013255271X PPT 08


Chapter 8

Information Systems Controls for System Reliability Part 1: Information Security


8-1
Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall

Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.


8-2

AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control


8-3

Information for Management Should Be:

Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.


8-4

COBIT Framework

Information Criteria


8-5

COBIT Cycle
Management develops plans to organize information resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.

Management ensures that the resulting system actually delivers the desired information.
Management monitors and evaluates system performance against the established criteria.

The cycle repeats continually, as management modifies existing plans and procedures or develops new ones in response to changes in business objectives and new developments in information technology.


8-6

COBIT Controls
210 control objectives for ensuring information integrity
A subset is relevant for external auditors: IT Control Objectives for Sarbanes-Oxley, 2nd Edition

AICPA and CICA information systems controls (the Trust Services Framework)
Controls for system and financial statement reliability


8-7

Trust Services Framework


Security
Access to the system and its data is controlled and restricted to legitimate users.

Confidentiality
Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.

Privacy
Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.

Processing Integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Availability
The system and its information are available to meet operational and contractual obligations.


8-8

Trust Services Framework


8-9

Security / Systems Reliability

Security is the foundation of the Trust Services Framework.
Security is a management issue, not just a technology issue.
SOX Section 302 requires the CEO and the CFO to certify that the financial statements fairly present the results of the company's activities. The accuracy of an organization's financial statements depends upon the reliability of its information systems.

Defense-in-depth and the time-based model of information security
Have multiple, overlapping layers of control, so that the failure of any single control does not leave the system unprotected.


8-10

Management's Role in IS Security

Create a security-aware culture
Inventory and value company information resources
Assess risk, select risk response
Develop and communicate security plans, policies, and procedures
Acquire and deploy IT security resources
Monitor and evaluate effectiveness


8-11

Time-Based Model
Combines preventive, detective, and corrective controls
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack and contain it
For an effective information security system: P > D + C
If detection plus response takes longer than the preventive controls hold out, the attacker succeeds before the organization can stop the attack.


8-12

Steps in an IS System Attack


8-13

Mitigate Risk of Attack

Preventive controls
Detective controls
Corrective controls


8-14

Preventive Controls
Training
User access controls (authentication and authorization)
Physical access controls (locks, guards, etc.)
Network access controls (firewalls, intrusion prevention systems, etc.)
Device and software hardening controls (configuration options)


8-15

Authentication vs. Authorization

Authentication verifies who a person is, based on:
1. Something the person knows (e.g., a password)
2. Something the person has (e.g., a token or smart card)
3. Some biometric characteristic (e.g., a fingerprint)
4. A combination of two or more of these (multifactor authentication)

Authorization determines what an authenticated person is allowed to access or do
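The distinction above is easiest to see in code. The following is an added example, not from the original slides: it authenticates with two factors, something the user knows (a salted PBKDF2 password hash) and something the user has (a TOTP authenticator, RFC 6238), and only then consults a separate role-to-permission table for authorization. The user names, roles, permission strings and the in-memory user store are constructed for illustration; the TOTP secret used in the usage section is the RFC 4226/6238 test-vector key, so the codes it produces can be checked against the RFCs.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256


# --- Factor 1: something the person knows (password) -------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only the salt and hash are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison


# --- Factor 2: something the person has (TOTP authenticator, RFC 6238) -------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


# --- Authorization: what an authenticated user may do ------------------------
# Constructed role/permission table (illustrative, not from the original slides).
PERMISSIONS = {
    "clerk":   {"ar:read", "ar:post"},
    "auditor": {"ar:read", "gl:read"},
    "admin":   {"ar:read", "ar:post", "gl:read", "gl:post", "users:manage"},
}


def authorize(role: str, action: str) -> bool:
    return action in PERMISSIONS.get(role, set())


USERS = {}  # constructed in-memory user store: username -> credential record


def enroll(username: str, password: str, totp_secret: bytes, role: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "totp": totp_secret, "role": role}


def authenticate(username: str, password: str, code: str, unix_time: int) -> Optional[str]:
    """Return the user's role if both factors check out, else None."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same work for unknown users, so timing does not leak valid names
        return None
    if not verify_password(password, user["salt"], user["hash"]):
        return None
    if not verify_totp(user["totp"], code, unix_time):
        return None
    return user["role"]


def request(username: str, password: str, code: str, action: str, unix_time: int) -> str:
    """Authentication first (who are you?), then authorization (may you do this?)."""
    role = authenticate(username, password, code, unix_time)
    if role is None:
        return "denied: authentication failed"
    if not authorize(role, action):
        return f"denied: role '{role}' is not authorized for {action}"
    return "allowed"


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 4226 / RFC 6238 test-vector key
    enroll("alice", "correct horse battery staple", rfc_secret, "clerk")
    print(request("alice", "correct horse battery staple", totp(rfc_secret, 59), "ar:post", 59))
    print(request("alice", "correct horse battery staple", totp(rfc_secret, 59), "gl:read", 59))
```

Note that a correct password and a correct one-time code get the clerk into the system but still do not let her read the general ledger: the two questions are answered by two separate mechanisms, and a bug in one should not silently grant the other.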


8-16

Network Access Control (Perimeter Defense)

Border router
Connects an organization's information system to the Internet

Firewall
Software or hardware used to filter traffic between networks according to a set of rules

Demilitarized Zone (DMZ)
Separate network segment that permits controlled access from the Internet to selected resources while keeping the internal network isolated

Intrusion Prevention System (IPS)
Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks
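What "controlled access to selected resources" means in practice is a default-deny rule set in which every permitted flow between zones is spelled out. The following is an added example written for this page, not the original's code or any vendor's configuration syntax: a small policy evaluator that classifies addresses into an Internet, DMZ and internal zone and applies first-match rules. The address plan (RFC 5737 documentation ranges, 10.0.0.0/8 for the internal network), the host roles and the port numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed address plan (assumption, not from the original slides).
ZONES = {
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),  # public-facing servers
    "internal": ipaddress.ip_network("10.0.0.0/8"),    # workstations and databases
}
WEB_SERVER = "192.0.2.10"  # the one DMZ host allowed to reach the database


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything not in a known zone is untrusted


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]                    # None means any port
    action: str                                # "allow" or "deny"
    note: str
    src_hosts: FrozenSet[str] = frozenset()    # empty means any host in src_zone


# First match wins; a flow that matches no rule is dropped (default deny).
POLICY = [
    Rule("internet", "dmz", 443, "allow", "public web front end"),
    Rule("dmz", "internal", 5432, "allow", "web tier to database only", frozenset({WEB_SERVER})),
    Rule("internal", "dmz", 22, "allow", "administrators manage DMZ hosts"),
    Rule("internal", "internet", 443, "allow", "outbound HTTPS for staff"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow crossing the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone != src or rule.dst_zone != dst:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.src_hosts and src_ip not in rule.src_hosts:
            continue
        return rule.action, rule.note
    return "deny", "default deny: no rule permits this flow"


if __name__ == "__main__":
    for flow in [("203.0.113.5", WEB_SERVER, 443),   # Internet -> DMZ web: allowed
                 ("203.0.113.5", "10.1.2.3", 5432),  # Internet -> internal DB: denied
                 (WEB_SERVER, "10.1.2.3", 5432),     # web server -> DB: allowed
                 ("192.0.2.11", "10.1.2.3", 5432),   # other DMZ host -> DB: denied
                 (WEB_SERVER, "10.1.2.3", 22)]:      # web server -> internal SSH: denied
        print(flow, "->", evaluate(*flow))
```

The point of the DMZ shows in the last three flows: even if the public web server is compromised, the attacker's onward path into the internal network is limited to the single database port that the application genuinely needs, and a second compromised DMZ host gets nothing at all.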


8-17

Internet Information Protocols


8-18

Device and Software Hardening (Internal Defense)

End-Point Configuration
Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations

User Account Management

Software Design
Programmers must be trained to treat all input from external users as untrustworthy and to validate it carefully before acting on it.
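The classic failure of the rule above is SQL injection, so here is an added example (not the original's code) showing the unsafe pattern beside two hardening layers: a parameterized query, which keeps user input out of the SQL text entirely, and an allow-list validation step in front of it. The customer table, account-id format and sample rows are constructed for illustration.

```python
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, float]


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not from the original slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (acct TEXT PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("A100", "Alice", 120.50), ("B200", "Bob", 75.00), ("C300", "Carol", 3100.00)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> List[Row]:
    """BROKEN ON PURPOSE: the user-supplied value is pasted into the SQL text,
    so a value such as  ' OR '1'='1  changes the meaning of the WHERE clause."""
    sql = f"SELECT acct, name, balance FROM customers WHERE acct = '{acct}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> List[Row]:
    """Layer 1: bind the value as a parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT acct, name, balance FROM customers WHERE acct = ?", (acct,)
    ).fetchall()


ACCT_PATTERN = re.compile(r"[A-Z][0-9]{3}")  # assumed account-id format: one letter, three digits


def validate_acct(acct: str) -> str:
    """Layer 2: allow-list check; anything outside the expected shape is rejected outright."""
    if not isinstance(acct, str) or ACCT_PATTERN.fullmatch(acct) is None:
        raise ValueError(f"invalid account id: {acct!r}")
    return acct


def lookup_safe(conn: sqlite3.Connection, acct: str) -> List[Row]:
    """Validate first, then bind: two independent controls, so one mistake is not fatal."""
    return lookup_parameterized(conn, validate_acct(acct))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no such account: []
    try:
        lookup_safe(db, payload)
    except ValueError as exc:
        print("safe:", exc)
```

Running it shows the concatenated query returning all three customers for the hostile input, the parameterized query returning nothing, and the validated path refusing the input before the database is even consulted. Parameterization alone would be enough to stop this injection; the allow-list is the second layer the slide's defense-in-depth argument calls for, and it also catches malformed but non-malicious input early.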


8-19

Detective Controls
Log Analysis
Process of examining logs to identify evidence of possible attacks

Intrusion Detection Systems (IDS)
Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions

Managerial Reports
Security Testing
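Log analysis becomes a detective control only when someone writes down what "evidence of a possible attack" looks like and checks for it. The following is an added example, not from the original slides: a detector run over constructed SSH authentication log lines (RFC 5737 documentation addresses, invented host and user names). It raises an alert when one source address accumulates five failed logins inside a sliding 60-second window, raises a second alert if that address later logs in successfully, and reports how long the first alert took after the first hostile event, which is the D term of the time-based model on slide 8-12.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample log (not from the original slides). One noisy attacker at
# 203.0.113.7, one legitimate user at 198.51.100.4 who mistypes once.
SAMPLE_LOG = """
2024-03-04T09:14:58Z gw01 kernel: eth0 link up
2024-03-04T09:15:02Z ar-app sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:15:05Z ar-app sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:15:09Z ar-app sshd: Failed password for root from 203.0.113.7
2024-03-04T09:15:11Z ar-app sshd: Failed password for jsmith from 198.51.100.4
2024-03-04T09:15:14Z ar-app sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:15:19Z ar-app sshd: Accepted password for jsmith from 198.51.100.4
2024-03-04T09:15:20Z ar-app sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:15:27Z ar-app sshd: Failed password for admin from 203.0.113.7
2024-03-04T09:15:40Z ar-app sshd: Accepted password for admin from 203.0.113.7
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line: str) -> Optional[Dict]:
    """Return an event dict for sshd auth lines; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert once when an IP reaches `threshold` failures inside a sliding window,
    and again if that IP later authenticates successfully (likely compromised account)."""
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts: List[Dict] = []
    for ev in filter(None, map(parse, lines)):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
                q.popleft()  # discard failures that have aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "user": ev["user"],
                               "first_seen": q[0], "detected": ev["ts"], "failures": len(q)})
        elif ip in flagged:
            alerts.append({"type": "login_after_brute_force", "ip": ip, "user": ev["user"],
                           "first_seen": None, "detected": ev["ts"], "failures": 0})
    return alerts


def detection_latency(alert: Dict) -> Optional[timedelta]:
    """D in the time-based model: elapsed time from the first hostile event to the alert."""
    if alert["first_seen"] is None:
        return None
    return alert["detected"] - alert["first_seen"]


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a["detected"].isoformat(), a["type"], a["ip"], a["user"],
              "D =", detection_latency(a))
```

On the sample data the brute-force alert fires at 09:15:20, eighteen seconds after the first failure, and the successful "admin" login at 09:15:40 is flagged as a probable compromise rather than a routine event. The legitimate user who mistyped once never reaches the threshold. Tuning the threshold and window is the usual trade-off between missed attacks and false alarms, and the fully-automatic follow-on (blocking the address) would belong to the intrusion prevention system, not the detective control.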


8-20

Corrective Controls
Computer Incident Response Team (CIRT)
Chief Information Security Officer (CISO)
Independent responsibility for information security assigned to someone at an appropriate senior level

Patch Management
Fix known vulnerabilities by installing the latest updates to:
Security programs
Operating systems
Application programs


8-21

Computer Incident Response Team

Recognize that a problem exists
Containment of the problem
Recovery
Follow-up


8-22

New Considerations
Virtualization
Multiple systems are run on one computer

Risks
Increased exposure if a breach occurs
Reduced authentication standards
Opportunities
Implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein
8-23

Cloud Computing
Remotely accessed resources:
Software applications
Data storage
Hardware

