Information Systems Security


CPA FOUNDATION LEVEL 2

ICT NOTES
INFORMATION SYSTEM SECURITY

DEFINITION OF INFORMATION SYSTEM SECURITY


• Commonly referred to as data security, it refers to the policies, procedures and technical measures that are
used to prevent unauthorized access, alteration, theft or physical damage to information system resources.
• Security may also be defined as the protection of data from accidental or deliberate threats that might cause
unauthorized modification, disclosure or destruction of data, as well as the protection of information systems
from degradation.

SECURITY GOALS
To retain a competitive advantage and to meet basic business requirements, organizations must endeavor to
achieve the following security goals.
1. Confidentiality
Protect information value and preserve the confidentiality of sensitive data. Information should not be
disclosed without authorization. Information the release of which is permitted to a certain section of the
public should be identified and protected against unauthorized disclosure.
2. Integrity
Ensure the accuracy and reliability of the information stored on the computer systems. Information has
integrity if it reflects some real world situation or is consistent with the real world situation. Information should
not be altered without authorization. Hardware designed to perform some functions has lost integrity if it
does not perform those functions correctly. Software has lost integrity if it does not perform according to
its specifications. Communication channels should relay messages in a secure manner so that integrity is
preserved. People should ensure the system functions according to the specifications.
3. Availability
Ensure the continued availability of the information system and all its assets to legitimate users at an
acceptable level of service or quality of service. Any event that degrades performance or quality of a system
affects availability.

SECURITY POLICY
Security failures can be costly to business. Losses may be suffered as a result of the failure itself or costs can
be incurred when recovering from the incident, followed by more costs to secure systems and prevent further
failure. A well-defined set of security policies and procedures can prevent losses and save money.
The information systems security policy is the responsibility of the top management of an organization, who
delegate its implementation to the appropriate level of management while retaining ongoing control.
The policy contributes to the protection of information assets.
Its objective is to protect the information against all types of risks, accidental or intentional. An existing and
enforced security policy should ensure systems conformity with laws and regulations, integrity of data,
confidentiality and availability.
Key components of such a policy include the following:
1. Management support and commitment – management should approve and support formal security
awareness and training.
2. Access philosophy – access to computerized information should be based on a documented ‘need-to-know,
need-to-do’ basis.
3. Compliance with relevant legislation and regulations
4. Access authorization – the data owner or manager responsible for the accurate use and reporting of the
information should provide written authorization for users to gain access to computerized information.
5. Reviews of access authorization – like any other control, access controls should be evaluated regularly to
ensure they are still effective.
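The access philosophy, access authorization and review components above can be seen working together in a small access register. This is an added example, not part of the notes: the users, data sets, owners and dates are constructed, and the register is deliberately deny-by-default so that a user without an unexpired, owner-issued grant gets nothing.

```python
"""Added example (not from the notes): a small access register that applies the
"need-to-know, need-to-do" access philosophy, the data owner's written
authorization, and the periodic review of access rights. Users, data sets,
owners and dates are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Authorization:
    user: str
    dataset: str
    granted_by: str      # must be the owner responsible for the data set
    purpose: str         # the documented need-to-know / need-to-do reason
    expires: date        # grants lapse unless renewed at review


@dataclass
class AccessRegister:
    owners: dict                          # data set -> responsible owner
    grants: list = field(default_factory=list)

    def authorize(self, auth: Authorization) -> None:
        """Record a grant; only the responsible data owner may issue one."""
        if self.owners.get(auth.dataset) != auth.granted_by:
            raise PermissionError(
                f"{auth.granted_by} is not the owner of {auth.dataset}")
        self.grants.append(auth)

    def is_allowed(self, user: str, dataset: str, today: date) -> bool:
        """Deny by default: access requires an unexpired grant for this data set."""
        return any(g.user == user and g.dataset == dataset and g.expires >= today
                   for g in self.grants)

    def review(self, today: date, horizon_days: int = 30) -> dict:
        """Periodic review: expired grants to revoke, and grants about to expire."""
        expired = [g.user + "/" + g.dataset for g in self.grants if g.expires < today]
        due = [g.user + "/" + g.dataset for g in self.grants
               if today <= g.expires <= today + timedelta(days=horizon_days)]
        return {"expired": expired, "expiring_soon": due}


def build_demo_register() -> AccessRegister:
    """Constructed sample: payroll is owned by HR, the ledger by Finance."""
    reg = AccessRegister(owners={"payroll": "hr_manager", "ledger": "finance_manager"})
    reg.authorize(Authorization("alice", "payroll", "hr_manager",
                                "processes monthly payroll", date(2024, 6, 30)))
    reg.authorize(Authorization("bob", "ledger", "finance_manager",
                                "prepares quarterly accounts", date(2024, 7, 15)))
    return reg


def demo_checks(today_iso: str = "2024-07-01") -> dict:
    """Exercise the register on a given date; returns the outcomes for inspection."""
    reg = build_demo_register()
    today = date.fromisoformat(today_iso)
    try:   # a user attempting to authorize themselves is refused
        reg.authorize(Authorization("eve", "payroll", "eve", "curious", today))
        self_grant_rejected = False
    except PermissionError:
        self_grant_rejected = True
    return {
        "alice_payroll": reg.is_allowed("alice", "payroll", today),  # grant expired
        "bob_ledger": reg.is_allowed("bob", "ledger", today),
        "bob_payroll": reg.is_allowed("bob", "payroll", today),      # never granted
        "self_grant_rejected": self_grant_rejected,
        "review": reg.review(today),
    }


if __name__ == "__main__":
    for key, value in demo_checks().items():
        print(key, value)
```

The review step is what keeps the register honest: an expired grant is simply ignored by the access check, and the review output tells the data owner what to revoke or renew.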

THREATS TO DATA SECURITY


When large amounts of data are stored in electronic form, they are exposed to many more kinds of threats than
when they exist in manual form.
A vulnerability is a weakness within the system that can potentially lead to loss or harm. A system whose
programs contain flaws is vulnerable, and so is a system located where natural disasters are likely to occur.
A threat is a possible danger that might exploit a vulnerability to breach security and thus cause harm.
Threats may lead to complete data loss, data corruption or inability to access data. Threats can originate from
technical, organizational and environmental factors, compounded by poor management decisions. Common
threats include:
Hardware failure
It may be either partial or complete. When computer hardware fails, data may be completely lost or may not be
accessible. For example, when the microprocessor or computer memory fails, data will not be accessible
because the computer system will not boot; if the hard drive fails, all the data on it will be lost.
Software failure
When computer software (system or application software) fails, computer users will not be able to access the
data stored in the database.
Electrical problems
Electrical problems such as spikes, surges, sags, brownouts and blackouts may result in excess power or
low power levels. Excess power may damage computer equipment and hence destroy the data stored in
the storage devices. Low power means that the computer system will not boot, hence data will not be accessible.
Computer viruses
A computer virus is a program designed to replicate itself by copying itself into other programs stored in a
computer. A virus may destroy data, corrupt it or make it inaccessible.
User errors
When computer users accidentally or intentionally delete files or alter contents of files, they are interfering
with the security of an organization’s data.
Natural disasters
Fire, electrical storms, floods etc. are natural disasters that may destroy computer resources.

DATA SECURITY CONTROLS


Controls are a combination of manual and automated measures that safeguard information systems and ensure
that they perform according to management standards.
They consist of all the methods, policies and organizational procedures that ensure the safety of organizational
assets, the accuracy and reliability of its accounting records and operational adherence to management standards.
Controls are countermeasures to the threats and are required to minimize errors, disasters, interruptions of
service, and computer crime.

Types of data security controls


They are classified into two groups namely general controls and application controls.

GENERAL CONTROLS
They apply to all computerized applications and consist of a combination of hardware, software and manual
procedures that create an overall control environment.
Types of general controls
Administrative controls
These are formalized standards, rules, procedures and control disciplines aimed at ensuring that the
organization's resources are properly used. They ensure that job functions are designed to minimize the risk of
errors or fraudulent manipulation of the organization's data.
They include:
• Administrative procedures – put in place by an organization to ensure that users only do what
they have been authorized to do
• Legal provisions – serve as security controls and discourage some forms of physical threats
• Ensuring that performance standards are clearly defined and frequently revised
• Definition of procedures for recovering the systems in case of failure
Software controls
They are aimed at minimizing software failure. They are controls that monitor use of software to prevent
unauthorized access to system software, application software and data.
They include:
• Definition of passwords and data access permissions
• Installation of antivirus programs
Hardware controls
They ensure that computer hardware is physically secure and check for equipment malfunctions.
They include:
• Locking of system units in cabinets to prevent theft of computer parts
• Using surge protectors or uninterruptible power supply units (UPS) to protect the hardware from electrical
problems.
Implementation controls
These are controls that monitor the system development process at various stages to ensure that the process is
properly controlled and managed. They are commonly referred to as system development controls.
They include:
• Ensuring that users are involved in the development and implementation of systems.
• Ensuring that systems are properly tested before they are delivered to the users.
• Training of users to minimize user errors.
• Use of quality assurance techniques to ensure that the output is of acceptable quality.

APPLICATION CONTROLS
IT application or program controls are designed to ensure the complete and accurate processing of data, from
input through output. They are controls over the input, processing and output functions

TYPES OF APPLICATION CONTROLS


INPUT CONTROLS
They are specific controls which relate to data input.
They verify the data for accuracy and completeness before it is entered into a computer system.
They include:
• Ensuring that data capture devices are properly configured.
• Ensuring that the staff who key data are properly trained.
• Designing input screens to facilitate easy data entry.

PROCESSING CONTROLS
They establish that the data to be processed is accurate, complete and has value before it can be processed.
They include data validation and data editing controls.
Data validation identifies data errors, incomplete or missing data and inconsistencies among related data
items. Validation controls ensure that the data to be processed has value, i.e. it will enable the organization to
achieve its objectives.

Types of validation checks are:

Range or limit checks
These checks ensure that the data to be processed is within the pre-defined limits or range.
File existence checks
Checks that a file with a specified name exists. This check is essential for programs that use file handling.
Format checks
They ensure that the data to be processed is in the appropriate format, which may be text, number, date/time,
currency etc.
Consistency checks
Checks fields to ensure that the data in related fields corresponds, e.g., if Title = "Mr.", then Gender = "M".
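The four validation checks listed above, applied to constructed payroll records. This is an added example and not part of the notes; the field names, the hours limit of 1 to 200 and the record layout are assumptions chosen for illustration, and the consistency rule is the Title/Gender rule from the text.

```python
"""Added example (not from the notes): range, file existence, format and
consistency checks run over constructed payroll records. Field names, limits
and record layout are assumptions for illustration."""
import os
import re
import tempfile
from datetime import datetime


def range_check(value, low, high) -> bool:
    """Range/limit check: the value must lie within the pre-defined limits."""
    return low <= value <= high


def file_existence_check(path) -> bool:
    """File existence check: a file with the specified name must exist."""
    return os.path.isfile(path)


def _parses(value, fmt) -> bool:
    try:
        datetime.strptime(str(value), fmt)
        return True
    except ValueError:
        return False


# Format check rules for the data types named in the notes (constructed patterns).
FORMATS = {
    "text":     lambda v: isinstance(v, str) and v.strip() != "",
    "number":   lambda v: re.fullmatch(r"-?\d+(\.\d+)?", str(v)) is not None,
    "date":     lambda v: _parses(v, "%Y-%m-%d"),
    "currency": lambda v: re.fullmatch(r"\d+\.\d{2}", str(v)) is not None,
}


def format_check(value, kind) -> bool:
    """Format check: the value must match the expected type."""
    return FORMATS[kind](value)


def consistency_check(record) -> bool:
    """Consistency check across related fields: Title 'Mr.' implies Gender 'M'."""
    title, gender = record.get("title"), record.get("gender")
    if title == "Mr." and gender != "M":
        return False
    if title in ("Mrs.", "Ms.") and gender != "F":
        return False
    return True


def validate_record(record, hours_limits=(1, 200)) -> list:
    """Run every check on one record; return the list of error descriptions."""
    errors = []
    if not format_check(record.get("name"), "text"):
        errors.append("name: not text")
    if not format_check(record.get("hours"), "number"):
        errors.append("hours: not a number")
    elif not range_check(float(record["hours"]), *hours_limits):
        errors.append(f"hours: outside limits {hours_limits}")
    if not format_check(record.get("pay_date"), "date"):
        errors.append("pay_date: not a date (YYYY-MM-DD)")
    if not format_check(record.get("gross_pay"), "currency"):
        errors.append("gross_pay: not currency (two decimals)")
    if not consistency_check(record):
        errors.append("title/gender: inconsistent")
    return errors


# Constructed sample input: one clean record, one with several defects.
SAMPLE_RECORDS = [
    {"name": "A. Mwangi", "title": "Mr.", "gender": "M", "hours": "160",
     "pay_date": "2024-03-31", "gross_pay": "85000.00"},
    {"name": "", "title": "Mr.", "gender": "F", "hours": "999",
     "pay_date": "31/03/2024", "gross_pay": "85000"},
]


def run_demo() -> dict:
    """Validate the sample records and exercise the file existence check."""
    results = {i: validate_record(r) for i, r in enumerate(SAMPLE_RECORDS)}
    with tempfile.NamedTemporaryFile(suffix=".csv") as tmp:   # exists while open
        results["file_present"] = file_existence_check(tmp.name)
    results["file_missing"] = file_existence_check("/no/such/payroll.csv")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Each check reports its own error rather than stopping at the first one, so a rejected record comes back with the complete list of defects to correct before re-entry.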

OUTPUT CONTROLS
They ensure that the results of processing are accurate, complete and properly distributed.
They include:
1. There should be guidelines on how, where and when to destroy output
2. The output should be clearly labeled with descriptive headings and processing dates.
3. There should be a distribution list to ensure that only those specified will receive the output
4. Those who attempt to access softcopy output should be required to key in passwords.

COMPUTER CRIME AND ABUSE


COMPUTER CRIME
This is the commission of illegal acts through the use of a computer system. It may destroy or corrupt data.
Crime may be either online or offline. Online crime (cyber-crime/fraud) is carried out over the internet, an intranet or an
extranet, while offline crime involves physical access to data and other resources.
Types of computer crime
Hacking
It involves accessing an organization or individual’s data without permission. Hacking may be online or
offline.
Malicious Software
Cyber criminals use internet based software to transmit computer viruses which destroy or corrupt data.
Sniffing
It is a form of online fraud that involves configuring software to intercept data that is passing from a user to
the computer that is hosting a website.
Spoofing
Spoofers fraudulently misrepresent themselves as other organizations by setting up false websites from where
they can collect information about unsuspecting visitors to the website.

COMPUTER ABUSE
This is the commission of acts which are not illegal but are unethical, using the computer system.
The two most common types of computer abuse are:
Spamming
This is the sending of unsolicited mass e-mail to people who have not requested the messages.
Jamming
This is the use of software routines to tie up the computer that is hosting the website so that legitimate users
or visitors do not have access to the site.

TECHNIQUES TO PREVENT ONLINE FRAUD/CRIME


Firewalls
They are used to protect sections of websites or the entire network from unauthorized access. A software
firewall is configured to examine the user's details before the user is allowed to access the network
resources.
Intrusion detection systems
They are programs or software tools configured to protect the most vulnerable points of public
networks. They are aimed at detecting and deterring intruders.
They scan the entire system and report any hacking attempt by displaying warning messages.
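The firewall and intrusion detection ideas above, reduced to their essentials in an added example that is not part of the notes: a first-match, default-deny rule set that decides whether a connection may reach the network, and a detector that scans login records and raises a warning when one address fails to log in repeatedly. The addresses, ports, threshold and log line format are constructed for illustration.

```python
"""Added example (not from the notes): a packet-filter style firewall rule set
and a small intrusion-detection check that scans constructed log lines for
repeated failed logins. Addresses, ports, thresholds and the log format are
assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Firewall rules: first match wins, and anything unmatched is denied (constructed policy).
FIREWALL_RULES = [
    # (action, source network, destination port; None = any port)
    ("allow", "10.0.0.0/8", 443),     # internal users may reach the web application
    ("allow", "0.0.0.0/0", 80),       # anyone may read the public web site
    ("deny", "0.0.0.0/0", None),      # everything else is refused
]


def firewall_decision(src_ip: str, dst_port: int, rules=FIREWALL_RULES) -> str:
    """Return 'allow' or 'deny' for a connection from src_ip to dst_port."""
    src = ip_address(src_ip)
    for action, net, port in rules:
        if src in ip_network(net) and (port is None or port == dst_port):
            return action
    return "deny"   # default deny if no rule matched at all


# IDS: warn when one source address fails to log in too often (constructed threshold).
FAILED_LOGIN_THRESHOLD = 3


def detect_login_attacks(log_lines, threshold=FAILED_LOGIN_THRESHOLD) -> list:
    """Scan login records and report addresses with repeated failures."""
    failures = defaultdict(int)
    for line in log_lines:
        # Constructed record format: "<time> LOGIN <user> <ip> <OK|FAIL>"
        parts = line.split()
        if len(parts) == 5 and parts[1] == "LOGIN" and parts[4] == "FAIL":
            failures[parts[3]] += 1
    return [f"WARNING: {count} failed logins from {ip}"
            for ip, count in sorted(failures.items()) if count >= threshold]


# Constructed sample log: one address tries several accounts and fails each time.
SAMPLE_LOG = [
    "09:00:01 LOGIN alice 10.1.1.5 OK",
    "09:00:07 LOGIN admin 203.0.113.9 FAIL",
    "09:00:09 LOGIN admin 203.0.113.9 FAIL",
    "09:00:12 LOGIN root 203.0.113.9 FAIL",
    "09:00:15 LOGIN bob 10.1.1.6 FAIL",
    "09:00:20 LOGIN bob 10.1.1.6 OK",
]


if __name__ == "__main__":
    print(firewall_decision("10.2.3.4", 443))        # internal user -> allow
    print(firewall_decision("198.51.100.7", 443))    # outsider to the app -> deny
    for warning in detect_login_attacks(SAMPLE_LOG):
        print(warning)
```

Note that bob's single failure followed by a successful login stays below the threshold, which is the kind of distinction a detector must make to avoid drowning real warnings in noise.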
Data encryption
This is the encoding of messages before they are transmitted. The message is encrypted using the intended
receiver's public encryption key. When the receiver gets the message, he/she will decrypt the
message using the matching private key.
Digital signatures
They are electronic codes that are attached to documents being transmitted so that the receiver can determine
the origin of the documents and verify whether they have been tampered with or not.
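The two mechanisms just described, public-key encryption and digital signatures, are shown together in an added example that is not part of the notes. It uses textbook RSA with small fixed primes so that the key relationship is visible in a few lines of arithmetic; the primes, the message and the byte-at-a-time encryption are illustration-only assumptions, and a real system uses a vetted cryptographic library with keys of 2048 bits or more.

```python
"""Added example (not from the notes): public-key encryption and a digital
signature with textbook RSA on small fixed primes. Toy parameters only; the
message and primes are constructed for illustration."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) keys for the primes p and q (assumed prime)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public) -> list:
    """Sender encrypts with the receiver's public key.

    One block per byte keeps the arithmetic readable; because it is
    deterministic it also leaks repeated bytes, which is why real systems
    pad and use hybrid encryption instead."""
    e, n = public
    return [pow(b, e, n) for b in message]


def decrypt(blocks: list, private) -> bytes:
    """Receiver decrypts with the matching private key."""
    d, n = private
    return bytes(pow(c, d, n) for c in blocks)


def _digest(document: bytes, n: int) -> int:
    """Hash the document and reduce the digest into the key's modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private) -> int:
    """Signer transforms the document digest with their private key."""
    d, n = private
    return pow(_digest(document, n), d, n)


def verify(document: bytes, signature: int, public) -> bool:
    """Receiver recomputes the digest and checks it against the signature."""
    e, n = public
    return pow(signature, e, n) == _digest(document, n)


def demo() -> dict:
    """Encrypt for the receiver, sign as the sender, then detect tampering."""
    receiver_public, receiver_private = make_keypair(1009, 1013)
    sender_public, sender_private = make_keypair(1019, 1021)
    message = b"Transfer 500 to account 1001"      # constructed message
    ciphertext = encrypt(message, receiver_public)
    signature = sign(message, sender_private)
    tampered = message.replace(b"500", b"5000")
    return {
        "decrypted": decrypt(ciphertext, receiver_private),
        "signature_valid": verify(message, signature, sender_public),
        "tampered_valid": verify(tampered, signature, sender_public),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The roles of the keys are the point to notice: encryption uses the receiver's public key and only the receiver's private key undoes it, while signing uses the sender's private key and anyone holding the sender's public key can check both origin and integrity.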

RISK MANAGEMENT
Risk refers to participating in an activity whose outcome is uncertain or is likely to interfere with data security.
Risk management is the technique for identifying, assessing and mitigating the operational risk facing an
organization. It focuses on evaluating the impact of the risk and looking for ways of correcting it.
Principles of risk management
1. It should be systematic and structured
2. It should address all the uncertainties
3. It should be flexible or responsive to change
4. It should focus on creating value in the organization
5. It should be capable of continual improvement and enhancement
6. It should be tailored to meet specific objectives

RISK IDENTIFICATION
Risk identification is the process of documenting any risks that could keep an organization or program from
reaching its objective. It's the first step in the risk management process, which is designed to help companies
understand and plan for potential risks.

RISK ASSESSMENT
Risk assessment is a systematic process performed by a competent person which involves identifying,
analyzing, and controlling hazards and risks present in a situation or a place. This decision-making tool aims
to determine which measures should be put in place in order to eliminate or control those risks, as well as
specify which of them should be prioritized according to their likelihood and impact on the
business.

RISK MITIGATION
Risk mitigation, the third process of risk management, involves prioritizing, evaluating, and implementing the
appropriate risk-reducing controls recommended from the risk assessment process.
Risk mitigation options (strategies)
Risk mitigation is a systematic methodology used by senior management to reduce mission risk. Risk
mitigation can be achieved through any of the following risk mitigation options or strategies:
Risk Assumption.
To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to
an acceptable level
Risk Avoidance.
To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system
or shut down the system when risks are identified)
Risk Limitation.
To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a
vulnerability (e.g., use of supporting, preventive, detective controls)
Risk Transference.
To transfer the risk by using other options to compensate for the loss such as purchasing insurance.

BUSINESS CONTINUITY PLANNING (BCP)


• BCP may be a part of an organizational learning effort that helps reduce operational risk. A backup plan that
allows any business event to run uninterrupted is part of the business continuity plan. BCP is aimed at improving the
business processes of an organization in order to achieve its mission and ensure continuity.
• As companies increasingly rely on digital networks for their revenue and operations, they need to take
additional steps to ensure that their systems and applications are always available. Many factors can disrupt
the performance of a Web site, including denial of service attacks, network failure, heavy Internet traffic,
and exhausted server resources.
• Computer failures, interruptions, and downtime translate into disgruntled customers, millions of dollars in
lost sales, and the inability to perform critical internal transactions. Downtime refers to periods of time in
which a system is not operational.
• Fault-tolerant computer systems contain redundant hardware, software, and power supply components
that create an environment that provides continuous, uninterrupted service. Fault-tolerant computers
contain extra memory chips, processors, and disk storage devices to back up a system and keep it running
to prevent failure. They use special software routines or self-checking logic built into their circuitry to
detect hardware failures and automatically switch to a backup device. Parts from these computers can be
removed and repaired without disruption to the computer system.
• Fault tolerance should be distinguished from high-availability computing. Both fault tolerance and
high-availability computing are designed to maximize application and system availability. Both use backup
hardware resources. However, high-availability computing helps firms recover quickly from a crash,
whereas fault tolerance promises continuous availability and the elimination of recovery time altogether.
High-availability computing environments are a minimum requirement for firms with heavy electronic
commerce processing or for firms that depend on digital networks for their internal operations.
• High-availability computing requires an assortment of tools and technologies to ensure maximum
performance of computer systems and networks, including redundant servers, mirroring, load balancing,
clustering, high-capacity storage, and good disaster recovery and business continuity plans. The firm’s
computing platform must be extremely robust with scalable processing power, storage, and bandwidth.
Load balancing distributes large numbers of access requests across multiple servers. The requests are
directed to the most available server so that no single device is overwhelmed. If one server starts to get
swamped, requests are forwarded to another server with more capacity.
Mirroring uses a backup server that duplicates all the processes and transactions of the primary server. If
the primary server fails, the backup server can immediately take its place without any interruption in
service. However, server mirroring is very expensive because each server must be mirrored by an identical
server whose only purpose is to be available in the event of a failure.
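Load balancing and mirroring, as described in the two paragraphs above, simulated in an added example that is not part of the notes. The load balancer sends each request to the server with the most spare capacity; the mirrored pair applies every transaction to both servers so that the standby holds an identical record and can serve immediately when the primary fails. Server names, capacities and transactions are constructed; re-synchronising a repaired primary is outside the scope of the example.

```python
"""Added example (not from the notes): a simulation of least-loaded request
dispatch (load balancing) and a mirrored standby that takes over when the
primary fails. Server names, capacities and transactions are constructed."""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    capacity: int            # requests it can handle at once
    active: int = 0          # requests currently in progress
    up: bool = True

    def spare(self) -> int:
        """Spare capacity; a server that is down has none."""
        return self.capacity - self.active if self.up else 0


class LoadBalancer:
    """Directs each request to the server with the most spare capacity."""

    def __init__(self, servers):
        self.servers = servers

    def route(self, request_id) -> str:
        candidates = [s for s in self.servers if s.spare() > 0]
        if not candidates:
            raise RuntimeError(f"request {request_id}: every server is saturated or down")
        target = max(candidates, key=Server.spare)   # first server wins a tie
        target.active += 1
        return target.name

    def finish(self, name: str) -> None:
        """A request completed; free one slot on that server."""
        next(s for s in self.servers if s.name == name).active -= 1


@dataclass
class MirroredServer:
    name: str
    up: bool = True
    journal: list = field(default_factory=list)   # transactions applied so far


class MirroredPair:
    """Primary plus a standby that duplicates every transaction."""

    def __init__(self, primary: MirroredServer, backup: MirroredServer):
        self.primary, self.backup = primary, backup

    def apply(self, txn: str) -> str:
        """Apply the transaction to every live server; report which one served it."""
        served_by = None
        for s in (self.primary, self.backup):
            if s.up:
                s.journal.append(txn)
                served_by = served_by or s.name
        if served_by is None:
            raise RuntimeError("both mirrored servers are down")
        return served_by

    def current_state(self) -> list:
        """The journal of whichever server is currently serving."""
        live = self.primary if self.primary.up else self.backup
        return list(live.journal)


def demo() -> dict:
    farm = [Server("web1", capacity=2), Server("web2", capacity=3)]
    lb = LoadBalancer(farm)
    routed = [lb.route(i) for i in range(4)]          # spread across both servers
    farm[0].up = False                                 # web1 crashes
    routed_after = lb.route(4)                         # only web2 can take it

    pair = MirroredPair(MirroredServer("db-primary"), MirroredServer("db-mirror"))
    first = pair.apply("credit account 1001 by 500")
    pair.primary.up = False                            # primary fails
    second = pair.apply("debit account 1001 by 120")   # mirror serves at once
    return {
        "routed": routed,
        "routed_after_failure": routed_after,
        "served_before": first,
        "served_after": second,
        "mirror_state": pair.current_state(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The mirror's cost, noted in the text, shows up in the simulation too: the standby does every unit of work the primary does, purely so that its journal is complete at the moment of failure.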

BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING


Disaster recovery planning devises plans for the restoration of computing and communications services after
they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Disaster recovery plans
focus primarily on the technical issues involved in keeping systems up and running, such as which files to
back up and the maintenance of backup computer systems or disaster recovery services.
Business continuity planning focuses on how the company can restore business operations after a disaster
strikes. The business continuity plan identifies critical business processes and determines action plans for
handling mission-critical functions if systems go down.
Business managers and information technology specialists need to work together on both types of plans to
determine which systems and business processes are most critical to the company. They must conduct a
business impact analysis to identify the firm’s most critical systems and the impact a systems outage would
have on the business.
Management must determine the maximum amount of time the business can survive with its systems down
and which parts of the business must be restored first.
