• Any potential adverse occurrence or unwanted event that could be injurious to either the
accounting information system or the organization is referred to as a threat or an event.
• The potential dollar loss should a particular threat become a reality is referred to as the
exposure or impact of the threat.
• The probability that the threat will happen is the likelihood associated with the threat.
Internal controls are the processes implemented to provide reasonable assurance that the following
objectives are achieved:
▫ Safeguard assets
Five principles affect systems reliability according to the Trust Services Framework.
Information Security:
• Is the foundation of systems reliability and is necessary for achieving the other four
principles.
• Restricts access to authorized users only, protecting the confidentiality of sensitive
data.
• Prevents the submission of fictitious transactions and unauthorized changes to the
data.
P = the time it takes an attacker to break through the organization's preventive controls
C = the time it takes to respond to the attack and take corrective action
Preventive controls are adequate only if P is longer than the time needed to detect the attack
plus the time C needed to correct it; otherwise the attacker finishes before the organization reacts.
Before discussing preventive, detective and corrective controls, one must first
understand the basic steps criminals use to attack an organization's information system.
1. Conduct reconnaissance - like burglars casing a building (its alarms, number of guards,
placement of cameras), attackers first study the target organization.
2. Attempt social engineering - use the information obtained during the initial
reconnaissance to trick an unsuspecting employee into granting them access.
3. Scan and map the target - more detailed reconnaissance to identify potential points
of remote entry.
4. Research - find known vulnerabilities in the systems identified and learn how to exploit them.
6. Cover the tracks - for example by creating a backdoor, so that access can be regained if the
original intrusion is discovered and closed.
Preventive Controls
• Process: user access controls - it is important to understand that outsiders are not
the only threat source. An employee may be disgruntled for reasons such as being passed over
for a promotion and seek revenge.
• Remote entry points that also need preventive controls: dial-up connections and wireless access.
Detective Controls
• Log analysis - the process of examining logs to identify evidence of possible attacks.
It is especially important to analyse logs of failed log-in attempts and to determine why they
failed: a single failure is usually a mistyped password, whereas many failures from the same
source in a short time suggest someone guessing passwords.
• Intrusion detection system (IDS) - a set of sensors and a central monitoring unit that creates
logs of the network traffic that was permitted to pass through the firewall and analyses those logs for
signs of intrusion.
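The log analysis described above, as an added example that is not part of the original notes: it parses constructed, syslog-style SSH authentication lines and separates a burst of failures (likely password guessing) from a single failure followed by a successful login (likely a typo). The line format, the threshold of 5 failures and the 1-minute window are assumptions made for this example.

```python
"""Added example, not from the original notes: a small log-analysis pass over
constructed, syslog-style SSH authentication lines. The line format, the
threshold (5 failures) and the window (1 minute) are assumptions for this
example; adjust them to the logs you actually collect."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source hammers several accounts
# within seconds; another fails once and then logs in, which is what a user
# mistyping a password looks like.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[412]: Failed password for invalid user admin from 203.0.113.7
2024-03-01T09:00:03 sshd[412]: Failed password for root from 203.0.113.7
2024-03-01T09:00:04 sshd[412]: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd[412]: Failed password for jsmith from 203.0.113.7
2024-03-01T09:00:09 sshd[412]: Failed password for jsmith from 203.0.113.7
2024-03-01T09:05:30 sshd[418]: Failed password for jsmith from 198.51.100.22
2024-03-01T09:06:10 sshd[418]: Accepted password for jsmith from 198.51.100.22
2024-03-01T09:07:00 sshd[420]: Failed password for jsmith from 203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_auth_log(text: str) -> list[dict]:
    """Turn matching lines into events; lines that do not match are skipped so
    one odd line cannot stop the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)) -> dict[str, int]:
    """Map each source IP to its peak number of failed logins inside any
    `window`, keeping only sources at or above `threshold` (sliding window
    over that source's failures in timestamp order)."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def classify_sources(events, threshold=5, window=timedelta(minutes=1)) -> dict[str, str]:
    """Give each source a verdict on why its logins failed."""
    bursts = failed_login_bursts(events, threshold, window)
    verdict = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ip in bursts:
            verdict[ip] = f"possible password guessing: {bursts[ip]} failures within {window}"
        elif ev["outcome"] == "Accepted" and verdict.get(ip) == "isolated failed login":
            verdict[ip] = "failed login followed by success (probably a mistyped password)"
        elif ev["outcome"] == "Failed":
            verdict.setdefault(ip, "isolated failed login")
    return verdict


if __name__ == "__main__":
    for ip, why in classify_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {why}")
```

Running it reports 203.0.113.7 as possible password guessing (five failures in eight seconds) and 198.51.100.22 as a failed login followed by success; the later single failure from 203.0.113.7 at 09:07 does not change its verdict because the earlier burst already crossed the threshold.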
Corrective Controls
• Computer Incident Response Team (CIRT) - it should include not only technical
specialists but also senior operations management, because some potential responses
have significant economic consequences.
1. Confidentiality
2. Privacy
- The next step is to classify the information according to its value to the organization.
According to COBIT 5, classification is the responsibility of the information owners, not of the
information security professionals.
4. Training - one of the most important controls in information security. Employees must
know what information they can share with outsiders. They also need to be taught how
to protect confidential data and how to code the reports they create to reflect the importance of
the information they contain.
Privacy
- The controls that need to be implemented to protect privacy are the same ones
used to protect confidentiality.
Privacy controls
Privacy concerns
1. SPAM - unsolicited email that contains either advertising or offensive content. It not
only reduces the efficiency benefits of email but is also a source of viruses, worms, and other
types of malware. To deal with these problems, the US Congress passed the Controlling the
Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003.
2. Identity theft - the unauthorized use of someone's personal information for the benefit of
the perpetrator. Examples are medical identity theft, financial identity theft, and tax identity theft.
Organizations also have a role to play in preventing identity theft; therefore an
organization has an obligation to implement controls that protect the personal information it holds.
3. Choice and consent - explaining the choices available to individuals and obtaining
their consent before collecting personal information.
4. Collection - an organization must collect only the information really needed to fulfil
the purposes stated in its privacy policies. One issue concerning this principle is the use
of cookies. A cookie is a text file created by a website and stored on a visitor's hard disk that
records what the user has done on the site. The issue with cookies is that
they can contain personal information that may lead to identity theft and other privacy threats.
5. Use and retention - the need for retention policies and for assigning responsibility for
ensuring compliance with those policies.
6. Access - the opportunity given to individuals to access, review, correct and delete
the information held about them.
9. Quality - providing customers with a way to review the information the organization stores
about them is one way to achieve this objective, since it lets customers confirm
that the information is accurate.
Encryption
- A preventive control used to protect privacy and confidentiality, but it also
strengthens authentication procedures and plays a part in verifying the validity of
business transactions.
Encryption and decryption
- Both encryption and decryption make use of a key and an algorithm. Computers
represent both plaintext and ciphertext as a series of binary digits, and the key is likewise a
string of bits, for example a 256-bit key (256 0s and 1s). The algorithm is the formula for using the
key to transform the plaintext into ciphertext and vice versa.
1. Key length - longer keys provide stronger encryption. Each additional bit doubles the number
of possible keys an attacker would have to try, and a longer key also reduces the number of
repeating blocks, making it harder to spot patterns in the ciphertext that reflect
patterns in the plaintext.
1. Symmetric encryption systems - use the same key both to encrypt and to decrypt.
2. Asymmetric encryption systems - use two keys, a public key and a private key.
Either key can be used to encrypt, but only the other key of the pair can decrypt the resulting ciphertext.
- In case a key is lost, organizations should use encryption software that has a
built-in master key. An alternative is key escrow, which involves
making copies of all encryption keys used and storing those copies securely.
Hashing
- The process that takes plaintext of any length and creates a short code called a hash.
1. Encryption always produces ciphertext similar in size to the original plaintext, but
hashing produces a hash of a fixed, short length regardless of the size of the input.
2. Encrypted text can be decrypted, but it is not possible to transform a hash back into
the original plaintext.
Digital signature
- A hash of the document that has been encrypted with the creator's private key. The resulting
digital signature provides assurance that (1) a copy of a document has not been altered and
(2) who created the original version of the document.
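The three primitives described above (symmetric versus asymmetric encryption, hashing, and hash-then-sign digital signatures), as an added example that is not part of the original notes. The toy stream cipher, the fixed RSA primes and every name in it are assumptions made for this example; they are deliberately small and deterministic so the properties can be checked by hand, and are far too weak for real use.

```python
"""Added example, not from the original notes: toy, deterministic illustrations
of the primitives described above (symmetric vs. asymmetric encryption, hashing,
and a hash-then-sign digital signature). The stream cipher, the RSA parameters
and all names here are assumptions made for this example; they are far too weak
for real use, where a vetted library (e.g. the 'cryptography' package) belongs."""
import hashlib
from dataclasses import dataclass


# --- Symmetric encryption: the same key encrypts and decrypts -----------------
def symmetric_xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with a SHA-256-derived keystream.
    Applying it twice with the same key restores the plaintext, and the
    output is exactly as long as the input (no authentication; toy only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


# --- Hashing: fixed length, one-way, any change alters the digest -------------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # always 64 hex chars (256 bits)


# --- Asymmetric encryption and digital signatures (toy RSA) ------------------
@dataclass(frozen=True)
class RSAKeyPair:
    n: int  # public modulus
    e: int  # public exponent (shared freely)
    d: int  # private exponent (kept secret)


def toy_rsa_keypair() -> RSAKeyPair:
    """Fixed Mersenne primes 2^61-1 and 2^89-1 give a deterministic ~150-bit
    modulus; real keys are at least 2048 bits and use random primes."""
    p, q = (1 << 61) - 1, (1 << 89) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return RSAKeyPair(n, e, d)


def rsa_apply(exponent: int, n: int, m: int) -> int:
    """One modular exponentiation serves both directions: what one key of the
    pair transforms, only the other key of the pair can undo."""
    return pow(m, exponent, n)


def sign(doc: bytes, kp: RSAKeyPair) -> int:
    """Hash the document and encrypt the hash with the private key."""
    digest = hashlib.sha256(doc).digest()[:16]  # truncated so the value fits below n (toy)
    return rsa_apply(kp.d, kp.n, int.from_bytes(digest, "big"))


def verify(doc: bytes, signature: int, kp: RSAKeyPair) -> bool:
    """Decrypt the signature with the public key and compare it with a fresh
    hash of the received copy: a match shows the copy is unaltered and that
    the holder of the private key produced the signature."""
    expected = int.from_bytes(hashlib.sha256(doc).digest()[:16], "big")
    return rsa_apply(kp.e, kp.n, signature) == expected


def demo() -> dict:
    """Check every property the notes state and report each as True/False."""
    kp = toy_rsa_keypair()
    doc = b"Pay ACME Corp 1,000.00 for invoice 4471"      # constructed sample
    tampered = b"Pay ACME Corp 9,000.00 for invoice 4471"
    shared_key = b"shared-secret"
    ct = symmetric_xor_cipher(shared_key, doc)
    # Asymmetric: anyone encrypts with (n, e); only the holder of d can decrypt.
    session_key = int.from_bytes(b"session key", "big")
    c = rsa_apply(kp.e, kp.n, session_key)
    sig = sign(doc, kp)
    return {
        "symmetric_roundtrip": symmetric_xor_cipher(shared_key, ct) == doc,
        "ciphertext_same_size_as_plaintext": len(ct) == len(doc),
        "hash_fixed_length": len(sha256_hex(doc)) == len(sha256_hex(doc * 100)) == 64,
        "hash_changes_when_doc_changes": sha256_hex(doc) != sha256_hex(tampered),
        "asymmetric_roundtrip": rsa_apply(kp.d, kp.n, c) == session_key,
        "signature_verifies": verify(doc, sig, kp),
        "signature_rejects_tampered_copy": not verify(tampered, sig, kp),
    }


if __name__ == "__main__":
    for prop, holds in demo().items():
        print(f"{prop}: {holds}")
```

Every property prints True: the symmetric ciphertext is the same length as the plaintext and the same key reverses it, the hash stays 64 hex characters whether the input is 39 bytes or 3,900, a one-digit change in the amount produces a different hash, and the signature made with the private key verifies with the public key for the original document but not for the tampered copy.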
- Public key infrastructure (PKI) is the system for issuing pairs of public and private keys
and the corresponding digital certificates. It hinges on trusting the certificate authorities that
issue the keys and certificates.
- It also includes controls to authenticate the parties exchanging information and to create
an audit trail of the exchange.