Chapter 8

Information Systems Controls for System Reliability
Part 1: Information Security

Agoestina M - 126202001
Ahmad Sanusi - 126202002
Akhmad Gojali - 126202003
Leny Marlina - 126202023
Lilies Suphany - 126202024
Irianti Pudji L - 126202021

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-1
Learning Objectives

• Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.
• Explain the factors that influence information systems reliability.
• Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

8-2
AIS Controls

• COSO and COSO-ERM address general internal control
• COBIT addresses information technology internal control

8-3
Information for Management Should Be:

• Effectiveness
  - Information must be relevant and timely.
• Efficiency
  - Information must be produced in a cost-effective manner.
• Confidentiality
  - Sensitive information must be protected from unauthorized disclosure.
• Integrity
  - Information must be accurate, complete, and valid.
• Availability
  - Information must be available whenever needed.
• Compliance
  - Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
• Reliability
  - Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

8-4
COBIT Framework

[Figure: the four COBIT domains arranged in a cycle around the Information Criteria: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate]

8-5
COBIT Cycle

• Management develops plans to organize information resources to provide the information it needs.
• Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
• Management ensures that the resulting system actually delivers the desired information.
• Management monitors and evaluates system performance against the established criteria.
• The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

8-6
COBIT Controls

• 210 controls for ensuring information integrity
  - A subset is relevant for external auditors
  - IT control objectives for Sarbanes-Oxley, 2nd Edition
• AICPA and CICA information systems controls
  - Controls for system and financial statement reliability

8-7
Trust Services Framework

• Security
  - Access to the system and its data is controlled and restricted to legitimate users.
• Confidentiality
  - Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
• Privacy
  - Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
• Processing Integrity
  - Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
  - The system and its information are available to meet operational and contractual obligations.

8-8
Trust Services Framework

8-9
Security / Systems Reliability

• Foundation of the Trust Services Framework
• A management issue, not a technology issue
  - SOX 302 states:
    - The CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.
    - The accuracy of an organization’s financial statements depends upon the reliability of its information systems.
• Defense-in-depth and the time-based model of information security
  - Have multiple layers of control

8-10
Management’s Role in IS Security

• Create a security-aware culture
• Inventory and value company information resources
• Assess risk, select risk response
• Develop and communicate security plans, policies, and procedures
• Acquire and deploy IT security resources
• Monitor and evaluate effectiveness

8-11
Time-Based Model

• Combination of detective and corrective controls
  - P = the time it takes an attacker to break through the organization’s preventive controls
  - D = the time it takes to detect that an attack is in progress
  - C = the time it takes to respond to the attack
• For an effective information security system:
  - P > D + C

8-12
Steps in an IS System Attack

[Figure: cycle of attack stages: conduct reconnaissance, attempt social engineering, scan & map the target, research, execute the attack, cover tracks]

8-13
Mitigate Risk of Attack

• Preventive Control
• Detective Control
• Corrective Control

8-14
Preventive Control

• Training
• User access controls (authentication and authorization)
• Physical access controls (locks, guards, etc.)
• Network access controls (firewalls, intrusion prevention systems, etc.)
• Device and software hardening controls (configuration options)

8-15
Authentication vs. Authorization

• Authentication: verifies who a person is
  1. Something the person knows
  2. Something the person has
  3. Some biometric characteristic
  4. A combination of all three
• Authorization: determines what a person can access

8-16
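The following is an added illustration of the distinction on this slide, not code from the textbook or the presentation. It authenticates a user with two of the listed factors, something known (a password stored as a salted PBKDF2 hash) and something possessed (a one-time code from an HOTP token as specified in RFC 4226), and only then asks the separate authorization question of whether the user's role permits the requested action. The user record, the password, the token secret (the RFC 4226 test secret) and the role-to-permission table are all constructed sample data.

```python
"""Authentication (who you are) versus authorization (what you may do).

Added example, not from the slides. Two factors are checked: something the
user knows (password) and something the user has (HOTP token code). Only an
authenticated user is then checked against the role permission table.
All users, secrets and roles are constructed for the illustration.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# --- factor 1: something the person knows ---------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)      # constant-time comparison

# --- factor 2: something the person has (HOTP, RFC 4226) ------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_hotp(secret: bytes, counter: int, code: str, window: int = 2) -> Optional[int]:
    """Return the counter that matched (so the server can move past it), else None."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None

# --- constructed user store and role table --------------------------------
SEED_SALT, SEED_HASH = hash_password("correct horse battery staple", b"\x01" * 16)
USERS = {
    "alice": {"salt": SEED_SALT, "pw_hash": SEED_HASH,
              "hotp_secret": b"12345678901234567890",  # RFC 4226 test secret
              "hotp_counter": 0, "role": "accounts_payable"},
}
PERMISSIONS = {
    "accounts_payable": {"invoice:view", "invoice:create"},
    "controller": {"invoice:view", "invoice:create", "invoice:approve"},
}

def authenticate(username: str, password: str, otp: str) -> bool:
    """Both factors must pass; a used token code is never accepted again."""
    user = USERS.get(username)
    if user is None or not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    matched = verify_hotp(user["hotp_secret"], user["hotp_counter"], otp)
    if matched is None:
        return False
    user["hotp_counter"] = matched + 1                  # prevents replay of the code
    return True

def authorize(username: str, action: str) -> bool:
    """Separate question for an already authenticated user: may this role do this?"""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())

if __name__ == "__main__":
    code = hotp(b"12345678901234567890", 0)          # what alice's token would display
    print("authenticated:", authenticate("alice", "correct horse battery staple", code))
    print("may create invoice:", authorize("alice", "invoice:create"))
    print("may approve invoice:", authorize("alice", "invoice:approve"))
```

The point to notice is that `authorize` never looks at the password or token: identity is settled first, and what that identity may do is a second, independent decision driven by the role table.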
Network Access Control
(Perimeter Defense)

• Border router
  - Connects an organization’s information system to the Internet
• Firewall
  - Software or hardware used to filter information
• Demilitarized Zone (DMZ)
  - Separate network that permits controlled access from the Internet to selected resources
• Intrusion Prevention Systems (IPS)
  - Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

8-17
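As an added example of the perimeter layout this slide describes (not material from the textbook or the presentation), the following first-match packet filter encodes one possible DMZ policy: the Internet may reach only selected DMZ services, only the web server may reach the internal database, and anything else that is not explicitly allowed is dropped. The address ranges, hosts and ports are constructed (documentation ranges, not real systems).

```python
"""Perimeter defense: a first-match packet filter for a border router and DMZ.

Added illustration, not the slides' own material. Rule order matters: the
specific allows come first, then the broad denies, then a default deny.
Addresses are constructed documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")            # constructed DMZ range (TEST-NET-1)
INTERNAL = ip_network("10.0.0.0/8")
WEB_SERVER = ip_network("192.0.2.10/32")
DB_SERVER = ip_network("10.1.1.20/32")

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: object             # ip_network
    dst: object             # ip_network
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None = any port
    note: str

RULES = [
    Rule("allow", INTERNET, WEB_SERVER, "tcp", 443, "public HTTPS into DMZ"),
    Rule("allow", INTERNET, DMZ, "tcp", 25, "inbound mail into DMZ"),
    Rule("allow", WEB_SERVER, DB_SERVER, "tcp", 5432, "web tier to database only"),
    Rule("deny", DMZ, INTERNAL, "any", None, "DMZ may not roam the internal net"),
    Rule("deny", INTERNET, INTERNAL, "any", None, "no direct Internet to internal"),
]
DEFAULT_ACTION = "deny"     # anything not explicitly allowed is dropped

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def filter_packet(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """First matching rule wins; fall through to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return DEFAULT_ACTION, "default deny"

if __name__ == "__main__":
    for pkt in [Packet("198.51.100.7", "192.0.2.10", "tcp", 443),   # Internet -> web
                Packet("198.51.100.7", "192.0.2.10", "tcp", 22),    # Internet -> web ssh
                Packet("198.51.100.7", "10.1.1.20", "tcp", 5432),   # Internet -> database
                Packet("192.0.2.10", "10.1.1.20", "tcp", 5432),     # web -> database
                Packet("192.0.2.50", "10.1.1.20", "tcp", 5432)]:    # other DMZ host -> db
        print(pkt.src, "->", pkt.dst, pkt.dport, filter_packet(pkt))
```

Notice that the "other DMZ host to database" packet is denied even though the DMZ is a trusted-ish zone: a compromised DMZ machine should not inherit the web server's path to internal data, which is what the controlled-access idea on the slide means in practice.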
Internet Information Protocols

8-18
Device and Software Hardening
(Internal Defense)

• End-Point Configuration
  - Disable unnecessary features that may be vulnerable to attack on:
    - Servers, printers, workstations
• User Account Management
• Software Design
  - Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

8-19
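The software-design point above, shown as an added example that is not from the textbook or the presentation: a request handler for a constructed "look up invoice" operation receives every field from an external user as a string, checks each one against an explicit description of what a legitimate value looks like, rejects fields it did not expect, and only then touches the database, using a bound parameter so the value can never be read as SQL. The invoice table and its rows are constructed sample data.

```python
"""Treat every external input as untrusted: validate, then act.

Added example, not code from the slides. The in-memory SQLite table is
constructed sample data; the id format "INV-" + six digits is assumed.
"""
import re
import sqlite3
from typing import Dict, Optional

INVOICE_ID_RE = re.compile(r"INV-[0-9]{6}")    # exactly the shape our ids have (assumed)
MAX_NOTE_LEN = 200

class ValidationError(ValueError):
    pass

def validate_invoice_request(raw: Dict[str, str]) -> Dict[str, object]:
    """Return a cleaned request or raise ValidationError. Never trusts `raw`."""
    allowed = {"invoice_id", "amount", "note"}
    unknown = set(raw) - allowed
    if unknown:                                  # reject, do not silently ignore
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")

    invoice_id = raw.get("invoice_id", "")
    if not isinstance(invoice_id, str) or not INVOICE_ID_RE.fullmatch(invoice_id):
        raise ValidationError("invoice_id has wrong format")

    try:
        amount_cents = int(raw.get("amount", ""))   # integer cents only
    except (TypeError, ValueError):
        raise ValidationError("amount must be an integer number of cents") from None
    if not 0 < amount_cents <= 10_000_000:           # business-rule bound (assumed)
        raise ValidationError("amount out of range")

    note = raw.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN or not note.isprintable():
        raise ValidationError("note too long or contains control characters")

    return {"invoice_id": invoice_id, "amount_cents": amount_cents, "note": note}

def rejects(raw: Dict[str, str]) -> bool:
    """True if the validator refuses this request (handy for checks and tests)."""
    try:
        validate_invoice_request(raw)
        return False
    except ValidationError:
        return True

def build_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id TEXT PRIMARY KEY, amount_cents INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?)",
                     [("INV-000001", 12500), ("INV-000002", 990000)])
    return conn

def lookup_invoice(conn: sqlite3.Connection, raw: Dict[str, str]) -> Optional[int]:
    """Validate first; then query with a bound parameter, never string concatenation."""
    clean = validate_invoice_request(raw)
    row = conn.execute("SELECT amount_cents FROM invoices WHERE id = ?",
                       (clean["invoice_id"],)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    print(lookup_invoice(db, {"invoice_id": "INV-000001", "amount": "12500", "note": "paid"}))
    print(rejects({"invoice_id": "INV-000001' OR '1'='1", "amount": "1", "note": ""}))
```

Two habits are worth copying: the validator describes what is allowed rather than searching for what is forbidden, and the parameterised query means a value that somehow survives validation is still data, not code.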
Detective Controls

• Log Analysis
  - Process of examining logs to identify evidence of possible attacks
  - Analyze logs of failed attempts to log on to a system and failed attempts to obtain access to specific information resources
  - Logs need to be analyzed regularly to detect problems in a timely manner
  - Log analysis requires human judgement to interpret and identify situations that are not “normal”

8-20
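As an added example of the two checks this slide names (not code from the textbook or presentation), the script below runs over constructed authentication and access log lines and reports bursts of failed logons from one source and repeated denials on one information resource. The log format, thresholds and window are assumptions; the output is a list of findings for a person to judge, in keeping with the last bullet.

```python
"""Log analysis as a detective control.

Added example, not part of the slides. Log lines, format and thresholds
are constructed/assumed. Findings are for a human to interpret.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Constructed sample log: failed/successful logons and resource access decisions.
SAMPLE_LOG = """\
2024-03-04T08:01:12 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:01:15 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:01:19 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:01:22 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:01:27 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:01:31 auth OK user=jsmith src=203.0.113.5
2024-03-04T08:02:03 auth FAIL user=lmarlina src=198.51.100.9
2024-03-04T08:40:00 auth OK user=lmarlina src=198.51.100.9
2024-03-04T08:41:10 access DENY user=jsmith resource=/payroll/export
2024-03-04T08:41:12 access DENY user=jsmith resource=/payroll/export
2024-03-04T08:41:15 access DENY user=jsmith resource=/payroll/export
2024-03-04T09:00:00 access OK user=lmarlina resource=/ap/invoices
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|access) (?P<result>\S+) (?P<kv>.*)$")

def parse(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed lines are skipped, not trusted
        ev = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"], "result": m["result"]}
        ev.update(kv.split("=", 1) for kv in m["kv"].split())
        events.append(ev)
    return events

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)) -> List[str]:
    """Flag a source with >= threshold failed logons inside the window; note a later success."""
    findings = []
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth":
            by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails)):
            last = i + threshold - 1
            if last < len(fails) and fails[last] - fails[i] <= window:
                later_ok = any(e["result"] == "OK" and e["ts"] >= fails[last] for e in evs)
                findings.append(f"{src}: {threshold}+ failed logons within {window}"
                                + (" followed by a successful logon" if later_ok else ""))
                break                     # one finding per source is enough for a human
    return findings

def denied_resource_access(events, threshold=3) -> List[str]:
    """Flag a user repeatedly denied on the same information resource."""
    counts = defaultdict(int)
    for ev in events:
        if ev["kind"] == "access" and ev["result"] == "DENY":
            counts[(ev["user"], ev["resource"])] += 1
    return [f"{user}: {n} denied attempts on {res}"
            for (user, res), n in counts.items() if n >= threshold]

def analyze(text: str) -> List[str]:
    events = parse(text)
    return failed_logon_bursts(events) + denied_resource_access(events)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("FINDING:", finding)
```

A single failed logon (lmarlina) produces nothing, while five failures followed by a success is exactly the pattern that needs a person to decide whether it was a forgetful user or a guessed password; the script surfaces it but does not decide.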
Detective Controls

• Intrusion Detection
  - Consists of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
  - Intrusion detection can be installed on a specific device to monitor unauthorized attempts to change the device’s configuration
  - Produces warning alerts when it detects a suspicious pattern of network traffic

8-21
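The device-level form of intrusion detection mentioned above, as an added example that is not from the textbook or the presentation: a baseline of SHA-256 hashes is taken over a device's configuration files, a later scan is compared with it, and every modified, added or removed file becomes an alert. The configuration directory, file names and contents are constructed in a temporary directory so the example runs anywhere.

```python
"""Host-based intrusion detection: unauthorized configuration changes.

Added example, not part of the slides. Files and their contents are
constructed in a temporary directory; the scenario is invented.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

def file_hash(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(config_dir: Path) -> Dict[str, str]:
    """Map each file (path relative to config_dir) to its hash."""
    return {p.relative_to(config_dir).as_posix(): file_hash(p)
            for p in sorted(config_dir.rglob("*")) if p.is_file()}

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Every difference from the baseline is an alert for someone to check."""
    alerts = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            alerts.append(f"REMOVED {name}")
        elif name not in baseline:
            alerts.append(f"ADDED {name}")
        elif baseline[name] != current[name]:
            alerts.append(f"MODIFIED {name}")
    return alerts

def demo() -> List[str]:
    """Constructed scenario: take a baseline, then an unapproved edit and a new file appear."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "etc"
        (cfg / "ssh").mkdir(parents=True)
        (cfg / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (cfg / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(cfg)            # in practice stored off the device, read-only
        # ... later: the SSH setting is weakened and an unexpected scheduled job appears
        (cfg / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (cfg / "cron.d").mkdir()
        (cfg / "cron.d" / "unexpected-job").write_text("0 * * * * root /tmp/run.sh\n")
        return compare(baseline, snapshot(cfg))

if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

The baseline is only as trustworthy as its storage: keep it off the monitored device (or at least read-only to the accounts that can edit the configuration), otherwise whoever changes the configuration can update the baseline to match.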
Detective Controls

• Managerial Reports
  - Continuously monitor both employee compliance with the organization’s information security policies and the overall performance of business processes
  - Help management design effective reports that highlight areas most in need of attention

8-22
Detective Controls

• Security Testing
  - Periodically test the effectiveness of business processes and internal controls, including security procedures
  - An authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system
  - Identifies where additional protections are most needed to increase the time and effort required to compromise the system

8-23
Corrective Controls

• Computer Incident Response Team
  - A team that is responsible for dealing with major security incidents
  - Through 4 steps:
    a. Recognition of problems: signals of alert
    b. Containment of problems: action
    c. Recovery: backup & disaster recovery procedures
    d. Follow-up: modify existing policies and procedures to minimize similar incidents

8-24
Corrective Controls

• Chief Information Security Officer (CISO)
  - Independent responsibility for information security, assigned to someone at an appropriate senior level
  - Designs, implements and promotes security policies and procedures
  - Ensures that vulnerability and risk assessments are performed regularly
• Patch Management
  - Fix known vulnerabilities by installing the latest updates
    - Security programs
    - Operating systems
    - Application programs

8-25
Corrective Controls

• Patch Management
  - Process of regularly applying patches and updates to all software used by the organization
  - Patches represent modifications to already complex software

8-26
Computer Incident Response Team

• Recognize that a problem exists
  - Signals of alerts from the intrusion detection system and results of log analysis
• Containment of the problem
  - Action to stop the problem and to contain the damage
• Recovery
  - Damage is repaired: restoring data from backup and reinstalling corrupted programs

8-27
Computer Incident Response Team

• Follow-up
  - Analysis of how the incident occurred
  - Modify existing security policy and procedures
  - Decision whether to catch and punish the perpetrator

8-28
New Considerations

8-29
New Considerations

• Virtualization
  - Multiple systems are run on one computer
  - Cuts hardware costs: fewer servers needed
    - lower maintenance cost
    - lower data center cost

8-30
New Considerations

• Cloud Computing
  - Remotely accessed resources
    - Software
    - Data storage
    - Hardware
    - Applications
  - Cost savings: IT capital investments replaced by a subscription basis
  - Improved flexibility: easier to change software and hardware

8-31
New Considerations

• Risks
  - Increased exposure if a breach (hack) occurs
    - risk of theft and destruction
    - unauthorized access to multiple systems
    - confidentiality, privacy, processing integrity and availability are all affected
  - Reduced authentication standards
• Opportunities
  - Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein
  - Use multifactor authentication and physical access control
  - Virtual firewalls and intrusion detection systems, by cloud providers and by organizations
  - Depends on preventive, detective and corrective controls

8-32