
Accounting Information Systems

Fourteenth Edition

Chapter 8
Controls for Information
Security

Copyright © 2017, 2016, 2015 Pearson Education, Inc. All Rights Reserved
Learning Objectives (1 of 2)
• Explain how security and the other four principles in the
Trust Services Framework affect systems reliability.
• Explain two fundamental concepts: why information
security is a management issue, and the time-based model
of information security.
• Discuss the steps criminals follow to execute a targeted
attack against an organization’s information system.
• Describe the preventive, detective, and corrective controls
that can be used to protect an organization’s information.
• Describe the controls that can be used to detect in a timely
manner that an organization’s information system is under attack.

Learning Objectives (2 of 2)
• Discuss how organizations can respond in a timely manner to
attacks against their information system.
• Explain how virtualization, cloud computing, and the
Internet of Things affect information security.

Trust Services Framework (1 of 2)
• Security
– Access to the system and data is controlled and restricted to
legitimate users.
• Confidentiality
– Sensitive organizational data is protected.
• Privacy
– Personal information about trading partners, investors, and
employees is protected.
• Processing integrity
– Data are processed accurately, completely, in a timely manner,
and only with proper authorization.
• Availability
– The system and its information are available when needed.

Trust Services Framework (2 of 2)

Security Life Cycle
Security is a management issue

Security Approach
• Time-based model: security is effective if
– P > D + C, where
▪ P is the time it takes an attacker to break through the preventive controls
▪ D is the time it takes to detect that an attack is in progress
▪ C is the time it takes to respond to the attack and take corrective action
– If P ≤ D + C, the attacker finishes before the organization can react; when
P cannot be raised further, investing in detection and response shortens D and C

Understanding Targeted Attacks
• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research
• Execute the attack
• Cover tracks

How to Mitigate Risk of Attack
• Preventive controls
– People
– Process
– IT solutions
– Physical security
• Detective controls
– Log analysis
– Intrusion detection systems
– Continuous monitoring
• Response
– Computer Incident Response Teams (CIRT)
– Chief Information Security Officer (CISO)

Preventive: People
• Culture of security
– Tone set at the top with management
• Training
– Follow safe computing practices
▪ Never open unsolicited e-mail attachments
▪ Use only approved software
▪ Do not share passwords
▪ Physically protect laptops/cellphones
– Protect against social engineering

Preventive Process: User Access Controls
• Authentication—verifies the identity of the person trying to access the system
1. Something the person knows (password, PIN)
2. Something the person has (token, smart card, phone)
3. Some biometric characteristic (fingerprint, face)
4. A combination of two or more of these (multifactor authentication)
• Authorization—determines what an authenticated person is permitted to access and do
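The two halves of this slide, multifactor authentication (something known plus something held) followed by authorization against an access control matrix, as an added example in Python; this is illustration code, not code from the textbook or the slides. The password hash (PBKDF2) and the one-time code (RFC 4226 HOTP / RFC 6238 TOTP) are standard constructions; the user record, the password, the TOTP seed and the access control matrix are constructed sample data.

```python
"""Multifactor authentication (know + have) followed by authorization against
an access control matrix. Added illustration; user records, secrets and the
matrix are constructed sample data."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Factor 1, 'something you know': salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """Factor 2, 'something you have': RFC 6238 TOTP, counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-window, window + 1))


# Constructed access control matrix: user -> resource -> permitted actions.
ACCESS_CONTROL_MATRIX = {
    "alice": {"general_ledger": {"read", "post"}, "payroll": {"read"}},
    "bob": {"general_ledger": {"read"}},
}


def authorize(user: str, resource: str, action: str) -> bool:
    """Authorization: what an already-authenticated user may do. Default is deny."""
    return action in ACCESS_CONTROL_MATRIX.get(user, {}).get(resource, set())


# Constructed user store: alice's password and TOTP seed (the RFC 6238 test seed).
_SALT, _DIGEST = hash_password("correct horse", salt=b"\x00" * 16)
USERS = {"alice": {"salt": _SALT, "digest": _DIGEST, "totp_secret": b"12345678901234567890"}}


def login(user: str, password: str, otp: str, at: Optional[int] = None) -> str:
    """Returns 'ok' or the reason for rejection; both factors must pass."""
    at = int(time.time()) if at is None else at
    rec = USERS.get(user)
    if rec is None:
        # Do a dummy hash so unknown and known users take the same time (hinders enumeration).
        verify_password(password, b"\x00" * 16, b"\x00" * 32)
        return "unknown user"
    if not verify_password(password, rec["salt"], rec["digest"]):
        return "bad password"
    if not verify_totp(rec["totp_secret"], otp, at):
        return "bad one-time code"
    return "ok"


def request(user: str, password: str, otp: str, resource: str, action: str,
            at: Optional[int] = None) -> bool:
    """Authenticate first, then authorize; either failure denies the request."""
    return login(user, password, otp, at) == "ok" and authorize(user, resource, action)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    print(request("alice", "correct horse", code, "general_ledger", "post", now))
    print(request("alice", "correct horse", code, "payroll", "post", now))
```

Authentication and authorization are deliberately separate functions: a correct password and one-time code only establish who the caller is, and the matrix lookup (with deny as the default) decides what that identity may do.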

Preventive Process: Change Controls and
Change Management
• Formal process used to ensure that modifications to
hardware, software, or processes do not reduce systems
reliability
• Good change management and control requires
– Documentation
– Approval
– Testing
– A “backout” plan
– Monitoring

Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Physical Security: Access
Controls
• Physical security access controls
– Limit entry to building
– Restrict access to network and data

Detecting Attacks
• Log Analysis—examining logs to identify evidence of
possible attacks
• Intrusion Detection Systems (IDSs)—systems that create
logs of the network traffic permitted to pass through the
firewall and then analyze those logs for signs of attempted
or successful intrusions
• Continuous Monitoring—of employee compliance with the
organization’s information security policies and of the overall
performance of business processes
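Log analysis as the slide describes it, as an added example (not code from the slides or the textbook): a single-pass detector run over constructed sshd-style log lines that flags a burst of failed logins from one source within a minute and a successful login that follows such a burst. The log lines, the thresholds and the year assumed for the timestamps (syslog lines carry none) are all constructed.

```python
"""Log analysis over constructed sshd-style auth log lines: flags a burst of
failed logins from one source and a success that follows such a burst."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format (not a real capture).
SAMPLE_LOG = """\
Mar  3 09:14:01 erp01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:14:03 erp01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 09:14:05 erp01 sshd[2105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 09:14:06 erp01 sshd[2107]: Failed password for root from 203.0.113.7 port 51128 ssh2
Mar  3 09:14:08 erp01 sshd[2109]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 09:14:20 erp01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51132 ssh2
Mar  3 09:30:00 erp01 sshd[2150]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 09:31:00 erp01 sshd[2152]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Mar  3 09:31:05 erp01 CRON[2160]: (root) CMD (run-parts /etc/cron.hourly)
"""

ASSUMED_YEAR = 2017  # assumption: syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5                   # this many failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window => brute force
RETAIN = timedelta(minutes=10)       # how long failures are remembered per source
MIN_PRIOR_FAILURES = 3               # failures that make a following success suspicious


def parse_line(line: str):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(lines):
    """Single pass over the lines; returns alert dicts in log order."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()                # ips already reported for brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an sshd auth event (e.g. cron); ignored
        ts, result, user, ip = ev
        q = failures[ip]
        while q and ts - q[0] > RETAIN:  # expire failures older than RETAIN
            q.popleft()
        if result == "Failed":
            q.append(ts)
            in_window = sum(1 for t in q if ts - t <= FAIL_WINDOW)
            if in_window >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip, "user": user,
                               "time": ts, "count": in_window})
        elif len(q) >= MIN_PRIOR_FAILURES:
            # A success right after a run of failures: probable guessed credentials.
            alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                           "time": ts, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a["time"].isoformat(), a["rule"], a["ip"], a["user"], a["count"])
```

The second rule is the one that matters for the time-based model: a burst of failures alone is noise on any internet-facing host, but a success from the same source a few seconds later means the attacker is already past the preventive control, so that alert is what should start the clock on C.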

Responding to Attacks
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)

Security Implications of Virtualization, Cloud
Computing, and the Internet of Things
• Virtualization and Cloud Computing
– Positive impact on security
▪ Strong access controls implemented on the one host (or cloud platform) protect all of the systems running on it
– Negative impact on security
▪ Reliability issues, since many systems now depend on one host or provider
▪ Concentration of risk: unsupervised physical access to the host allows theft or destruction of every system on it

Key Terms
• Time-based model of security
• Defense-in-depth
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Penetration test
• Change control and change management
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Exploit
• Patch
• Patch management
• Hardening
• Log analysis
• Intrusion detection system (IDS)
• Computer incident response team (CIRT)
• Virtualization
• Cloud computing
