Download - UNPAD03 - IT Environment2 v1
-
7/24/2019 UNPAD03 - IT Environment2 v1
1/64
Technology and Security Risk Services
3 Oct 2005 1

Session 3
IT Environment (2)
for Universitas Padjadjaran Accounting Department
IT Audit S1 Regular Class
by Isnaeni Achdiat, CISA, CIA, CISM and Shinta Marina
1 October 2005

IS Audit Syllabus

No  Subject Name                               Date
 1  Introduction of IS Audit                   17-Sep-05
 2  IT Environment (1)                         24-Sep-05
 3  IT Environment (2)                          1-Oct-05
 4  IT Processes                                8-Oct-05
 5  General Computer Control Review (1)        15-Oct-05
 6  General Computer Control Review (2)        22-Oct-05
 7  General Computer Control Case Study        29-Oct-05
 8  Mid-semester Exam                          12-Nov-05
 9  Application Control Review (1)             19-Nov-05
10  Application Control Review (2)             26-Nov-05
11  Application Control Case Study              3-Dec-05
12  IT Sarbanes-Oxley and IT Governance        10-Dec-05
13  IT Security and Data Analysis Approach     17-Dec-05
14  IT Risk Management & ERP Systems           24-Dec-05
15  Final Exam                                 TBA

Agenda

Operating Systems
Application Software
Database and DBMS
Data Center
Network & telecommunication infrastructure
Internet & Firewalls

Session 3 Objectives

Gain an understanding of the importance and role of IT for the business
Understand the IT organization and its requirements
Introduce the students to:
  The concepts of operating systems, databases, applications and data centers
  The risks and controls associated with them, and
  The basic audit/review aspects and considerations of the above concepts

Operating Systems

Operating Systems

Operating system tasks
Major operating systems
Operating system software risks and controls
Operating system review/audit techniques
Operating system audit tools

Operating Systems
Operating system tasks

Permits users to share hardware and data
Schedules resources among users
Informs users of any errors that occur with the processor, I/O or programs
Recovers from system errors
Handles communication between the O/S and application programs, allocating memory to processes and making the memory available again upon completion of a process
Manages system files and system accounting

Operating Systems
Major operating systems

Mainframe: MVS, Unisys, etc.
Midrange/minicomputers: OS/400, VMS, Unix, SunOS, etc.
Microcomputers: Unix, Windows NT, Windows 2000, Novell NetWare, OS/2, Mac OS, DOS, Linux

Operating Systems
Risks and Controls

Risk                                Controls
Unauthorized access                 Strong security management (including user rights and password controls management)
                                    Separation of duties
Poor logging and audit trails       Auditors' involvement in the requirement and design phase
                                    Periodic review of logs
Incompatibility with applications   Change management

Operating Systems
Review/Audit techniques

System software selection procedures: address the IS and business plan, meet control requirements, feasibility study, cost-benefit analysis
Installation controls: written plan for installation, documentation, identification before being placed into production
Maintenance activities
Change controls for system software: access limitation to the library; changes are documented and tested
Systems documentation
Licensing: protects against the possibility of penalties and against public embarrassment
Security parameters (special functions, passwords)
Audit and logging
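Several of the controls and review techniques listed above (periodic review of logs, separation of duties, user-rights and password controls) can be tested on extracted data rather than by interview alone. The following Python script is an added example for this section, not part of the original lecture material: it reviews a constructed audit-log extract and a constructed user-rights table for failed-logon bursts, privileged logons outside business hours, and users holding conflicting duties. The log format, user names, role names, failure threshold and business-hours window are all assumptions chosen for illustration.

```python
"""Periodic review of an O/S audit log extract and user-rights list.

Added example; the log lines, user names, roles and thresholds below are
constructed for illustration and do not describe any real system.
"""
from collections import Counter
from datetime import datetime

# Constructed log extract, one event per line:
# "<date> <time> <EVENT> user=<id> src=<host-or-ip>"
AUDIT_LOG = """\
2005-10-03 08:55:12 LOGIN_OK   user=ahmad    src=ws-101
2005-10-03 09:01:03 LOGIN_FAIL user=root     src=10.0.5.9
2005-10-03 09:01:04 LOGIN_FAIL user=root     src=10.0.5.9
2005-10-03 09:01:05 LOGIN_FAIL user=root     src=10.0.5.9
2005-10-03 09:01:06 LOGIN_FAIL user=root     src=10.0.5.9
2005-10-03 09:01:07 LOGIN_FAIL user=root     src=10.0.5.9
2005-10-03 09:01:09 LOGIN_OK   user=root     src=10.0.5.9
2005-10-03 14:12:00 LOGIN_OK   user=budi     src=ws-102
2005-10-03 23:40:51 LOGIN_OK   user=sysadmin src=ws-007
"""

# Constructed user-rights table: user -> roles granted on the system
USER_RIGHTS = {
    "ahmad":    {"developer"},
    "budi":     {"developer", "production_operator"},
    "sysadmin": {"security_admin"},
    "root":     {"security_admin", "production_operator"},
}

# Assumed review parameters
CONFLICTING_ROLES = [("developer", "production_operator"),
                     ("security_admin", "production_operator")]
PRIVILEGED_USERS = {"root", "sysadmin"}
BUSINESS_HOURS = range(7, 19)   # logons between 07:00 and 18:59 are expected
FAIL_THRESHOLD = 5              # failures from one source before we call it a burst


def parse_log(text):
    """Split the fixed-format extract into event dictionaries, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, event, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(f"{date} {time_}"),
            "event": event,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_bursts(events, threshold=FAIL_THRESHOLD):
    """Map (user, source) -> True/False for every pair with at least
    `threshold` failed logons; the value says whether a LOGIN_OK from the
    same source followed the burst (the classic sign of a guessed password)."""
    fails = Counter()
    succeeded = set()
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            fails[key] += 1
        elif e["event"] == "LOGIN_OK" and fails[key] >= threshold:
            succeeded.add(key)
    return {key: (key in succeeded) for key, n in fails.items() if n >= threshold}


def off_hours_privileged_logons(events):
    """Successful logons by privileged accounts outside business hours."""
    return [(e["user"], e["ts"].isoformat(sep=" "))
            for e in events
            if e["event"] == "LOGIN_OK"
            and e["user"] in PRIVILEGED_USERS
            and e["ts"].hour not in BUSINESS_HOURS]


def separation_of_duties_violations(rights, conflicts=CONFLICTING_ROLES):
    """Users holding both roles of any conflicting pair."""
    return {user: [pair for pair in conflicts if set(pair) <= roles]
            for user, roles in rights.items()
            if any(set(pair) <= roles for pair in conflicts)}


def review(log_text=AUDIT_LOG, rights=USER_RIGHTS):
    """Run the three checks and return the findings as one dictionary."""
    events = parse_log(log_text)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "off_hours_privileged_logons": off_hours_privileged_logons(events),
        "sod_violations": separation_of_duties_violations(rights),
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(f"{finding}: {detail}")
```

On the constructed data the script reports one password-guessing burst against root that ended in a successful logon, one privileged logon at 23:40, and two users whose combined roles breach the assumed separation-of-duties policy. In a real review the thresholds and the conflicting-role pairs come from the organization's security policy, and the extract should be taken from the system's own audit facility rather than from a file an administrator prepared by hand.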

Operating Systems
O/S audit tools

AS/400: PentaSafe
Windows NT: Systems Scanner, Kane Security Analyst (KSA), NMAP for NT, Retina, BindView
UNIX: COPS (Computer Oracle and Password System), Tripwire, NMAP, PC-Unix Audit

Application Software

What is Application Software?

Software that is designed and created to perform a specific personal, business or scientific processing task, such as word processing, an interactive game, a business application, etc.

Categories of software

In-house developed application
Integrated application (e.g. ERP systems: SAP, JDE, PeopleSoft, Oracle, etc.)
Package application (e.g. ACCPAC, Picador, etc.)

Database and DBMS

Database & DBMS

What a database is
Database structure
Data management
Database Management Systems (DBMS)
Risks and controls over databases
Database audit/review considerations
Sample ORACLE database review

Database & DBMS
What a database is

A collection of information organized in such a way that a computer program can quickly select desired pieces of data
Organized by: fields, records, files

Database & DBMS
Database structure

Hierarchical database model: data is organized as a tree structure of parents and children, where a child cannot have more than one parent. Ex. IBM's IMS (Information Management System)
Network database model: data is related through sets; allows reverse pointers. Ex. CA's IDMS
Relational database model: unlike the hierarchical and network models, an RDBMS separates the application from the data; models information in tables (columns and rows). Ex. IBM's DB2, Oracle, Sybase, MS Access, Paradox, dBASE
Object-oriented database: simplifies programming, flexible, deals with a variety of data types. Ex. Objectivity/DB, IBM San Francisco, ONTOS DB, ObjectStore

Database & DBMS
Database structure example

Database & DBMS
Data management

Data management: the process that controls data buffering, performs I/O operations and deals with file management activities
Data management file organization:
  Sequential
  Indexed sequential
  Direct (random) access

Database & DBMS
Database Management Systems

DBMSs are software that organize, control and use the data required by application programs (they act as an interface).
Purpose:
  To manage data
  Relieve the application of file handling
  Maintain the integrity of data
  Ensure that the data is available to multiple applications
  Provide access control and security over data

Database & DBMS
Risks and Controls

Risk                            Controls
Confidentiality                 Access control mechanism
                                Data ownership assignment
Integrity (incl. alteration)    Referential integrity check
                                Logging
                                Change management
Availability                    Backup and recovery procedure

Database & DBMS
Review/audit considerations

Security (protection from unauthorized access):
  Users can only access authorized data (by logon ID, password and access control)
  Programs can only access the data required to complete a transaction (by schema or subschema)
Integrity (protection from accidental or erroneous destruction of data):
  How the DBMS handles concurrent updates
DBMS maintenance (including fixing and testing):
  Functions performed by the DBA
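Three of the database controls in the two slides above (referential integrity checks, logging of alterations, and a subschema that limits a program to the data it needs) can be shown working on a small database. The following Python script is an added example, not material from the lecture or from any of the DBMS products it names: it builds an in-memory SQLite database with constructed tables and rows, shows that the same REFERENCES clause only protects the data when the DBMS is configured to enforce it, runs the substantive orphan-record query a reviewer can use regardless of that setting, and reads back the audit trail a trigger writes. Table and column names, the sample rows and the `foreign_keys` pragma behaviour are specific to this example and to SQLite.

```python
"""Database controls from the slides, exercised on an in-memory SQLite
database. Added example; the tables, rows and column names are constructed
for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    credit_card TEXT                -- sensitive: not every program needs it
);
CREATE TABLE invoice (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount      REAL NOT NULL
);
-- Subschema: the billing program sees only the columns it needs,
-- never customer.credit_card.
CREATE VIEW invoice_billing AS
    SELECT invoice.id AS invoice_id, customer.name, invoice.amount
    FROM invoice JOIN customer ON customer.id = invoice.customer_id;
-- Logging control: every alteration of an invoice amount leaves a trail.
CREATE TABLE invoice_log (
    invoice_id INTEGER, old_amount REAL, new_amount REAL,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER log_invoice_update AFTER UPDATE OF amount ON invoice
BEGIN
    INSERT INTO invoice_log (invoice_id, old_amount, new_amount)
    VALUES (OLD.id, OLD.amount, NEW.amount);
END;
"""


def new_db(enforce_fk):
    """SQLite only checks REFERENCES clauses when the foreign_keys pragma
    is on, so the same schema behaves differently depending on how the
    DBMS is configured; that is the kind of parameter a reviewer asks the
    DBA about rather than assuming from the schema."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    con.executescript(SCHEMA)
    con.execute("INSERT INTO customer VALUES (1, 'PT Contoh', '4111-0000-0000-0000')")
    con.execute("INSERT INTO invoice VALUES (100, 1, 250.0)")
    con.commit()
    return con


def insert_orphan_invoice(con):
    """Attempt to post an invoice for customer 99, who does not exist.
    Returns True if the DBMS accepted it (integrity control absent)."""
    try:
        con.execute("INSERT INTO invoice VALUES (101, 99, 10.0)")
        con.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_invoices(con):
    """Substantive test that works whatever the DBMS setting is:
    invoices whose customer_id matches no customer row."""
    rows = con.execute("""
        SELECT i.id FROM invoice i
        LEFT JOIN customer c ON c.id = i.customer_id
        WHERE c.id IS NULL""").fetchall()
    return [r[0] for r in rows]


def billing_view_columns(con):
    """Columns the billing subschema exposes (no credit_card)."""
    cur = con.execute("SELECT * FROM invoice_billing")
    return [d[0] for d in cur.description]


def alter_amount_and_read_log(con, invoice_id, new_amount):
    """Change an amount and return the audit trail the trigger wrote."""
    con.execute("UPDATE invoice SET amount = ? WHERE id = ?", (new_amount, invoice_id))
    con.commit()
    return con.execute(
        "SELECT invoice_id, old_amount, new_amount FROM invoice_log").fetchall()


if __name__ == "__main__":
    strict, lax = new_db(True), new_db(False)
    print("orphan accepted with FK enforcement:", insert_orphan_invoice(strict))
    print("orphan accepted without FK enforcement:", insert_orphan_invoice(lax))
    print("orphans found by substantive test:", orphan_invoices(lax))
    print("billing subschema columns:", billing_view_columns(strict))
    print("change log:", alter_amount_and_read_log(strict, 100, 300.0))
```

The point of running the orphan query on both databases is that the reviewer's own test finds the bad row even when the DBMS silently accepted it; relying on the schema text alone would have given a false sense of the control being in place.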

Data Center

Data Center

A data center is the business of providing a physical location as well as the applicable IT services (e.g. bandwidth to the Internet, facilities management, hardware/software, IT services, etc.) to run computer applications (e.g. website, e-mail, trading systems, etc.) at a site that is generally located remotely from the corporate or individual's own premises. The eventual goal is to fully outsource corporate IT requirements, leveraging economies of scale at price points and service levels that are difficult to achieve in-house.

Discussion (Tugas Kelompok / group assignment)

What are the risks associated with a data center, and what controls can mitigate those risks?

Network & telecommunication infrastructure

Network & telecommunication infrastructure

Network eras
Network architecture
Data communication
Network protocols
Transmission media
Local area networks and wide area networks
Risks and controls
Audit and evaluation techniques

Network infrastructure
Network eras

ERA 1: Mainframe networks (1965 - 1975)
ERA 2: Minicomputer networks (1975 - 1985)
ERA 3: Shared-bandwidth LANs (1985 - 1995)
ERA 4: Switched LANs (1995 - )

Network eras
Mainframe networks

Groups of terminals attached to cluster controllers
Controllers were connected to the front-end processor through point-to-point cables (for local connections) or leased telephone lines (for remote connections)

Network eras
Minicomputer networks

Terminals connected directly to a port on the mini
Statistical multiplexers provide wide-area line sharing and error protection
Data PBXs were central to many networks, allowing terminal users to select computers and contend for expensive computer ports

Network eras
Shared-bandwidth LANs

LAN-based network operating systems emerged
Shared bandwidth: PCs and other devices were attached to a single Ethernet segment or a single token ring

Network eras
Switched LANs

Drivers of the move to switching:
The rapid growth in the power of PCs (servers), which can handle throughput rates significantly higher than Ethernet or token ring provides
Data representation through images rather than text
Emergence of the World Wide Web, document imaging, medical radiology, CAD, video training and pre-press editing (which require large amounts of bandwidth)

Network architecture

Bus configuration
Ring configuration
Star configuration
Mesh configuration

Network architecture
Bus configuration

Advantages:
  Reliable in very small networks
  Easy to use and understand
  Requires less cable, so less expensive
  Easy to extend; a repeater can be used to extend the configuration
Disadvantages:
  Heavy network traffic can slow performance
  Each connection between two cables weakens the electrical signal
  Difficult to locate network errors; difficult to troubleshoot

Network architecture
Ring configuration

Advantages:
  Every computer is given equal access, since a token is passed around the ring indicating authorization to transmit
  The network degrades gracefully
Disadvantages:
  Failure of one computer in the network can affect the whole network
  Difficult to troubleshoot
  Adding or removing computers can disrupt the network

Network architecture
Star configuration

Advantages:
  Easy to modify and add new computers
  The center of the star is a good place to diagnose network problems
  Single computer failures do not bring down the network
  Several cable types can be used in the configuration
Disadvantages:
  If the central hub fails, the whole network ceases to function
  Requires a device at the center to rebroadcast or switch network traffic
  More cable is required than in a bus configuration

Network architecture
Mesh configuration

Advantages:
  Fault tolerant
  Easy to diagnose problems
  Guaranteed channel capacity
Disadvantages:
  Difficult to install and reconfigure, since there is a connection with every machine on the network
  High cost of installation
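The availability claims in the four configuration slides above (a hub failure stops a star, one station can stop a token ring, a mesh is fault tolerant) can be checked mechanically by modelling each topology as a graph and asking which single element's failure leaves surviving stations unable to reach each other. The following Python script is an added example and not part of the lecture; its models are deliberate simplifications: stations are `s0..s(n-1)`, a star has a central `hub`, a bus is a chain of cable segments `c0..c(n-1)` with one station tapped on each, and a token ring is modelled as a one-way cycle because every station must repeat the token for the ring to work. All element names are assumptions for illustration.

```python
"""Single points of failure in the four LAN configurations above.

Added example; the graphs are simplified models, not the slides' own
material. A failed element cannot be traversed; a configuration has a
single point of failure if losing one element partitions the surviving
stations.
"""
from collections import defaultdict, deque
from itertools import combinations


def _graph(edges, stations, directed=False):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj.setdefault(b, set())      # every element is a key, even with no out-edges
        if not directed:
            adj[b].add(a)
    return {"adj": dict(adj), "stations": stations}


def star(n):
    st = [f"s{i}" for i in range(n)]
    return _graph([(s, "hub") for s in st], st)


def bus(n):
    st = [f"s{i}" for i in range(n)]
    cable = [(f"c{i}", f"c{i + 1}") for i in range(n - 1)]   # the shared cable
    taps = [(f"s{i}", f"c{i}") for i in range(n)]            # each station's tap
    return _graph(cable + taps, st)


def ring(n):
    st = [f"s{i}" for i in range(n)]
    # one-way token passing: s0 -> s1 -> ... -> s(n-1) -> s0
    return _graph([(st[i], st[(i + 1) % n]) for i in range(n)], st, directed=True)


def mesh(n):
    st = [f"s{i}" for i in range(n)]
    return _graph(list(combinations(st, 2)), st)   # a link between every pair


def reachable(adj, start, failed):
    """Breadth-first search that never enters a failed element."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in failed and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def partitions(graph, failed):
    """True if any two surviving stations can no longer reach each other."""
    alive = [s for s in graph["stations"] if s not in failed]
    return any(t not in reachable(graph["adj"], s, failed)
               for s in alive for t in alive)


def single_points_of_failure(graph):
    """Elements (stations, hub or cable segments) whose individual
    failure partitions the surviving stations."""
    return sorted(e for e in graph["adj"] if partitions(graph, {e}))


if __name__ == "__main__":
    for name, build in (("star", star), ("bus", bus), ("ring", ring), ("mesh", mesh)):
        print(f"{name:5} SPOF: {single_points_of_failure(build(4))}")
```

With four stations the star reports only `hub`, the bus reports every cable segment (a break anywhere strands at least one station, which is why bus faults are hard to locate), the token ring reports every station, and the mesh reports nothing. The ring result depends on modelling the token as one-way; a ring of bidirectional links would survive a single station loss, which is the distinction between the physical topology and how the access method uses it.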

Telecommunication infrastructure
Data communication

Simply put, it involves the transmission of speech and/or data between two connected devices.
Data communications describes the use of protocols (rules) and specific equipment to coordinate and facilitate the successful transmission and receipt of data between source and destination.

Telecommunication infrastructure
Network protocols

Protocols are the set of rules for the packaging and transmission of data.
Examples:
  Transmission Control Protocol/Internet Protocol (TCP/IP)
  Virtual Telecommunications Access Method (VTAM)
  IPX/SPX
  AppleTalk
  PPP (Point-to-Point Protocol)
  X.25

Telecommunication infrastructure
Transmission media

Copper (twisted pair) circuits
Coaxial cables
Fiber optic systems
Radio systems
Microwave radio systems
Satellite radio link systems

Telecommunication infrastructure
LANs and WANs

LANs:
  Within buildings or departments
  Digital signals used
  Computer-to-computer transmission
  Use high-quality cables
WANs:
  Spread over multiple sites
  Require the use of special communications hardware
  May use public long-distance communications links
  Tend to be more complex than LANs

Network risks and controls

Risk                                  Controls
Unauthorized access (incl. tapping)   Encryption
                                      Access controls
Performance degradation               Performance monitoring
                                      Response time reports
                                      Down time reports
                                      Online monitors (echo checking)
                                      Help desk reports
Remote access & dial-up               Call-back facility
Viruses, trojans                      Anti-virus and forced updates
                                      Clear policy
Astalavista.box.sk

Audit and evaluation techniques
LAN review

Physical security: observe the LAN and transmission wiring closet and the server location; test the access key
Environmental controls: surge protector, air conditioning, humidity, power supply, backup media protection, fire extinguisher
Logical security: interview the LAN admin, penetration test, search for written-down passwords, test the log-off period, check dial-up connections

Internet

What is the Internet
Why use the Internet
The risks of the Internet
How to control Internet use
What is a firewall
How a firewall works
What a firewall can do
What a firewall can't do

What is the Internet?

The world's largest computer network
Based on the TCP/IP protocol suite
Links universities, governments, companies, etc.
Large international presence: more than 170 countries

Why use the Internet?

Provides cost-effective communication for:
  eCommerce
  Electronic mail (SMTP)
  Remote terminal access (Telnet)
  File transfer (FTP)
Good information source: World Wide Web access (HTTP)

The risks of the Internet

Perhaps the biggest risk: you don't know who is out there!
Because the Internet is so convenient to use, security implications are often overlooked
Possible network backdoor connections open to hackers
Viruses from downloaded software (e.g. screensavers)
Disclosure of sensitive information (e.g. credit card numbers)

How to control Internet use?

Develop policies to define acceptable usage:
  Personal use
  Business use (encrypting messages to business partners)
Educate users on Internet risks
Use of firewalls

What is a firewall?

A firewall is a combination of hardware and software that enforces an existing network access policy
It prevents unauthorized traffic into and out of a secure network
It restricts people to entering at a carefully controlled point
It prevents attackers from getting close to other network security defenses

How does a firewall work?

(Diagram: the Internet and the wide area network connect through the firewall gateway to the local area network and the mainframe/legacy systems; rejected external traffic is stopped at the firewall.)

What can a firewall do?

A firewall is a focus for security decisions. Think of a firewall as a choke point: all traffic in and out must pass through this single checkpoint, or gateway.
A firewall can enforce security policy. Many of the services that people want from the Internet are inherently insecure; a firewall acts as the traffic cop for these services.

What can a firewall do? (Cont'd)

A firewall can effectively log Internet activity. Because all traffic passes through the firewall gateway, it is a good place to collect information about system and network use .... AND misuse.
A firewall reduces external network exposure. It can also be used to keep sections of a network separate from other sections, e.g. preventing certain employees from attaching documents to e-mails.

What can't a firewall do?

A firewall can't protect you against malicious insiders. If the fox is inside the hen house, a firewall can do nothing for you.
A firewall can't protect you against connections that don't go through it. There is nothing it can do for traffic that does not pass through it.

What can't a firewall do? (Cont'd)

A firewall can't completely protect against new threats. A firewall can only protect against known threats; you can't set up a firewall once and expect it to protect you forever.
A firewall can't protect against viruses, as these are typically spread within documents.
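The firewall slides above describe a choke point that enforces a policy, logs every decision, and can keep one section of the network (here, the mainframe/legacy systems from the diagram) separate from another. The following Python script is an added example, not code from the lecture or from any firewall product: it evaluates constructed packets against a small first-match-wins rule set with an implicit default deny, writes one log line per decision, and includes a pair of rules that lets only one administrative host reach the legacy segment. The address plan, segment names, rules and sample traffic are all assumptions for illustration. It also shows the limitation from the last two slides in a concrete way: a packet that never reaches `evaluate()` (traffic between two workstations on the same LAN, or an insider already on the legacy segment) produces no log line and is not subject to the policy at all.

```python
"""Packet-filter policy evaluation: single choke point, first matching
rule wins, everything else is denied and logged, and one rule pair keeps
an internal legacy segment separate from the rest of the LAN.

Added example; the addresses, segments, rules and traffic are constructed
for illustration and are not from the lecture.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    comment: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Assumed address plan
ANY = "0.0.0.0/0"
LAN = "10.1.0.0/16"
LEGACY = "10.9.0.0/24"          # mainframe/legacy segment behind the gateway
PUBLIC_WEB = "10.1.5.10/32"
ADMIN_HOST = "10.1.5.20/32"

POLICY: List[Rule] = [
    Rule("allow", ANY, PUBLIC_WEB, "tcp", 80, "public web server"),
    Rule("allow", LAN, ANY, "tcp", 25, "outbound mail (SMTP)"),
    Rule("allow", LAN, ANY, "tcp", 80, "outbound web (HTTP)"),
    Rule("allow", ADMIN_HOST, LEGACY, "tcp", 23, "only the admin host may telnet to legacy"),
    Rule("deny", LAN, LEGACY, "any", None, "keep the legacy segment separate from the LAN"),
    # No final rule is needed: evaluate() denies whatever nothing matched.
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(policy: List[Rule], pkt: Packet, log: List[str]) -> Tuple[str, str]:
    """First match wins; unmatched traffic hits the implicit default deny.
    Every decision is appended to `log`, the audit trail the slides ask for."""
    for rule in policy:
        if matches(rule, pkt):
            decision = (rule.action, rule.comment)
            break
    else:
        decision = ("deny", "default deny")
    log.append(f"{decision[0].upper():5} {pkt.src} -> {pkt.dst}/{pkt.proto}/{pkt.dport} ({decision[1]})")
    return decision


# Constructed traffic sample
SAMPLE = [
    Packet("203.0.113.7", "10.1.5.10", "tcp", 80),    # customer browsing the web server
    Packet("203.0.113.7", "10.1.5.10", "tcp", 23),    # outsider trying telnet: nothing allows it
    Packet("10.1.7.3", "198.51.100.4", "tcp", 25),    # staff sending mail out
    Packet("10.1.7.3", "10.9.0.5", "tcp", 23),        # ordinary workstation to legacy: blocked
    Packet("10.1.5.20", "10.9.0.5", "tcp", 23),       # admin host to legacy: allowed by the earlier rule
]


def run(policy=POLICY, traffic=SAMPLE):
    """Evaluate each packet in order and return (decisions, log lines)."""
    log: List[str] = []
    decisions = [evaluate(policy, p, log) for p in traffic]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run()
    print("\n".join(log))
```

Rule order matters: the admin host is inside `LAN`, so the later deny rule would also match its telnet session; it is allowed only because the more specific allow comes first. When reviewing a firewall, read the rule base in evaluation order and look for a broad rule that shadows a narrower one further down, and confirm that denied traffic, not only permitted traffic, is being logged.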

Summary

The hardware, systems software, communication lines, networks, Internet and data center are all organization assets that should be properly controlled and managed by management.
Today's auditors should be familiar with, and prepared to deal with, the various rapid developments in IT (hardware, OS, communication, networks, Internet and data center) and their risks.
IS auditors' tasks:
  Review the existing controls available
  Test compliance
  Recommend adequate controls

Question and Answer

Thank You