Page 1:

Chapter 8: Information Systems Controls for System Reliability—Part 1: Information Security

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

8-1

Page 2:

Learning Objectives

Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.

Explain the factors that influence information systems reliability.

Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

Page 3:

AIS Controls

COSO and COSO-ERM address general internal control.

COBIT addresses information technology internal control.

Page 4:

Information for Management Should Be:

Effectiveness: Information must be relevant and timely.

Efficiency: Information must be produced in a cost-effective manner.

Confidentiality: Sensitive information must be protected from unauthorized disclosure.

Integrity: Information must be accurate, complete, and valid.

Availability: Information must be available whenever needed.

Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.

Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Page 5:

COBIT Framework (figure: Information Criteria)

Page 6:

COBIT Cycle

1. Management develops plans to organize information resources to provide the information it needs.

2. Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.

3. Management ensures that the resulting system actually delivers the desired information.

4. Management monitors and evaluates system performance against the established criteria.

The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

Page 7:

COBIT Controls

210 controls for ensuring information integrity; a subset is relevant for external auditors: IT Control Objectives for Sarbanes-Oxley, 2nd Edition.

AICPA and CICA information systems controls: controls for system and financial statement reliability.

Page 8:

Trust Services Framework

Security: Access to the system and its data is controlled and restricted to legitimate users.

Confidentiality: Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.

Privacy: Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

Processing Integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability: The system and its information are available to meet operational and contractual obligations.

Page 9:

Trust Services Framework (figure)

Page 10:

Security / Systems Reliability

Security is the foundation of the Trust Services Framework.

It is a management issue, not a technology issue.

SOX Section 302 states that the CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company's activities. The accuracy of an organization's financial statements therefore depends upon the reliability of its information systems.

Defense-in-depth and the time-based model of information security: have multiple layers of control.

Page 11:

Management's Role in IS Security

Create a security-aware culture.

Inventory and value company information resources.

Assess risk and select a risk response.

Develop and communicate security plans, policies, and procedures.

Acquire and deploy IT security resources.

Monitor and evaluate effectiveness.

Page 12:

Time-Based Model

Combination of detective and corrective controls

P = the time it takes an attacker to break through the organization's preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond to the attack

For an effective information security system: P > D + C

That is, the preventive controls must hold for longer than it takes to detect the attack and complete the response; if P cannot be raised, the inequality can still be satisfied by shortening D (detective controls) and C (corrective controls).

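The inequality above, worked through as an added example (not from the slides): each scenario's P, D and C are constructed figures in minutes, and defense in depth is modelled by adding the time each layer holds, since the attacker must defeat the layers in turn.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    p: float  # P: minutes the preventive controls hold against the attacker
    d: float  # D: minutes until the attack in progress is detected
    c: float  # C: minutes from detection until the response stops the attack


def is_effective(s: Scenario) -> bool:
    """The slide's criterion: security is effective when P > D + C."""
    return s.p > s.d + s.c


def margin(s: Scenario) -> float:
    """Minutes of P left when the response completes (negative = attacker got through)."""
    return s.p - (s.d + s.c)


def layered_p(layer_minutes) -> float:
    """Defense in depth: each layer must be defeated in turn, so their times add up to P."""
    return float(sum(layer_minutes))


def max_response_time(s: Scenario) -> float:
    """Largest C that still satisfies P > D + C for this P and D (the budget for corrective controls)."""
    return s.p - s.d


def assess(scenarios):
    """Evaluate each scenario; returns name -> (effective?, margin)."""
    return {s.name: (is_effective(s), margin(s)) for s in scenarios}


# Constructed figures (not from the slides): one perimeter control vs. three layers.
SCENARIOS = [
    Scenario("firewall only", p=layered_p([30]), d=60, c=120),
    Scenario("firewall + hardening + IPS", p=layered_p([30, 90, 120]), d=60, c=120),
    Scenario("faster detection", p=layered_p([30, 90, 120]), d=15, c=120),
]

if __name__ == "__main__":
    for name, (ok, m) in assess(SCENARIOS).items():
        print(f"{name:28s} effective={ok!s:5s} margin={m:+.0f} min")
```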
Page 13:

Steps in an IS System Attack (figure)

Page 14:

Mitigate Risk of Attack

Preventive Control

Detective Control

Corrective Control

Page 15:

Preventive Control

Training

User access controls (authentication and authorization)

Physical access controls (locks, guards, etc.)

Network access controls (firewalls, intrusion prevention systems, etc.)

Device and software hardening controls (configuration options)

Page 16:

Authentication vs. Authorization

Authentication—verifies who a person is:

1. Something the person knows

2. Something the person has

3. Some biometric characteristic

4. A combination of all three

Authorization—determines what a person can access

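An added example (not from the slides) of why the two checks are separate: a login that passes authentication still has to pass authorization for the requested action. The user store, roles and actions are constructed; the second factor ("something the person has") is assumed to be verified elsewhere and is passed in as a boolean.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen store cannot be reversed quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (not a real system): per-user salt and hash for
# "something the person knows", plus a role used only for authorization.
def _user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash(password, salt), "role": role}


USERS = {"alice": _user("correct horse battery", "clerk"),
         "bob": _user("hunter2", "approver")}

# Authorization policy: what each role may do (least privilege: clerks enter, approvers approve).
PERMISSIONS = {"clerk": {"enter_invoice"},
               "approver": {"enter_invoice", "approve_payment"}}


def authenticate(user: str, password: str, second_factor_ok: bool) -> bool:
    """Verify who the person is: password plus a second factor (assumed checked by a
    separate token/OTP verifier; that verifier is not part of this example)."""
    rec = USERS.get(user)
    if rec is None:
        _hash(password, b"\x00" * 16)  # same cost as a real check, so timing does not reveal valid names
        return False
    pw_ok = hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))
    return pw_ok and second_factor_ok


def authorize(user: str, action: str) -> bool:
    """Determine what an already-authenticated person may access."""
    role = USERS.get(user, {}).get("role")
    return action in PERMISSIONS.get(role, set())


def request(user: str, password: str, second_factor_ok: bool, action: str) -> str:
    """Both checks must pass: a valid login does not by itself grant the action."""
    if not authenticate(user, password, second_factor_ok):
        return "denied: authentication failed"
    if not authorize(user, action):
        return "denied: not authorized"
    return "allowed"
```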
Page 17:

Network Access Control (Perimeter Defense)

Border router: connects an organization's information system to the Internet.

Firewall: software or hardware used to filter information.

Demilitarized Zone (DMZ): separate network that permits controlled access from the Internet to selected resources.

Intrusion Prevention Systems (IPS): monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.

Page 18:

Internet Information Protocols (figure)

Page 19:

Device and Software Hardening (Internal Defense)

End-Point Configuration: disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations.

User Account Management

Software Design: programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

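The software design point above, shown as an added example (not code from the slides): the unsafe lookup splices external input straight into a query, while the hardened lookup checks the input against an allowlist and then binds it as a parameter. The table and rows are constructed in memory.

```python
import re
import sqlite3

# Constructed in-memory table standing in for application data (not a real system).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])


def lookup_unsafe(raw_id: str) -> list:
    """Trusts external input and splices it into the SQL text: the pattern the slide warns against."""
    rows = conn.execute(f"SELECT name FROM customers WHERE id = {raw_id}").fetchall()
    return [name for (name,) in rows]


CUSTOMER_ID = re.compile(r"[0-9]{1,9}")  # allowlist: the only shape a valid id may have


def is_valid_id(raw_id: str) -> bool:
    """Positive validation: accept only input that matches the expected shape."""
    return CUSTOMER_ID.fullmatch(raw_id) is not None


def lookup_safe(raw_id: str) -> list:
    """Checks the input first, then passes it as a bound parameter so it is data, never SQL."""
    if not is_valid_id(raw_id):
        raise ValueError("rejected untrusted input")
    rows = conn.execute("SELECT name FROM customers WHERE id = ?", (int(raw_id),)).fetchall()
    return [name for (name,) in rows]
```

With input such as "1 OR 1=1" the unsafe version returns every customer; the safe version refuses the input before it reaches the database.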
Page 20:

Detective Controls

Log Analysis: process of examining logs to identify evidence of possible attacks.

Intrusion Detection: sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.

Managerial Reports

Security Testing

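Log analysis as an added example (not from the slides): the log lines are constructed, and the rule flags a source address with a burst of failed logins inside a short window, noting whether a successful login from that source followed, which is the kind of evidence the detective control is meant to surface.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not taken from any real system).
SAMPLE_LOG = """\
2012-03-01T09:00:01 auth FAIL user=alice src=10.0.0.7
2012-03-01T09:00:04 auth FAIL user=alice src=10.0.0.7
2012-03-01T09:00:06 auth FAIL user=admin src=10.0.0.7
2012-03-01T09:00:09 auth FAIL user=root src=10.0.0.7
2012-03-01T09:00:11 auth FAIL user=bob src=10.0.0.7
2012-03-01T09:00:15 auth OK user=bob src=10.0.0.7
2012-03-01T09:30:00 auth FAIL user=carol src=10.0.0.9
2012-03-01T10:05:00 auth OK user=carol src=10.0.0.9
"""


def parse(line: str):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, _facility, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def find_bruteforce(log_text: str, threshold: int = 5, window=timedelta(minutes=5)):
    """Flag each source with >= threshold failed logins inside `window`, and note
    whether a successful login from that source followed (a possible compromise)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse(line)
            by_src[src].append((ts, result, user))
    findings = []
    for src, events in by_src.items():
        fails = sorted(ts for ts, result, _ in events if result == "FAIL")
        # sliding window over the failure times: first and last of `threshold` failures within `window`
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                last_fail = fails[i + threshold - 1]
                findings.append({
                    "src": src,
                    "failures": len(fails),
                    "users_tried": sorted({u for _, _, u in events}),
                    "success_after": any(r == "OK" and ts > last_fail for ts, r, _ in events),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE_LOG):
        print(finding)
```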
Page 21:

Corrective Controls

Computer Incident Response Team

Chief Information Security Officer (CISO): independent responsibility for information security assigned to someone at an appropriate senior level.

Patch Management: fix known vulnerabilities by installing the latest updates to security programs, operating systems, and application programs.

Page 22:

Computer Incident Response Team

1. Recognize that a problem exists

2. Containment of the problem

3. Recovery

4. Follow-up

Page 23:

New Considerations

Virtualization: multiple systems are run on one computer.

Cloud Computing: remotely accessed resources (software applications, data storage, hardware).

Risks: increased exposure if a breach occurs; reduced authentication standards.

Opportunities: implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.