PART II
Control and Audit of Accounting Information Systems

Chapter 8
Controls for Information Security

Copyright © 2015 Pearson Education, Inc.

Learning Objectives
After studying this chapter, you should be able to:
1. Explain how security and the other four principles in the
Trust Services Framework affect systems reliability.
2. Explain two fundamental concepts: why information
security is a management issue, and the time-based model of
information security.
3. Discuss the steps criminals follow to execute a targeted
attack against an organization’s information system.
4. Describe the preventive, detective, and corrective controls
that can be used to protect an organization’s information.
5. Describe the controls that can be used to timely detect that
an organization’s information system is under attack.
6. Discuss how organizations can timely respond to attacks
against their information system.

Introduction
• One basic function of an AIS is to provide information useful for decision
making. In order to be useful, the information must be reliable, which means:
▫ It provides an accurate, complete, and timely picture of the organization’s
activities.
▫ It is available when needed.
▫ The information and the system that produces it are protected from loss,
compromise, and theft.
Trust Services Framework
• The Trust Services Framework organizes IT-related controls into five
principles that jointly contribute to systems reliability:
1. Security—access (both physical and logical) to the system and its data is
controlled and restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans,
trade secrets) is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or
business partners is collected, used, disclosed, and maintained only in
compliance with internal policies and external regulatory requirements and is
protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely
manner, and only with proper authorization.
5. Availability—the system and its information are available to meet
operational and contractual obligations.
• As the figure shows, information security is the foundation of systems
reliability and is necessary for achieving each of the other four principles.
The Importance of Security
• Information security procedures restrict system access to authorized
users only, thereby protecting the confidentiality of sensitive
organizational data and the privacy of personal information collected
from customers.
• Information security procedures protect information integrity by
preventing submission of unauthorized or fictitious transactions and
preventing unauthorized changes to stored data or programs.
• Finally, information security procedures provide protection against a
variety of attacks, including viruses and worms, thereby ensuring that
the system is available when needed.
Two Fundamental Information Security Concepts
1. Security is a management issue, not just a technology issue.
2. The time-based model of information security.
1. Security Is A Management Issue, Not Just
A Technology Issue.
Although effective information security requires the deployment of
technological tools such as firewalls, antivirus, and encryption, senior
management involvement and support throughout all phases of the
Security Life Cycle is absolutely essential for success.

Security Life Cycle
• The first step in the security life cycle is to assess the
information security-related threats that the organization
faces and select an appropriate response. Information
security professionals possess the expertise to identify
potential threats and to estimate their likelihood and
impact. However, senior management must choose which
of the four risk responses is appropriate to adopt so that
the resources invested in information security reflect the
organization’s risk appetite.
Security Life Cycle
The four risk responses are:
Reduce: Reduce the likelihood and impact of risk by
implementing an effective system of internal controls.
Accept: Accept the likelihood and impact of the risk.
Share: Share risk or transfer it to someone else by buying
insurance, outsourcing an activity, or entering into hedging
transactions.
Avoid: Avoid risk by not engaging in the activity that produces
the risk. This may require the company to sell a division, exit a
product line, or not expand as anticipated.
Security Life Cycle
• Step 2 involves developing information security policies
and communicating them to all employees.
Senior management must participate in developing policies
because they must decide the sanctions they are willing to
impose for noncompliance.
In addition, the active support and involvement of top
management is necessary to ensure that information
security training and communication are taken seriously.

Security Life Cycle
• Step 3 of the security life cycle involves the acquisition or building
of specific technological tools.
Senior management must authorize investing the necessary
resources to mitigate the threats identified and achieve the desired
level of security.

• Finally, step 4 in the security life cycle entails regular monitoring of
performance to evaluate the effectiveness of the organization’s information
security program.
Advances in IT create new threats and alter the risks associated with old
threats. Therefore, management must periodically reassess the organization’s
risk response.
2. The Time-based Model Of
Information Security
• The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls that enable an organization to
recognize that an attack is occurring and take
steps to thwart it before any assets have been
compromised.
• All three types of controls are necessary:
a) Preventive
b) Detective
c) Corrective
The Time-based Model Of Information Security
• All three types of controls are necessary:
a) Preventive: limit actions to those in accord with the organization’s security
policy and disallow all others.
b) Detective: identify when preventive controls have been breached.
c) Corrective: repair damage from problems that have occurred, and improve
preventive and detective controls to reduce the likelihood of similar incidents.
The Time-based Model Of
Information Security
• The model provides management with a means
to identify the most cost-effective approach to
improving security by comparing the effects of
additional investments in preventive, detective,
or corrective controls.

The Time-based Model Of
Information Security
• The time-based model evaluates the effectiveness of an
organization’s security by measuring and comparing
the relationship among three variables:
▫ P = Time it takes an attacker to break through the
organization’s preventive controls.
▫ D = Time it takes to detect that an attack is in progress.
▫ C = Time to respond to the attack.

• These three variables are evaluated as follows:
▫ If P > (D + C), the attack is detected and stopped before the preventive
controls are breached, so the security procedures are effective.
▫ Otherwise, the attacker gets through before the organization can respond, and
security is ineffective.
The Time-based Model Of
Information Security
• EXAMPLE: For an additional expenditure of $25,000, the
company could take one of four measures:

▫ Measure 1 would increase P by 5 minutes.
▫ Measure 2 would decrease D by 3 minutes.
▫ Measure 3 would decrease C by 5 minutes.
▫ Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
• Because each measure has the same cost, which do you think would be the most
cost-effective choice? (Hint: Your goal is to have P exceed [D + C] by the
maximum possible amount.)
The Time-based Model Of
Information Security
• You may be able to solve this problem by eyeballing it. If not, one way
to solve it is to assume some initial values for P, D, and C.
• So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
• At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
• With Measure 1, P is increased by 5 minutes:
▫ 20 – (5 + 8) = 7 min.
• With Measure 2, D is decreased by 3 minutes:
▫ 15 – (2 + 8) = 5 min.
• With Measure 3, C is decreased by 5 min.
▫ 15 – (5 + 3) = 7 min.
• With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.
▫ 18 – (5 + 5) = 8 min.
 The most cost-effective choice would therefore be Measure 4,
because for the same money it creates the greatest distance between the time it
takes a perpetrator to break into the system and the time it takes the company
to detect and thwart the attack. (The gain from each measure is simply the sum
of its changes to P, D, and C, so the ranking does not depend on the starting
values assumed for P, D, and C.)
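The same comparison carried through in code, as an added example that is not part of the textbook or the slides. The baseline P = 15, D = 5, C = 8 minutes is the slide's own assumption; the `Measure` class, its `gain` property and the function names are mine. The `gain` property makes the slide's "eyeballing" hint explicit: each measure shifts P − (D + C) by a constant amount whatever the baseline, so the ranking is baseline-independent.

```python
"""Time-based model of security: the organization is protected when P > D + C.

Added example (not from the textbook): encodes the slide's four candidate
measures and its assumed baseline (P=15, D=5, C=8 minutes) and ranks them by
the resulting safety margin P - (D + C).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    delta_p: float = 0.0  # minutes added to P (time to defeat preventive controls)
    delta_d: float = 0.0  # minutes removed from D (time to detect the attack)
    delta_c: float = 0.0  # minutes removed from C (time to respond and stop it)

    @property
    def gain(self) -> float:
        # Change in P - (D + C) caused by this measure; independent of baseline.
        return self.delta_p + self.delta_d + self.delta_c


def margin(p, d, c):
    """Safety margin of the time-based model; positive means effective."""
    return p - (d + c)


def is_effective(p, d, c):
    return margin(p, d, c) > 0


def apply_measure(m, p, d, c):
    """New (P, D, C) after investing in measure m."""
    return p + m.delta_p, d - m.delta_d, c - m.delta_c


def rank_measures(measures, p, d, c):
    """Return [(name, new_margin)] sorted best first (stable, so ties keep order)."""
    scored = [(m.name, margin(*apply_measure(m, p, d, c))) for m in measures]
    return sorted(scored, key=lambda pair: -pair[1])


def best_measure(measures, p, d, c):
    return rank_measures(measures, p, d, c)[0][0]


# The slide's four equally priced ($25,000) options.
SLIDE_MEASURES = [
    Measure("Measure 1", delta_p=5),
    Measure("Measure 2", delta_d=3),
    Measure("Measure 3", delta_c=5),
    Measure("Measure 4", delta_p=3, delta_c=3),
]
BASELINE = (15.0, 5.0, 8.0)  # assumed P, D, C in minutes, as on the slide

if __name__ == "__main__":
    p, d, c = BASELINE
    print(f"baseline margin: {margin(p, d, c):+.0f} min, effective={is_effective(p, d, c)}")
    for name, new_margin in rank_measures(SLIDE_MEASURES, p, d, c):
        print(f"{name}: P - (D + C) = {new_margin:+.0f} min")
```

Running it reproduces the slide's numbers (7, 5, 7 and 8 minutes) and picks Measure 4; changing `BASELINE` changes the margins but not the winner.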
The Time-based Model Of
Information Security
• Organizations attempt to satisfy the objective of the time-
based model of security by employing the strategy of
Defense-in-depth, which entails using multiple layers of
controls to avoid having a single point of failure.
• If one layer fails, another may function as planned.
Information security involves using a combination of
firewalls, passwords, and other preventive procedures to
restrict access.
Understanding Targeted Attacks
• The basic steps criminals use to attack an
organization’s information system:
1. Conduct reconnaissance: computer attackers begin by collecting
information about their target to learn as much as possible about the
target and to identify potential vulnerabilities.
2. Attempt social engineering: Using deception to obtain
unauthorized access to information resources.
3. Scan and map the target: If an attacker cannot successfully
penetrate the target system via social engineering, the next step is to
conduct more detailed reconnaissance to identify potential points of
remote entry.
4. Research: Once the attacker has identified specific targets and knows
what versions of software are running on them, the next step is to
conduct research to find known vulnerabilities for those programs and
learn how to take advantage of those vulnerabilities.
5. Execute the attack: The criminal takes advantage of a vulnerability to
obtain unauthorized access to the target’s information system.
6. Cover tracks: After penetrating the victim’s information system, most
attackers attempt to cover their tracks and create “back doors” that they
can use to obtain access if their initial attack is discovered and controls
are implemented to block that method of entry.
Protecting Information Resources
“How to Mitigate Risk of Attack”
Preventive Controls:
• People
• Process
• Physical security
• Change controls & change management
• IT Solutions
Detective Controls:
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
Corrective Controls:
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
Preventive: People
• Culture of security “Tone set at the top with management”
Top management must not only communicate the organization’s
security policies, but must also lead by example. Employees are more
likely to comply with information security policies when they see
their managers do so. Conversely, if employees observe managers
violating an information security policy, for example by writing down
a password and affixing it to a monitor, they are likely to imitate that
behavior.

Preventive: People
• Training
▫ Follow safe computing practices
 Never open unsolicited e-mail attachments
 Use only approved software
 Do not share passwords
 Physically protect laptops/cellphones
▫ Protect against social engineering

• Investment in security training will be effective only if management clearly
demonstrates that it supports employees who follow prescribed security policies.
Preventive: Process “USER ACCESS CONTROLS”
• “Outsiders” are not the only threat source.
• An employee may become disgruntled for any number of reasons and may:
 seek revenge,
 be vulnerable to being corrupted because of financial difficulties,
 or be blackmailed into providing sensitive information.
Therefore, organizations need to implement a set of controls designed to protect
their information assets from unauthorized use and access by employees.
Preventive: Process “USER ACCESS CONTROLS”
• Authentication—verifies the identity of the person or device attempting to
access the system. Credentials fall into three categories:
1. Something the person knows, such as passwords or personal identification
numbers (PINs)
2. Something the person has, such as smart cards or ID badges
3. Something the person is: a biometric identifier, i.e., a physical or behavioral
characteristic used as an authentication credential, such as fingerprints or
typing patterns
4. A combination of the above. Multifactor authentication uses credentials from
two or more different categories (e.g., a password plus a smart card);
multimodal authentication uses multiple credentials of the same category.
• Authorization—determines what an authenticated user can access, restricting
the user to specific portions of the system and limiting the actions they are
permitted to perform.
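Authentication followed by authorization, as an added example that is not from the textbook. Passwords (something the user knows) are verified against salted PBKDF2 hashes, and authorization is an access control matrix (rows are users, columns are resources, cells are permitted actions) consulted by a compatibility test on every request, the chapter's terms for this check. The `UserStore` class, the users alice and bob, their passwords, the resources and the matrix contents are all assumptions made for the demonstration.

```python
"""User access controls: authentication (who are you?) then authorization
(what may you do?).

Added example, not from the textbook. Users, passwords, resources and the
access control matrix below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # deliberately slow to make offline guessing expensive


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest); a fresh random salt per user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so response time doesn't leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Record used for nonexistent users so that "unknown user" takes as long to reject
# as "wrong password"; otherwise timing reveals which usernames exist.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class UserStore:
    """Something the user knows: username + password (single factor)."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def authenticate(self, username, password):
        salt, iterations, digest = self._records.get(username, _DUMMY_RECORD)
        ok = verify_password(password, salt, iterations, digest)
        return ok and username in self._records


# Access control matrix: rows are users, columns are resources, cells hold the
# actions that user may perform. Anything not listed is denied (least privilege).
ACCESS_CONTROL_MATRIX = {
    "alice": {"general_ledger": {"read", "write"}, "payroll": {"read"}},
    "bob":   {"payroll": {"read", "write"}},
}


def compatibility_test(user, resource, action, matrix=ACCESS_CONTROL_MATRIX):
    """Authorization check: is `action` on `resource` compatible with `user`'s rights?"""
    return action in matrix.get(user, {}).get(resource, set())


def request_access(store, username, password, resource, action):
    """Authenticate first; only an authenticated identity is authorized."""
    if not store.authenticate(username, password):
        return "denied: authentication failed"
    if not compatibility_test(username, resource, action):
        return "denied: not authorized"
    return "granted"


def build_demo_store():
    store = UserStore()
    store.register("alice", "correct horse battery staple")  # constructed credentials
    store.register("bob", "hunter2-but-much-longer")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for args in [("alice", "correct horse battery staple", "general_ledger", "write"),
                 ("alice", "correct horse battery staple", "payroll", "write"),
                 ("alice", "wrong password", "payroll", "read"),
                 ("mallory", "anything", "payroll", "read")]:
        print(args[0], args[2], args[3], "->", request_access(store, *args))
```

Note the order: a wrong password and an unknown user both produce the same "authentication failed" result after the same amount of work, and the matrix is consulted only for an identity that has been verified.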
Detective: Penetration Test
• A penetration test is an authorized attempt by either an internal audit team or
an external security consulting firm to break into the organization’s information
system. These teams try everything possible to compromise a company’s system.
Preventive: Process “Change Controls & Change Management”
• Change control and change management refer to
the formal process used to ensure that modifications to
hardware, software, or processes do not reduce systems
reliability. Good change control often results in better
operating performance because there are fewer problems to
fix. Companies with good change management and change
control processes also experience lower costs when security
incidents do happen.
Preventive: IT Solutions
• Antimalware controls:
1. Malicious software awareness education
2. Installation of antimalware protection tools on all devices
• Network access controls:
1. Perimeter defense: routers, firewalls, and intrusion prevention systems
2. Controlling access by filtering packets
• Device and software hardening controls
• Encryption
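Controlling access by filtering packets, as an added example that is not from the textbook: a minimal stateless packet filter that evaluates an access control list (ACL) in order, applies the first matching rule, and denies anything no rule permits. The network layout, rule set, `Rule`/`Packet` classes and sample packets are assumptions for the demonstration (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges). It also shows the classic misconfiguration: a broad deny placed ahead of a narrower permit silently blocks the traffic the permit was meant to allow.

```python
"""Packet filtering with an access control list (ACL): first match wins,
implicit deny at the end.

Added example, not from the textbook. Addresses, rules and packets are
constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    src: str                          # source network, CIDR notation
    dst: str                          # destination network, CIDR notation
    dst_ports: Optional[range] = None  # None = any port (or portless protocol)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def rule_matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dst_ports is not None:
        return pkt.dst_port is not None and pkt.dst_port in rule.dst_ports
    return True


def filter_packet(acl, pkt):
    """Return (decision, index of matching rule); index None = implicit deny."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None  # nothing explicitly permitted gets through


def evaluate_all(acl, packets):
    return [filter_packet(acl, p) for p in packets]


# Border router / firewall ACL for a DMZ web server at 203.0.113.10.
# Order matters: the rule admitting SSH from the internal network (10.0.0.0/8)
# must precede the catch-all deny for that host.
PERIMETER_ACL = [
    Rule("permit", "tcp",  "0.0.0.0/0",  "203.0.113.10/32", range(443, 444)),  # public HTTPS
    Rule("permit", "tcp",  "10.0.0.0/8", "203.0.113.10/32", range(22, 23)),    # SSH only from inside
    Rule("deny",   "any",  "0.0.0.0/0",  "203.0.113.10/32"),                    # nothing else to the web server
    Rule("permit", "icmp", "10.0.0.0/8", "10.0.0.0/8"),                         # internal ping
]

# Same rules with the deny moved ahead of the internal-SSH permit: a common mistake.
MISORDERED_ACL = [PERIMETER_ACL[0], PERIMETER_ACL[2], PERIMETER_ACL[1], PERIMETER_ACL[3]]

SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),  # customer browsing the site
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),   # outsider trying SSH
    Packet("tcp", "10.1.2.3",     "203.0.113.10", 22),   # administrator on the LAN
    Packet("tcp", "198.51.100.7", "203.0.113.10", 23),   # telnet probe
    Packet("udp", "10.1.2.3",     "10.1.2.4",     53),   # matched by no rule at all
]

if __name__ == "__main__":
    for pkt, (decision, idx) in zip(SAMPLE_PACKETS, evaluate_all(PERIMETER_ACL, SAMPLE_PACKETS)):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dst_port}: {decision} (rule {idx})")
    print("misordered ACL, admin SSH:", filter_packet(MISORDERED_ACL, SAMPLE_PACKETS[2]))
```

A real border router or firewall applies the same first-match logic, which is why ACL changes belong under change control: reordering two rules can open or close a service without any rule being added or removed.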
Preventive: Physical Security Access Controls
• Physical security access controls
▫ Limit entry to the building
▫ Restrict access to the network and data
Detective Controls
• Log analysis: the process of examining logs to identify evidence of possible
attacks.
• Intrusion detection systems (IDS): a system that creates logs of all network
traffic that was permitted to pass the firewall and then analyzes those logs for
signs of attempted or successful intrusions.
• Continuous monitoring: continuously monitoring both employee compliance
with the organization’s information security policies and overall performance of
business processes. It can identify potential problems in a timely manner and
identify opportunities to improve existing controls.
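Log analysis run over sample data, as an added example that is not from the textbook. The log lines are constructed in an sshd-like format for the demonstration; the detection rule flags any source address that fails to log in at least `threshold` times within `window`, and records whether a successful login from that source followed the failures, the case where containment is urgent because the preventive control has already been breached. The regular expression, function names and thresholds are mine.

```python
"""Log analysis as a detective control: spot password-guessing attacks and,
more importantly, guesses that succeeded.

Added example, not from the textbook. LOG_LINES are constructed for the
demonstration; the format imitates sshd but is not taken from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINES = """\
2024-03-01T09:00:01 host1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
2024-03-01T09:00:03 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 40002 ssh2
2024-03-01T09:00:05 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 40003 ssh2
2024-03-01T09:00:06 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 40004 ssh2
2024-03-01T09:00:08 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 40005 ssh2
2024-03-01T09:00:09 host1 sshd[2201]: Accepted password for root from 198.51.100.7 port 40006 ssh2
2024-03-01T09:10:00 host1 sshd[2202]: Failed password for alice from 10.0.0.5 port 50000 ssh2
2024-03-01T09:10:20 host1 sshd[2202]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
2024-03-01T09:12:00 host1 sshd[2203]: Received disconnect from 10.0.0.5 port 50001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Turn one login-result line into an event dict; other lines return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Alert on sources with >= threshold failures inside a sliding window.

    A later 'Accepted' from an alerted source within the window marks the alert
    success_after=True and names the account, so responders triage it first.
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    recent_failures = defaultdict(deque)  # src -> failure timestamps in window
    tried_users = defaultdict(set)        # src -> usernames attempted
    alerts = {}
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent_failures[src]
            q.append(ev["ts"])
            tried_users[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "failures": len(q), "first": q[0],
                               "last": ev["ts"], "users": set(tried_users[src]),
                               "success_after": False, "compromised_user": None}
        else:  # Accepted
            a = alerts.get(src)
            if a and ev["ts"] - a["last"] <= window:
                a["success_after"] = True
                a["compromised_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(LOG_LINES):
        print(f"{a['src']}: {a['failures']} failures {a['first'].time()}-{a['last'].time()}, "
              f"users tried={sorted(a['users'])}, success_after={a['success_after']} "
              f"({a['compromised_user']})")
```

A single failed login from alice is below the threshold and produces no alert; the burst from 198.51.100.7 does, and because an accepted login for root follows one second later, the alert is not merely "block this IP" but "root on host1 is compromised", which is the input the CIRT's containment step needs.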
Corrective
• Computer Incident Response Team (CIRT):
 A team that is responsible for dealing with major security incidents.
 The CIRT should include not only technical specialists but also senior
operations management, because some potential responses to security incidents
have significant economic consequences. For example, it may be necessary to
temporarily shut down an e-commerce server.
 The CIRT should lead the organization’s incident response process through the
following four steps:
1. Recognition that a problem exists: typically, this occurs when an
IPS or IDS signals an Alert.
2. Containment of the problem: once an intrusion is detected,
prompt action is needed to stop it and to contain the damage.
3. Recovery: damage caused by the attack must be repaired. This may
involve eradicating any malware and restoring data from backup and
reinstalling corrupted programs.

4. Follow-up: once recovery is in process, the CIRT should lead the analysis of
how the incident occurred. Steps may need to be taken to modify existing
security policy and procedures to minimize the likelihood of a similar incident
occurring in the future.
Corrective
• Chief Information Security Officer (CISO):
 The CISO should be independent of other information systems
functions and should report to either the chief operating officer (COO)
or the chief executive officer (CEO).
 The CISO must understand the company’s technology environment
and work with the chief information officer (CIO) to design, implement,
and promote sound security policies and procedures.
 The CISO also needs to work closely with the person in charge of
physical security, because unauthorized physical access can allow an
intruder to bypass the most elaborate logical access controls.
Key Terms
• Defense-in-depth
• Time-based model of security
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Remote Authentication Dial-in User Service (RADIUS)
• War dialing
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Hardening
• Change control and change management
• Log analysis
• Intrusion detection system (IDS)
• Penetration test
• Computer incident response team (CIRT)
• Exploit
• Patch
• Patch management
• Virtualization
• Cloud computing

End of Ch. 8