Part 1: Information Security: Information Systems Controls For System Reliability


Chapter 8

Information Systems Controls for System Reliability

Part 1: Information Security

Agoestina M - 126202001
Ahmad Sanusi - 126202002
Akhmad Gojali - 126202003
Leny Marlina - 126202023
Lilies Suphany - 126202024
Irianti Pudji L - 126202021

Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
8-1
Learning Objectives

- Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems.
- Explain the factors that influence information systems reliability.
- Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

AIS Controls

- COSO and COSO-ERM address general internal control
- COBIT addresses information technology internal control

Information for Management Should Be:

- Effectiveness
  - Information must be relevant and timely.
- Efficiency
  - Information must be produced in a cost-effective manner.
- Confidentiality
  - Sensitive information must be protected from unauthorized disclosure.
- Integrity
  - Information must be accurate, complete, and valid.
- Availability
  - Information must be available whenever needed.
- Compliance
  - Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
- Reliability
  - Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

COBIT Framework

[Figure: the four COBIT domains arranged around the Information Criteria: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate]

COBIT Cycle

- Management develops plans to organize information resources to provide the information it needs.
- Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
- Management ensures that the resulting system actually delivers the desired information.
- Management monitors and evaluates system performance against the established criteria.
- The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

COBIT Controls

- 210 controls for ensuring information integrity
  - A subset is relevant for external auditors
  - IT Control Objectives for Sarbanes-Oxley, 2nd Edition
- AICPA and CICA information systems controls
  - Controls for system and financial statement reliability

Trust Services Framework

- Security
  - Access to the system and its data is controlled and restricted to legitimate users.
- Confidentiality
  - Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
- Privacy
  - Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements, and is protected from unauthorized disclosure.
- Processing Integrity
  - Data are processed accurately, completely, in a timely manner, and only with proper authorization.
- Availability
  - The system and its information are available to meet operational and contractual obligations.

Trust Services Framework

[Figure: Trust Services Framework diagram]
Security / Systems Reliability

- Security is the foundation of the Trust Services Framework
- It is a management issue, not a technology issue
  - SOX 302 states:
    - The CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.
    - The accuracy of an organization’s financial statements depends upon the reliability of its information systems.
- Defense-in-depth and the time-based model of information security
  - Have multiple layers of control

Management’s Role in IS Security

- Create a security-aware culture
- Inventory and value company information resources
- Assess risk and select a risk response
- Develop and communicate security plans, policies, and procedures
- Acquire and deploy IT security resources
- Monitor and evaluate effectiveness

Time-Based Model

- Combination of detective and corrective controls
  - P = the time it takes an attacker to break through the organization’s preventive controls
  - D = the time it takes to detect that an attack is in progress
  - C = the time it takes to respond to the attack
- For an effective information security system:
  - P > D + C

Steps in an IS System Attack

1. Conduct reconnaissance
2. Attempt social engineering
3. Scan & map target
4. Research
5. Execute attack
6. Cover tracks

Mitigate Risk of Attack

- Preventive controls
- Detective controls
- Corrective controls

Preventive Control

- Training
- User access controls (authentication and authorization)
- Physical access controls (locks, guards, etc.)
- Network access controls (firewalls, intrusion prevention systems, etc.)
- Device and software hardening controls (configuration options)

Authentication vs. Authorization

- Authentication: verifies who a person is
  1. Something the person knows
  2. Something the person has
  3. Some biometric characteristic
  4. A combination of all three
- Authorization: determines what a person can access

Network Access Control
(Perimeter Defense)

- Border router
  - Connects an organization’s information system to the Internet
- Firewall
  - Software or hardware used to filter information
- Demilitarized Zone (DMZ)
  - A separate network that permits controlled access from the Internet to selected resources
- Intrusion Prevention Systems (IPS)
  - Monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

Internet Information Protocols

[Figure: Internet Information Protocols]
Device and Software Hardening
(Internal Defense)

- End-Point Configuration
  - Disable unnecessary features that may be vulnerable to attack on servers, printers, and workstations
- User Account Management
- Software Design
  - Programmers must be trained to treat all input from external users as untrustworthy and to check it carefully before performing further actions.
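As an added illustration of the software-design point above (example code written for this page, not from the slides or the textbook), the hypothetical `lookup_customer` function checks an external customer id against an allowlist before using it and passes it to the database as a bound parameter, while `lookup_customer_unsafe` shows the untrusted-input pattern the slide warns against. The table, its rows and the digits-only rule are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows (not from the slides) for an in-memory database.
SAMPLE_CUSTOMERS = [(1, "Acme Ltd", "credit-ok"), (2, "Bolt Inc", "credit-hold")]
# Allowlist for a customer id: 1 to 9 ASCII digits and nothing else. The rule is an
# assumption for this example; the point is that input is checked before it is used.
CUSTOMER_ID_RE = re.compile(r"[0-9]{1,9}")


def build_db():
    """Create and seed the in-memory database used by both lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_customer_unsafe(conn, raw_id):
    """What the slide warns against: external input is trusted and spliced into
    the query text, so whatever the user typed becomes part of the SQL statement."""
    return conn.execute("SELECT name, status FROM customer WHERE id = " + raw_id).fetchall()


def lookup_customer(conn, raw_id):
    """Hardened form: reject anything outside the allowlist, then hand the value
    to the database as a bound parameter rather than as query text."""
    if not isinstance(raw_id, str) or not CUSTOMER_ID_RE.fullmatch(raw_id):
        raise ValueError("customer id must be 1 to 9 digits")
    return conn.execute("SELECT name, status FROM customer WHERE id = ?", (int(raw_id),)).fetchall()
```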

Detective Controls

- Log Analysis
  - The process of examining logs to identify evidence of possible attacks
  - Analyze logs of failed attempts to log on to a system and failed attempts to obtain access to specific information resources
  - Logs need to be analyzed regularly to detect problems in a timely manner
  - Log analysis requires human judgement to interpret and identify situations that are not "normal"
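An added example of the log analysis described above (written for this page, not part of the slides): it parses constructed failed-logon records in an assumed one-line layout and flags two patterns an analyst would want raised for judgement, repeated failures against one account and one source failing against many distinct accounts within a short window. The log lines, the layout and the thresholds are all assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample log (not from the slides); assumed one-line layout:
# "<date> <time> <event> user=<account> src=<address>".
SAMPLE_LOG = """\
2024-03-01 09:00:01 FAILED_LOGON user=jsmith src=10.1.1.20
2024-03-01 09:00:04 FAILED_LOGON user=jsmith src=10.1.1.20
2024-03-01 09:00:09 FAILED_LOGON user=jsmith src=10.1.1.20
2024-03-01 09:15:00 FAILED_LOGON user=admin src=203.0.113.9
2024-03-01 09:15:02 FAILED_LOGON user=root src=203.0.113.9
2024-03-01 09:15:04 FAILED_LOGON user=backup src=203.0.113.9
2024-03-01 11:30:00 FAILED_LOGON user=lmarlina src=10.1.1.55
2024-03-01 11:31:10 LOGON_OK user=lmarlina src=10.1.1.55
garbage line that does not match the layout
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Turn matching lines into dicts with a datetime; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def find_failed_logon_bursts(events, threshold=3, window_seconds=300):
    """Rule 'user': one account fails at least `threshold` times inside the window.
    Rule 'src': one source fails against at least `threshold` distinct accounts inside it."""
    failures = sorted((e for e in events if e["event"] == "FAILED_LOGON"), key=lambda e: e["ts"])
    findings = []
    for rule in ("user", "src"):
        by_key = {}
        for e in failures:
            by_key.setdefault(e[rule], []).append(e)  # group failures by account or by source
        for key, items in by_key.items():
            start = 0
            for end in range(len(items)):  # sliding window over the sorted failures
                while (items[end]["ts"] - items[start]["ts"]).total_seconds() > window_seconds:
                    start += 1
                span = items[start:end + 1]
                measure = len(span) if rule == "user" else len({e["user"] for e in span})
                if measure >= threshold:
                    findings.append({"rule": rule, "key": key, "count": measure,
                                     "first": span[0]["ts"], "last": span[-1]["ts"]})
                    break  # one finding per key is enough for the analyst's report
    return findings
```

Each finding carries the window's first and last timestamps, so the analyst can pull the surrounding log context and decide whether the pattern is "normal" for that account or source.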

Detective Controls

- Intrusion Detection
  - Consists of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass through the firewall, and then analyze those logs for signs of attempted or successful intrusions
  - Intrusion detection can also be installed on a specific device to monitor unauthorized attempts to change the device’s configuration
  - Produces warning alerts when it detects a suspicious pattern of network traffic

Detective Controls

- Managerial Reports
  - Continuously monitor both employee compliance with the organization’s information security policies and the overall performance of business processes
  - Help management design effective reports that highlight the areas most in need of attention

Detective Controls

- Security Testing
  - Periodically test the effectiveness of business processes and internal controls, including security procedures
  - An authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system
  - The aim is to identify where additional protections are most needed to increase the time and effort required to compromise the system

Corrective Controls

- Computer Incident Response Team
  - A team that is responsible for dealing with major security incidents
  - Works through four steps:
    a. Recognition of the problem: signals of alert
    b. Containment of the problem: action
    c. Recovery: backup and disaster recovery procedures
    d. Follow-up: modify existing controls to minimize similar incidents

Corrective Controls

- Chief Information Security Officer (CISO)
  - Independent responsibility for information security is assigned to someone at an appropriate senior level
  - Designs, implements, and promotes security policies and procedures
  - Ensures that vulnerability and risk assessments are performed regularly
- Patch Management
  - Fix known vulnerabilities by installing the latest updates to:
    - Security programs
    - Operating systems
    - Application programs

Corrective Controls

- Patch Management
  - The process of regularly applying patches and updates to all software used by the organization
  - Patches represent modifications to already complex software

Computer Incident Response Team

- Recognize that a problem exists
  - Signals of alert from the Intrusion Detection System and results of log analysis
- Containment of the problem
  - Action to stop the problem and to contain the damage
- Recovery
  - Damage is repaired: restoring data from backup and reinstalling corrupted programs

Computer Incident Response Team

- Follow-up
  - Analysis of how the incident occurred
  - Modify existing security policies and procedures
  - Decision on whether to catch and punish the perpetrator

New Considerations

- Virtualization
  - Multiple systems are run on one computer
  - Cuts hardware costs: fewer servers are needed
    - Lower maintenance cost
    - Lower data center cost

New Considerations

- Cloud Computing
  - Remotely accessed resources:
    - Software
    - Data storage
    - Hardware
    - Applications
  - Cost savings: IT capital investments are replaced by a subscription basis
  - Improved flexibility: easier to change software and hardware

New Considerations

- Risks
  - Increased exposure if a breach (hack) occurs:
    - Risk of theft and destruction
    - Unauthorized access to multiple systems
    - Confidentiality, privacy, processing integrity, and availability are all affected
  - Reduced authentication standards
- Opportunities
  - Implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein
  - Use multifactor authentication and physical access control
  - Virtual firewalls and intrusion detection systems, provided by cloud providers and by organizations
  - Security still depends on preventive, detective, and corrective controls

