Information Technology (IT) Internal Controls Presentation for the Central Bank of Libya Royce Walker Financial Services Volunteer Corps March 23 - 25, 2009


Page 1: IT Internal Controls

Information Technology (IT) Internal Controls Presentation for the

Central Bank of Libya

Royce Walker, Financial Services Volunteer Corps

March 23 - 25, 2009

Page 2: IT Internal Controls


Introduction

Topics of Discussion:

• Definition of Internal Control

• Overview of Internal Control/Risk Management Frameworks

• Information Technology Internal Controls

Page 3: IT Internal Controls


Definition of Internal Control

Internal Control is a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Source: The Committee of Sponsoring Organizations of the Treadway Commission – http://www.coso.org/resources.htm.

Page 4: IT Internal Controls

Internal Control/Risk Management Frameworks

Enterprise-wide Frameworks

• The Cadbury Committee (United Kingdom)

• The Canadian Criteria of Control Committee (CoCo) (Canada)

• The Committee of Sponsoring Organizations (COSO) (United States)

IT Frameworks

• The Information Systems Audit and Control Association – Control Objectives for Information Technology (COBIT)

• Information Technology Infrastructure Library (ITIL)

• The International Organization for Standardization (ISO)

Page 5: IT Internal Controls


Information Technology Internal Controls

Governance

Who is in charge of IT?

Governance is one of the most important controls. If someone or some group is not actively overseeing the IT function, the result will be chaos.

Page 6: IT Internal Controls


Governance (continued)

• Achieved through management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability.

• Required to ensure tasks are completed appropriately, accountability is maintained, and risk is managed for the entire enterprise.

• Responsibility of the board of directors and executive management.

• Fundamentally concerned with two issues: 1) IT delivers value, 2) IT risks are mitigated.

Source: Federal Financial Institutions Examination Council, Information Security, IT Examination Handbook; and Information Systems Audit and Control Association, CISA Review Manual 2006, Chapter 2, IT Governance.

Page 7: IT Internal Controls


Governance (continued)

Management Structure

IT should be governed/supported by:

• Board of Directors.

• IT officers and supervisory personnel.

• IT employees.

• IT users.

• Auditors.

• Service providers and contractors.

Page 8: IT Internal Controls


IT Risk Assessment

An IT risk assessment includes three parts:

1. Gathering technical and non-technical information about the IT function.

2. Analyzing the information to

• classify and rank sensitive data, systems, and applications.

• assess threats and vulnerabilities.

• evaluate control effectiveness.

3. Setting priorities for responses.

Page 9: IT Internal Controls


IT Risk Assessment (continued)

Necessary Information

Examples of technical information include:

• Data and systems to be protected (electronic and paper).

• Network diagrams of internal and external connectivity.

• Hardware, software, database file inventories.

Examples of non-technical information include:

• Policies, standards, and procedures for security.

• Vendor contracts, including insurance coverage.

• Reports of security monitoring, self-assessments, metrics, and independent tests.

Page 10: IT Internal Controls


IT Risk Assessment (continued)

Classify/Rank Sensitive Data, Systems, and Applications

Assess the relative importance of information systems and classify data, so that data, systems, and applications can be identified and ranked in order of importance.

Assess Threats and Vulnerabilities

Determine which threats and vulnerabilities deserve priority attention relative to value of the information or information systems being protected.

Page 11: IT Internal Controls


IT Risk Assessment (continued)

Evaluate Control Effectiveness

Identify controls that will mitigate the impact of each threat/vulnerability.

• Preventive Control – Keeps something from occurring.

• Detective Control – Finds something after it occurred.

• Corrective Control – Corrects problems that occurred.

Assign Risk Ratings

Risk ratings should be assigned to information systems and data to establish importance and criticality.

Page 12: IT Internal Controls


Information Security Strategy

Typical steps to building an information security strategy include:

• Defining control objectives.

• Identifying and assessing approaches to security.

• Establishing benchmarks and metrics.

• Preparing and implementing testing plans.

Page 13: IT Internal Controls


Information Security Strategy (continued)

Control Framework Considerations

• Using a widely recognized technology standard, such as COBIT, ITIL, ISO 17799, etc.

Policies and Procedures

• Primary component of strategy; guides decisions made by users, administrators, and managers.

• Inform individuals of their responsibilities, specify ways of meeting responsibilities.

• Provide guidance in acquiring, configuring, and auditing information systems.

Page 14: IT Internal Controls


Information Security Strategy (continued)

Technology Design

• Provides effective network-level monitoring, limits intruder’s ability to traverse the network, offers minimum level of services required by business needs.

• If updated in a timely manner, mitigates newly discovered threats and vulnerabilities.

Page 15: IT Internal Controls


Information Security Strategy (continued)

Outsourced Security Services

• Security services may be outsourced to obtain greater expertise, greater range of services, and lower costs.

• Institution retains same responsibilities for security as if those services were performed in-house.

• Sufficient expertise is needed to oversee and manage outsourced security service relationship properly.

• Detailed contract is needed for scope and nature of services as well as for expected and required service levels.

Page 16: IT Internal Controls


Information Security Internal Controls

Internal controls should be established to minimize IT Risk.

• Access Control

• Physical and Environmental Protections

• Encryption

• Malicious Code Prevention

• Systems Development, Acquisition, and Maintenance

• Personnel Security

• Data Security

• Service Provider Oversight

• Business Continuity Considerations

• Insurance

• Monitoring

Page 17: IT Internal Controls


Access Control

Goal of access control is to allow access by authorized individuals and devices and to disallow access by all others.

• Limit access to specifically authorized persons.

• Authorize only individuals whose identity is established.

• Limit activities to those required for business purposes.

• Approve device installation in accordance with policy.

• Use change controls for devices and software used inside the external perimeter, and configure institution devices to accept only authorized connections from outside the perimeter.

Page 18: IT Internal Controls


Access Rights Administration

Implement an effective process to administer access rights.

• Assign users and devices only the access required to perform their required functions (business need).

• Update access rights based on personnel and system changes.

• Review users’ access rights at periodic intervals.

• Design acceptable-use policies and require users to agree to them in writing.

• Review exception reports.
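As an added illustration (not part of the presentation), the review process on this slide expressed as a script: each account's entitlements are compared with its role's business-need baseline and with its HR status, and the result is the exception report the last bullet asks reviewers to examine. The role names, entitlement strings, sample register and the written-approval requirement for privileged rights are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed role baselines: the access each job function needs (business need).
ROLE_BASELINE = {
    "teller": {"core_banking:read", "core_banking:post"},
    "auditor": {"core_banking:read", "audit_log:read"},
    "sysadmin": {"os:admin", "audit_log:read"},
}
PRIVILEGED = {"os:admin"}  # assumed: rights that must carry a written approval


@dataclass
class AccountRecord:
    user: str
    role: str
    hr_status: str                  # "active", "transferred" or "terminated"
    entitlements: set
    previous_role: str = ""         # populated when hr_status == "transferred"
    approvals: set = field(default_factory=set)  # entitlements with written approval


def review_account(rec: AccountRecord) -> list:
    """Return the exceptions for one account (empty list = no finding)."""
    findings = []
    if rec.hr_status == "terminated":
        # Personnel change not reflected in access rights: everything must go.
        if rec.entitlements:
            findings.append("terminated user still holds access; revoke all rights")
        return findings
    baseline = ROLE_BASELINE.get(rec.role)
    if baseline is None:
        return [f"role '{rec.role}' has no approved access baseline"]
    excess = rec.entitlements - baseline
    # Rights that belonged to the old role but were never removed on transfer.
    stale = excess & ROLE_BASELINE.get(rec.previous_role, set())
    if stale:
        findings.append("rights carried over from previous role: " + ", ".join(sorted(stale)))
    unexplained = excess - stale
    if unexplained:
        findings.append("access beyond business need: " + ", ".join(sorted(unexplained)))
    unapproved = (rec.entitlements & PRIVILEGED) - rec.approvals
    if unapproved:
        findings.append("privileged access without written approval: " + ", ".join(sorted(unapproved)))
    return findings


def exception_report(records) -> dict:
    """Map each user with at least one finding to that user's list of findings."""
    report = {}
    for rec in records:
        findings = review_account(rec)
        if findings:
            report[rec.user] = findings
    return report


# Constructed sample extract of an access-rights register for the walkthrough.
SAMPLE = [
    AccountRecord("alice", "teller", "active", {"core_banking:read", "core_banking:post"}),
    AccountRecord("bob", "auditor", "transferred",
                  {"core_banking:read", "core_banking:post", "audit_log:read"}, previous_role="teller"),
    AccountRecord("carol", "teller", "terminated", {"core_banking:read"}),
    AccountRecord("dave", "teller", "active", {"core_banking:read", "os:admin"}),
    AccountRecord("erin", "sysadmin", "active", {"os:admin", "audit_log:read"}, approvals={"os:admin"}),
]

if __name__ == "__main__":
    for user, findings in exception_report(SAMPLE).items():
        print(user, "->", "; ".join(findings))
```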

Page 19: IT Internal Controls


Authentication

Use effective authentication methods.

• Select authentication mechanisms based on risk associated with application or services.

• Consider when multi-factor authentication is appropriate.

• Encrypt transmission and storage of authenticators (e.g., passwords, personal identification numbers (PINs), digital certificates, biometric templates).

Page 20: IT Internal Controls


Authentication (continued)

Shared Secret Systems – Uniquely identify a user by matching knowledge held on the system to knowledge that only the system and the user are expected to share.

• Passwords, pass phrases, current transaction knowledge.

• Password string – C2$v73#L

• Pass phrase – My favorite candy is peppermint.

• Current transaction knowledge – Account balance on the last statement mailed to the user/customer.

• Controls should prevent user from re-using shared secrets that were compromised, or recently used by user.

Page 21: IT Internal Controls


Authentication (continued)

Shared Secret Systems (continued)

• Passwords and pass phrases should be difficult to guess.

• Strength depends on the lack of disclosure of and about the secret, the difficulty of guessing it, and the length of time before it is changed.

• User should select passwords and pass phrases without assistance from other users. (Exception – Temporary password to create new account).

Page 22: IT Internal Controls


Authentication (continued)

Shared Secret Systems (continued)

• Automated tools can assist enforcement of shared secret system policies.

• Length

• Complexity

• Periodic changes (e.g., every 30, 60, 90 days)

• Lock out after unsuccessful password attempts

• Disallow re-use of password
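An added example (not from the presentation) of the automated enforcement this slide and slide 20 describe: a minimal shared-secret policy with length and complexity rules, a maximum age, lockout after repeated failures, and rejection of secrets that were recently used or are known to be compromised. The policy values, the compromised list and the sample account are assumptions; the slide's sample password string C2$v73#L is used as the compliant input.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Policy parameters (assumed values for the example, not figures from the slides).
MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH, LOCKOUT_THRESHOLD = 8, 90, 5, 5
# Constructed stand-in for a list of secrets known to be compromised.
COMPROMISED = {hashlib.sha256(b"Password1!").hexdigest()}

def _derive(secret: str, salt: bytes) -> bytes:
    # Secrets are stored only as salted PBKDF2-HMAC-SHA256 digests, never in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def complexity_violations(secret: str) -> list:
    """Return the policy rules a candidate secret breaks (empty = compliant)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.isupper() for c in secret), any(c.islower() for c in secret),
               any(c.isdigit() for c in secret), any(c in string.punctuation for c in secret))
    if not all(classes):
        problems.append("needs upper-case, lower-case, digit and symbol characters")
    if hashlib.sha256(secret.encode()).hexdigest() in COMPROMISED:
        problems.append("appears on the compromised list")
    return problems

@dataclass
class Account:
    salt: bytes = b""
    digest: bytes = b""
    changed_day: int = 0                         # day number of the last change
    history: list = field(default_factory=list)  # (salt, digest) of recent secrets
    failed_attempts: int = 0
    locked: bool = False

def set_password(acct: Account, secret: str, today: int) -> list:
    """Enforce the policy; on success rotate the stored secret and return []."""
    problems = complexity_violations(secret)
    if any(hmac.compare_digest(_derive(secret, s), d) for s, d in acct.history):
        problems.append(f"re-uses one of the last {HISTORY_DEPTH} secrets")
    if problems:
        return problems
    salt = os.urandom(16)
    acct.history = [(salt, _derive(secret, salt))] + acct.history[:HISTORY_DEPTH - 1]
    acct.salt, acct.digest = acct.history[0]
    acct.changed_day, acct.failed_attempts = today, 0
    return []

def authenticate(acct: Account, secret: str, today: int) -> str:
    """Return 'ok', 'locked', 'expired' or 'denied'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_derive(secret, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True  # cleared only by an administrator reset
        return "denied"
    acct.failed_attempts = 0
    if today - acct.changed_day > MAX_AGE_DAYS:
        return "expired"  # correct secret, but the periodic change is overdue
    return "ok"

def walkthrough() -> list:
    # Exercise the controls on a constructed account; returns each step's outcome.
    acct, out = Account(), []
    for secret in ("C2$v73#L", "C2$v73#L", "Qx9!mLp2"):  # 2nd attempt is a re-use
        out.append("changed" if not set_password(acct, secret, 0) else "rejected")
    out.append(authenticate(acct, "Qx9!mLp2", 10))
    out.append(authenticate(acct, "Qx9!mLp2", 91))
    out += [authenticate(acct, "not-the-secret", 10) for _ in range(LOCKOUT_THRESHOLD)]
    out.append(authenticate(acct, "Qx9!mLp2", 10))
    return out
```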

Page 23: IT Internal Controls


Authentication (continued)

Other Authentication Systems

Token Systems – Two-factor authentication of something user has and something user knows.

Public Key Infrastructure (PKI) – Combines hardware components, system software, policies, practices, standards for authentication, data integrity, defense against customer repudiation, and confidentiality.

Biometrics – Verifies user by reference to unique physical or behavioral characteristics (e.g., thumbprint, iris pattern). May or may not require use of a token.

Page 24: IT Internal Controls


Authentication (continued)

Other Authentication Systems (continued)

Authenticator Reissuance – Needed when a user forgets a shared secret, loses a token, or a biometric identifier changes.

Behavioral Authentication – Assurance gained from comparing connection-related or activity-related information with expectations.

Device Authentication – Supplements the authentication of individuals, or is used when assurance is needed that the device is authorized to be on the network.

Page 25: IT Internal Controls


Network Access

Secure access to computer networks through multiple layers of access controls to protect against unauthorized access.

• Group servers, applications, data, users into security domains (e.g., untrusted external networks, external service providers, various internal user systems).

• Establish access requirements within/between domains.

• Implement technological controls to meet access requirements consistently.

• Monitor cross-domain access for security policy violations and anomalous activity.

Page 26: IT Internal Controls


Network Access (continued)

Firewalls – Devices (computers, routers, and software) that mediate access between different security domains. All traffic between security domains must pass through the firewall, regardless of the direction of the flow.

Malicious Code Filtering – Devices that act as a control point to enforce the institution’s security policy over incoming communications (e.g., anti-virus, anti-spyware, and anti-spam filtering, blocking of downloading of executable files, and other actions).

Page 27: IT Internal Controls


Network Access (continued)

Outbound Filtering – Devices that inspect outbound communications for compliance with the institution’s security policy (e.g., forbid origination of outbound communications from certain computers).

Network Intrusion Prevention System (IPS) – Devices that allow or disallow access based on an analysis of packet headers and packet payloads (similar to firewalls).

Intrusion Detection System (IDS) – Software and/or devices designed to detect unwanted attempts to access, manipulate, or disable computer systems or information.

Page 28: IT Internal Controls


Network Access (continued)

• Vulnerability Assessment Systems – Systems to identify, quantify, prioritize vulnerabilities in networked systems.

• Data Loss Prevention – System to identify, monitor, and protect data while it is being used, stored, or transmitted; designed to detect and prevent the unauthorized use and transmission of confidential information.

• Security Information Management System (SIMS) – Consolidates reports from firewalls, IPS, IDS, and system and event logs into a central repository for trend analysis.

Page 29: IT Internal Controls


Operating System Access

Secure access to operating systems of all system components.

• Secure access to system utilities.

• Restrict and monitor privileged access.

• Log and monitor user/program access to sensitive resources and alert on security events.

• Update operating systems with security patches.

• Secure devices that can access the operating system through physical and logical means.

Page 30: IT Internal Controls


Application Access

Control access to applications.

• Use authentication and authorization controls appropriately robust for the risk of the application.

• Monitor access rights to ensure they are the minimum required for user’s current business needs.

• Use time-of-day limitations on access as appropriate.

• Log access and security events.

• Use software that enables rapid analysis of user activities.

Page 31: IT Internal Controls


Remote Access

Secure remote access to and from systems.

• Disable remote communications if no business need exists.

• Control access via management approval and review.

• Implement robust controls over configurations at both ends of the remote connection to prevent malicious use.

• Log and monitor all remote access communications.

• Secure remote access devices.

• Use strong authentication and encryption to secure communications.

Page 32: IT Internal Controls


Physical and Environmental Protection

Define physical security zones and implement preventive and detective controls in each zone to protect against:

• Physical access by malicious or unauthorized people.

• Damage from environmental contaminants.

• Electronic access through active or passive electronic emissions.

Page 33: IT Internal Controls


Physical and Environmental Protection (continued)

Data Center Security

Major objective is to limit risk of exposure from internal and external sources.

• Choose an area relatively safe from exposure to fire, flood, explosion, or similar environmental hazards.

• Deter intruders with guards, fences, barriers, surveillance equipment, etc.

• Ensure air conditioning equipment maintains temperature for optimal equipment operation.

Page 34: IT Internal Controls


Physical and Environmental Protection (continued)

Data Center Security (continued)

• Record access by vendors and other persons not assigned to data center.

• Secure doors and windows with switches that activate alarm systems.

• Do not identify location by signage or other indicators.

• Use detection devices (e.g., security cameras) to prevent theft and safeguard equipment.

Page 35: IT Internal Controls


Physical and Environmental Protection (continued)

Data Center Security (continued)

• Minimize risk from environmental threats with fire suppression systems, smoke alarms, raised flooring, and heat sensors.

• Use maintenance logs to determine whether devices are appropriately maintained.

• Periodically test the devices to determine they are operating correctly.

Page 36: IT Internal Controls


Physical and Environmental Protection (continued)

Data Center Security (continued)

• Require visitors to sign in and wear proper IDs so that they can be monitored and identified easily.

• Install power supply conditioning equipment (e.g., surge protection).

• Install uninterruptible power supply equipment that will activate immediately in the event of power loss from the main power supply.

Page 37: IT Internal Controls


Physical and Environmental Protection (continued)

Cabinet and Vault Security

• Install protective containers designed to meet fire-resistant and theft-resistant standards.

Physical Security In Distributed Environments

• Protect personal computers in unrestricted areas such as lobbies by securing them to workstations, locking or removing disk drives and unnecessary physical ports, and activating screensaver passwords or automatic timeouts.

Page 38: IT Internal Controls


Encryption

Implement encryption to mitigate risk of disclosure or alteration of sensitive information in storage and in transit.

• Encryption strength sufficient to protect information from disclosure until disclosure poses no material risk.

• Effective key management practices.

• Robust reliability.

• Appropriate protection of the encrypted communication’s endpoints.

Page 39: IT Internal Controls


Malicious Code Prevention

Implement appropriate controls to prevent and detect malicious code, and engage in user education.

• Malicious code is any program that acts in unexpected and potentially damaging ways.

• Common types of malicious code are viruses, worms, Trojan horses, monitoring programs such as spyware, cross-site scripts, keystroke loggers, and screen-shot transmissions.

Page 40: IT Internal Controls


Malicious Code Prevention (continued)

Controls To Protect Against Malicious Code

Controls use technology, policies and procedures, and training, all applied in a layered manner from perimeters inward to hosts and data. Controls are applied at the host, network, and user levels.

Host Level

• Host hardening, including patch application and security-minded configurations of the operating system (OS), browsers, and other network-aware software.

Page 41: IT Internal Controls


Malicious Code Prevention (continued)

Controls To Protect Against Malicious Code (continued)

Network Level

• Limit transfer of executable files through the perimeter, and use IDS and IPS to monitor incoming and outgoing network traffic.

User Level

• User education in awareness, safe computing practices, indicators of malicious code, and response actions.

Page 42: IT Internal Controls


Systems Development, Acquisition, and Maintenance

Ensure that systems are developed, acquired, and maintained with appropriate security controls.

• Ensure systems are developed and implemented with appropriate security features enabled.

• Ensure software is trustworthy by implementing appropriate controls in the development process, reviewing source code, reviewing the history and reputation of vendors and third party developers, and implementing appropriate controls outside of the software to mitigate unacceptable risks from any deficiencies.

Page 43: IT Internal Controls


Systems Development, Acquisition, and Maintenance (continued)

• Maintain appropriately robust configuration management and change control processes.

• Establish an effective patch management process.

• Use a separate system to test software changes/patches before moving into the production environment.

Page 44: IT Internal Controls


Personnel Security

Mitigate risks posed by employees and other internal users.

• Perform background checks/screening of new employees.

• Obtain agreements covering confidentiality, nondisclosure, and authorized use.

• Use job descriptions, employment agreements, and training to increase accountability for security.

• Provide training to support awareness/policy compliance.

Page 45: IT Internal Controls


Data Security

Control and protect access to paper, film, and computer-based media to avoid loss or damage.

• Develop a data classification policy.

• Establish/ensure compliance with policies for handling and storing information.

• Ensure safe and secure disposal of sensitive media.

• Secure information in transit or transmission to third parties.

Page 46: IT Internal Controls


Service Provider Oversight

Exercise security responsibilities for outsourced operations.

• Conduct due diligence in service provider research and selection.

• Obtain contractual assurances regarding security responsibilities, controls, and reporting.

• Get nondisclosure agreements regarding systems and data.

• Require independent review of the service provider’s security through appropriate audits and tests.

• Coordinate incident response policies and contractual notification requirements.

Page 47: IT Internal Controls


Business Continuity Considerations

Implement an effective business continuity plan.

• Identify personnel with key security roles during continuity plan implementation, and train personnel in those roles.

• Identify security needs for back-up sites and alternate communication networks.

• Periodically test the business continuity plan.

• Update the plan when business processes change or new technologies are implemented.

Page 48: IT Internal Controls


Insurance

Evaluate the extent and availability of insurance coverage in relation to the specific risks being mitigated.

• Insurance can be an effective method to transfer risks from the institution to insurance carriers.

• Insurance is not a substitute for an effective security program.

• Insurance companies typically require companies to certify that certain security practices are in place.

Page 49: IT Internal Controls


Security Monitoring

Assure adequacy of risk mitigation strategy/implementation.

• Monitor to identify policy violations, anomalous behavior.

• Monitor to identify unauthorized configuration, conditions that increase risk of intrusion, or other security events.

• Analyze results to accurately and quickly identify, classify, escalate, report, and guide responses to security events.

• Respond to intrusions, other security events.

• Continuously gather and analyze information regarding new threats, vulnerabilities, actual attacks, effectiveness of existing security controls.

Page 50: IT Internal Controls


Conclusion

I hope this presentation has given you a better understanding of internal controls that can be implemented for information technology to protect the institution and its customers.

Thank you for your interest and attention today!!!

Page 51: IT Internal Controls


Bibliography

1. The Committee of Sponsoring Organizations of the Treadway Commission – http://www.coso.org/resources.htm.

2. Federal Financial Institutions Examination Council, IT Examination Handbook, 2006.

3. Information Systems Audit and Control Association, CISA Review Manual, 2006.