IS Security Control & Management

Post on 20-Dec-2015


Page 1: IS Security Control & Management. Overview • Why worry? • Sources, frequency and severity of problems • Risks to computerized vs. manual systems • Purpose

IS Security Control & Management

Page 2: Overview

• Why worry?
• Sources, frequency and severity of problems
• Risks to computerized vs. manual systems
• Purpose of control mechanisms
• Types of controls: General & Application
• Developing and managing control systems

Page 3: Why Worry?

• Computer Viruses – rogue software programs that are difficult to detect and that spread rapidly through computer systems, destroying data or disrupting processing and memory systems
  – Example: ILOVEYOU virus
• Hackers – people who gain unauthorized access

Page 4: Why Worry?

• Information System Outages – studies show that:
  – companies would sustain critical loss of business operations within 15 days of an information system outage
  – at that point, firms would have less than a 25% chance of ever recovering

Page 5: Need for Information System Audits

• Continuous improvement in hardware performance and capabilities
• Decreasing hardware costs
• Availability of application and database software with more functionality
• Advances in communication
• Sophistication of users
• Demand for greater control of information

Page 6: Management's Concerns Regarding Information Systems

• Loss or misstatement of data
• Unauthorized access to data
• Loss of confidentiality of data
• Fraud
• Errors and omissions
• Computer downtime/damage
• Corruption of data

Page 7: Threats to Systems

• Natural disasters
• Sabotage and theft
• Operational errors
• Upgrades & conversions (including fixes!)

Page 8: Primary Concerns by Disaster Type

Type of Disaster                                        Areas of Concern
Natural                                                 Safety, business assets, business continuity
Sabotage or theft (internal or external)                Business assets, business continuity
Misfortune (user error, upgrades, system malfunctions)  Business continuity, business assets

Page 9: Natural Disasters

• Broader impact than other types
  – business and employees both impacted
  – typically many systems fail at once
  – often others in the area have the same problems and are therefore seeking the same resources for recovery
• Focus on reasonability of backup and recovery plans

Page 10: Sabotage or Theft

• Points of risk
  – Layoffs and firings
  – Mergers & reorganizations
• In Fortune 500 companies with over 1,000 laptops, 14 lost per year
• Often not covered by insurance
• Data loss worse than equipment loss

Page 11: Operational Errors

• Hardware failures
  – Risks with outdated hardware
  – Impact for e-commerce activities
  – Reliance on network connections
• User-generated failures (32% of all data losses involving disks and tapes are caused by user errors)
• Mistakes made in attempts to recover lost or damaged data

Page 12: Upgrades and Conversions

• The solution causes the problem!
• Problems with suppliers and buyers
• Time lost in conversions often not considered in the cost of "upgrades"

Page 13: Severity of Problems: The Firm

• In 1997, NationsBank, the 4th largest bank in the U.S. at the time, reviewed its vulnerability and estimated that its exposure was:
  – $50 million in financial losses
  – for an interruption of more than 24 hours
  – where existing plans would take 2-5 days to restore operations

Page 14: Severity of Problems: The Individual

• A Fortune 500 CFO lost five years' worth of accounting and stockholder data on a Friday afternoon; he needed it Monday for an annual stockholders' meeting.
• Twice-daily backups didn't help: the backup media had never been tested. When it was proven to be faulty, the CFO thought his career was over.
• Data recovery specialists managed to rescue the information in time for the CFO's Monday morning presentation.

Page 15: System Vulnerability

• Complex IS cannot be easily replicated manually
• Once an IS has been built, it can be hard to decipher the processes again
• The probability of disasters is the same, but the impact may be greater with IS failures
• Security in a networked system is significantly more complicated

Page 16: Quality Assurance vs. Control

• Quality assurance: the prevention of errors
• Quality control: the identification of errors after they occur
• Data vs. system quality
  – Is the information stored and secured correctly?
  – Are things processed correctly?

Page 17: Quality Assurance in IS

• Use of appropriate methods & documentation
• Test plans & testing
• Complete the circle with customer & employee feedback
• Communication, communication, communication

Page 18: Cost to Fix Mistakes After Implementation versus Before

Page 19: Testing Approaches

• Test plans
• Manual approaches
  – Usability tests (handout)
  – Testers vs. users as guinea pigs!
• Automated testing
  – Main benefits
    • simulation of large volumes of users
    • can be run on many configurations of hardware
  – Requires tools & expertise

Page 20: Testing and Quality

• Types of testing: Unit, System, Acceptance
• Inability to prove correctness
• At design phase: test with walkthrough
  – Is it what they want?
• During construction: debugging
• Pre-implementation: verify goals met

Page 21: Purpose of Control Mechanisms

• Reduce risk of loss of business continuity and legal liability through controls
• Methods, policies, and organizational procedures that assure:
  – Safety of organizational assets
  – Accuracy & reliability of records
  – Adherence to organizational standards

Page 22: Types of Controls

• General controls
  – Design, security & use of IS
  – Accomplished through system software and manual procedures
• Application controls
  – Specific to given applications
  – Accomplished through application software

Page 23: General Controls

• Controls over system development processes
• Software system level controls
• Hardware controls (secure & accurate)
• Computer operations controls
• Data security controls
• Administrative controls (segregation of functions, adherence to policies, etc.)

Page 24: Application Controls

• Based on the I-P-O (input, processing, output) model
• Input controls
  – Control totals, data validations, authorization
• Processing controls
  – Run control totals and "computer matching" of values (redundancy checks)
• Output controls
  – Reconciliation and appropriate distribution of information
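The three control layers of the I-P-O model, worked through in code. This is an added example and not part of the slide deck: the batch layout, the header control totals, the authorised-submitter list and the sample records are all constructed for illustration. Input controls check authorisation, validate each field and compare the batch against the sender's control totals; processing carries a run control total and matches it against the posted ledger; output controls reconcile what was posted against what was accepted.

```python
"""Application controls along the I-P-O model: input controls (authorisation,
data validation, batch control totals), processing controls (a run-to-run
control total matched against the ledger) and output controls (reconciliation
of what was posted against what was received).

Added example, not from the original slide deck. The batch layout, the
authorised-submitter list and the sample records are constructed.
"""
import copy
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Record:
    account: str
    amount: Decimal


# Constructed sample batch. The header carries the control totals computed by
# the sender: record count, sum of amounts, and a hash total (the plain sum of
# the account numbers, meaningful only as a check value).
SAMPLE_BATCH = {
    "submitted_by": "payroll-clerk",
    "header": {"count": 3, "amount_total": "1250.00", "hash_total": 30123},
    "records": [
        {"account": "10001", "amount": "500.00"},
        {"account": "10061", "amount": "250.00"},
        {"account": "10061", "amount": "500.00"},
    ],
}

AUTHORISED_SUBMITTERS = {"payroll-clerk", "payroll-supervisor"}  # constructed


def input_controls(batch):
    """Authorisation, field validation and control totals. Returns (records, errors)."""
    errors = []
    if batch.get("submitted_by") not in AUTHORISED_SUBMITTERS:
        errors.append("submitter not authorised for this batch type")
    records = []
    for i, raw in enumerate(batch["records"]):
        account = str(raw.get("account", ""))
        if not (account.isdigit() and len(account) == 5):
            errors.append(f"record {i}: account must be 5 digits")
        try:
            amount = Decimal(str(raw.get("amount", "")))
        except InvalidOperation:
            errors.append(f"record {i}: amount is not numeric")
            continue
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append(f"record {i}: amount must be positive with two decimals")
        records.append(Record(account, amount))
    header = batch["header"]
    if len(records) != header["count"]:
        errors.append(f"record count {len(records)} != header count {header['count']}")
    if sum((r.amount for r in records), Decimal(0)) != Decimal(header["amount_total"]):
        errors.append("amount total does not match header")
    if sum(int(r.account) for r in records if r.account.isdigit()) != header["hash_total"]:
        errors.append("hash total does not match header")
    return records, errors


def processing_controls(records):
    """Post records to the ledger while carrying a run control total."""
    ledger = {}
    run_total = Decimal(0)
    for r in records:
        ledger[r.account] = ledger.get(r.account, Decimal(0)) + r.amount
        run_total += r.amount
    # Computer matching / redundancy check: the ledger must add up to the run total
    matched = sum(ledger.values(), Decimal(0)) == run_total
    return ledger, run_total, matched


def output_controls(records, run_total):
    """Reconcile what was posted against what was accepted on input."""
    input_total = sum((r.amount for r in records), Decimal(0))
    return input_total == run_total, {"input_total": input_total, "posted_total": run_total}


def run_batch(batch):
    """Run the batch through all three control layers; reject on any failure."""
    records, errors = input_controls(batch)
    if errors:
        return {"accepted": False, "errors": errors}
    ledger, run_total, matched = processing_controls(records)
    reconciled, detail = output_controls(records, run_total)
    ok = matched and reconciled
    return {"accepted": ok, "errors": [] if ok else ["reconciliation failed"],
            "ledger": ledger, "reconciliation": detail}


def altered_batch(batch, index, **changes):
    """Copy of the batch with one record changed (simulates a keying error or tampering)."""
    b = copy.deepcopy(batch)
    b["records"][index].update(changes)
    return b


if __name__ == "__main__":
    print(run_batch(SAMPLE_BATCH))
    print(run_batch(altered_batch(SAMPLE_BATCH, 1, amount="260.00")))
```

The point of the header totals is that a single altered, dropped or duplicated record changes at least one of count, amount total or hash total, so the batch is rejected before anything is posted; the run total and reconciliation then catch errors introduced inside processing itself.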

Page 25: Developing Control Systems

• Risk analysis and assessment
  – Financial valuations of business interruptions
  – Non-financial valuations
    • legal & regulatory compliance
    • other benefits
• Need for upper management support

Page 26: Risk Analysis Steps

- Identifying and valuing assets;
- Identifying threats (whether caused by people or natural disasters);
- Identifying vulnerabilities (i.e., design, configurations, or procedures that make assets subject to threats);
- Estimating risks (calculating probabilities);
- Calculating statistically expected losses; and
- Identifying potential protective measures.
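The risk analysis steps above, carried through as a small quantitative model. This is an added example, not material from the slide deck: the single loss expectancy (asset value times exposure factor) and annualised loss expectancy (SLE times annual rate of occurrence) formulas are the standard textbook ones, which the slides do not name, and every asset value, probability and safeguard cost is constructed for illustration. The laptop-theft rate reuses the deck's figure of 14 losses per year.

```python
"""Quantitative risk analysis: value assets, list threats, estimate
probabilities, compute statistically expected losses and rank protective
measures by net benefit.

Added example, not from the original slide deck. SLE = asset value x exposure
factor and ALE = SLE x annual rate of occurrence are the standard textbook
formulas (an assumption; the slides do not name them). All figures below are
constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # asset the threat acts on
    exposure: float     # fraction of the asset's value lost per occurrence (0..1)
    annual_rate: float  # expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    covers: tuple       # names of the threats it mitigates
    residual: float     # fraction of the expected loss that remains after the safeguard


# Step 1: identify and value assets (constructed values)
ASSETS = {"order-db": 2_000_000.0, "field-laptops": 150_000.0}

# Steps 2-4: threats with estimated impact and probability (constructed values)
THREATS = [
    Threat("flood at data centre", "order-db", exposure=0.6, annual_rate=0.05),
    Threat("disk failure", "order-db", exposure=0.3, annual_rate=0.5),
    Threat("laptop theft", "field-laptops", exposure=0.02, annual_rate=14.0),
]

# Step 6: candidate protective measures (constructed values)
SAFEGUARDS = [
    Safeguard("tested nightly offsite backups", 40_000.0,
              ("flood at data centre", "disk failure"), residual=0.2),
    Safeguard("redundant disk array", 25_000.0, ("disk failure",), residual=0.1),
    Safeguard("full-disk encryption on laptops", 10_000.0, ("laptop theft",), residual=0.5),
]


def single_loss_expectancy(threat):
    """Loss from one occurrence: asset value x exposure factor."""
    return round(ASSETS[threat.asset] * threat.exposure, 2)


def annual_loss_expectancy(threat):
    """Step 5: statistically expected loss per year: SLE x annual rate."""
    return round(single_loss_expectancy(threat) * threat.annual_rate, 2)


def total_expected_loss(threats):
    return round(sum(annual_loss_expectancy(t) for t in threats), 2)


def net_benefit(safeguard, threats):
    """Expected loss avoided per year minus the safeguard's annual cost."""
    covered = sum(annual_loss_expectancy(t) for t in threats if t.name in safeguard.covers)
    avoided = covered * (1.0 - safeguard.residual)
    return round(avoided - safeguard.annual_cost, 2)


def rank_safeguards(safeguards, threats):
    """Safeguards ordered by net benefit, best first; negative values cost more than they save."""
    return sorted(((net_benefit(s, threats), s.name) for s in safeguards), reverse=True)


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:<24} ALE = {annual_loss_expectancy(t):>12,.2f}")
    print(f"total expected loss     = {total_expected_loss(THREATS):>12,.2f}")
    for benefit, name in rank_safeguards(SAFEGUARDS, THREATS):
        print(f"{name:<36} net benefit = {benefit:>12,.2f}")
```

The ranking is what upper management (page 25) is asked to fund: a safeguard whose net benefit is negative costs more than the loss it avoids, which is the financial-valuation argument the slides describe, while the non-financial valuations (legal and regulatory compliance) still have to be weighed outside the model.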

Page 27: Testing & Audits of Control Systems

• Backups & recovery plans must be tested to be relied upon
  – 5 - 25% of firms that do not have plans are not in business within a year of a major disaster
• Major consulting firms such as Ernst & Young have thriving business sectors in IS auditing
  – Verify general & application controls
  – Similar to accounting audits but for information systems
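Page 14's untested backup media and page 27's rule that backups must be tested to be relied upon are the same lesson; here it is as a restore test in code. This is an added example and not part of the slide deck: the sample files, the tar archive standing in for backup media, and the deliberate corruption that simulates faulty media are all constructed for illustration. A backup is only proven when it has been restored somewhere else and every restored file matches the digest recorded at backup time.

```python
"""Restore test for a backup: record a SHA-256 manifest at backup time, restore
to a scratch directory, and verify every file against the manifest.

Added example, not from the original slide deck. The sample files and the
byte-level corruption that stands in for faulty media are constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Write src_dir into a tar archive and return {relative path: digest}.

    The manifest is the reference the restore test is checked against, so it is
    kept apart from the backup media in practice (here simply in memory)."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_and_verify(archive_path, restore_dir, manifest):
    """Restore the archive and check every manifest entry. Returns (ok, problems)."""
    problems = []
    try:
        with tarfile.open(archive_path) as tar:
            if hasattr(tarfile, "data_filter"):      # Python 3.12+ safe extraction filter
                tar.extractall(str(restore_dir), filter="data")
            else:
                tar.extractall(str(restore_dir))
    except tarfile.TarError as exc:
        return False, [f"restore failed: {exc}"]
    for rel, digest in manifest.items():
        restored = Path(restore_dir) / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != digest:
            problems.append(f"digest mismatch after restore: {rel}")
    return not problems, problems


def demo():
    """Back up constructed sample files, test the restore, then corrupt the
    media and test again. Returns (ok_before, ok_after, problems_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("account,amount\n10001,500.00\n10061,250.00\n")
        (src / "notes" / "readme.txt").write_text("quarterly close notes\n")

        archive = tmp / "backup.tar"
        manifest = make_backup(src, archive)
        ok_before, _ = restore_and_verify(archive, tmp / "restore-1", manifest)

        # Simulate faulty media: one record inside the archive is altered in place.
        data = archive.read_bytes()
        archive.write_bytes(data.replace(b"10001,500.00", b"10001,900.00"))
        ok_after, problems = restore_and_verify(archive, tmp / "restore-2", manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The corrupted archive still extracts without error, which is exactly why "the backup job ran" is not evidence: only the digest comparison on the restored file reveals that the media would not have recovered the ledger. Run the same restore test on a schedule, against a copy of the real media, and treat any mismatch as a failed backup.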