HANDOUT
CHAPTER 7 & 8
• One basic function of AIS is to provide information useful for decision making. In order to
be useful, the information must be reliable, which means:
• It provides an accurate, complete, and timely picture of the organization’s activities.
• It is available when needed.
• The information and the system that produces it are protected from loss,
compromise, and theft.
• The five basic principles that contribute to systems reliability:
• Security – Access to the system and its data is controlled.
• Confidentiality - Sensitive information is protected from unauthorized disclosure.
• Privacy - Personal information about customers collected through e-commerce is
collected, used, disclosed, and maintained in an appropriate manner.
• Processing integrity - Data is processed:
• Accurately
• Completely
• In a timely manner
• With proper authorization
• Availability - The system is available to meet operational and contractual
obligations.
SECURITY
• It is the foundation of systems reliability.
• Security procedures restrict system access to only authorized users and protect:
• The confidentiality of sensitive organizational data.
• The privacy of personal identifying information collected from customers.
• Security procedures also:
– Provide for processing integrity by preventing:
• Submission of unauthorized or fictitious transactions.
• Unauthorized changes to stored data or programs.
– Protect against a variety of attacks, including viruses and worms, thereby
ensuring the system is available when needed.
• The press carries many stories about information security incidents including:
– Denial of service attacks
– Fraud
– Loss of trade secrets
– Identity theft
• Accountants and IS professionals need to understand basic principles of information
security in order to protect their organizations and themselves.
Training
o People play a critical role in information security.
The effectiveness of specific control procedures depends on how
well employees understand and follow the organization’s security
policies.
Employees should be taught why security measures are important
to the organization’s long-run survival.
o Employees should be trained to follow safe computing
practices, such as:
Never open unsolicited email attachments.
Use only approved software.
Never share or reveal passwords.
Physically protect laptops, especially when traveling.
o Train employees about social engineering attacks, which
use deception to obtain unauthorized access.
o Do not allow other people (employees or outsiders) to
follow them through restricted-access entrances.
o It is also important to invest in continuing professional
education for information security specialists.
o Top management must also provide support for training.
Physical access controls (locks, guards, biometric devices)
Within a few minutes, a skilled attacker with unsupervised direct
physical access to the system can successfully obtain access to
sensitive data.
Physical access control begins with entry points to the building
itself.
Once inside the building, physical access to rooms housing
computer equipment must be restricted.
Access to wiring used in LANs must be restricted to prevent
wiretapping.
Controlling remote access
Devices such as routers, modems, wireless access points, and dial-up
connections are used to connect the organization’s IS to the
Internet.
These devices should be protected against intrusion both from the
outside and from the inside.
Firewalls are either devices or software that prevent
unauthorized access to the organization’s data.
There can be one main firewall to prevent unauthorized access
from the outside and several inner firewalls to prevent unauthorized
access within the IS.
Host and application hardening procedures (firewalls, anti-virus software,
disabling of unnecessary features, user accounts)
Routers, firewalls, and intrusion prevention systems are designed
to protect the network perimeter.
Information security is enhanced by supplementing preventive
controls on the network perimeter with additional preventive
controls on the workstations, servers, printers, and other devices
(collectively referred to as hosts) that comprise the organization’s
network.
Three areas deserve special attention:
o Host configuration
Hosts can be made more secure by modifying their
configurations.
Turning on unnecessary features and extra services increases
exposure: every program contains flaws, called
vulnerabilities, and therefore represents a potential
point of attack.
Optional programs and features that are not used
should be disabled.
This process of turning off unnecessary features is
called hardening.
In addition to hardening, two other preventive
controls should be applied to hosts on the network:
Every host should be running anti-virus and
firewall software that is regularly updated.
COBIT states that it is important to harden
and properly configure every device, including
those used to protect the network (e.g.,
firewalls, IPS, routers, etc.) to make them
resistant to tampering.
o User accounts
COBIT stresses the need to carefully manage user
accounts, especially when they have unlimited
(administrative) rights on the computer.
Users who need administrative powers on a
particular computer should be assigned two
accounts:
One with administrative rights.
One with limited privileges.
Users should log in under the limited account to
perform routine duties.
They should be logged into their limited
account when browsing the Web or reading
email.
If they visit a compromised Website or open
an infected email, the attacker will only
acquire limited rights.
o Software design
Encryption
Encrypting sensitive stored data provides one last barrier that
must be overcome by an intruder.
Also strengthens authentication procedures and plays an
essential role in ensuring and verifying the validity of e-business
transactions.
Therefore, accountants, auditors, and systems professionals need
to understand encryption.
Encryption is the process of transforming normal text, called
plaintext, into unreadable gibberish, called ciphertext.
Decryption reverses this process.
DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all attacks.
So organizations implement detective controls to enhance security by:
Monitoring the effectiveness of preventive controls; and
Detecting incidents in which preventive controls have been
circumvented.
Authentication and authorization controls (both preventive and detective)
govern access to the system and limit the actions that can be performed
by authorized users.
Actual system use (detective control) must be examined to assess
compliance through:
Log analysis
o Most systems come with extensive capabilities for logging
who accesses the system and what specific actions each
user performed.
Logs form an audit trail of system access.
Are of value only if routinely examined.
Log analysis is the process of examining logs to
monitor security.
o The log may indicate unsuccessful attempts to log in to
different servers.
o The person analyzing the log must try to determine the
reason for the failed attempt. Could be:
The person was a legitimate user who forgot his
password.
Was a legitimate user but not authorized to access
that particular server.
The user ID was invalid and represented an
attempted intrusion.
o Log analysis should be done regularly to detect problems in
a timely manner.
Not easy because logs can quickly grow in size.
So system administrators use software tools to
efficiently strip out routine log entries so that they
can focus their attention on anomalous behavior.
Also supplement log analysis with software tools
called intrusion detection systems to automate the
monitoring process.
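The log analysis described above, as an added example that is not part of the handout: it reads a few constructed syslog-style authentication lines, strips routine entries so the analyst sees only authentication events, assigns every failed login one of the three explanations the handout lists, and points out sources that failed against several different servers. The log format, host names, addresses and the user-to-server authorization table are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from the handout or any real system).
SAMPLE_LOG = """\
2024-03-01T08:01:12 srv-fin sshd: Accepted password for alice from 10.0.1.15
2024-03-01T08:02:40 srv-fin sshd: Failed password for alice from 10.0.1.15
2024-03-01T08:02:58 srv-fin sshd: Accepted password for alice from 10.0.1.15
2024-03-01T08:10:03 srv-hr sshd: Failed password for bob from 10.0.1.22
2024-03-01T08:10:09 srv-hr sshd: Failed password for bob from 10.0.1.22
2024-03-01T09:15:30 srv-fin sshd: Failed password for invalid user admin from 203.0.113.9
2024-03-01T09:15:31 srv-hr sshd: Failed password for invalid user admin from 203.0.113.9
2024-03-01T09:15:33 srv-db sshd: Failed password for invalid user root from 203.0.113.9
2024-03-01T09:20:00 srv-db cron: job backup-nightly completed
"""

# Only authentication events match; everything else (cron etc.) is routine noise.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed authorization table: the servers each known user may access.
AUTHORIZED = {
    "alice": {"srv-fin"},
    "bob": {"srv-fin"},   # bob is a real user but is not cleared for srv-hr
}


def parse_auth_events(log_text):
    """Keep only authentication events; routine log entries are stripped out."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_failure(ev):
    """Assign one of the three explanations the handout gives for a failed login."""
    if ev["invalid"] or ev["user"] not in AUTHORIZED:
        return "invalid_user_id"              # looks like an attempted intrusion
    if ev["host"] not in AUTHORIZED[ev["user"]]:
        return "not_authorized_for_server"    # legitimate user, wrong server
    return "legitimate_user_bad_password"     # most likely a forgotten password


def analyze(log_text):
    """Summarize failures by reason and flag sources probing several servers."""
    events = parse_auth_events(log_text)
    failures = [e for e in events if e["result"] == "Failed"]
    by_reason = Counter(classify_failure(e) for e in failures)
    hosts_by_src = defaultdict(set)
    for e in failures:
        hosts_by_src[e["src"]].add(e["host"])
    multi_server_sources = {
        src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) > 1
    }
    return {
        "events": len(events),
        "failures": len(failures),
        "by_reason": dict(by_reason),
        "multi_server_sources": multi_server_sources,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample, the two failures for bob are not a forgotten password but a legitimate user trying a server he is not cleared for, and the three "invalid user" failures all come from one outside address that touched three servers in a few seconds, which is the kind of entry an analyst wants left after routine lines are stripped.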
Intrusion detection systems
o A major weakness of log analysis is that it is labor intensive
and prone to human error.
o Intrusion detection systems (IDS) represent an attempt to
automate part of the monitoring.
o An IDS creates a log of network traffic that was permitted to
pass the firewall.
Analyzes the logs for signs of attempted or
successful intrusions.
Most common analysis is to compare logs to a
database containing patterns of traffic associated
with known attacks.
An alternative technique builds a model representing
“normal” network traffic and uses various statistical
techniques to identify unusual behavior.
o IDS sensors are usually located in several places.
Most common is just inside the main firewall.
Some may be placed inside each internal firewall to
monitor the effectiveness of policies governing
employee access to resources.
Sometimes located just outside the main firewall.
Provides means to monitor the number of
attempted intrusions that are blocked.
Can provide early warning that the
organization is being targeted.
May also be located on individual hosts to provide
warnings of attempts to compromise those systems.
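The two IDS analysis techniques above, signature matching against a database of known attack patterns and a statistical model of "normal" traffic, as an added example that is not part of the handout. The traffic records, the two signature patterns and the baseline window are all constructed for this example; a real sensor would hold thousands of signatures and a far richer baseline.

```python
import re
import statistics
from collections import Counter

# Constructed signature database: request patterns associated with known attack
# classes. Real IDS products ship large, vendor-maintained pattern sets.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection probe", re.compile(r"(?i)\bunion\s+select\b")),
]


def build_sample_traffic():
    """Constructed log of traffic the firewall permitted: (minute, src_ip, request).
    Minutes 0-9 are quiet baseline traffic; minute 10 carries a burst from one
    outside source, two of whose requests match signatures."""
    records = []
    for minute in range(10):
        for i in range(5 + minute % 3):      # 5 to 7 requests per quiet minute
            records.append((minute, f"10.0.2.{10 + i}", f"GET /reports/{i}.pdf"))
    for i in range(40):
        records.append((10, "198.51.100.7", f"GET /search?q=item{i}"))
    records.append((10, "198.51.100.7", "GET /download?file=../../etc/passwd"))
    records.append((10, "198.51.100.7", "GET /items?id=1 UNION SELECT name FROM users"))
    return records


def signature_alerts(records):
    """Compare every permitted request against the signature database."""
    alerts = []
    for minute, src, request in records:
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                alerts.append({"minute": minute, "src": src, "signature": name})
    return alerts


def anomaly_alerts(records, baseline_minutes=10, z_threshold=3.0):
    """Model normal per-minute volume from the first N minutes, then flag later
    minutes whose volume lies more than z_threshold standard deviations above it."""
    per_minute = Counter(minute for minute, _, _ in records)
    baseline = [per_minute.get(m, 0) for m in range(baseline_minutes)]
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0   # guard against a perfectly flat baseline
    alerts = []
    for minute in sorted(per_minute):
        if minute < baseline_minutes:
            continue
        z = (per_minute[minute] - mean) / stdev
        if z > z_threshold:
            alerts.append({"minute": minute, "count": per_minute[minute], "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for a in signature_alerts(traffic):
        print("signature:", a)
    for a in anomaly_alerts(traffic):
        print("anomaly:", a)
```

The signature pass only finds what it already knows; the volume model knows nothing about the request contents but catches the burst in minute 10 regardless of what was requested. That complementarity is why both techniques are usually run together.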
Managerial reports
o Management reports are another important detective
control.
o Management can use COBIT
o COBIT provides:
Management guidelines that identify crucial success
factors associated with each objective.
Key performance indicators that can be used to
assess their effectiveness.
COBIT key performance indicators:
Number of incidents with business impact
Percent of users who do not comply with
password standards
Percent of cryptographic keys compromised
and revoked
Although regular review of periodic performance
reports can help ensure that security controls are
adequate, surveys indicate that many organizations
fail to regularly monitor security
Periodically testing the effectiveness of existing security
procedures
o The effectiveness of existing security procedures should be
tested periodically.
One approach is vulnerability scans, which use
automated tools designed to identify whether a
system possesses any well-known vulnerabilities.
Security Websites such as the Center for Information
Security (www.cisecurity.org) provide:
Benchmarks for security best practices.
Tools to measure how well a system
conforms.
o Penetration testing provides a rigorous way to test the
effectiveness of an organization’s information security.
o This testing involves an authorized attempt by either an
internal audit team or external security consulting firm to
break into the organization’s IS.
o The teams try every possible way to compromise a
company’s system, including:
Masquerading as custodians, temporary workers, or
confused delivery personnel to get into offices to
locate passwords or access computers.
Using sexy decoys to distract guards.
Climbing through roof hatches and dropping through
ceiling panels.
o Some claim they can get into 90% or more of the
companies they attack.
CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents.
Two of the Trust Services framework criteria for effective security are the
existence of procedures to:
React to system security breaches and other incidents.
Take corrective action on a timely basis.
Three key components that satisfy the preceding criteria are:
Establishment of a computer emergency response team.
Designation of a specific individual with organization-wide
responsibility for security.
An organized patch management system.
Computer emergency response team
A key component to being able to respond to security incidents
promptly and effectively is the establishment of a computer
emergency response team (CERT).
o Responsible for dealing with major incidents.
o Should include technical specialists and senior operations
management.
Some potential responses have significant economic
consequences (e.g., whether to temporarily shut
down an e-commerce server) that require
management input.
The CERT should lead the organization’s incident response
process through four steps:
o Recognition that a problem exists
Typically occurs when an IDS signals an alert or as
a result of a system administrator’s log analysis.
o Containment of the problem
Once an intrusion is detected, prompt action is
needed to stop it and contain the damage.
o Recovery
Damage must be repaired.
May involve restoring data from backup and
reinstalling corrupted programs
o Follow-up
Once recovery is in process, the CERT should lead
analysis of how the incident occurred.
Steps should be taken to modify existing security
policy and minimize the likelihood of a similar
incident.
An important decision is whether to try to catch and
punish the perpetrator.
If the perpetrator will be pursued, forensic experts
should be involved immediately to ensure that all
possible evidence is collected and maintained in a
manner that makes it admissible in court.
Communication is vital to all four steps, so multiple methods are
needed for notifying members of CERT (e.g., email, phone, cell
phone).
It is also important to practice the incident response plan,
including the alert process, so that gaps can be discovered.
Regular practice helps identify the need for change in response to
technological changes.
o EXAMPLE: A CERT practicing an incident response in
Texas recently realized that the password to a Web
address that was vital to the incident response had been
changed. The CERT did not have the new password.
Better to find this out on a trial run and make provision for
the CERT to be immediately notified of any future
password changes than to discover it in a live incident.
Designation of a specific individual with organization-wide
responsibility for security.
A chief security officer (CSO):
o Should be independent of other IS functions and report to
either the COO or CEO.
o Must understand the company’s technology environment
and work with the CIO to design, implement, and promote
sound security policies and procedures.
o Disseminates info about fraud, errors, security breaches,
improper system use, and consequences of these actions.
o Works with the person in charge of building security, as
that is often the entity’s weakest link.
o Should impartially assess and evaluate the IT environment,
conduct vulnerability and risk assessments, and audit the
CIO’s security measures.
An organized patch management system.
Patch management
Another important corrective control involves fixing known
vulnerabilities and installing latest updates to:
o Anti-virus software
o Firewalls
o Operating systems
o Application programs
The number of reported vulnerabilities rises each year.
A primary cause of the rise in reported vulnerabilities is the ever-
increasing size and complexity of software.
Many widely-used programs contain millions of lines of code.
Even if 99.9% error free, there would still be 100 vulnerabilities
per million lines.
Both hackers and security consultants constantly search for these
vulnerabilities.
Once discovered, the question is how to take advantage of them.
Hackers usually publish instructions for doing so (known as
exploits) on the Internet.
Although it takes skill to discover the exploit, once published, it
can be executed by almost anyone.
Attackers who execute these programmed exploits are referred to
as script kiddies.
A patch is code released by software developers to fix
vulnerabilities that have been discovered.
Patch management is the process for regularly applying patches
and updates to all of an organization’s software.
Challenging to do because:
o Patches can have unanticipated side effects that cause
problems, which means they should be tested before being
deployed.
o There are likely to be many patches each year for each
software program, which may mean that hundreds of
patches will need to be applied to thousands of machines.
Intrusion prevention systems may provide great promise if they
can be quickly updated to respond to new vulnerabilities and block
new exploits, so that the entity can buy time to:
o Thoroughly test the patches.
o Apply the patches.
CONFIDENTIALITY
PROCESSING INTEGRITY
• COBIT control objective DS 11.1 addresses the need for controls over the input,
processing, and output of data.
• Identifies six categories of controls that can be used to satisfy that objective.
• Six categories are grouped into three for discussion.
• Three categories/groups of integrity controls are designed to meet the preceding
objectives:
• Input Control
• Processing Control
• Output Control
Input Controls:
• If the data entered into a system is inaccurate or incomplete, the output will be, too.
(Garbage in garbage out.)
• Companies must establish control procedures to ensure that all source documents are
authorized, accurate, complete, properly accounted for, and entered into the system or
sent to their intended destination in a timely manner.
Range Check
o Similar to a field check, but it checks both ends of a range.
o Example: An hourly wage rate should fall between 150 and 300.
Size or Capacity Check
o Ensures that the data will fit into the assigned field.
o Example: A social security number of 10 digits would not fit in the 9-digit social
security field.
Completeness Check
o Determines if all required items have been entered.
o Example: Has the student’s billing address been entered along with enrollment
details?
Validity Check
o Compares the value entered to a file of acceptable values.
o Example: Does the state code entered for an address match one of the 50 valid
state codes?
Reasonableness Check
o Determines whether a logical relationship seems to be correct.
o Example: A freshman with annual financial aid of $60,000 is probably not
reasonable.
Check Digit Verification
o An additional digit called a check digit can be appended to account numbers,
policy numbers, ID numbers, etc.
o Data entry devices then perform check digit verification by using the original
digits in the number to recalculate the check digit.
o If the recalculated check digit does not match the digit recorded on the source
document, that result suggests that an error was made in recording or entering
the number.
• The preceding tests are used for batch processing and online real-time processing.
• Both processing approaches also have some additional controls that are unique to
each approach.
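The input controls above (field, range, size, completeness, validity, reasonableness and check digit verification) applied to a constructed student-worker record, as an added example that is not part of the handout. The handout's own example values are reused (a wage range of 150 to 300, a 9-digit social security field, state codes, a freshman's financial aid). Two things are assumptions: the check digit scheme, which here is the Luhn mod-10 algorithm since the handout does not name one, and the aid threshold of 50,000 used to decide what is "reasonable".

```python
# Constructed subset of acceptable state codes (a real file holds all 50).
VALID_STATE_CODES = {"CA", "NY", "TX", "WA"}


def field_check(value, allowed=str.isdigit):
    """Field check: the characters in the value are of the expected kind."""
    return allowed(str(value))


def range_check(value, low, high):
    """Range check: both ends of the allowed range are enforced."""
    return low <= value <= high


def size_check(value, max_digits):
    """Size or capacity check: the value fits the assigned field width."""
    return len(str(value)) <= max_digits


def completeness_check(record, required):
    """Completeness check: return the required items that are missing or blank."""
    return [f for f in required if not record.get(f)]


def validity_check(value, acceptable):
    """Validity check: the value appears in the file of acceptable values."""
    return value in acceptable


def luhn_check_digit(payload):
    """Luhn mod-10 check digit for a string of digits (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:           # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def check_digit_verification(number):
    """Recalculate the check digit from the original digits and compare."""
    payload, recorded = number[:-1], int(number[-1])
    return luhn_check_digit(payload) == recorded


def validate_record(record):
    """Run every input control over one record and return the list of findings."""
    errors = []
    for f in completeness_check(record, ["name", "billing_address", "state", "ssn", "account_no"]):
        errors.append(f"completeness: missing {f}")
    ssn = record.get("ssn", "")
    if ssn and not field_check(ssn):
        errors.append("field: ssn must contain digits only")
    if ssn and not size_check(ssn, 9):
        errors.append("size: ssn does not fit the 9-digit field")
    if record.get("state") and not validity_check(record["state"], VALID_STATE_CODES):
        errors.append("validity: unknown state code")
    if "hourly_wage" in record and not range_check(record["hourly_wage"], 150, 300):
        errors.append("range: hourly wage outside 150-300")
    # Reasonableness: the 50,000 threshold is an assumption for this example.
    if record.get("year") == "freshman" and record.get("aid", 0) > 50_000:
        errors.append("reasonableness: freshman with aid above 50000")
    acct = record.get("account_no", "")
    if acct and (not field_check(acct) or not check_digit_verification(acct)):
        errors.append("check digit: account number fails verification")
    return errors


# Constructed records: one that passes every control and one that trips most of them.
GOOD_RECORD = {"name": "Ana", "billing_address": "1 Main St", "state": "CA",
               "ssn": "123456789", "account_no": "79927398713",
               "hourly_wage": 200, "year": "sophomore", "aid": 10_000}
BAD_RECORD = {"name": "Ben", "billing_address": "", "state": "ZZ",
              "ssn": "1234567890", "account_no": "79927398716",
              "hourly_wage": 100, "year": "freshman", "aid": 60_000}

if __name__ == "__main__":
    print("good:", validate_record(GOOD_RECORD))
    print("bad:", validate_record(BAD_RECORD))
```

Account number 79927398713 carries check digit 3 over payload 7992739871; swapping its first two digits (97927398713) changes the recalculated digit, which is exactly the transcription error a check digit is meant to catch.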
PROCESSING CONTROLS
These are the controls to ensure that data is processed correctly.
• Data matching
• Two or more items must match before processing can proceed.
• Example: The quantity billed on the vendor invoice must match the quantity
ordered on the purchase order and the quantity received on the receiving report.
• File labels
• External labels should be checked visually to ensure the correct and most current
files are being updated.
• There are also two important types of internal labels to be checked.
• The header record, located at the beginning of each file, contains the file name,
expiration date, and other identification data.
• The trailer record at the end of the file contains the batch totals calculated
during input.
• Recalculation of batch totals
• Batch totals should be recomputed as processing takes place.
• These totals should be compared to the totals in the trailer record.
• Discrepancies indicate processing errors, such as:
• If the recomputed record count is smaller than the original count, one or
more records were not processed.
• If the recomputed record count is larger than the original, then additional
unauthorized transactions were processed or some authorized transactions
were processed twice.
• If the discrepancy between totals is evenly divisible by 9, there was probably
a transposition error (two adjacent digits were reversed).
• Cross-footing balance test
• Compares arithmetic results produced by two different methods to verify
accuracy.
• EXAMPLE: Compute the sum of column totals in a spreadsheet and
compare it to a sum of the row totals.
• Write protection mechanisms
• Protect against accidental writing over or erasing of data files but are not
foolproof.
• RFID security
• Many businesses are replacing bar codes and manual tags with radio
frequency identification (RFID) tags that can store up to 128 bytes of data.
• These tags should be write-protected so that unscrupulous customers
cannot change price information on merchandise.
• Database processing integrity procedures
• Database systems use database administrators, data dictionaries, and
concurrent update controls to ensure processing integrity.
• The administrator establishes and enforces procedures for accessing and
updating the database.
• The data dictionary ensures that data items are defined and used
consistently.
• Concurrent update controls protect records from being updated by two users
simultaneously.
• Locks one user out until the other has finished processing.
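The file label, batch total and cross-footing controls above, as an added example that is not part of the handout. A constructed batch file carries a header record, four transactions and a trailer record whose totals were computed at input time; after processing, the totals are recomputed and any discrepancy is diagnosed the way the handout describes, including the divisible-by-9 test for a transposition error. The file name, dates, account numbers and amounts are all constructed.

```python
from datetime import date

# Constructed batch file: header record, transaction records, trailer record.
HEADER = {"file_name": "AP_INVOICES_2024_03", "expiration": date(2024, 12, 31)}
TRANSACTIONS = [
    {"account": 1001, "amount": 250.00},
    {"account": 1002, "amount": 1200.00},
    {"account": 1003, "amount": 75.50},
    {"account": 1004, "amount": 410.00},
]
# Batch totals computed during input and stored in the trailer record.
TRAILER = {"record_count": 4, "hash_total": 4010, "financial_total": 1935.50}
TODAY = date(2024, 3, 15)   # constructed processing date


def check_file_label(header, expected_name, today):
    """Internal label check on the header record: right file, not expired."""
    problems = []
    if header["file_name"] != expected_name:
        problems.append("wrong file")
    if header["expiration"] < today:
        problems.append("file expired")
    return problems


def compute_batch_totals(transactions):
    """Recompute the three batch totals as processing takes place."""
    return {
        "record_count": len(transactions),
        "hash_total": sum(t["account"] for t in transactions),
        "financial_total": round(sum(t["amount"] for t in transactions), 2),
    }


def diagnose_batch(trailer, recomputed):
    """Compare recomputed totals to the trailer record and explain discrepancies."""
    findings = []
    if recomputed["record_count"] < trailer["record_count"]:
        findings.append("records not processed")
    elif recomputed["record_count"] > trailer["record_count"]:
        findings.append("extra or duplicate transactions processed")
    diff = round(recomputed["financial_total"] - trailer["financial_total"], 2)
    if diff != 0:
        cents = round(abs(diff) * 100)
        if cents % 9 == 0:   # swapping two adjacent digits changes a number by a multiple of 9
            findings.append(f"financial total off by {diff}: probable transposition error")
        else:
            findings.append(f"financial total off by {diff}")
    if recomputed["hash_total"] != trailer["hash_total"]:
        findings.append("hash total mismatch: account numbers altered")
    return findings


def cross_foot(cells, row_totals, col_totals):
    """Cross-footing balance test: the sum of the stored row totals and the sum of
    the stored column totals must both equal the grand total of the cells."""
    grand = sum(sum(row) for row in cells)
    return sum(row_totals) == grand and sum(col_totals) == grand


if __name__ == "__main__":
    print(check_file_label(HEADER, "AP_INVOICES_2024_03", TODAY))
    print(diagnose_batch(TRAILER, compute_batch_totals(TRANSACTIONS)))
    transposed = [dict(t) for t in TRANSACTIONS]
    transposed[1]["amount"] = 2100.00          # 1200.00 keyed as 2100.00
    print(diagnose_batch(TRAILER, compute_batch_totals(transposed)))
    print(cross_foot([[10, 20], [30, 40]], [30, 70], [40, 60]))
```

The transposed amount moves the financial total by 900.00, which is divisible by 9, so the diagnosis points at a transposition rather than a dropped or duplicated record; dropping a record instead shows up first in the record count and also breaks the hash total.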
OUTPUT CONTROLS
• Careful checking of system output provides additional control over processing integrity.
Output Controls include:
• User review of output
• Users carefully examine output for reasonableness, completeness, and to
assure they are the intended recipient.
• Reconciliation procedures
• Periodically, all transactions and other system updates should be reconciled to
control reports, file status/update reports, or other control mechanisms.
• Control accounts should also be reconciled to subsidiary account totals.
• External data reconciliation
• Database totals should periodically be reconciled with data maintained outside
the system.
• EXAMPLE: Compare the number of employee records in the payroll file to the number
in the human resources file. (Excess records in payroll suggest a “ghost”
employee.)
AVAILABILITY
• Reliable systems are available for use whenever needed.
• Threats to system availability originate from many sources, including:
• Hardware and software failures
• Natural and man-made disasters
• Human error
• Worms and viruses
• Denial-of-service attacks and other sabotage
• Proper controls can minimize the risk of significant system downtime caused by the
preceding threats.
• It is impossible to totally eliminate all threats.
• Consequently, organizations must develop disaster recovery and business continuity
plans to enable them to quickly resume normal operations after such an event.
The objectives of a disaster recovery and business continuity plan are to:
• Minimize the extent of the disruption, damage, and loss
• Temporarily establish an alternative means of processing information
• Resume normal operations as soon as possible
• Train and familiarize personnel with emergency operations
Most experts advise against such policies and recommend that organizations include email in
their backup and archive procedures because:
• There are likely to be copies of the email stored in locations outside the organization.
• Such a policy would mean that the organization would not be able to tell its side of the
story.
• Also, courts have sanctioned companies for failing to provide timely access to email.
• Organizations have three basic options for replacing computer and networking
equipment.
• Reciprocal agreements
• The least expensive approach.
• The organization enters into an agreement with another organization that
uses similar equipment to have temporary access to and use of their
information system resources in the event of a disaster.
• Effective solutions for disasters of limited duration and magnitude, especially
for small organizations.
• Not optimal in major disasters as:
– The host organization may also be affected.
– The host also needs the resources.
• Cold sites
• An empty building is purchased or leased and pre-wired for necessary
telephone and Internet access.
• Contracts are created with vendors to provide all necessary computer and
office equipment within a specified period of time.
• Still leaves the organization without use of the IS for a period of time.
• Hot sites
• Most expensive solution, but used by organizations like financial institutions
and airlines which cannot survive any appreciable time without their IS.
• The hot site is a facility that is pre-wired for phone and Internet (like the cold
site) but also contains the essential computing and office equipment.
• It is a backup infrastructure designed to provide fault tolerance in the event
of a major disaster.