Business Objectives
To retain competitive advantage and to meet basic business requirements, organizations must:
- Ensure the integrity of information stored on their computer systems
- Preserve the confidentiality of sensitive data
- Ensure the continued availability of their information systems
- Ensure conformity to laws, regulations, and standards

Session Agenda
1. Components of a Security Policy
2. Paths of Logical Access
3. Logical Access Issues and Exposures
4. Access Control Software
5. Logical Security Features, Tools, and Procedures
6. Auditing Logical Access
Security Policy Requirement
Security losses can be costly to business. Losses are suffered as a result of the failure itself or as costs incurred while recovering from the incident, followed by more costs to secure the systems and prevent further failure. A well-defined set of security policies and procedures can prevent losses and save money.

Security Policy - Components
- Management Support and Commitment
- Access Philosophy
- Compliance with Relevant Regulations
- Access Authorization
- Reviews of Access Authorization
- Security Awareness
- Role of Security Administrator
- Security Committee

Paths of Logical Access
Logical access into the computer can be gained through several avenues. Each avenue is subject to appropriate levels of security. Methods of access include the following:
- Operator Console
- Online Terminals
- Batch Job Processing
- Dial-up Ports
- Telecommunications Network

Logical Access Exposures
Inadequate logical access controls increase the potential for losses. These exposures can result in minor inconveniences or total shutdown of the computer system.
- Technical Exposures
- Virus Exposures
- Computer Crime Exposures
- Agents of Exposures

Access Control Software
Access control software is designed to prevent unauthorized access to data, unauthorized use of system functions and programs, and unauthorized changes to data, and to detect and prevent unauthorized attempts to access computer resources.
- Access Control Software tasks
- Access Control Software functions
- Access Control Software authorization components
- Decentralized / Remote Processing issues

Logical Security Features
- Two-phase User Identification / Authentication process
- Logging Computer Access
- Computer features that bypass security
- Data Classification
- Safeguarding Confidential Data on a PC
- Naming conventions for Access Controls

Auditing Logical Access
- Evaluating Logical Access Controls
- Review Reports from Access Control Software
- Data Ownership Issues
- Bypass Security Controls
Management Support and Commitment
- Management must demonstrate a concern for security.
- Management must clearly approve and support formal security awareness and training.
- This may require special management security training, since security is not necessarily a part of management expertise.

Access Philosophy
- Access to computerized resources and information must be based on a documented “need-to-know, need-to-do” basis only.
- “need-not-know” basis?

Compliance with Relevant Legislation and Regulations
The policy should state that compliance is required with all relevant legislation, such as that requiring confidentiality of personal information, or specific regulations relating to particular industries, e.g. banking or financial institutions.

Access Authorization
- The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information.
- The manager should give this documentation directly to the security administrator so that mishandling or alteration of the authorization does not occur.

Reviews of Access Authorization
- Like any other control, access controls should be evaluated regularly to ensure that they are still effective.
- Personnel and departmental changes, malicious efforts and just plain carelessness can impact the effectiveness of access controls.
- The security manager, with the assistance of the managers who provide access authorization, should review the access controls.
- Any access exceeding the “need-to-know, need-to-do” philosophy should be changed accordingly.

Raising Security Awareness
- Distribution of a written security policy
- Training on a regular basis for new employees, users, and support staff
- Non-disclosure statements signed by the employees
- Use of newsletters, web pages and videos to promulgate security awareness
- Visible enforcement of security rules
- Simulated security incidents for improving security procedures
- Rewards for employees who report suspicious events
- Periodic audits

Employee Responsibilities
- Reading the security policy
- Keeping logon-IDs and passwords secret
- Reporting suspected violations of security to the security administrator
- Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people
- Conforming to local laws and regulations
- Adhering to privacy regulations with regard to confidential information (health, legal, etc.)

Employee Responsibilities
- Non-employees with access to company systems should also be held accountable for security policies and responsibilities.
- These include contract employees, vendors, programmers/analysts, maintenance personnel and clients.

Role of Security Administrator
- The security administrator, typically a member of the IS department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.
- In large organizations, the security administrator is usually a full-time function; in small organizations someone may perform this function along with other non-conflicting responsibilities.

Role of Security Administrator
For proper segregation of duties, the security administrator should NOT be:
- responsible for updating application data
- an end user
- an application programmer
- a computer operator
- a data entry clerk

Security Committee
- Security guidelines, policies, and procedures affect the entire organization and as such should have the support and suggestions of end users, executive management, security administration, IS personnel, and legal counsel.
- Individuals representing various management levels should meet as a committee to discuss these issues and establish security practices.
- The committee should be formally established with appropriate terms of reference and regular minuted meetings with action items, which are followed up on at each meeting.
Operator Console
- These privileged computer terminals control most computer operations and functions.
- Most operator consoles do not have strong logical access controls and provide a high level of computer system access - a high-risk combination.
- These terminals should be placed in a suitably controlled facility so that physical access can only be gained by authorized personnel.

Online Terminals
- Online access to computer systems through terminals typically requires entry of at least a logon-ID and password.
- It may also require further entry of authentication or identification data for access to specific application systems.
- Personal computers (PCs) are often used as online access terminals through terminal emulation software.
- This poses a particular risk, as the PCs can be programmed to store and recall user access codes and passwords.

Batch Job Processing
- This mode of access is indirect, since access is achieved via the processing of transactions.
- It involves accumulating input transactions and processing them as a batch after a given interval of time or after a certain number of transactions.
- Security is achieved by restricting who can accumulate transactions (data entry clerks) and who can initiate batch processing (computer operators or the automatic job scheduling system).
- Additionally, procedures and authorization to manipulate accumulated transactions prior to processing the batch should be carefully controlled.

Dial-up Ports
- Involves hooking a remote terminal or PC to a telephone line and gaining access to the computer by dialing a telephone number that is connected to the computer.
- Security is achieved by providing a means of identifying the remote user to determine authorization to access.
- This may be done by means of a call-back feature, use of a logon-ID and password, use of access control software, or by requiring a computer operator to verify the identity of the caller and then provide the connection to the computer.

Telecommunications Network
- Involves linking a number of computer terminals or PCs to the host computer through a network of telecommunication lines.
- The telecommunication lines may be private (dedicated to one user) or public, such as the public switched network.
- Security should be provided in the same manner as applied to online terminals.
Technical Exposures
Technical exposures involve unauthorized or unintentional implementation or modification of data and software.
- Data Diddling - Involves changing data before or as it is entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data.

Technical Exposures - Trojan Horses
- Involves hiding malicious, fraudulent code in an authorized computer program.
- This hidden code will be executed whenever the authorized program is executed.
- A classic case is the Trojan horse in a payroll calculating program that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator’s payroll account.

Technical Exposures - Logic Bombs
- The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future.
- They are very difficult to detect before they blow up; thus, of all the computer crime schemes, they have the greatest potential for damage.
- Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator.
- They could also be used in extortion schemes.

Technical Exposures - Rounding Down
- Involves drawing off small fractions of money from a computerized transaction or account and rerouting this amount to the perpetrator’s account.
- Since the amounts are so small, they are rarely noticed.
- For example, if a transaction amount were Rs. 12,30,456.39, the rounding down technique may round the transaction to Rs. 12,30,456.35.

Technical Exposures - Salami Techniques
- Involves slicing small amounts of money from a computerized transaction or account and is similar to the rounding down technique.
- For example, if a transaction amount were Rs. 12,30,456.39, the salami technique truncates the last few digits from the transaction amount so that it becomes Rs. 12,30, or Rs. 12,30, depending on the calculation built into the program.
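Detection-side example, added here and not part of the original slides: a reconciliation check that compares every transaction's amount as captured at data entry with the amount actually posted, using exact decimal arithmetic, plus a batch-total control. Many small, same-signed differences are the footprint of the rounding-down and salami techniques described on the last two slides; the batch below is constructed, and its first record reproduces the slide's Rs. 12,30,456.39 example.

```python
from decimal import Decimal

# Constructed sample batch (not from the slides): each record is
# (transaction id, amount captured at data entry, amount actually posted).
# T001 reproduces the slide's example: Rs. 12,30,456.39 posted as Rs. 12,30,456.35.
SAMPLE_BATCH = [
    ("T001", "1230456.39", "1230456.35"),
    ("T002", "875.10", "875.10"),
    ("T003", "99999.99", "99999.95"),
    ("T004", "12.50", "12.50"),
]


def reconcile(batch):
    """Compare source and posted amounts at full precision.

    Returns (discrepancies, drift): discrepancies is a list of
    (transaction id, source - posted) for every mismatch, drift is the
    total amount that has left the batch.  Decimal is used so that a few
    paise per transaction cannot disappear into floating point rounding.
    """
    discrepancies = []
    drift = Decimal("0")
    for txn_id, source, posted in batch:
        delta = Decimal(source) - Decimal(posted)
        if delta != 0:
            discrepancies.append((txn_id, delta))
            drift += delta
    return discrepancies, drift


def batch_totals_agree(batch):
    """Batch-total control: the sum of what went in must equal the sum of what was posted."""
    total_in = sum(Decimal(s) for _, s, _ in batch)
    total_out = sum(Decimal(p) for _, _, p in batch)
    return total_in == total_out


def looks_like_salami(discrepancies, max_abs=Decimal("0.10")):
    """Heuristic for the salami / rounding-down pattern: at least two
    discrepancies, all in the same direction, none individually large."""
    if len(discrepancies) < 2:
        return False
    deltas = [d for _, d in discrepancies]
    same_sign = all(d > 0 for d in deltas) or all(d < 0 for d in deltas)
    all_small = all(abs(d) <= max_abs for d in deltas)
    return same_sign and all_small


if __name__ == "__main__":
    found, drift = reconcile(SAMPLE_BATCH)
    print("totals agree:", batch_totals_agree(SAMPLE_BATCH))
    for txn_id, delta in found:
        print(f"{txn_id}: short by {delta}")
    print("total drift:", drift, "salami pattern:", looks_like_salami(found))
```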
Technical Exposures - Worms
- These are destructive programs that may destroy data or utilize tremendous communication resources but do not replicate like viruses.
- They do not change other programs, but can run independently and travel from machine to machine across network connections.
- Worms may also have portions of themselves, called segments, running on different machines.

On 2 November 1988, Robert Tappan Morris, a graduate student at Cornell University, unleashed a program which spawned copies of itself and spread throughout the network. Within hours, the worm had invaded 2,000 to 6,000 computers, about 10% of the Internet at the time. The program also clogged all the systems it hit, dialing virtually every computer it invaded. When Morris saw the damage that was taking place, he posted a message on the Net with instructions for disabling the worm. However, by then the damage was done. On 16 May 1990, Morris was convicted and fined $10,000 and sentenced to 3 years probation.

Technical Exposures - Trap Doors
- These are exits out of an authorized program that allow for insertion of specific logic, such as program interrupts, to permit a review of data during processing.
- These holes also permit insertion of unauthorized logic.

Technical Exposures - Asynchronous Attacks
- These occur in multiprocessing environments where data moves asynchronously (one character at a time with start and stop bits).
- As a result, numerous data transmissions must wait for the line to be free.
- Data that are waiting are susceptible to unauthorized access, called asynchronous attacks.
- These attacks, usually small pin-like insertions into cable, may be committed via hardware and are extremely hard to detect.

Technical Exposures - Data Leakage
Involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.

Technical Exposures
- Wire-tapping - Involves eavesdropping on information transmitted over transmission lines. Also known as sniffing.
- Piggybacking - The act of following an authorized person through a secured door, or electronically attaching to an authorized telecommunication link.

Technical Exposures - Shutdown of the Computer
- Can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer.
- Usually only individuals having a high-level systems logon-ID can initiate the shutdown process.
- Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.

Technical Exposures - Denial of Service Attack
- This is an attack that disrupts or completely denies service to legitimate users, networks, systems, or other resources.
- The intent of any such attack is usually malicious in nature, and it often takes little skill because the requisite tools are readily available.
Viruses
Viruses are the colds and flus of computer security: ubiquitous, at times impossible to avoid despite the best efforts, and often very costly to an organization's productivity.

Viruses
- Viruses are a significant and very real logical access issue.
- The term “virus” is a generic term applied to a variety of malicious computer program code inserted into other executable code that can self-replicate and spread from computer to computer.
- Traditional viruses attach themselves to other executable code, infect the user’s computer, replicate themselves on the user’s hard disk and then damage data, the hard disk or files.

How many viruses are there?
- By early 2002, there were more than 15,000 computer viruses!
- The huge number is explained in part by the ease with which potential virus writers can get the tools and actual viral code to work with, either from the Internet or other channels.
- In May 1997, the Digital Hackers’ Alliance announced the availability of a CD-ROM with over 10,000 viruses. They also offered to give the first 100 customers a collection of 50 virus creation tools free of charge.

Viruses
Viruses usually attack the following parts of the computer:
- Executable program files (.exe or .com files) - 85% of all viruses are program viruses.
- The file-directory system that tracks the location of all the computer’s files (FAT table).
- Boot and system areas that are needed to start the computer - Michelangelo virus.
- Macro viruses (Microsoft Word viruses - Concept, Wazzu).

Viruses - Can a virus infect data files?
- Some viruses (e.g., Frodo, Cinderella) modify non-executable files.
- However, in order to spread, the virus code must be executed.
- Therefore "infected" non-executable files cannot be sources of further infection.
- Such "infections" are usually mistakes, due to bugs in the virus. However, there is an increasing possibility of viruses spreading through the sharing of data files.
Anti-Virus Policies
- Build any system from original, clean master copies. Boot only from original diskettes whose write-protection has always been in place.
- Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network.
- Update virus scanning software definitions regularly.
- Write-protect all diskettes with .exe and .com extensions.
- Have vendors run demonstrations on their machines, not yours.

Anti-Virus Policies
- Enforce a rule of not using shareware without first scanning the shareware thoroughly for a virus.
- Insist that field technicians scan their disks on a test machine before they use any of their disks on the system.
- Ensure that the network administrator uses workstation and server anti-virus software.
- Ensure that all servers are equipped with an activated, current release of the anti-virus software.
- Educate users so they will heed these policies.

Anti-Virus - Hardware Tactics
- Use workstations without floppy drives.
- Use boot virus protection (i.e. built-in firmware-based virus protection).
- Use remote booting.
- Use a hardware-based password.
- Use write-protect tabs on floppy disks.

What is the best Anti-virus program?
None! Different products are more or less appropriate in different situations, but in general you should build a cost-effective strategy based on multiple layers of defence. There are three main kinds of anti-virus software:
- Scanners
- Activity Monitoring Programs
- Integrity Checkers

Anti-Virus Software - Scanners
- These look for sequences of bits, called signatures, that are typical of virus programs.
- Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus.
- Scanners therefore need to be updated frequently to be effective.
- Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk Software's F-PROT, McAfee's VirusScan

Anti-Virus Software - Activity Monitoring Programs
- These interpret DOS and ROM basic input output system (BIOS) calls, looking for virus-like actions such as attempts to write to another executable, reformat the disk, etc.
- Activity monitors can be annoying because they cannot distinguish between a user’s request and a program or virus request.
- As a result, users are constantly asked to confirm actions like formatting a disk or deleting a file or set of files.
- Examples: SECURE and FluShot+

Anti-Virus Software - Integrity Checkers
- These compute a small checksum or hash value (usually CRC or cryptographic) for files when they are presumably uninfected, and later compare newly calculated values with the original ones to see if the files have been modified.
- This catches unknown viruses as well as known ones and thus provides “generic” detection.
- Examples: ASP Integrity Toolkit (commercial), and Integrity Master and VDS (shareware)

Anti-Virus Software
- Integrity checkers are considered to be the strongest line of defence against computer viruses, because they are not virus-specific and can detect new viruses without being constantly updated.
- However, they should not be considered as an absolute protection: they have several drawbacks, cannot identify the particular virus that has attacked the system, and there are successful methods of attack against them too.
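A minimal integrity checker of the kind the two slides above describe, added here as an illustration (not one of the products named on the slide): it records a CRC32 and a SHA-256 for every file while the system is presumed clean, then reports modified, added and missing files. The demo directory and its contents are constructed.

```python
import hashlib
import os
import tempfile
import zlib


def file_digests(path):
    """Return (crc32, sha256 hex) for one file, read in chunks."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return crc & 0xFFFFFFFF, sha.hexdigest()


def build_baseline(root):
    """Snapshot every file under root while it is presumed uninfected."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digests(full)
    return baseline


def check_integrity(root, baseline):
    """Recompute digests and compare with the baseline; generic detection, no signatures."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: snapshot two files, then alter one and add another."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "payroll.exe"), "wb") as f:
            f.write(b"MZ original program image")
        with open(os.path.join(root, "config.dat"), "wb") as f:
            f.write(b"rate=0.12")
        baseline = build_baseline(root)
        # Stand-in for a file infector appending code to the executable
        with open(os.path.join(root, "payroll.exe"), "ab") as f:
            f.write(b" <unexpected appended code>")
        with open(os.path.join(root, "dropper.com"), "wb") as f:
            f.write(b"new file")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be kept where the checked system cannot alter it (write-protected or off-line); a baseline stored alongside the files is one of the attack avenues the slide alludes to.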
Anti-Virus Software - Modification Detectors
- Some modification detectors provide HEURISTIC DISINFECTION.
- Sufficient information is saved for each file so that it can be restored to its original state in the case of the great majority of viral infections, even if the virus is unknown.
- Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD module of V-Care and ThunderByte's TbClean.

Anti-Virus Software - Virus Removal
- Once a virus has been detected, an eradication program can be used to wipe the virus from the hard disk.
- Sometimes eradication programs can kill a virus without having to delete the infected program or data file, while at other times those infected files must be deleted.
- Inoculators are programs which will not allow a program to be run if it contains a virus.

Is Windows a Virus?
No, Windows is not a virus. Here's what viruses do:
- They replicate quickly - okay, Windows does that.
- Viruses use up valuable system resources, thereby slowing down the system - okay, Windows does that.
- Viruses will, from time to time, crash your hard disk - okay, Windows does that too.
- Viruses are usually carried, unknown to the user, along with valuable programs and systems. Sigh... Windows does that, too.
- Viruses will occasionally make the user suspect their system is too slow and the user will buy new hardware. Yup, that's with Windows, too.

Is Windows a Virus?
Until now it seems Windows is a virus, but there are fundamental differences:
- Viruses are well supported by their authors,
- Run on most systems,
- Their program code is fast, compact and efficient,
- They tend to become more sophisticated as they mature.
Conclusion: Windows is not a virus. It's a bug!!

Computer Crime Exposures
Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and very existence of an organization. Threats to the business include the following:
- Financial Loss - These losses can be direct, through loss of electronic funds, or indirect, through the costs of correcting the exposure.

Computer Crime Exposures - Legal Repercussions
- There are numerous privacy and human rights laws to consider when developing security policies.
- Not having proper security measures could expose the organization to lawsuits from investors and insurers.
- Most companies must also comply with industry-specific regulatory agencies.
- The IS auditor should obtain legal assistance when reviewing the legal issues associated with computer security.

Computer Crime Exposures - Loss of Credibility or Competitive Edge
- Many organizations, especially service firms such as banks and financial institutions, need credibility and public trust to maintain a competitive edge.
- A security violation can severely damage this credibility, resulting in loss of business and prestige.

Computer Crime Exposures - Blackmail / Industrial Espionage
- By gaining access to confidential information or the means to adversely impact computer operations, a perpetrator can extort payments or services from an organization by threatening to exploit the security breach.
- Some perpetrators may not be looking for financial gain. They merely want to cause damage due to dislike of the organization or for self-gratification.

Agents of Exposures - Hackers
Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. They usually do not access a computer with the intent of destruction; however, this is quite often the result.

Agents of Exposures - Employees / IS Personnel
- These individuals have the easiest access to computerized information since they are the custodians of this information.
- In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals.

Agents of Exposures - Interested or Educated Outsiders
- Competitors
- Foreigners
- Organized criminals
- Crackers (paid hackers working for a third party)
- Phreakers (hackers attempting access into the telephone/communication system)
Access Control Software
Generally performs the following tasks:
- Verification of the user
- Authorization of access to defined resources
- Restriction of users to specific terminals
- Reports on unauthorized attempts to access computer resources, data or programs

Access Control Software
Provides the following functions of verifying user authorization:
- To sign on at the network and subsystem level
- At the application and transaction level
- Within the application
- At the field level for changes within a database
- Verify subsystem authorization for the user at the file level

Access Control Software - Authorization Components
- Logon-IDs and user authentication
- Limitation to specific terminals for specific logon-IDs
- Based on predetermined times
- Specific tasks to be initiated from a predefined library
- Establishing rules of access
- Creation of individual accountability and auditability
- Logging events
- Logging user activities
- Reporting capabilities

Access Control Software
Following is a list of computerized files and facilities that should be protected by logical access controls:
- System software
- Data
- Application software
- Telecommunication lines
- Libraries
- Password library
- Tape files
- Procedure libraries

Access Control Software - Advantages of a Decentralized Environment
- The security administration is on site at the distributed location.
- Security issues can be resolved in a more timely manner.
- Security controls are monitored on a more frequent basis.

Access Control Software - Risks related to the Decentralized Environment
- The possibility that local standards might be implemented rather than those required by the organization.
- Levels of security management might be below that which can be maintained by a central administration.
- Distributed security administration requires a greater degree of management checks and audit by central administration to ensure standards are maintained.

Access Control Software - Issues related to the Remote Processing Environment
- Software controls over access to the computer, data files and remote access to the network should be implemented.
- Access from remote locations via modems and laptops to other computers should be controlled appropriately.
- Supervisory controls should be established over terminal and computer operations at remote locations.
- When replicated files exist at multiple locations, controls should ensure that all files used are correct and current.
Identification / Authentication
The two-phase User Identification/Authentication process consists of the following:
- Identification - Users must identify themselves to the access control software by name or account number.
- Authentication - Users must prove they are who they claim to be. Authentication is a two-way process where the software must first verify the validity of the user and then proceed to verify prior knowledge information.

Identification / Authentication
For example, users may provide the following:
- Remembered information, such as name, account number, and password
- Possessed objects, such as a badge, plastic cards and keys
- Personal characteristics, such as fingerprint, voice, and signature

Features of Passwords
- A password should be easy for the user to remember but difficult for the perpetrator to guess.
- When the user logs on for the first time, the system should force a password change.
- If the wrong logon-ID or password is entered, say three times, the account should be locked out.
- Passwords should be internally one-way encrypted.
- Passwords should be changed regularly.
- Passwords should not be shared.

Syntax of Passwords
- Ideally, passwords should be 5 to 8 characters in length.
- They should be a combination of alphabetic (upper case and lower case) and numeric characters.
- The system should allow special characters like &^%$, etc.
- Passwords should not be identifiable with the user, such as first name, spouse’s name, pet’s name, etc.
- They should not use common names or dictionary terms.
- The system should not permit previous passwords to be used again.
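Added example (not from the slides): a policy check implementing the rules on the slide above: length, mixed character classes, no user-identifiable terms, no dictionary words, and no reuse of a previous password. Previous passwords are kept only as salted one-way digests, so the history never stores a password; the word list, the user's personal terms and the 5-8 character bounds (taken from the slide) are illustrative assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real dictionary / common-names list (assumption).
DICTIONARY = {"password", "welcome", "summer", "secret", "london", "admin"}


def one_way(password, salt):
    """Salted, iterated one-way digest used for the reuse history; never reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(password):
    """Entry stored in the user's password history whenever a password is set."""
    salt = os.urandom(16)
    return salt, one_way(password, salt)


def was_used_before(candidate, history):
    return any(hmac.compare_digest(one_way(candidate, salt), digest)
               for salt, digest in history)


def check_password(candidate, user_terms, history, dictionary=DICTIONARY,
                   min_len=5, max_len=8):
    """Return the list of policy violations; an empty list means the password is acceptable.

    user_terms: strings that identify the user (first name, spouse's name, pet's name, ...).
    history:    list of (salt, digest) pairs produced by remember() for earlier passwords.
    """
    problems = []
    if not (min_len <= len(candidate) <= max_len):
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs an upper case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("needs a lower case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs a digit")
    lowered = candidate.lower()
    for term in user_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains user-identifiable term '{term}'")
    for word in sorted(dictionary):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    if was_used_before(candidate, history):
        problems.append("previous password may not be reused")
    return problems


if __name__ == "__main__":
    history = [remember("Welcome1")]
    for pw in ("Tr0ub4d", "ravi2024", "Welcome1"):
        print(pw, "->", check_password(pw, ["Ravi", "Tommy"], history) or "OK")
```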
Password Combinations
- A 4-digit numeric password could be cracked on a modest PC in 0.02 seconds - faster than you can blink your eyes!!
- If you increase the length of the password from 4 digits to 6, you find that the time to crack would be 100 times more - or 2 seconds.
- Increasing again from 6 to 8 digits, you end up with just under 4 minutes to crack the password.

Password Combinations (5 - 8 characters)

Character set                        | Time to crack
-------------------------------------|--------------
Numeric                              | 3.7 mins
Single case alpha                    | 5.4 mins
Single case alpha, numeric           | 24 mons
Single case alpha, numeric, special  | 32.2 yrs
Mixed case alpha, numeric, special   | 429.5 yrs
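The figures on the two slides above can be checked with a few lines of arithmetic. This added example (not from the original deck) derives the guessing rate implied by the 4-digit case, 10^4 guesses in 0.02 s, and applies it to every password length from 5 to 8 characters for each character set in the table; the size of the "special" set (33 printable ASCII symbols) is an assumption.

```python
# Guessing rate implied by the slide: 10^4 numeric passwords in 0.02 s.
GUESSES_PER_SECOND = 500_000

# Alphabet sizes for the character sets in the table.  The 33 "special"
# characters are the remaining printable ASCII symbols (an assumption).
CHARSETS = {
    "Numeric": 10,
    "Single case alpha": 26,
    "Single case alpha, numeric": 26 + 10,
    "Single case alpha, numeric, special": 26 + 10 + 33,
    "Mixed case alpha, numeric, special": 26 + 26 + 10 + 33,
}

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords of every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_crack(alphabet_size, min_len, max_len, rate=GUESSES_PER_SECOND):
    """Worst-case exhaustive search: every candidate tried once at `rate` guesses/s."""
    return keyspace(alphabet_size, min_len, max_len) / rate


def human(seconds):
    """Render a duration the way the slide does (mins, hours, days, years)."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / SECONDS_PER_MINUTE:.1f} mins"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} yrs"


def crack_table(min_len=5, max_len=8):
    """Seconds to exhaust each character set for passwords of min_len..max_len characters."""
    return {name: seconds_to_crack(size, min_len, max_len) for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for length in (4, 6, 8):                      # the slide's 4/6/8 digit figures
        print(f"{length} digits: {human(seconds_to_crack(10, length, length))}")
    for name, secs in crack_table().items():      # the 5-8 character table
        print(f"{name:40s} {human(secs)}")
```

The numeric row (3.7 mins) and the 4/6/8 digit figures come out exactly as on the slides at this rate; the larger character sets land in the same order of magnitude as the table, which is the point of the comparison.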
Real World Scenario
- L0pht Heavy Industries, a group of hackers who have turned their expertise into a security consulting business, claim that during a corporate audit they performed for a ‘large high technology company’, they cracked 90% of the passwords in under 48 hours on a Pentium II/300.
- They further state that 18% of the passwords were cracked in under 10 minutes!

Password Dilemma
- The best password is one that can’t be guessed.
- If a password can’t be guessed, it is probably difficult to remember.
- If a password is hard to remember, the user will probably write it down somewhere.
- If a password is written down, it is probably no longer secure.

Session Controls
- Logon-IDs not used for a number of days should be deactivated to prevent misuse. This can be done automatically by the system or manually by the security administrator.
- The system should automatically disconnect a logon session if no activity has occurred for a period of time. This reduces the risk of misuse of an active logon session left unattended because the user left for lunch or for a meeting.
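Added example, not part of the slides: a small account store that enforces the password features and session controls listed above: one-way (salted, iterated) password storage, a forced change at first logon, lock-out after three wrong attempts, regular password change, deactivation of dormant logon-IDs and disconnection of idle sessions. The thresholds are assumed values for illustration, and the clock is passed in so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy thresholds (assumed values; the slides say "say three times" for lock-out
# and "a number of days" / "a period of time" for the others).
MAX_FAILURES = 3
PASSWORD_MAX_AGE_DAYS = 90
DORMANT_AFTER_DAYS = 30
IDLE_TIMEOUT_SECS = 15 * 60
DAY = 86_400


def one_way(password, salt):
    """Salted, iterated one-way hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    logon_id: str
    salt: bytes
    digest: bytes
    pw_changed_at: float      # seconds since epoch
    last_activity: float
    must_change: bool = True  # forced change at first logon
    failures: int = 0
    locked: bool = False
    active: bool = True


def create_account(logon_id, initial_password, now):
    salt = os.urandom(16)
    return Account(logon_id, salt, one_way(initial_password, salt), now, now)


def logon(acct, password, now):
    """Attempt a logon; returns 'ok', 'change_required', 'bad_password', 'locked' or 'deactivated'."""
    if not acct.active:
        return "deactivated"
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(one_way(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True          # lock-out after MAX_FAILURES wrong passwords
            return "locked"
        return "bad_password"
    acct.failures = 0
    acct.last_activity = now
    if acct.must_change or now - acct.pw_changed_at > PASSWORD_MAX_AGE_DAYS * DAY:
        return "change_required"        # first logon, or password older than the maximum age
    return "ok"


def change_password(acct, new_password, now):
    acct.salt = os.urandom(16)
    acct.digest = one_way(new_password, acct.salt)
    acct.pw_changed_at = now
    acct.must_change = False


def deactivate_dormant(accounts, now):
    """Security administrator's periodic job: deactivate logon-IDs unused for DORMANT_AFTER_DAYS."""
    deactivated = []
    for acct in accounts:
        if acct.active and now - acct.last_activity > DORMANT_AFTER_DAYS * DAY:
            acct.active = False
            deactivated.append(acct.logon_id)
    return deactivated


def session_alive(last_activity, now):
    """An unattended session is disconnected once IDLE_TIMEOUT_SECS pass without activity."""
    return now - last_activity <= IDLE_TIMEOUT_SECS


if __name__ == "__main__":
    a = create_account("clerk01", "Init1al", 0.0)
    print(logon(a, "Init1al", 10.0))          # change_required (first logon)
    change_password(a, "N3wPass", 10.0)
    print(logon(a, "N3wPass", 20.0))          # ok
    for _ in range(3):
        print(logon(a, "wrong", 30.0))        # bad_password, bad_password, locked
```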
Data File Access
- Read, inquiry, or copy only
- Write, create, update, or delete only
- Execute

Logging Computer Access
Computer access and attempted access violations can be automatically logged by the computer and reported. The security administrator should review the access report and look for:
- Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
- Violations such as attempting computer file access that is not authorized and/or use of incorrect passwords
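An added example of the review the slide describes (not from the original deck): it parses a constructed access report, counts failed logons and denied file accesses per user, and flags users whose successful accesses concentrate on a sensitive application. The line format, the PAYROLL prefix and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed access report (format is an assumption, not any product's real output).
SAMPLE_REPORT = """\
2024-03-05 09:12:01 LOGON FAIL user=jsmith term=T07 reason=BADPW
2024-03-05 09:12:09 LOGON FAIL user=jsmith term=T07 reason=BADPW
2024-03-05 09:12:20 LOGON FAIL user=jsmith term=T07 reason=BADPW
2024-03-05 09:12:31 LOGON FAIL user=jsmith term=T07 reason=BADPW
2024-03-05 09:15:00 LOGON OK user=mpatel term=T03
2024-03-05 09:16:10 ACCESS OK user=mpatel resource=PAYROLL.MASTER
2024-03-05 09:16:40 ACCESS OK user=mpatel resource=PAYROLL.MASTER
2024-03-05 09:17:05 ACCESS OK user=mpatel resource=PAYROLL.MASTER
2024-03-05 09:17:30 ACCESS OK user=mpatel resource=PAYROLL.MASTER
2024-03-05 09:18:00 ACCESS OK user=mpatel resource=PAYROLL.MASTER
2024-03-05 09:20:00 LOGON OK user=aroy term=T11
2024-03-05 09:21:00 ACCESS OK user=aroy resource=SALES.REPORTS
2024-03-05 09:22:00 ACCESS DENY user=aroy resource=PAYROLL.MASTER
2024-03-05 09:22:30 ACCESS DENY user=aroy resource=PAYROLL.MASTER
2024-03-05 09:23:00 ACCESS OK user=aroy resource=SALES.REPORTS
"""

SENSITIVE_PREFIXES = ("PAYROLL.",)   # applications the administrator watches closely


def parse_line(line):
    """'date time EVENT RESULT k=v k=v ...' -> dict; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 5:
        return None
    record = {"ts": parts[0] + " " + parts[1], "event": parts[2], "result": parts[3]}
    for token in parts[4:]:
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record if "user" in record else None


def review_report(text, fail_threshold=3, deny_threshold=2,
                  concentration=0.8, min_accesses=5):
    """Return {user: [finding, ...]} for the patterns the security administrator looks for."""
    failed = Counter()
    denied = Counter()
    accesses = defaultdict(lambda: [0, 0])     # user -> [total, on sensitive resources]
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"]
        if rec["event"] == "LOGON" and rec["result"] == "FAIL":
            failed[user] += 1
        elif rec["event"] == "ACCESS":
            if rec["result"] == "DENY":
                denied[user] += 1
            elif rec["result"] == "OK":
                accesses[user][0] += 1
                if rec.get("resource", "").startswith(SENSITIVE_PREFIXES):
                    accesses[user][1] += 1
    findings = defaultdict(list)
    for user, n in failed.items():
        if n >= fail_threshold:
            findings[user].append(f"{n} failed logons (incorrect password / logon-ID)")
    for user, n in denied.items():
        if n >= deny_threshold:
            findings[user].append(f"{n} attempts to access files not authorized")
    for user, (total, sensitive) in accesses.items():
        if total >= min_accesses and sensitive / total >= concentration:
            findings[user].append(
                f"{sensitive}/{total} accesses concentrated on a sensitive application")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in review_report(SAMPLE_REPORT).items():
        for note in notes:
            print(f"{user}: {note}")
```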
84Access ViolationsThe violation should be referred to the security administrator.The security administrator should investigate and determine the severity of the violation.If the violation is serious, executive management should be notified. They are normally responsible for notifying law enforcement agencies.Written guidelines should exist that identify various types and levels of violations and how they will be addressed.Disciplinary action should be a formal process that is consistently applied.Corrective measures should include review of access rules.
85Bypassing SecurityGenerally, only system programmers should have access to these features:Bypass Label Processing (BLP) - BLP bypasses computer reading of the file label. Since most access control rules are based on file names (labels), this can bypass access security.System Exits - This system software feature permits the user to perform complex system maintenance which may be tailored to a specific environment.Special System Logon-Ids - These logon-Ids are often provided by the vendor and are the same for all similar systems. The passwords should be changed immediately upon installation.
86Data ClassificationThe National Institute of Standards and Technology (NIST) describes the following four classifications:Sensitive :Applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion.It is information that requires a higher than normal assurance of accuracy and completeness.For example passwords, encryption parameters, etc.
87Data Classification Confidential Applies to the most sensitive business information that is intended strictly for use within an organization.Its unauthorized disclosure could seriously and adversely impact the organization’s image in the eyes of the public.For example application program source code, project documentation, etc.
88Data Classification Private Applies to personal information that is intended for use within the organization.Its unauthorized disclosure could seriously and adversely impact the organization and / or its customers.For example customer account data, messages, etc.
89Data Classification Public Applies to data that can be accessed by the public but can be updated/modified by authorized people only.For example company web pages, monetary transaction limit data, etc.
90PC Security IssuesSensitive data should not be stored on a PC. The simplest and most effective way to secure data and software is to remove the storage medium, such as disk, cassette or tape from the machine when it is not in use and lock it in a safe.Vendors offer lockable enclosures, clamping devices and cable fastening devices that help prevent equipment theft.The computer can also be connected to a security system that sounds an alarm if the equipment is moved.Passwords can be allocated to individual files to prevent them from being opened by an unauthorized person.
91PC Security IssuesPreventing the theft of data is virtually impossible. The medium itself is inexpensive, but the data residing on disks may be vital to the company. A practical solution is to record all sensitive data on removable hard drives, which are more easily secured than fixed or floppy disks.Preventive controls such as encryption become more important for protecting sensitive data in the event the PC or laptop is lost, stolen, or sold.Other procedures may require that the PC or laptop may only be used in a physically-secured area and must not be taken from that location.
92 Naming Conventions
- On larger mainframe and minicomputer systems, access control naming conventions are structures used to govern user access to the system and user authority to access or use computer resources.
- The owners of the data or application, with the help of the security administrator, usually set up the naming conventions.
- It is important to establish naming conventions that both promote the implementation of efficient access rules and simplify security administration.

93 Naming Conventions
- Naming conventions for system resources such as datasets, volumes, programs, and terminals are an important prerequisite for efficient administration of security controls.
- Naming conventions can be structured so that resources beginning with the same high-level qualifier can be governed by one or more generic rules.
- This reduces the number of rules required to adequately protect resources, which, in turn, facilitates security administration and maintenance efforts.
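An added example, not part of the original slides, of how generic rules keyed on a high-level qualifier reduce the number of rules an administrator maintains. The rule syntax ('*' for exactly one qualifier, '**' for all remaining qualifiers), the resource names and the group names are constructed for illustration and do not reproduce any particular product's rule language.

```python
# Added example (not from the slides): generic access rules keyed on the
# high-level qualifier of a dotted resource name. Rule syntax is assumed:
# '*' matches exactly one qualifier, '**' matches all remaining qualifiers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pattern: str          # e.g. "PAYROLL.**"
    allowed: frozenset    # groups permitted on resources the pattern covers


def _match(pat, name):
    """Qualifier-by-qualifier comparison of pattern parts against name parts."""
    if not pat:
        return not name
    if pat[0] == "**":
        return True
    if name and pat[0] in ("*", name[0]):
        return _match(pat[1:], name[1:])
    return False


def matches(pattern, resource):
    return _match(pattern.split("."), resource.split("."))


def applicable_rules(rules, resource):
    """Matching rules, most specific first (fewest wildcard qualifiers wins)."""
    hits = [r for r in rules if matches(r.pattern, resource)]
    return sorted(hits, key=lambda r: r.pattern.count("*"))


def is_permitted(rules, group, resource):
    """Deny by default: a resource with no matching rule is not accessible."""
    hits = applicable_rules(rules, resource)
    return bool(hits) and group in hits[0].allowed


def rules_exercised(resources, rules):
    """(generic rules actually used, rules that one-per-resource would need)."""
    used = {applicable_rules(rules, res)[0].pattern
            for res in resources if applicable_rules(rules, res)}
    return len(used), len(resources)


# Constructed sample: the high-level qualifier names the owning application.
RESOURCES = ["PAYROLL.MASTER.DATA", "PAYROLL.HIST.DATA", "PAYROLL.LOAD.PGM",
             "HR.EMP.DATA", "HR.EMP.BACKUP"]
RULES = [
    Rule("PAYROLL.**", frozenset({"PAYADM"})),
    Rule("PAYROLL.*.DATA", frozenset({"PAYADM", "PAYCLERK"})),
    Rule("HR.**", frozenset({"HRADM"})),
]
```

Three generic rules cover the five sample resources; a clerk group granted only on `PAYROLL.*.DATA` is denied on the program library even though it shares the high-level qualifier.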
94 Evaluating Logical Access
When evaluating logical access controls, the IS Auditor should:
- Obtain a general understanding of the security risks facing information processing through a review of relevant documentation, inquiry, observation, risk assessment, and evaluation techniques.
- Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency, and effectiveness by reviewing appropriate hardware and software security features and identifying deficiencies or redundancies.

95 Evaluating Logical Access
- Test controls over access paths to determine that they are functioning and effective by applying appropriate audit techniques.
- Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence.
- Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures, and comparing them with appropriate security standards and procedures.

96 Evaluating Logical Access
Familiarizing with the IS Processing Environment: This is the first step of the audit and involves obtaining a clear understanding of the technical, managerial and security environment of the IS facility. This typically includes interviews, physical walkthroughs, review of documents and risk assessments.
97 Document the Access Paths
The access path is the logical route the end user takes to access computerized information. It starts with a terminal and typically ends with the data being accessed. The IS Auditor should evaluate each component for proper implementation and proper physical and logical access security. A typical sequence of the components follows:
Terminal: A terminal is used by an end user to sign on. It should be physically secured, and the logon-ID and password should be subject to conditions outlined in the security policy.

98 Document the Access Paths
Telecommunications Software: It intercepts the logon to direct it down the appropriate telecommunications link. The telecom software can restrict terminals to specific data or application software. A key audit issue with telecom software is to ensure that all applications have been defined to the software and that the various optional telecom control and processing features used are appropriate and approved by management. This analysis typically requires the help of a system software analyst.

99 Document the Access Paths
Transaction Processing Software: This software routes transactions to the appropriate application software. Key audit issues include ensuring proper identification/authentication of the user, and authorization of the user to gain access to the application. This analysis is performed by reviewing internal tables that reside in the transaction processing software or in the system security software. Access to these tables should be restricted to the security administrator.

100 Document the Access Paths
Application Software: The application software processes transactions in accordance with program logic. Audit issues include restricting access to the production software library to only the implementation coordinator.

101 Document the Access Paths
Database Management Software: The DBMS software directs access to the computerized information. Audit issues include ensuring that all data elements are identified in the data dictionary, that access to the data dictionary is restricted to the DBA, and that all data elements are subject to logical access control.

102 Document the Access Paths
Access Control Software: The access control software can wrap logical access security around all the above components. This is done via internal security tables. Audit issues include ensuring all the above components are defined to the access control software, providing access control rules that define who can access what on a need-to-know basis, and restricting access to the security tables to the security administrator.
103 Conduct Reviews: Reports from Access Control Software
- The reporting features of Access Control Software provide the security administrator with the opportunity to monitor adherence to security policies.
- By reviewing a sampling of reports, the IS Auditor can determine if enough information is provided to support an investigation and if the security administrator is performing an effective review of the reports.
- Unsuccessful access attempts should be reported and should identify the time, terminal, logon and file or data element for which access was attempted.
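An added example, not part of the original slides, of the first pass an auditor might make over a sample of violation reports: does each unsuccessful attempt carry the time, terminal, logon and resource, and which logons show repeated failures the administrator should have followed up. The key=value record layout and the sample records are constructed for illustration; real access control software has its own report formats.

```python
# Added example (not from the slides): first-pass review of a violation report
# from access control software. The key=value layout is constructed for illustration.
import re
from collections import Counter

# Constructed sample report, one record per line. '-' means "not applicable"
# (a failed logon names no resource); an empty value means the field is missing.
SAMPLE_REPORT = """\
2024-03-04T08:12:05 event=LOGON_FAIL logon=JSMITH term=T042 resource=-
2024-03-04T08:12:31 event=LOGON_FAIL logon=JSMITH term=T042 resource=-
2024-03-04T08:13:02 event=LOGON_FAIL logon=JSMITH term=T042 resource=-
2024-03-04T08:20:44 event=ACCESS_DENIED logon=MJONES term=T017 resource=PAYROLL.MASTER.DATA
2024-03-04T08:21:10 event=ACCESS_DENIED logon=MJONES term= resource=PAYROLL.MASTER.DATA
2024-03-04T09:05:00 event=ACCESS_OK logon=HRADM term=T003 resource=HR.EMP.DATA
2024-03-04T09:07:19 event=ACCESS_DENIED logon=OPER1 term=CONSOLE resource=
"""
LINE_RE = re.compile(r"^(?P<time>\S+) event=(?P<event>\S+) logon=(?P<logon>\S*) "
                     r"term=(?P<term>\S*) resource=(?P<resource>\S*)$")
FAILURE_EVENTS = {"LOGON_FAIL", "ACCESS_DENIED"}
REQUIRED_FIELDS = ("time", "term", "logon", "resource")  # the slide's minimum

def parse_report(text):
    records, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            unparsed.append(line)   # never silently drop lines that do not fit
    return records, unparsed

def failed_attempts(records):
    return [r for r in records if r["event"] in FAILURE_EVENTS]

def incomplete(records):
    """Failed attempts that could not support an investigation: a field is blank."""
    return [r for r in records if any(r[f] == "" for f in REQUIRED_FIELDS)]

def repeated_failures(records, threshold=3):
    """Logons with at least `threshold` failures in the sample: follow-up candidates."""
    counts = Counter(r["logon"] for r in records)
    return {logon: n for logon, n in counts.items() if n >= threshold}

def review(text, threshold=3):
    """Summary to compare against what the security administrator actually acted on."""
    records, unparsed = parse_report(text)
    fails = failed_attempts(records)
    return {"failed": len(fails), "unparsed": len(unparsed),
            "incomplete": [r["time"] for r in incomplete(fails)],
            "repeated": repeated_failures(fails, threshold)}
```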
104 Conduct Reviews: Application System Operations Manual
- The application systems manual should contain documentation on the programs that are generally used throughout a data processing installation to support the development, implementation, operations, and use of application systems.
- This manual should include information about which platforms the application can run on, and the database management systems, compilers, interpreters, telecom monitors and other applications that can run with the application.

105 Conduct Reviews: Written Policies, Procedures, and Standards
- Policies and procedures provide the framework and guidelines for maintaining proper operation and control.
- The IS Auditor should review the policies and procedures to determine if they set the tone for proper security and provide a means for assigning responsibility for maintaining a secured computer processing environment.

106 Conduct Reviews: Formal Security Training
- Effective security will always be dependent on people. Security can only be effective if people know what is expected of them and what their responsibilities are.
- They should know why various security measures, such as locked doors and the use of logon-IDs, are in place, and the repercussions of violating security.
- Employees should be encouraged to identify and report possible security violations.
- Training should start with new employee orientation or induction and should be an ongoing process.
107 Data Ownership
- Data ownership refers to the classification of the data elements and the allocation of responsibility for ensuring that they are kept confidential, complete, and accurate.
- A key point of ownership is that by assigning responsibility for protecting computer data to particular employees, accountability is established.
- By interviewing a sampling of data owners, the IS Auditor can determine if they are aware of their data ownership duties.
- The IS Auditor should review the classification of data and evaluate its appropriateness.

108 Data Ownership
Data Owners: These are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring access rules are updated when personnel changes occur, and regularly inventorying access rules for the data for which they are responsible.
Data Custodians: These people are responsible for storing and safeguarding the data and include IS personnel such as systems analysts and computer operators.

109 Data Ownership
Data Users: Often referred to as end users, these are the actual users of the computerized data. Their levels of access should be authorized by data owners and restricted and monitored by the security administrator.
Security Administrator: Security administrators are responsible for providing adequate physical and logical security for IS programs, data, and equipment. Normally the security policy will provide basic guidelines under which the security administrator will operate.

110 Data Ownership
Documented Authorizations: Data access should be identified and authorized in writing. The IS Auditor can review a sample of these authorizations to determine if the proper level of written authority was provided.
Access Standards: Access standards should be reviewed by the IS Auditor to ensure that they meet organizational objectives for separating duties, that they prevent fraud or error, and that they meet policy requirements for minimizing the risk of unauthorized access.
111 Bypass Security Features
Typically include:
- Bypass label processing
- Special system maintenance logon-IDs
- Operating system exits
- Installation utilities
- I/O appendages

112 Bypass Security Features
Since bypass security features can be exploited by technically sophisticated intruders, the IS Auditor should be interested in compensating features, including the following:
- All uses of these features should be logged, reported and investigated by the security administrator or system software manager.
- Unnecessary bypass security features should be deactivated.
- If possible, the bypass security features should be subject to additional logical access controls.
113 Penetration Testing
Penetration tests, used by the IS Auditor, simulate techniques used by a hacker. Typical components of a penetration test include:
- Attempting to guess passwords by using password cracking tools which generate passwords from dictionaries, common phrases, or combinations of letters and numbers.
- Searching for programmer back doors into operations.
- Attempting to overload communications software.
- Exploiting known vulnerabilities in software.
114 Password Administration
Access controls and password administration are reviewed to determine that:
- Procedures exist for adding individuals to the list of those authorized to have access to computer resources, changing their access capabilities and deleting them from the list.
- Passwords are of adequate length, cannot be easily guessed and do not contain repeating characters.
- Passwords are changed periodically.
- Procedures provide for the suspension of user accounts, or the disabling of terminals, in case of security violations.
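As an added example, not part of the original slides, the kind of checks an auditor's script could run against the password administration points above: a policy test for candidate passwords, a search for passwords past their change interval, and accounts that have reached the violation threshold without being suspended. The length and age thresholds, the common-word list and the account listing are constructed for illustration, and "repeating characters" is read here as the same character twice in a row.

```python
# Added example (not from the slides): checks an auditor's script could run
# for the password administration points above. Thresholds, the common-word
# list and the account listing are constructed; "repeating characters" is
# read as the same character twice in a row.
from datetime import date

MIN_LENGTH = 8        # constructed policy value
MAX_AGE_DAYS = 90     # constructed policy value
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}  # stand-in list


def password_problems(pw):
    """Policy rules a candidate password violates (empty list means compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("repeating characters")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("dictionary word")
    return problems


def stale_accounts(accounts, as_of):
    """Active accounts whose password is older than MAX_AGE_DAYS on `as_of`."""
    return sorted(name for name, rec in accounts.items()
                  if not rec["suspended"]
                  and (as_of - rec["pw_changed"]).days > MAX_AGE_DAYS)


def should_suspend(accounts, violations, threshold=3):
    """Accounts at or above the violation threshold that are still active."""
    return sorted(name for name, n in violations.items()
                  if n >= threshold and name in accounts
                  and not accounts[name]["suspended"])


# Constructed sample account listing (last password change, suspension flag)
# and violation counts as they would be taken from the access control reports.
ACCOUNTS = {
    "JSMITH": {"pw_changed": date(2024, 1, 2), "suspended": False},
    "MJONES": {"pw_changed": date(2024, 2, 20), "suspended": False},
    "OLDUSER": {"pw_changed": date(2023, 6, 1), "suspended": True},
}
VIOLATIONS = {"JSMITH": 3, "MJONES": 1}
```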