Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-1
Dec 22, 2015
Chapter 8Information Systems Controls for System Reliability— Part 1: Information Security
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-1
Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-2
AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-3
Information for Management Should Be:
Effectiveness Information must be relevant
and timely.
Efficiency Information must be
produced in a cost-effective manner.
Confidentiality Sensitive information must
be protected from unauthorized disclosure.
Integrity Information must be
accurate, complete, and valid.
Availability Information must be
available whenever needed.
Compliance Controls must ensure
compliance with internal policies and with external legal and regulatory requirements.
Reliability Management must have
access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-4
COBIT Framework
Plan & Organize
Acquire & Implemen
t
Deliver & Support
Monitor & Evaluate
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-5
InformationCriteria
COBIT Cycle
Management develops plans to organize information resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
Management ensures that the resulting system actually delivers the desired information.
Management monitors and evaluates system performance against the established criteria.
Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-6
COBIT Controls
210 controls for ensuring information integrity Subset is relevant for external auditors
IT control objectives for Sarbanes-Oxley, 2nd Edition
AICPA and CICA information systems controls Controls for system and financial statement reliability
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-7
Trust Services Framework
Security Access to the system and its data is controlled and restricted to legitimate
users.
Confidentiality Sensitive organizational information (e.g., marketing plans, trade secrets)
is protected from unauthorized disclosure.
Privacy Personal information about customers is collected, used, disclosed, and
maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
Processing Integrity Data are processed accurately, completely, in a timely manner, and only
with proper authorization.
Availability The system and its information are available to meet operational and
contractual obligations.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-8
Trust Services Framework
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-9
Security / Systems Reliability
Foundation of the Trust Services Framework Management issue, not a technology issue
SOX 302 states: CEO and the CFO responsible to certify that the
financial statements fairly present the results of the company’s activities.
The accuracy of an organization’s financial statements depends upon the reliability of its information systems.
Defense-in-depth and the time-based model of information security Have multiple layers of control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-10
Management’s Role in IS Security
Create security aware culture
Inventory and value company information resources
Assess risk, select risk response
Develop and communicate security: Plans, policies, and procedures
Acquire and deploy IT security resources
Monitor and evaluate effectiveness
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-11
Time-Based Model
Combination of detective and corrective controls P = the time it takes an attacker to break through the
organization’s preventive controls D = the time it takes to detect that an attack is in
progress C = the time it takes to respond to the attack For an effective information security system:
P > D + C
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-12
Steps in an IS System Attack
Conduct Reconnaissa
nceAttempt Social
Engineering
Scan & Map Target
Research
Execute Attack
Cover Tracks
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-13
Mitigate Risk of Attack
Preventive Control
Detective Control
Corrective Control
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-14
Preventive Control
Training
User access controls (authentication and authorization)
Physical access controls (locks, guards, etc.)
Network access controls (firewalls, intrusion prevention systems, etc.)
Device and software hardening controls (configuration options)
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-15
Authentication vs. Authorization
Authentication—verifies who a person is1. Something person knows
2. Something person has
3. Some biometric characteristic
4. Combination of all three
Authorization—determines what a person can access
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-16
Network Access Control (Perimeter Defense)
Border router Connects an organization’s information system to the
Internet
Firewall Software or hardware used to filter information
Demilitarized Zone (DMZ) Separate network that permits controlled access from the
Internet to selected resources
Intrusion Prevention Systems (IPS) Monitors patterns in the traffic flow, rather than only
inspecting individual packets, to identify and automatically block attacks
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-17
Internet Information Protocols
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-18
Device and Software Hardening (Internal Defense)
End-Point Configuration Disable unnecessary features that may be vulnerable to
attack on: Servers, printers, workstations
User Account Management
Software Design Programmers must be trained to treat all input from
external users as untrustworthy and to carefully check it before performing further actions.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-19
Detective Controls
Log Analysis Process of examining logs to identify evidence of possible
attacks
Intrusion Detection Sensors and a central monitoring unit that create logs of
network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
Managerial Reports
Security Testing
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-20
Corrective Controls
Computer Incident Response Team
Chief Information Security Officer (CISO) Independent responsibility for information security
assigned to someone at an appropriate senior level
Patch Management Fix known vulnerabilities by installing the latest updates
Security programs Operating systems Applications programs
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-21
Computer Incident Response Team
Recognize that a problem exists
Containment of the problem
Recovery
Follow-up
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-22
New Considerations
Virtualization Multiple systems are
run on one computer
Cloud Computing Remotely accessed
resources Software
applications Data storage Hardware
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 8-23
Risks Increased exposure if
breach occurs Reduced
authentication standards
Opportunities Implementing strong
access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein