Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

View

advertisement 
C HAPTER 7
Information Systems Controls
for Systems Reliability
Part 1: Information Security
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart1 of 28
INTRODUCTION
• Questions to be addressed in this chapter:
– How does security affect systems reliability?
– What is the time-based model of security and
the concept of defense-in-depth?
– What types of preventive, detective, and
corrective controls are used to provide
information security?
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 2 of 28
INTRODUCTION
• One basic function of an AIS is to provide
information useful for decision making. In
order to be useful, the information must be
reliable, which means:
– It provides an accurate, complete, and timely
picture of the organization’s activities.
– It is available when needed.
– The information and the system that produces
it is protected from loss, compromise, and
theft.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 3 of 28
INTRODUCTION
SECURITY
© 2006 Prentice Hall Business Publishing
AVAILABILITY
PROCESSING INTEGRITY
PRIVACY
CONFIDENTIALITY
SYSTEMS
RELIABILITY
• The Trust Services framework
developed by the AICPA and
the Canadian Institute of
Chartered Accountants (CICA)
identified five basic principles
that contribute to systems
reliability:
–
–
–
–
–
Security
Confidentiality
Online privacy
Processing integrity
Availability
Accounting Information Systems, 10/e
Romney/Steinbart 4 of 28
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
• In this chapter, we will focus on the Trust
Services principle of information security.
• There are three fundamental information
security concepts that will be discussed in
this chapter:
– Security as a management issue, not a
technology issue.
– The time-based model of security.
– Defense in depth.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 5 of 28
SECURITY AS A MANAGEMENT ISSUE
• Management is responsible for the
accuracy of various internal reports and
financial statements produced by the
organization’s IS.
– Security is a key component of the internal
control and systems reliability to which
management must attest.
– management’s philosophy and operating style
are critical to an effective control environment.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 6 of 28
TIME-BASED MODEL OF SECURITY
• The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls that enable an organization to
recognize that an attack is occurring and take
steps to thwart it before any assets have been
compromised.
• All three types of controls are necessary:
– Preventive
– Detective
– Corrective
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 7 of 28
TIME-BASED MODEL OF SECURITY
• The time-based model evaluates the
effectiveness of an organization’s security by
measuring and comparing the relationship
among three variables:
– P = Time it takes an attacker to break through the
organization’s preventive controls
– D = Time it takes to detect that an attack is in
progress
– C = Time to respond to the attack
• These three variables are evaluated as follows:
– If P > (D + C), then security procedures are effective.
– Otherwise, security is ineffective.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 8 of 28
DEFENSE IN DEPTH
• The idea of defense-in-depth is to employ
multiple layers of controls to avoid having
a single point of failure.
• If one layer fails, another may function as
planned.
• Computer security involves using a
combination of firewalls, passwords, and
other preventive procedures to restrict
access.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 9 of 28
Wed 27-10 PREVENTIVE CONTROLS

Major types of preventive controls used
for defense in depth include:
1.
2.
3.
4.
5.
6.
7.
Authentication controls
Authorization controls
Training
Physical access controls
Remote access controls
Host and Application Hardening procedures
Encryption
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 10 of 28
PREVENTIVE CONTROLS
1. Authentication - focuses on verifying the
identity of the person or device attempting to
gain access.
• Passwords are probably the most commonly
used authentication method and also the most
controversial.
– An effective password must satisfy a number of
requirements:
•
•
•
•
Length
Multiple character types
Random
Secret
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 11 of 28
PREVENTIVE CONTROLS
 These are the
multiple layers of
preventive
controls that
reflect the
defense-in-depth
approach to
satisfying the
constraints of the
time-based
model of security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 12 of 28
PREVENTIVE CONTROLS
• Other authentication methods have their
own limitations like:
– Biometric techniques
• Multi-factor authentication
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 13 of 28
PREVENTIVE CONTROLS
2. Authorization - restricts access of
authenticated users to specific portions of the
system and specifies what actions they are
permitted to perform.
• Authorization controls are implemented by
creating an access control matrix.
– Specifies what part of the IS a user can access and
what actions they are permitted to perform.
– When an employee tries to access a particular
resource, the system performs a compatibility test
that matches the user’s authentication credentials
against the matrix to determine if the action should
be allowed.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 14 of 28
PREVENTIVE CONTROLS
User Identification
Code
Number Password
12345
ABC
12346
DEF
12354
KLM
12359
NOP
12389
RST
12567
XYZ
Files
A
0
0
1
3
0
1
B
0
2
1
0
1
1
Programs
C
1
0
1
0
0
1
1
0
0
0
0
0
1
2
0
0
0
0
3
1
3
0
0
0
0
0
1
4
0
0
0
0
0
1
Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
• Who has
the
authority to
delete
Program
2?
• Which files
can user
12354
access?
• Which
programs
can user
12354
access?
Romney/Steinbart 15 of 28
PREVENTIVE CONTROLS
3. Training
• Employees should be trained to follow
safe computing practices, such as:
–
–
–
–
Never open unsolicited email attachments.
Use only approved software.
Never share or reveal passwords.
Physically protect laptops, especially when
traveling.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 16 of 28
PREVENTIVE CONTROLS
4.
•
Controlling Physical Access
Within a few minutes, a skilled attacker with unsupervised direct
physical access to the system can successfully obtain access to
sensitive data.
Physical access control begins with entry points to the building
itself.
•
–
Should be one regular entry point unlocked during normal office
hours.
Fire codes require emergency exits.
–
•
•
–
These should not permit entry from outside.
Should be connected to an alarm that is triggered if someone leaves
through the exit.
A receptionist or security guard should be stationed at the main
entrance of the building to:
•
•
Verify the identity of employees.
Require that visitors sign in and be escorted to their destination.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 17 of 28
PREVENTIVE CONTROLS
5. Controlling Remote Access
• Information sent over the Internet is governed
by TCP/IP, two protocols for transmitting
information over the Internet.
– Transmission Control Protocol (TCP) specifies the
procedures for dividing files and documents into
packets and for reassembly at the destination.
– Internet Protocol (IP) specifies the structure of the
packets and how to route them to the proper
destination.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 18 of 28
PREVENTIVE CONTROLS
6. Host and Application Hardening
•
Routers and firewalls are designed to protect the network
perimeter.
Information security is enhanced by supplementing
preventive controls on the network perimeter with additional
preventive controls on the workstations, servers, printers,
and other devices (collectively referred to as hosts) that
comprise the organization’s network.
Three areas deserve special attention:
•
•
–
–
–
Host configuration (of devices and OS ----- Default setting or tuning to
parameters)
User accounts (rights and powers)
Software design (buffer overflow attack):
• Attacker sends a program more data than it can handle.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 19 of 28
PREVENTIVE
CONTROLS
• Perimeter Defense:
Routers, Firewalls,
and Intrusion
Prevention Systems
– This figure
shows the
relationship
between an
organization’s
information
system and the
Internet.
– A device called a
border router
connects an
organization’s
information
system to the
Internet.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 20 of 28
PREVENTIVE CONTROLS
7. Encryption
• Encrypting sensitive stored data provides one
last barrier that must be overcome by an
intruder.
• Encryption plays an essential role in ensuring
and verifying the validity of e-business
transactions.
• Therefore, accountants, auditors, and systems
professionals need to understand encryption.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 21 of 28
DETECTIVE CONTROLS
1. Log Analysis
– Most systems come with extensive
capabilities for logging who accesses the
system and what specific actions each user
performed.
•
•
•
Logs form an audit trail of system access.
Are of value only if routinely examined.
Log analysis is the process of examining logs to
monitor security.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 22 of 28
DETECTIVE CONTROLS
• The log may indicate unsuccessful attempts to
log in to different servers.
• The person analyzing the log must try to
determine the reason for the failed attempt.
Could be:
– The person was a legitimate user who forgot his
password.
– Was a legitimate user but not authorized to access
that particular server.
– The user ID was invalid and represented an
attempted intrusion.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 23 of 28
DETECTIVE CONTROLS
2. Intrusion Detection Systems
•
An IDS creates a log of network traffic that was
permitted to pass the firewall.
•
•
•
–
–
–
The router hides your pc's ip address. It also blocks certain types of scans.
The software firewall will help block anything that does get through.
More importantly, the firewall blocks outgoing stuff
Analyzes the logs for signs of attempted or successful
intrusions.
Most common analysis is to compare logs to a database
containing patterns of traffic associated with known attacks.
An alternative technique builds a model representing “normal”
network traffic and uses various statistical techniques to
identify unusual behavior.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 24 of 28
DETECTIVE CONTROLS
3. Managerial Reports
–
The Information Systems Audit and Control Association
(ISACA) and the IT Governance Institute have developed a
comprehensive framework for information systems controls
called Control Objectives for Information and Related
Technology (COBIT).
• Specifies 34 IT-related control objectives
• Provides:
– Management guidelines that identify crucial success
factors associated with each objective.
– Key performance indicators (KPI) that can be used to
assess their effectiveness.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 25 of 28
DETECTIVE CONTROLS
• COBIT key performance indicators:
– Number of incidents with business impact
– Percent of users who do not comply with
password standards
– Percent of cryptographic keys compromised
and revoked
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 26 of 28
DETECTIVE CONTROLS
4. Security Testing - the effectiveness of
existing security procedures should be
tested periodically.
•
One approach is vulnerability scans,
which use automated tools designed to
identify whether a system possesses any
well-known vulnerabilities.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 27 of 28
CORRECTIVE CONTROLS
•
•
Detection of attempted and successful
intrusions is important but is worthless if not
followed by corrective action.
Three key components that satisfy the
preceding criteria are:
1. Establishment of a computer emergency response
team.
2. Designation of a specific individual with
organization-wide responsibility for security.
3. An organized patch management system.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 28 of 28
CORRECTIVE CONTROLS
1. Computer Emergency Response
Team (CERT)
•
•
Responsible for dealing with major incidents.
Should include technical specialists and senior
operations management.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 29 of 28
CORRECTIVE CONTROLS
2.
A chief security officer (CSO):
–
–
–
–
–
Should be independent of other IS functions and report to
either the COO or CEO.
Must understand the company’s technology environment and
work with the CIO to design, implement, and promote sound
security policies and procedures.
Disseminates info about fraud, errors, security breaches,
improper system use, and consequences of these actions.
Works with the person in charge of building security, as that is
often the entity’s weakest link.
Should impartially assess and evaluate the IT environment,
conduct vulnerability and risk assessments, and audit the
CIO’s security measures.
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 30 of 28
CORRECTIVE CONTROLS
3. Patch Management
• A patch is code released by software
developers to fix vulnerabilities that have been
discovered.
• Patch management is the process for
regularly applying patches and updates to all
of an organization’s software.
–
Another important corrective control involves fixing
known vulnerabilities and installing latest updates
to:
•
•
•
•
Anti-virus software
Firewalls
Operating systems
Application programs
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 31 of 28
Related documents
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Employee
Employee
Lecture_02
Lecture_02
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
EMBM03 (v1) Managing Operations
EMBM03 (v1) Managing Operations
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
Mmhurem Syllabus
Mmhurem Syllabus
Accounting Information Systems 9th Edition
Accounting Information Systems 9th Edition
View
View
Download
advertisement