This topic discusses six issues: resource protection, hardware controls, software controls, privileged entity controls, media resource protection, and physical access controls.
2.6.2.1 Resource protection
Resource protection is about protecting an organization’s computing resources and assets from loss or compromise. Such resources are defined as any hardware, software, or data that is used and owned by the organization. Resource protection aims to reduce the possibility of damage that can result from unauthorized disclosure or alteration of data. According to the authors, the following resources require protection:
Hardware resources: Communication devices, storage media, processing systems, standalone computers, and printers and fax machines.
Software resources: Program libraries and source code, operating system, and systems utilities.
Data resources: Backup data, user data files, password files, operating data directories, and system logs and audit trails (Krutz and Vines, 2001, pp. 216-219).
2.6.2.2 Hardware controls
Hardware Maintenance: System maintenance could be performed by staff, a vendor, or a service provider, and it could be done inside or outside the organization. A background check for the service personnel may be necessary.
Maintenance Accounts: Many computer systems present maintenance accounts, which are supervisor-level accounts created at the factory with widely known passwords. Disabling such accounts until they are needed is critical.
Diagnostic Port Control: Many systems have diagnostic ports for troubleshooting purposes. These ports should only be used by authorized persons and should not enable either internal or external unauthorized access.
Hardware physical control: The data processing areas that contain the hardware should
2.6.2.3 Software controls
Anti-Virus Management: The user’s ability to load or execute programs makes the system more vulnerable to viruses, unexpected software behavior, and destroyed security controls.
Software Testing: A formal software testing process should be applied to make sure that the software is compatible with other applications.
Software Utilities: The use of powerful systems utilities must be controlled by a security policy, because it can compromise the integrity of operations systems and logical access controls.
Safe Software Storage: Both logical and physical access controls should be implemented to ensure that the software and backup copies have not been modified without proper authorization.
Backup Controls: It is very important to routinely test the restore accuracy of a backup system. A backup should also be stored securely to protect it from theft, damage, or environmental problems (Krutz and Vines, 2001, pp. 216-218).
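The following is an added example, not taken from Krutz and Vines or from the original report, of one way to act on the Safe Software Storage and Backup Controls items above: record SHA-256 digests when the backup is made, authenticate that manifest with an HMAC key kept off the backup media, and compare a test restore against it. The file names, the key, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(manifest, key):
    """HMAC over the canonical JSON form, so an edited manifest is detected."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_restore(manifest, tag, key, restored_root):
    """Authenticate the manifest, then diff a test restore against it."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("manifest failed authentication")
    current = build_manifest(restored_root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: the real key is stored off the media
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "source"), Path(tmp, "restored")
        (src / "bin").mkdir(parents=True)
        (restored / "bin").mkdir(parents=True)
        # Constructed sample files standing in for software and data backups.
        (src / "bin" / "utility.sh").write_text("echo ok\n")
        (src / "users.dat").write_text("constructed user data\n")
        (src / "audit.log").write_text("constructed audit line\n")
        manifest = build_manifest(src)
        tag = seal(manifest, key)
        # Constructed faulty restore: one file altered, one lost, one added.
        (restored / "bin" / "utility.sh").write_text("echo changed\n")
        (restored / "users.dat").write_text("constructed user data\n")
        (restored / "stray.bin").write_text("not in the backup\n")
        return verify_restore(manifest, tag, key, restored)

if __name__ == "__main__":
    print(demo())
```

A restore test passes only when all three lists are empty; an authentication failure means the manifest itself was changed and the comparison cannot be trusted.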
2.6.2.4 Privileged entity controls
Privileged entity access is defined as special access to computing resources given to operators and system administrators. It is also known as privileged operations functions. Special access to system commands, access to special parameters, and access to the system control program are some examples of privileged entity operator functions (Krutz and Vines, 2001).
2.6.2.5 Media resource protection
Media Security Controls: These are implemented to prevent any threat to C.I.A. from the exposure of sensitive data. They should be designed to prevent the loss of sensitive information when the media is stored outside the system. The following are some elements of media security controls:
Logging: Logging the use of data media provides accountability and assists in physical
Access Control: Physical access control to the media is used to prevent unauthorized personnel from accessing the media.
Proper Disposal: Proper disposal of the media after use is required to prevent data recovery.
Media viability controls: Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process:
Marking: All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log serial numbers or bar codes for retrieval during a system recovery.
Handling: Some issues with the handling of media include cleanliness of the media and the protection from physical damage during transportation to the archive sites.
Storage: Storage of the media is very important for both security and environmental reasons. A proper heat- and humidity-free, clean storage environment should be provided for the media. Data media is sensitive to temperature, liquids, magnetism, smoke, and dust (Krutz and Vines, 2001).
2.6.2.6 Physical access controls
The following are examples of some of the elements of the operations resources that need physical access control.
Hardware: Control of communications and the computing equipment, control of the storage media, and control of the printed logs and reports.
Software: Control of the backup files, control of the system logs, control of the production applications, and control of the sensitive/critical data.
Personnel: Some personnel will require special physical access to perform their job functions. The following are examples of this type of personnel:
-IT department personnel
-Cleaning staff
-Heating, Ventilation and Air Conditioning (HVAC) maintenance personnel
-Third-party service contract personnel
-Consultants, contractors, and temporary staff (Krutz and Vines, 2001).