
3.10F Security Architecture



It is important for a risk practitioner to evaluate the system architecture in terms of the appropriateness of its controls and other forms of risk response. The system architecture should be robust enough to provide assurance against malicious activity.


Security architecture provides an overview of the systems and the relationships between them, which is why it is most useful in managing complex security deployments.


The primary purpose of developing a security architecture is to align the security strategy between the functional areas of the organization and external parties.


Platforms and Operating Systems


  • Organizations should purchase IT equipment from trusted vendors to avoid the risk of infected devices, and should test new devices thoroughly before implementation. This addresses the risk of hardware that was infected with back doors or other vulnerabilities during the manufacturing or delivery process.


  • If hardware is not certified by the vendor or the manufacturer, an unknown level of risk remains.


  • Vendor-provided default accounts and passwords should be disabled or changed before the system goes into use.


  • Strong authentication is required for privileged accounts, such as administrator accounts.


  • Organizations should ensure the use of licensed operating software and regular updating of patches and configuration.


  • A patch management policy should be in place, and patches should be tested before deployment. In exceptional cases, such as a business emergency, pre-testing may not be feasible; the organization should then have a rollback plan so that a patch can be removed from the system if its deployment has an adverse impact.


  • The operating system should be hardened by disabling all unused services, since every running service is a potential entry point.


Applications


  • Adoption of secure coding practices is necessary to address flaws or bugs in the application code.


  • Applications should be properly designed, coded and tested in order to address vulnerabilities.


  • Organizations should study the common vulnerabilities published by the Open Web Application Security Project (www.owasp.org), such as the OWASP Top 10, and should address these vulnerabilities in their applications.


  • Applications can be made more secure by adopting the following practices:


  • Sensitive data should be masked

  • Restricted access for users

  • Input controls such as range checks and reasonableness checks

  • Reconciliation and balancing for proper processing of transaction

  • Use of digital certificates for authentication

  • Encryption of stored as well as in transit data

  • Secure coding practices

  • Use of middleware to isolate direct access and manage data input/output

  • Network isolation and secure communications channels


  • The absence of validation checks on data input fields is a major vulnerability. It gives attackers an opportunity to exploit the system by way of a SQL injection attack: the attacker submits fragments of a structured query language statement through an input field, and the application passes them to the database as part of its own query. In this way attackers can gain access to the application and the database, and can deface or even disable the web application.


  • Organizations should evaluate the risk associated with legacy systems and control it through the use of middleware, network isolation and secure communication channels.


  • Error messages should not reveal information that an attacker could use to refine the attack (for example, database error text or stack traces). Applications should display a generic message with an error code that only the IT department can map to the underlying cause for rectification.


  • Use multiple factors of authentication for critical systems, for example biometric access combined with a password.


  • User accounts should be automatically locked out after a defined number of failed login attempts.


  • When an application is developed by a third party, it is recommended to conduct a security code review of the entire application to detect malicious code, including back doors.
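The following is an added example, not code from the CRISC web book, that demonstrates the SQL injection, input validation, error message and account lockout points above in one place. It shows a login lookup built by string concatenation (the flaw described in the text) next to a hardened version that applies a range check and character whitelist to the input, uses a parameterised query so that user input can never become part of the SQL statement, locks the account after a set number of failures, and returns a generic message with a reference code while the detailed error goes only to the internal log. The table, the user row, the lockout threshold and the attacker input are all constructed for the example; the password is stored in clear text only to keep the example short, which a real system would never do.

```python
"""Added example: vulnerable vs. hardened login lookup (SQL injection,
input validation, generic error messages, account lockout).
All data and limits here are constructed for illustration."""
import logging
import sqlite3
import uuid

log = logging.getLogger("app")

# Constructed attacker input: closes the quoted string and adds a
# condition that is always true.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row. Storing the
    password in clear text is a simplification for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so any quote character in
    the input becomes part of the SQL statement (the flaw the text describes)."""
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def validate_username(username: str) -> str:
    """Input control: a range (length) check and a character whitelist."""
    if not 1 <= len(username) <= 32:
        raise ValueError("username length out of range")
    if not username.isalnum():
        raise ValueError("username contains disallowed characters")
    return username


class LoginService:
    """Hardened login: validation, parameterised query, lockout, and a
    generic error message keyed to an internal reference code."""

    def __init__(self, conn: sqlite3.Connection, max_failed_attempts: int = 5):
        self.conn = conn
        self.max_failed = max_failed_attempts   # assumed lockout threshold
        self.failed: dict[str, int] = {}
        self.locked: set[str] = set()

    def login(self, username: str, password: str) -> dict:
        ref = uuid.uuid4().hex[:8]   # code the IT department can look up
        try:
            if username in self.locked:
                return {"ok": False, "message": "Account locked", "ref": ref}
            validate_username(username)
            # Placeholders make the input data, never SQL: the injection
            # string is compared literally against the username column.
            row = self.conn.execute(
                "SELECT role FROM users WHERE username = ? AND password = ?",
                (username, password),
            ).fetchone()
            if row is None:
                n = self.failed.get(username, 0) + 1
                self.failed[username] = n
                if n >= self.max_failed:
                    self.locked.add(username)
                return {"ok": False, "message": "Invalid credentials", "ref": ref}
            self.failed.pop(username, None)
            return {"ok": True, "role": row[0], "ref": ref}
        except (ValueError, sqlite3.Error) as exc:
            # Full detail stays in the internal log under the reference code;
            # the caller sees only the generic message and the code.
            log.error("login error ref=%s: %s", ref, exc)
            return {"ok": False, "message": "Request could not be processed", "ref": ref}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected input:", login_vulnerable(db, INJECTION, INJECTION))
    svc = LoginService(make_db(), max_failed_attempts=3)
    print("hardened, injected input:  ", svc.login(INJECTION, INJECTION))
    for _ in range(3):
        svc.login("alice", "wrong")
    print("hardened, after lockout:   ", svc.login("alice", "s3cret"))
```

Run it and the vulnerable lookup returns True for the injected input (the attacker is "logged in" without a valid password), while the hardened service rejects the same input at the validation step with a reference code and no database detail, and locks the account after three failed attempts.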


Key aspects from CRISC exam perspective

Question: Most important aspect before installing new equipment
Answer: Conduct a risk assessment of the new equipment

Question: Most useful in managing complex security deployments
Answer: Security architecture

Question: Primary purpose for developing a security architecture
Answer: To align the security strategy between the functional areas of the organization and external parties

Question: Most important aspect prior to releasing a patch into production
Answer: Testing of the patch

Question: Best method to minimize the risk of interoperability issues when an untested patch must be deployed
Answer: Have a rollback plan so that the patch can be removed from the system if its deployment has an adverse impact

Question: What is the risk if validation checks are missing for data input fields?
Answer: Missing input validation is a major vulnerability that exposes the system to SQL injection. Attackers submit fragments of a structured query language statement through the input fields to gain access to the application and database, and can deface or even disable the web application.


