1. Chapter 8: Information Systems Controls for System Reliability— Part 1: Information Security
   Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

2. Learning Objectives
   - Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.
   - Explain the factors that influence information systems reliability.
   - Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

3. AIS Controls
   - COSO and COSO-ERM address general internal control
   - COBIT addresses information technology internal control

4. Information for Management Should Be:
   - Effectiveness: information must be relevant and timely.
   - Efficiency: information must be produced in a cost-effective manner.
   - Confidentiality: sensitive information must be protected from unauthorized disclosure.
   - Integrity: information must be accurate, complete, and valid.
   - Availability: information must be available whenever needed.
   - Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.
   - Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

5. COBIT Framework
   [Figure: COBIT framework diagram; only the label "Information Criteria" survived extraction.]

6. COBIT Cycle
   - Management develops plans to organize information resources to provide the information it needs.
   - Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
   - Management ensures that the resulting system actually delivers the desired information.
   - Management monitors and evaluates system performance against the established criteria.
   - The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

7. COBIT Controls
   - 210 controls for ensuring information integrity
   - Subset is relevant for external auditors
     - IT control objectives for Sarbanes-Oxley, 2nd Edition
   - AICPA and CICA information systems controls
     - Controls for system and financial statement reliability

8. Trust Services Framework
   - Security: access to the system and its data is controlled and restricted to legitimate users.
   - Confidentiality: sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
   - Privacy: personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
   - Processing Integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization.
   - Availability: the system and its information are available to meet operational and contractual obligations.

9. Trust Services Framework
   [Figure: Trust Services Framework diagram; no text survived extraction.]

10. Security / Systems Reliability
    - Foundation of the Trust Services Framework
    - Management issue, not a technology issue
    - SOX 302 states:
      - The CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.
      - The accuracy of an organization’s financial statements depends upon the reliability of its information systems.
    - Defense-in-depth and the time-based model of information security
      - Have multiple layers of control

11. Management’s Role in IS Security
    - Create a security-aware culture
    - Inventory and value company information resources
    - Assess risk, select risk response
    - Develop and communicate security plans, policies, and procedures
    - Acquire and deploy IT security resources
    - Monitor and evaluate effectiveness

12. Time-Based Model
    - Combination of detective and corrective controls
    - P = the time it takes an attacker to break through the organization’s preventive controls
    - D = the time it takes to detect that an attack is in progress
    - C = the time it takes to respond to the attack
    - For an effective information security system: P > D + C

13. Steps in an IS System Attack
    [Figure: steps in an attack on an information system; no text survived extraction.]

14. Mitigate Risk of Attack
    - Preventive Control
    - Detective Control
    - Corrective Control

15. Preventive Control
    - Training
    - User access controls (authentication and authorization)
    - Physical access controls (locks, guards, etc.)
    - Network access controls (firewalls, intrusion prevention systems, etc.)
    - Device and software hardening controls (configuration options)

16. Authentication vs. Authorization
    - Authentication verifies who a person is, using:
      1. Something the person knows
      2. Something the person has
      3. Some biometric characteristic
      4. A combination of all three
    - Authorization determines what a person can access

17. Network Access Control (Perimeter Defense)
    - Border router: connects an organization’s information system to the Internet
    - Firewall: software or hardware used to filter information
    - Demilitarized Zone (DMZ): a separate network that permits controlled access from the Internet to selected resources
    - Intrusion Prevention Systems (IPS): monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

18. Internet Information Protocols
    [Figure: Internet information protocols; no text survived extraction.]

19. Device and Software Hardening (Internal Defense)
    - End-Point Configuration
      - Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations
    - User Account Management
    - Software Design
      - Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.
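As an added example (not from the slides or the textbook) of the software-design point above: a hypothetical journal-entry handler for an accounting system that validates each externally supplied field against an allowlist and bounds, then binds the values into the SQL statement instead of concatenating them; the table, field names and posting limit are constructed for the illustration.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"[0-9]{4,6}")   # allowlist: a GL account code is 4-6 digits (assumed)
MAX_AMOUNT = Decimal("1000000.00")       # hypothetical single-entry posting limit

def validate_entry(account: str, amount: str, memo: str) -> dict:
    """Check every externally supplied field before it is used anywhere."""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("account must be 4-6 digits")
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if amt <= 0 or amt > MAX_AMOUNT or amt != amt.quantize(Decimal("0.01")):
        raise ValueError("amount out of range or not whole cents")
    if len(memo) > 60 or any(ord(ch) < 32 for ch in memo):
        raise ValueError("memo too long or contains control characters")
    return {"account": account, "cents": int(amt * 100), "memo": memo}

def post_entry_unchecked(conn, account, amount, memo):
    """'Before' form: untrusted strings are pasted straight into the SQL text."""
    conn.execute(f"INSERT INTO journal VALUES ('{account}', {amount}, '{memo}')")

def post_entry(conn, account, amount, memo) -> int:
    """Hardened form: validate first, then bind values instead of concatenating."""
    e = validate_entry(account, amount, memo)
    conn.execute("INSERT INTO journal (account, amount_cents, memo) VALUES (?, ?, ?)",
                 (e["account"], e["cents"], e["memo"]))
    return conn.execute("SELECT COUNT(*) FROM journal").fetchone()[0]

def new_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # in-memory table constructed for the demo
    conn.execute("CREATE TABLE journal (account TEXT, amount_cents INTEGER, memo TEXT)")
    return conn

def demo() -> tuple:
    """Constructed inputs: one good entry, one with an apostrophe, three malformed."""
    conn = new_ledger()
    post_entry(conn, "4100", "250.75", "Office supplies")
    rows = post_entry(conn, "4100", "19.99", "O'Brien's invoice")  # binding keeps the quote harmless
    rejected = []
    for bad in [("41O0", "10.00", "x"), ("4100", "-5", "x"), ("4100", "10.001", "x")]:
        try:
            post_entry(conn, *bad)
        except ValueError as err:
            rejected.append(str(err))
    return rows, rejected
```

The unchecked form breaks on the same apostrophe memo that the hardened form stores correctly, which is the practical reason for checking and binding input rather than trusting it.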
20. Detective Controls
    - Log Analysis: the process of examining logs to identify evidence of possible attacks
    - Intrusion Detection: sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
    - Managerial Reports
    - Security Testing
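As an added example (not from the slides) of log analysis as a detective control: a small Python routine that scans constructed, syslog-style authentication records for repeated failures from one source address within a short window, and for a success that follows them; the log format, addresses and thresholds are invented for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log; the record format and the addresses are invented.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth login user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:04 auth login user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 auth login user=bob src=10.0.0.5 result=FAIL
2024-03-01T09:00:12 auth login user=carol src=10.0.0.5 result=FAIL
2024-03-01T09:00:15 auth login user=dave src=10.0.0.5 result=FAIL
2024-03-01T09:00:20 auth login user=dave src=10.0.0.5 result=OK
2024-03-01T09:30:00 auth login user=erin src=10.0.0.9 result=FAIL
2024-03-01T09:45:00 auth login user=erin src=10.0.0.9 result=OK
"""

LINE_RE = re.compile(r"^(\S+) auth login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def analyze(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Return alerts as (timestamp, src, reason): flags `threshold` or more FAILs from
    one source inside `window`, then any OK from a source that was already flagged."""
    fails = defaultdict(deque)   # src -> timestamps of its recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # malformed records are skipped, never trusted
        ts, user, src, result = m.groups()
        when = datetime.fromisoformat(ts)
        if result == "FAIL":
            q = fails[src]
            q.append(when)
            while q and when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((ts, src, f"{len(q)} failed logins within {window}"))
        elif src in flagged:
            alerts.append((ts, src, f"successful login as {user} after repeated failures"))
    return alerts
```

Raising the threshold above the number of failures seen from one source suppresses both alerts, which is the tuning trade-off (missed attacks versus noise) that managerial review of these reports has to settle.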
21. Corrective Controls
    - Computer Incident Response Team
    - Chief Information Security Officer (CISO): independent responsibility for information security assigned to someone at an appropriate senior level
    - Patch Management: fix known vulnerabilities by installing the latest updates to
      - Security programs
      - Operating systems
      - Application programs

22. Computer Incident Response Team
    - Recognize that a problem exists
    - Containment of the problem
    - Recovery
    - Follow-up

23. New Considerations
    - Virtualization: multiple systems are run on one computer
    - Cloud Computing: remotely accessed resources
      - Software applications
      - Data storage
      - Hardware
    - Risks
      - Increased exposure if a breach occurs
      - Reduced authentication standards
    - Opportunities
      - Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein