
Chapter 8

Information Systems Controls for System Reliability Part 1: Information Security


Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

8-1

Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

8-2

AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control

8-3

Information for Management Should Be:

Effectiveness: Information must be relevant and timely.
Availability: Information must be available whenever needed.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
Integrity: Information must be accurate, complete, and valid.

8-4

COBIT Framework: Information Criteria

8-5

COBIT Cycle

Management develops plans to organize information resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
Management ensures that the resulting system actually delivers the desired information.
Management monitors and evaluates system performance against the established criteria.
The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

8-6

COBIT Controls
210 control objectives for ensuring information integrity
A subset is relevant for external auditors: IT Control Objectives for Sarbanes-Oxley, 2nd Edition
AICPA and CICA information systems controls: controls for system and financial statement reliability

8-7

Trust Services Framework

Security: Access to the system and its data is controlled and restricted to legitimate users.

Confidentiality: Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.

Processing Integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Privacy: Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

Availability: The system and its information are available to meet operational and contractual obligations.

8-8

Trust Services Framework


8-9

Security / Systems Reliability

Foundation of the Trust Services Framework
A management issue, not a technology issue
SOX 302 states: the CEO and the CFO are responsible to certify that the financial statements fairly present the results of the company's activities.
The accuracy of an organization's financial statements depends upon the reliability of its information systems.
Defense-in-depth and the time-based model of information security: have multiple layers of control

8-10

Management's Role in IS Security

Create a security-aware culture
Inventory and value company information resources
Assess risk, select a risk response
Develop and communicate security plans, policies, and procedures
Acquire and deploy IT security resources
Monitor and evaluate effectiveness

8-11

Time-Based Model
Evaluates preventive, detective, and corrective controls in combination

P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack

For an effective information security system: P > D + C
That is, the preventive controls must hold out longer than it takes to detect the attack and respond to it; otherwise the attacker gets through before the organization can react. Strengthening any of the three (slower to break, faster to detect, faster to respond) improves the margin.

8-12

Steps in an IS System Attack


8-13

Mitigate Risk of Attack

Preventive Control
Detective Control
Corrective Control

8-14

Preventive Control
Training
User access controls (authentication and authorization)
Physical access controls (locks, guards, etc.)
Network access controls (firewalls, intrusion prevention systems, etc.)
Device and software hardening controls (configuration options)

8-15

Authentication vs. Authorization

Authentication verifies who a person is, using:

1. Something the person knows (e.g., a password)
2. Something the person has (e.g., a token or smart card)
3. Some biometric characteristic
4. A combination of two or more of the above (multifactor authentication)

Authorization determines what an authenticated person can access

8-16
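The distinction on this slide in working code, as an added example (not from the textbook): a login that requires two factors (a salted password hash plus a TOTP code per RFC 4226 / RFC 6238), kept separate from an authorization check that consults the user's role. The user directory, roles and permission names are constructed sample data; the TOTP seed is the published RFC test-vector seed so the codes can be checked against the standard.

```python
"""Added example: two-factor authentication kept separate from authorization.
Users, roles and permissions are constructed sample data, not from the text."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# --- Factor 1: something the person knows (password) -----------------------
# Store a salted PBKDF2 hash, never the clear-text password.
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time compare

# --- Factor 2: something the person has (TOTP token, RFC 4226 / RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept the current 30-second step plus/minus `window` steps for clock drift.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False

# --- Constructed user directory -------------------------------------------
RFC_SECRET = b"12345678901234567890"   # RFC 4226/6238 published test-vector seed
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _salt, "pw_hash": _digest, "totp_secret": RFC_SECRET, "role": "ap_clerk"},
}

# --- Authorization: permissions attached to roles, checked per action ------
PERMISSIONS = {
    "ap_clerk":   {"invoice:create", "invoice:read"},
    "controller": {"invoice:create", "invoice:read", "invoice:approve", "payment:release"},
}

def authenticate(username: str, password: str, otp: str, unix_time: int) -> bool:
    """Both factors must pass for the login to succeed."""
    user = USERS.get(username)
    if user is None:
        return False
    return (verify_password(password, user["salt"], user["pw_hash"])
            and verify_totp(user["totp_secret"], otp, unix_time))

def authorize(username: str, action: str) -> bool:
    """A separate decision: being logged in grants no permissions by itself."""
    user = USERS.get(username)
    return user is not None and action in PERMISSIONS.get(user["role"], set())

if __name__ == "__main__":
    now = 59  # RFC 6238 test vector: at T=59 the 6-digit SHA-1 code is 287082
    print(authenticate("alice", "correct horse battery staple", totp(RFC_SECRET, now), now))  # True
    print(authorize("alice", "invoice:read"), authorize("alice", "payment:release"))           # True False
```

The point to notice is that `authorize` never looks at how the user logged in: a clerk who passes both factors is still refused `payment:release`. In a real system the role table would come from a directory, and the password hash parameters (algorithm, iteration count) would be versioned so they can be raised over time.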

Network Access Control (Perimeter Defense)

Border router: connects an organization's information system to the Internet

Firewall: software or hardware used to filter information

Demilitarized Zone (DMZ): a separate network that permits controlled access from the Internet to selected resources

Intrusion Prevention Systems (IPS): monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

8-17
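How the border router, firewall and DMZ on this slide divide the work, shown as an added example (not from the textbook): a small packet filter in which the border router drops packets from the Internet that claim an inside address, and the firewall's rule set lets the Internet reach only the DMZ web server on HTTPS while the web server may reach only one internal database port, with everything else denied by default. The address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, 203.0.113.x for external hosts), the host names and the rules are constructed for illustration; a real deployment expresses the same logic in iptables/nftables or a vendor ACL.

```python
"""Added example: a minimal perimeter (border router + default-deny firewall + DMZ).
Addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

ANY      = ipaddress.ip_network("0.0.0.0/0")
DMZ      = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WEB      = ipaddress.ip_network("192.0.2.10/32")   # public-facing web server in the DMZ
DB       = ipaddress.ip_network("10.0.5.20/32")    # internal database the web app needs

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside", "dmz" or "inside"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int]   # empty set = any port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and (not self.dports or pkt.dport in self.dports)
                and pkt.proto == self.proto)

# Rules are evaluated top-down; the first match wins; no match means deny.
RULES: List[Rule] = [
    Rule("allow", ANY,      WEB, frozenset({443})),   # Internet -> DMZ web server, HTTPS only
    Rule("allow", WEB,      DB,  frozenset({1433})),  # DMZ web server -> internal DB, one port
    Rule("allow", INTERNAL, DMZ, frozenset({22})),    # admins manage DMZ hosts over SSH
]

def border_router(pkt: Packet) -> bool:
    """Ingress filter: a packet arriving from the Internet must not claim an inside address."""
    src = ipaddress.ip_address(pkt.src)
    return not (pkt.iface == "outside" and (src in INTERNAL or src in DMZ))

def firewall(pkt: Packet, rules: List[Rule] = RULES) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default deny: anything not explicitly allowed is dropped

def perimeter(pkt: Packet) -> str:
    if not border_router(pkt):
        return "drop-spoofed"
    return firewall(pkt)

if __name__ == "__main__":
    for p in [Packet("outside", "203.0.113.7", "192.0.2.10", 443),
              Packet("outside", "203.0.113.7", "10.0.5.20", 1433),
              Packet("dmz",     "192.0.2.10",  "10.0.5.20", 1433),
              Packet("outside", "10.0.5.20",   "192.0.2.10", 443)]:
        print(p.iface, p.src, "->", p.dst, p.dport, perimeter(p))
```

The two properties worth checking in any real rule set are visible here: no rule lets the Internet reach the internal network directly, and a compromised DMZ host can reach exactly one internal service on exactly one port, which limits what an attacker gains from breaking into the web server.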

Internet Information Protocols


8-18

Device and Software Hardening (Internal Defense)

End-Point Configuration: disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations

User Account Management

Software Design: programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

8-19
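What "treat all input from external users as untrustworthy" means in code, as an added example (not from the textbook): the same invoice lookup written twice, once pasting the user's value into a SQL statement, once validating it against an allow-list and binding it as a parameter. The in-memory sqlite table, its rows and the invoice-number format are constructed sample data.

```python
"""Added example: an invoice lookup that trusts external input, beside the hardened form.
The sqlite table and rows are constructed sample data."""
import re
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (invoice_no TEXT, vendor TEXT, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        ("INV-1001", "Acme Supply", 1250.00),
        ("INV-1002", "Globex",       980.50),
        ("INV-1003", "Initech",     4300.00),
    ])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, invoice_no: str) -> List[Tuple]:
    # Untrusted input is pasted into the statement, so it can change the query's logic.
    sql = ("SELECT invoice_no, vendor, amount FROM invoices "
           f"WHERE invoice_no = '{invoice_no}'")
    return conn.execute(sql).fetchall()

INVOICE_NO = re.compile(r"INV-\d{4,8}")   # allow-list: the only shape we accept

def lookup_safe(conn: sqlite3.Connection, invoice_no: str) -> List[Tuple]:
    # 1. Validate against an allow-list before doing anything with the value.
    if not INVOICE_NO.fullmatch(invoice_no):
        raise ValueError(f"rejected invoice number: {invoice_no!r}")
    # 2. Pass it as a bound parameter so the driver never treats it as SQL.
    return conn.execute(
        "SELECT invoice_no, vendor, amount FROM invoices WHERE invoice_no = ?",
        (invoice_no,),
    ).fetchall()

def safe_rejects(conn: sqlite3.Connection, invoice_no: str) -> bool:
    """True if the hardened lookup refuses the input."""
    try:
        lookup_safe(conn, invoice_no)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(len(lookup_unsafe(db, "INV-1001")), "row(s) for a normal lookup")
    print(len(lookup_unsafe(db, payload)), "row(s) leaked by the injection payload")
    print(safe_rejects(db, payload), "<- hardened lookup rejects the payload")
```

Either step alone would stop this payload; both are kept because they guard different things. The allow-list rejects anything that is not an invoice number before it reaches the database, and the bound parameter guarantees that even a value which slips past validation is compared as data rather than parsed as SQL.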

Detective Controls
Log Analysis: the process of examining logs to identify evidence of possible attacks

Intrusion Detection: sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions

Managerial Reports
Security Testing

8-20
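Log analysis as a detective control, shown as an added example (not from the textbook): a small analyzer that parses sshd-style authentication lines and raises two alerts, a burst of failed logins from one source within a short window, and a successful login from a source that had just failed repeatedly (the case where prevention has been broken and only detection and response remain). The log lines are constructed for the example, and the window and thresholds are illustrative choices.

```python
"""Added example: detection logic run over constructed authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not real data); 203.0.113.50 is a documentation address.
SAMPLE_LOG = """\
Mar 10 08:01:02 erp01 sshd[2201]: Failed password for invalid user admin from 203.0.113.50 port 51122 ssh2
Mar 10 08:01:04 erp01 sshd[2203]: Failed password for root from 203.0.113.50 port 51123 ssh2
Mar 10 08:01:05 erp01 sshd[2204]: Failed password for root from 203.0.113.50 port 51124 ssh2
Mar 10 08:01:07 erp01 sshd[2206]: Failed password for jsmith from 203.0.113.50 port 51126 ssh2
Mar 10 08:01:09 erp01 sshd[2208]: Failed password for jsmith from 203.0.113.50 port 51128 ssh2
Mar 10 08:01:12 erp01 sshd[2211]: Accepted password for jsmith from 203.0.113.50 port 51130 ssh2
Mar 10 08:15:33 erp01 sshd[2290]: Failed password for jsmith from 10.0.1.5 port 40022 ssh2
Mar 10 08:15:40 erp01 sshd[2291]: Accepted password for jsmith from 10.0.1.5 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]

def analyze(lines, window_s: int = 60, fail_threshold: int = 5, success_after: int = 3) -> List[Dict]:
    """Flag (a) >= fail_threshold failures from one source inside window_s seconds and
    (b) a successful login from a source that had >= success_after recent failures."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts: List[Dict] = []
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue              # not an auth event we understand; skip
        ts, outcome, user, src = ev
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # slide the window forward
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"type": "brute_force", "src": src, "failures": len(q), "at": ts})
        elif len(q) >= success_after:
            alerts.append({"type": "success_after_failures", "src": src, "user": user,
                           "failures": len(q), "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the external source trips both alerts while the internal user who mistyped once and then logged in does not; the second alert type is the one an incident response team cares about most, because it marks the point where P has been exceeded and the clock on D + C is already running.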

Corrective Controls
Computer Incident Response Team (CIRT)

Chief Information Security Officer (CISO): independent responsibility for information security assigned to someone at an appropriate senior level

Patch Management: fix known vulnerabilities by installing the latest updates to security programs, operating systems, and applications programs

8-21

Computer Incident Response Team

Recognize that a problem exists
Containment of the problem
Recovery
Follow-up

8-22

New Considerations

Virtualization: multiple systems are run on one computer

Cloud Computing: remotely accessed resources (software applications, data storage, hardware)

Risks: increased exposure if a breach occurs; reduced authentication standards

Opportunities: implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein

8-23
