
CHAPTER 7

Information Systems Controls for Systems Reliability Part 1: Information Security

© 2008 Prentice Hall Business Publishing. Accounting Information Systems, 11/e, Romney/Steinbart.

INTRODUCTION
• One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
  – It provides an accurate, complete, and timely picture of the organization's activities.
  – It is available when needed.
  – The information and the system that produces it are protected from loss, compromise, and theft.

INTRODUCTION
SYSTEMS RELIABILITY
• The five basic principles that contribute to systems reliability:
  – Security
    • Access to the system and its data is controlled.
  – Confidentiality
    • Sensitive information is protected from unauthorized disclosure.
  – Privacy
    • Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
  – Processing integrity
    • Data is processed accurately, completely, in a timely manner, and with proper authorization.
  – Availability
    • The system is available to meet operational and contractual obligations.

INTRODUCTION
SYSTEMS RELIABILITY
• Note the importance of security in this picture. It is the foundation of systems reliability.
• Security procedures:
  – Restrict system access to only authorized users and protect:
    • The confidentiality of sensitive organizational data.
    • The privacy of personal identifying information collected from customers.

INTRODUCTION
SYSTEMS RELIABILITY
• Security procedures also:
  – Provide for processing integrity by preventing:
    • Submission of unauthorized or fictitious transactions.
    • Unauthorized changes to stored data or programs.
  – Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

FUNDAMENTAL INFORMATION SECURITY CONCEPTS
• There are three fundamental information security concepts that will be discussed in this chapter:
  – Security is a management issue, not a technology issue.
  – The time-based model of security.
  – Defense in depth.


TIME-BASED MODEL OF SECURITY
• Given enough time and resources, any preventive control can be circumvented.
• Consequently, effective control requires supplementing preventive procedures with:
  – Methods for detecting incidents, and
  – Procedures for taking corrective remedial action.
• Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization's economic and information resources.
• The model states this as P > D + C: the time P that preventive controls hold an attacker off must exceed the time D needed to detect the attack plus the time C needed to respond to it.


DEFENSE IN DEPTH
• The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.
• If one layer fails, another may function as planned.
• Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.
• Redundancy also applies to detective and corrective controls.

PREVENTIVE CONTROLS
• The objective of preventive controls is to prevent security incidents from happening.
• Involves two related functions:
  – Authentication
    • Focuses on verifying the identity of the person or device attempting to gain access.
  – Authorization
    • Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

PREVENTIVE CONTROLS
• Each authentication method has its limitations:
  – Passwords (something the user knows)
  – Physical identification techniques (something the user has)
  – Biometric techniques (something the user is)

PREVENTIVE CONTROLS
• Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.
• Example: Using a palm print and a PIN together is much more effective than using either method alone.
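The slide's palm-print-plus-PIN pairing cannot be exercised in code, so the following added example (not code from the Romney/Steinbart text) substitutes a password (something you know) and an RFC 6238 time-based one-time code from a token (something you have). It goes slightly beyond the slide by showing what makes the combination effective in practice: each factor is verified independently, comparisons are constant-time, and access is granted only when both factors pass. The user record, salt, password and function names are constructed for the illustration; the token secret is the published RFC 6238 reference test secret so the expected codes are checkable.

```python
"""Multi-factor authentication check: both factors must pass.

Added example, not from the slides. Factor 1 is a salted, iterated password
hash (something you know); factor 2 is a TOTP code (something you have).
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000
TOTP_STEP_SECONDS = 30


def _password_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen record cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user record (assumption). A real system keeps the TOTP secret encrypted at rest.
_SALT = b"constructed-salt-for-alice"
USERS: Dict[str, Dict[str, bytes]] = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _password_hash("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 Appendix B test secret
    },
}


def verify_password(user: str, password: str) -> bool:
    """Factor 1, something you know. Constant-time compare; unknown users still pay the hash cost."""
    rec = USERS.get(user)
    if rec is None:
        _password_hash(password, _SALT)  # keep timing similar for unknown usernames
        return False
    return hmac.compare_digest(_password_hash(password, rec["salt"]), rec["pw_hash"])


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226)."""
    counter = int(at // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(user: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Factor 2, something you have. Accept +/- `window` steps to tolerate token clock drift."""
    rec = USERS.get(user)
    if rec is None:
        return False
    now = time.time() if at is None else at
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(rec["totp_secret"], now + drift * TOTP_STEP_SECONDS), code):
            return True
    return False


def authenticate(user: str, password: str, code: str, at: Optional[float] = None) -> bool:
    """Multi-factor: evaluate both factors (no short-circuit) and allow only if both pass."""
    pw_ok = verify_password(user, password)
    otp_ok = verify_totp(user, code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At T=59 the RFC reference secret yields 94287082 (8 digits), i.e. 287082 with 6.
    print(authenticate("alice", "correct horse battery staple", "287082", at=59))  # True
    print(authenticate("alice", "correct horse battery staple", "287083", at=59))  # False
```

Both factors are always evaluated, so a failed login does not reveal which factor was wrong. The drift window is the trade-off the slide's "no method is foolproof" point implies: widening it helps users with slow clocks and gives an attacker a few more valid codes to guess.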

PREVENTIVE CONTROLS
• Authorization controls are implemented by creating an access control matrix.
  – Specifies what part of the IS a user can access and what actions they are permitted to perform.
  – When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

PREVENTIVE CONTROLS
Access control matrix:

  User ID   Password   File A   File B   File C   Program 1   Program 2   Program 3   Program 4
  12345     ABC          0        0        1          0           0           0           0
  12346     DEF          0        2        0          0           0           0           0
  12354     KLM          1        1        1          0           0           0           0
  12359     NOP          3        0        0          0           0           0           0
  12389     RST          0        1        0          0           3           0           0
  12567     XYZ          1        1        1          1           1           1           1

Codes for type of access:
  0 = No access permitted
  1 = Read and display only
  2 = Read, display, and update
  3 = Read, display, update, create, and delete

• Who has the authority to delete Program 2? (Only user 12389, the one user with code 3 on Program 2.)
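The matrix and compatibility test described above, as an added Python example (not code from the Romney/Steinbart text): the matrix is the slide's table transcribed by hand, and the function names are assumptions. Two practitioner notes: the slide prints passwords beside user IDs for teaching purposes only, so this example keeps credentials out of the matrix entirely (authentication happens before the compatibility test, and only the authenticated user ID is consulted); and unknown users or resources fail closed to no access.

```python
"""Access control matrix with a compatibility test (added example, not from the slides)."""
from typing import Dict, FrozenSet, List, Tuple

# Numeric access codes exactly as defined on the slide.
NO_ACCESS, READ_ONLY, READ_UPDATE, FULL = 0, 1, 2, 3

# Actions each code permits; a higher code is a superset of the lower ones.
PERMITTED_ACTIONS: Dict[int, FrozenSet[str]] = {
    NO_ACCESS: frozenset(),
    READ_ONLY: frozenset({"read", "display"}),
    READ_UPDATE: frozenset({"read", "display", "update"}),
    FULL: frozenset({"read", "display", "update", "create", "delete"}),
}

RESOURCES: Tuple[str, ...] = (
    "File A", "File B", "File C",
    "Program 1", "Program 2", "Program 3", "Program 4",
)

# The slide's matrix: user ID -> access code per resource, in RESOURCES order.
# Passwords deliberately omitted; they belong to authentication, not authorization.
MATRIX: Dict[str, Tuple[int, ...]] = {
    "12345": (0, 0, 1, 0, 0, 0, 0),
    "12346": (0, 2, 0, 0, 0, 0, 0),
    "12354": (1, 1, 1, 0, 0, 0, 0),
    "12359": (3, 0, 0, 0, 0, 0, 0),
    "12389": (0, 1, 0, 0, 3, 0, 0),
    "12567": (1, 1, 1, 1, 1, 1, 1),
}


def access_code(user_id: str, resource: str) -> int:
    """Code for (user, resource); unknown users or resources fail closed to NO_ACCESS."""
    if user_id not in MATRIX or resource not in RESOURCES:
        return NO_ACCESS
    return MATRIX[user_id][RESOURCES.index(resource)]


def compatibility_test(user_id: str, resource: str, action: str) -> bool:
    """The slide's compatibility test: may this authenticated user take this action on this resource?"""
    return action in PERMITTED_ACTIONS[access_code(user_id, resource)]


def users_permitted(resource: str, action: str) -> List[str]:
    """Answer review questions such as 'who may delete Program 2?' by scanning the column."""
    return [user for user in MATRIX if compatibility_test(user, resource, action)]


def user_capabilities(user_id: str) -> Dict[str, FrozenSet[str]]:
    """Everything one user can do, for an access review report."""
    return {
        res: PERMITTED_ACTIONS[access_code(user_id, res)]
        for res in RESOURCES
        if access_code(user_id, res) != NO_ACCESS
    }


if __name__ == "__main__":
    print("Can delete Program 2:", users_permitted("Program 2", "delete"))          # ['12389']
    print("12567 update File A?", compatibility_test("12567", "File A", "update"))  # False
    print("12359 capabilities:", user_capabilities("12359"))
```

Note that 12567 has code 1 everywhere: broad read access is still read-only, which is the kind of distinction an access review report (`user_capabilities`) makes visible at a glance.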

PREVENTIVE CONTROLS
• (Figure, not reproduced here.) These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.

DETECTIVE CONTROLS
• Preventive controls are never 100% effective in blocking all attacks.
• So organizations implement detective controls to enhance security by:
  – Monitoring the effectiveness of preventive controls, and
  – Detecting incidents in which preventive controls have been circumvented.

DETECTIVE CONTROLS
• Authentication and authorization controls (both preventive) govern access to the system and limit the actions that can be performed by authorized users.
• Actual system use must then be examined (a detective control) to assess compliance, through:
  – Log analysis
  – Intrusion detection systems
  – Managerial reports
  – Periodically testing the effectiveness of existing security procedures
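Log analysis is the first detective technique listed above. The following added example (not code from the Romney/Steinbart text) runs three checks over a constructed authentication log: a burst of failed logins from one user and source, a success that follows such a burst (the pattern a breached preventive control leaves behind), and a successful login outside business hours. The log format, field names, thresholds, business-hours window and every sample line are constructed for the illustration.

```python
"""Log analysis as a detective control (added example, not from the slides)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of an application's authentication log (user IDs echo the slide's matrix).
SAMPLE_LOG = """\
2024-03-04T08:59:10 user=12345 src=10.1.1.7 result=FAIL
2024-03-04T08:59:21 user=12345 src=10.1.1.7 result=FAIL
2024-03-04T08:59:35 user=12345 src=10.1.1.7 result=FAIL
2024-03-04T08:59:48 user=12345 src=10.1.1.7 result=FAIL
2024-03-04T09:00:02 user=12345 src=10.1.1.7 result=OK
2024-03-04T09:05:00 user=12567 src=10.1.1.9 result=OK
2024-03-04T23:40:17 user=12389 src=203.0.113.5 result=OK
2024-03-04T12:00:00 user=12346 src=10.1.1.8 result=FAIL
2024-03-04T12:30:00 user=12346 src=10.1.1.8 result=OK
this line is malformed and must be skipped, not crash the analysis
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")
Event = Tuple[datetime, str, str, bool]  # (timestamp, user, source, success)


def parse(log_text: str) -> List[Event]:
    """Parse log lines into events sorted by time; lines that do not match the format are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, result == "OK"))
    return sorted(events)


def detect(events: List[Event], fail_threshold: int = 3, window: timedelta = timedelta(minutes=5),
           business_hours: Tuple[int, int] = (8, 18)) -> List[str]:
    """Return alert strings for brute-force bursts, success-after-failures, and off-hours logins."""
    alerts: List[str] = []
    recent_fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, user, src, ok in events:
        key = (user, src)
        # Slide the window: keep only failures recent enough to matter.
        recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
        if not ok:
            recent_fails[key].append(ts)
            if len(recent_fails[key]) == fail_threshold:  # alert once when the threshold is crossed
                alerts.append(f"{ts.isoformat()} BRUTE_FORCE user={user} src={src} "
                              f"fails={fail_threshold} within {window}")
            continue
        if len(recent_fails[key]) >= fail_threshold:
            alerts.append(f"{ts.isoformat()} SUCCESS_AFTER_FAILURES user={user} src={src} "
                          f"fails={len(recent_fails[key])}")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            alerts.append(f"{ts.isoformat()} OFF_HOURS_LOGIN user={user} src={src}")
        recent_fails[key].clear()  # a success resets the failure streak
    return alerts


def analyze(log_text: str) -> List[str]:
    """Parse and detect in one call, for use from a scheduled review job."""
    return detect(parse(log_text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

User 12346 fails once and succeeds thirty minutes later, which stays below both the count threshold and the time window, so it produces no alert; that is the tuning decision every log-analysis control involves, since a threshold low enough to catch a slow guesser also pages on ordinary typos.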

CORRECTIVE CONTROLS
• COBIT specifies the need to identify and handle security incidents.
• Two of the Trust Services framework criteria for effective security are the existence of procedures to:
  – React to system security breaches and other incidents.
  – Take corrective action on a timely basis.

CORRECTIVE CONTROLS
• Three key components that satisfy the preceding criteria are:
  – Establishment of a computer emergency response team.
  – Designation of a specific individual with organization-wide responsibility for security.
  – An organized patch management system.

CORRECTIVE CONTROLS
• Computer emergency response team
  – A key component of being able to respond to security incidents promptly and effectively is the establishment of a computer emergency response team (CERT).
  – Responsible for dealing with major incidents.
  – Should include technical specialists and senior operations management.
    • Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.


CORRECTIVE CONTROLS
• A chief security officer (CSO):
  – Should be independent of other IS functions and report to either the COO or CEO.
  – Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
  – Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.
  – Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
  – Works with the person in charge of building security, as that is often the entity's weakest link.


CORRECTIVE CONTROLS
• Patch management is the process for regularly applying patches and updates to all of an organization's software.
• Challenging to do because:
  – Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
  – There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.