Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-1

Dec 22, 2015


Edwin Gardner


Learning Objectives

Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.

Explain the factors that influence information systems reliability.

Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.


AIS Controls

COSO and COSO-ERM address general internal control

COBIT addresses information technology internal control


Information for Management Should Be:

Effectiveness: Information must be relevant and timely.

Efficiency: Information must be produced in a cost-effective manner.

Confidentiality: Sensitive information must be protected from unauthorized disclosure.

Integrity: Information must be accurate, complete, and valid.

Availability: Information must be available whenever needed.

Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.

Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.


COBIT Framework

Plan & Organize

Acquire & Implement

Deliver & Support

Monitor & Evaluate

Information Criteria


COBIT Cycle

Management develops plans to organize information resources to provide the information it needs.

Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.

Management ensures that the resulting system actually delivers the desired information.

Management monitors and evaluates system performance against the established criteria.

Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.


COBIT Controls

210 controls for ensuring information integrity

Subset is relevant for external auditors: IT control objectives for Sarbanes-Oxley, 2nd Edition

AICPA and CICA information systems controls: Controls for system and financial statement reliability


Trust Services Framework

Security: Access to the system and its data is controlled and restricted to legitimate users.

Confidentiality: Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.

Privacy: Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

Processing Integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability: The system and its information are available to meet operational and contractual obligations.


Trust Services Framework


Security / Systems Reliability

Foundation of the Trust Services Framework

Management issue, not a technology issue

SOX 302 states that the CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.

The accuracy of an organization’s financial statements depends upon the reliability of its information systems.

Defense-in-depth and the time-based model of information security: have multiple layers of control


Management’s Role in IS Security

Create security aware culture

Inventory and value company information resources

Assess risk, select risk response

Develop and communicate security: Plans, policies, and procedures

Acquire and deploy IT security resources

Monitor and evaluate effectiveness


Time-Based Model

Combination of detective and corrective controls

P = the time it takes an attacker to break through the organization’s preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond to the attack

For an effective information security system:

P > D + C
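The time-based model above, applied to incident timelines, as an added example that is not from the textbook: D and C are measured from the timestamps an incident response team records (the incident records here are constructed), while P is an assumed estimate such as a penetration-test result.

```python
"""Time-based model of security (P > D + C) measured from incident timelines.

Added example, not from the textbook. The incident records are constructed;
P (time to defeat the preventive controls) is an assumed estimate, while
D and C are measured from the recorded timestamps.
"""
from datetime import datetime

# Constructed incident records: attack start, time of detection, and time the
# response (containment) was complete, all in ISO 8601 format.
INCIDENTS = [
    {"id": "INC-1", "start": "2015-12-01T08:00:00",
     "detected": "2015-12-01T08:20:00", "responded": "2015-12-01T09:05:00"},
    {"id": "INC-2", "start": "2015-12-03T22:10:00",
     "detected": "2015-12-04T06:30:00", "responded": "2015-12-04T07:00:00"},
]

def measure(incident):
    """Return (D, C) in minutes for one incident: D is start -> detected,
    C is detected -> responded."""
    t0 = datetime.fromisoformat(incident["start"])
    td = datetime.fromisoformat(incident["detected"])
    tc = datetime.fromisoformat(incident["responded"])
    if not t0 <= td <= tc:
        raise ValueError(f"{incident['id']}: timestamps out of order")
    return (td - t0).total_seconds() / 60, (tc - td).total_seconds() / 60

def evaluate(p_minutes, incidents):
    """Compare P with the worst observed D + C across the incidents.

    A positive margin means P exceeds D + C (the model's condition holds);
    a negative margin is the gap that faster detection or response must close.
    """
    worst_id, worst = max(((i["id"], sum(measure(i))) for i in incidents),
                          key=lambda pair: pair[1])
    return {"worst_incident": worst_id, "worst_d_plus_c": worst,
            "effective": p_minutes > worst, "margin": p_minutes - worst}

if __name__ == "__main__":
    for inc in INCIDENTS:
        d, c = measure(inc)
        print(f"{inc['id']}: D={d:.0f} min, C={c:.0f} min")
    print(evaluate(240, INCIDENTS))   # assumed P of 4 hours
```

Running it shows that INC-2, detected only the next morning, is what breaks the condition: reducing D (overnight monitoring) matters more here than a faster response.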


Steps in an IS System Attack

Conduct Reconnaissance

Attempt Social Engineering

Scan & Map Target

Research

Execute Attack

Cover Tracks


Mitigate Risk of Attack

Preventive Control

Detective Control

Corrective Control


Preventive Control

Training

User access controls (authentication and authorization)

Physical access controls (locks, guards, etc.)

Network access controls (firewalls, intrusion prevention systems, etc.)

Device and software hardening controls (configuration options)


Authentication vs. Authorization

Authentication—verifies who a person is:

1. Something person knows

2. Something person has

3. Some biometric characteristic

4. Combination of all three

Authorization—determines what a person can access


Network Access Control (Perimeter Defense)

Border router: Connects an organization’s information system to the Internet

Firewall: Software or hardware used to filter information

Demilitarized Zone (DMZ): Separate network that permits controlled access from the Internet to selected resources

Intrusion Prevention Systems (IPS): Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks


Internet Information Protocols


Device and Software Hardening (Internal Defense)

End-Point Configuration: Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations

User Account Management

Software Design: Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.
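The software design rule above (check every external input before acting on it), as an added example that is not from the textbook: it assumes a customer lookup keyed by an 8-digit account number arriving from a web form; the table, rows and account format are constructed.

```python
"""Validate external input before further processing: added example, not
from the textbook. Assumes a customer lookup by an 8-digit account number
that arrives from an external web form. Table and rows are constructed.
"""
import re
import sqlite3

# Allow-list: an account number is exactly 8 digits. Anything else is
# rejected before it reaches the database layer.
ACCOUNT_RE = re.compile(r"^[0-9]{8}$")

def validate_account_number(raw):
    """Return the cleaned account number, or raise ValueError."""
    if not isinstance(raw, str):
        raise ValueError("account number must be a string")
    value = raw.strip()
    if not ACCOUNT_RE.fullmatch(value):
        raise ValueError("account number must be exactly 8 digits")
    return value

def setup_db():
    """Constructed in-memory table with two sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (account TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)",
                     [("12345678", "Alice"), ("87654321", "Bob")])
    return conn

def lookup_customer(conn, raw_account):
    """Validate first, then query with a bound parameter so the value is
    always treated as data, never as part of the SQL statement."""
    account = validate_account_number(raw_account)
    row = conn.execute("SELECT name FROM customer WHERE account = ?",
                       (account,)).fetchone()
    return row[0] if row else None

def safe_lookup(conn, raw_account):
    """Report a rejection instead of raising, for callers that log and
    continue. Returns ("ok", name_or_None) or ("rejected", reason)."""
    try:
        return "ok", lookup_customer(conn, raw_account)
    except ValueError as exc:
        return "rejected", str(exc)

if __name__ == "__main__":
    db = setup_db()
    for candidate in ["12345678", " 87654321 ", "1234567", "abc", 42]:
        print(repr(candidate), "->", safe_lookup(db, candidate))
```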


Detective Controls

Log Analysis: Process of examining logs to identify evidence of possible attacks

Intrusion Detection: Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions

Managerial Reports

Security Testing
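Log analysis as a detective control, as an added example that is not from the textbook: it scans constructed syslog-style login records for a burst of failed logins from one source (an attempted intrusion) and for a successful login from that same source right afterwards (a possible successful one). The log format, threshold and window are assumptions.

```python
"""Log analysis as a detective control: added example, not from the textbook.
Flags a burst of failed logins from one source within a short window, and a
success from that source afterwards. Log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2015-12-22T09:00:01 sshd[410]: Failed password for admin from 198.51.100.7
2015-12-22T09:00:03 sshd[410]: Failed password for admin from 198.51.100.7
2015-12-22T09:00:04 sshd[410]: Failed password for root from 198.51.100.7
2015-12-22T09:00:06 sshd[410]: Failed password for admin from 198.51.100.7
2015-12-22T09:00:07 sshd[410]: Failed password for admin from 198.51.100.7
2015-12-22T09:00:09 sshd[410]: Accepted password for admin from 198.51.100.7
2015-12-22T09:15:00 sshd[411]: Failed password for alice from 203.0.113.5
2015-12-22T09:20:00 sshd[412]: Accepted password for alice from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$")

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (timestamp, source, alert) tuples: 'burst' when >= threshold
    failures from one source fall inside the window, 'success' for an
    accepted login from a source that already produced a burst."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    burst_sources = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unparseable lines are skipped, not trusted
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append((ts, src, "burst"))
        elif src in burst_sources:
            alerts.append((ts, src, "success"))
    return alerts
```

The single failure from 203.0.113.5 stays below the threshold and raises nothing, which is the point of the window: the control is tuned to distinguish a typo from a sustained attempt.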


Corrective Controls

Computer Incident Response Team

Chief Information Security Officer (CISO): Independent responsibility for information security assigned to someone at an appropriate senior level

Patch Management: Fix known vulnerabilities by installing the latest updates to security programs, operating systems, and application programs


Computer Incident Response Team

Recognize that a problem exists

Containment of the problem

Recovery

Follow-up


New Considerations

Virtualization: Multiple systems are run on one computer

Cloud Computing: Remotely accessed resources (software applications, data storage, hardware)

Risks: Increased exposure if a breach occurs; reduced authentication standards

Opportunities: Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein