Today, every organization relies on information
technology (IT). Many organizations are also
moving at least portions of their information
systems to the cloud. Management wants
assurance that the information produced by the
organization’s own accounting system is reliable
and also about the reliability of the cloud
service providers with whom it contracts. In
addition, management also wants assurance
that the organization is compliant with an ever-
increasing array of regulatory and industry
requirements.
The Trust Services Framework organizes IT-
related controls into five principles that jointly
contribute to systems reliability:
1. Security—access (both physical and logical)
to the system and its data is controlled and
restricted to legitimate users.
2. Confidentiality—sensitive organizational
information (e.g., marketing plans, trade
secrets) is protected from unauthorized
disclosure.
3. Privacy—personal information about
customers, employees, suppliers, or business
partners is collected, used, disclosed, and
maintained only in compliance with internal
policies and external regulatory requirements
and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed
accurately, completely, in a timely manner, and
only with proper authorization.
5. Availability—the system and its information
are available to meet operational and
contractual obligations.
Two Fundamental Information Security
Concepts
1. SECURITY IS A MANAGEMENT ISSUE, NOT
JUST A TECHNOLOGY ISSUE
Although effective information security requires
the deployment of technological tools such as
firewalls, antivirus, and encryption, senior
management involvement and support
throughout all phases of the security life cycle is
absolutely essential for success.
The first step in the security life cycle is to
assess the information security-related threats
that the organization faces and select an
appropriate response. Information security
professionals possess the expertise to identify
potential threats and to estimate their
likelihood and impact. However, senior
management must choose which of the four
risk responses described in Chapter 7 (reduce,
accept, share, or avoid) is appropriate to adopt
so that the resources invested in information
security reflect the organization’s risk appetite.
Step 2 involves developing information security
policies and communicating them to all
employees. Senior management must
participate in developing policies because they
must decide the sanctions they are willing to
impose for noncompliance. In addition, the
active support and involvement of top
management is necessary to ensure that
information security training and
communication are taken seriously. To be
effective, this communication must involve
more than just handing people a written
document or sending them an e-mail message
and asking them to sign an acknowledgment
that they received and read the notice. Instead,
employees must receive regular, periodic
reminders about security policies and training
on how to comply with them.
Step 3 of the security life cycle involves the
acquisition or building of specific technological
tools. Senior management must authorize
investing the necessary resources to mitigate
the threats identified and achieve the desired
level of security.
Finally, Step 4 in the security lifecycle entails
regular monitoring of performance to evaluate
the effectiveness of the organization’s
information security program. Advances in IT
create new threats and alter the risks
associated with old threats. Therefore,
management must periodically reassess the
organization’s risk response and, when
necessary, make changes to information
security policies and invest in new solutions to
ensure that the organization’s information
security efforts support its business strategy in a
manner that is consistent with management’s
risk appetite.
2. THE TIME-BASED MODEL OF INFORMATION
SECURITY
The goal of the time-based model of
information security is to employ a combination
of preventive, detective, and corrective controls
to protect information assets long enough for
an organization to detect that an attack is
occurring and to take timely steps to thwart the
attack before any information is lost or
compromised. The time-based model of
information security can be expressed in the
following formula:
P >D + R, where
P = the time it takes an attacker to break
through the various controls that protect the
organization’s information assets
D =the time it takes for the organization to
detect that an attack is in progress
R =the time it takes to respond to and stop the
attack If the equation is satisfied (i.e., if P > D +
R is true), then the organization’s information
security procedures are effective. Otherwise,
security is ineffective.
Organizations attempt to satisfy the objective of
the time-based model of security by employing
the strategy of defense-in-depth, which entails
using multiple layers of controls in order to
avoid having a single point of failure. Defense-
in-depth recognizes that although no control
can be 100% effective, the use of overlapping,
complementary, and redundant controls
increases overall effectiveness because if one
control fails or gets circumvented, another may
succeed.
The time-based model of security provides a
means for management to identify the most
cost-effective approach to improving security by
comparing the effects of additional investments
in preventive, detective, or corrective controls.
For example, management may be considering
the investment of an additional $100,000 to
enhance security. One option might be the
purchase of a new firewall that would increase
the value of P by 10 minutes.
A second option might be to upgrade the
organization’s intrusion detection system in a
manner that would decrease the value of D by
12 minutes. A third option might be to invest in
new methods for responding to information
security incidents so as to decrease the value of
R by 30 minutes. In this example, the most cost-
effective choice would be to invest in additional
corrective controls that enable the organization
to respond to attacks more quickly.
Although the time-based model of security
provides a sound theoretical basis for
evaluating and managing an organization’s
information security practices, it should not be
viewed as a precise mathematical formula. One
problem is that it is hard, if not impossible, to
derive accurate, reliable measures of the
parameters P, D, and R. In addition, even when
those parameter values can be reliably
calculated, new IT developments can quickly
diminish their validity.
Understanding Targeted Attacks
1. Conduct reconnaissance-Bank robbers
usually do not just drive up to a bank
and attempt to rob it. Instead, they first
study their target’s physical layout to
learn about the controls it has in place
(alarms, number of guards, placement
of cameras, etc.). Similarly, computer
attackers begin by collecting
information about their target. Perusing
an organization’s financial statements,
Securities and Exchange Commission
(SEC) filings, website, and press releases
can yield much valuable information.
The objective of this initial
 Reconnaissance is to learn as much as
possible about the target and to
identify potential vulnerabilities.
2. Attempt social engineering

3. Scan and map the target- If an attacker

cannot successfully penetrate the
target system via social engineering, the
next step is to conduct more detailed
reconnaissance to identify potential
points of remote entry. The attacker
uses a variety of automated tools to
identify computers that can be
remotely accessed and the types of
software they are running.

4. Research-Once the attacker has

identified specific targets and knows
what versions of software are running
on them, the next step is to conduct
research to find known vulnerabilities
for those programs and learn how to
take advantage of those vulnerabilities.
5. Execute the attack- The criminal takes
advantage of a vulnerability to obtain
unauthorized access to the target’s
information system.
6. Cover tracks- After penetrating the
victim’s information system, most
attackers attempt to cover their tracks
and create “back doors” that they can
use to obtain access if their initial attack
is discovered and controls are
implemented to block that method of
entry.