CHAPTER 7 Information Systems Controls for Systems Reliability Part 1: Information Security
INTRODUCTION • Questions to be addressed in this chapter: • How does security affect systems reliability? • What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security? • What is the time-based model of security and the concept of defense-in-depth? • What types of preventive, detective, and corrective controls are used to provide information security? • How does encryption contribute to security and how do the two basic types of encryption systems work?
INTRODUCTION • One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means: • It provides an accurate, complete, and timely picture of the organization’s activities. • It is available when needed. • The information and the system that produces it are protected from loss, compromise, and theft.
INTRODUCTION • The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability: • Security: access to the system and its data is controlled. • Confidentiality: sensitive information is protected from unauthorized disclosure. • Privacy: personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner. • Processing integrity: data is processed accurately, completely, in a timely manner, and with proper authorization. • Availability: the system is available to meet operational and contractual obligations. [Figure: SYSTEMS RELIABILITY, drawn with SECURITY as the foundation layer beneath CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY, and AVAILABILITY]
INTRODUCTION • Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures: • Restrict system access to only authorized users and protect: • The confidentiality of sensitive organizational data. • The privacy of personal identifying information collected from customers.
INTRODUCTION • Security procedures also: • Provide for processing integrity by preventing: • Submission of unauthorized or fictitious transactions. • Unauthorized changes to stored data or programs. • Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
INTRODUCTION • In this chapter, we will focus on the Trust Services principle of information security. • Chapter 8 will discuss controls relevant to the other four reliability principles. • This chapter provides a broad introduction to the topic of information systems security. • Anyone interested in a career in information systems security would need to undertake additional detailed study.
INTRODUCTION • There has been a dramatic rise in the number of reported security incidents in recent years, including: • Denial of service attacks • Fraud • Loss of trade secrets • Identity theft • Accountants and IS professionals need to understand basic principles of information security in order to protect their organizations and themselves.
FUNDAMENTAL INFORMATION SECURITY CONCEPTS • There are three fundamental information security concepts that will be discussed in this chapter: • Security as a management issue, not a technology issue. • The time-based model of security. • Defense in depth.
SECURITY AS A MANAGEMENT ISSUE • Though information security is a complex technical subject, security is first and foremost a top management issue, not an IT issue.
SECURITY AS A MANAGEMENT ISSUE • Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS. • SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements. • SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness. • Security is a key component of the internal control and systems reliability to which management must attest. • As identified in the COSO model, management’s philosophy and operating style are critical to an effective control environment.
SECURITY AS A MANAGEMENT ISSUE • The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability: • Develop and document policies. • Effectively communicate those policies to all authorized users. • Design and employ appropriate control procedures to implement those policies. • Monitor the system, and take corrective action to maintain compliance with the policies. • Top management involvement and support is necessary to satisfy each of the preceding criteria.
SECURITY AS A MANAGEMENT ISSUE • Policy Development • It’s more exciting to react to security issues than to prevent them. • However, it is important to develop a comprehensive set of security policies before designing and implementing specific control procedures. • Doing so helps ensure that the security products you ultimately purchase protect each IS resource. • Developing a comprehensive set of security policies begins with taking an inventory of information systems resources, including: • Hardware • Software • Databases
SECURITY AS A MANAGEMENT ISSUE • Once the resources have been identified, they need to be valued in order to select the most cost-effective control procedures. • This is not easy, particularly when valuing information itself. • Top management needs to be involved because they have a broader understanding of the organization’s mission and goals, which enables them to better assess the dollar impact caused by loss or disclosure of information resources.
SECURITY AS A MANAGEMENT ISSUE • Effective Communication of Policies • Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users. • This needs to be more than having people sign off that they’ve received and read a written document. • Employees should have regular reminders about security policies and training in how to comply. • Training and communication will only be taken seriously if management provides active support and involvement. • Sanctions must also be imposed for policy violations, which again requires management support for enforcement.
SECURITY AS A MANAGEMENT ISSUE • Design and Employ Appropriate Control Procedures • Control frameworks such as COBIT and Trust Services identify a variety of specific control procedures and tools that can be used to mitigate various security threats. • Options differ in terms of cost and effectiveness. • Determining the optimal level of investment in security involves evaluating cost-benefit trade-offs. • Systems personnel have knowledge about the technical merits of each alternative, as well as the risk of various threats. • Management insight is needed in identifying potential costs and ensuring that all relevant organizational factors are considered.
SECURITY AS A MANAGEMENT ISSUE • Monitor and Take Remedial Action • Security is a moving target. • Technology advances create new threats and alter the risks associated with existing threats. • Effective control involves a continuous cycle of: • Developing policies to address identified threats; • Communicating those policies to all employees; • Implementing specific control procedures to mitigate risk; • Monitoring performance; and • Taking corrective action in response to problems.
SECURITY AS A MANAGEMENT ISSUE • Corrective actions often involve the modification of existing policies, and the cycle starts all over. • Senior management must be involved to ensure that security policies remain consistent with and support the organization’s business strategy.
TIME-BASED MODEL OF SECURITY • Given enough time and resources, any preventive control can be circumvented. • Consequently, effective control requires supplementing preventive procedures with: • Methods for detecting incidents; and • Procedures for taking corrective remedial action. • Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization’s economic and information resources.
TIME-BASED MODEL OF SECURITY • The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. • All three types of controls are necessary: • Preventive: limit actions to those in accord with the organization’s security policy and disallow all others. • Detective: identify when preventive controls have been breached. • Corrective: repair damage from problems that have occurred, and improve preventive and detective controls to reduce the likelihood of similar incidents.
TIME-BASED MODEL OF SECURITY • The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables: • P = Time it takes an attacker to break through the organization’s preventive controls • D = Time it takes to detect that an attack is in progress • C = Time to respond to the attack • These three variables are evaluated as follows: • If P > (D + C), then security procedures are effective. • Otherwise, security is ineffective.
TIME-BASED MODEL OF SECURITY • The model provides management with a means to identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls.
TIME-BASED MODEL OF SECURITY • EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures: • Measure 1 would increase P by 5 minutes. • Measure 2 would decrease D by 3 minutes. • Measure 3 would decrease C by 5 minutes. • Measure 4 would increase P by 3 minutes and reduce C by 3 minutes. • Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)
TIME-BASED MODEL OF SECURITY • You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C. • So let’s assume that P = 15 min., D = 5 min., and C = 8 min. • At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min. • With Measure 1, P is increased by 5 minutes: • 20 – (5 + 8) = 7 min. • With Measure 2, D is decreased by 3 minutes: • 15 – (2 + 8) = 5 min. • With Measure 3, C is decreased by 5 min.: • 15 – (5 + 3) = 7 min. • With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.: • 18 – (5 + 5) = 8 min. • The most cost-effective choice would therefore be Measure 4, because for the same money, it creates the greatest gap between the time it takes a perpetrator to break into the system and the time it takes the company to detect and thwart the attack.
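The comparison above, carried out in code as an added example that is not part of the original slides: the four measures, the $25,000 cost, and the starting values P = 15, D = 5, C = 8 are taken from the slides; the Measure class and function names are this example's own. It also shows why eyeballing works: because the margin P – (D + C) is linear, each measure's gain is simply the sum of its changes, whatever starting values you assume.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    """A candidate control investment, as changes to P, D and C (in minutes)."""
    name: str
    delta_p: float = 0.0  # increase in time to break through preventive controls
    delta_d: float = 0.0  # decrease in time to detect the attack
    delta_c: float = 0.0  # decrease in time to respond to the attack
    cost: float = 0.0     # dollars


def margin(p: float, d: float, c: float) -> float:
    """P - (D + C): positive means the attack is stopped before assets are compromised."""
    return p - (d + c)


def is_effective(p: float, d: float, c: float) -> bool:
    """The slides' criterion: security procedures are effective only if P > D + C."""
    return margin(p, d, c) > 0


def adopt(measure: Measure, p: float, d: float, c: float) -> tuple:
    """(P, D, C) after adopting one measure."""
    return p + measure.delta_p, d - measure.delta_d, c - measure.delta_c


def margin_gain(measure: Measure) -> float:
    """Change in the margin caused by a measure.

    Because margin = P - D - C is linear, the gain is delta_p + delta_d + delta_c
    whatever the starting values, so the ranking does not depend on them.
    """
    return measure.delta_p + measure.delta_d + measure.delta_c


def rank_by_gain_per_dollar(measures: list) -> list:
    """Most cost-effective first: largest margin gain per dollar spent."""
    return sorted(measures, key=lambda m: margin_gain(m) / m.cost, reverse=True)


# The slides' four measures; the $25,000 cost is the figure given on the slide.
MEASURES = [
    Measure("Measure 1", delta_p=5, cost=25_000),
    Measure("Measure 2", delta_d=3, cost=25_000),
    Measure("Measure 3", delta_c=5, cost=25_000),
    Measure("Measure 4", delta_p=3, delta_c=3, cost=25_000),
]

if __name__ == "__main__":
    p0, d0, c0 = 15.0, 5.0, 8.0  # the slides' assumed starting values
    print(f"start: margin={margin(p0, d0, c0):.0f} min, effective={is_effective(p0, d0, c0)}")
    for m in MEASURES:
        p, d, c = adopt(m, p0, d0, c0)
        print(f"{m.name}: P={p:.0f} D={d:.0f} C={c:.0f} -> margin={margin(p, d, c):.0f} min")
    print("most cost-effective:", rank_by_gain_per_dollar(MEASURES)[0].name)
```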
DEFENSE IN DEPTH • The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure. • If one layer fails, another may function as planned. • Computer security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access. • Redundancy also applies to detective and corrective controls.
DEFENSE IN DEPTH • Major types of preventive controls used for defense in depth include: • Authentication controls (passwords, tokens, biometrics, MAC addresses) • Authorization controls (access control matrices and compatibility tests) • Training • Physical access controls (locks, guards, biometric devices) • Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls) • Host and Application Hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows) • Encryption
DEFENSE IN DEPTH • Detective controls include: • Log analysis • Intrusion detection systems • Managerial reports • Security testing (vulnerability scanners, penetration tests, war dialing)
DEFENSE IN DEPTH • Corrective controls include: • Computer Emergency Response Teams • Chief Security Officer (CSO) • Patch Management
PREVENTIVE CONTROLS • The objective of preventive controls is to prevent security incidents from happening. • Involves two related functions: • Authentication • Focuses on verifying the identity of the person or device attempting to gain access. • Authorization • Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
PREVENTIVE CONTROLS • Users can be authenticated by verifying: • Something they know, such as passwords or PINs. • Something they have, such as smart cards or ID badges. • Some physical characteristic (biometric identifier), such as fingerprints or voice.
PREVENTIVE CONTROLS • Passwords are probably the most commonly used authentication method and also the most controversial. • An effective password must satisfy a number of requirements: • Length: longer is better; it should be at least 8 characters. • Multiple character types: use a mix of upper- and lower-case alphabetic, numeric, and special characters. • Random: passwords should not be words found in the dictionary or dictionary words preceded or followed by a number such as 4dog or dog4. They should not be related to the employee’s personal interests or hobbies, because special-purpose, password-cracking dictionaries can be found on the Internet containing the most common passwords related to various topics. • Secret: the most important requirement. A password must be kept secret to be effective.
PREVENTIVE CONTROLS • A password that meets the preceding criteria is typically difficult to memorize, a problem exacerbated by the typical requirement that the password be changed every 90 days. • So most people either: • Select passwords that can be easily guessed but can be memorized; or • Select passwords that meet the criteria for a strong password but write them down. • When the password is written down, it changes from something the employee knows to something the employee has, which can be stolen and used.
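A policy checker for the password requirements listed above, added here as an example and not taken from the slides: it tests length, the mix of character types, and the randomness rules (a dictionary word on its own or padded with a number such as 4dog or dog4, or a word tied to the employee's interests). The word list and interest list are constructed placeholders, the padding rule is generalized slightly to any non-letter padding, and secrecy is a behavioral requirement that no checker can test.

```python
import re
import string

# Constructed, tiny stand-ins for a cracking dictionary and an employee's known interests.
DICTIONARY = {"dog", "password", "welcome", "summer"}
PERSONAL_INTERESTS = {"golf", "yankees"}

MIN_LENGTH = 8  # the slides' minimum

# One run of letters, optionally padded on either side by non-letters.
# Slightly more general than the slides' number-only case: catches 4dog, dog4, dog2024!
_PADDED_WORD = re.compile(r"^[^a-z]*([a-z]+)[^a-z]*$")


def character_classes(password: str) -> set:
    """Which of the four character types (upper, lower, digit, special) are present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def looks_like_dictionary_word(password: str, words: set) -> bool:
    """True for a dictionary word alone or padded with digits/symbols (4dog, dog4)."""
    m = _PADDED_WORD.match(password.lower())
    return bool(m) and m.group(1) in words


def policy_violations(password: str,
                      words: set = DICTIONARY,
                      interests: set = PERSONAL_INTERESTS) -> list:
    """Return the slide requirements the password fails; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    # The slides ask for a mix of all four types: upper, lower, numeric, special.
    if len(character_classes(password)) < 4:
        violations.append("multiple character types")
    lowered = password.lower()
    if looks_like_dictionary_word(password, words) or any(w in lowered for w in interests):
        violations.append("random")
    return violations


if __name__ == "__main__":
    for candidate in ["dog4", "Welcome2024!", "GolfFan#2024", "Tq7!mZp2vR#k"]:
        print(f"{candidate!r}: {policy_violations(candidate) or 'passes'}")
```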