IM_CH07

CHAPTER 7

INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY

PART 1: INFORMATION SECURITY INTRODUCTION

• Questions to be addressed in this chapter include:

- How does security affect systems reliability?

- What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security?

- What is the time-based model of security and the concept of defense-in-depth?

- What types of preventive, detective, and corrective controls are used to provide information security?

- How does encryption contribute to security and how do the two basic types of encryption systems work?

• An AIS should provide information useful for decision making. To be useful, information must be reliable, which means accurate, complete, and timely; available when needed; and protected from loss, compromise, and theft.

• The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability: security, confidentiality, privacy, processing integrity, and availability.

• Security is the foundation of systems reliability. Security procedures restrict access to only authorized users and protect confidentiality and privacy of sensitive information; provide for processing integrity; and protect against attacks. This chapter focuses on information security, while Chapter 8 covers the other four reliability principles.

SECURITY AS A MANAGEMENT ISSUE

• Security is a top management issue—not an IT issue. Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS. Management must certify the accuracy of the financial statements and maintain effective internal controls.

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

- Develop and document policies.

- Effectively communicate those policies to all authorized users.

- Design and employ appropriate control procedures to implement those policies.

- Monitor the system, and take corrective action to maintain compliance with the policies.

• Top management involvement and support are necessary to satisfy each of the preceding criteria.

• Policy Development -- A comprehensive set of security policies should be developed before designing and implementing specific control procedures. This process begins with taking an inventory of information systems hardware, software, and databases. Once the resources have been identified, they need to be valued in order to select the most cost-effective control procedures.

• Effective Communication of Policies -- Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users. Regular reminders and compliance training should be employed. Management must actively support these policies, and sanctions should apply to violators.

• Design and Employ Appropriate Control Procedures -- Control frameworks such as COBIT and Trust Services identify a variety of specific control procedures and tools that can be used to mitigate various security threats. Determining the optimal level of investment in security involves evaluating cost-benefit trade-offs.

• Monitor and Take Remedial Action -- Technology advances create new threats and alter the risks associated with existing threats. Effective control involves a continuous cycle of developing policies to address identified threats; communicating those policies to employees; implementing specific control procedures to mitigate risk; monitoring performance; and taking corrective action in response to problems.

THE TIME-BASED MODEL OF SECURITY

• Given enough time and resources, any preventive control can be circumvented. Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to compromise the organization’s economic and information resources.

• The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationships among three variables:

– P = Time it takes an attacker to break through the organization’s preventive controls

– D = Time it takes to detect that an attack is in progress

– C = Time to respond to the attack

• If P > (D + C), then security procedures are deemed effective. Otherwise, security is ineffective.

DEFENSE IN DEPTH

• Defense-in-depth involves using multiple layers of controls to avoid having a single point of failure. Computer security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access. Redundancy also applies to detective and corrective controls.

• Major types of preventive controls used for defense in depth include:

– Authentication controls to identify the person or device attempting access.

– Authorization controls to restrict access to authorized users. These controls are implemented with an access control matrix and compatibility tests.

– Training to teach employees why security measures are important and teach them to use safe computing practices.

– Physical access controls to protect entry points to the building, to rooms housing computer equipment, to wiring, and to devices such as laptops, cell phones, and PDAs.

– Remote access controls include routers, firewalls, and intrusion prevention systems to prevent unauthorized access from remote locations.

  • A border router connects the IS to the Internet.

  • Behind the router is the main firewall. It works with the border router to filter information trying to enter or leave the organization.

  • Data is transmitted over the Internet in packets through a protocol called TCP/IP. A set of rules called an access control list (ACL) determines which packets are allowed in and which are dropped. Stateful packet filtering examines the header of each packet in isolation. Deep packet filtering examines the data in the body of a packet to provide more effective access control. Deep packet filtering is the heart of a new type of filter called intrusion prevention systems.

  • Internal firewalls can be used to segment different departments within an organization.

  • Web servers and email servers are placed in a separate network outside the corporate network referred to as the demilitarized zone.

  • Special attention must be paid to the use of rogue modems by employees. Wireless access and dial-up modems require special security procedures.

– Host and application hardening procedures involve the use of supplemental preventive controls on workstations, servers, printers, and other devices. Special attention should be paid to host configuration, user accounts, and software design.

– Encryption provides the final barrier. It involves transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses the process.

  • The factors that determine the strength of an encryption system are the length of the key, key management policies, and the nature of the encryption algorithm.

  • There are both symmetric and asymmetric encryption systems. Symmetric systems use the same key to encrypt and decrypt. Asymmetric systems use both a public and a private key. E-business uses symmetric encryption to encode most data, since it is faster, and uses asymmetric encryption to safely send the symmetric key to the recipient.

  • Hashing transforms plaintext into a short code called a hash.

  • A digital signature is a hashed document that has been encrypted with the sender’s private key.

  • A digital certificate certifies the owner of a particular public key.

  • An organization that issues public and private keys and records the public key in a digital certificate is a certificate authority.
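As an added illustration (not from the chapter or its textbook) of the ACL and packet-filtering points above, the Python below models a rule list evaluated top to bottom with a default deny, and the table of established connections that lets a stateful filter accept reply traffic a stateless check would drop. The addresses, ports and rules are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")  # header fields the ACL inspects

# ACL rules are checked top to bottom; the first match decides the packet's fate.
# Fields: action, source, destination, destination port, protocol.
# "*" matches anything; a value ending in "." matches an address prefix.
ACL = [
    ("allow", "*",     "10.0.1.10", 443, "tcp"),  # Internet -> DMZ web server
    ("allow", "*",     "10.0.1.20", 25,  "tcp"),  # Internet -> DMZ mail server
    ("allow", "10.0.", "*",         "*", "*"),    # anything originating inside
    ("deny",  "*",     "*",         "*", "*"),    # default: drop
]

def _match(rule_value, packet_value):
    if rule_value == "*":
        return True
    if isinstance(rule_value, str) and rule_value.endswith("."):
        return str(packet_value).startswith(rule_value)
    return rule_value == packet_value

def acl_decision(acl, pkt):
    """Stateless check: each packet judged on its own header, first match wins."""
    for action, src, dst, dport, proto in acl:
        fields = ((src, pkt.src), (dst, pkt.dst), (dport, pkt.dport), (proto, pkt.proto))
        if all(_match(r, v) for r, v in fields):
            return action
    return "deny"   # no rule matched: drop

class StatefulFilter:
    """ACL check plus a table of established connections for reply traffic."""
    def __init__(self, acl):
        self.acl, self.sessions = acl, set()
    def filter(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            return "allow"                 # reply to a connection already permitted
        decision = acl_decision(self.acl, pkt)
        if decision == "allow":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return decision

def demo():
    """Constructed traffic: outbound browse, its reply, an unsolicited inbound, DMZ web."""
    fw = StatefulFilter(ACL)
    outbound = Packet("10.0.5.7", 51234, "203.0.113.9", 443, "tcp")
    reply = Packet("203.0.113.9", 443, "10.0.5.7", 51234, "tcp")
    unsolicited = Packet("203.0.113.9", 443, "10.0.5.7", 40000, "tcp")
    dmz_web = Packet("198.51.100.4", 40001, "10.0.1.10", 443, "tcp")
    return [fw.filter(p) for p in (outbound, reply, unsolicited, dmz_web)]
```

Run `acl_decision(ACL, reply)` on the reply packet alone and it is dropped; only the session table, populated by the permitted outbound packet, lets it through.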
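As an added example (not from the chapter), a Python sketch of the e-business flow just described: the bulk data is encrypted with a symmetric key, that key is sent under the recipient's public key, and the digital signature is the document hash encrypted with the sender's private key. It assumes a toy RSA on fixed Mersenne primes and a SHA-256 keystream in place of real key sizes and a real cipher, and assumes the certificate step that binds each public key to its owner has already taken place.

```python
import hashlib, secrets

# Toy RSA key pairs from well-known Mersenne primes so the example is deterministic;
# real keys use freshly generated primes thousands of bits long.
def keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

ALICE_PUB, ALICE_PRIV = keypair(2**31 - 1, 2**61 - 1)     # sender
BOB_PUB, BOB_PRIV = keypair(2**89 - 1, 2**127 - 1)        # recipient

def rsa(key, value):
    """Textbook RSA: raise a 64-bit integer to the key's exponent mod n."""
    exp, n = key
    return pow(value, exp, n)

def stream_xor(key, data):
    """Toy stream cipher (XOR with a SHA-256 keystream); same call encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def digest64(document):
    """Hash of the document, truncated to 64 bits so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest()[:8], "big")

def send(message, sender_priv, recipient_pub):
    """Hybrid encryption plus digital signature, as the chapter describes."""
    session_key = secrets.token_bytes(8)                 # fresh symmetric key
    ciphertext = stream_xor(session_key, message)        # bulk data: symmetric (fast)
    wrapped_key = rsa(recipient_pub, int.from_bytes(session_key, "big"))  # key: asymmetric
    signature = rsa(sender_priv, digest64(message))      # hash encrypted with sender's private key
    return ciphertext, wrapped_key, signature

def receive(envelope, recipient_priv, sender_pub):
    """Recover the key with the private key, decrypt, then check the signature."""
    ciphertext, wrapped_key, signature = envelope
    session_key = rsa(recipient_priv, wrapped_key).to_bytes(8, "big")
    message = stream_xor(session_key, ciphertext)
    # Decrypting the signature with the sender's public key must yield the hash.
    return message, rsa(sender_pub, signature) == digest64(message)

def demo():
    msg = b"Pay vendor 4471 the sum of 12,500.00"   # constructed document
    envelope = send(msg, ALICE_PRIV, BOB_PUB)
    received, authentic = receive(envelope, BOB_PRIV, ALICE_PUB)
    tampered = (envelope[0][:4] + bytes([envelope[0][4] ^ 1]) + envelope[0][5:], *envelope[1:])
    _, still_authentic = receive(tampered, BOB_PRIV, ALICE_PUB)
    return received == msg and authentic, still_authentic
```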

• Preventive controls are never 100% effective, so organizations implement controls to enhance security by monitoring the effectiveness of preventive controls and detecting incidents in which they have been circumvented. Detective controls include:

– Log analysis—the process of examining logs, which record who accesses the system and the actions they take.

– Intrusion detection systems (IDS) automate the monitoring of logs of network traffic permitted to pass the firewall. The most common analysis is to compare the logs to a database containing patterns of known attacks.

– Managerial reports can be created to disclose the organization’s performance with respect to the COBIT objectives. Key performance indicators include downtime caused by security incidents, number of systems with IDS installed, and the time needed to react to security incidents once they are reported.

– Security testing includes:

  • Vulnerability scans, which use automated tools designed to identify whether a system contains any well-known vulnerabilities.

  • Penetration testing, which involves an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s IS.

• Corrective controls include the following:

– A computer emergency response team (CERT), consisting of technical specialists and senior operations management, to deal with major incidents. The CERT leads the organization’s incident response process through four steps, which must be practiced regularly:

  • Recognizing that a problem exists.

  • Containing the problem.

  • Recovery.

  • Follow up.

– A chief security officer (CSO) is a designated individual with organization-wide responsibility for security. This individual should report to the COO or CEO and be independent of the IS function. The CSO must understand the technology; disseminate information about fraud, security breaches, and consequences; work with the person in charge of building security; and impartially assess the IT environment.

– Patch management involves fixing known vulnerabilities and installing the latest updates to anti-virus software, firewalls, operating systems, and application programs.

SUMMARY OF MATERIAL COVERED

• How security affects systems reliability.

• The four criteria that can be used to evaluate the effectiveness of an organization’s information security.

• The time-based model of security and the concept of defense-in-depth.

• The types of preventive, detective, and corrective controls that are used to provide information security.

• How encryption contributes to security and how the two basic types of encryption systems work.

TEACHING TIPS

• This chapter contains much technical information concerning topics that accountants need to understand but in which they seldom develop expertise. The crossword on the following page will help students assimilate some of the vocabulary.

CHAPTER 7 CROSSWORD PUZZLE

Across

3 Instructions for taking advantage of program vulnerabilities.

5 A method of packet filtering that examines each packet in isolation and maintains a table of established connections between the organization's computers and the Internet.

11 Hardware or software that filters information entering or leaving an information system.

13 Encrypted text.

14 Code released by software developers to fix vulnerabilities.

18 A set of rules which determines which packets are allowed in and which are dropped.

19 A network that sits outside the corporate network but is accessible from the Internet.

20 Device that connects the organization's information system to the Internet (2 words).

21 An inspection method that examines data in the body of IP packets.

22 Protocol for dividing files and documents into packets and transmitting them over the Internet.

23 Unencrypted text.

Down

1 An organization that issues public and private keys (2 words).

2 Flaws in programs.

4 Information encrypted with the creator's private key (2 words).

6 An encryption system that uses both a public and private key.

7 Matches the user's authentication credentials against an access control matrix to see if the action should be allowed (2 words).

8 A group of technical specialists and operations management responsible for dealing with major incidents.

9 Transforming plaintext into a short code.

10 Process of turning off unnecessary features in programs.

12 A type of filtering that uses deep packet inspection.

15 A method of packet filtering that examines information in the header field of a packet.

16 An encryption system that uses the same key to encrypt and decrypt.

17 A method for verifying the identity of users dialing into the company's network.

CHAPTER 7 CROSSWORD SOLUTION