Compai Chapter 8


Chapter 8: Controls for Information Security

After studying this chapter, you should be able to:

1. Explain how security and the other four principles in the Trust Services Framework affect systems reliability.
2. Explain two fundamental concepts: why information security is a management issue, and the time-based model of information security.
3. Discuss the steps criminals follow to execute a targeted attack against an organization's information system.
4. Describe the preventive, detective, and corrective controls that can be used to protect an organization's information.
5. Describe the controls that can be used to detect in a timely manner that an organization's information system is under attack.
6. Discuss how organizations can respond in a timely manner to attacks against their information system.
7. Explain how virtualization, cloud computing, and the Internet of Things affect information security.

Integrative Case: Northwest Industries
Jason Scott's next assignment is to review the internal controls over Northwest
Industries' information systems. Jason obtains a copy of Control Objectives for
Information and Related Technology 5 (COBIT 5) and is impressed by its
thoroughness. However, he tells his friend that he feels overwhelmed in trying to
use COBIT 5 to plan his audit of Northwest Industries. His friend suggests that he
examine the Trust Services Framework developed jointly by the American
Institute of Certified Public Accountants (AICPA) and the Canadian Institute of
Chartered Accountants (CICA) to guide auditors in assessing the reliability of an
organization's information system. After reviewing the framework, Jason
concludes that he can use it to guide his audit effort. He decides that he will begin
by focusing on the controls designed to provide reasonable assurance about
information security.


He writes down the following questions that will guide his investigation:
1. What controls does Northwest Industries employ to prevent unauthorized
access to its accounting system?
2. How can successful and unsuccessful attempts to compromise the
company's accounting system be detected in a timely manner?
3. What procedures are in place to respond to security incidents?

As noted in Chapter 7, COBIT 5 is a comprehensive
framework of best practices relating to all aspects of the
governance and management of IT.
We organize this chapter and the next two around the
principles in the Trust Services Framework, which was
developed jointly by the AICPA and the CICA to provide
guidance for assessing the reliability of information
systems.

The Trust Services Framework organizes IT-related controls into five
principles that jointly contribute to systems reliability:
1. Security - access (both physical and logical) to the system and its data is controlled and
restricted to legitimate users.
2. Confidentiality - sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
3. Privacy - personal information about customers, employees, suppliers, or business
partners is collected, used, disclosed, and maintained only in compliance with internal
policies and external regulatory requirements.
4. Processing Integrity - data are processed accurately, completely, in a timely manner,
and only with proper authorization.
5. Availability - the system and its information are available to meet operational and
contractual obligations.

FIGURE 8-1 Relationships Among the Five Trust Services Principles for Systems Reliability

Two Fundamental Information Security Concepts

1. SECURITY IS A MANAGEMENT ISSUE, NOT JUST A TECHNOLOGY ISSUE

Although effective information security requires the deployment of technological tools such as firewalls, antivirus, and encryption, senior management involvement and support throughout all phases of the security life cycle (see Figure 8-2) is absolutely essential for success.

FIGURE 8-2 The Security Life Cycle

Two Fundamental Information Security Concepts

2. THE TIME-BASED MODEL OF INFORMATION SECURITY

The goal of the time-based model of information security is to employ a combination of preventive, detective, and corrective controls to protect information assets long enough for an organization to detect that an attack is occurring and to take timely steps to thwart the attack before any information is lost or compromised.

The time-based model of information security can be expressed in the following formula:

P > D + R, where

P = the time it takes an attacker to break through the various controls that protect the organization's information assets
D = the time it takes for the organization to detect that an attack is in progress
R = the time it takes to respond to and stop the attack

The time-based model of security provides a
means for management to identify the most
cost-effective approach to improving security
by comparing the effects of additional
investments in preventive, detective, or
corrective controls.

Organizations attempt to satisfy the objective of the time-based model of
security by employing the strategy of defense-in-depth.

For example, management may be considering the investment of an additional $100,000 to enhance security.

• One option might be the purchase of a new firewall that would increase the value of P by 10 minutes.
• A second option might be to upgrade the organization's intrusion detection system in a manner that would decrease the value of D by 12 minutes.
• A third option might be to invest in new methods for responding to information security incidents so as to decrease the value of R by 30 minutes.

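The comparison the text describes can be carried out mechanically: every option changes the security margin P - (D + R), and management wants the option that leaves the largest margin for the same $100,000. The following Python is an added illustration, not code from the textbook; the three options are the ones listed above, while the baseline values of P, D and R (45, 30 and 40 minutes) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Posture:
    """Current P, D and R values, all in minutes."""
    p: float  # time for an attacker to break through the preventive controls
    d: float  # time for the organization to detect the attack
    r: float  # time to respond to and stop the attack

    def margin(self) -> float:
        # A positive margin means the model's condition P > D + R holds.
        return self.p - (self.d + self.r)

    def is_satisfied(self) -> bool:
        return self.margin() > 0


@dataclass(frozen=True)
class Investment:
    """A candidate control investment and its effect on P, D and R."""
    name: str
    cost: float
    delta_p: float = 0.0  # positive values strengthen prevention
    delta_d: float = 0.0  # negative values speed up detection
    delta_r: float = 0.0  # negative values speed up response

    def apply(self, base: Posture) -> Posture:
        return Posture(base.p + self.delta_p, base.d + self.delta_d, base.r + self.delta_r)

    def margin_gain(self) -> float:
        # Improvement in P - (D + R); this does not depend on the baseline posture.
        return self.delta_p - self.delta_d - self.delta_r


# The three $100,000 options from the text.
OPTIONS: List[Investment] = [
    Investment("new firewall", 100_000, delta_p=10),
    Investment("upgraded intrusion detection", 100_000, delta_d=-12),
    Investment("new incident response methods", 100_000, delta_r=-30),
]

# Constructed baseline for the example: attackers currently get through in
# 45 minutes, while detection plus response takes 70 minutes.
BASELINE = Posture(p=45, d=30, r=40)


def rank_investments(base: Posture, options: List[Investment]) -> List[Investment]:
    """Order options by the security margin they would produce, best first."""
    return sorted(options, key=lambda o: o.apply(base).margin(), reverse=True)


def best_investment(base: Posture, options: List[Investment]) -> Investment:
    return rank_investments(base, options)[0]


if __name__ == "__main__":
    print(f"baseline margin: {BASELINE.margin():+.0f} min, satisfied={BASELINE.is_satisfied()}")
    for opt in rank_investments(BASELINE, OPTIONS):
        after = opt.apply(BASELINE)
        print(f"{opt.name:32s} gain {opt.margin_gain():+.0f} -> margin {after.margin():+.0f}, "
              f"satisfied={after.is_satisfied()}")
```

Under the constructed baseline only the third option turns a negative margin (-25 minutes) into a positive one (+5 minutes); the ranking itself is independent of the baseline because each option's gain is simply its change to P minus its changes to D and R.
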
Understanding Targeted Attacks

Although many information security threats, such as viruses, worms, natural disasters, hardware failures, and human errors, are often random (untargeted) events, organizations are also frequently the target of deliberate attacks.

Basic steps criminals use to attack an organization's information system:

1. Conduct reconnaissance. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities.

2. Attempt social engineering. The use of deception to obtain unauthorized access to information resources is referred to as social engineering. Social engineering can take place in countless ways, limited only by the creativity and imagination of the attacker.

• Social engineering attacks often take place over the
telephone.
• Social engineering attacks can also take place via e-mail.
Spear phishing involves sending e-mails purportedly
from someone that the victim knows.
• Another social engineering tactic is to spread USB
drives in the targeted organization's parking lot.

3. Scan and map the target. The attacker uses a variety of automated tools
to identify computers that can be remotely accessed and the types of
software they are running.
4. Research. The next step is to conduct research to find known
vulnerabilities for those programs and learn how to take advantage of those
vulnerabilities.
5. Execute the attack. The criminal takes advantage of a vulnerability to
obtain unauthorized access to the target's information system.
6. Cover tracks. After penetrating the victim's information system, most
attackers attempt to cover their tracks and create "back doors".

Protecting Information Resources

This section discusses the preventive, detective, and corrective controls listed in Table 8-1 that organizations commonly use to protect information resources.

TABLE 8-1 Preventive, Detective, and Corrective Controls Used to Satisfy the Time-Based Model of Security

PEOPLE: CREATION OF A “SECURITY-CONSCIOUS” CULTURE

COBIT 5 specifically identifies an organization's culture and ethics as one of the critical enablers for effective information security. To create a security-conscious culture in which employees comply with organizational policies, top management must not only communicate the organization's security policies, but must also lead by example.

PEOPLE: TRAINING

COBIT 5 identifies employee skills and competencies as another critical enabler for effective information security. Employees must understand how to follow the organization’s security policies. Thus, training is a critical preventive control. Indeed, its importance is reflected in the fact that security awareness training is discussed as a key practice to support several of COBIT 5’s 32 management processes.

• All employees should be taught why security measures are important to the organization's long-run survival.
• They also need to be trained to follow safe computing practices.
• Training is especially needed to educate employees about social engineering attacks, such as piggybacking, which can take place not only at the main entrance to the building but also at any internal locked doors, especially to rooms that contain computer equipment.
• Security awareness training for senior management is important, particularly with regard to spear phishing.
• Training of information security professionals is also important.

However, an organization's investment in security training will be effective
only if management clearly demonstrates that it supports employees who
follow prescribed security policies. For example, one of the authors heard
an anecdote about a systems professional at a major bank who refused to
allow a person who was not on the list of authorized employees to enter the
room housing the servers that contained the bank's key financial
information. The person denied entry happened to be a new executive who
was just hired. Instead of reprimanding the employee, the executive
demonstrated the bank's commitment to and support for strong security by
writing a formal letter of commendation for meritorious performance to be
placed in the employee's performance file.

PROCESS: USER ACCESS CONTROLS

It is important to understand that "outsiders" are not the only threat source. An employee may become disgruntled for any number of reasons and seek revenge, or may be vulnerable to being corrupted because of financial difficulties, or may be blackmailed into providing sensitive information.

To accomplish that objective, COBIT 5 management practice
DSS05.04 stresses the need for controls to manage user
identity and logical access so that it is possible to uniquely
identify everyone who accesses the organization's information
system and track the actions that they perform.
Implementing DSS05.04 involves the use of two related but
distinct types of user access controls: authentication controls
and authorization controls.

AUTHENTICATION CONTROLS

Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system.

Three types of credentials can be used to verify a person's identity:

1. Something the person knows, such as passwords or personal identification numbers (PINs)
2. Something the person has, such as smart cards or ID badges
3. Some physical or behavioral characteristic of the person (referred to as a biometric identifier), such as fingerprints or typing patterns.

Individually, each authentication method has its limitations.

Although none of the three basic authentication credentials, by
itself, is foolproof, the use of two or all three types in
conjunction, a process referred to as multifactor
authentication, is quite effective. In some situations, using
multiple credentials of the same type, a process referred to as
multimodal authentication, can also improve security.

It is important to authenticate not only people but also every
device attempting to connect to the network. Every
workstation, printer, or other computing device needs a
network interface card (NIC) to connect to the
organization’s internal network. Each NIC has a unique
identifier, referred to as its media access control (MAC)
address.

Effectiveness of Passwords as Authentication Credentials

• Length. The strength of a password is directly related to its length. The longer, the
better.
• Multiple character types. Using a mixture of upper and lowercase alphabetic,
numeric, and special characters greatly increases the strength of the password.
• Randomness. Passwords should not be easily guessed. Therefore, they should not be
words found in dictionaries. Nor should they be words with either a preceding or
following numeric character (such as 3Diamond or Diamond3).
• Changed frequently. Passwords should be changed at regular intervals.
• Kept secret. Most important, passwords must be kept secret to be effective.

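The first four password characteristics above can be turned into a mechanical check that a system can apply when a password is chosen or reviewed. The Python below is an added example written for this chapter, not code from the textbook; the word list is a constructed stand-in for a real dictionary, and the minimum length (12) and maximum age (90 days) are assumed policy values. The fifth characteristic, keeping the password secret, cannot be checked from the string itself and is left to policy and training.

```python
import re
from typing import List, Optional

# Constructed word list for the example; a real check uses a full dictionary.
DICTIONARY = {"diamond", "password", "welcome", "summer", "letmein", "northwest"}

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~|\\")


def looks_like_dictionary_word(password: str) -> bool:
    """True if the password is a dictionary word, optionally with one leading
    or trailing digit (the 3Diamond / Diamond3 pattern the text warns about)."""
    core = password.lower()
    candidates = {core, re.sub(r"^\d", "", core), re.sub(r"\d$", "", core)}
    return any(c in DICTIONARY for c in candidates)


def password_weaknesses(password: str, min_length: int = 12,
                        age_days: Optional[int] = None,
                        max_age_days: int = 90) -> List[str]:
    """Return a list of problem codes; an empty list means the password passes
    every check that can be made from the string itself (and its age, if given)."""
    problems: List[str] = []

    # Length: the longer, the better.
    if len(password) < min_length:
        problems.append("too_short")

    # Multiple character types: lower, upper, numeric and special.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("few_character_types")

    # Randomness: not a dictionary word, with or without a bordering digit.
    if looks_like_dictionary_word(password):
        problems.append("dictionary_word")

    # Changed frequently: flag a password older than the allowed interval.
    if age_days is not None and age_days > max_age_days:
        problems.append("stale")

    return problems


if __name__ == "__main__":
    for pw in ["Diamond3", "3Diamond", "northwestindustries", "Xk9#pL2$vQ7!wR"]:
        print(f"{pw!r}: {password_weaknesses(pw) or 'ok'}")
```

The two textbook examples, 3Diamond and Diamond3, are both caught by the dictionary rule even though each mixes character types, which is exactly why the randomness criterion is listed separately from the character-type criterion.
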
AUTHORIZATION CONTROLS

Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.

Authorization controls are often implemented by creating an access control matrix (Figure 8-4). When an authenticated employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.

FIGURE 8-4 Example of an Access Control Matrix

FIGURE 8-5 Implementing Authorization Controls in an ERP System

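The compatibility test described above, implemented over a small access control matrix in the spirit of Figures 8-4 and 8-5. This Python is an added example, not code from the textbook or from any ERP product: the roles, resources, user ids and permitted actions are all constructed, and the matrix is indexed by role rather than by individual user, which is how an ERP typically organizes it. Every decision is written to an audit trail so that, as DSS05.04 requires, the actions each user attempts can be traced.

```python
from enum import Flag, auto
from typing import Dict, List, Tuple


class Action(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()


# Constructed access control matrix: rows are roles, columns are resources,
# cells are the actions the role may perform on that resource.
ACCESS_CONTROL_MATRIX: Dict[str, Dict[str, Action]] = {
    "ap_clerk": {
        "vendor_master": Action.READ,
        "ap_invoices": Action.READ | Action.WRITE,
    },
    "ap_supervisor": {
        "vendor_master": Action.READ | Action.WRITE,
        "ap_invoices": Action.READ | Action.WRITE | Action.DELETE,
        "payment_run": Action.EXECUTE,
    },
    "internal_auditor": {
        "vendor_master": Action.READ,
        "ap_invoices": Action.READ,
        "payment_run": Action.READ,
    },
}

# Constructed mapping of authenticated user ids to roles.
USER_ROLES: Dict[str, str] = {
    "jscott": "internal_auditor",
    "aclerk1": "ap_clerk",
    "apsuper": "ap_supervisor",
}

# Audit trail of every access decision: (user, resource, action, permitted).
AUDIT_LOG: List[Tuple[str, str, str, bool]] = []


def compatibility_test(user: str, resource: str, action: Action) -> bool:
    """Decide whether an authenticated user may perform `action` on `resource`.
    Unknown users, unknown resources and unlisted actions are all denied."""
    role = USER_ROLES.get(user, "")
    allowed = ACCESS_CONTROL_MATRIX.get(role, {}).get(resource, Action.NONE)
    permitted = action is not Action.NONE and (allowed & action) == action
    AUDIT_LOG.append((user, resource, action.name or str(action), permitted))
    return permitted


def denied_attempts(user: str) -> List[Tuple[str, str, str, bool]]:
    """Entries in the audit trail where this user was refused; useful for review."""
    return [entry for entry in AUDIT_LOG if entry[0] == user and not entry[3]]


if __name__ == "__main__":
    print(compatibility_test("jscott", "ap_invoices", Action.READ))    # True
    print(compatibility_test("jscott", "ap_invoices", Action.WRITE))   # False
    print(compatibility_test("aclerk1", "payment_run", Action.EXECUTE))  # False
    print(denied_attempts("jscott"))
```

Note the default in the last lookup: a resource that does not appear in the user's row yields Action.NONE, so access is denied unless the matrix explicitly grants it.
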
Like authentication controls, authorization controls can and should be applied not only to people but also to devices.

Applying authentication and authorization controls to both humans and devices is another way in which defense-in-depth increases security.

PROCESS: PENETRATION TESTING

COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the effectiveness of business processes and internal controls (including security procedures). Penetration testing provides a rigorous way to test the effectiveness of an organization’s information security. A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system.

PROCESS: CHANGE CONTROLS AND CHANGE MANAGEMENT

Organizations constantly modify their information systems to reflect new business practices and to take advantage of advances in IT. Change control and change management refer to the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.

Characteristics of a well-designed change control and change management process include:

• Documentation of all change requests, identifying the nature of the change, its rationale, date of the request, and outcome of the request.
• Documented approval of all change requests by appropriate levels of management.
• Testing of all changes in a separate system, not the one used for daily business processes.
• Conversion controls to ensure that data is accurately and completely transferred from the old to the new system.
• Updating of all documentation (program instructions, system descriptions, procedures manuals, etc.) to reflect the newly implemented changes.
• A special process for timely review, approval, and documentation of
“emergency changes” as soon after the crisis as is practical.
• Development and documentation of “backout” plans to facilitate reverting
to previous configurations if the new change creates unexpected problems.
• Careful monitoring and review of user rights and privileges during the
change process to ensure that proper segregation of duties is maintained.

IT SOLUTIONS: ANTIMALWARE CONTROLS

Malware (e.g., viruses, worms, keystroke logging software, etc.) is a major threat.
Malware can damage or destroy information or provide a means for unauthorized
access. Therefore, COBIT 5 section DSS05.01 lists malware protection as one of
the keys to effective security, specifically recommending the following:
1. Malicious software awareness education
2. Installation of antimalware protection tools on all devices
3. Centralized management of patches and updates to antimalware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential sources of malware
6. Training employees not to install shared or unapproved software

IT SOLUTIONS: NETWORK ACCESS CONTROLS

Most organizations provide employees, customers, and suppliers with remote access to their information systems. Usually this access occurs via the Internet, but some organizations still maintain their own proprietary networks or provide direct dial-up access by modem. Many organizations also provide wireless access to their systems. We now discuss the various methods that can be used to satisfy COBIT 5 management practice DSS05.02, which addresses security of the organization’s network and all means of connecting to it.

Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems

Border Router - A device that connects an organization’s information system to the Internet.
Firewall - A special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks.
Demilitarized Zone (DMZ) - A separate network located outside the organization’s internal information system that permits controlled access from the Internet.

FIGURE 8-6 Example Organizational Network Architecture

FIGURE 8-7 How Files Are Broken into Packets to Be Sent Over Networks and Then Reassembled by the Receiving Device

The TCP header contains fields that specify the sequential position of that packet in relation to the entire file and the port numbers (addresses) on the sending and receiving devices from which the file originates and where it is to be reassembled. The IP header contains fields that specify the network address (IP address) of the sending and receiving devices. The Ethernet header contains the MAC addresses of the sending and receiving devices, which are used to control the flow of traffic on the local area network (LAN).

Controlling Access by Filtering Packets

Routers and firewalls control access by filtering individual packets. Organizations own one or more border routers that connect their internal networks to the Internet Service Provider. Those border routers and the organization’s main firewall use sets of IF-THEN rules, called Access Control Lists (ACLs), to determine what to do with arriving packets.

Packet filtering - A process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet.

Deep packet inspection - A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers.

Intrusion prevention systems (IPS) - Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks.

Using Defense-in-Depth to Restrict Network Access

The use of multiple perimeter filtering devices is more efficient and effective
than relying on only one device. Thus, most organizations use border routers to
quickly filter out obviously bad packets and pass the rest to the main firewall.
The main firewall does more detailed checking, and then other firewalls perform
deep packet inspection to more fully protect specific devices such as the
organization’s web server and e-mail server. In addition, an IPS monitors the
traffic passed by the firewalls to identify and block suspicious network traffic
patterns that may indicate that an attack is in progress.

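The layered filtering just described, as an added Python example written for this chapter (not code from the textbook or from any router or firewall product). It models ACL entries as IF-THEN rules over the IP header (source and destination address) and TCP header (protocol and destination port), evaluated first-match-wins with an implicit deny, and chains a border router ACL, a main firewall ACL, and a deep packet inspection step that looks at the packet body. The addresses, the DMZ layout and the inspection patterns are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a filter looks at, plus the TCP payload for DPI."""
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class AclRule:
    """One IF-THEN rule: IF the packet matches every non-empty field THEN action."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # source network (IP header)
    dst: str = "0.0.0.0/0"           # destination network (IP header)
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # destination port (TCP header); None = any

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst)
            and (self.protocol is None or self.protocol == pkt.protocol)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


def apply_acl(rules: List[AclRule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed addresses: the DMZ web and mail servers live in 203.0.113.0/24.
WEB_SERVER, MAIL_SERVER = "203.0.113.10", "203.0.113.25"

# Border router: cheap checks that drop obviously bad packets, such as
# Internet traffic claiming a private (internal) source address.
BORDER_ROUTER_ACL = [
    AclRule("deny", src="10.0.0.0/8"),
    AclRule("deny", src="172.16.0.0/12"),
    AclRule("deny", src="192.168.0.0/16"),
    AclRule("permit"),
]

# Main firewall: only the services the DMZ is meant to expose; everything
# else falls through to the implicit deny.
MAIN_FIREWALL_ACL = [
    AclRule("permit", dst=f"{WEB_SERVER}/32", protocol="tcp", dst_port=443),
    AclRule("permit", dst=f"{MAIL_SERVER}/32", protocol="tcp", dst_port=25),
]

# Deep packet inspection in front of the web server: constructed byte
# patterns that a legitimate web form submission should never carry.
DPI_SIGNATURES = [b"<script", b"../../"]


def deep_packet_inspection(pkt: Packet) -> str:
    body = pkt.payload.lower()
    return "deny" if any(sig in body for sig in DPI_SIGNATURES) else "permit"


STAGES: List[Tuple[str, Callable[[Packet], str]]] = [
    ("border router", lambda p: apply_acl(BORDER_ROUTER_ACL, p)),
    ("main firewall", lambda p: apply_acl(MAIN_FIREWALL_ACL, p)),
    ("deep packet inspection", deep_packet_inspection),
]


def filter_packet(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Run the packet through each perimeter layer in turn and report the
    verdict and which layer (if any) dropped it."""
    for name, stage in STAGES:
        if stage(pkt) == "deny":
            return "deny", name
    return "permit", None


if __name__ == "__main__":
    print(filter_packet(Packet("198.51.100.7", WEB_SERVER, "tcp", 443, b"GET /index.html")))
    print(filter_packet(Packet("10.1.2.3", WEB_SERVER, "tcp", 443)))
    print(filter_packet(Packet("198.51.100.7", WEB_SERVER, "tcp", 22)))
```

Each stage only has to do the work the earlier stages left it: the router never looks at ports, the firewall never looks at payloads, and the expensive payload inspection sees only traffic that has already passed both ACLs.
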
Securing Wireless Access

Many organizations also provide wireless access to their information systems. Wireless access is convenient and easy, but it also provides another venue for attack and extends the perimeter that must be protected.

The following procedures need to be followed to adequately secure wireless access:

• Turn on available security features.
• Authenticate all devices attempting to establish wireless access to the network before assigning them an IP address.
• Configure all authorized wireless devices to operate only in infrastructure mode, which forces the device to connect only to wireless access points.
• Use noninformative names for the access point’s address, which is called a service set identifier (SSID).
• Reduce the broadcast strength of wireless access points, locate them in the interior of the building, and use directional antennas to make unauthorized reception off-premises more difficult.
• Encrypt all wireless traffic.

IT SOLUTIONS: DEVICE AND SOFTWARE HARDENING CONTROLS

Firewalls and IPSs are designed to protect the network perimeter. However, just as many homes and businesses supplement exterior door locks and alarm systems with locked cabinets and safes to store valuables, an organization can enhance information system security by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as endpoints) that comprise the organization’s network. Three areas deserve special attention: (1) endpoint configuration, (2) user account management, and (3) software design.

ENDPOINT CONFIGURATION

- Endpoints can be made more secure by modifying their configurations.
- Every program that is running represents a potential point of attack because it probably contains flaws, called vulnerabilities, that can be exploited to either crash the system or take control of it.
- Vulnerability Scanners - Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.

Exploit - A program designed to take advantage of a known
vulnerability.
Patch - Code released by software developers that fixes a particular
vulnerability.
Patch Management - The process of regularly applying patches
and updates to software.
Hardening - The process of modifying the default configuration of
endpoints to eliminate unnecessary settings and services.

The trend towards permitting employees to use their own personal devices at work, referred
to as Bring Your Own Device (BYOD), makes endpoint configuration much more complex
to manage effectively.

USER ACCOUNT MANAGEMENT

• COBIT 5 management practice DSS05.04 stresses the need to carefully manage all user accounts, especially those accounts that have unlimited (administrative) rights on that computer.
• Administrative rights are needed in order to install software and alter most configuration settings.
• Employees who need administrative powers on a particular computer should be assigned two accounts: one with administrative rights and another that has only limited privileges.

SOFTWARE DESIGN

Buffer overflows, SQL injection, and cross-site scripting are common examples of attacks against the software running on websites.

• Buffer overflows occur when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold.
• SQL injection attacks occur whenever web application software that interfaces with a database server does not filter user input, thereby permitting an attacker to embed SQL commands within a data entry request and have those commands executed on the database server.
• Cross-site scripting attacks occur when web application software does not carefully filter user input before returning any of that data to the browser, in which case the victim’s browser will execute any embedded malicious script.

Section BAI03 of the COBIT 5 framework specifies the need to carefully design security into all new applications, and section APO10 prescribes best practices for managing the risks associated with purchasing software.

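The two web application defects above, SQL injection and cross-site scripting, come down to the same design mistake: user input is handled as code (SQL text or HTML) rather than as data. The Python below is an added example written for this chapter, not code from the textbook; it pairs each defect with the corresponding fix using only the standard library (sqlite3 with bound parameters, and html.escape for output encoding). The customer table and its rows are constructed. Buffer overflows are a memory-safety issue in languages such as C and are not illustrated here.

```python
import html
import sqlite3
from typing import List, Tuple


def build_customer_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("Acme Corp", 1200.0), ("Northwest Industries", 5300.5), ("O'Brien Ltd", 80.0)],
    )
    return conn


def lookup_balance_unfiltered(conn: sqlite3.Connection, name: str) -> List[Tuple[str, float]]:
    """The defect the text describes: user input is pasted straight into the
    SQL text, so quote characters in the input become part of the command."""
    sql = f"SELECT name, balance FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_balance_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, float]]:
    """Hardened form: the driver binds `name` as a value, never as SQL, so a
    quote in the input is just a character of the customer name."""
    return conn.execute(
        "SELECT name, balance FROM customers WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unfiltered(name: str) -> str:
    """Cross-site scripting defect: input is echoed to the browser unchanged."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_escaped(name: str) -> str:
    """Hardened form: HTML metacharacters are encoded before output, so the
    browser displays the text instead of interpreting it as markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_customer_db()
    crafted = "Acme Corp' OR '1'='1"
    print("unfiltered   :", lookup_balance_unfiltered(conn, crafted))      # every row leaks
    print("parameterized:", lookup_balance_parameterized(conn, crafted))   # no such customer
    print("parameterized:", lookup_balance_parameterized(conn, "O'Brien Ltd"))  # quotes are fine
    print(render_greeting_escaped("<script>alert(1)</script>"))
```

The parameterized lookup also handles the legitimate name O'Brien Ltd, which the string-concatenation version cannot even query without a syntax error; correctness and security come from the same change.
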
IT SOLUTIONS: ENCRYPTION

Encryption provides a final layer of defense to prevent unauthorized access to sensitive information.

PHYSICAL SECURITY: ACCESS CONTROLS

• Physical access control begins with entry points to the building itself.
• Once inside the building, physical access to rooms housing computer equipment must be restricted.
• Access to the wiring used in the organization’s LANs needs to be restricted in order to prevent wiretapping.
• Laptops, cell phones, and tablets require special attention to their physical security because they frequently store sensitive information and are so easily lost or stolen.
• COBIT 5 management practice DSS05.06 stresses the importance of restricting physical access to network printers, because they often store document images on their hard drives.
• Finally, an especially promising way to achieve defense-in-depth is to integrate physical and remote access control systems.

Detecting Attacks

THREE TYPES OF DETECTIVE CONTROLS

1. Log Analysis
2. Intrusion Detection Systems
3. Continuous Monitoring

LOG ANALYSIS - The process of examining logs to identify evidence of possible attacks.

FIGURE 8-8 Example of a System Log

INTRUSION DETECTION SYSTEMS (IDS) - A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.

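Both log analysis and an IDS reduce to the same mechanical task: parse a stream of log records and look for patterns that indicate an attempted or successful intrusion. The Python below is an added example written for this chapter, not code from the textbook or from any IDS product. It parses a constructed login log (the line format, addresses, user ids and timestamps are all made up for the example), flags a source that fails several logins within a short window, and flags a later successful login from that same source as a possible compromised credential. The threshold (5 failures) and window (2 minutes) are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Tuple

# Constructed authentication log, one event per line (not a real product format).
SAMPLE_LOG = """\
2024-03-04T08:01:12 src=198.51.100.7 user=jscott action=login result=FAIL
2024-03-04T08:01:15 src=198.51.100.7 user=jscott action=login result=FAIL
2024-03-04T08:01:19 src=198.51.100.7 user=jscott action=login result=FAIL
2024-03-04T08:01:22 src=198.51.100.7 user=jscott action=login result=FAIL
2024-03-04T08:01:26 src=198.51.100.7 user=jscott action=login result=FAIL
2024-03-04T08:01:30 src=198.51.100.7 user=jscott action=login result=OK
2024-03-04T08:05:02 src=10.1.4.22 user=mgalan action=login result=FAIL
2024-03-04T08:05:40 src=10.1.4.22 user=mgalan action=login result=OK
2024-03-04T08:06:00 src=10.1.4.22 user=mgalan action=read file=gl_2024.xlsx
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Turn one log line into a dict; malformed lines are skipped (return None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event: Dict[str, Any] = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    # Optional key=value pairs after the action (e.g. result=FAIL, file=...).
    for key, value in re.findall(r"(\w+)=(\S+)", event.pop("rest")):
        event[key] = value
    return event


Alert = Tuple[str, str, str, datetime]  # (kind, source, user, when)


def detect_login_attacks(lines: List[str], threshold: int = 5,
                         window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Flag a source that fails `threshold` logins inside `window`, and flag
    any later successful login from that source as a possible compromise."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # log order is not guaranteed
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    flagged_sources = set()
    alerts: List[Alert] = []
    for e in events:
        if e.get("action") != "login":
            continue  # other actions are not part of this detector
        src, user, ts = e["src"], e["user"], e["ts"]
        if e.get("result") == "FAIL":
            failures = recent_failures[src]
            failures.append(ts)
            failures[:] = [t for t in failures if ts - t <= window]  # slide the window
            if len(failures) >= threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(("repeated_login_failures", src, user, ts))
        elif e.get("result") == "OK" and src in flagged_sources:
            alerts.append(("success_after_failures", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_login_attacks(SAMPLE_LOG):
        print(alert)
```

In the constructed log the five failures from 198.51.100.7 arrive within fourteen seconds and are followed by a success, producing two alerts; the single failure from 10.1.4.22 followed by a success is the ordinary typo case and produces none. The second alert kind matters most, since it is the point at which the time-based model's detection clock (D) is what limits the damage.
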
CONTINUOUS MONITORING

COBIT 5 management practice APO01.08 stresses the importance of continuously monitoring both employee compliance with the organization’s information security policies and overall performance of business processes.

RESPONDING TO ATTACKS

Two Important Corrective Controls

1. Establishment of a Computer Incident Response Team (CIRT)
2. Designation of a Chief Information Security Officer (CISO)

COMPUTER INCIDENT RESPONSE TEAM (CIRT)

- A team that is responsible for dealing with major security incidents.
- The CIRT should include not only technical specialists but also senior operations management, because some potential responses to security incidents have significant economic consequences.

The CIRT should lead the organization’s incident response process through the following four steps:

1. Recognition that a problem exists
2. Containment of the problem
3. Recovery
4. Follow-up

CHIEF INFORMATION SECURITY OFFICER (CISO)

The second corrective control is to create the position of CISO, who should be independent of other information systems functions and should report to either the chief operating officer (COO) or the chief executive officer (CEO).

The CISO must:

• Understand the company’s technology environment and work with the chief information officer (CIO) to design, implement, and promote sound security policies and procedures.
• Be an impartial assessor and evaluator of the IT environment.
• Have responsibility for ensuring that vulnerability and risk assessments are performed regularly and that security audits are carried out periodically.
• Work closely with the person in charge of physical security, because unauthorized physical access can allow an intruder to bypass the most elaborate logical access controls.

Security Implications of Virtualization, Cloud Computing, and the Internet of Things

Virtualization - Running multiple systems simultaneously on one physical computer.
Cloud Computing - Using a browser to remotely access software, data storage, hardware, and applications. Cloud computing can potentially generate significant cost savings.
Internet of Things (IoT) - The embedding of sensors in a multitude of devices (lights, heating and air conditioning, appliances, etc.) so that those devices can now connect to the Internet.