ch7 lecture slides

Upload: romeo-balingao

Post on 03-Apr-2018


  • 7/28/2019 CH7 Lecture Slides

    1/30

    2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 222

    CHAPTER 7

    Information Systems Controls for Systems Reliability

    Part 1: Information Security

  • Slide 2 of 30

    INTRODUCTION

    One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:

    It provides an accurate, complete, and timely picture of the organization's activities.

    It is available when needed.

    The information and the system that produces it are protected from loss, compromise, and theft.

  • Slide 3 of 30

    INTRODUCTION

    The five basic principles that contribute to systems reliability:

    [Diagram: SYSTEMS RELIABILITY]

  • Slide 4 of 30

    INTRODUCTION

    The five basic principles that contribute to systems reliability:

    Security

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY]

    Access to the system and its data is controlled.

  • Slide 5 of 30

    INTRODUCTION

    The five basic principles that contribute to systems reliability:

    Security

    Confidentiality

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY and CONFIDENTIALITY]

    Sensitive information is protected from unauthorized disclosure.

  • Slide 6 of 30

    INTRODUCTION

    The five basic principles that contribute to systems reliability:

    Security

    Confidentiality

    Privacy

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY, CONFIDENTIALITY and PRIVACY]

    Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.

  • Slide 7 of 30

    INTRODUCTION

    The five basic principles that contribute to systems reliability:

    Security

    Confidentiality

    Privacy

    Processing integrity

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY, CONFIDENTIALITY, PRIVACY and PROCESSING INTEGRITY]

    Data is processed:

    Accurately

    Completely

    In a timely manner

    With proper authorization

  • Slide 8 of 30

    INTRODUCTION

    The five basic principles that contribute to systems reliability:

    Security

    Confidentiality

    Online privacy

    Processing integrity

    Availability

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY, CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY and AVAILABILITY]

    The system is available to meet operational and contractual obligations.

  • Slide 9 of 30

    INTRODUCTION

    Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:

    Restrict system access to only authorized users and protect:

    The confidentiality of sensitive organizational data.

    The privacy of personal identifying information collected from customers.

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY, CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY and AVAILABILITY]

  • Slide 10 of 30

    INTRODUCTION

    Security procedures also:

    Provide for processing integrity by preventing:

    Submission of unauthorized or fictitious transactions.

    Unauthorized changes to stored data or programs.

    Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

    [Diagram: SYSTEMS RELIABILITY resting on SECURITY, CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY and AVAILABILITY]

  • Slide 11 of 30

    FUNDAMENTAL INFORMATION SECURITY CONCEPTS

    There are three fundamental information security concepts that will be discussed in this chapter:

    Security as a management issue, not a technology issue.

    The time-based model of security.

    Defense in depth.


  • Slide 13 of 30

    TIME-BASED MODEL OF SECURITY

    Given enough time and resources, any preventive control can be circumvented.

    Consequently, effective control requires supplementing preventive procedures with:

    Methods for detecting incidents; and

    Procedures for taking corrective remedial action.

    Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization's economic and information resources.


  • Slide 15 of 30

    DEFENSE IN DEPTH

    The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.

    If one layer fails, another may function as planned.

    Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.

    Redundancy also applies to detective and corrective controls.

  • Slide 16 of 30

    PREVENTIVE CONTROLS

    The objective of preventive controls is to prevent security incidents from happening.

    Involves two related functions:

    Authentication: Focuses on verifying the identity of the person or device attempting to gain access.

    Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

  • Slide 17 of 30

    PREVENTIVE CONTROLS

    Each authentication method has its limitations.

    Passwords

    Physical identification techniques

    Biometric techniques

  • Slide 18 of 30

    PREVENTIVE CONTROLS

    Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.

    Example: Using a palm print and a PIN together is much more effective than using either method alone.

  • Slide 19 of 30

    PREVENTIVE CONTROLS

    Authorization controls are implemented by creating an access control matrix.

    Specifies what part of the IS a user can access and what actions they are permitted to perform.

    When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

  • Slide 20 of 30

    PREVENTIVE CONTROLS

    Who has the authority to delete Program 2?

    User Identification        Files        Programs
    Code Number   Password     A  B  C      1  2  3  4
    12345         ABC          0  0  1      0  0  0  0
    12346         DEF          0  2  0      0  0  0  0
    12354         KLM          1  1  1      0  0  0  0
    12359         NOP          3  0  0      0  0  0  0
    12389         RST          0  1  0      0  3  0  0
    12567         XYZ          1  1  1      1  1  1  1

    Codes for type of access:

    0 = No access permitted

    1 = Read and display only

    2 = Read, display, and update

    3 = Read, display, update, create, and delete
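The matrix above, encoded as data together with the compatibility test described on the previous slide, as an added example that is not part of the original slides: authentication checks the code number and password, authorization looks up the access code for the requested resource and compares it with the minimum code the action needs, and a default-deny rule covers unknown users, actions and resources. The mapping from actions to minimum codes is derived from the slide's legend; the function names are this example's own.

```python
# Added example (not from the Romney/Steinbart slides): the slide-20 access
# control matrix encoded as data, with the "compatibility test" of slide 19.
# Authentication checks code number + password; authorization compares the
# access code granted for a resource with the minimum the action requires.

# Access codes, exactly as defined in the slide's legend.
NO_ACCESS, READ, UPDATE, FULL = 0, 1, 2, 3

# Minimum access code each action requires (derived from the legend).
REQUIRED_CODE = {"read": READ, "display": READ, "update": UPDATE,
                 "create": FULL, "delete": FULL}

# Column order of the matrix: files A-C, then programs 1-4.
RESOURCES = ["File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4"]

# (code number, password) -> access codes in RESOURCES order, as on the slide.
MATRIX = {
    ("12345", "ABC"): [0, 0, 1, 0, 0, 0, 0],
    ("12346", "DEF"): [0, 2, 0, 0, 0, 0, 0],
    ("12354", "KLM"): [1, 1, 1, 0, 0, 0, 0],
    ("12359", "NOP"): [3, 0, 0, 0, 0, 0, 0],
    ("12389", "RST"): [0, 1, 0, 0, 3, 0, 0],
    ("12567", "XYZ"): [1, 1, 1, 1, 1, 1, 1],
}

def authenticate(code_number, password):
    """Authentication: a known code number presented with its password."""
    return (code_number, password) in MATRIX

def compatibility_test(code_number, password, action, resource):
    """Authorization: allow only if the user authenticates and the matrix
    grants at least the code level the action requires (default deny)."""
    if not authenticate(code_number, password):
        return False
    if action not in REQUIRED_CODE or resource not in RESOURCES:
        return False
    granted = MATRIX[(code_number, password)][RESOURCES.index(resource)]
    return granted >= REQUIRED_CODE[action]

def who_can(action, resource):
    """Answer the slide's question: which code numbers may perform the action?"""
    return sorted(code for (code, pw) in MATRIX
                  if compatibility_test(code, pw, action, resource))

if __name__ == "__main__":
    print("Can delete Program 2:", who_can("delete", "Program 2"))  # ['12389']
```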

  • Slide 21 of 30

    PREVENTIVE CONTROLS

    These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.

  • Slide 22 of 30

    DETECTIVE CONTROLS

    Preventive controls are never 100% effective in blocking all attacks.

    So organizations implement detective controls to enhance security by:

    Monitoring the effectiveness of preventive controls; and

    Detecting incidents in which preventive controls have been circumvented.

  • Slide 23 of 30

    DETECTIVE CONTROLS

    Authentication and authorization controls (both preventive and detective) govern access to the system and limit the actions that can be performed by authorized users.

    Actual system use (detective control) must be examined to assess compliance through:

    Log analysis

    Intrusion detection systems

    Managerial reports

    Periodically testing the effectiveness of existing security procedures

  • Slide 24 of 30

    CORRECTIVE CONTROLS

    COBIT specifies the need to identify and handle security incidents.

    Two of the Trust Services framework criteria for effective security are the existence of procedures to:

    React to system security breaches and other incidents.

    Take corrective action on a timely basis.

  • Slide 25 of 30

    CORRECTIVE CONTROLS

    Three key components that satisfy the preceding criteria are:

    Establishment of a computer emergency response team.

    Designation of a specific individual with organization-wide responsibility for security.

    An organized patch management system.

  • Slide 26 of 30

    CORRECTIVE CONTROLS

    Computer emergency response team

    A key component to being able to respond to security incidents promptly and effectively is the establishment of a computer emergency response team (CERT).

    Responsible for dealing with major incidents.

    Should include technical specialists and senior operations management.

    Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.


  • Slide 28 of 30

    CORRECTIVE CONTROLS

    A chief security officer (CSO):

    Should be independent of other IS functions and report to either the COO or CEO.

    Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.

    Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.

    Works with the person in charge of building security, as that is often the entity's weakest link.

    Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.


  • Slide 30 of 30

    CORRECTIVE CONTROLS

    Patch management is the process for regularly applying patches and updates to all of an organization's software.

    Challenging to do because:

    Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.

    There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.