Chapter 8: Information Systems Controls for System Reliability— Part 1: Information Security

Chapter 8Information Systems Controls for System Reliability— Part 1: Information SecurityCopyright © 2012 Pearson Education8-1Learning ObjectivesDiscuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.Explain the factors that influence information systems reliability.Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.Copyright © 2012 Pearson Education8-2AIS ControlsCOSO and COSO-ERM address general internal controlCOBIT addresses information technology internal controlCopyright © 2012 Pearson Education8-3Information for Management Should Be:EffectivenessInformation must be relevant and timely.EfficiencyInformation must be produced in a cost-effective manner.ConfidentialitySensitive information must be protected from unauthorized disclosure.IntegrityInformation must be accurate, complete, and valid.AvailabilityInformation must be available whenever needed.ComplianceControls must ensure compliance with internal policies and with external legal and regulatory requirements.ReliabilityManagement must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.Copyright © 2012 Pearson Education8-4COBIT FrameworkCopyright © 2012 Pearson Education8-5InformationCriteriaCOBIT CycleManagement develops plans to organize information resources to provide the information it needs.Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.Management ensures that the resulting system actually delivers the desired information.Management monitors and evaluates system performance against the established criteria.Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.Copyright © 2012 Pearson Education8-6COBIT Controls210 controls for ensuring information integritySubset is relevant for external auditorsIT control objectives for Sarbanes-Oxley, 2nd EditionAICPA and CICA information systems controlsControls for system and financial statement reliabilityCopyright © 2012 Pearson Education8-7Trust Services FrameworkSecurityAccess to the system and its data is controlled and restricted to legitimate users.ConfidentialitySensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.PrivacyPersonal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. Processing IntegrityData are processed accurately, completely, in a timely manner, and only with proper authorization.AvailabilityThe system and its information are available to meet operational and contractual obligations.Copyright © 2012 Pearson Education8-8Trust Services FrameworkCopyright © 2012 Pearson Education8-9Security / Systems ReliabilityFoundation of the Trust Services FrameworkManagement issue, not a technology issueSOX 302 states:CEO and the CFO responsible to certify that the financial statements fairly present the results of the company’s activities.The accuracy of an organization’s financial statements depends upon the reliability of its information systems.Defense-in-depth and the time-based model of information securityHave multiple layers of control Copyright © 2012 Pearson Education8-10Management’s Role in IS SecurityCreate security aware cultureInventory and value company information resourcesAssess risk, select risk responseDevelop and communicate security:Plans, policies, and proceduresAcquire and deploy IT security resourcesMonitor and evaluate effectivenessCopyright © 2012 Pearson Education8-11Time-Based ModelCombination of detective and corrective controlsP = the time it takes an attacker to break through the organization’s preventive controlsD = the time it takes to detect that an attack is in progressC = the time it takes to respond to the attackFor an effective information security system:P > D + CCopyright © 2012 Pearson Education8-12Steps in an IS System AttackCopyright © 2012 Pearson Education8-13Mitigate Risk of AttackPreventive ControlDetective ControlCorrective ControlCopyright © 2012 Pearson Education8-14Preventive ControlTrainingUser access controls (authentication and authorization)Physical access controls (locks, guards, etc.)Network access controls (firewalls, intrusion prevention systems, etc.)Device and software hardening controls (configuration options)Copyright © 2012 Pearson Education8-15Authentication vs. AuthorizationAuthentication—verifies who a person isSomething person knowsSomething person hasSome biometric characteristicCombination of all threeAuthorization—determines what a person can accessCopyright © 2012 Pearson Education8-16Network Access Control (Perimeter Defense)Border routerConnects an organization’s information system to the InternetFirewallSoftware or hardware used to filter informationDemilitarized Zone (DMZ)Separate network that permits controlled access from the Internet to selected resourcesIntrusion Prevention Systems (IPS) Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks Copyright © 2012 Pearson Education8-17Internet Information ProtocolsCopyright © 2012 Pearson Education8-18Device and Software Hardening (Internal Defense)End-Point ConfigurationDisable unnecessary features that may be vulnerable to attack on:Servers, printers, workstationsUser Account ManagementSoftware DesignProgrammers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.Copyright © 2012 Pearson Education8-19Detective ControlsLog AnalysisProcess of examining logs to identify evidence of possible attacksIntrusion DetectionSensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusionsManagerial ReportsSecurity TestingCopyright © 2012 Pearson Education8-20Corrective ControlsComputer Incident Response TeamChief Information Security Officer (CISO)Independent responsibility for information security assigned to someone at an appropriate senior levelPatch ManagementFix known vulnerabilities by installing the latest updatesSecurity programsOperating systemsApplications programsCopyright © 2012 Pearson Education8-21Computer Incident Response TeamRecognize that a problem existsContainment of the problemRecoveryFollow-upCopyright © 2012 Pearson Education8-22New ConsiderationsVirtualizationMultiple systems are run on one computerCloud ComputingRemotely accessed resourcesSoftware applicationsData storageHardwareCopyright © 2012 Pearson Education8-23RisksIncreased exposure if breach occursReduced authentication standardsOpportunitiesImplementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein