
IS Control

ch.3 - part ii
Please note: These notes are meant for presentation purposes only; they are compact and summarised.
Students are requested to study from the JKSC notes or module in parallel with these for best results.

Your coach N guide

- Abhishek Mehta
Policies, Procedures, Practices and Organisational Structures designed to provide reasonable assurance that Business Objectives will be achieved and any undesired events are Prevented, Detected and Corrected (P,D&C).
Classification of control
OBJECTIVE (purpose): Preventive, Detective, Corrective
IS RESOURCES: Physical A.C, Logical A.C, Environmental A.C
IS FUNCTION: Managerial, Application
DETECT
EOM
elude pc
Bypassed away
REPORT
char
1 understand lawful activities
2 report unlawful
3 interact with pc & prevent reoccurrence
4 Surprise check by supervisor
#1
ENVIRONMENTAL CONTROL
fire
water
electricity ⚡
pollution
Fire
Exposure
waterproof walls, ceiling & floors
adequate drainage
installations on upper floors, not top
Water leakage alarms
Install alarms at strategic points
Electrical Exposures
non availability or spikes/voltage fluctuation
UPS / Generator
Voltage regulators and circuit breaker
In case of emergency
Pollution
major pollutant is dust…caught between surface of hard disk and R/W head.
Prohibition of eating, drinking, smoking within the facility
Others
we must have power lead from two substations


LOGICAL ACCESS CONTROLS
ensure that access to systems, data and programs is restricted to authorized users to safeguard information against unauthorized use, disclosure or modification, damage, or loss.
LOGICAL ACCESS CONTROLS
• user access mgmt
• user responsibility
• network access ctrl
• os access ctrl
• app & monitoring sys access ctrl
1. User access management
User access mgmt: Registration, Privilege, Password, Review
Registration
• user info documented: who, why
• user accepts responsibility
• data owner approval
Privilege
• requirements
• responsibilities
• minimal w.r.t job function
Password
• default
• educate
• screen
• functions: allocate, store, reissue, revoke
Review
• periodic
• need changes
• job profile
• anomalies
• privileges granted
2) User Responsibility
1) Password Use
• Mandatory to maintain confidentiality
2) Unattended user equipments
• equipment under responsibility protected
• secured with passwords
• not leave accessible to others
3) Network access control
Policy on use of network services
• internet service = business needs only
• selection of service & approvals
Network connection & routing control
• restricted n/w traffic
• based on source and access policy
Enforced path
• specify the exact path or route.
• pass through proxy & firewall
[Figure: proxy relaying a request ("what’s the time") to the www and returning the reply ("it’s 9")]
Access Control between network
from both sides
only authorised user
Can be placed within intranet
Company’s Intranet
Segregation of Network (SON)
based on sensitive info
vpn, public
what: process…converts data to secret code
why: for safety of data during transmission or storage in DB
how: using encryption algorithm key we convert clear text to cipher text..decrypted by receiver.
approached using private key and public key
keeps intruder off the net
user enters pwd and on authorisation connection is est.
only authorised terminal or telephones
Policy on use of network services
applicable to internet service requirements based on business need
includes: Selection of appropriate services and approval to access them
Network connection and routing control
The traffic between networks should be restricted, based on identification of source and authentication access policies implemented across the enterprise network facility.
Traffic management
Enforced path
• Based on risk assessment, it is necessary to specify the exact path or route connecting the networks.
e.g. internet access by employees will be routed through a proxy & firewall.
Firewall
System that enforces access control between two networks.
All traffic must pass through the firewall, which will allow only authorized traffic between the organization and the outside to pass through it.
The firewall must be immune to penetration from both sides.
Can be used to insulate portions of the organization’s Intranet from internal access also.
ctrl bet network
only authorised user
from both sides
can be placed within intranet
SON
• Segregation of networks:
Based on the sensitive information handling
function.

eg : VPN
Encryption
what: conversion of data into a secret code
why: for storage in databases and transmission over networks.
how: The sender uses an encryption algorithm with a key to convert the original message called the Clear text into Cipher text. This is decrypted at the receiving end. Two general approaches are used for encryption viz. private key and public key encryption.
Call Back Devices:
to keep the intruder off the network rather than imposing security measure after the criminal has connected to the network.
The call-back device requires the user to enter a password and then the system breaks the connection.
If the caller is authorized, the call back device dials the caller’s number to establish a new connection.
This limits access only from authorized terminals or telephone numbers and prevents an intruder masquerading as a legitimate user.
Network access control
• Policy on use of network services
• Network connection and routing control
• Enforced path
• Firewall
• SON
• Encryption
• Call back devices
III) Operating System access control
OS is computer control program
allows users and their applications to access computer resources, such as processor, main memory, database and printers, etc.
Terminal log-on procedures
• Prevent unauthorized access.
• Validates ID and Password.
• Key security feature
Password management system
STRONG PASSWORD, ONE WAY Hashing ALGORITHM, INACCESSIBLE TO USERS
enforce strong passwords.
Internal storage of password should use one-way hashing algorithms and the password file should not be accessible to users.
• strong pwd
• store: one-way hashed
• password file inaccessible
Limitation of connection time
Define the available time slot.
No transaction beyond this time.
8am-8pm✔
8pm-8am✖
fix slot, no transaction beyond
Access Tokens
[Figure: access token holding ID, user group, password, privileges granted]
creates access token on successful login
contain key information: UserID, password, user group and access rights granted to user.
Used to approve all actions during the session
• On successful login
• Creates token
• contain key info: u_id, pwd, group, privileges
• Approve actions
when is token created
what it contains
Access token + Access control list
[Figure: token (ID, user group, password, access rights, logs) compared with the access control list, which contains access privileges info -> Grant Access]
Use of System Utilities
• manage critical functions of OS
• e.g. +/- Users
• Not accessible to general users
• strictly controlled and logged.
what it controls: critical functions
eg: +/- users
should it be accessible to general users: No
If access granted then control and log
Terminal timeout
⌛ logout if inactive
prevent misuse
Discretionary Access Control
usually sys admin grants access control
but in distributed sys…resources controlled by end-user
End user or resource owner is given DAC
they can grant access privileges to other users
Duress alarm to safeguard user
what if someone threatens to execute an instruction
user under threat, forced to execute
Alert to authorities
what to do if someone threatens: press duress alarm
what will happen? authorities will get alerts
I&A
O.S.A.C
(V) Application and monitoring system access control
1) Information access restriction
R/W
2. Sensitive System Isolation
critical, isolated, monitor, report
• sys with critical constitution
• isolated environment -> pc
• monitoring system access -> dc
• Report unauthorised access
3. Event logging
• Maintain all events log
• Review logging
• archive logs properly.
• All ⇄ requests 🔴 transaction log.
• 🔴 User ID, the time, terminal location
4. Monitor System Use
based on risk assessment…monitoring of critical component is essential
define: accesses, operations, events & alerts
extent of detail
frequency of reviewing
eg: log files reviewing and attention must be given to any gaps in the log file
Clock Synchronisation
which chapter are we studying: information system…provides information for decision making
all logs maintained helps in correlating events & generating reports
important to sync with std time: GMT / IST (GMT+5:30)
Event logs maintained across an enterprise network play a significant role in correlating an event and generating a report on it.
Hence, the need for synchronizing clock time across the network as per a standard time is mandatory.
Application and monitoring
system access control
CONTROLS
WHEN
MOBILE
2) Physical access control
Related to physical security of the tangible resources and intangible resources stored on tangible media
e.g.:
• cctv monitoring
• access ctrl doors
• security guards, etc.
4 PAC:
• lock on doors (Lock)
• physical identification medium (PIM)
• logging on facilities (Logs)
• others
i) locks on door
1) Cipher lock
2) bolting door lock
3) electronic door locks
ii) physical identification medium
1) PIN
2) Plastic card
3) identification badges
iii) logging on facilities
manual logging
electronic logging
(electronic+biometric)
iv) Others
• Perimeter Fencing
• SECURITY GUARDS
• video camera
• CONTROLLED VISITOR ACCESS: an employee hired to escort a visitor
• Bonded personnel: all service contract personnel made to sign a bond
• Controlled single entry point
• Dead man door
• Computer terminal locks: Ensure devices not turned on or disengaged by unauthorised.
• Non-exposure of sensitive facilities
• Control over Out of Hours for Employees
• Secured report/document distribution cart, eg: mail cart: Covered n locked, Always attended
• Alarm system
#3
Based on Information System Function
1 managerial control
2 application control
Managerial controls ensure development, implementation, operation and maintenance of IS in a planned and controlled manner.
Mgmt. Ctrl purpose: D.I.O.M
Top Management Control or IS management control
WHAT do TOP managers do?
Top managers face responsibility for IS, face challenges, ensure IS function correctly and meet the strategic business objectives.
TOP MANAGEMENT CONTROL: PLANNING, ORGANISING, LEADING, CONTROLLING
PLANNING
• determine goal
• means 2 achieve
• steering committee & IT personnel
ORGANISING
• Gather, allocate and coordinate resources to achieve goal as per planning
• document org structures, roles, responsibility, and jd
LEADING
• motivating, guiding & communicating
• (objective harmony)
CONTROLLING
• comparing actuals with planned (did it happen the way I planned or not?)
• if deviates >> apply corrections
1 Planning:
Resource req: s/w dev, acquisition & implementation
2 factors:
• S/w Size
• Uncertainty of user req & supporting technology
2 Design
> systematic
> structured or OO
3 Coding
> module implementation and integration
> documented
4 Testing
• unit
• integration
• whole of program
5 Operation & Maintenance
Implement & monitor operations
3 types (RAP): repair, adaptive, perfective
6 Control
> monitor progress vs plan…deviation corrected
> ctrl to ensure accurate & complete
PERT, WBS, GANTT CHART
PLANNING, DESIGN, CODING, TESTING, OP & MAINTENANCE, CONTROL
System Development Management Control
• Problem definition and feasibility assessment
• Analysis of existing system
• Info processing and system design
• Hardware and software acquisition & procedure development
• Acceptance Testing & conversion
• Operation and maintenance
Hardware El Software
DRMC
5 Security Management Control
IS Assets: H/w, Sys s/w, App s/w, Data, Personnel, Facility, Doc
Assets are secure when the expected losses that will occur over some time are at an acceptable level.
• Physical ctrl
• Logical access ctrl
• Environmental ctrl
DISASTER
business continuity to recover operations & mitigate losses
Disaster Recovery Plan & insurance
6 Operation Mgmt Ctrl
Computer Operations
Data preparation and entry
• directly
• indirectly
• need speed N accuracy
Documentation and Program Library
DOCUMENTATION: PP, JD, SOD
LIBRARIAN: STORED, SECURED, UP-TO DATE, ADEQUATE B.U
Doc > Librarians
- stored securely
- kept up-to-date
- and backup
DOC: includes PP, SOD, JD, Responsibility & authority of each function of org
File Library: organising machine-readable storage media like magnetic tapes, cartridges, and optical disks.
Network Operations
CAPACITY PLANNING and performance Monitoring
• Monitoring PERFORMANCE
• IDENTIFY RESOURCE DEFICIENCY
• MAKE RESOURCE AVAILABLE
HELPDESK / TECHNICAL SUPPORT
• PROVIDE TECHNICAL ASSISTANCE
• ASSIST END USER
MANAGEMENT OF OUTSOURCED OPERATIONS
PRODUCTION CONTROL
basically all production jargons…
• Receipt n dispatch of input and output
• JOB SCHEDULING
• Managing SLA
• transfer pricing
• acquisition of computer consumables
OMC
• Computer operation
• Network operation
• Data prep & Entry
• Production control
• File library
• Doc Librarian
• Capacity planning
• Helpdesk
• Mgmt of Outsourced Ops
Quality Assurance management is concerned with ensuring that the –
♦ Information produced by the information systems function achieve certain quality goals; and
♦ Development, implementation, operation and maintenance of Information systems comply with a set of quality standards.

Quality Assurance (QA) personnel should work to improve the quality of information systems produced, implemented, operated, and maintained in an organization. They perform a monitoring role for management to ensure that –
♦ Quality goals are established and understood clearly by all stakeholders; and
♦ Compliance occurs with the standards that are in place to attain quality information systems.
Best industrial practices incorporated

Quality Assurance Mgmt Control
Info produced >> Quality Goal
DIOM >>> Std
Quality assurance (QA) Personnel:
• quality goals are set n understood by stakeholders
• Comply to stds
• Best industrial practices incorporated
Application Controls
1. boundary control
2. input control
3. process control
4. output control
5. Db control
6. communication control
1.boundary control
🚪
PIN
Digital Signatures:
Establishing the authenticity of persons and preventing the denial of message or contracts are critical requirements when data is exchanged in electronic form.
A counterpart known as Digital Signature (a string of 0’s and 1’s) is used as an analog signature for such e-documents.
Digital Signatures are not constant like analog signatures – they vary across messages and cannot be forged.
Cryptography
Plain text
Cipher text
3 ways
>transposition
>substitution
>product cipher
transposition
1234>>> 2143

substitution
1234>>>abcd

product cipher
1234>>>badc
Accounting audit trail…boundary control
All material application-oriented events occurring within the boundary subsystem should be recorded
that may include the data related to
• identity of the would-be user of system;
• authentication information supplied;
• resources requested/provided or denied;
• terminal Identifier
• Start/Finish Time
• number of Sign-on attempts &
• Action privileges allowed/denied.
Operations Audit trail
resource usage from log-on to log-out time and log of resource consumption.
substantial time spent; human intervention; fraud; error
SOURCE DOC CONTROL
use physical source doc for txn.
fraud to remove assets
Input Controls:
input data must be validated for authorization, reasonableness, accuracy, completeness, and integrity.
DATA CODE CONTROL
Reduces errors during data feed
4 types
transcription
1. addition: 12345 -> 712345
2. truncation: ✂12345 -> 2345
3. substitution: 12345 -> 92345
transposition
⇌12345 -> 21345
BATCH CONTROL
grouping related transaction
B.control: prevent or detect errors
1. financial total
2. hash total
3. doc or record counts
VALIDATION CONTROL
Detect err b4 processing
1. Field Check
• examine the type of characters
• picture check
• limit check
• valid code check
2. Record Check
• reasonableness check
• sequence check
• sign check
3. File Check
• version
• labelling i/e
• data file sec
• data file updation & maintenance
Batch check
• Transaction type
• Sequence check
Input Control
• SOURCE DOC CONTROL: use physical source doc for txn.; fraud to remove assets
• DATA CODE CONTROL: transcription (1. addition 12345 > 712345, 2. truncation ✂12345 > 2345, 3. substitution 12345 > 92345); transposition ⇌12345 > 21345
• BATCH CONTROL: grouping related transaction; prevent or detect errors; 1. financial total, 2. hash total, 3. doc/record counts
• VALIDATION CONTROL: detect err b4 processing; 1. Field Check (examine characters, pic/lim/valid code check); 2. Record Check (reasonable/seq/sign); 3. File Check (ver/lab/sec/updating.maintenance); Batch check (Transaction type, Sequence check)
III Communication Control
• Physical Component Ctrl
• Line Error Ctrl
• Flow Ctrl
• Link Ctrl
• Channel Access Ctrl
• Ctrl over subversive threat
• Internetworking Ctrl
• Topology ctrl
Processing Control
where does processing take place? PROCESSOR
program execution done in: PROCESSOR
where are the program's instructions stored? Real Memory or Virtual Memory
who manages memory resources, application programs etc: O.S
Processor Control
Error Detection & Correction
• malfunction: transient (temp), intermittent (again and again), permanent
Multiple Execution States
• determine number and nature of execution states
• Helps auditor understand where unauthorised access is possible
Timing control
• OS may get stuck in infinite loop, utilising processor, making it unavailable for other programs
Component Replication
• processor failure…loss
• important to have redundant processors
2.Real memory Control
what: primary storage in which data/prog reside
controls:
• det n correct err
• also protect areas assigned to a particular prog from illegal access of other prog
3) Virtual Memory Control
• when real memory is insufficient for a task
• mechanism that maps real mem to virtual memory addresses
Some people wish to see you fail,
Disappoint them
https://tinyurl.com/eischap3part2
https://tinyurl.com/tallysod
