PART II CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS

Controls for Information Security

LEARNING OBJECTIVES
After studying this chapter, you should be able to:
1. Explain how security and the other four principles in the Trust Services Framework affect systems reliability.
2. Explain two fundamental concepts: why information security is a management issue, and the time-based model of information security.
3. Discuss the steps criminals follow to execute a targeted attack against an organization's information system.
4. Describe the preventive, detective, and corrective controls that can be used to protect an organization's information.
5. … information system is under attack.
6. Discuss how organizations can timely respond to attacks against their information system.
7. Explain how virtualization, cloud computing, and the Internet of Things affect information security.

Northwest Industries

Jason Scott's next assignment is to review the internal controls over Northwest Industries' information systems. Jason obtains a copy of Control Objectives for Information and Related Technology 5 (COBIT 5) and is impressed by its thoroughness. However, he tells his friend that he feels overwhelmed in trying to use COBIT 5 to plan his audit of Northwest Industries. His friend suggests that he examine the Trust Services Framework developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to guide auditors in assessing the reliability of an organization's information system. After reviewing the framework, Jason concludes that he can use it to guide his audit effort. He decides that he will begin by focusing on the controls designed to provide reasonable assurance about information security. He writes down the following questions that will guide his investigation:
1. What controls does Northwest Industries employ to prevent unauthorized access to its accounting system?
2. How can successful and unsuccessful attempts to compromise the company's accounting system be detected in a timely manner?
3. What procedures are in place to respond to security incidents?

Introduction

Today, every organization relies on information technology (IT). Many organizations are also moving a portion of their information systems to the cloud. Management wants assurance that the information produced by the organization's own accounting system is reliable and also about the reliability of the cloud service providers with whom it contracts. In addition, management also wants assurance that the organization is compliant with an ever-increasing array of regulatory and industry requirements, including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standards (PCI-DSS).

As noted in Chapter 7, COBIT 5 is a comprehensive framework; this text focuses on only those portions of COBIT 5 that most directly pertain to the reliability of an information system and compliance with regulatory standards. Consequently, we organize this chapter and the next two around the principles in the Trust Services Framework, which was developed jointly by the AICPA and the CICA to provide guidance for assessing the reliability of information systems. Nevertheless, because COBIT 5 is an internationally recognized framework used by many organizations, auditors and accountants need to be familiar with it. Therefore, throughout our discussion we reference the relevant sections of COBIT 5 that relate to each topic so that you can understand how the principles that contribute to systems reliability are also essential to effectively managing an organization's investment in IT.

The Trust Services Framework organizes IT-related controls into five principles that jointly contribute to systems reliability:
1. Security—access (both physical and logical) to the system and its data is controlled and restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and only with proper authorization.
5. Availability—the system and its information are available to meet operational and contractual obligations.

FIGURE 8-1 Relationships Among the Five Trust Services Principles for Systems Reliability

As Figure 8-1 shows, information security is the foundation of systems reliability and is necessary for achieving each of the other four principles. Information security procedures restrict system access to authorized users only, thereby protecting the confidentiality of sensitive organizational data and the privacy of personal information collected from customers. Information security procedures protect information integrity by preventing submission of unauthorized or fictitious transactions and preventing unauthorized changes to stored data or programs. Finally, information security procedures provide protection against a variety of attacks, including viruses and worms, thereby ensuring that the system is available when needed. Consequently, this chapter focuses on information security. Chapter 9 discusses the IT controls relevant to protecting the confidentiality of an organization's intellectual property and the privacy of information it collects about its customers and business partners. Chapter 10 then covers the IT controls designed to ensure the integrity and availability of the information produced by an organization's accounting system.

Two Fundamental Information Security Concepts

1. SECURITY IS A MANAGEMENT ISSUE, NOT JUST A TECHNOLOGY ISSUE

Although effective information security requires the deployment of technological tools such as firewalls, antivirus, and encryption, senior management involvement and support throughout all phases of the security life cycle (see Figure 8-2) is absolutely essential for success.

FIGURE 8-2 The Security Life Cycle

The first step in the security life cycle is to assess the information security-related threats that the organization faces and select an appropriate response. Information security professionals possess the expertise to identify potential threats and to estimate their likelihood and impact. However, senior management must choose which of the four risk responses described in Chapter 7 (reduce, accept, share, or avoid) is appropriate to adopt so that the resources invested in information security reflect the organization's risk appetite.

Step 2 involves developing information security policies and communicating them to all employees. Senior management must participate in developing policies because they must decide the sanctions they are willing to impose for noncompliance. In addition, the active support and involvement of top management is necessary to ensure that information security training and communication are taken seriously. To be effective, this communication must involve more than just handing people a written document or sending them an e-mail message and asking them to sign an acknowledgment that they received and read the note. Instead, employees must receive regular, periodic reminders about security policies and training on how to comply with them.

Step 3 of the security life cycle involves the acquisition or building of specific technological tools. Senior management must authorize investing the necessary resources to mitigate the threats identified and achieve the desired level of security.
Finally, step 4 in the security life cycle entails regular monitoring of performance to evaluate the effectiveness of the organization's information security program. Advances in IT create new threats and alter the risks associated with old threats. Therefore, management must periodically reassess the organization's risk response and, when necessary, make changes to information security policies and invest in new solutions to ensure that the organization's information security efforts support its business strategy in a manner that is consistent with management's risk appetite.

2. THE TIME-BASED MODEL OF INFORMATION SECURITY

The goal of the time-based model of information security is to employ a combination of preventive, detective, and corrective controls to protect information assets long enough for an organization to detect that an attack is occurring and to take timely steps to thwart the attack before any information is lost or compromised. The time-based model of information security can be expressed in the following formula:

P > D + R

where
P = the time it takes an attacker to break through the various controls that protect the organization's information assets
D = the time it takes for the organization to detect that an attack is in progress
R = the time it takes to respond to and stop the attack

If the equation is satisfied (i.e., if P > D + R is true), then the organization's information security procedures are effective. Otherwise, security is ineffective.

Organizations strive to satisfy the objective of the time-based model of security by employing the strategy of defense-in-depth, which entails using multiple layers of controls in order to avoid having a single point of failure. Defense-in-depth recognizes that although no control can be 100% effective, the use of overlapping, complementary, and redundant controls increases overall effectiveness because if one control fails or gets circumvented, another may succeed.

The time-based model of security provides a means for management to identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls. For example, management may be considering the investment of an additional $100,000 to enhance security. One option might be the purchase of a new firewall that would increase the value of P by 10 minutes. A second option might be to upgrade the organization's intrusion detection system in a manner that would decrease the value of D by 12 minutes. A third option might be to invest in new methods for responding to information security incidents so as to decrease the value of R by 30 minutes. In this example, the most cost-effective choice would be to invest in additional corrective controls that enable the organization to respond to attacks more quickly.

Although the time-based model of security provides a sound theoretical basis for evaluating and managing an organization's information security practices, it should not be viewed as a precise mathematical formula. One problem is that it is hard, if not impossible, to derive accurate, reliable measures of the parameters P, D, and R. In addition, even when those parameter values can be reliably calculated, new IT developments can quickly diminish their validity. For example, discovery of a major new vulnerability can effectively reduce the value of P to zero. Consequently, the time-based model of security is best used as a high-level framework for strategic analysis, to clearly illustrate the principle of defense-in-depth and the need to employ multiple preventive, detective, and corrective controls.
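The following Python script is an added worked example (not part of the textbook) of the time-based model. It computes P as the sum of the time needed to defeat each preventive layer (defense-in-depth), evaluates the margin P - (D + R), compares the three $100,000 investment options from the paragraph above, and then models the caveat that a newly discovered vulnerability can reduce one layer's contribution to P to zero. The baseline values, the layer names and the split of P across layers are assumptions chosen for illustration; only the three option effects (+10 to P, -12 to D, -30 to R) come from the chapter.

```python
"""Worked example of the time-based model of security, P > D + R.

Added example, not from the textbook.  The three investment options are the
ones the chapter compares (a firewall adding 10 minutes to P, an IDS upgrade
cutting D by 12 minutes, and faster incident response cutting R by 30
minutes); the baseline values and the split of P across preventive layers
are assumptions chosen for illustration.  All times are in minutes.
"""
from dataclasses import dataclass


@dataclass
class SecurityPosture:
    # Defense-in-depth: P is the total time an attacker needs to get past
    # every preventive layer in turn, so no single layer is a single point
    # of failure.  Layer values are assumptions.
    layers: dict
    detect_minutes: float   # D: time to notice that an attack is in progress
    respond_minutes: float  # R: time to respond to and stop the attack

    @property
    def protect_minutes(self) -> float:
        """P: sum of the time needed to defeat each preventive layer."""
        return sum(self.layers.values())

    def margin(self) -> float:
        """P - (D + R).  Positive means the model's condition P > D + R holds."""
        return self.protect_minutes - (self.detect_minutes + self.respond_minutes)

    def is_effective(self) -> bool:
        return self.margin() > 0


# An investment option: (name, change per layer of P, change to D, change to R).
Option = tuple


def apply_option(base: SecurityPosture, option: Option) -> SecurityPosture:
    """Return the posture after one option is adopted."""
    _, layer_delta, d_delta, r_delta = option
    layers = dict(base.layers)
    for layer, delta in layer_delta.items():
        layers[layer] = layers.get(layer, 0) + delta
    return SecurityPosture(layers, base.detect_minutes + d_delta, base.respond_minutes + r_delta)


def best_option(base: SecurityPosture, options: list) -> Option:
    """Choose the option that most improves the margin P - (D + R).  In the
    chapter's example all three options cost the same $100,000, so the
    largest improvement is also the most cost-effective one."""
    return max(options, key=lambda o: apply_option(base, o).margin() - base.margin())


def zero_day(posture: SecurityPosture, layer: str) -> SecurityPosture:
    """Model the chapter's caveat: discovery of a major new vulnerability can
    reduce a layer's contribution to P to zero overnight."""
    layers = dict(posture.layers)
    layers[layer] = 0
    return SecurityPosture(layers, posture.detect_minutes, posture.respond_minutes)


# Constructed baseline (assumption): P = 15 + 20 + 10 = 45, D = 30, R = 45.
BASELINE = SecurityPosture(
    layers={"perimeter firewall": 15, "host hardening": 20, "access controls": 10},
    detect_minutes=30,
    respond_minutes=45,
)

# The chapter's three options, each costing the same $100,000.
OPTIONS = [
    ("new firewall: P +10", {"perimeter firewall": 10}, 0, 0),
    ("IDS upgrade: D -12", {}, -12, 0),
    ("incident response: R -30", {}, 0, -30),
]


if __name__ == "__main__":
    print(f"baseline margin P-(D+R) = {BASELINE.margin()} min, effective={BASELINE.is_effective()}")
    for opt in OPTIONS:
        after = apply_option(BASELINE, opt)
        print(f"{opt[0]:28s} margin={after.margin():4} effective={after.is_effective()}")
    chosen = best_option(BASELINE, OPTIONS)
    print("best option:", chosen[0])
    hit = zero_day(apply_option(BASELINE, chosen), "host hardening")
    print(f"after a zero-day in host hardening: margin={hit.margin()} effective={hit.is_effective()}")
```

Run as a script, the comparison picks the incident-response option, exactly as the chapter concludes, because it moves the margin by 30 minutes against 10 and 12 for the other two. The final lines show why the model is a planning aid rather than a formula: wiping out one layer's contribution to P sends the margin negative again, which is the case for keeping several overlapping layers and for investing in D and R as well as P.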
Understanding Targeted Attacks

Although many information security threats, such as viruses, worms, natural disasters, hardware failures, and human error, are often random (untargeted) events, organizations are also frequently the target of deliberate attacks. Before we discuss the preventive, detective, and corrective controls that can be used to mitigate the risk of systems intrusions, it is helpful to understand the basic steps criminals use to attack an organization's information system:

1. Conduct reconnaissance. Bank robbers usually do not just drive up to a bank and attempt to rob it. Instead, they first study their target's physical layout to learn about the controls it has in place (alarms, number of guards, placement of cameras, etc.). Similarly, computer attackers begin by collecting information about their target. Perusing an organization's financial statements, Securities and Exchange Commission (SEC) filings, website, and press releases can yield much valuable information. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities.

2. Attempt social engineering. Why go through all the trouble of trying to break into a system if you can get someone to let you in? Attackers will often try to use the information obtained during their initial reconnaissance to "trick" an unsuspecting employee into granting them access. Such use of deception to obtain unauthorized access to information resources is referred to as social engineering. Social engineering can take place in countless ways, limited only by the creativity and imagination of the attacker. Social engineering attacks often take place over the telephone. One common technique is for the attacker to impersonate an executive who cannot obtain remote access to important files. The attacker calls a newly hired administrative assistant and asks that person to help obtain the critical files. Another common ruse is for the attacker to pose as a clueless temporary worker who cannot log onto the system and calls the help desk for assistance. Social engineering attacks can also take place via e-mail. A particularly effective attack known as spear phishing involves sending e-mails purportedly from someone that the victim knows. The spear phishing e-mail asks the victim to click on an embedded link or open an attachment. If the recipient does so, a Trojan horse program is executed that enables the attacker to obtain access to the system. Yet another social engineering tactic is to spread USB drives in the targeted organization's parking lot. An unsuspecting or curious employee who picks up the drive and plugs it into their computer will load a Trojan horse that enables the attacker to gain access to the system.

3. Scan and map the target. If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry. The attacker uses a variety of automated tools to identify computers that can be remotely accessed and the types of software they are running.

4. Research. Once the attacker has identified specific targets and knows what versions of software are running on them, the next step is to conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities.

5. Execute the attack. The criminal takes advantage of a vulnerability to obtain unauthorized access to the target's information system.

6. Cover tracks. After penetrating the victim's information system, most attackers attempt to cover their tracks and create "back doors" that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.

Now that we have a basic understanding of how criminals attack an organization's information system, we can proceed to discuss methods for mitigating the risk that such attacks, as well as random threats such as viruses and worms, will be successful. The following sections discuss the major types of preventive, detective, and corrective controls listed in Table 8-1 that organizations use to provide information security through defense-in-depth.

Protecting Information Resources

This section discusses the preventive, detective, and corrective controls listed in Table 8-1 that organizations commonly use to protect information resources. As Figure 8-3 shows, these various preventive controls fit together like pieces in a puzzle to collectively provide defense-in-depth. Although all of the pieces are necessary, we discuss the "people" component first because it is the most important. Management must create a "security-conscious" culture and employees must be trained to follow security policies and practice safe computing behaviors.
TABLE 8-1 Preventive, Detective, and Corrective Controls Used to Satisfy the Time-Based Model of Security

TIME-BASED MODEL COMPONENT      EXAMPLES
Protection (preventive controls)
  People: creation of a "security-aware" culture; training
  Process: user access controls (authentication and authorization)
  Process: penetration testing
  Process: change controls and change management
  IT solutions: antimalware; network access controls (firewalls, intrusion prevention systems, etc.); device and software hardening (configuration controls); encryption
  Physical security: access controls (locks, guards, etc.)
Detection (detective controls)
  Log analysis; intrusion detection systems; continuous monitoring
Response (corrective controls)
  Computer incident response teams (CIRT); chief information security officer (CISO)

FIGURE 8-3 Various Preventive Controls: Pieces of the Security Puzzle

PEOPLE: CREATION OF A "SECURITY-CONSCIOUS" CULTURE

The discussion of the COSO and COSO-ERM (Enterprise Risk Management) frameworks in Chapter 7 stressed how top management's risk attitudes and behaviors create either an internal environment that supports and reinforces sound internal control or one that effectively negates written control policies. The same principle holds regarding information security. Indeed, COBIT 5 specifically identifies an organization's culture and ethics as one of the critical enablers for effective information security. To create a security-conscious culture in which employees comply with organizational policies, top management must not only communicate the organization's security policies, but must also lead by example. Employees are more likely to comply with information security policies when they see their managers do so. Conversely, if employees observe managers violating an information security policy, for example by writing down a password and affixing it to a monitor, they are likely to imitate that behavior.

COBIT 5 identifies employee skills and competencies as another critical enabler for effective information security. Employees must understand how to follow the organization's security policies. Thus, training is a critical preventive control. Indeed, its importance is reflected in the fact that security awareness training is discussed as a key practice to support several of COBIT 5's 32 management processes. All employees should be taught why security measures are important to the organization's long-run survival. They also need to be trained to follow safe computing practices, such as never opening unsolicited e-mail attachments, using only approved software, not sharing passwords, and taking steps to physically protect laptops. Training is especially needed to educate employees about social engineering attacks. For example, employees should be taught never to divulge passwords or other information about their accounts or their workstation configurations to anyone who contacts them by telephone, e-mail, or instant messaging and claims to be part of the organization's information systems security function. Employees also need to be trained not to allow other people to follow them through restricted access entrances. This social engineering attack, called piggybacking, can take place not only at the main entrance to the building but also at any internal locked doors, especially to rooms that contain computer equipment. Piggybacking may be attempted not only by outsiders but also by other employees who are not authorized to enter a particular area. Piggybacking often succeeds because many people feel it is rude to not let another person come through the door with them or because they want to avoid confrontations. Role-playing exercises are particularly effective for increasing sensitivity to and skills for dealing with social engineering attacks.

Security awareness training is important for senior management, too, because in recent years many social engineering attacks, such as spear phishing, have been targeted at them. Training of information security professionals is also important. New developments in technology continuously create new security threats and make old solutions obsolete. Therefore, it is important for organizations to support continuing professional education for their security specialists.

However, an organization's investment in security training will be effective only if management clearly demonstrates that it supports employees who follow prescribed security policies. This is especially important for combating social engineering attacks, because countermeasures may sometimes create embarrassing confrontations with other employees. For example, one of the authors heard an anecdote about a systems professional at a major bank who refused to allow a person who was not on the list of authorized employees to enter the room housing the servers that contained the bank's key financial information. The person denied entry happened to be a new executive who was just hired. Instead of reprimanding the employee, the executive demonstrated the bank's commitment to and support for strong security by writing a formal letter of commendation for meritorious performance to be placed in the employee's performance file. It is this type of visible top management support for security that enhances the effectiveness of all security policies.

Top management also needs to support the enforcement of sanctions, up to and including dismissal, against employees who willfully violate security policies. Doing so not only sends a strong message to other employees but also may sometimes lessen the consequences to the organization if an employee engages in illegal behavior.

It is important to understand that "outsiders" are not the only threat source.
An employee may become disgruntled for any number of reasons (e.g., being passed over for a promotion) and seek revenge, or may be vulnerable to being corrupted because of financial difficulties, or may be blackmailed into providing sensitive information. Therefore, organizations need to implement a set of controls designed to protect their information assets from unauthorized use and access by employees. To accomplish that objective, COBIT 5 management practice DSS05.04 stresses the need for controls to manage user identity and logical access so that it is possible to uniquely identify everyone who accesses the organization's information systems and track the actions that they perform. Implementing DSS05.04 involves the use of two related but distinct types of user access controls: authentication controls and authorization controls. Authentication controls restrict who can access the organization's information system. Authorization controls limit what those individuals can do once they have been granted access.

AUTHENTICATION CONTROLS

Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system. Three types of credentials can be used to verify a person's identity:
1. Something the person knows, such as passwords or personal identification numbers (PINs)
2. Something the person has, such as smart cards or ID badges
3. Some physical or behavioral characteristic (referred to as a biometric identifier) of the person, such as fingerprints or typing patterns.

Individually, each authentication method has its limitations. Passwords can be guessed, lost, written down, or given away. Focus 8-1 discusses some of the requirements for creating strong passwords as well as the ongoing debate about their continued use in the future. Physical identification techniques (cards, badges, USB devices, etc.) can be lost, stolen, or duplicated. Even biometric techniques are not 100% accurate, sometimes rejecting legitimate users (e.g., voice recognition systems may not recognize an employee who has a cold) and sometimes allowing access to unauthorized people. Moreover, some biometric techniques, such as fingerprints, carry negative connotations that may hinder their acceptance. There are also security concerns about storage of the biometric information itself. Biometric templates, such as the digital representation of an individual's fingerprints or voice, must be stored somewhere. The compromising of those templates would create serious, lifelong problems for the

FOCUS 8-1 Effectiveness of Passwords as Authentication Credentials

The effectiveness of using passwords as authentication credentials depends upon many factors:
• Length. The strength of a password is directly related to its length. The longer, the better.
• Multiple character types. Using a mixture of upper- and lowercase alphabetic, numeric, and special characters greatly increases the strength of the password.
• Randomness. Passwords should not be easily guessed. Therefore, they should not be words found in dictionaries. Nor should they be words with either a preceding or following numeric character (such as 3Diamond or Diamond3). They must also not be related to the employee's personal interests or hobbies; special-purpose password-cracking dictionaries that contain the most common passwords related to various topics are available on the Internet. For example, the password Ncc1701 appears, at first glance, to fit the requirements of a strong password because it contains a mixture of upper- and lowercase characters and numbers. But Star Trek fans will instantly recognize it as the designation of the starship Enterprise. Consequently, Ncc1701 and many variations on it (changing which letters are capitalized, replacing the number 1 with the ! symbol, etc.) are included in most password-cracking
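As an added example that is not part of the textbook, the Python below turns the Focus 8-1 criteria into checks a password policy could enforce: minimum length, a mix of character types, plain dictionary words with at most one digit before or after them (Diamond3, 3Diamond), and membership in a topic-specific cracking list after undoing common symbol substitutions and capitalization changes, so that Ncc1701 and variants such as NCC!70! are all caught. The minimum length of 12, the "at least three character types" threshold, the substitution table and the tiny word lists are assumptions; a real deployment would load full dictionaries and breached-password lists.

```python
"""Password-strength checks corresponding to the Focus 8-1 criteria.

Added example; the word lists are tiny constructed stand-ins for a real
dictionary and a topic-specific cracking list, and the thresholds below are
assumptions (the chapter says only "the longer, the better").
"""
import re
import string

MIN_LENGTH = 12        # assumption: the chapter gives no specific number
MIN_CHAR_CLASSES = 3   # assumption: of upper, lower, digit, special

# Constructed stand-in for a dictionary; a real check would load a word list.
DICTIONARY = {"diamond", "password", "welcome", "enterprise", "summer"}

# Constructed stand-in for a topic-specific cracking dictionary (the Focus 8-1
# Star Trek example).  Entries are lowercase with symbol substitutions undone,
# so capitalization changes and "1 -> !" variants still match.
CRACKING_LIST = {"ncc1701", "ncc1701d", "startrek", "enterprise"}

# Symbol-for-character substitutions that cracking tools routinely try;
# normalising them away is what lets NCC!70! match ncc1701.
SUBSTITUTIONS = str.maketrans({"!": "1", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase and undo common symbol substitutions before a list lookup."""
    return password.lower().translate(SUBSTITUTIONS)


def character_classes(password: str) -> int:
    """Count how many of the four character types the password uses."""
    classes = 0
    classes += any(c.isupper() for c in password)
    classes += any(c.islower() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(c in string.punctuation for c in password)
    return classes


def dictionary_core(password: str):
    """The word left after stripping at most one leading and one trailing digit,
    or None if the password is not of the form [digit]word[digit]."""
    match = re.fullmatch(r"\d?([A-Za-z]+)\d?", password)
    return match.group(1).lower() if match else None


def weaknesses(password: str) -> list:
    """Return the Focus 8-1 criteria the password fails (empty list = none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character types")
    if dictionary_core(password) in DICTIONARY:
        problems.append("dictionary word, possibly with one digit before or after")
    if normalize(password) in CRACKING_LIST:
        problems.append("appears in a topic-specific cracking dictionary")
    return problems


def is_strong(password: str) -> bool:
    return not weaknesses(password)


if __name__ == "__main__":
    # Constructed sample candidates, including the chapter's own examples.
    for candidate in ["Diamond3", "3Diamond", "Ncc1701", "NCC!70!", "Tq7$kLm2!vXp9"]:
        found = weaknesses(candidate)
        print(f"{candidate:15s} {'strong' if not found else '; '.join(found)}")
```

The check reports every failed criterion rather than stopping at the first, which is what a user-facing policy message needs. Note that Ncc1701 passes the character-type test, exactly as the Focus box says it appears to, and is rejected only by the cracking-list lookup; that is the point of keeping such a list alongside the mechanical rules.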
