Risk Management Training-UCC

ISACA KAMPALA CHAPTER
30TH MAY 2012
AGUMA MPAIRWE
B.A (HONS), CISA, CIA, FCCA.

DEFINITIONS

KEY CONCEPTS

APPLICATIONS

KEY CONSIDERATIONS

POINTS TO NOTE

QUESTIONS


THIS PRESENTATION HAS BEEN PREPARED FOR
EDUCATIONAL PURPOSES.
ATTRIBUTION IS MADE TO PARTICULAR
SOURCES OF INFORMATION WHICH SHOULD
BE RE-CHECKED FOR COMPLETENESS AS
CONTENT MAY HAVE BEEN REDUCED FOR THE
SAKE OF BREVITY.


BIOMETRICS – AUTOMATED METHODS OF
RECOGNISING AN INDIVIDUAL BASED ON
MEASURABLE BIOLOGICAL AND BEHAVIOURAL
CHARACTERISTICS (SOURCE – BIOMETRICS.GOV)
BIOMETRIC CHARACTERISTIC – A
MEASURABLE PHYSIOLOGICAL OR
BEHAVIOURAL TRAIT OF A LIVING PERSON,
ESPECIALLY ONE THAT CAN BE USED TO
DETERMINE OR VERIFY THE IDENTITY OF A
PERSON IN ACCESS CONTROL OR CRIMINAL
FORENSICS. (SOURCE – GARTNER GLOSSARY)





“BIOMETRICS FOR IDENTIFICATION AND SCREENING TO
ENHANCE NATIONAL SECURITY” (NSPD-59/HSPD-24),
SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008.
ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL
DEPARTMENTS AND AGENCIES USE COMPATIBLE
METHODS AND PROCEDURES IN THE COLLECTION,
STORAGE, USE, ANALYSIS AND SHARING OF BIOMETRIC
AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL
INFORMATION OF INDIVIDUALS IN A LAWFUL AND
APPROPRIATE MANNER, WHILE RESPECTING PRIVACY
AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW.
(SOURCE – BIOMETRICS.GOV)





GENERAL PHYSICAL ACCESS CONTROL –
OFFICES; FINGER, THUMB.
INTERNAL AFFAIRS – IMMIGRATION, AIRPORT –
IDENTIFICATION OF PASSPORT HOLDER –
FINGER/PALM/FACE BIOMETRIC RECOGNITION.
ELECTORAL COMMISSION – VOTER
REGISTRATION.
DRIVING PERMIT – DRIVER RECOGNITION.

VISA APPLICATION – UK VISA.
FINANCIAL SERVICES





CREDIT REFERENCE BUREAU – COMPUSCAN
MICROFINANCE
ATM – IN ADDITION TO ATM CARD/PIN
POINT OF SALES TERMINALS
MOBILE MONEY SERVICES - ENROLLMENT
AND IDENTIFICATION AT CASHOUT



CLAIM OF IDENTITY – STATEMENT THAT A
PERSON IS OR IS NOT THE SOURCE OF A
REFERENCE IN A DATABASE; CAN BE POSITIVE
(IN THE DATABASE), NEGATIVE (NOT IN THE
DATABASE) OR SPECIFIC (“I AM USER 123”).
COMPARISON – PROCESS OF COMPARING A
BIOMETRIC SAMPLE WITH A PREVIOUSLY
STORED REFERENCE TO MAKE AN
IDENTIFICATION OR VERIFICATION DECISION.
(SOURCE – BIOMETRICS.GOV)



ENROLLMENT – PROCESS OF COLLECTING A
BIOMETRIC SAMPLE FROM AN END USER,
CONVERTING IT INTO A BIOMETRIC
REFERENCE AND STORING IT IN THE
DATABASE FOR LATER COMPARISON.
EQUAL ERROR RATE (EER) – A STATISTIC USED
TO SHOW BIOMETRIC PERFORMANCE: THE RATE
AT WHICH FAR AND FRR ARE EQUAL. THE
LOWER THE EER, THE HIGHER THE
ACCURACY OF THE SYSTEM.
(SOURCE – BIOMETRICS.GOV)



FAILURE TO ACQUIRE – FAILURE OF A
BIOMETRIC SYSTEM TO CAPTURE AND/OR
EXTRACT USABLE INFORMATION FROM A
BIOMETRIC SAMPLE.
FAILURE TO ENROL – FAILURE OF A
BIOMETRIC SYSTEM TO FORM A PROPER
ENROLLMENT REFERENCE FOR AN END USER
(CAUSES: USER TRAINING, SENSOR QUALITY).
(SOURCE – BIOMETRICS.GOV)



FALSE ACCEPTANCE RATE (FAR) – THE PERCENTAGE
OF TIMES A SYSTEM PRODUCES A FALSE
ACCEPT – AN INDIVIDUAL IS INCORRECTLY
MATCHED TO ANOTHER INDIVIDUAL’S
EXISTING BIOMETRIC. (TYPE II ERROR)
FALSE ALARM RATE – THE PERCENTAGE OF
TIMES AN ALARM IS INCORRECTLY SOUNDED
ON AN INDIVIDUAL WHO IS NOT IN THE
BIOMETRIC SYSTEM’S DATABASE.
(SOURCE – BIOMETRICS.GOV)



FALSE REJECTION RATE (FRR) – THE PERCENTAGE OF
TIMES THE SYSTEM PRODUCES A FALSE
REJECT. THIS OCCURS WHEN AN INDIVIDUAL
IS NOT MATCHED TO HIS/HER OWN EXISTING
BIOMETRIC TEMPLATE. (TYPE I ERROR)
ALGORITHM – A LIMITED SEQUENCE OF
INSTRUCTIONS OR STEPS THAT TELLS A
COMPUTER HOW TO SOLVE A PARTICULAR
PROBLEM – IMAGE PROCESSING, TEMPLATE
GENERATION, COMPARISONS, ETC.
(SOURCE – BIOMETRICS.GOV)




VERIFICATION – A TASK WHERE A BIOMETRIC SYSTEM
ATTEMPTS TO CONFIRM AN INDIVIDUAL’S CLAIMED IDENTITY
BY COMPARING A SUBMITTED SAMPLE TO ONE OR
MORE PREVIOUSLY ENROLLED TEMPLATES (1:1) – USED
TO CONFIRM THAT THE INDIVIDUAL IS ENROLLED AND
HAS THE CLAIMED AUTHORISATIONS.
“AM I WHO I CLAIM TO BE?” (E.G. CLAIMING TO BE THE SYS ADMIN)
IDENTIFICATION – A TASK WHERE A BIOMETRIC
SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY
OF AN INDIVIDUAL: A BIOMETRIC IS COLLECTED
AND COMPARED TO ALL TEMPLATES IN THE
DATABASE (1:N) – “WHO AM I?”
(SOURCES – MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)
IDENTIFICATION CAN BE:
‘OPEN SET’ – PERSON NOT GUARANTEED TO
EXIST IN THE DATABASE
‘CLOSED SET’ – PERSON IS KNOWN TO EXIST
IN THE DATABASE
(SOURCE – BIOMETRICS.GOV)





FAILURE TO ENROLL RATE (FTER) = NUMBER
OF UNSUCCESSFUL ENROLLMENTS / TOTAL
NUMBER OF USERS ATTEMPTING TO ENROLL.
CROSS-OVER ERROR RATE (CER) – THE RATE AT
WHICH FRR EQUALS FAR. THIS IS THE POINT ON THE
GRAPH WHERE THE FAR AND FRR CURVES INTERSECT
AS THE MATCHING THRESHOLD IS VARIED.
THE CROSS-OVER RATE IS USED TO COMPARE SYSTEMS:
THE LOWER THE CER, THE BETTER THE BALANCE
BETWEEN SENSITIVITY AND PERFORMANCE.
(SOURCE – ISACA)
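The FAR/FRR/EER/CER definitions above become concrete once you sweep the matching threshold over a set of match scores. The following Python is an added example and is not part of the ISACA presentation: the genuine and impostor similarity scores, the 0-100 score scale and the enrolment outcomes are constructed for illustration, not measurements from any real system.

```python
"""Threshold sweep over constructed genuine/impostor match scores.

Computes FAR, FRR, the cross-over (equal-error) point and FTER as defined
on the slides. Scores and enrolment outcomes are constructed for this
example and do not come from any real biometric system.
"""

# Constructed similarity scores (0-100, higher = closer match).
GENUINE = [92, 88, 85, 83, 80, 78, 75, 72, 70, 65, 60, 55]            # own template
IMPOSTOR = [58, 55, 52, 50, 48, 45, 42, 40, 38, 35, 30, 25, 20, 15]   # someone else's


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate (Type II): impostor scores at/above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate (Type I): genuine scores below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep integer thresholds and return (threshold, CER) at the point where
    FAR and FRR are closest; the CER is reported as their mean there."""
    best = None
    for t in range(0, 101):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_far(max_far, impostor=IMPOSTOR):
    """Lowest threshold whose FAR stays within max_far. Tightening the FAR
    budget pushes the threshold up, which raises FRR for genuine users."""
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t
    return 100


def fter(enrolment_outcomes):
    """Failure-to-enrol rate = unsuccessful enrolments / users who attempted."""
    failed = sum(1 for ok in enrolment_outcomes if not ok)
    return failed / len(enrolment_outcomes)


if __name__ == "__main__":
    t, cer = crossover()
    print(f"cross-over at threshold {t}: CER {cer:.3f}")
    for t in (50, 56, 59, 65):
        print(f"threshold {t}: FAR {far(t):.3f}  FRR {frr(t):.3f}")
    zero_far_t = threshold_for_far(0.0)
    print("threshold for zero FAR:", zero_far_t, "-> FRR", round(frr(zero_far_t), 3))
    print("FTER:", fter([True, True, False, True, True, False, True, True, True, True]))
```

Running it shows the trade-off the slides describe: at the cross-over threshold FAR and FRR are both small but non-zero, and forcing FAR to zero (the right choice for a high-security door, the wrong one for a voter queue) immediately rejects a share of genuine users.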



AS A PHYSICAL ACCESS CONTROL
AS A MECHANISM FOR LOGICAL ACCESS
CONTROL
IN LOGICAL ACCESS CONTROL PART OF
IDENTIFICATION AND AUTHENTICATION
PROCESS


AUTHENTICATION – IN LOGICAL ACCESS CONTROL SOFTWARE, IS
‘THE PROCESS OF PROVING ONE’S IDENTITY’.
IDENTIFICATION – MEANS BY WHICH THE USER
PROVIDES A CLAIMED IDENTITY.

HELPS ESTABLISH USER ACCOUNTABILITY.

FIRST LINE OF DEFENSE.

(SOURCE – CISA REVIEW MANUAL 2003)






IDENTIFICATION AND AUTHENTICATION (I&A)
IS A TECHNICAL MEASURE THAT PREVENTS
UNAUTHORISED PEOPLE (OR UNAUTHORISED
PROCESSES) FROM ENTERING A COMPUTER
SYSTEM.
I&A TECHNIQUES:
SOMETHING YOU KNOW – PASSWORD, STATIC
PIN
SOMETHING YOU HAVE – TOKEN CARD, PIN
GENERATOR
SOMETHING YOU ARE – BIOMETRIC
CHARACTERISTIC
(SOURCE – CISA REVIEW MANUAL 2003)

PHYSIOLOGICAL & BEHAVIOURAL

FINGERPRINT

FINGERVEIN

PALM PRINT

HAND GEOMETRY

IRIS RECOGNITION

RETINA RECOGNITION

VOICE RECOGNITION

SIGNATURE RECOGNITION

FACE RECOGNITION



KEYSTROKE DYNAMICS
DNA? – DEBATED, AS NOT PERFORMED BY AN
‘AUTOMATED’ METHOD (BIOMETRICS.GOV)
GAIT? – IN DEVELOPMENT; PRACTICAL?
FINGERPRINT
ADVANTAGES
- MULTIPLE FINGERS!
- EASY TO USE
- LOW STORAGE SPACE
- LARGE EXISTING DATABASES GLOBALLY FOR
WATCHLIST CHECKS
- PROVEN EFFECTIVE OVER TIME
DISADVANTAGES
- PUBLIC PERCEPTIONS – CRIMINAL
CONNOTATIONS
- HEALTH CONCERNS (CONTACT SENSOR) – EBOLA, BIRD FLU
- AGE, OCCUPATION, WEIGHT GAIN, CUTS

(SOURCE – BIOMETRICS.GOV)
IRIS RECOGNITION
ADVANTAGES
- NO CONTACT REQUIRED
- HIGHLY STABLE OVER TIME
DISADVANTAGES
- DIFFICULT TO CAPTURE FOR SOME USERS;
TRAINING NEEDED
- EASILY OBSCURED – REFLECTIONS FROM
CORNEA, EYELIDS, EYELASHES
- PUBLIC FEARS OF ‘SCANNING’ THE EYE WITH A
LIGHT SOURCE – INFRARED LIGHT IS USED TO
ILLUMINATE THE IRIS (SOURCE – FINDBIOMETRICS.COM)
- LIMITED EXISTING DATA FOR WATCHLIST
CHECKS

(SOURCE – BIOMETRICS.GOV)
FACE RECOGNITION
ADVANTAGES
- NO CONTACT
- COMMONLY AVAILABLE SENSORS – CAMERA
- LARGE AMOUNTS OF EXISTING DATA
- EASY FOR HUMANS TO VERIFY RESULTS
DISADVANTAGES
- OBSTRUCTION OF IMAGE BY HAIR, GLASSES,
HATS
- CHANGE OVER TIME

(SOURCE – BIOMETRICS.GOV)
VOICE RECOGNITION
ADVANTAGES
- PUBLIC ACCEPTANCE
- NO CONTACT REQUIRED
- SENSORS ARE COMMON – TELEPHONES,
MICROPHONES
DISADVANTAGES
- NOT SUFFICIENTLY DISTINCTIVE OVER LARGE
DATABASES

(SOURCE – BIOMETRICS.GOV)

UNIQUENESS

THE TWINS CHALLENGE

PERMANENCE




ITERATIVE AVERAGING PROCESS:
ACQUIRE BIOMETRIC SAMPLE (PHYSICAL
/BEHAVIOURAL).
EXTRACT UNIQUE FEATURES FROM THE SAMPLE.
FEATURES CONVERTED INTO A MATHEMATICAL
CODE.

CREATION OF INITIAL ‘TEMPLATE’ (DIGITAL
REPRESENTATION OF THE BIOMETRIC).
COMPARISON OF NEW SAMPLES WITH WHAT
HAS BEEN STORED.

DEVELOPING THE FINAL TEMPLATE.

ENCRYPTION (OF THE STORED TEMPLATE).

USE TO IDENTIFY/VERIFY THE USER.

(e.g. FINGERPRINT, latent v conventional – Source NIST,
BIOMETRICS.GOV)
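To make the enrolment and comparison steps above tangible, here is an added Python example (not from the presentation or any vendor): a subject's biometric is modelled as a 64-bit code, each capture is that code with random bit flips standing in for sensor noise, enrolment majority-votes several captures into one template (the "iterative averaging"), and verification compares a fresh capture to the template by normalised Hamming distance. The code length, noise level, match threshold and seeded random codes are all assumptions made for the demo; real iris or fingerprint templates are far larger and the matching algorithms are modality-specific.

```python
"""Enrolment by iterative averaging, then verification by template comparison.

Toy model: a user's biometric is a 64-bit code; each capture is that code
with random bit flips (sensor noise). Enrolment majority-votes several
captures into one template; verification compares a fresh capture to the
template by normalised Hamming distance. All codes are constructed with a
seeded RNG. Nothing here is a real biometric or a real matcher.
"""
import random

TEMPLATE_BITS = 64       # real iris codes are thousands of bits; 64 keeps the demo small
CAPTURE_NOISE = 0.10     # assumed probability that any one bit flips in a capture
MATCH_THRESHOLD = 0.25   # assumed: accept when normalised Hamming distance <= this


def capture(true_code, rng, noise=CAPTURE_NOISE):
    """Simulate one acquisition: each bit of the subject's code flips with prob. noise."""
    return [bit ^ 1 if rng.random() < noise else bit for bit in true_code]


def enrol(samples):
    """Iterative averaging: majority vote per bit position over all captures.
    An odd sample count guarantees a clear majority at every position."""
    if len(samples) % 2 == 0:
        raise ValueError("use an odd number of samples for majority voting")
    length = len(samples[0])
    return [1 if sum(s[i] for s in samples) * 2 > len(samples) else 0
            for i in range(length)]


def hamming(a, b):
    """Normalised Hamming distance: fraction of differing bit positions."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(template, sample, threshold=MATCH_THRESHOLD):
    """Verification (1:1) decision: accept if the sample is close enough to the template."""
    return hamming(template, sample) <= threshold


def demo(seed=7, enrol_samples=5):
    """Enrol 'alice' from several noisy captures, then test a genuine and an impostor capture."""
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]   # constructed subject code
    bob = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]     # constructed impostor code
    template = enrol([capture(alice, rng) for _ in range(enrol_samples)])
    fresh_alice = capture(alice, rng)
    fresh_bob = capture(bob, rng)
    return {
        "template_error": hamming(template, alice),          # averaging removes most noise
        "single_capture_error": hamming(fresh_alice, alice),  # one capture keeps ~10% noise
        "genuine_distance": hamming(template, fresh_alice),
        "impostor_distance": hamming(template, fresh_bob),
        "genuine_accepted": verify(template, fresh_alice),
        "impostor_accepted": verify(template, fresh_bob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the output is the gap between the two distances: a genuine capture lands well inside the threshold even with noise, an unrelated code sits near 50% disagreement, and the averaged template is closer to the subject's true code than any single capture tends to be. Where the threshold is set inside that gap is exactly the FAR/FRR trade-off from the earlier slides.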

SECURE?

CONVENIENT?

CANNOT BE STOLEN?

CANNOT BE FORGOTTEN

DIFFICULT TO FORGE

(SOURCE – SMARTCARDALLIANCE)

TEMPLATE SKIMMING

NOT ALWAYS ACCURATE – FARs / FRRs.

10% OF THE POPULATION HAVE
WORN/CUT/UNRECOGNISABLE
FINGERPRINTS!! (SOURCE – BIOMETRIC NEWS PORTAL)
BIOMETRIC FEATURES MAY ALTER/DEGRADE
WITH AGE, DISEASE, WEIGHT GAIN.

SECURITY RISKS – CAR THEFT!!

VOICE BIOMETRICS – BACKGROUND NOISE.

STORAGE AND TRANSMISSION QUALITY LOSS.




MULTIMODAL BIOMETRICS – USE OF MORE
THAN ONE BIOMETRIC IDENTIFIER FOR
INCREASED ACCURACY.
COMBINATION OF BIOMETRICS WITH PINS
AND TOKENS.
SMARTCARDS – ICC MEMORY FOR STORAGE OF
BIOMETRIC TEMPLATES, AVOIDING
VERIFICATION AT A REMOTE HOST.
(SOURCE – VARIOUS)
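An added example of how multimodal biometrics raise accuracy in practice (this Python is not from the presentation or any vendor): two matchers report similarity scores on their own scales, and the decision is made either by fusing the normalised scores or by combining the per-modality decisions with AND or OR. The score scales, weights, thresholds and the three test cases are assumptions constructed for the demo.

```python
"""Multimodal biometrics: score-level fusion versus AND/OR decision fusion.

Two modalities each report a similarity score on their own scale. Scores,
scales, weights and thresholds below are constructed for this example and
stand in for whatever the deployed matchers actually report.
"""

SCALES = {"finger": (0, 100), "face": (0.0, 1.0)}   # assumed (min, max) of each matcher
WEIGHTS = {"finger": 0.5, "face": 0.5}               # assumed equal weighting
UNIMODAL_T = {"finger": 60, "face": 0.70}            # assumed per-modality thresholds
FUSED_T = 0.60                                       # assumed threshold on the fused score


def normalise(modality, score):
    """Min-max normalisation so scores from different matchers are comparable."""
    lo, hi = SCALES[modality]
    return (score - lo) / (hi - lo)


def fused_score(scores):
    """Weighted sum of normalised scores (score-level fusion)."""
    return sum(WEIGHTS[m] * normalise(m, s) for m, s in scores.items())


def decide_fused(scores):
    return fused_score(scores) >= FUSED_T


def decide_and(scores):
    """Decision-level AND: every modality must pass. Lowest FAR, highest FRR."""
    return all(s >= UNIMODAL_T[m] for m, s in scores.items())


def decide_or(scores):
    """Decision-level OR: any modality passing is enough. Lowest FRR, highest FAR."""
    return any(s >= UNIMODAL_T[m] for m, s in scores.items())


# Constructed cases: a genuine user with a worn fingerprint (the slides note that
# cuts and occupation degrade prints) but a clear face capture; an impostor whose
# finger happens to score close to the line; an impostor who beats the finger
# matcher outright but not the face matcher.
CASES = {
    "genuine, worn finger": {"finger": 45, "face": 0.92},
    "impostor, borderline finger": {"finger": 58, "face": 0.55},
    "impostor, finger spoof": {"finger": 65, "face": 0.30},
}


def evaluate(cases=CASES):
    """Return {case: (fused_score, fused_decision, and_decision, or_decision)}."""
    return {name: (round(fused_score(s), 3), decide_fused(s), decide_and(s), decide_or(s))
            for name, s in cases.items()}


if __name__ == "__main__":
    for name, (score, fused, both, either) in evaluate().items():
        print(f"{name}: fused={score} accept_fused={fused} "
              f"accept_and={both} accept_or={either}")
```

The three cases show why the fusion rule matters as much as the second sensor: AND fusion rejects the genuine user with the worn finger (higher FRR), OR fusion lets the finger spoof through (higher FAR), and score-level fusion gets all three right because one strong modality can compensate for a weak one without a single passing modality being sufficient on its own.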

AUDIT CONTROLS OVER MATCHING THE TEMPLATES
GENERATED AGAINST OTHER DATA – CRIMINAL
RECORDS, FINANCIAL DEFAULT HISTORIES
(IS AUDIT GUIDELINE ISACA G36):
- PRIVACY CONCERNS
- INTRUSIVENESS OF DATA COLLECTION
- HEALTH CONCERNS
- SKILL OF SYSTEM USE BY STAFF
- ROBUSTNESS OF TECHNOLOGY – RELIABILITY
- COST OF DEPLOYMENT
- LEGISLATIVE AND REGULATORY COMPLIANCE
- RESISTANCE TO CHANGE/USE


COST–BENEFIT CONSIDERATIONS
PRACTICALITY AND EFFICIENCY – AIRPORT
QUEUES, VOTING PROCESSES.

ACCURACY – FAR, FRR, EER

CULTURE – GLOBAL COMPANIES!

NON-CO-OPERATION, HEALTH CONCERNS

(SOURCE – NIST, BIOMETRICS.GOV)




WILL IMAGES BE COMPACT ENOUGH FOR
EFFECTIVE TRANSMISSION ACROSS
NETWORKS WITHOUT DEGRADATION?
WILL IMAGES/TEMPLATES BE COMPACT
ENOUGH FOR STORAGE ON A SMART CARD?
INTEROPERABILITY AND STANDARDISATION –
IMMIGRATION FACE CAMERA AND FINGERPRINT
CAPTURE INTO A SINGLE
APPLICATION/DEVICE.
(SOURCE – NIST)

INTEROPERABILITY – ACROSS GOVERNMENT
AGENCIES

PRIVACY CONCERNS

DATA SHARING - ACROSS JURISDICTIONS ?

LEGAL IMPLICATIONS ?

DATA STORAGE REQUIREMENTS
QUESTIONS?










SOURCES
CIO MAGAZINE – USING BIOMETRIC ACCESS SYSTEMS: DOS AND DON’TS
http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092
BIOMETRICS.GOV – http://www.biometrics.gov/
CISA REVIEW MANUAL (2003). INFORMATION SYSTEMS AUDIT AND
CONTROL ASSOCIATION.
GARTNER IT GLOSSARY – http://www.gartner.com/it-glossary/biometrics/
MULTIMODAL BIOMETRICS – BIOMETRIC NEWS PORTAL
http://www.biometricnewsportal.com/multimodal-biometrics.asp
NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND
ENHANCED FINGERPRINT DESCRIPTIONS – http://www.nist.gov/itl/iad/biometric-120611.cfm
SMART CARDS AND BIOMETRICS – SMART CARD ALLIANCE –
http://www.smartcardalliance.org/pages/publications-smart-cards-andbiometrics
IRIS SCANNERS AND RECOGNITION – http://www.findbiometrics.com/irisrecognition/
AN OVERVIEW OF BIOMETRIC RECOGNITION – MICHIGAN STATE UNIVERSITY
http://biometrics.cse.msu.edu/info.html
ISACA AUDIT GUIDELINE G36 – BIOMETRIC CONTROLS
http://www.isaca.org/KnowledgeCenter/Standards/Pages/IS-Auditing-Guideline-G36-BiometricControls.aspx