
Notes for CHAPTER 5

Securing the Enterprise and Business Continuity


Information security was mostly a technical issue assigned to the IT department. Incidents were handled
on a case-by-case cleanup basis rather than by taking a preemptive approach that protects ahead of the
threats. Threats to info sec range from high-tech exploits that gain access to a company's networks and
databases to non-tech tactics such as stealing laptops. The following internal incidents could have been
prevented if stringent info sec policies and defenses had been enforced:

- Theft of a laptop
- Credit and debit card data had been stolen by hackers
- Tens of millions of dollars of fraudulent charges were made on the cards
- Medical data breaches exposed the personal data of many patients

The preceding examples illustrate that info sec breaches harm profitability and customer relations. For
today's most sophisticated spyware and mobile viruses, the key measure is time-to-exploitation: the
elapsed time between when a vulnerability is discovered and when it is exploited. New vulnerabilities are
continuously being found in operating systems, applications, and wired and wireless networks. With data
resources available on demand 24x7, companies benefit from the opportunities for productivity
improvement and data sharing with business partners in their supply chain.
Government Regulations
Data must be protected against existing and future attack schemes, and defenses must satisfy ever-stricter
government and international regulations. Some of the antifraud regulations that force better business
reporting and disclosure of GAAP (Generally Accepted Accounting Principles) violations are the SOX
(Sarbanes-Oxley) Act, the GLB (Gramm-Leach-Bliley) Act, FISMA (Federal Information Security
Management Act) and the USA PATRIOT Act.
Industry groups imposed their own standards to protect their customers and their members' brand images
and revenues. Some types of incidents are beyond a company's control. Uncertain events that can cause
IS breakdown require disaster recovery and business continuity plans. Examples are cybercrimes and
events like the 9/11 attack that led to the loss of critical data. Such incidents illustrate the diversity of
info sec problems and the substantial damage that can be done to organizations anywhere in the world.
IT Security and Internal Control Model
When senior management shows its commitment to IT security, it becomes important to the rest of the
organization too. Users become aware that insecure practices and mistakes will not be tolerated.
Therefore, an IT security and internal control model begins with:

Step 1: Senior management commitment and support: senior managers' influence is needed to
implement and maintain security, ethical standards, privacy practices and internal control
Step 2: Security policies and training: develop security policies and provide training to ensure that
everyone is aware of and understands them
Step 3: Security procedures and enforcement: implement monitoring procedures, training and
enforcement of the AUP (Acceptable Use Policy)
Step 4: Security tools, hardware and software: implement the software and hardware needed to
support the policy and enforce the secure practices
Unintentional Threats

- Human errors: errors that occur in the design of the hardware or programming, testing, data
  collection, data entry, etc.
- Environmental hazards: natural calamities that may disrupt normal computer operations and
  result in long waiting periods and exorbitant costs while computer programs and data files are
  recreated.
- Computer system failure: occurs due to poor manufacturing, defective materials, outdated
  networks, etc.

Intentional Threats
They include theft of data, inappropriate use of data, theft of mainframe computer time, theft of
equipment, malicious damage, etc. Intentional crimes carried out on the internet are called
cybercrimes. People who engage in such crimes are named hackers (someone who gains unauthorized
access to a computer system) or crackers (malicious hackers, who may represent a serious problem for a
corporation).
Methods of Attacks on Computing Facilities
Data tampering is an attack in which someone enters false, fabricated or fraudulent data into a computer,
or changes or deletes existing data. Similarly, programming attacks are popular with computer criminals
who use programming techniques to modify other computer programs. A DoS (Denial of Service) attack
occurs when a server or website receives a flood of traffic, far more traffic or requests for service than it
can handle, causing it to crash.

- Malware: any unwanted software that exploits flaws in other software to gain illicit access.
  o Malware defenses: (1) anti-malware technology, (2) intrusion detection system and (3)
    intrusion prevention system
- Virus: computer code that receives its name from the program's ability to attach itself to and
  infect other computer programs, without the owner of the program being aware of the infection.
- Worm: spreads without any human intervention such as checking e-mail or transmitting files.
- Trojan horses: referred to as backdoors because they give the attacker illegal access to a
  network or through a network port.
- RAT (Remote Administration Trojan): a class of backdoor that enables remote control over the
  compromised (infected) machine.

Computer crimes appear frequently and under novel names that quickly become very popular among
people. IT has a key role to play in demonstrating good corporate governance and fraud prevention.
Regulators look favorably on companies that can demonstrate good corporate governance and best
practice operational risk management.
IT Security Management Practices
The objective of IT security management practices is to defend all the components of an information
system: data, software applications, hardware and networks. In order to attain this objective, a defense
strategy needs to be framed. The defense strategy and controls should be chosen according to what needs
to be protected and a cost-benefit analysis. Objectives of defense strategies are:
1. Prevention and deterrence: prevent errors from occurring, deter criminals from attacking the system
2. Detection: the earlier the attack is detected, the easier it is to combat, and the less damage is done
3. Containment (contain the damage): minimize or limit losses once the malfunction has occurred
4. Recovery: how to fix a damaged information system
5. Correction: correcting the causes of damaged systems
6. Awareness and compliance: all organizational members must be educated about the hazards and
   must comply with the security rules and regulations


A defense strategy is also going to require several controls. There are basically two types of controls:
general controls (established to protect the systems regardless of the specific application) and
application controls (safeguards that are intended to protect specific applications). General controls
include physical controls, access controls, biometric controls (thumbprint, retinal scan, voice scan, etc.)
and administrative controls.
Network security measures involve three layers:

- Perimeter security (access): technologies used to protect against malware. It enforces an access
  control policy between two networks
- Authentication: guards against unauthorized access attempts. Its main objective is the proof of
  identity
- Authorization: permission issued to individuals or groups based on verified identity to do certain
  activities with a computer
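The three layers above, worked through as an added example that is not part of the original notes: a request passes the perimeter policy between two networks, then proof of identity, then a permission check against the verified identity's groups, and the result names the layer that refused. The service name, networks, users, passwords and groups are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Layer 1, perimeter: an access-control policy between two networks.
# Constructed sample: the payroll service is reachable only from 10.0.0.0/8.
PERIMETER_RULES = {"payroll": [ipaddress.ip_network("10.0.0.0/8")]}

def _hash_pw(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value never reveals the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Layer 2, authentication: constructed user store holding salted hashes and groups.
_SALT_A, _SALT_B = b"constructed-salt-alice", b"constructed-salt-bob"
USERS = {
    "alice": {"salt": _SALT_A, "hash": _hash_pw("correct horse", _SALT_A), "groups": {"finance"}},
    "bob":   {"salt": _SALT_B, "hash": _hash_pw("battery staple", _SALT_B), "groups": {"hr"}},
}
_DUMMY = _hash_pw("dummy", b"constructed-dummy")  # unknown users still cost one hash

# Layer 3, authorization: which verified groups may perform which action on a service.
PERMISSIONS = {"payroll": {"read": {"finance", "hr"}, "write": {"hr"}}}

def perimeter_allows(service: str, src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in PERIMETER_RULES.get(service, []))

def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    salt, expected = (rec["salt"], rec["hash"]) if rec else (b"constructed-dummy", _DUMMY)
    ok = hmac.compare_digest(_hash_pw(password, salt), expected)  # constant-time compare
    return ok and rec is not None

def authorize(user: str, service: str, action: str) -> bool:
    allowed_groups = PERMISSIONS.get(service, {}).get(action, set())
    return bool(USERS[user]["groups"] & allowed_groups)

def access(service: str, src_ip: str, user: str, password: str, action: str):
    """Run the three layers in order; return (allowed, layer that decided)."""
    if not perimeter_allows(service, src_ip):
        return False, "perimeter"
    if not authenticate(user, password):
        return False, "authentication"
    if not authorize(user, service, action):
        return False, "authorization"
    return True, "authorized"
```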

The internal control environment is the work atmosphere that a company sets for its employees.
Internal Control (IC) is a process designed to achieve reliability of financial reporting, operational
efficiency, compliance with laws, regulations and policies, and safeguarding of assets. SOX and the SEC
are making it clear that if controls are ignored, there is no control. Therefore, fraud prevention and
detection require an effective monitoring system. Well-executed internal fraud can damage a nation's
economy as a whole.
Managing risk has become the single most important issue for regulators and financial
institutions. Over the years, these institutions have suffered high costs for ignoring their exposure to risk.
However, growing research and improvement in IT have improved the measurement and management of
risk.
