IT Security and Risk Mitigation

CHAPTER 7: IT Security and
Risk Mitigation
MUKALELE Rogers SSEMUJJU Bernard MPEIRWE Nobles MUSANA Evans
13/U/21067/EVE 13/U/21338/EVE 13/U/21046/EVE 13/U/21078/EVE
213024992 213012016 213005087 213004582
Makerere University
By EVE Group G Members:

/100EVE GROUP G PRESENTATION: IT Security and Risk Mitigation
In this lecture, we look at the following chapter topics:
d) Business continuity (Disaster recovery planning)
c) Security governance and management
a) Basic principles and Banking security standards
b) Risk Mitigation controls: Admin, Logical & Physical
e) Professionalism and ethical standards
f) IT audit framework/ standardization






Learning Objectives
g) International certifications & standards in IT security

Class Ground Rules
1. DO Give chance to the presenters to deliver their content
un-diverted.
(Lets keep focused, we have limited time.)
2. DO Openly participate in the class activities.
3. DON’T interrupt the progress of the presentation by raising
your hand to ask questions. Instead Note down your
questions on the pieces of paper provided. There will be a
general Q&A session towards the end of the presentation.
4. DO give precise supplements ONLY upon authorisation by
the presenter.
5. DO switch off your phones or put them in silent mode.
6. DO Settle. Avoid unnecessary movements.

List of icons used in this presentation
The description of Icons used in this presentation as follows:
This icon indicates that
the content being
looked at is a solution
to a question that
appeared in the MUELE
assignment, and so is a
likely Exam Qn.
This icon indicates a
caution or advice on a
concept being looked at
that is often mistaken or
confused with other
concepts.
This icon indicates a
that the concept being
looked at is a key
concept that will be
referred to or used later.
This icon is put against
a reference to a
resource on the world
wide web.

Topic a)
Basic IT Security principles and
Banking security standards
Presented by Mukalele Rogers
i. IT Security Key concepts
ii. Authenticity
iii. Banking security standards
iv. Risk of password sharing

Definitions: IT Security
Information security, sometimes shortened to InfoSec, is the practice
of defending information from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or destruction.
Information security as applied to
computing devices, as well as
computer networks like the Internet
IT
security

Basic Principles: Key Concepts of IT Security
Information and the knowledge based on IT have increasingly become
recognized as ‘information assets’, which are vital enablers of business
operations. Hence, they require organizations to provide adequate levels
of protection.
For decades, information security has held Confidentiality, Integrity and
Availability (known as the CIA triad) to be the core principles.
There is continuous debate about extending this classic trio. Other
principles such as Authenticity, Non-repudiation and Accountability are
also now becoming key considerations for practical security systems.

Basic Principles: Key Concepts of IT Security cont’d
For example, a credit card transaction on the Internet requires the credit
card number to be transmitted from the buyer to the merchant and from
the merchant to a transaction processing network.
The system attempts to enforce confidentiality by encrypting the card
number during transmission, and by restricting access to the places
where it is stored.
If an unauthorized party obtains the card number in any way, a breach of
confidentiality has occurred. Breaches of confidentiality take many forms
like Hacking, Phishing, Vishing, Email-spoofing, SMS spoofing, and
sending malicious code through email spam or Bot Networks.
Confidentiality is the prevention of disclosure of
information to unauthorized individuals or systems.
Confidentiality

For example, Integrity is violated when an employee accidentally or with
malicious intent deletes important data files, modifies his own salary in a
payroll database, uses programmes and deducts small amounts of
money from all customer accounts and adds it to his/her own account
(also called salami technique), when an unauthorized user vandalizes a
web site, and so on.
Bulk updates to a database could alter data in an incorrect way, leaving
the integrity of the data compromised (corrupted). Information security
professionals are tasked with finding ways to implement controls that
enforce integrity.
Integrity is the prevention of unauthorised
modification of information.
Integrity

For any information system to serve its purpose, the information must be
available when it is needed.
This means that the computing systems used to store and process the
information, the security controls used to protect it, and the
communication channels used to access it must be functioning correctly.
High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system
upgrades.
Ensuring availability also involves preventing denial-of-service (DoS)
attacks.
Availability is the prevention of unauthorised
withholding of information, to that it is accessible
when needed.
Availability

In IT security, it is necessary to ensure that the data, transactions,
communications or documents (electronic or physical) are genuine.
Authenticity is the property that ensures that the identity of a
subject or resource is the identity claimed.
Authenticity applies to individuals (users), but also to any other
entity (applications, processes, systems, etc.). It is an
identification, i.e. the recognition of a name indicating an entity
without the slightest doubt.
Authenticity is the verification to prove that all parties
involved in a transaction/matter are who they claim
they are.
Authenticity

1. User ID and password input is the most prevalent method of
authentication.
However, passwords can be stolen or forgotten. Cracking
passwords can be simple for hackers if the passwords aren't
complex enough.
Remembering dozens of passwords for dozens of applications can
be frustrating for home users and business users alike.
2. Multi-factor authentication is more common in the
enterprise for mission critical applications and systems. Multi-
factor authentication systems may use Key cards, smart cards,
or USB tokens.
Authenticity cont’d Ensuring authenticity

3. Public Key Infrastructure (PKI) Authentication uses digital
certificates issued by a central or 3rd party authority.
4. Secure Socket Layer (SSL) connections to web sites provide
not only encryption for the session, but also (usually) provide
verification that the web site is authentically the site it claims to
be.
5. Electronic Signatures and Digital Signature
can be used to enforce authenticity.
On the next slide, we look at the differences
between these two.
Authenticity cont’d Ensuring authenticity (cont’d)

Electronic Signatures Digital Signatures
An electronic signature, or eSignature, is an
electronic indication of intent to agree to or
approve the contents of a document.
They can be used for Signing electronic
contracts, invoices, and leases.
A digital signature is one form
of electronic signature that
uses asymmetric
cryptography specifically to
enable users to ensure the
authenticity of the signer and
to trust that a signature is
valid through the use of a
public and private key pair.
Differences between Electronic Signatures Digital Signatures
Though these terms are often used interchangeably, they are not
the same.

Non-repudiation: In law, non-repudiation implies one's
intention to fulfill one’s obligations under a contract /
transaction.
It also implies that a party to a transaction cannot deny having
received or having sent an electronic record.
Non Repudiation refers to the prevention of any party
to a transaction denying their involvement.
Non-
repudiation

In addition to the above principles, there are other security-
related concepts when designing a security policy and
deploying a security solution.
They include identification, authorization, accountability.
Accountability: Security can be maintained only if subjects
are held accountable for their actions.
Identification is the process by which a subject presents an
identity (such as a user name) and accountability is initiated.
The process of authorization ensures that the requested
activity or access to an object is possible given the rights and
privileges assigned to the authenticated identity.

Risk of password sharing
How would you feel about being interviewed by the Police or
Internal Audit as a suspect in a crime?
If you happen to share your password with someone who
embezzles funds, you will be considered a suspect because
your name is associated with those transactions.
You are sharing your identity when you share your password.
Businesses and consumers alike find convenience in sharing
passwords but doing so is highly risky.
For example, in a recent incidence, Vodafone’s customer
database was compromised using login information that was
shared among employees.

Banking security standards
Standards are detailed statements containing what must be
done to comply with written policies.
A policy refers to a laid out plan or course of action
that influences & determines decisions.
Policies are important reference documents for internal audits
& for resolution of legal disputes. They can act as a clear
statement of management’s intent.
The policies need to be supported with relevant standards,
practices, guidelines and procedures.
Practices, procedures & guidelines explain exactly how
employees will comply with the standards.

Banking security standards cont’d

Key components essential to an
organization wide IT policy
List of physical, logical, and network
assets to be protected
Specifications on how communications
across the firewall will be audited
Acceptable Use Policy that tells
employees what constitutes
acceptable use of company resources
Description of organization’s approach
to security and how it affects the
firewall
Essential Information
in a Security Policy
Date last updated
Name of office that
developed the policies
Clear list of policy
topics
Equal emphasis on
positive points (access
to information) and
negative points
(unacceptable policies)

Banks need standards and procedures indicating:
The detailed objectives and requirements of individual
information security-specific technology solutions,
Authorisation for individuals who would be handling the
technology,
Addressing segregation of duties issues,
Appropriate configurations of the devices that provide the
best possible security,
Regularly assessing their effectiveness and fine-tuning
them accordingly, and identification of any unauthorised
changes.

In order to consider information security from a bank-wide
perspective, a steering committee of executives should be formed.
An IT Security Steering Committee has representatives from the IT,
HR, legal and business sectors.
Among other functions, this committee carries out the following:
1. Consult and advice on the selection of technology within
standards, Verify compliance with technology standards and
guidelines
2. Reviewing the status of security awareness programmes, and
monitoring activities across the bank.
3. Assessing new developments or issues relating to information
security.

Functions of An IT Security Steering Committee cont’d
4. Reporting to the Board of Directors on information security
activities.
5. Educating employees. The bank’s employees need to be fully
aware of relevant security policies, procedures and standards to
which they are accountable.
6. Evaluating vendor managed processes or specific vendor
relationships as they relate to information systems and
technology. All outsourced information systems and operations
may be subject to risk management and security and privacy
policies that meet the Bank’s own standards.

Suppose you have been appointed to
be part of the IT Security Steering
Committee of Centenary bank Uganda.
In groups of two, Identify examples of
the critical policies and Banking security
standards that you would propose as
necessary in such an environment.
Class Activity 1!

Examples of Specific IT Security policies that
would be required in a banking environment
include, but not limited to the following:
i. Logical Access Control
ii. Asset Management
iii. Network Access Control
iv. Password management
v. E-mail security
vi. Remote access
vii. Mobile computing
viii. Network security
ix. Application security
x. Backup and archival
xi. Operating system security
xii. Database administration and security
xiii. Physical security
xiv. Capacity Management
xv. Incident response and management
xvi. Malicious software
xvii. IT asset/media management
xviii. Change Management
xix. Patch Management
xx. Internet security
xxi. Desktop
xxii. Encryption
xxiii. Security of electronic delivery channels
xxiv. Wireless security
xxv. Application/data migration, etc.

Topic b)
Risk Mitigation controls
Presented by Musana Evans
i. Administrative
ii. Logical
iii. Physical

Definitions: Risk Mitigation
Risk: The chance that an investment's actual return will be different than
expected.
The increasing dependencies of modern society on information and
computers networks has led to a new terms like IT risk and Cyber Risk.
IT risk, is a risk related to information technology.
Risk Mitigation is the process by which an organization introduces
specific measures to minimize or eliminate risks associated with its
operations.
Risk Mitigation controls are measures or actions taken to avoid, or
transfer risks within a project.

Risk Mitigation controls
There are three, commonly accepted forms of Controls:
(i) Administrative controls -
These are the laws, regulations, policies, practices and guidelines
that govern the overall requirements for an IT Security risk
mitigation program.
For example, a law or regulation may require merchants and
financial institutions to protect and implement controls for customer
account data to prevent identity theft.
The business, in order to comply with the law or regulation, may
adopt policies and procedures laying out the internal requirements
for protecting this data, which requirements are a form of control.

Risk Mitigation controls cont’d
(ii) Logical controls -
These are the virtual or technical controls used to ensure that
processes are followed.
They include (systems and software), such as firewalls, anti
virus software, encryption and maker/checker application
routines.
A policy may require that significant processes have some
form of checker to ensure the integrity of the data and
minimize the possibility of unauthorized activity.

(ii) Logical controls - cont’d
To implement this policy, the business
may use logical controls such as a
function within an application that
requires that a manager indicate
review and approval of a check
request before the payment can be
processed.

(ii) Logical controls - Illustration

(iii) Physical Controls -
These are the physical controls, such as locks, security
cameras and guards, that are used to minimize the risk of loss.
For example, a physical control requirement could be met, in
part, by locking the check stock in a file cabinet and giving the
key to a person who is not part of the check request process.
That person would review the check request and indicate
approval by unlocking the cabinet and providing the check
book for processing.

(iii) Physical Controls cont’d
Whereas a firewall provides a "logical" key to obtain access to
a network, a "physical" key to a door can be used to gain
access to an office space or storage room.
Other examples of physical controls are video surveillance
systems, gates and barricades, the use of guards or other
personnel to govern access to an office, and remote backup
facilities.

(iii) Physical Controls - Illustration

A typical Security Risk Mitigation Process has 4 phases:
Implementing
Controls
3
Conducting
Decision Support
2
Measuring Program
Effectiveness
4 Assessing Risk1

Phases of the Security Risk Mitigation Process explained
Phase 1: Assessing Risk.
This includes planning, data gathering, and risk prioritization.
The output from the Assessing Risk phase is a list of
significant risks with detailed analysis that the team can use to
make business decisions during the next phase of the process.
Phase 2: Conducting Decision Support.
The list created during the risk assessment phase is used
during the decision support phase to propose and evaluate
potential control solutions, and the best ones for mitigating the
top risks are then recommended to the organization’s Security
Steering Committee.

Phases of the Security Risk Mitigation Process (cont’d)
Phase 3: Implementing Controls.
During this phase, the Security Steering Committee create and
execute plans based on the list of control solutions that
emerged during the decision support process and actually put
control solutions in place.
Phase 4: Measuring Program Effectiveness.
Organizations estimate their progress with regard to security
risk management as a whole.
They can use the concept of a "Security Risk Scorecard" to
assist in this effort.

Risk Mitigation Risk Assessment
Goal
Manage risks across
business to acceptable
level
Identify and
prioritize risks
Cycle
Overall program across
all four phases
Single phase of risk
management
program
Schedule Scheduled activity Continuous activity
Differences between Risk Mitigation and Risk
Assessment

Topic c)
Security processes and
management
Presented by Semujju Bernard
i. Security governance
ii. Incident response
iii. Risk management and IT auditing

Security governance
Governance is the set of responsibilities and practices exercised by
the board and executive management with the goal of providing
strategic direction, ensuring that objectives are achieved,
ascertaining that risks are managed appropriately and verifying that
the enterprise’s resources are used responsibly.
IT security governance is the process by which an organization
directs and controls IT security.
IT Governance Stakeholders include: Board of Directors, CEOs,
Business Executives, IT Steering Committees and Risk
Committees

Security governance cont’d
IT security governance should not be confused with IT security
management:
IT security management is concerned with making decisions to
mitigate risks; governance determines who is authorized to make
decisions.
Governance specifies the accountability framework and provides
oversight to ensure that risks are adequately mitigated, while
management ensures that controls are implemented to mitigate
risks.
Management recommends security strategies. Governance
ensures that security strategies are aligned with business
objectives and consistent with regulations.

Security Governance Security Management
‘Doing the right thing.’ ‘Doing things right’
Oversight Implementation
Authorizes decision rights
Authorized to make
decisions
Enact policy Enforce policy
Strategic planning Project planning
Resource allocation Resource utilization
Differences between Security Governance and
Management

Characteristics of effective security governance
1. It is an institution-wide issue
2. Leaders are accountable
3. It is viewed as an institutional
requirement (cost of doing
business)
4. It is risk-based
5. Roles, responsibilities and
segregation of duties are
defined
6. It is addressed and enforced in
policy
7. Adequate resources are
committed
8. Staff are aware and
trained
9. A development life
cycle is required
10. It is planned, managed,
measureable and
measured
11. It is reviewed and
audited

Benefits of information security governance
Increased predictability and reduced uncertainty of business
operations
Protection from the potential for civil and legal liability
Structure to optimize the allocation of resources
Assurance of security policy compliance
Foundation for effective risk management.
A level of assurance that critical decisions are not based on
faulty information
Accountability for safeguarding information

Incident response
An IT security incident, is defined as an event that impacts or
has the potential to impact the confidentiality, availability, or
integrity of IT resources.
Incident response is an organized approach to addressing and
managing the aftermath of a security breach or attack (also
known as an incident).
The goal is to handle the situation in a way that limits damage
and reduces recovery time and costs.
An incident response plan includes a policy that defines, in
specific terms, what constitutes an incident and provides a
step-by-step process that should be followed when an incident
occurs.

Incident response cont’d
Procedures, and guidelines regarding IT security incident
response vary depending on the type of incident, but all
procedures include the following steps:
IT Security Incident Response steps
1. Discovery (maintaining systems to discover incidents
involving IT resources)
2. Documentation (documentation of IT incidents in a tracking
system)
3. Notification (sends notifications to unit IT workers identifying
the type of incident)

Incident response cont’d
IT Security Incident Response steps cont’d
4. Acknowledgment (Unit must acknowledge the notification)
5. Containment (Unit must contain the incident as soon as
possible)
6. Investigation (investigation and update of the tracking system
with details of the investigation)
7. Resolution (The Incident Response Team, using details from
the investigation, determines incident severity)
8. Closure (reviews incidents in the tracking system and closes
tickets as appropriate)

Risk management and IT auditing
The objective of the IT Risk Management Audit is to provide senior
management with an understanding and assessment of the efficiency
and effectiveness of the IT risk management process, supporting
framework and policies and assurance that IT risk management is
aligned with the enterprise risk management process.
Risk Management involves analysis of IT Operation environment,
including technology, human resources and implemented processes, to
identify threats and vulnerabilities.
Financial institutions should conduct a periodic risk assessment which
should identify:
• Internal and external risks
• Risks associated with individual platforms, systems, or processes, as
well as automated processing units

Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Categories of Threats Examples
1. Acts of human error or failure Accidents, employee mistakes
2. Compromises to intellectual property Piracy, copyright infringement
3. Deliberate acts of espionage or
trespass
Unauthorized access and/or
data collection
4. Deliberate acts of information
extortion
Blackmail of information
disclosure
5. Deliberate acts of sabotage or
vandalism
Destruction of systems or
information
6. Deliberate acts of theft Illegal confiscation of equipment
or information

Categories of Threat (cont’d) Examples
7. Deliberate software attacks Viruses, worms, denial-of-service
8. Forces of nature Fire, flood, earthquake lightning
9. Deviations in quality of service
from service providers
Power and WAN service issues
10. Technical hardware failures or
errors
Equipment failure
11. Technical software failures or
errors
Bugs, code problems, unknown
loopholes
12. Technological obsolescence Antiquated or outdated technologies

Why target financial institutions?
Financial institutions could be targeted for a variety of reasons:
-- in an effort to steal funds;
-- to gain access to information;
-- to disrupt normal business;
-- to create costly distractions;
-- to shake confidence and cause panic.

Which measures have financial institutions put in
place to curb down attacks?
Categories of Attack Counter Measures
Theft or loss: Computers and laptops,
portable electronic devices, electronic
media, paper files
Ensure proper physical
security of electronic and
physical restricted data
wherever it lives.
Insecure storage or transmission of PII
and other sensitive information
Encryption
Password hacked or revealed: Use good, cryptic passwords
that are difficult to guess,
and keep them secure

Which measures have financial institutions put in place to
curb down attacks?
Attack Counter Measures
Missing "patches"
and updates:
Make sure all systems that contain or access
Restricted Data have all necessary operating
system (OS)and third-party application security
“patches” and updates.
Computer infected
with a virus:
Install anti-virus and anti-spyware software
and make sure it is always up-to-date.
Improperly
configured or risky
software:
Don’t put sensitive information in places
where access permissions are too broad.

Which measures have financial institutions put in place to
curb down attacks?
Categories of Attack Counter Measures
Insecure disposal & re-use: Shred sensitive paper records before
disposing of them.
Application vulnerabilities and
mis-configuration
Make sure controls are in place to prevent
access to secure databases through
insecure databases.
Network attacks such as Denial of
Service Dos, DDoS, Man-in-the-
middle attack, packet sniffing, IP
spoofing, etc.
Use encrypted delivery protocol over a
Virtual Private Network (VPN), eg Secure
Sockets Layer (SSL)..

IT auditing
Information Technology Audit Services are used to identify
areas of technical risk including application, infrastructure,
systems, and process risks.
IT Audit Services can facilitate the selection of controls and
the identification of technical risk in order to allow
management to make strong strategic and tactical
decisions.
In addition to assessing current computer applications, IT
Audit consults on the development and implementation of
new systems to ensure that internal controls are
established and comply with industry standards.

Topic d)
Business continuity
Presented by Mpeirwe Nobles
i. Introduction
ii. Disaster recovery planning

Introduction
1-minute Introductory Dummies Video showing the need for
business continuity.
Please click on graphic below to play.

Business Continuity
Business continuity includes a set of planning, and preparatory
activities which are intended to ensure that an organization's critical
business functions will either continue to operate despite serious
incidents or disasters that might otherwise have interrupted them, or will
be recovered to an operational state within a reasonably short period.
If there is no Business Continuity plan implemented, then the organization is
facing a rather severe threat or disruption that may lead to bankruptcy.
The foundation of business continuity are the standards, program development,
and supporting policies; guidelines, and procedures needed to ensure a firm to
continue without stoppage, irrespective of the adverse circumstances or events.
The management of business continuity falls largely within the sphere of risk
management, with some cross-over into related fields such as governance, and
IT security.

Business Continuity
Types of business continuity plans
1. Resilience: critical business functions and the supporting
infrastructure are designed and engineered in such a way that they are
materially unaffected by most disruptions, for example through the use of
redundancy and spare capacity.
2. Recovery: arrangements are made to recover or restore critical and
less critical business functions that fail for some reason.
3. Contingency: the organization establishes a generalized capability
and readiness to cope effectively with whatever major incidents and
disasters occur, including those that were not, and perhaps could not,
have been foreseen. Contingency preparations constitute a last-resort
response if resilience and recovery arrangements should prove
inadequate in practice.

Business Continuity
Main features of a good BCP
Identifies and Prioritises Critical Business Functions
Determines Recovery Time Objectives Critical Assets
Includes a Comprehensive Risk Assessment Conducted On Critical
Facilities
Contains Succession Plans for Key Employees or Consultants
Includes a Technology Backup Strategy that Exists and Is Tested
Regularly
Lists Multiple Sources Available for Critical Supplies and Processes
Tools and Training Are In Place to Provide Advanced Warning of
Incidents
All Projects Include a Disaster Recovery Component

Disaster recovery planning
Disaster recovery is the process by which you resume
business after a disruptive event.
The event might be something huge-like an earthquake or the
terrorist attacks on the World Trade Center-or something small,
like malfunctioning software caused by a computer virus.
Disaster recovery planning suggests a more comprehensive
approach to making sure you can keep making money, not
only after a natural calamity but also in the event of smaller
disruptions including illness or departure of key staffers, supply
chain partner problems or other challenges that businesses
face from time to time.

Disaster recovery planning cont’d
3 minute Video showing how QUEST
company plans for Disaster recovery.
Please click on graphic below to play.

Examples of ideas in a good Disaster continuity plan.
1. Develop and practice a contingency (eventuality) plan that includes a
succession plan for the CEO.
2. Train backup employees to perform emergency tasks. The employees
you count on to lead in an emergency will not always be available.
3. Determine offsite crisis meeting places and crisis communication
plans for top executives. Practice crisis communication with
employees, customers and the outside world.
4. Invest in an alternate means of communication in case the phone
networks go down.
5. Make sure that all employees-as well as executives-are involved in
the exercises so that they get practice in responding to an emergency.

Examples of ideas in a good Disaster continuity plan cont’d.
6. Make business continuity exercises realistic enough to tap into
employees' emotions so that you can see how they'll react when the
situation gets stressful.
7. Form partnerships with local emergency response groups—
firefighters, police and EMTs—to establish a good working
relationship. Let them become familiar with your company and site.
8. Evaluate your company's performance during each test, and work
toward constant improvement. Continuity exercises should reveal
weaknesses.

In groups of two, outline at least 5
benefits of carrying out a Disaster
recovery planning in a business.
Why do you think many businesses
don’t carry out disaster recovery
planning despite the above benefits?
Class Activity 2!

Advantages of disaster recovery planning:
Time: Assurance of rapid recovery of
normal operating functions
Finances:Competitive advantage given by
response to crisis situations.
Corporate Reputation: With increased
confidence in your company's ability to
operate in unexpected circumstances,
your reputation grows with customers,
staff, partners and investors.
IT Security enforcement: Not only does DRP
protect data, hardware, software, etc., but the
people that compose your organization will be
better safeguarded should a disaster occur.
Disadvantages of
disaster recovery
planning:
Time: Time-
consuming
requirement to
implement DRP in
the organization.
Finances: Higher
financial burden.

Topic e)
Professionalism and ethical
standards
Presented by Mukalele Rogers
i. Professionalism
ii. Ethical standards

Professionalism
Professionalism (Professional ethics) encompass the
personal, organizational and corporate standards of behaviour
expected of professionals.
Professionals, and those working in acknowledged
professions, exercise specialist knowledge and skill.
How the use of this knowledge should be governed when
providing a service to the public can be considered a moral
issue and is termed professional ethics.

Computer Ethics
• Ethics are a set of moral principles that govern the
behaviour of a group or individual.
• Computer ethics is set of moral principles that
regulate the use of computers.
• In other words, Computer Ethics refers to the right or
wrong behavior exercised when using computers.
• Some common issues of computer ethics include
intellectual property rights (such as copyrighted
electronic content), privacy concerns, and how
computers affect society.

Deterrence to Unethical and Unprofessional Behavior
Deterrence: best method for preventing an unprofessional
or unethical activity; e.g., laws, policies, technical controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
As the world of computers evolves, organisations continue to
create ethical standards that address new issues raised by
new technologies.

Codes of Ethics and Professional Organizations
A number of professional organizations have established
codes of professional conduct and codes of ethics that
members are expected to follow.
Codes of ethics can have a positive effect on an individual’s
judgment regarding computer use.
It is the responsibility of security professionals to act ethically
and according to the policies and procedures of their employer,
their professional organization, and the laws of society.

Examples of Professional Organizations
1. The Computer Ethics Institute(CEI) was founded in 1985 as the Coalition
for Computer Ethics. CEI's mission is to facilitate the examination and
recognition of ethics in the development and use of computer
technologies. The output of this discussion provides educational
resources and governing rules.
In 1991, CEI held its first National Computer Ethics Conference in
Washington, D.C.
The Ten Commandments of Computer Ethics were
first presented in Dr. Ramon C. Barquin's paper
prepared for the conference,
"In Pursuit of a 'Ten Commandments' for Computer
Ethics."

Ethics and Information Security
CEI WEBSITE: http://computerethicsinstitute.org

Other Examples of Professional Organizations
2. Association of Computing Machinery. (www.acm.org)
3. International Information Systems Security
Certification Consortium (www.isc2.org)
4. The System Administration, Networking, and Security
Institute, or SANS (www.sans.org)
5. The Information Systems Audit and Control
Association or ISACA (www.isaca.org)
6. The Computer Security Institute (www.gocsi.com)
7. The Information Systems Security Association (ISSA)
(www.issa.org)
8. The Internet Society or ISOC (www.isoc.org)

Topic f)
IT audit framework/
standardization
Presented by Musana Evans
i. IT audit framework
ii. Types of IT Audits
iii. Rationale of an IT Audit
iv. Steps of an IT Audit
v. Examples of IT Audit Systems
vi. Case Study: SBP IT Audit

IT Audit: Introductory Activity
1. Who are auditors?
2. Have you ever witnessed the auditing
process? If so, where?
3. Some people view the auditing process
as a confrontation. Why do you think
people have negative attitude towards
the audit process?
4. Why is the auditing process essential to
a financial institution?
Class Activity 3!

IT audit framework
IT audit is the process of assessing a computer system
to determine whether it has been designed to maintain
IT Security principles(CIA), allows organisational goals
to be achieved effectively and uses resources
efficiently.
An IT audit is different from a financial audit. While a financial
audit's purpose is to evaluate whether an organization is
adhering to standard accounting practices, the purposes of an
IT audit are to evaluate the system's internal control design
and effectiveness.
This includes, but is not limited to, efficiency and security protocols,
development processes, and IT governance or oversight.

Types of IT audits
Systems and Applications Audit: - Verifies that systems and
applications are appropriate, are efficient, and adequately controlled to
ensure CIA.
Information Processing Facilities Audit: - Assesses the processing
facilities to ensure timely, accurate, and efficient processing of
applications.
Systems Development Audit: An audit to verify that the systems under
development meet the objectives and standards of the organization.
IT Management Audit: Verifies that IT management has developed an
organizational structure and procedures to ensure a controlled and
efficient environment for information processing.
Telecommunications / Network Audit:- An audit to verify that
telecommunications controls are in place across the network connecting
the clients and servers.

Rationale of conducting IT audit
The rationale (general objective/justification) of an IT audit is to
evaluate the computerised information system (CIS) in order to
ascertain whether it produces timely, accurate, complete and
reliable information outputs, as well as ensuring confidentiality,
integrity, availability and reliability of data and adherence to
relevant legal and regulatory requirements.
The objectives of undertaking an IT audit include:
1. To assess how well management capitalises on the use of IT to improve
its business processes;
2. To assess the effect of IT on the client’s business processes, including
the development of the financial statements and the business risks
related to these processes;
3. To assess how the client’s use of IT for the processing, storage and
communication of financial information affects the internal control
systems and our consideration of inherent risk and control risk;

Rationale of conducting IT audit
4. To Identify and understand the controls that management uses to
measure, manage and control the IT processes;
5. To Assess the effectiveness of controls over the IT processes that
have a direct and important impact on the processing of financial
information.
6. IT Audit as a subset of performance audit seeks assurance that all
aspects of the IT systems, including necessary controls, are being
effectively enforced.
7. IT Audit as a subset of performance audit may examine the efficiency
and effectiveness of a IT based business process/government
program
As such, the focus of the IT audit is to provide assurance that the IT
systems can be relied upon to help deliver the required services.

Steps of An IT Audit
Below is the General
approach to IT Auditing,
NB: Ideally it’s a continuous
cycle and varies depending
on type of audit
1. Planning Phase
Define Scope, Learn
Controls, Historical
Incidents, review Past
Audits, Do Site Survey,
Review Current Policies,
Define Objectives, Develop
Audit Plan / Checklist,
Design Questionnaires
2. Testing Phase
Meet With Site Managers, Learn What
data will be collected, How/when will it
be collected, Do Site employee
involvement, Do Data Collection Based
on scope/objectives
3. Reporting Phase
 Prepare and present reports entailing:
Preliminary findings, Introduction
defining objectives/scope, How data
was collected, Summary of problems,
In depth description of problems,
Glossary of terms and References

Examples of IT Audit Systems
1. Tripwire
Auditing system
(Below)
2. IT Audit
using a
Firewall Log
(above)

Case Study: SBP IT Audit
We look at the case study of the STATE BANK OF PAKISTAN (SBP)
because it is one of the institutions that are tremendously moving on
an advanced IT trend in the world. (see letter in notes section)
Information Technology Audits evaluate system processing controls,
data security, physical security, systems development procedures,
contingency planning, and systems requirements.

Case Study: SBP IT Audit
The SBP Internal Audit Department was
established for the purpose of providing
management and the Audit Committee of the
State Bank of Pakistan Banking Services
Corporation with reasonable assurance that the
management control systems throughout the
SBPBSC (Bank) are adequate and operating
effectively.
The Internal Audit Department provides valuable support in
maintaining the public's confidence by performing
independent and objective reviews and subsequent
reporting.
SBP Audit WEBSITE: http://www.sbp.org.pk/sbp_bsc/BSC/audit/

Case Study: SBP IT Audit cont’d
The following activities are done during SBP IT Audit:
The bank logs are analysed to check who logged into the bank systems
ATM logs of the clients are analysed for validity to prevent hacker attacks
Also software are set/programmed to restrict and report unauthenticated
access to the SBP system
The system that is being compromised according to the logs is then
monitor closely before it is being reported to the police of Pakistan.
SBP also provides authentication/access control levels with the CEO,
directors, managers and other subordinates having limits of access
according to the set bank Security policy
The bank, as a security procedure educates staff on the good practices
to prevent breaches

Topic g)
International certifications &
standards in IT security
Presented by Ssemujju Bernard
i. Introduction
ii. International standards of IT security
iii. International certifications in IT security

Introduction
While information security plays an important role in protecting the
data and assets of an organisation, we often hear news about
security incidents, such as defacement of websites, server
hacking and data leakage.
Organisations need to be fully aware of the need to devote more
resources to the protection of information assets, and information
security must become a top concern in both government and
business.
To address the situation, a number of governments and
organisations have set up benchmarks, standards and in some
cases, legal regulations on information security to help ensure an
adequate level of security is maintained, resources are used in the
right way, and the best security practices are adopted

Introduction cont’d
Some industries, such as banking, are regulated, and the
guidelines or best practices put together as part of those
regulations often become a de facto standard among members of
these industries.
In this section, we give a brief introduction to the most commonly
adopted standards and regulations for information security,
including ISO standards, COBIT, the Sarbanes-Oxley Act, and so
on.
We shall also look at International certifications in IT security,
which are qualifications or designations earned by a person to
certify that he is qualified to perform a job.

a) ISO STANDARDS
The International Organisation for Standardisation (ISO), established in
1947, is a non- governmental international body that collaborates with
the International Electrotechnical Commission (IEC) and the
International Telecommunication Union (ITU) on information and
communications technology (ICT) standards.
The following are commonly referenced ISO security standards:
NB: See Notes Area for details and references
1. ISO/IEC27002:2005 (Code of Practice for Information Security Management)
2. ISO/IEC 27001:2005 (Information Security Management System - Requirements)
3. ISO/IEC 15408 (Evaluation Criteria for IT Security)
4. ISO/IEC 13335 (IT Security Management)15

b). PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
The Payment Card Industry (PCI) Data
Security Standard (DSS) 16 was
developed by a number of major credit
card companies (including American
Express, Discover Financial Services,
JCB, MasterCard Worldwide and Visa
International) as members of the PCI
Standards Council to enhance payment
account data security.
The standard consists of 12 core
requirements, which include security
management, policies, procedures,
network architecture, software design
and other critical measures.
These requirements are organised
into the following areas:
1. Build and Maintain a Secure
Network
2. Protect Cardholder Data
3. Maintain a Vulnerability
Management Program
4. Implement Strong Access
Control Measures
5. Regularly Monitor and Test
Networks
6. Maintain an Information Security
Policy

c) COBIT
The Control Objectives for Information and related Technology (COBIT)
is “a control framework that links IT initiatives to business requirements,
organises IT activities into a generally accepted process model, identifies
the major IT resources to be leveraged and defines the management
control objectives to be considered”.
The IT GOVERNANCE INSTITUTE (ITGI) first released it in 1995,
and the latest update is version 4.1, published in 2007.
COBIT is increasingly accepted internationally as a set of guidance
materials for IT governance that allows managers to bridge the gap
between control requirements, technical issues and business risks.

EXAMPLES OF STANDARDS INCLUDE;
1.Standard Of Good Practice; This was published by the Information Security
Forum(ISF) as a comprehensive list of best practices of information security.
2.Standards By North American Electric Reliability Corporation(NERC)
• NERC 1200
• NERC 1300(CIP=Critical Infrastructure Protection)
3.National Institute of Standards and Technology(NIST);
N.B: Standards are used to secure bulk electricity systems . They also provide
network security administration while still supporting test practice industry
processes
Special Publication 800-12
 Provides a broad view of computer security and control areas
 Emphasizes the importance of the security controls and ways to implement them.

EXAMPLES OF STANDARDS CONT’D;
Special publication 800-14: -Describes common security principles that are used
-provides a high level of what should be incorporated with in a computer security policy
-Also describes what can be done to improve existing security as well as developing a
security practice.
Special publication 800-26: Provides advice on how to manage IT security.
• Emphasizes the importance of self assessments as well as risk assessment.
Special publication 800-37
• It was updated in 2010. Provides a near risk approach (Guide for applying the risk
management)
Special publication 800-53 rev 3
• Guide for assessing security controls that are applied to a system to make it more
secure.

International certifications in IT security
Definition: A professional certification, trade certification, or professional
designation often called simply certification or qualification is a
designation earned by a person to certify that he is qualified to perform a
job.
Certification indicates that the individual has a specific set of knowledge,
skills, or abilities in the view of the certifying body.
Professional certifications are awarded by professional bodies and
corporations.
The difference between licensure and certification is licensure is required
by law, whereas certification is generally voluntary. Wikipedia

Examples of certifications of IT security
Certified Protection Professional :The Certified Protection
Professional designation is awarded to experienced security
practitioners who have demonstrated in-depth knowledge and
management skills in eight key areas of security.
Professional Certified Investigator: Is a specialty certification
awarded to security practitioners who have demonstrated
knowledge and experience in case management, evidence
collection, and preparation of reports and testimony to
substantiate findings.
Physical Security Professional : is a specialty certification
awarded to security practitioners who have demonstrated
knowledge and experience in threat assessment and risk
analysis.

Question and Answer Session

MUELE Assignment Questions on this chapter
1 (a). What is an IT policy?
(b). List the key components essential
to an organization wide IT policy
(c). Define the types of user
restrictions that can be
implemented through the IT policy
(d). Prepare an IT policy for any
financial institution of your choice
2 (a). Differentiate between authorization
and authentication
(b). Explain the rationale of conducting
IT audit in a financial institution
(c). State the importance of electronic
signatures
3. (a) Define the concept of a Business
Continuity Plan (BCP)
(b). List the main features of a good
BCP
(c). Describe the impact of not having a
BCP
4 (a). Explain the different threats to
information security that financial
institutions must be aware of.
(b). Explain the measures put in place
by financial institutions to curb down
attacks
5 (a). What is IS/IT audit?
(b).Why is information systems audit
essential to a financial institution?

IT Security and Risk Mitigation

More Related Content

What's hot

Similar to IT Security and Risk Mitigation

More from Mukalele Rogers

Recently uploaded

IT Security and Risk Mitigation