Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Published byEdwin Gardner Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice."— Presentation transcript:

1 Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

2 Learning Objectives Discuss how the COBIT framework can be used to develop sound internal control over an organization’s information systems. Explain the factors that influence information systems reliability. Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security. Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

3 AIS Controls COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

4 Information for Management Should Be:
Effectiveness Information must be relevant and timely. Efficiency Information must be produced in a cost-effective manner. Confidentiality Sensitive information must be protected from unauthorized disclosure. Integrity Information must be accurate, complete, and valid. Availability Information must be available whenever needed. Compliance Controls must ensure compliance with internal policies and with external legal and regulatory requirements. Reliability Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities. Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

5 COBIT Framework Information Criteria
Plan & Organize Acquire & Implement Deliver & Support Monitor & Evaluate Information Criteria Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

6 COBIT Cycle Management develops plans to organize information resources to provide the information it needs. Management authorizes and oversees efforts to acquire (or build internally) the desired functionality. Management ensures that the resulting system actually delivers the desired information. Management monitors and evaluates system performance against the established criteria. Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology. Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

7 COBIT Controls 210 controls for ensuring information integrity
Subset is relevant for external auditors IT control objectives for Sarbanes-Oxley, 2nd Edition AICPA and CICA information systems controls Controls for system and financial statement reliability Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

8 Trust Services Framework
Security Access to the system and its data is controlled and restricted to legitimate users. Confidentiality Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure. Privacy Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. Processing Integrity Data are processed accurately, completely, in a timely manner, and only with proper authorization. Availability The system and its information are available to meet operational and contractual obligations. Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

9 Trust Services Framework
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

10 Security / Systems Reliability
Foundation of the Trust Services Framework Management issue, not a technology issue SOX 302 states: CEO and the CFO responsible to certify that the financial statements fairly present the results of the company’s activities. The accuracy of an organization’s financial statements depends upon the reliability of its information systems. Defense-in-depth and the time-based model of information security Have multiple layers of control Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

11 Management’s Role in IS Security
Create security aware culture Inventory and value company information resources Assess risk, select risk response Develop and communicate security: Plans, policies, and procedures Acquire and deploy IT security resources Monitor and evaluate effectiveness Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

12 Time-Based Model Combination of detective and corrective controls
P = the time it takes an attacker to break through the organization’s preventive controls D = the time it takes to detect that an attack is in progress C = the time it takes to respond to the attack For an effective information security system: P > D + C Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

13 Steps in an IS System Attack
Conduct Reconnaissance Attempt Social Engineering Scan & Map Target Research Execute Attack Cover Tracks Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

14 Mitigate Risk of Attack
Preventive Control Detective Control Corrective Control Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

15 Preventive Control Training
User access controls (authentication and authorization) Physical access controls (locks, guards, etc.) Network access controls (firewalls, intrusion prevention systems, etc.) Device and software hardening controls (configuration options) Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

16 Authentication vs. Authorization
Authentication—verifies who a person is Something person knows Something person has Some biometric characteristic Combination of all three Authorization—determines what a person can access Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

17 Network Access Control (Perimeter Defense)
Border router Connects an organization’s information system to the Internet Firewall Software or hardware used to filter information Demilitarized Zone (DMZ) Separate network that permits controlled access from the Internet to selected resources Intrusion Prevention Systems (IPS) Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

18 Internet Information Protocols
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

19 Device and Software Hardening (Internal Defense)
End-Point Configuration Disable unnecessary features that may be vulnerable to attack on: Servers, printers, workstations User Account Management Software Design Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions. Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

20 Detective Controls Log Analysis Intrusion Detection Managerial Reports
Process of examining logs to identify evidence of possible attacks Intrusion Detection Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions Managerial Reports Security Testing Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

21 Corrective Controls Computer Incident Response Team
Chief Information Security Officer (CISO) Independent responsibility for information security assigned to someone at an appropriate senior level Patch Management Fix known vulnerabilities by installing the latest updates Security programs Operating systems Applications programs Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

22 Computer Incident Response Team
Recognize that a problem exists Containment of the problem Recovery Follow-up Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

23 New Considerations Virtualization Cloud Computing Risks
Multiple systems are run on one computer Cloud Computing Remotely accessed resources Software applications Data storage Hardware Risks Increased exposure if breach occurs Reduced authentication standards Opportunities Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

Download ppt "Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice."

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
The Islamic University of Gaza

The Islamic University of Gaza
HAPTER 7 Information Systems Controls for Systems Reliability

HAPTER 7 Information Systems Controls for Systems Reliability
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security Controls – What Works

Security Controls – What Works
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit

Similar presentations

Ads by Google