Chapter 8

Information Systems Controls for System Reliability Part 1: Information Security

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-1

Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organizations information systems.
Explain the factors that influence information systems reliability. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-2

AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-3

COBIT Framework
Information Criteria

Monitor and Evaluate IT Resources

Plan and Organize

Deliver and Support

Acquire and Implement

8-4

Information Criteria
Effectiveness
Information must be relevant and timely.

Availability
Information must be available whenever needed.

Efficiency
Information must be produced in a costeffective manner.

Compliance
Controls must ensure compliance with internal policies and with external legal and regulatory requirements.

Confidentiality
Sensitive information must be protected from unauthorized disclosure.

Reliability
Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
8-5

Integrity
Information must be accurate, complete, and valid.

COBIT Cycle
Management develops plans to organize information resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.

Management ensures that the resulting system actually delivers the desired information.
Management monitors and evaluates system performance against the established criteria. Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.
8-6

COBIT vs. Trust Services Framework

Specifies 210 controls for ensuring information integrity
Subset is relevant for external auditors
IT control objectives for Sarbanes-Oxley, 2nd Edition

AICPA and CICA information systems controls

Trust Services Framework
Controls for system and financial statement reliability

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-7

Trust Services Framework

Security
Access to the system and its data is controlled and restricted to legitimate users.

Confidentiality
Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.

Privacy
Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

Processing Integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability
The system and its information are available to meet operational and contractual obligations.
8-8

Trust Services Framework

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-9

Security / Systems Reliability

Foundation of the Trust Services Framework
Management issue, not a technology issue
SOX 302 states: CEO and the CFO responsible to certify that the financial statements fairly present the results of the companys activities. The accuracy of an organizations financial statements depends upon the reliability of its information systems.

Defense-in-depth and the time-based model of information security

Have multiple layers of control

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-10

Managements Role in IS Security

Create security aware culture
Inventory and value company information resources

Assess risk, select risk response

Develop and communicate security:
Plans, policies, and procedures

Acquire and deploy IT security resources Monitor and evaluate effectiveness

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-11

Time-Based Model
Combination of detective and corrective controls
P = the time it takes an attacker to break through the organizations preventive controls D = the time it takes to detect that an attack is in progress C = the time it takes to respond to the attack For an effective information security system:
P>D+C

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-12

Steps in an IS System Attack

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-13

Mitigate Risk of Attack

Preventive Control
Detective Control Corrective Control

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-14

Preventive Controls
Training
User access controls (authentication and authorization)

Physical access controls (locks, guards, etc.)

Network access controls (firewalls, intrusion prevention systems, etc.) Device and software hardening controls (configuration options)

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-15

Identification, Authentication, and Authorization

Identificationidentifies a person
Authenticationverifies who a person is
1. 2. 3. 4. Something person knows Something person has Some biometric characteristic Combination of all three

Authorizationdetermines what a person can access

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-16

Network Access Control (Perimeter Defense)

Border router
Connects an organizations information system to the Internet

Firewall
Software or hardware used to filter information

Demilitarized Zone (DMZ)

Separate network that permits controlled access from the Internet to selected resources

Intrusion Prevention Systems (IPS)

Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks
Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-17

Device and Software Hardening (Internal Defense)

End-Point Configuration
Disable unnecessary features that may be vulnerable to attack on:
Servers, printers, workstations

User Account Management

Software Design
Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-18

Detective Controls
Log Analysis
Process of examining logs to identify evidence of possible attacks

Intrusion Detection
Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions

Managerial Reports
Security Testing

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-19

Corrective Controls
Computer Incident Response Team
Chief Information Security Officer (CISO)
Independent responsibility for information security assigned to someone at an appropriate senior level

Patch Management
Fix known vulnerabilities by installing the latest updates
Security programs Operating systems Applications programs

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-20

Computer Incident Response Team

Recognize that a problem exists
Containment of the problem Recovery Follow-up

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-21

New Considerations
Virtualization
Multiple systems are run on one computer

Risks
Increased exposure if breach occurs Reduced authentication standards

Cloud Computing
Remotely accessed resources
Software applications Data storage Hardware

Opportunities
Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-22