
By: Wondwossen J.

INTRODUCTION
 Questions to be addressed in this chapter:
 How does security affect systems reliability?
 What are the four criteria that can be used to evaluate
the effectiveness of an organization’s information
security?
 What is the time-based model of security and the
concept of defense-in-depth?
 What types of preventive, detective, and corrective
controls are used to provide information security?
 How does encryption contribute to security and how do
the two basic types of encryption systems work?

INTRODUCTION
 One basic function of an AIS is to provide
information useful for decision making. In
order to be useful, the information must be
reliable, which means:
 It provides an accurate, complete, and
timely picture of the organization’s
activities.
 It is available when needed.
 The information and the system that
produces it are protected from loss,
compromise, and theft.
INTRODUCTION
 The five basic principles that contribute to systems
reliability:
 Security
 Confidentiality
 Privacy
 Processing integrity
 Availability
[Figure: systems reliability model. Security forms the foundation on which
processing integrity, confidentiality, availability, and privacy rest.]
INTRODUCTION
 Note the importance of security in this picture. It is
the foundation of systems reliability. Security
procedures:
 Restrict system access to only authorized users and
protect:
 The confidentiality of sensitive organizational data.
 The privacy of personal identifying information
collected from customers.
[Figure: systems reliability model, with security as the foundation layer.]
INTRODUCTION
 Security procedures also:
 Provide for processing integrity by preventing:
 Submission of unauthorized or fictitious transactions.
 Unauthorized changes to stored data or programs.
 Protect against a variety of attacks, including viruses
and worms, thereby ensuring the system is available
when needed.
[Figure: systems reliability model, with security as the foundation layer.]
INTRODUCTION
 The press carries many stories about information
security incidents including:
 Denial of service attacks
 Fraud
 Loss of trade secrets
 Identity theft
 Accountants and IS professionals need to understand
basic principles of information security in order to
protect their organizations and themselves.

COBIT and Trust Services
 Control Objectives for Information and Related
Technology (COBIT)
 Information systems controls required for
achieving business and governance objectives
[Figure: Adequate Controls]
COBIT and Trust Services
 COBIT IT resources:
 Applications
 Information
 Infrastructure
 People
 COBIT information criteria:
 Effectiveness
 Efficiency
 Confidentiality
 Integrity
 Availability
 Compliance
 Reliability

FUNDAMENTAL INFORMATION SECURITY CONCEPTS
 There are three fundamental information security
concepts that will be discussed in this part:
 Security as a management issue, not a technology issue.
 The time-based model of security.
 Defense in depth.
1. Security as a management issue, not a technology
issue
 Though information security is a complex technical
subject, security is first and foremost a top management
issue, not an IT issue.

1. SECURITY AS A MANAGEMENT ISSUE (continued)
 SOX Section 302 requires that the CEO and CFO
certify the accuracy of the financial statements.
 SOX Section 404 requires that the annual report
include a report on the company’s internal controls.
 Within this report, management acknowledges their
responsibility for designing and maintaining internal
controls and assessing their effectiveness.
 Security is a key component of the internal control
and systems reliability to which management must
attest.
 As identified in the COSO model, management’s
philosophy and operating style are critical to an
effective control environment.
SECURITY AS A MANAGEMENT ISSUE
 The Trust Services framework identifies four
essential criteria for successfully implementing the
five principles of systems reliability:
 Develop and document policies.
 Effectively communicate those policies to all
authorized users.
 Design and employ appropriate control
procedures to implement those policies.
 Monitor the system, and take corrective action
to maintain compliance with the policies.
 Top management involvement and support is
necessary to satisfy each of the preceding criteria.
2. TIME-BASED MODEL OF SECURITY
 Given enough time and resources, any
preventive control can be circumvented.
 Consequently, effective control requires
supplementing preventive procedures with:
 Methods for detecting incidents; and
 Procedures for taking corrective remedial
action.
 Detection and correction must be timely,
especially for information security,
 because once preventive controls have been
breached, it takes little time to destroy,
compromise, or steal the organization’s
economic and information resources.
TIME-BASED MODEL OF SECURITY
 The time-based model of security focuses on
implementing a set of preventive, detective, and
corrective controls,
 That enable an organization to recognize that an
attack is occurring and take steps to thwart it before
any assets have been compromised.
 Stated formally: if P is the time the preventive
controls hold off an attacker, D the time needed to
detect the attack, and C the time needed to respond,
the controls are effective only when P > D + C.
 All three types of controls are necessary:
 Preventive
 Detective
 Corrective

3. DEFENSE IN DEPTH
 The idea of defense-in-depth is to employ multiple
layers of controls to avoid having a single point of
failure.
 If one layer fails, another may function as planned.
 Information security involves using a combination of
firewalls, passwords, and other preventive procedures
to restrict access.
 Redundancy also applies to detective and corrective
controls.

DEFENSE IN DEPTH
 Major types of preventive controls used for defense in depth
include:
 Authentication controls (passwords, tokens, biometrics,
MAC addresses; note that a MAC address is trivially
spoofed and is a weak authenticator on its own)
 Authorization controls (access control matrices and
compatibility tests)
 Training
 Physical access controls (locks, guards, biometric devices)
 Remote access controls (IP packet filtering by border
routers and firewalls using access control lists; intrusion
prevention systems; authentication of dial-in users;
wireless access controls)
 Host and application hardening procedures (firewalls,
anti-virus software, disabling of unnecessary features,
user account management, software design, e.g., to
prevent buffer overflows)
 Encryption
DEFENSE IN DEPTH
 Detective controls include:
 Log analysis
 Intrusion detection systems
 Managerial reports
 Security testing (vulnerability scanners, penetration tests,
war dialing)
 Corrective controls include:
 Computer emergency response teams
 Chief Security Officer (CSO)
 Patch Management

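Log analysis is the first detective control listed above. The following Python example is added here and is not part of the original slides: it runs detection logic over a handful of constructed authentication-log lines (the line format loosely imitates an SSH daemon's, but is an assumption) and raises an alert when one source address accumulates `threshold` failed logins inside `window` seconds, then a second alert if that same source later logs in successfully. The sample log, the regular expression, and the thresholds are all constructed for illustration.

```python
"""Added example: log analysis as a detective control.

Parses constructed auth-log lines and flags password-guessing runs.
Log format, addresses and timestamps are constructed; not from the slides.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. The 198.51.100.23 lines model a password-guessing
# run that ends in a successful login; 10.0.0.7 is an ordinary user mistyping once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[812]: Failed password for admin from 198.51.100.23 port 51022
2024-03-01T09:00:03 sshd[812]: Failed password for admin from 198.51.100.23 port 51023
2024-03-01T09:00:04 sshd[812]: Failed password for root from 198.51.100.23 port 51024
2024-03-01T09:00:06 sshd[812]: Failed password for admin from 198.51.100.23 port 51025
2024-03-01T09:00:07 sshd[812]: Failed password for admin from 198.51.100.23 port 51026
2024-03-01T09:00:09 sshd[812]: Accepted password for admin from 198.51.100.23 port 51027
2024-03-01T09:05:00 sshd[813]: Failed password for alice from 10.0.0.7 port 40000
2024-03-01T09:30:00 sshd[814]: Accepted password for alice from 10.0.0.7 port 40001
"""

# Assumed line layout: ISO timestamp, process tag, result, user, source address, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+$"
)


def parse_line(line):
    """Return a dict for a recognised line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=60):
    """Return a list of alerts in log order.

    ('bruteforce', src, ts)             : `threshold` failures from src within `window` s
    ('success_after_failures', src, ts) : a later successful login from a flagged src
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()               # sources that have already tripped the brute-force alert
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # unrecognised line: ignore, do not crash the analyser
        q = recent[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], ev["ts"]))
        elif ev["src"] in flagged:
            # A success from a source that was guessing is the event worth paging on.
            alerts.append(("success_after_failures", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} from {src}")
```

In the sample the brute-force alert fires at 09:00:07, six seconds after the first failed attempt; in the time-based model that gap is the detection time D, and the success two seconds later shows how little room is left for the response time C.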
PREVENTIVE CONTROLS
 These are the multiple layers of preventive controls that
reflect the defense-in-depth approach to satisfying the
constraints of the time-based model of security.
[Figure: layers of preventive controls]

PREVENTIVE CONTROLS
 Controlling Remote Access
 The third layer of defense is control of remote access.

PREVENTIVE CONTROLS
 Perimeter Defense: Routers, Firewalls, and Intrusion
Prevention Systems
 This figure shows the relationship between an
organization’s information system and the Internet.
 A device called a border router connects an
organization’s information system to the Internet.
[Figure: the organization’s information system connected to the Internet
through a border router and a main firewall]

PREVENTIVE CONTROLS
 Behind the border router is the main firewall, either a
special-purpose hardware device or software running on
a general purpose computer.

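Border routers and firewalls enforce the remote-access layer with access control lists: an ordered list of rules, where the first rule that matches a packet decides its fate and anything that matches nothing is dropped. The Python example below is added here and is not from the slides; the rule set, the perimeter addresses (a DMZ web server at 203.0.113.10, an internal network 10.0.0.0/8) and the sample packets are all constructed for illustration.

```python
"""Added example: a first-match, default-deny packet filter of the kind a
border router or firewall applies. Addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                 # source IPv4 address
    dst: str                 # destination IPv4 address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR; "0.0.0.0/0" matches any source
    dst: str                 # CIDR; "0.0.0.0/0" matches any destination
    proto: str               # protocol name, or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Constructed ACL for the Internet-facing interface of a hypothetical border router.
ACL = [
    # Anti-spoofing: a packet arriving from the Internet must never claim an internal source.
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0", "any"),
    # The only service exposed to the world: HTTPS on the DMZ web server.
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    # Nothing from outside may reach the internal network directly.
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any"),
]


def filter_packet(acl, p: Packet) -> str:
    """Return 'permit' or 'deny'. First matching rule wins; no match means deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "10.0.0.5", "tcp", 445)):
        print(pkt, "->", filter_packet(ACL, pkt))
```

Rule order is the point to check when reviewing a list like this: if the anti-spoofing rule were moved below the permit rule, a packet forged with a 10.x source address would be permitted to the web server, because the permit rule accepts any source.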
PREVENTIVE CONTROLS
 Another dimension of the defense-in-depth concept is
the use of a number of internal firewalls to segment
different departments within the organization.

PREVENTIVE CONTROLS
 Encryption is the process of transforming normal text,
called plaintext, into unreadable gibberish, called
ciphertext.
 Decryption reverses this process.
 To encrypt or decrypt, both a key and an algorithm are
needed.
[Figure: plaintext “This is a contract for . . .” + key → encryption
algorithm → ciphertext “Xb&j &m 2 ep0%fg . . .”; ciphertext + key →
decryption algorithm → plaintext “This is a contract for . . .”]

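The slide above introduces the key-plus-algorithm idea, and the chapter’s opening questions ask how the two basic types of encryption systems work. The Python example below is added here and is not from the slides; it shows both types on the slide’s own plaintext using only the standard library. Symmetric encryption uses one shared key for both directions; asymmetric encryption uses a key pair, the public key encrypting and the private key decrypting. Because the standard library ships no block cipher, the symmetric cipher here is a demonstration construction (a stream cipher whose keystream comes from HMAC-SHA256, with an HMAC tag so tampering is detected) and the asymmetric one is textbook RSA with tiny constructed primes and no padding. Both are assumptions made for illustration, not production ciphers.

```python
"""Added example: the two basic types of encryption systems, standard library only.

Symmetric: one shared key; HMAC-SHA256 keystream XORed with the plaintext, plus a tag.
Asymmetric: textbook RSA with constructed toy primes, to make the key pair concrete.
Neither construction is meant for real use.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Block i of the keystream is HMAC-SHA256(key, "enc" || nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce per message keeps keystreams distinct;
    the tag gives integrity, which encryption alone does not provide."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then reverse the XOR. Wrong key or altered data raises."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def decryption_fails(key: bytes, blob: bytes) -> bool:
    """True when symmetric_decrypt rejects the input."""
    try:
        symmetric_decrypt(key, blob)
    except ValueError:
        return True
    return False


# Asymmetric: textbook RSA. p and q are constructed toy primes; real keys use
# primes of a thousand bits or more and always pad the message.
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    shared_key = os.urandom(32)
    blob = symmetric_encrypt(shared_key, b"This is a contract for . . .")
    print("ciphertext:", blob.hex())
    print("decrypted :", symmetric_decrypt(shared_key, blob))
    pub, priv = rsa_keypair()
    print("rsa:", rsa_decrypt(priv, rsa_encrypt(pub, 65)))
```

The symmetric side illustrates the confidentiality slides later in the chapter as well: the same routine protects data while stored and whenever transmitted, and the tag check is what makes an intercepted-and-modified message detectable rather than silently accepted.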
 Questions to be addressed in this part include:
 What controls are used to protect the confidentiality of
sensitive information?
 What controls are designed to protect privacy of customers’
personal information?
 What controls ensure processing integrity?
 How are information systems changes controlled to ensure
that the new system satisfies all five principles of systems
reliability?

CONFIDENTIALITY
 Reliable systems maintain the confidentiality of
sensitive information.
[Figure: systems reliability model with the confidentiality principle highlighted]

CONFIDENTIALITY
 Maintaining confidentiality requires that
management identify which information is
sensitive.
 Each organization will develop its own definitions
of what information needs to be protected.
 Most definitions will include:
 Business plans
 Pricing strategies
 Client and customer lists
 Legal documents

CONFIDENTIALITY
 Encryption is a fundamental control procedure for
protecting the confidentiality of sensitive information.
 Confidential information should be encrypted:
 While stored
 Whenever transmitted
 The Internet provides inexpensive transmission, but
data sent across it in the clear is easily intercepted.
 Encryption addresses the interception problem: intercepted
ciphertext is useless without the key (an eavesdropper can
still see which hosts are talking and how much they send).
 If traffic between two sites is encrypted before it crosses
the Internet, a virtual private network (VPN) is created.
 Provides the functionality of a privately owned network
 But uses the Internet
CONFIDENTIALITY
 Use of VPN software creates private
communication channels, often referred to as
tunnels.
 The tunnels are accessible only to parties who have the
appropriate encryption and decryption keys.
 Cost of the VPN software is much less than costs of
leasing or buying a privately-owned, secure
communications network.
 Also, makes it much easier to add or remove sites from
the “network.”

PRIVACY
 In the Trust Services framework, the privacy principle
is closely related to the confidentiality principle.
 Primary difference is that privacy focuses on
protecting personal information about customers rather
than organizational data.
 Key controls for privacy are the same that were
previously listed for confidentiality.
[Figure: systems reliability model with the privacy principle highlighted]

PRIVACY
 COBIT section DS 11 addresses the management of
data and specifies the need to comply with
regulatory requirements.
 A number of regulations, including the Health
Insurance Portability and Accountability Act
(HIPAA) and the Financial Services Modernization
Act (aka, Gramm-Leach-Bliley Act) require
organizations to protect the privacy of customer
information.

PRIVACY
 The Trust Services privacy framework of the AICPA and CICA
lists ten internationally recognized best practices for protecting
the privacy of customers’ personal information:
 Management
 Notice
 Choice and consent
 Collection
 Use and retention
 Access
 Disclosure to Third Parties
 Security
 Quality
 Monitoring and enforcement

PROCESSING INTEGRITY
 COBIT control objective DS 11.1 addresses the need for
controls over the input, processing, and output of data.
 Identifies six categories of controls that can be used to
satisfy that objective.
 Six categories are grouped into three for discussion.
[Figure: systems reliability model with the processing integrity principle highlighted]

PROCESSING INTEGRITY
 Three categories/groups of integrity controls are designed to
meet the preceding objectives:
 Input controls
 Processing controls
 Output controls
 The following input controls regulate integrity of input:
 Forms design
 Pre-numbered forms sequence test
 Turnaround documents
 Cancellation and storage of documents
 Authorization and segregation of duties
 Visual scanning
 Check digit verification
 RFID security
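Two of the input controls listed above lend themselves to code: check digit verification and the sequence test over pre-numbered forms. The Python example below is added here and is not from the slides. It implements the mod-10 Luhn check digit (the scheme used on payment card and many account numbers; the choice of scheme is an assumption, the slides name none) and a sequence test that reports missing and duplicated form numbers in a batch. The sample identifiers and form numbers are constructed.

```python
"""Added example: input controls in code. Luhn check digit and a sequence
test over pre-numbered forms. Sample numbers are constructed."""
from collections import Counter


def luhn_check_digit(body: str) -> str:
    """Check digit for a string of digits that does not yet carry one.

    Walking from the right, every other digit (starting with the rightmost)
    is doubled, and 9 is subtracted from any result above 9; the check digit
    brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the digits before it.
    Spaces are tolerated; anything else non-numeric fails rather than raising."""
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


def sequence_test(form_numbers):
    """For a batch of pre-numbered forms return (missing, duplicates):
    gaps inside the observed range, and numbers that appear more than once."""
    if not form_numbers:
        return [], []
    counts = Counter(form_numbers)
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


if __name__ == "__main__":
    # Constructed account number: body 7992739871, check digit 3.
    print(luhn_check_digit("7992739871"), luhn_valid("7992739871 3"))
    # Constructed batch of invoice form numbers with one gap and one duplicate.
    print(sequence_test([1001, 1002, 1004, 1004, 1005]))
```

Luhn catches every single-digit keying error and almost every transposition of adjacent digits (09 and 90 are the one pair it cannot tell apart), which is why it suits data-entry screens; it is not a security control, since anyone can compute a valid check digit, so it complements rather than replaces authorization and segregation of duties.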
PROCESSING INTEGRITY
 Processing Controls
 Processing controls to ensure that data is
processed correctly include:
 Data matching

 File labels

 Recalculation of batch totals

 Cross-footing balance test

 Write-protection mechanisms

 Database processing integrity procedures

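Recalculation of batch totals and the cross-footing balance test are concrete enough to show in code. The Python example below is added here and is not from the slides. Control totals (record count, financial total, and a hash total over a field that is meaningless as a sum) are captured when a batch is entered and recalculated after processing; a mismatch names the control that failed. The cross-footing test checks a table whose rows and columns each carry totals. The invoice batch and the table are constructed for illustration.

```python
"""Added example: processing controls over a constructed invoice batch.
Batch totals are recalculated after processing; cross-footing checks a
totalled table. All records and figures are constructed."""
from decimal import Decimal

# Constructed batch of (invoice_no, customer_id, amount). Decimal, not float,
# so that financial totals compare exactly.
BATCH = [
    ("INV-2001", 4711, Decimal("120.00")),
    ("INV-2002", 4712, Decimal("75.50")),
    ("INV-2003", 4711, Decimal("310.25")),
]


def batch_totals(records):
    """Control totals taken at input time and again after processing."""
    return {
        "count": len(records),                     # record count
        "financial": sum(r[2] for r in records),   # financial total of the amount field
        "hash": sum(r[1] for r in records),        # hash total: customer ids summed, a number
    }                                              # with no business meaning but sensitive to typos


def check_batch(records, expected):
    """Recalculate the totals and return the names of the controls that disagree."""
    actual = batch_totals(records)
    return [name for name in expected if actual[name] != expected[name]]


def cross_foot(table):
    """Cross-footing balance test.

    `table` is a list of rows; each row ends with its own row total and the
    last row holds the column totals, ending in the grand total. Passes only if
    every row foots, every column foots, and the column totals sum to the grand total.
    """
    body, col_totals = table[:-1], table[-1]
    for row in body:
        if sum(row[:-1]) != row[-1]:
            return False
    for j in range(len(col_totals)):
        if sum(row[j] for row in body) != col_totals[j]:
            return False
    return sum(col_totals[:-1]) == col_totals[-1]


if __name__ == "__main__":
    expected = batch_totals(BATCH)
    print("input totals   :", expected)
    print("lost a record  :", check_batch(BATCH[:2], expected))
    typo = [BATCH[0], ("INV-2002", 4721, BATCH[1][2]), BATCH[2]]
    print("id transposed  :", check_batch(typo, expected))
    print("cross-foot ok  :", cross_foot([[10, 20, 30], [5, 15, 20], [15, 35, 50]]))
```

Note what each total can and cannot see: dropping a record trips all three, a transposed customer id trips only the hash total, and two records swapping amounts trips none of them, which is why batch totals sit alongside data matching and record-level checks rather than replacing them.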
PROCESSING INTEGRITY
 Output Controls
 Careful checking of system output
provides additional control over
processing integrity.
 Output controls include:
 User review of output
 Reconciliation procedures
 External data reconciliation

AVAILABILITY
 Reliable systems are available for use whenever needed.
 Threats to system availability originate from many
sources, including:
 Hardware and software failures
 Natural and man-made disasters
 Human error
 Worms and viruses
 Denial-of-service attacks and other sabotage
[Figure: systems reliability model with the availability principle highlighted]

AVAILABILITY
 Minimizing Risk of System Downtime
 Loss of system availability can cause significant financial
losses, especially if the system affected is essential to e-
commerce.
 Organizations can take a variety of steps to minimize the
risk of system downtime.
 Physical and logical access controls can reduce the risk of
successful denial-of-service attacks.
 Good information security reduces risk of theft or sabotage of
IS resources.

AVAILABILITY
 Disaster Recovery and Business Continuity
Planning
 Disaster recovery and business continuity
plans are essential if an organization hopes
to survive a major catastrophe.
 Being without an IS for even a short period of
time can be quite costly—some report as
high as half a million dollars per hour.
 Yet many large U.S. companies do not have
adequate disaster recovery and business
continuity plans.
AVAILABILITY
 Key components of effective disaster
recovery and business continuity plans
include:
 Data backup procedures
 Provisions for access to replacement
infrastructure (equipment, facilities,
phone lines, etc.)
 Thorough documentation
 Periodic testing
 Adequate insurance

END of Chapter 5