
Operational Security

INTRODUCTION

Given the importance and sensitivity of computer systems and their environment, it is extremely important to keep them safe and prevent any unwanted intrusions, whether physical or logical. That is why operational security exists: security applied to the logical and physical operations of a system. This work covers various areas of the discipline.

I. PHYSICAL SECURITY

Physical security is a series of measures designed to deny physical access to a building, area or information to unauthorized personnel. It is also defined as guidance on how to design structures to withstand hostile attacks. Physical security can be as simple as a door secured with a padlock or as elaborate as multiple barriers, armed guards or biometric access.

Security entails costs and can never really be perfect or complete; in other words, security can reduce, but cannot completely eliminate, the risks. Bearing in mind that controls are imperfect, physical security applies the principle of defense in depth, with appropriate combinations of overlapping and complementary controls. Physical access controls for protected facilities are usually intended to:

- Deter potential intruders (e.g., warning signs and perimeter markings);
- Distinguish authorized from unauthorized personnel (for example, use of pass cards or badges and keys);
- Delay, thwart and prevent intrusion attempts (e.g., strong walls, locks, doors and safes);
- Detect, monitor and record intrusions (e.g., intrusion alarms and closed-circuit television systems); and
- Give appropriate responses to incidents (for example, security guards and police).

Security engineering identifies the following elements of physical security:

- Obstacles, to frustrate trivial attacks and delay serious attacks
- Detection systems, such as monitoring, alarms, guards, cameras, etc., so that attacks are noticed
- Security response, to repel, catch or frustrate detected attacks

In a well-designed system, these features should complement each other.

There are four layers of physical security:

- Design of the environment
- Mechanical and electronic access control
- Intrusion detection (with appropriate response procedures)
- Identification of staff (authentication)

There are many options to consider, and there is no ideal solution that satisfies a broad class of situations, as each situation is unique.

The goal of physical security is to convince potential attackers that the likely costs of an attack exceed the value of carrying it out, i.e., that the consequences of an attack outweigh the gain. The combination of security features in layers establishes the presence of territoriality.

The initial layer of security for a campus, building, office or physical space implements crime prevention through environmental design to deter threats. Some of the most common examples are also the most basic: warning signs, fences, vehicle barriers, vehicle height restrictors, restricted access points and lighting.

Access control includes doors and locks. Locks are a problem in large communities of users, forcing the adoption of electronic access control. Electronic access control easily handles large numbers of users, controlling individual users by life cycle, dates and access points.

For example, a user's access rights could allow access from 7:00 a.m. to 7:00 p.m., Monday to Friday, and expire in 90 days. Another form of access control includes the use of policies, processes and procedures to manage entry into the restricted zone. An example of this is the deployment of security personnel who check for authorized entry at predetermined points. This form of access control is usually supplemented by the earlier forms of access control (i.e., mechanical and electronic access control), or by simple devices such as physical passes.

The next layer is composed of alarms or intrusion detection systems. It is less a preventative measure and more a trigger for response. Intrusion detection has a high incidence of false alarms.

The last layer is composed of video surveillance systems. Security cameras can be a deterrent in many cases, but their real power comes from incident verification and historical analysis. For example, if alarms are activated and there is a camera, it can be used to verify the alarm. In cases where an attack has occurred and there is a camera, the recorded video can be reviewed. Although closed-circuit television is common, it is fast becoming obsolete as more video systems transmit over networks.

Advances in information technology are transforming video systems into video analysis. For example, once an image is digitized it can be turned into data that sophisticated algorithms can process. As the speed and accuracy of automated analysis increase, the video system could move from a monitoring system to an intrusion detection or access control system.

II. ACCESS CONTROLS

Access control refers to exercising control over who can interact with a resource. Often, but not always, this implies an authority that does the controlling. The resource can be a particular building, group of buildings or an information system.

Access control is, in fact, an everyday phenomenon. A lock on a vehicle door is essentially a form of access control. A PIN at a bank's ATM is another means of access control. Having access control is of paramount importance when people seek to protect important, confidential or sensitive information and equipment.

In computer security, access control includes authentication, authorization, and auditing. It also includes measures such as physical devices, including biometric scanners and metal locks and bolts, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems.

In any access control model, the entities that can carry out actions in the system are called subjects, and the entities representing the resources to which access may need to be controlled are called objects. Subjects and objects should both be considered software entities rather than human users: any human user can only have an effect on the system through the software entities they control.

Although some systems equate subjects with user IDs, so that all processes started by a user have the same authority by default, this level of control is not fine-grained enough to satisfy the principle of least privilege, and is arguably responsible for the prevalence of malware in such systems.

Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists. In a capability-based model, holding a reference or capability to an object provides access to the object; access is passed to a third party by transmitting that capability over a secure channel. In a model based on access control lists, a subject's access to an object depends on whether its identity is on a list associated with the object; access is conveyed by editing the list.

Access control systems provide the essential services of identification and authentication, authorization and accountability, where:

- Identification and authentication determine who can log in to a system, and the association of users with the software entities they are able to control as a result.
- Authorization determines what a subject can do.
- Accountability identifies what a subject (or all subjects associated with a user) did.

Authorization determines what a subject can do in the system.

Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:

- Read: the subject can:
  - read the contents of a file
  - list the contents of a directory
- Write: the subject can change the contents of a file or directory with the following tasks:
  - add
  - create
  - delete
  - rename
- Run: if the file is a program, the subject can cause the program to be run.

Accountability uses system components such as records and logs to associate a subject with its actions. The information recorded must be sufficient to map the subject to a controlling user. Records are important for:

- Detecting security breaches
- Re-creating security incidents.

III. BIOMETRICS

Biometrics is the automatic recognition of individuals based on their biological and behavioral characteristics. Examples of biometric features include fingerprint, face, iris, palm, retina, hand geometry and voice.

Biometric recognition forms a strong bond between a person and their identity, as biometric characteristics cannot easily be shared, lost or duplicated. Therefore, biometric recognition is intrinsically more resistant to social engineering attacks (e.g., phishing) and superior to the two conventional methods of recognition, i.e. passwords and tokens. Because biometric recognition requires the user to be present at the time of authentication, it can also deter users from making false repudiation claims. Due to these characteristics, biometric recognition has been widely recognized as a natural, reliable and irreplaceable component of any identity management system. Biometrics is increasingly being integrated into the authentication of multiple security applications that require precise and reliable answers to the following questions: "Is this person who they claim to be?", "Who is this person?" and "Is this person someone on a watch list?". Note that answering these questions presupposes that the person's identity has already been created or established.

A biometric system is a computer system that implements biometric recognition algorithms. A typical biometric system consists of sensing, feature extraction and matching. Biometric sensors (e.g. a fingerprint sensor) capture or scan an individual's biometric traits to produce a digital representation. A quality check is usually performed to ensure that the acquired biometric sample can be relied upon. The feature extraction module discards unnecessary and extraneous information from the acquired samples and extracts the relevant, discriminatory information, called features, that is usually used for matching. Accordingly, the biometric sample is matched against the information stored in the database to establish the identity associated with the query.

Generally speaking, a biometric system has two stages of operation: registration and recognition. Registration refers to the phase in which the system stores certain biometric reference information about the person in a database. This reference information may be in the form of a template (features extracted from the biometric sample, or parameters of a mathematical model that best characterizes the extracted features) or the biometric sample itself (for example, a face or fingerprint image). In many applications, some data about the person (name, ID, etc.) are also stored together with
the biometric reference. When no personal identification information is available (for example, traces of unknown origin taken from a crime scene), the reference is usually labelled with a system-generated identifier for future recognition. At the recognition stage, the system scans the user's biometric traits, extracts features, and compares them with the biometric reference information stored in the database. A high similarity score between the query and the reference data results in the identification of the user.

IV. SOCIAL ENGINEERING

Social engineering is the set of psychological techniques and social skills used consciously, and often, to obtain information from third parties.

The basic objective of social engineering is to gain unauthorized access to systems and their information in order to commit fraud, network intrusion, industrial espionage or identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, corporations and financial institutions, military and government agencies, and hospitals.

It is difficult to find good real-life examples of social engineering attacks. Targeted organizations either do not want to admit that they have been victims (after all, admitting a fundamental security breach is not only embarrassing, it can damage the organization's reputation) or the attack was not well documented, so that no one is really sure whether there was a social engineering attack or not.

Organizations are attacked through social engineering because it is an easier way to gain illicit access than other, more technical ways. Even for technical people, it is often much easier simply to pick up the phone and ask someone for their password. And many times, that is exactly what a hacker will do.

Social engineering attacks are carried out at two levels: the physical and the psychological. First, we focus on the physical setting of these attacks: the workplace, the phone, the trash, and even online. In the workplace, the hacker can simply walk through the door, as in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. The intruder then walks through the office until he or she finds some passwords lying around, and leaves the building with enough information to exploit the network from home later that night. Another technique for obtaining authentication information is simply to stand there and watch an employee type their password.

Hackers teach social engineering from a psychological perspective, with an emphasis on how to create the perfect psychological environment for the attack. The basic methods of persuasion are: impersonation, flattery, conformity, diffusion of responsibility and friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is someone they can trust with that sensitive information. It is important to never ask for too much information at once.

Impersonation generally means creating some kind of character and playing the role. The simpler the role, the better. Sometimes this could mean simply calling and saying: "Hello, I'm Joseph from technical support and I need your password". Other times, the hacker will study a real person in an organization and wait until that person is out of town to impersonate him over the phone.

V. DISASTER RECOVERY

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events. These events could include a hurricane or, simply, a power outage caused by a backhoe in the parking lot. The involvement of CSOs in this process can range from overseeing the plan, to providing information and support, to putting the plan into action during an emergency.

Disaster recovery is the process by which activities are resumed after a destructive event. The event can be something very big, such as an earthquake or the terrorist attacks on the World Trade Center, or something small, like a software malfunction caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are inclined to ignore "disaster recovery", because disaster seems an unlikely event. "Business continuity planning" suggests a more comprehensive approach to ensuring that you can keep making money, not only after a natural disaster, but also in the case of smaller disruptions, including the illness or departure of key employees, supply chain partner problems or other challenges that companies face from time to time.

The details can vary widely, depending on the size and scope of a company and the way it does business. For some companies, issues such as supply chain logistics are the most important and are the focus of the plan. For others, information technology can play a more central role, and the BC/DR plan may have more of a focus on systems recovery. For example, the plan at one global manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with 3,000 telephones within two days, recover the company's more than 1,000 local area networks in order of business need, and set up a temporary call center for 100 agents at a nearby training centre.

As IT systems have become increasingly critical to the smooth operation of a company, and arguably of the economy as a whole, the importance of ensuring the continued operation of those systems, or their rapid recovery, has increased.

It is estimated that the largest companies spend between 2% and 4% of their IT budget on disaster recovery planning, in order to avoid larger losses in the event that the business cannot continue to function due to the loss of data and IT infrastructure. Of the companies that had a significant loss of business data, 43% never reopen, 51% close within two years, and only 6% survive in the long term.
As a result, preparation for the continuation or recovery of systems should be taken very seriously. This implies a significant investment of time and money in order to ensure minimal losses in the case of a destructive event.

Classification of disasters

Disasters can be classified into two broad categories.

The first is natural disasters such as floods, hurricanes, tornadoes or earthquakes. While preventing a natural disaster is very difficult, measures such as good planning, which includes mitigation measures, can help to reduce or avoid losses.

The second category is man-made disasters. These include hazardous material spills, infrastructure failure, or bio-terrorism. In these cases, monitoring and mitigation planning are invaluable for avoiding or reducing losses from these events.

Control measures in the recovery plan

Control measures are steps or mechanisms that can reduce or eliminate various threats to organizations. Different types of measures can be included in the BCP/DRP.

Disaster recovery planning is a subset of a broader process known as business continuity planning and should include planning for the resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT-related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT-related infrastructure recovery/continuity. This article focuses on disaster recovery planning in relation to IT infrastructure. The types of measures are:

1. Preventive measures - these controls are intended to prevent an event from occurring.
2. Detective measures - these controls are aimed at detecting or discovering unwanted events.
3. Corrective measures - these controls are intended to correct or restore the system after a disaster or an event.

These controls should always be documented and tested regularly.

Strategies

Before selecting a disaster recovery strategy, a disaster recovery planner should refer to their organization's business continuity plan, which should indicate the key metrics of recovery point objective (RPO) and recovery time objective (RTO) for various business processes (for example, the process to run payroll, generate an order, etc.). The metrics specified for the business processes should then be mapped to the underlying IT systems and infrastructure that support those processes.

Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner can determine the most suitable recovery strategy for each system. An important note here, however, is that the business ultimately sets the IT budget, and therefore the RTO and RPO metrics need to fit with the available budget. While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical.

VI. ADMINISTRATION OF PRIVILEGES

The term "system administrator" can also be used to describe a security privilege that is assigned to a user or users of a given computer, server, network or other IT system.

The system administrator access level allows the user to access, and perform, high-level configuration functions of the system.

This user privilege level is more commonly known within a computer or IT system as "administrator" (without the qualifier "system"). It may also be called superuser or root.

For example, a computer may have a user called "Administrator" or "Root", which has a security level sufficient to install software or give other users access to the system. Alternatively, a user of a system can be assigned to an "Administrators" group, membership of which grants the same privileges as the Administrator user. These users may be referred to as system administrators, referring only to the system privilege level rather than the job function.

For security reasons, the name of an administrator user or administrators security group is often changed locally to make it harder to guess, in order to reduce the system's vulnerability to access by hackers.

A super administrator has unlimited access to the system administrator's control panel and can carry out all administrator actions. Administrators with restricted access can perform all the actions that appear on the Control Panel screens for which they have authorization.

A systems manager, systems administrator, or administrator is a person employed to maintain and operate a computer system and/or network. System administrators may be members of an information technology (IT) department or of an electronics and communication engineering department.

The duties of a system administrator are wide-ranging, and vary greatly from one organization to another. System administrators are usually charged with installing, supporting and maintaining servers or other computer systems, and with planning for and responding to service outages and other problems. Other duties may include scripting or light programming, project management for systems-related projects, supervising or training computer operators, and being the consultant for computer problems beyond the knowledge of technical support staff. To perform the job well, a system administrator must demonstrate a blend of technical skills and responsibility.

Many organizations staff other jobs related to system administration. In a larger company, all these
may be separate positions within an IT or information services (IS) department. In a smaller group they may be shared by a few sysadmins, or even a single person.

- A database administrator (DBA) maintains a database system, and is responsible for the integrity of the data and the efficiency and performance of the system.
- A network administrator maintains network infrastructure, such as switches and routers, and diagnoses problems with these or with the behavior of networked computers.
- A security administrator is a specialist in computer and network security, including the administration of security devices such as firewalls, as well as consulting on general security measures.
- A web administrator maintains web server services (such as Apache or IIS) that allow internal or external access to websites. Tasks include managing multiple sites, administering security, and configuring necessary components and software. Responsibilities may also include software change management.
- Technical support staff respond to individual users' difficulties with computer systems, provide instructions and sometimes training, and diagnose and solve common problems.
- A computer operator performs routine maintenance and upkeep, such as changing backup tapes or replacing failed drives in a RAID. Such tasks usually require physical presence in the room with the computer, and while less skilled than sysadmin tasks, they require a similar level of trust, since the operator has access to possibly sensitive data.
- A mail administrator is the administrator of a mail server.

In some organizations, a person may begin as a member of technical support staff or as a computer operator, then gain experience on the job to be promoted to a system administrator position.

VII. AUDITS

The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, water management and energy conservation.

Auditors of financial statements can be classified into two categories:

The external auditor / statutory auditor is an independent firm engaged by the client subject to the audit to express an opinion on whether the company's financial statements are free of material misstatements, whether due to fraud or error. For publicly traded companies, external auditors may also be required to express an opinion on the effectiveness of internal controls over financial reporting. External auditors may also be engaged to perform other agreed-upon procedures, related or unrelated to the financial statements. Most importantly, external auditors, though engaged and paid by the company being audited, are regarded as independent auditors.

The most used external audit standards are the US GAAS of the American Institute of Certified Public Accountants and the International Standards on Auditing (ISA), developed by the International Auditing and Assurance Standards Board of the International Federation of Accountants.

Internal auditors are employed by the organization they audit. They perform various audit procedures, primarily related to the effectiveness of the company's internal controls over financial reporting. Due to the requirement of Section 404 of the Sarbanes-Oxley Act of 2002 for management to also assess the effectiveness of their internal controls over financial reporting (as also required of the external auditor), internal auditors are used to make this assessment. Although internal auditors are not considered independent of the company they perform audit procedures for, internal auditors of publicly traded companies are required to report directly to the board of directors, or a sub-committee of the board of directors, and not to management, so as to reduce the risk that internal auditors will be pressured to produce favourable assessments.

The most commonly used internal audit standards are those of the Institute of Internal Auditors.

Consultant auditors are external personnel contracted by the company to perform an audit following the company's auditing standards. This differs from the external auditor, who follows their own auditing standards. The level of independence is therefore somewhere between that of the internal auditor and the external auditor. The consultant auditor may work independently, or as part of an audit team that includes internal auditors. Consultant auditors are used when the company lacks sufficient expertise to audit certain areas, or simply for staff augmentation when staff are not available.

Quality auditors may be consultants or employed by the organization.

Quality audits are performed to verify conformance to standards through the review of objective evidence. A system of quality audits may verify the effectiveness of a quality management system. This is part of certifications such as ISO 9001. Quality audits are essential to verify the existence of objective evidence showing conformance to required processes, to assess how successfully processes have been implemented, to judge the effectiveness of achieving the defined target levels, and to provide evidence concerning the reduction and elimination of problem areas; they are a hands-on management tool for achieving continuous improvement in an organization.

To benefit the organization, quality auditing should not only report non-conformances and corrective actions, but also highlight areas of good practice and provide evidence of conformance. In this way, other departments may share information and amend their working practices as a result, also enhancing continuous improvement.

Computer auditing is a process carried out by specially trained professionals that consists of grouping and evaluating evidence to determine whether an information system safeguards business assets, maintains the integrity of the data, effectively carries out the goals of the organization, uses resources efficiently, and
complies with established laws and regulations. Such audits are used to systematically detect the use of resources and the flow of information within an organization, and to determine what information is critical to the fulfilment of its mission and objectives, identifying needs, duplication, costs, value and barriers that impede efficient information flows.

Auditing consists mainly of studying the control mechanisms in place in the company or organization, determining whether they are adequate and meet certain goals or strategies, and establishing the changes that should be made to achieve them. Control mechanisms can be managerial, preventive, detective, corrective, or for recovery from a contingency.

The objectives of computer auditing are:

- The analysis of the efficiency of computing systems
- Verification of compliance with the regulations in this field
- The review of the effective management of computer resources.

Computer auditing serves to improve certain characteristics of the company, such as:

- Performance
- Reliability
- Effectiveness
- Profitability
- Security
- Privacy

It is usually carried out in one or a combination of the following areas:

- Corporate governance
- Administration of the systems life cycle
- Delivery and support services
- Safety and protection
- Continuity and disaster recovery plans

The need for standard guidelines and tools for the practice of computer auditing has promoted the creation and development of best practices such as COBIT, ITIL and COSO.

Currently, ISACA's CISA (Certified Information Systems Auditor) certification is one of the most recognized and backed by international standards, since the selection process consists of a fairly extensive initial examination and the need to stay up to date by accumulating hours (points) in order not to lose the certification.

VIII. REMOVABLE DEVICES

Handheld USB devices have been a blessing for anyone who wants to take information from one PC to another, but their ease of use has also created a new type of headache for security firms. The recent explosion in sales of devices such as USB devices, iPods and PDAs means that they are a common sight in most offices.

Where is the danger in an iPod, you may ask. Surely the most offensive thing about an iPod is the often questionable choice of music coming from it? But if we take into account that these small portable media devices can just as easily be used to remove confidential customer files, there is a clear threat behind the shiny chrome exterior.

So what steps can companies take to protect themselves against the risks associated with these devices?

The greatest threat to the integrity of a company's IT security is not a sinister hacker trying to break into the corporate network, but employees and partners with easy access to business information.

With removable media devices such as MP3 players, digital cameras and PDAs common in enterprises, their uncontrolled use carries a number of risks, from the simple nuisance factor of the network being used to store personal files and the risks associated with software theft, to the consequences of a deliberate attack on the network.

A storage device is also an easy way for malware to propagate within the network: a user can unwittingly infect the network with a virus that has been transferred from their home PC via the device.

It is a worrying fact that around 80% of computer security incidents occur within an organization, and yet it is estimated that 80% of security spending still goes on outward-facing perimeter defenses such as firewalls, antivirus, intrusion detection and content filtering. Companies need a formal monitoring mechanism in place in order to protect critical databases and business systems against the theft of data and intellectual property.

So should you decide to prohibit USB devices? This is a difficult proposition, and there is no foolproof method. Windows 2003 can lock access to the USB port but, critically, this will also stop USB keyboards, mice and other legitimate USB devices from being used, a move which may not be popular with employees. Simply disabling USB ports is therefore not the answer, since it inevitably has an adverse effect on business productivity and flexibility.

It is important to have an acceptable use policy (AUP) instead, so that employees are aware of what they can and cannot use in the workplace.

CONCLUSIONS

In this work we learned about the different components and elements of operational security, such as physical security, access control and privilege management, among others. We have also learned about their importance at both the business and personal level. Every computer system must have sufficient security to be operational; otherwise it would be exposed to serious hazards that can cause major damage.
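The electronic access rule used as an example in section I (7:00 a.m. to 7:00 p.m., Monday to Friday, expiring after 90 days, limited to given access points) can be combined with the accountability records of section II as follows. This is an added example, not code from the original paper; the class names, badge IDs and door names are hypothetical, and treating the end of the time window as exclusive is an assumption.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta


@dataclass(frozen=True)
class AccessRight:
    """One subject's right: access points, weekdays, daily window, lifetime."""
    subject: str
    access_points: frozenset      # doors/readers the right covers
    weekdays: frozenset           # 0 = Monday ... 6 = Sunday
    start: time
    end: time                     # assumption: window end is exclusive
    issued: date
    lifetime_days: int

    @property
    def expires_on(self) -> date:
        return self.issued + timedelta(days=self.lifetime_days)


@dataclass
class DoorController:
    rights: dict = field(default_factory=dict)      # subject -> AccessRight
    audit_log: list = field(default_factory=list)   # accountability records

    def grant(self, right: AccessRight) -> None:
        self.rights[right.subject] = right

    def request(self, subject: str, access_point: str, when: datetime) -> bool:
        reason = self._decide(self.rights.get(subject), access_point, when)
        allowed = reason == "ok"
        # Every decision, allowed or denied, is recorded against the subject
        # so that incidents can be detected and re-created later.
        self.audit_log.append({
            "time": when.isoformat(),
            "subject": subject,
            "access_point": access_point,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason,
        })
        return allowed

    @staticmethod
    def _decide(right, access_point: str, when: datetime) -> str:
        # Default deny: anything not explicitly permitted is refused.
        if right is None:
            return "unknown subject"
        if when.date() >= right.expires_on:
            return "right expired"
        if access_point not in right.access_points:
            return "access point not covered"
        if when.weekday() not in right.weekdays:
            return "outside permitted days"
        if not (right.start <= when.time() < right.end):
            return "outside permitted hours"
        return "ok"


def denied_attempts(audit_log) -> Counter:
    """Count denials per subject, a simple input for breach detection."""
    return Counter(e["subject"] for e in audit_log if e["decision"] == "DENY")


def build_demo_controller() -> DoorController:
    """Constructed sample data: one badge with the rule from section I."""
    controller = DoorController()
    controller.grant(AccessRight(
        subject="badge-1001",
        access_points=frozenset({"lobby", "office-2f"}),
        weekdays=frozenset(range(0, 5)),          # Monday to Friday
        start=time(7, 0),
        end=time(19, 0),
        issued=date(2024, 1, 1),
        lifetime_days=90,
    ))
    return controller


if __name__ == "__main__":
    c = build_demo_controller()
    c.request("badge-1001", "lobby", datetime(2024, 1, 2, 9, 0))
    c.request("badge-1001", "server-room", datetime(2024, 1, 2, 9, 5))
    for entry in c.audit_log:
        print(entry)
```
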
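The strategy selection described under "Strategies" in section V (map RPO and RTO to each system, pick a recovery strategy, then fit the result to the IT budget) can be sketched as below. This is an added example, not part of the original paper; the strategy names, costs and targets are constructed, and relaxing the least critical system first is an assumed policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    rpo_hours: float      # worst-case data loss the strategy leaves
    rto_hours: float      # worst-case time until service is restored
    annual_cost: int


@dataclass(frozen=True)
class Target:
    system: str
    rpo_hours: float      # maximum tolerable data loss
    rto_hours: float      # maximum tolerable downtime


# Constructed catalogue of recovery strategies (illustrative figures only).
STRATEGIES = [
    Strategy("nightly tape, offsite restore", 24, 96, 10_000),
    Strategy("daily snapshot to warm site", 24, 12, 40_000),
    Strategy("hourly replication", 1, 4, 120_000),
    Strategy("synchronous mirror to hot site", 0, 0.25, 400_000),
]

# Constructed targets, most critical first, for the two business processes
# the text mentions (generating an order, running payroll).
TARGETS = [
    Target("order entry", rpo_hours=1, rto_hours=4),
    Target("payroll", rpo_hours=24, rto_hours=48),
]


def meets(strategy: Strategy, target: Target) -> bool:
    return (strategy.rpo_hours <= target.rpo_hours
            and strategy.rto_hours <= target.rto_hours)


def cheapest_meeting(target: Target, strategies) -> Strategy:
    candidates = [s for s in strategies if meets(s, target)]
    if not candidates:
        raise ValueError(f"no strategy meets the targets for {target.system}")
    return min(candidates, key=lambda s: s.annual_cost)


def fit_to_budget(targets, strategies, budget: int):
    """Pick the cheapest compliant strategy per system, then downgrade the
    least critical systems until the plan fits the budget.

    Returns (chosen, relaxed, fits): the strategy per system, the RPO/RTO the
    business would have to accept for each downgraded system, and whether the
    final plan is within budget.
    """
    by_cost = sorted(strategies, key=lambda s: s.annual_cost)
    chosen = {t.system: cheapest_meeting(t, by_cost) for t in targets}

    def total() -> int:
        return sum(s.annual_cost for s in chosen.values())

    for t in reversed(targets):               # least critical system first
        while total() > budget:
            i = by_cost.index(chosen[t.system])
            if i == 0:                        # already on the cheapest option
                break
            chosen[t.system] = by_cost[i - 1]

    relaxed = {
        t.system: (chosen[t.system].rpo_hours, chosen[t.system].rto_hours)
        for t in targets if not meets(chosen[t.system], t)
    }
    return chosen, relaxed, total() <= budget


if __name__ == "__main__":
    for budget in (200_000, 140_000, 15_000):
        chosen, relaxed, fits = fit_to_budget(TARGETS, STRATEGIES, budget)
        print(budget, {k: v.name for k, v in chosen.items()}, relaxed, fits)
```
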
