ISACA Kampala Chapter, 30th May 2012
Aguma Mpairwe, B.A. (Hons), CISA, CIA, FCCA

Agenda
- Definitions
- Key concepts
- Applications
- Key considerations
- Points to note
- Questions

This presentation has been prepared for educational purposes. Attribution is made to particular sources of information, which should be re-checked for completeness as content may have been reduced for the sake of brevity.

Definitions
- Biometrics: automated methods of recognizing an individual based on measurable biological and behavioural characteristics. (Source: biometrics.gov)
- Biometric characteristic: a measurable physiological or behavioural trait of a living person, especially one that can be used to determine or verify the identity of a person in access control or criminal forensics. (Source: Gartner glossary)
- "Biometrics for Identification and Screening to Enhance National Security", signed by President Bush on June 5, 2008, establishes a framework to ensure that federal departments and agencies use compatible methods and procedures in the collection, storage, use, analysis and sharing of biometric and associated biographic and contextual information of individuals in a lawful and appropriate manner, while respecting privacy and other legal rights under United States law. (Source: biometrics.gov)

Applications
- General: physical access control for offices (finger, thumb).
- Internal affairs: immigration and airports, identification of the passport holder by finger, palm or face recognition.
- Electoral commission: voter registration.
- Driving permit: driver recognition.
- Visa application: UK visa.
- Financial services: credit reference bureau (Compuscan); microfinance; ATM, in addition to the ATM card and PIN; point-of-sale terminals; mobile money services, with enrolment and identification at cash-out.

Key concepts
- Claim of identity: a statement that a person is or is not the source of a reference in a database. It can be positive (in the database), negative (not in the database) or specific ("I am user 123").
- Comparison: the process of comparing a biometric sample with a previously stored reference to make an identification or verification decision. (Source: biometrics.gov)
- Enrolment: the process of collecting a biometric sample from an end user, converting it into a biometric reference and storing it in the database for later comparison.
- Equal error rate (EER): a statistic used to show biometric performance; the lower the EER, the higher the accuracy of the system. (Source: biometrics.gov)
- Failure to acquire: failure of a biometric system to capture and/or extract usable information from a biometric sample.
- Failure to enrol: failure of a biometric system to form a proper enrolment reference for an end user (causes include user training and sensor quality). (Source: biometrics.gov)
- False acceptance rate (FAR): the percentage of times a system produces a false accept, i.e. an individual is incorrectly matched to another individual's existing biometric. A false accept is a Type II error.
- False alarm rate: the percentage of times an alarm is incorrectly sounded on an individual who is not in the biometric system's database. (Source: biometrics.gov)
- False rejection rate (FRR): the percentage of times the system produces a false reject, which occurs when an individual is not matched to his/her own existing biometric template. A false reject is a Type I error.
- Algorithm: a limited sequence of instructions or steps that tells a computer how to solve a particular problem, e.g. image processing, template generation, comparison. (Source: biometrics.gov)
- Verification: a task where the biometric system attempts to confirm an individual's identity by comparing a submitted sample to one or more previously enrolled templates. Used to confirm that the individual is enrolled and has the claimed authorisations. "Am I who I claim I am?" (e.g. a sys admin logging on).
- Identification: a task where the biometric system attempts to determine the identity of an individual; a biometric is collected and compared to all templates in the database. "Who am I?"
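The error-rate definitions above (FAR, FRR, EER) and the verification/identification distinction, carried through in code. This is an added example, not code from the presentation or from any of its cited sources. The score sets, the template database and the similarity function are constructed assumptions; the identify() function also handles the open-set case where the person may not be enrolled at all, and operating_point() shows the trade-off a deployment makes when it wants a lower FAR than the cross-over point gives.

```python
"""Added worked example (not from the presentation or any cited source):
computing FAR, FRR and the equal error rate from matcher scores, then using
the chosen threshold for a 1:1 verification and a 1:N identification.

Assumption: the matcher returns a similarity score in [0, 1], higher meaning
a closer match. Genuine scores come from comparing a user's sample with that
user's own template, impostor scores from comparing it with someone else's.
All numbers below are constructed sample data.
"""

# Constructed score sets (ten genuine and ten impostor comparisons).
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.66, 0.55, 0.48]
IMPOSTOR_SCORES = [0.68, 0.60, 0.57, 0.52, 0.47, 0.42, 0.40, 0.35, 0.31, 0.22]


def far(impostor, threshold):
    """False acceptance rate (Type II error): impostor scores at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate (Type I error): genuine scores below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) at evenly spaced thresholds from 0.0 to 1.0."""
    return [(t / steps, far(impostor, t / steps), frr(genuine, t / steps))
            for t in range(steps + 1)]


def equal_error_rate(genuine, impostor, steps=100):
    """Threshold where FAR and FRR are closest (the cross-over point) and the EER there."""
    t, a, r = min(error_curve(genuine, impostor, steps),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def operating_point(genuine, impostor, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR paid for it.
    A bank ATM would pick a small max_far and accept more false rejects."""
    for t, a, r in error_curve(genuine, impostor, steps):
        if a <= max_far:
            return t, a, r
    return 1.0, 0.0, 1.0  # reached only for a negative max_far


# Constructed enrolment database: user id -> template. Templates are plain
# numbers here so that similarity is simply 1 - |sample - template|; a real
# matcher compares feature vectors (minutiae, iris codes) with its own function.
TEMPLATES = {"user123": 0.30, "user456": 0.55, "user789": 0.80}


def similarity(sample, template):
    return max(0.0, 1.0 - abs(sample - template))


def verify(sample, claimed_id, threshold):
    """1:1 comparison, 'am I who I claim I am?': sample against the claimed user's template only."""
    if claimed_id not in TEMPLATES:
        return False
    return similarity(sample, TEMPLATES[claimed_id]) >= threshold


def identify(sample, threshold, closed_set=False):
    """1:N comparison, 'who am I?': sample against every template.
    Open set: return None unless the best match clears the threshold.
    Closed set: the person is assumed enrolled, so the best match is returned regardless."""
    best_id, best_score = max(((uid, similarity(sample, tpl)) for uid, tpl in TEMPLATES.items()),
                              key=lambda pair: pair[1])
    if closed_set or best_score >= threshold:
        return best_id
    return None


if __name__ == "__main__":
    t_eer, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"cross-over threshold {t_eer:.2f}, EER {eer:.2f}")
    t_strict, a, r = operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"zero-FAR threshold {t_strict:.2f} costs FRR {r:.2f}")
    print(verify(0.32, "user123", t_eer), verify(0.32, "user789", t_eer))
    print(identify(0.32, t_eer), identify(-0.20, t_eer), identify(-0.20, t_eer, closed_set=True))
```

With the constructed scores the cross-over sits at a threshold of about 0.58 with an EER of 0.2; pushing FAR to zero needs a threshold of 0.69 and raises FRR to 0.3, which is the sensitivity/convenience trade-off the CER discussion is about. Note that in the open-set identification the sample that matches nobody is rejected, whereas closed-set identification hands back the nearest enrolled user anyway.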
(Sources: Michigan State University article, biometrics.gov)

Identification can be:
- Open set: the person is not guaranteed to exist in the database.
- Closed set: the person is known to exist in the database. (Source: biometrics.gov)

Failure to enrol rate (FTER) = number of unsuccessful enrolments / total number of users attempting to enrol.

Cross-over error rate (CER): the percentage at which FRR equals FAR, i.e. the point on the graph where the FAR and FRR curves intersect. The cross-over rate indicates a system with a good balance between sensitivity and performance. (Source: ISACA)

Biometrics in access control
- As a physical access control.
- As a mechanism for logical access control: part of the identification and authentication (I&A) process. In logical access control software, authentication is "the process of proving one's identity"; identification is the means by which the user provides a claimed identity. I&A helps establish user accountability, is the first line of defence, and is a technical measure that prevents unauthorised people (or unauthorised processes) from entering a computer system. (Source: CISA Review Manual 2003)
- I&A techniques: something you know (password, static PIN); something you have (token card, PIN generator); something you are (biometric characteristic). (Source: CISA Review Manual 2003)

Physiological and behavioural biometrics
- Fingerprint, finger vein, palm print, hand geometry, iris recognition, retina recognition, voice recognition, signature recognition, face recognition, keystroke dynamics.
- DNA? Debated, as it is not performed by an "automated" method (biometrics.gov).
- Gait? In development; practical?

Fingerprint
- Advantages: multiple fingers; easy to use; low storage space; large existing databases globally for watchlist checks; proven effective over time.
- Disadvantages: public perceptions (criminal connotations); health concerns with contact sensors (Ebola, bird flu); quality affected by age, occupation, weight gain and cuts. (Source: biometrics.gov)

Iris
- Advantages: no contact required; highly stable over time.
- Disadvantages: difficult to capture for some users, training needed; easily obscured by reflections from the cornea, eyelids and eyelashes; public fears of "scanning" the eye with a light source (infrared light is used to illuminate the iris; source: findBIOMETRICS); limited existing data for watchlist checks. (Source: biometrics.gov)

Face
- Advantages: no contact; commonly available sensors (cameras); large amounts of existing data; easy for humans to verify results.
- Disadvantages: obstruction of the image by hair, glasses or hats; change over time. (Source: biometrics.gov)

Voice
- Advantages: public acceptance; no contact required; sensors are common (telephones, microphones).
- Disadvantages: not sufficiently distinctive over large databases. (Source: biometrics.gov)

Uniqueness: the twins challenge. Permanence.

How a biometric system works (an iterative averaging process)
1. Acquire a biometric sample (physical/behavioural).
2. Extract unique features from the sample.
3. Convert the features into a mathematical code.
4. Create the initial "template" (a digital representation of the biometric).
5. Compare new samples with what has been stored.
6. Develop the final template.
7. Encrypt the template. (Unlike a password, a template cannot be stored as a one-way hash and compared exactly, because matching is approximate, so stored templates depend on encryption and access control.)
8. Use it to identify the user (e.g. fingerprint, latent vs conventional; source: NIST, biometrics.gov).

Secure? Convenient?
- Cannot be stolen? Cannot be forgotten. Difficult to forge. (Source: Smart Card Alliance)
- Template skimming.
- Not always accurate: FARs/FRRs; 10% of the population have worn, cut or unrecognisable fingerprints (source: Biometric News Portal).
- Biometric features may alter or degrade with age, disease, weight gain.
- Security risks: car theft.
Voice biometrics: background noise; storage and transmission quality loss.

Multimodal biometrics: use of more than one biometric identifier for increased accuracy; combination of biometrics with PINs and tokens.

Smart cards: ICC memory used for storage of biometric templates, so that verification does not have to be done at a distant host. (Source: various)

Audit: controls over the matching of generated templates to other data (criminal records, financial default histories). IS Audit Guideline ISACA G36.

Key considerations
- Privacy concerns; intrusiveness of data collection; health concerns.
- Skill of system use by staff.
- Robustness and reliability of the technology.
- Cost of deployment; cost-benefit considerations.
- Legislative and regulatory compliance.
- Resistance to change/use.
- Practicality and efficiency: airport queues, voting processes.
- Accuracy: FAR, FRR, EER.
- Culture (global companies): non-cooperation, health concerns. (Source: NIST, biometrics.gov)

Points to note
- Will images be compact enough for effective transmission across networks without degradation?
- Will images/templates be compact enough for storage on a smart card?
- Interoperability and standardisation: immigration face camera and fingerprint capture in a single application/device (source: NIST); interoperability across government agencies.
- Privacy concerns; data sharing across jurisdictions?; legal implications?; data storage requirements.

Questions?

References
- CIO Magazine, "Using Biometric Access Systems: Dos and Don'ts": http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092
- biometrics.gov: http://www.biometrics.gov/
- CISA Review Manual (2003), Information Systems Audit and Control Association.
- Gartner IT Glossary: http://www.gartner.com/it-glossary/biometrics/
- Multimodal biometrics, Biometric News Portal: http://www.biometricnewsportal.com/multimodal-biometrics.asp
- NIST, "New NIST biometric data standard adds DNA, footmarks and enhanced fingerprint descriptions": http://www.nist.gov/itl/iad/biometric-120611.cfm
- Smart Card Alliance, Smart cards and biometrics: http://www.smartcardalliance.org/pages/publications-smart-cards-andbiometrics
- findBIOMETRICS, Iris scanners and recognition: http://www.findbiometrics.com/irisrecognition/
- Michigan State University, An overview of biometric recognition: http://biometrics.cse.msu.edu/info.html
- ISACA IS Auditing Guideline G36, Biometric Controls: http://www.isaca.org/KnowledgeCenter/Standards/Pages/IS-Auditing-Guideline-G36-BiometricControls.aspx