Discuss The Issues That Need To Be Considered Before Implementing Keystroke Monitoring


WEEK 3

SECURITY PART I: AUDITING OPERATING SYSTEMS AND NETWORKS

REVIEW QUESTIONS

1. What are the five control objectives of an operating system?

2. What are the three main tasks the operating system performs?

3. What is the purpose of an access control list?

4. What are the four techniques that a virus could use to infect a system?

5. What is an access token?

6. Explain discretionary access privileges.

DISCUSSION QUESTIONS

1. Why is human behavior considered one of the biggest potential threats to operating
system integrity?

2. Why would a systems programmer create a back door if he or she has access to the
program in his or her day-to-day tasks?

3. Discuss the issues that need to be considered before implementing keystroke
monitoring.

4. Explain how an access token and an access control list are used to approve or deny
access.

PROBLEMS
1. Network Access Control
Ajax Automotive services retail automotive centers on the east coast by supplying them with
quality car and truck parts such as brake pads, oil filters, water pumps, etc. The
company’s 123 sales representatives work exclusively in the field visiting client company
locations and submitting sales orders from laptop computers via an internet connection to
the corporate offices in Delaware. All of Ajax’s sales orders are received in this manner.
Customer account, sales history, inventory, and cash receipts records are stored on a
central server at the corporate site. Customers are billed digitally from the corporate
office on a net 30 basis.
Required:
Outline the access controls that would be appropriate for this situation. Explain why these
controls are necessary.

2. Network System Controls


Three years ago, Triumph Manufacturing implemented a networked transaction
processing system to link their various departments and allow data sharing. Prior to then,
Triumph employed a system based on stand-alone PCs. When the new system was
implemented, each employee was given a user ID and assigned a four-digit password to
permit access to the system. Once in the system, they had the option of changing their
passwords or keeping the one originally assigned. Since everyone in the organization
was new to the system, the operating philosophy adopted by Triumph was to establish an
open system that would facilitate efficient processing with minimal inconvenience.
Towards this end, employee access privileges to data and processes were assigned based
on functional affiliation. For example, sales staff had access to all processes and data
pertaining to sales transactions such as order entry procedures, inventory control, credit
checking, customer credit files, sales invoices, inventory records, etc. Similarly, all
accounting staff were granted access to such processes as updating accounts receivable,
accounts payable, cash receipts and all journals, subsidiary ledgers, and general ledger
accounts related to these tasks.
Recently, the internal auditor identified material errors and possible irregularities in the
financial statements. She is concerned about the lack of security and the potential for
fraud and unauthorized access from internet hackers.
Required:
Outline the control procedures and policies that would reduce these risks and explain your
solution.
