
Chapter 8

Information Systems Controls for System Reliability Part 1: Information Security


Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-1

Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.


AIS Controls
COSO and COSO-ERM address general internal control.
COBIT addresses information technology internal control.


COBIT Framework (figure)

Business Objectives / Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
IT Resources: Application systems, Information, Infrastructure, People.
IT Life Cycle: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate.

2007 IT Governance Institute. All rights reserved. www.itgi.org
Information for Management Should Be:

Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.


COBIT and Trust Frameworks

The COBIT Framework provides comprehensive guidance for controlling and managing IS.
COBIT specifies detailed control objectives for 34 IT processes (figure 8-1).
Auditors are only interested in a subset of COBIT; SOX only addresses the issue of system reliability for financial statements.
The Trust Services Framework developed by the AICPA and CICA (Canadian) relates to systems reliability (security, confidentiality, privacy, processing integrity, availability).

Trust Services Framework

(Figure: Security forms the foundation of Systems Reliability; Confidentiality, Privacy, Processing Integrity, and Availability rest on it.)

The five basic principles that contribute to systems reliability:
Security: Access to the system and its data is controlled.
Confidentiality: Sensitive information is protected from unauthorized disclosure.
Privacy: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
Processing integrity: Data is processed accurately, completely, in a timely manner, and with proper authorization.
Availability: The system is available to meet operational and contractual obligations.

Trust Services Framework

Note the importance of security in this picture. It is the foundation of systems reliability.
Security procedures:
Restrict system access to only authorized users and protect:
The confidentiality of sensitive organizational data.
The privacy of personal identifying information collected from customers.

Security procedures also:
Provide for processing integrity by preventing:
Submission of unauthorized or fictitious transactions.
Unauthorized changes to stored data or programs.
Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.


FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
There are two fundamental information
security concepts that will be discussed in
this chapter:
Security as a management issue, not a
technology issue.
Defense in depth & time-based model of
security.

Security / Systems Reliability

Foundation of the Trust Services Framework
Security is a management issue, not a technology issue.
SOX 302 states:
The CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company's activities.
The accuracy of an organization's financial statements depends upon the reliability of its information systems.


Management's Role in IS Security

Table 8-1
Create a security-aware culture
Inventory and value company information resources
Assess risk, select risk response
Develop and communicate security plans, policies, and procedures
Acquire and deploy IT security resources
Monitor and evaluate effectiveness


TIME-BASED MODEL OF SECURITY
The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
All three types of controls are necessary:
Preventive: Limit actions to those in accord with the organization's security policy and disallow all others.
Detective: Identify when preventive controls have been breached.
Corrective: Repair damage from problems that have occurred. Improve preventive and detective controls to reduce the likelihood of similar incidents.

TIME-BASED MODEL OF SECURITY
The time-based model evaluates the effectiveness of an organization's security by measuring and comparing the relationship among three variables:
P = Time it takes an attacker to break through the organization's preventive controls.
D = Time it takes to detect that an attack is in progress.
C = Time to respond to the attack.
These three variables are evaluated as follows:
If P > (D + C), then security procedures are effective.
Otherwise, security is ineffective.

DEFENSE IN DEPTH
The idea of defense-in-depth is to employ
multiple layers of controls to avoid having
a single point of failure.
If one layer fails, another may function as
planned.
Information security involves using a
combination of firewalls, passwords, and
other preventive procedures to restrict
access.
Redundancy also applies to detective and
corrective controls.

DEFENSE IN DEPTH
Major types of preventive controls used for
defense in depth include:
Authentication controls (passwords, tokens,
biometrics, MAC addresses)
Authorization controls (access control matrices and
compatibility tests)
Training
Physical access controls (locks, guards, biometric
devices)
Remote access controls (IP packet filtering by border
routers and firewalls using access control lists; intrusion
prevention systems; authentication of dial-in users;
wireless access controls)
Host and application hardening procedures
(firewalls, anti-virus software, disabling of unnecessary
features, user account management, software design,
e.g., to prevent buffer overflows)
Encryption

DEFENSE IN DEPTH
Major types of detective controls used for defense in depth include:
Log analysis
Intrusion detection systems
Managerial reports
Security testing (vulnerability scanners, penetration tests, war dialing)

DEFENSE IN DEPTH
Major types of corrective controls used for defense in depth include:
Computer incident response teams (CIRT)
Chief Information Security Officer (CISO)
Patch management

PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security
incidents from happening.
Involves two related functions:

Authentication
Focuses on verifying the identity of the person or device
attempting to gain access.

Authorization
Restricts access of authenticated users to specific portions
of the system and specifies what actions they are permitted
to perform.

PREVENTIVE CONTROLS
Users can be authenticated by verifying:
Something they know, such as passwords or PINs.
Something they have, such as smart cards or ID badges.
Some physical characteristic (biometric identifier), such as fingerprints or voice.

PREVENTIVE CONTROLS
Passwords are probably the most commonly used
authentication method and also the most controversial.

An effective password must satisfy a number of requirements:
Length
Multiple character types
Random
Secret
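The four requirements above can be turned into an automated policy check. The following Go program is an added example, not code from the textbook or its publisher. The thresholds (minimum 12 characters, at least 3 of 4 character classes) and the small blocklist of common passwords are assumptions constructed for the example; "random" is approximated by rejecting runs of identical or sequential characters and known common passwords, and "secret" cannot be checked by code at all.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Assumed policy thresholds (constructed for this example).
const (
	MinLength  = 12
	MinClasses = 3
)

// Constructed blocklist of widely used passwords (illustrative only).
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "qwerty": true, "letmein": true,
}

// CharacterClasses counts how many of upper case, lower case, digit and
// symbol appear in the password ("multiple character types").
func CharacterClasses(pw string) int {
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, b := range []bool{upper, lower, digit, symbol} {
		if b {
			n++
		}
	}
	return n
}

// HasTrivialRun reports a run of three or more identical or sequential
// characters (aaa, 123, abc), a cheap proxy for "not random".
func HasTrivialRun(pw string) bool {
	r := []rune(strings.ToLower(pw))
	for i := 2; i < len(r); i++ {
		if r[i] == r[i-1] && r[i-1] == r[i-2] {
			return true
		}
		if r[i] == r[i-1]+1 && r[i-1] == r[i-2]+1 {
			return true
		}
	}
	return false
}

// CheckPassword returns the requirements the password fails, in policy
// order; an empty result means the policy is satisfied.
func CheckPassword(pw string) []string {
	var failures []string
	if len([]rune(pw)) < MinLength {
		failures = append(failures, "length")
	}
	if CharacterClasses(pw) < MinClasses {
		failures = append(failures, "character types")
	}
	if HasTrivialRun(pw) || commonPasswords[strings.ToLower(pw)] {
		failures = append(failures, "random")
	}
	return failures
}

func main() {
	for _, pw := range []string{"password", "Tr0ub4dor&3", "c7#Kq!9vLp2@Xm"} {
		fmt.Printf("%-16s -> %v\n", pw, CheckPassword(pw))
	}
}
```

The checks are ordered so that the cheapest (length) runs first; a real deployment would add a much larger blocklist and a check against the user's own name or ID.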

PREVENTIVE CONTROLS
Each authentication method has its limitations.

Passwords
Can be guessed, lost, written down, or given away.

Physical identification techniques
Include cards, badges, USB devices, and cell phones.
Can be lost, stolen, or duplicated.

Biometric techniques
Expensive and often cumbersome.
Not yet 100% accurate, sometimes rejecting legitimate users and allowing unauthorized people.
Some techniques like fingerprints may carry negative connotations that hinder acceptance.
Security concerns surround the storage of this data. If the data is compromised, it could create serious, life-long problems for the donor.
Unlike passwords or tokens, biometric identifiers cannot be replaced or changed.
PREVENTIVE CONTROLS
Although none of the three basic
authentication methods is foolproof by
itself, the use of two or three in
conjunction, known as multi-factor
authentication, is quite effective.
Example: Using a palm print and a PIN
number together is much more effective
than using either method alone.

PREVENTIVE CONTROLS
Authorization controls are implemented by creating an access control matrix.
Specifies what part of the IS a user can access and what actions they are permitted to perform.
When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

PREVENTIVE CONTROLS
Access control matrix (example):

User Identification        Files        Programs
Code Number   Password     A  B  C      1  2  3  4
12345         ABC          0  0  1      0  0  0  0
12346         DEF          0  2  0      0  0  0  0
12354         KLM          1  1  1      0  0  0  0
12359         NOP          3  0  0      0  0  0  0
12389         RST          0  1  0      0  3  0  0
12567         XYZ          1  1  1      1  1  1  1

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete

Who has the authority to delete Program 2?
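The compatibility test described above can be written directly against the matrix. The Go program below is an added example, not the textbook's own code; it copies the user codes, passwords and access codes from the slide, and the mapping of actions ("read", "update", "delete", ...) to the minimum access code that permits them is an assumption drawn from the code legend. Unknown users, resources and actions are denied, so the check fails closed.

```go
package main

import "fmt"

// Access codes from the slide's legend.
const (
	NoAccess    = 0
	Read        = 1 // read and display only
	ReadUpdate  = 2 // read, display, and update
	FullControl = 3 // read, display, update, create, and delete
)

// Minimum access code each action needs (assumption derived from the legend).
var requiredCode = map[string]int{
	"read": Read, "display": Read,
	"update": ReadUpdate,
	"create": FullControl, "delete": FullControl,
}

// The access control matrix from the slide: user code -> resource -> access code.
var matrix = map[string]map[string]int{
	"12345": {"File A": 0, "File B": 0, "File C": 1, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12346": {"File A": 0, "File B": 2, "File C": 0, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12354": {"File A": 1, "File B": 1, "File C": 1, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12359": {"File A": 3, "File B": 0, "File C": 0, "Program 1": 0, "Program 2": 0, "Program 3": 0, "Program 4": 0},
	"12389": {"File A": 0, "File B": 1, "File C": 0, "Program 1": 0, "Program 2": 3, "Program 3": 0, "Program 4": 0},
	"12567": {"File A": 1, "File B": 1, "File C": 1, "Program 1": 1, "Program 2": 1, "Program 3": 1, "Program 4": 1},
}

// Passwords paired with each user code on the slide (the authentication step).
var passwords = map[string]string{
	"12345": "ABC", "12346": "DEF", "12354": "KLM",
	"12359": "NOP", "12389": "RST", "12567": "XYZ",
}

var allUsers = []string{"12345", "12346", "12354", "12359", "12389", "12567"}

// Authenticate verifies "something the user knows" before any authorization check.
func Authenticate(user, password string) bool {
	pw, ok := passwords[user]
	return ok && pw == password
}

// CompatibilityTest is the authorization step: look up the user's access code
// for the resource and compare it with the code the requested action needs.
func CompatibilityTest(user, resource, action string) bool {
	need, ok := requiredCode[action]
	if !ok {
		return false // unknown action: deny
	}
	row, ok := matrix[user]
	if !ok {
		return false // unknown user: deny
	}
	code, ok := row[resource]
	if !ok {
		return false // unknown resource: deny
	}
	return code >= need
}

// WhoCan lists the users the matrix permits to perform an action on a resource,
// which answers questions such as the one on the slide.
func WhoCan(resource, action string) []string {
	var users []string
	for _, u := range allUsers {
		if CompatibilityTest(u, resource, action) {
			users = append(users, u)
		}
	}
	return users
}

func main() {
	fmt.Println("can delete Program 2:", WhoCan("Program 2", "delete"))
	fmt.Println("can update File B:   ", WhoCan("File B", "update"))
	user, pw := "12346", "DEF"
	if Authenticate(user, pw) {
		fmt.Println(user, "update File B:", CompatibilityTest(user, "File B", "update"))
		fmt.Println(user, "delete File B:", CompatibilityTest(user, "File B", "delete"))
	}
}
```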

PREVENTIVE CONTROLS
Authentication and authorization can be applied to devices as well as users.
Every workstation, printer, or other computing device needs a network interface card (NIC) to connect to the organization's network.
Each network device has a unique identifier, referred to as its media access control (MAC) address.
It is possible to restrict network access to only those devices which have a recognized MAC address or to use MAC addresses for authorization.
For example, payroll or EFT applications should be set only to run from authorized terminals.

PREVENTIVE CONTROLS
Encryption

(Figure: layers of preventive controls, from outermost to innermost: Training, Control Physical Access, Control Remote Access, Hardening, Encryption.)

Encryption is the final layer of preventive controls.

PREVENTIVE CONTROLS
Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
Encryption also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions.
Therefore, accountants, auditors, and systems professionals need to understand encryption.

PREVENTIVE CONTROLS

(Figure: Plaintext "This is a contract for . . ." + Key -> Encryption algorithm -> Ciphertext "Xb&j &m 2 ep0%fg . . ." + Key -> Decryption algorithm -> Plaintext "This is a contract for . . .")

Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Decryption reverses this process.
To encrypt or decrypt, both a key and an algorithm are needed.

PREVENTIVE CONTROLS
Hashing
Hashing takes plaintext of any length and transforms it into a short code called a hash.
SHA-256 creates a 256-bit hash regardless of text length.
Hashing differs from encryption in that:
Encryption always produces ciphertext similar in length to the plaintext, but hashing produces a hash of a fixed short length.
Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext.

PREVENTIVE CONTROLS
Digital signatures
Asymmetric encryption and hashing are used to create digital signatures.
A digital signature is information encrypted with the creator's private key.
That information can only be decrypted using the corresponding public key.
So successful decryption with an entity's public key proves the message could only have been created by the entity that holds the corresponding private key.
The private key is known only to its owner, so only the owner could have created the message.

PREVENTIVE CONTROLS
A digital certificate is an electronic document, created and digitally signed by a trusted third party.
Certifies the identity of the owner of a particular public key.
Digital certificates provide an automated method for obtaining an organization's or individual's public key.

DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all attacks.
So organizations implement detective controls to enhance security by:
Monitoring the effectiveness of preventive controls; and
Detecting incidents in which preventive controls have been circumvented.

DETECTIVE CONTROLS
Authentication and authorization controls (both
preventive and detective) govern access to the
system and limit the actions that can be
performed by authorized users.
Actual system use (detective control) must be
examined to assess compliance through:
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security
procedures

DETECTIVE CONTROLS
Log analysis
Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
Logs form an audit trail of system access.
Are of value only if routinely examined.
Log analysis is the process of examining logs to monitor security.

DETECTIVE CONTROLS
The log may indicate unsuccessful
attempts to log in to different servers.
The person analyzing the log must try to
determine the reason for the failed
attempt. Could be:
The person was a legitimate user who forgot
his password.
Was a legitimate user but not authorized to
access that particular server.
The user ID was invalid and represented an
attempted intrusion.
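The three explanations for a failed login listed above can be partly automated by correlating the log with the user directory and the authorization list. The Go program below is an added example, not the textbook's code. The log format ("time server user result"), the sample log lines, the user directory and the authorization table are all constructed for the example; a real system's log format would differ.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one access-log record. The "time server user result" format is
// constructed for this example.
type Entry struct {
	Time, Server, User, Result string
}

// Constructed sample log: login attempts on two servers.
const sampleLog = `08:01:10 payroll01 jsmith FAIL
08:01:25 payroll01 jsmith OK
08:02:03 payroll01 mlee FAIL
08:02:30 payroll01 mlee FAIL
08:03:00 fileserv mlee OK
08:05:41 payroll01 admin FAIL
08:05:42 payroll01 root FAIL
08:05:43 payroll01 test FAIL
08:09:00 fileserv jsmith OK`

// Directory of valid user IDs (constructed).
var knownUsers = map[string]bool{"jsmith": true, "mlee": true}

// Servers each user is authorized to use (constructed).
var authorized = map[string]map[string]bool{
	"jsmith": {"payroll01": true, "fileserv": true},
	"mlee":   {"fileserv": true},
}

// ParseLog splits the text into entries, skipping malformed lines rather
// than aborting the whole analysis.
func ParseLog(text string) []Entry {
	var entries []Entry
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		entries = append(entries, Entry{f[0], f[1], f[2], f[3]})
	}
	return entries
}

// Finding pairs a failed attempt with the analyst's most likely explanation.
type Finding struct {
	Entry  Entry
	Reason string
}

// AnalyzeFailures classifies each FAIL entry using the slide's three cases:
// invalid user ID (attempted intrusion), known user not authorized for that
// server, or known user who likely forgot the password (a later OK exists).
func AnalyzeFailures(entries []Entry) []Finding {
	var findings []Finding
	for i, e := range entries {
		if e.Result != "FAIL" {
			continue
		}
		reason := "known, authorized user with no later success: investigate"
		switch {
		case !knownUsers[e.User]:
			reason = "invalid user ID: possible intrusion attempt"
		case !authorized[e.User][e.Server]:
			reason = "legitimate user not authorized for this server"
		default:
			for _, later := range entries[i+1:] {
				if later.User == e.User && later.Server == e.Server && later.Result == "OK" {
					reason = "legitimate user who forgot password (later success)"
					break
				}
			}
		}
		findings = append(findings, Finding{e, reason})
	}
	return findings
}

// FailureCounts totals failures per user ID; a burst of failures for several
// unknown IDs from the same server window is the pattern worth escalating.
func FailureCounts(entries []Entry) map[string]int {
	counts := map[string]int{}
	for _, e := range entries {
		if e.Result == "FAIL" {
			counts[e.User]++
		}
	}
	return counts
}

func main() {
	entries := ParseLog(sampleLog)
	for _, f := range AnalyzeFailures(entries) {
		fmt.Printf("%s %-9s %-7s -> %s\n", f.Entry.Time, f.Entry.Server, f.Entry.User, f.Reason)
	}
	fmt.Println("failures per user:", FailureCounts(entries))
}
```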

DETECTIVE CONTROLS
Intrusion detection systems
A major weakness of log analysis is that it is
labor intensive and prone to human error.
Intrusion detection systems (IDS) represent an
attempt to automate part of the monitoring.

DETECTIVE CONTROLS
An Intrusion Detection System creates a
log of network traffic that was permitted to
pass the firewall.
Analyzes the logs for signs of attempted or
successful intrusions.
Most common analysis is to compare logs to a
database containing patterns of traffic
associated with known attacks.
An alternative technique builds a model
representing normal network traffic and uses
various statistical techniques to identify
unusual behavior.
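Both IDS techniques on this slide, matching against a database of known-attack patterns and flagging departures from a model of normal traffic, fit in a short program. The Go code below is an added example, not the textbook's code. The packet records, the two placeholder signatures and the per-minute connection counts are constructed; the statistical model is a simple mean/standard-deviation baseline with a z-score threshold, one of many techniques the slide's "various statistical techniques" could refer to.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Packet is a simplified record of traffic the firewall permitted to pass
// (constructed: source address, destination port, payload).
type Packet struct {
	Src     string
	DstPort int
	Payload string
}

// Signature database: payload patterns associated with known attacks.
// The entries are illustrative placeholders, not a real IDS ruleset.
var signatures = map[string]string{
	"SIG-001 directory traversal": "../../",
	"SIG-002 SQL tautology":       "' OR '1'='1",
}

// MatchSignatures is the most common IDS analysis: compare logged traffic
// against the database of known-attack patterns. Hits are grouped by source.
func MatchSignatures(pkts []Packet) map[string][]string {
	hits := map[string][]string{}
	for _, p := range pkts {
		for name, pattern := range signatures {
			if strings.Contains(p.Payload, pattern) {
				hits[p.Src] = append(hits[p.Src], name)
			}
		}
	}
	return hits
}

// Baseline is a model of normal traffic (mean and standard deviation of a
// measure such as connections per minute) learned from a training period.
type Baseline struct{ Mean, StdDev float64 }

func LearnBaseline(samples []float64) Baseline {
	if len(samples) == 0 {
		return Baseline{} // nothing to learn from; caller must train first
	}
	var sum float64
	for _, s := range samples {
		sum += s
	}
	mean := sum / float64(len(samples))
	var sq float64
	for _, s := range samples {
		sq += (s - mean) * (s - mean)
	}
	return Baseline{mean, math.Sqrt(sq / float64(len(samples)))}
}

// IsAnomalous flags a value more than `threshold` standard deviations above
// the mean. With a zero standard deviation (constant training data) any
// departure from the mean is flagged, so the check never divides by zero.
func (b Baseline) IsAnomalous(value, threshold float64) bool {
	if b.StdDev == 0 {
		return value != b.Mean
	}
	return (value-b.Mean)/b.StdDev > threshold
}

func main() {
	pkts := []Packet{
		{"10.0.0.5", 80, "GET /index.html"},
		{"203.0.113.9", 80, "GET /../../config"},
		{"203.0.113.9", 80, "user=' OR '1'='1"},
	}
	fmt.Println("signature hits:", MatchSignatures(pkts))

	// Connections per minute from one host during a normal period (constructed).
	normal := []float64{12, 15, 11, 14, 13, 16, 12, 15, 14, 13}
	b := LearnBaseline(normal)
	fmt.Printf("baseline mean %.1f sd %.2f; 16/min anomalous: %v; 300/min anomalous: %v\n",
		b.Mean, b.StdDev, b.IsAnomalous(16, 3), b.IsAnomalous(300, 3))
}
```

The two approaches fail in opposite ways: the signature match misses anything not already in the database, while the baseline flags any large deviation, including legitimate but unusual load, so the threshold governs the false-alarm rate.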

DETECTIVE CONTROLS
Managerial reports
Management reports are another important
detective control.
Management can use COBIT to set up a report
scorecard.
COBIT provides:
Management guidelines that identify
crucial success factors associated with
each objective.
Key performance indicators that can be
used to assess their effectiveness.

DETECTIVE CONTROLS
COBIT key performance indicators:
Number of incidents with business impact
Percent of users who do not comply with
password standards
Percent of cryptographic keys compromised
and revoked

DETECTIVE CONTROLS
Although regular review of periodic
performance reports can help ensure that
security controls are adequate, surveys
indicate that many organizations fail to
regularly monitor security.

DETECTIVE CONTROLS
Security testing
The effectiveness of existing security procedures should
be tested periodically.
One approach is vulnerability scans, which use
automated tools designed to identify whether a
system possesses any well-known vulnerabilities.
Security Websites such as the Center for Information
Security (www.cisecurity.org) provide:
Benchmarks for security best practices.
Tools to measure how well a system conforms.

DETECTIVE CONTROLS
Penetration testing provides a rigorous way to test the effectiveness of an organization's information security.
This testing involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's IS.

Steps in an IS System Attack (figure)

Conduct Reconnaissance
Attempt Social Engineering
Scan & Map Target
Research
Execute Attack
Cover Tracks

DETECTIVE CONTROLS
The teams try every possible way to compromise a company's system, including:
Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers.
Using sexy decoys to distract guards.
Climbing through roof hatches and dropping through ceiling panels.
Some claim they can get into 90% or more of the companies they attack.

CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents.
Two of the Trust Services framework criteria for effective security are the existence of procedures to:
React to system security breaches and other incidents.
Take corrective action on a timely basis.

CORRECTIVE CONTROLS
Three key components that satisfy the preceding criteria are:
Establishment of a computer incident response team.
Designation of a specific individual with organization-wide responsibility for security.
An organized patch management system.

CORRECTIVE CONTROLS
Computer incident response team
A key component to being able to respond to security incidents promptly and effectively is the establishment of a computer incident response team (CIRT).
Responsible for dealing with major incidents.
Should include technical specialists and senior operations management.
Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.

CORRECTIVE CONTROLS
The CIRT should lead the organization's incident response process through four steps:

Recognition that a problem exists
Typically occurs when an IDS signals an alert or as a result of a system administrator's log analysis.

Containment of the problem
Once an intrusion is detected, prompt action is needed to stop it and contain the damage.

Recovery
Damage must be repaired.
May involve restoring data from backup and reinstalling corrupted programs (discussed more in Chapter 8).

Follow-up
Once recovery is in process, the CIRT should lead analysis of how the incident occurred.
Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident.
An important decision is whether to try to catch and punish the perpetrator.
If the perpetrator will be pursued, forensic experts should be involved immediately to ensure that all possible evidence is collected and maintained in a manner that makes it admissible in court.

CORRECTIVE CONTROLS
A chief information security officer (CISO):
Should be independent of other IS functions and report to either the COO or CEO.
Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
Works with the person in charge of building security, as that is often the entity's weakest link.
Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.

CORRECTIVE CONTROLS
Patch management
Another important corrective control involves
fixing known vulnerabilities and installing latest
updates to:
Anti-virus software
Firewalls
Operating systems
Application programs
The number of reported vulnerabilities rises
each year.

CORRECTIVE CONTROLS
Hackers usually publish instructions for exploiting known vulnerabilities (known as exploits) on the Internet.
Although it takes skill to discover the exploit, once published, it can be executed by almost anyone.
Attackers who execute these programmed exploits are referred to as script kiddies.
A patch is code released by software developers to fix vulnerabilities that have

CORRECTIVE CONTROLS
Patch management is the process for regularly applying patches and updates to all of an organization's software.
Challenging to do because:
Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.

CORRECTIVE CONTROLS
Intrusion prevention systems may provide
great promise if they can be quickly
updated to respond to new vulnerabilities
and block new exploits, so that the entity
can buy time to:
Thoroughly test the patches.
Apply the patches.

Network Access Control: Perimeter Defense
(Should be part of Preventive Controls)

Border router
Connects an organization's information system to the Internet.

Firewall
Software or hardware used to filter information.

Demilitarized Zone (DMZ)
Separate network that permits controlled access from the Internet to selected resources.

Intrusion Prevention Systems (IPS)
Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.

New Considerations

Virtualization
Multiple systems are run on one computer.

Cloud Computing
Remotely accessed resources: software applications, data storage, hardware.

Risks
Increased exposure if a breach occurs.
Reduced authentication standards.

Opportunities
Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.
