
Management Information Systems

LECTURE 10: AUDIT & CONTROL OF INFORMATION SYSTEMS

Prepared by D.M.Narrainen, MIS Module Team, SBMF, UTM (September 2012)


THREATS TO THE IS ENVIRONMENT
There are environmental factors, like sudden movements or falls of hardware equipment, excessive heat or cold, power surges, and dust and other particles, which can cause damage to IT assets.
Power outages can also interrupt the running of business transactions.
IS may also be exposed to natural calamities like floods, cyclones, tsunamis, etc.
THREATS TO THE IS ENVIRONMENT
IS are also exposed to unauthorised people using the IT tools and assets of the company.
People may be authorised or unauthorised depending on their role and type.
Organisations are also exposed to threats like viruses leaking into the system through mail, shared devices like flash memory sticks, and online browsing.
System hacking is a common threat for companies performing transactions over a telecommunication network: people who just break into a company's system without the intent of causing any damage.
Some companies employ hackers to check the security of their systems.
There are also crackers who perform the same tasks as hackers but with the intention of causing damage.
ONLINE THREATS
Spam
Cookies
Spyware
Phishing
Hoaxes
It has become imperative that organisations have different types of controls depending on the sensitivity of information, volume of transactions and size of the organisation.
Organisations have to find the right balance between the number of controls and the performance of the system.
Too many controls can have adverse effects on system performance, and some controls are costly to implement.
Viruses: rogue software program that attaches itself to other software programs or data files in order to be executed
Worms: independent computer programs that copy themselves from one computer to other computers over a network
Trojan horses: software program that appears to be benign but then does something other than expected

SPAM
Junk e-mail
Avoid spam: separate e-mail account
Spam filters
Antispam practices
TYPES OF CONTROL
Physical control can be implemented by restricting access to a certain compound to authorised users only.
Software controls through:
  access privileges depending on users' roles
  password protection & authentication
  anti-virus software
  firewalls
  intrusion detection systems
  encryption
  Virtual Private Networks (VPNs)
Surge protectors can be used against power surges and an Uninterruptible Power Supply (UPS) can be used against power outages.
Proper backups and disaster recovery plans have to be designed, through program backup and data backup.
Clean-up services for computer hardware are also available, which include cleaning keyboards, CPUs, mice, servers and joysticks.
Why Systems Are Vulnerable
Hardware problems
  Breakdowns, configuration errors, damage from improper use or crime
Software problems
  Programming errors, installation errors, unauthorized changes
Disasters
  Power failures, flood, fires, etc.
Use of networks and computers outside of the firm's control
  E.g. with domestic or offshore outsourcing vendors
Hackers and Computer Crime
Hacking activities include:
  System intrusion
  System damage
  Cybervandalism: intentional disruption, defacement or destruction of a Web site or corporate information system
INTERNAL THREATS: EMPLOYEES
Security threats often originate inside an organization:
  Inside knowledge
  Sloppy security procedures
  User lack of knowledge
  Social engineering: tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information
SOFTWARE VULNERABILITY
Commercial software contains flaws that create security vulnerabilities
  Hidden bugs (program code defects)
  Zero defects cannot be achieved because complete testing is not possible with large programs
  Flaws can open networks to intruders
Patches
  Vendors release small pieces of software to repair flaws
  However, the amount of software in use can mean exploits are created faster than patches can be released and implemented
INFORMATION SECURITY
System security focuses on protecting hardware, data, software, computer facilities, and personnel.
Information security describes the protection of both computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties.
  Includes copiers, faxes, all types of media, paper documents
OBJECTIVES OF INFORMATION SECURITY
Information security is intended to achieve three main objectives:
  Confidentiality: protecting a firm's data and information from disclosure to unauthorized persons.
  Availability: making sure that the firm's data and information is only available to those authorized to use it.
  Integrity: information systems should provide an accurate representation of the physical systems that they represent.
Firms' information systems must protect data and information from misuse, ensure availability to authorized users, and display confidence in its accuracy.
INFORMATION SECURITY MANAGEMENT
Concerned with formulating the firm's information security policy.
Risk management approach: basing the security of the firm's information resources on the risks (threats imposed) that it faces.
Information security benchmark: a recommended level of security that in normal circumstances should offer reasonable protection against unauthorized intrusion.
  A benchmark is a recommended level of performance.
  Defined by governments and industry associations: what authorities believe to be the components of a good information security program.
Benchmark compliance: when a firm adheres to the information security benchmark and the standards recommended by industry authorities.
TYPES OF THREATS
Malicious software (malware) consists of complete programs or segments of code that can invade a system and perform functions not intended by the system owners (i.e., erase files, halt the system, etc.).
  Virus is a computer program that can replicate itself without being observable to the user and embed copies of itself in other programs and boot sectors.
  Worm cannot replicate itself within a system, but it can transmit its copies by means of e-mail.
  Trojan horse is distributed to users as a utility and, when the utility is used, it produces unwanted changes in the system's functionality; it can't replicate nor duplicate itself.
  Adware generates intrusive advertising messages.
  Spyware gathers data from the user's machine.
Spoofing
  Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
  Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination
Sniffer
  Eavesdropping program that monitors information traveling over a network
  Enables hackers to steal proprietary information such as e-mail, company files, etc.
Denial-of-service attacks (DoS)
  Flooding a server with thousands of false requests to crash the network.
Distributed denial-of-service attacks (DDoS)
  Use of numerous computers to launch a DoS
Botnets
  Networks of zombie PCs infiltrated by bot malware
Identity theft
  Theft of personal information (social security id, driver's license or credit card numbers) to impersonate someone else
Phishing
  Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.
Evil twins
  Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
Pharming
  Redirects users to a bogus Web page, even when the individual types the correct Web page address into his or her browser
Click fraud
  Occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the advertiser or making a purchase
Computer crime
  Defined as any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation, or prosecution
Computer may be the target of crime, e.g.:
  Breaching confidentiality of protected computerized data
  Accessing a computer system without authority
Computer may be the instrument of crime, e.g.:
  Theft of trade secrets
  Using e-mail for threats or harassment
INFORMATION SYSTEMS CONTROLS
General controls
  Govern design, security, and use of computer programs and security of data files in general throughout the organization's information technology infrastructure.
  Apply to all computerized applications
  Combination of hardware, software, and manual procedures to create the overall control environment
TYPES OF GENERAL CONTROLS
Software controls
Hardware controls
Computer operations controls
Data security controls
Implementation controls
Administrative controls
Security is defined as:
  Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
Controls refer to:
  Methods, policies, and organizational procedures that ensure the safety of the organization's assets; the accuracy and reliability of its accounting records; and operational adherence to management standards
INFORMATION SYSTEMS AND CONTROLS AUDIT
Application Controls Review: identification of the inherent risks of technology deployed in the client's business processes and minimization of the company's exposure to such risks, by ensuring that the necessary controls and security
General Computer Controls: a review to assess the policies, standards, procedures, and general computer controls aimed at providing a secure and stable environment for the application systems running on various platforms within the company.
  The implementation and monitoring of information security
  Controls over computer operations
  Controls over the acquisition, development and maintenance of systems
  Controls over information systems support.
INFORMATION SECURITY SERVICES
Information security management services comprise:
  Providing guidelines to protect information assets from business-specific risks
  Providing advice on how to effectively and efficiently protect critical information assets
  Engendering confidence in critical business systems
  Providing advice on how to protect your organization from electronic threats
  Satisfying computer audit requirements.
IS Audit
IS Audit is an examination of the management controls within an Information Technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
Reasons for IS Audit
The purposes of an IT audit are to evaluate the system's internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
ELEMENTS OF AN IS AUDIT
Physical and environmental review: includes physical security, power supply, air conditioning, humidity control and other environmental factors.
System administration review: includes security review of the operating systems, database management systems, all system administration procedures and compliance.
Application software review: includes business applications such as payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business.
Network security review: review of internal and external connections to the system; perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
Business continuity review: includes existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
Data integrity review: to verify the adequacy of controls and the impact of weaknesses, as noticed from any of the above reviews.
IS Governance
IS governance ensures that the IS investments of the organisation are aligned with its strategic directions and priorities.
IS governance ensures:
  Policies: identifying IS policies affecting the different departments
  Plans: strategic planning of the IS department
  Projects: recommendation of projects, monitoring and acceptance
Securing IS
System & software vulnerability
Malicious software: virus, worm, Trojan horse, spyware, malware
Hacking and other cybercrimes (phishing, social engineering, insider attacks, etc.)
Establishing a security and control framework
Security tools for protecting IS
Firewalls, Intrusion Detection Systems, and Antivirus Software
Firewall:
  Combination of hardware and software that prevents unauthorized users from accessing private networks
  Technologies include:
    Static packet filtering
    Network address translation (NAT)
    Application proxy filtering
Intrusion detection systems:
  Monitor hot spots on corporate networks to detect and deter intruders
  Examine events as they are happening to discover attacks in progress
Antivirus and antispyware software:
  Checks computers for the presence of malware and can often eliminate it as well
  Requires continual updating
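Worked example (added here; it is not part of the original slides): a static packet filter in Python, the first firewall technology listed above. The rule set, the packet fields and the addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for illustration. It shows first-match rule evaluation with a default-deny fallback, and the limitation that a static filter sees only header fields and no connection state, which is why outbound traffic needs its own rule.

```python
"""Static packet filter: first-match evaluation, default deny.

Added example; not code from the lecture. Rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str             # source IP address
    dst: str             # destination IP address
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for protocols without ports
    direction: str       # "inbound" or "outbound" relative to the private network


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "inbound", "outbound" or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR network or "any"
    dst: str              # CIDR network or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every header field it constrains agrees."""
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Constructed rule set (assumption): the private network is 192.0.2.0/24 and
# 192.0.2.10 is a public web server. Rules are checked top to bottom and the
# first match wins, so the specific "allow" rules sit above the broad "deny".
# A static filter keeps no connection state, so it cannot say "allow replies
# to connections we started"; the outbound rule has to be written separately.
RULES = [
    Rule("allow", "inbound", "tcp", "any", "192.0.2.10/32", 443),   # HTTPS to web server
    Rule("allow", "inbound", "tcp", "any", "192.0.2.10/32", 80),    # HTTP to web server
    Rule("deny", "inbound", "any", "any", "192.0.2.0/24", None),    # nothing else comes in
    Rule("allow", "outbound", "any", "192.0.2.0/24", "any", None),  # LAN hosts may go out
]


def decide(p: Packet, rules=RULES):
    """Return (action, index of the matching rule); None means no rule matched
    and the default-deny policy applied."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    # Constructed sample traffic
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443, "inbound"),  # web request
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22, "inbound"),   # SSH attempt
        Packet("203.0.113.5", "192.0.2.20", "tcp", 443, "inbound"),  # HTTPS to a LAN host
        Packet("192.0.2.20", "198.51.100.1", "tcp", 443, "outbound"),  # LAN host browsing
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt))
```

Every packet ends in exactly one decision, and the index returned with it is what a firewall log would record so that an auditor can check which rule produced a given allow or deny.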
Encryption
Transforming text or data into cipher text that cannot be read by unintended recipients
Two methods for encryption on networks:
  Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS)
  Secure Hypertext Transfer Protocol (S-HTTP)
Digital certificate:
  Data file used to establish the identity of users and electronic assets for the protection of online transactions
  Uses a trusted third party, a certification authority (CA), to validate a user's identity
  The CA verifies the user's identity and stores the information in the CA server, which generates an encrypted digital certificate containing owner ID information and a copy of the owner's public key
Public key infrastructure (PKI):
  Use of public key cryptography working with a certificate authority
  Widely used in e-commerce

Intrusion detection systems (IDS) recognize an attempt to break the security before it has an opportunity to inflict damage.
Virus protection software that is effective against viruses transported in e-mail: identifies a virus-carrying message and warns the user.
Inside-threat prediction tools classify internal threats in categories such as:
  Possible intentional threat.
  Potential accidental threat.
  Suspicious.
  Harmless.
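Worked example (added here; not from the original slides) of the IDS idea described on this and the previous slide: examining events as they happen to flag an attack in progress. The log lines, their format (ISO timestamp, event name, key=value fields) and the thresholds are constructed for illustration; a real IDS reads firewall or authentication logs in their own format. The detector keeps a sliding time window per source address and raises an alert when one source accumulates too many failed logins, or touches too many distinct ports, inside the window.

```python
"""Two simple intrusion-detection signatures over a constructed log.

Added example; not code from the lecture. Sample log and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a failed-login burst from 203.0.113.7, a probe of many
# ports from 198.51.100.4, and ordinary activity from 192.0.2.20.
SAMPLE_LOG = """\
2024-01-05T10:00:01 auth_fail src=203.0.113.7 user=admin
2024-01-05T10:00:03 auth_fail src=203.0.113.7 user=admin
2024-01-05T10:00:04 auth_fail src=203.0.113.7 user=root
2024-01-05T10:00:06 auth_fail src=203.0.113.7 user=admin
2024-01-05T10:00:07 auth_fail src=203.0.113.7 user=admin
2024-01-05T10:00:09 auth_ok src=192.0.2.20 user=alice
2024-01-05T10:05:00 conn src=198.51.100.4 dport=21
2024-01-05T10:05:01 conn src=198.51.100.4 dport=22
2024-01-05T10:05:01 conn src=198.51.100.4 dport=23
2024-01-05T10:05:02 conn src=198.51.100.4 dport=25
2024-01-05T10:05:02 conn src=198.51.100.4 dport=80
2024-01-05T10:05:03 conn src=198.51.100.4 dport=110
2024-01-05T10:05:03 conn src=198.51.100.4 dport=143
2024-01-05T10:05:04 conn src=198.51.100.4 dport=443
2024-01-05T10:05:04 conn src=198.51.100.4 dport=445
2024-01-05T10:05:05 conn src=198.51.100.4 dport=3389
2024-01-05T10:05:05 conn src=198.51.100.4 dport=8080
2024-01-05T10:20:00 conn src=192.0.2.20 dport=443
2024-01-05T10:20:01 auth_fail src=192.0.2.20 user=alice
2024-01-05T10:20:05 auth_ok src=192.0.2.20 user=alice
"""


def parse(line):
    """Turn 'timestamp event key=value ...' into a dict with a datetime."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect(log_text, fail_threshold=5, fail_window=timedelta(seconds=60),
           scan_threshold=10, scan_window=timedelta(seconds=30)):
    """Return alerts as (kind, src) pairs, in the order they were raised.

    Each source gets at most one alert per kind, so a long attack does not
    flood the operator with duplicates.
    """
    alerts = []
    fails = defaultdict(deque)   # src -> timestamps of recent failed logins
    conns = defaultdict(deque)   # src -> (timestamp, dport) of recent connections

    def add_alert(kind, src):
        if (kind, src) not in alerts:
            alerts.append((kind, src))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        src, now = rec["src"], rec["ts"]
        if rec["event"] == "auth_fail":
            window = fails[src]
            window.append(now)
            while now - window[0] > fail_window:   # drop events older than the window
                window.popleft()
            if len(window) >= fail_threshold:
                add_alert("brute_force", src)
        elif rec["event"] == "conn":
            window = conns[src]
            window.append((now, rec["dport"]))
            while now - window[0][0] > scan_window:
                window.popleft()
            if len({port for _, port in window}) >= scan_threshold:
                add_alert("port_scan", src)
    return alerts


if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src}")
```

The single failed login from 192.0.2.20 stays below the threshold and produces nothing, which is the point of thresholds and windows: they separate an attack in progress from the ordinary mistakes a legitimate user makes.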
Cryptography is the use of coding by means of mathematical processes.
Data and information can be encrypted as they reside in storage and/or are transmitted over networks.
If an unauthorized person gains access, the encryption makes the data and information unreadable and prevents their unauthorized use.
Special protocols such as SET (Secure Electronic Transactions) perform security checks using digital signatures developed for use in e-commerce.
Physical controls against unauthorized intrusions, such as door locks, palm prints, voice prints, surveillance cameras, and security guards.
Locate computer centers in remote areas that are less susceptible to natural disasters such as earthquakes, floods, and hurricanes.
IDENTITY MANAGEMENT AND AUTHENTICATION
Access Control
Policies and procedures to prevent improper access to systems by unauthorized insiders and outsiders
  Authorization
  Authentication
    Password systems
    Biometrics
    Tokens
    Smart cards
    Biometric authentication
Access control is the basis for security against threats by unauthorized persons.
The access control three-step process includes:
  User identification.
  User authentication.
  User authorization.
User profiles: descriptions of authorized users, used in identification and authorization.
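Worked example (added here; not part of the original slides) of the three-step process above, with a user profile driving the identification and authorization steps. The role-to-permission table, the usernames and the passwords are constructed for illustration. It stores only a salted PBKDF2 hash of each password, compares hashes in constant time, and does the same amount of hashing work for an unknown username as for a wrong password so that the response time does not reveal which accounts exist.

```python
"""Identification, authentication and authorization against user profiles.

Added example; not code from the lecture. Roles, users and passwords are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it on real systems

# Constructed role-to-permission table (assumption for the example).
PERMISSIONS = {
    "clerk":   {"payroll:read"},
    "manager": {"payroll:read", "payroll:approve"},
    "auditor": {"payroll:read", "audit_trail:read"},
}


def make_profile(username, password, role):
    """Build a user profile. The password itself is never stored, only a
    per-user salt and the PBKDF2-SHA256 hash derived from it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "role": role, "salt": salt, "pw_hash": digest}


def identify(directory, username):
    """Step 1, identification: find the profile for the claimed identity."""
    return directory.get(username)


def authenticate(profile, password):
    """Step 2, authentication: recompute the salted hash and compare it in
    constant time, so the comparison itself leaks nothing about the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    profile["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, profile["pw_hash"])


def authorize(profile, action):
    """Step 3, authorization: the profile's role decides what is permitted."""
    return action in PERMISSIONS.get(profile["role"], set())


def request_access(directory, username, password, action):
    """Run the three steps in order and return (decision, reason).

    The reason is intended for the audit trail. The message shown to the
    user should be the same generic text for an unknown username and for a
    wrong password, so the login form does not confirm which accounts exist.
    """
    profile = identify(directory, username)
    if profile is None:
        # Spend the same hashing cost as a real check so that an unknown
        # username cannot be told apart from a wrong password by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return "denied", "unknown user"
    if not authenticate(profile, password):
        return "denied", "authentication failed"
    if not authorize(profile, action):
        return "denied", f"role {profile['role']} not authorized for {action}"
    return "granted", action


def build_directory():
    """Constructed sample directory; the passwords are example values only."""
    users = [("alice", "correct horse battery", "clerk"),
             ("bob", "sample-manager-pw", "manager")]
    return {name: make_profile(name, pw, role) for name, pw, role in users}


if __name__ == "__main__":
    directory = build_directory()
    print(request_access(directory, "alice", "correct horse battery", "payroll:read"))
    print(request_access(directory, "alice", "correct horse battery", "payroll:approve"))
    print(request_access(directory, "mallory", "guess", "payroll:read"))
```

Note that authorization is checked only after authentication succeeds: an unauthenticated request never learns whether the action would have been permitted.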
INFORMAL CONTROLS
Education.
Training programs.
Management development programs.
Intended to ensure the firm's employees both understand and support the security program.
Good business practice is not to spend more for a control than the expected cost of the risk that it addresses.
Establish controls at the proper level.
AUDIT TRAILS
An audit trail is a way of tracing the effect of data through a system.
A good audit trail is one in which someone can start with the output and go back through the system to the source document, or vice versa.
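Worked example (added here; not from the original slides) of an audit trail that meets the test stated above: from an output you can walk back to the source document, and from a source document forward to every output it produced. The processing steps (invoice to journal entry to ledger to report), the actors and the reference names are constructed. Each record also carries the hash of the previous record, so an auditor can detect a record that was altered, removed or reordered after the fact.

```python
"""Hash-chained audit trail with backward and forward tracing.

Added example; not code from the lecture. Records and references are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value of the first record


class AuditTrail:
    """Each record links one processing step's source reference to its output
    reference and to the hash of the record before it."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the same content always hashes the same.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, source, output):
        """Append one step and return its hash."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "source": source, "output": output, "prev": prev}
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """True only if every record still hashes correctly and the chain of
        previous-hash links and sequence numbers is unbroken."""
        prev = GENESIS
        for seq, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["seq"] != seq or body["prev"] != prev:
                return False
            if self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def trace_back(self, output):
        """Start with an output and follow source links back to the source document."""
        by_output = {r["output"]: r for r in self.records}
        path = [output]
        # The 'not in path' guard stops a malformed trail from looping forever.
        while output in by_output and by_output[output]["source"] not in path:
            output = by_output[output]["source"]
            path.append(output)
        return path

    def trace_forward(self, source):
        """Start with a source document and follow output links to the final output."""
        by_source = {r["source"]: r for r in self.records}
        path = [source]
        while source in by_source and by_source[source]["output"] not in path:
            source = by_source[source]["output"]
            path.append(source)
        return path


def sample_trail():
    """Constructed example: one invoice flowing through to a quarterly report."""
    trail = AuditTrail()
    trail.record("clerk01", "entered invoice", "INV-1001", "JE-55")
    trail.record("system", "posted journal entry", "JE-55", "GL-2024-03")
    trail.record("reporting", "generated report", "GL-2024-03", "REP-Q1")
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    print("chain intact:", trail.verify())
    print("REP-Q1 came from:", " <- ".join(trail.trace_back("REP-Q1")))
    print("INV-1001 flowed to:", " -> ".join(trail.trace_forward("INV-1001")))
```

The hash chain does not stop an insider with write access from rewriting the whole trail from the tampered record onward; in practice the latest hash is also copied somewhere the same insider cannot reach (a separate log server or a periodic printout), which is what makes the verification meaningful.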
References

http://www.deloitte.com/view/en_GR/gr/services/enterprise-risk-services/it-control-assurance/information-systems-and-controls-audit/index.htm
http://www.kpmg.com/CN/en/IssuesAndInsights/ArticlesPublications/Documents/IS-Governance-Services-0804.pdf
http://www.slideshare.net/markroman1/information-systems-governance-5741792
http://markearnest.net/presentations/security_day_2006.pdf
Business Information Systems, Prentice Hall, 2007
CLASS DISCUSSION QUESTIONS
1. By referring to a particular company, identify the different types of controls which are being implemented to ensure security in the working environment.
2. What could be the potential problems in having too many controls in an organisation?
3. Investigate the different types of controls which can be used when performing transactions over a wireless network.
