Security controls can also be applied specifically to application systems, in addition to network-level security controls. One of the most common is access control, which is applied on a need-to-know basis: only authorised users are given access to application systems.
Security hardening is a practice used to ensure that application systems and databases are secure and robust. It is carried out by applying patches to the application systems, which are normally developed by software vendors or other third-party service providers. Closing unused ports on the application server is another useful way of enhancing application security.
Security controls can be embedded in business processes to ensure that business activities are carried out in a controlled and secure manner. An example is how customers make payment for services they would like to access: the enterprise offering the services provides a secure platform on which payments can be made and funds deposited in designated accounts at the bank. The IS auditor would use an application controls audit to review such applications, in addition to specific application security audits.
Patch Management
Patch management is the process of implementing security and system updates after the main application system has been implemented. Various vulnerabilities are discovered after software has been released, and this applies to both operating systems and application systems.
It is important that patching of software is carried out in a controlled manner, which includes testing patches in a test environment before they are deployed on production systems. Patches should be tested so that the enterprise is certain and confident that they will not introduce other problems. It is common to find users, and some IT professionals, taking it for granted that patches published by software developers or vendors will not cause problems. In practice, problems usually arise because the enterprise uses a mix of technologies and software platforms, and these can conflict once a patch is applied.
In order to reduce costs, some enterprises use virtual servers as test environments: virtualisation software runs on the same hardware and operating systems used in production, so the test systems mirror them. There are various types of virtualisation software on the market which can be used to build virtual test environments.
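The test-before-production control described in this section, as an added illustration that is not part of the original text: a small Python model in which a patch must pass on every test host before distribution software may push it to production hosts, with each decision recorded as evidence an IS auditor could review. Host names and patch identifiers are constructed placeholders.

```python
"""Constructed model of a controlled patch workflow: test first, then deploy.
Host names and patch ids below are placeholders, not real identifiers."""
from dataclasses import dataclass, field
from enum import Enum


class PatchState(Enum):
    RELEASED = "released"        # published by the vendor, not yet tested
    TESTED_OK = "tested_ok"      # passed on every test host
    TESTED_FAIL = "tested_fail"  # caused a problem on at least one test host
    DEPLOYED = "deployed"        # pushed to production by distribution software


@dataclass
class Patch:
    patch_id: str
    state: PatchState = PatchState.RELEASED
    audit_trail: list = field(default_factory=list)  # evidence for the auditor


class PatchPipeline:
    def __init__(self, test_hosts, production_hosts):
        # Test and production must be disjoint: testing on production defeats the control.
        if set(test_hosts) & set(production_hosts):
            raise ValueError("a host cannot be both a test and a production host")
        self.test_hosts = list(test_hosts)
        self.production_hosts = list(production_hosts)

    def test(self, patch, results):
        """results maps each test host to True (no problems) or False (conflict seen)."""
        missing = [h for h in self.test_hosts if h not in results]
        if missing:
            raise ValueError(f"patch {patch.patch_id} was not tested on {missing}")
        ok = all(results[h] for h in self.test_hosts)
        patch.state = PatchState.TESTED_OK if ok else PatchState.TESTED_FAIL
        patch.audit_trail.append(("test", dict(results), patch.state.value))
        return patch.state

    def deploy(self, patch):
        """Push to all production hosts at once; refuse anything not tested_ok."""
        if patch.state is not PatchState.TESTED_OK:
            patch.audit_trail.append(("deploy_refused", patch.state.value))
            raise PermissionError(
                f"patch {patch.patch_id} is {patch.state.value}, not tested_ok")
        patch.state = PatchState.DEPLOYED
        patch.audit_trail.append(("deploy", list(self.production_hosts)))
        return list(self.production_hosts)
```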
Once patches have been tested, they can be deployed using distribution software, which pushes the patches to all workstations and servers. Applying patches through distribution software is straightforward because all computers receive them at the same time. Common patch management software includes System Centre Configuration Manager (SCCM or