CHAPTER 7
Information Systems Controls
for Systems Reliability
Part 1: Information Security
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart 1 of 28
INTRODUCTION
• Questions to be addressed in this chapter:
– How does security affect systems reliability?
– What is the time-based model of security and
the concept of defense-in-depth?
– What types of preventive, detective, and
corrective controls are used to provide
information security?
INTRODUCTION
• One basic function of an AIS is to provide
information useful for decision making. In
order to be useful, the information must be
reliable, which means:
– It provides an accurate, complete, and timely
picture of the organization’s activities.
– It is available when needed.
– The information and the system that produces
it is protected from loss, compromise, and
theft.
INTRODUCTION
[Figure: the five Trust Services principles (Security, Availability, Processing Integrity, Privacy, Confidentiality) surrounding Systems Reliability]
• The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability:
– Security
– Confidentiality
– Online privacy
– Processing integrity
– Availability
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
• In this chapter, we will focus on the Trust
Services principle of information security.
• There are three fundamental information
security concepts that will be discussed in
this chapter:
– Security as a management issue, not a
technology issue.
– The time-based model of security.
– Defense in depth.
SECURITY AS A MANAGEMENT ISSUE
• Management is responsible for the
accuracy of various internal reports and
financial statements produced by the
organization’s IS.
– Security is a key component of the internal
control and systems reliability to which
management must attest.
– Management’s philosophy and operating style
are critical to an effective control environment.
TIME-BASED MODEL OF SECURITY
• The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls that enable an organization to
recognize that an attack is occurring and take
steps to thwart it before any assets have been
compromised.
• All three types of controls are necessary:
– Preventive
– Detective
– Corrective
TIME-BASED MODEL OF SECURITY
• The time-based model evaluates the
effectiveness of an organization’s security by
measuring and comparing the relationship
among three variables:
– P = Time it takes an attacker to break through the
organization’s preventive controls
– D = Time it takes to detect that an attack is in
progress
– C = Time to respond to the attack
• These three variables are evaluated as follows:
– If P > (D + C), then security procedures are effective.
– Otherwise, security is ineffective.
DEFENSE IN DEPTH
• The idea of defense-in-depth is to employ
multiple layers of controls to avoid having
a single point of failure.
• If one layer fails, another may function as
planned.
• Computer security involves using a
combination of firewalls, passwords, and
other preventive procedures to restrict
access.
Wed 27-10 PREVENTIVE CONTROLS

Major types of preventive controls used for defense in depth include:
1. Authentication controls
2. Authorization controls
3. Training
4. Physical access controls
5. Remote access controls
6. Host and application hardening procedures
7. Encryption
PREVENTIVE CONTROLS
1. Authentication - focuses on verifying the
identity of the person or device attempting to
gain access.
• Passwords are probably the most commonly
used authentication method and also the most
controversial.
– An effective password must satisfy a number of requirements:
• Length
• Multiple character types
• Random
• Secret
PREVENTIVE CONTROLS
[Figure: layers of preventive controls] These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.
PREVENTIVE CONTROLS
• Other authentication methods have their
own limitations like:
– Biometric techniques
• Multi-factor authentication
PREVENTIVE CONTROLS
2. Authorization - restricts access of
authenticated users to specific portions of the
system and specifies what actions they are
permitted to perform.
• Authorization controls are implemented by
creating an access control matrix.
– Specifies what part of the IS a user can access and
what actions they are permitted to perform.
– When an employee tries to access a particular
resource, the system performs a compatibility test
that matches the user’s authentication credentials
against the matrix to determine if the action should
be allowed.
PREVENTIVE CONTROLS
Access control matrix (access codes are explained below):

User Identification                 Files           Programs
Code Number   Password          A    B    C     1    2    3    4
12345         ABC               0    0    1     0    0    0    0
12346         DEF               0    2    0     0    0    0    0
12354         KLM               1    1    1     0    0    0    0
12359         NOP               3    0    0     0    0    0    0
12389         RST               0    1    0     0    3    0    0
12567         XYZ               1    1    1     1    1    1    1

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
• Who has the authority to delete Program 2?
• Which files can user 12354 access?
• Which programs can user 12354 access?
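The access control matrix and the compatibility test described on the previous slide, implemented in Python as an added example (not code from the textbook). The matrix values are the slide's; the cumulative reading of the access codes (3 includes 2 includes 1) and the helper names are assumptions.

```python
# Added example: the slide's access control matrix plus the "compatibility test"
# that checks a user's credentials and requested action against it.

NO_ACCESS, READ_ONLY, READ_UPDATE, FULL = 0, 1, 2, 3   # access codes from the slide
RESOURCES = ["File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4"]

# user ID -> (password, access codes in RESOURCES order), copied from the slide.
# A real system would store a salted password hash here, never the plaintext.
MATRIX = {
    "12345": ("ABC", [0, 0, 1, 0, 0, 0, 0]),
    "12346": ("DEF", [0, 2, 0, 0, 0, 0, 0]),
    "12354": ("KLM", [1, 1, 1, 0, 0, 0, 0]),
    "12359": ("NOP", [3, 0, 0, 0, 0, 0, 0]),
    "12389": ("RST", [0, 1, 0, 0, 3, 0, 0]),
    "12567": ("XYZ", [1, 1, 1, 1, 1, 1, 1]),
}

# Minimum code each action needs (assumption: codes are cumulative).
REQUIRED = {"read": READ_ONLY, "display": READ_ONLY, "update": READ_UPDATE,
            "create": FULL, "delete": FULL}

def authenticate(user_id, password):
    """Authentication: verify the claimed identity before any authorization check."""
    return user_id in MATRIX and MATRIX[user_id][0] == password

def granted(user_id, resource):
    """Access code the matrix assigns this user for this resource."""
    return MATRIX[user_id][1][RESOURCES.index(resource)]

def compatibility_test(user_id, password, resource, action):
    """Allow only if the user authenticates AND the matrix permits the action."""
    if not authenticate(user_id, password):
        return False          # unauthenticated requests never reach the matrix lookup
    return granted(user_id, resource) >= REQUIRED[action]

def users_who_can(resource, action):
    """Every user whose matrix entry permits `action` on `resource` (a review query)."""
    return sorted(u for u in MATRIX if granted(u, resource) >= REQUIRED[action])

def accessible(user_id, kind):
    """Resources of one kind ("File" or "Program") the user can at least read."""
    return [r for r in RESOURCES
            if r.startswith(kind) and granted(user_id, r) >= READ_ONLY]
```

`users_who_can` and `accessible` answer the three review questions on the slide directly from the matrix.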
PREVENTIVE CONTROLS
3. Training
• Employees should be trained to follow safe computing practices, such as:
– Never open unsolicited email attachments.
– Use only approved software.
– Never share or reveal passwords.
– Physically protect laptops, especially when traveling.
PREVENTIVE CONTROLS
4. Controlling Physical Access
• Within a few minutes, a skilled attacker with unsupervised direct physical access to the system can successfully obtain access to sensitive data.
• Physical access control begins with entry points to the building itself.
– There should be one regular entry point, unlocked during normal office hours.
– Fire codes require emergency exits:
• These should not permit entry from outside.
• They should be connected to an alarm that is triggered if someone leaves through the exit.
– A receptionist or security guard should be stationed at the main entrance of the building to:
• Verify the identity of employees.
• Require that visitors sign in and be escorted to their destination.
PREVENTIVE CONTROLS
5. Controlling Remote Access
• Information sent over the Internet is governed
by TCP/IP, two protocols for transmitting
information over the Internet.
– Transmission Control Protocol (TCP) specifies the
procedures for dividing files and documents into
packets and for reassembly at the destination.
– Internet Protocol (IP) specifies the structure of the
packets and how to route them to the proper
destination.
PREVENTIVE CONTROLS
6. Host and Application Hardening
• Routers and firewalls are designed to protect the network perimeter.
• Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network.
• Three areas deserve special attention:
– Host configuration (of devices and OS: default settings or tuning of parameters)
– User accounts (rights and powers)
– Software design (buffer overflow attack):
• Attacker sends a program more data than it can handle.
PREVENTIVE CONTROLS
• Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems
– This figure shows the relationship between an organization’s information system and the Internet.
– A device called a border router connects an organization’s information system to the Internet.
PREVENTIVE CONTROLS
7. Encryption
• Encrypting sensitive stored data provides one
last barrier that must be overcome by an
intruder.
• Encryption plays an essential role in ensuring
and verifying the validity of e-business
transactions.
• Therefore, accountants, auditors, and systems
professionals need to understand encryption.
DETECTIVE CONTROLS
1. Log Analysis
– Most systems come with extensive
capabilities for logging who accesses the
system and what specific actions each user
performed.
• Logs form an audit trail of system access.
• Logs are of value only if routinely examined.
• Log analysis is the process of examining logs to monitor security.
DETECTIVE CONTROLS
• The log may indicate unsuccessful attempts to
log in to different servers.
• The person analyzing the log must try to
determine the reason for the failed attempt.
Could be:
– The person was a legitimate user who forgot his
password.
– Was a legitimate user but not authorized to access
that particular server.
– The user ID was invalid and represented an
attempted intrusion.
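The failed-login analysis described on the slide, as an added Python example (not the textbook's code): each failed attempt in a constructed log is classified into the three explanations the slide lists. The log format, the user directory and the per-server authorization lists are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed login log (not from the slide): one line per attempt.
LOG = """\
2006-03-14 09:12:01 server=payroll user=jsmith result=FAIL
2006-03-14 09:12:09 server=payroll user=jsmith result=FAIL
2006-03-14 09:12:15 server=payroll user=jsmith result=OK
2006-03-14 09:20:44 server=hr user=bchen result=FAIL
2006-03-14 09:31:02 server=payroll user=admin2 result=FAIL
2006-03-14 09:31:03 server=hr user=admin2 result=FAIL
2006-03-14 09:31:04 server=fileshare user=admin2 result=FAIL
"""

# Constructed reference data the analyst checks the log against.
VALID_USERS = {"jsmith", "bchen"}                       # the user directory
AUTHORIZED = {"payroll": {"jsmith"}, "hr": {"jsmith"},  # who may log in where
              "fileshare": {"jsmith", "bchen"}}

FORGOT = "legitimate user, probably a forgotten password"
NOT_AUTHORIZED = "legitimate user not authorized for this server"
INTRUSION = "invalid user ID: possible intrusion attempt"

LINE = re.compile(r"^(\S+ \S+) server=(\S+) user=(\S+) result=(\S+)$")

def parse(log):
    """Yield (timestamp, server, user, result) for every well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def classify(server, user):
    """Apply the slide's three explanations for a failed login, most serious first."""
    if user not in VALID_USERS:
        return INTRUSION
    if user not in AUTHORIZED.get(server, set()):
        return NOT_AUTHORIZED
    return FORGOT

def failed_logins(log):
    """(timestamp, server, user, explanation) for each FAIL entry in the log."""
    return [(ts, srv, usr, classify(srv, usr))
            for ts, srv, usr, res in parse(log) if res == "FAIL"]

def summary(log):
    """Counts per explanation and per (user, explanation): the view an analyst reviews."""
    rows = failed_logins(log)
    return Counter(r[3] for r in rows), Counter((r[2], r[3]) for r in rows)
```

An unknown ID failing against several servers in a row (as `admin2` does here) stands out immediately in the per-user count, while a known user's two failures followed by a success reads as a forgotten password.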
DETECTIVE CONTROLS
2. Intrusion Detection Systems
• An IDS creates a log of network traffic that was permitted to pass the firewall.
– The router hides your PC’s IP address. It also blocks certain types of scans.
– The software firewall will help block anything that does get through.
– More importantly, the firewall blocks outgoing stuff.
• Analyzes the logs for signs of attempted or successful intrusions.
• Most common analysis is to compare logs to a database containing patterns of traffic associated with known attacks.
• An alternative technique builds a model representing “normal” network traffic and uses various statistical techniques to identify unusual behavior.
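The two IDS analysis techniques the slide contrasts, as an added Python example (not the textbook's code): a signature database matched against each logged connection, and a statistical model of "normal" traffic that flags outliers. The connection records, the signature predicates and the 3-standard-deviation threshold are constructed assumptions.

```python
import statistics

# Constructed connection records the IDS logged after the firewall let them through:
# (source address, destination port, bytes transferred). Not from the slide.
BASELINE = [("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1350), ("10.0.0.7", 80, 900),
            ("10.0.0.7", 443, 1100), ("10.0.0.9", 80, 1000), ("10.0.0.9", 443, 1250),
            ("10.0.0.5", 80, 1150), ("10.0.0.7", 80, 1050)]
LIVE = [("10.0.0.5", 443, 1300),     # ordinary web traffic
        ("10.0.0.7", 23, 1000),      # matches a signature below
        ("10.0.0.9", 443, 48000),    # far outside the baseline volume
        ("10.0.0.9", 443, 1100)]

# Signature database: named patterns of traffic associated with known attacks
# (constructed for illustration; each predicate inspects one record).
SIGNATURES = [
    ("telnet session to internal host", lambda src, port, nbytes: port == 23),
    ("cleartext ftp to internal host", lambda src, port, nbytes: port == 21),
]

def signature_matches(records):
    """Technique 1: compare every record with the signature database."""
    hits = []
    for rec in records:
        for name, predicate in SIGNATURES:
            if predicate(*rec):
                hits.append((rec, name))
    return hits

def build_model(baseline):
    """Technique 2, step one: model 'normal' as mean and std dev of bytes per connection."""
    sizes = [nbytes for _, _, nbytes in baseline]
    return statistics.mean(sizes), statistics.stdev(sizes)

def anomalies(records, model, threshold=3.0):
    """Technique 2, step two: flag records more than `threshold` std devs from the mean."""
    mean, sd = model
    flagged = []
    for rec in records:
        z = (rec[2] - mean) / sd
        if abs(z) > threshold:
            flagged.append((rec, round(z, 1)))
    return flagged
```

The signature pass only finds what the database already describes; the statistical pass finds the 48 000-byte transfer that no signature covers, which is why the slide presents the two as complementary.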
DETECTIVE CONTROLS
3. Managerial Reports
– The Information Systems Audit and Control Association (ISACA) and the IT Governance Institute have developed a comprehensive framework for information systems controls called Control Objectives for Information and Related Technology (COBIT).
• Specifies 34 IT-related control objectives
• Provides:
– Management guidelines that identify crucial success factors associated with each objective.
– Key performance indicators (KPI) that can be used to assess their effectiveness.
DETECTIVE CONTROLS
• COBIT key performance indicators:
– Number of incidents with business impact
– Percent of users who do not comply with
password standards
– Percent of cryptographic keys compromised
and revoked
DETECTIVE CONTROLS
4. Security Testing - the effectiveness of
existing security procedures should be
tested periodically.
• One approach is vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
CORRECTIVE CONTROLS
• Detection of attempted and successful intrusions is important but is worthless if not followed by corrective action.
• Three key components that satisfy the preceding criteria are:
1. Establishment of a computer emergency response
team.
2. Designation of a specific individual with
organization-wide responsibility for security.
3. An organized patch management system.
CORRECTIVE CONTROLS
1. Computer Emergency Response Team (CERT)
• Responsible for dealing with major incidents.
• Should include technical specialists and senior operations management.
CORRECTIVE CONTROLS
2. A chief security officer (CSO):
– Should be independent of other IS functions and report to either the COO or CEO.
– Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
– Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions.
– Works with the person in charge of building security, as that is often the entity’s weakest link.
– Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.
CORRECTIVE CONTROLS
3. Patch Management
• A patch is code released by software
developers to fix vulnerabilities that have been
discovered.
• Patch management is the process for
regularly applying patches and updates to all
of an organization’s software.
– Another important corrective control involves fixing known vulnerabilities and installing the latest updates to:
• Anti-virus software
• Firewalls
• Operating systems
• Application programs