
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 222 CHAPTER 7 Information Systems Controls for Systems Reliability Part 1: Information Security

INTRODUCTION
Questions to be addressed in this chapter:
– How does security affect systems reliability?
– What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security?
– What is the time-based model of security and the concept of defense-in-depth?
– What types of preventive, detective, and corrective controls are used to provide information security?
– How does encryption contribute to security and how do the two basic types of encryption systems work?

INTRODUCTION
The five basic principles that contribute to systems reliability:
– Security
– Confidentiality
– Online privacy
– Processing integrity
– Availability
(Figure: the five principles supporting systems reliability.)

COBIT and Trust Services
Control Objectives for Information Technology (COBIT): information systems controls required for achieving business and governance objectives.
(Figure label: Adequate Controls.)

COBIT and Trust Services
COBIT IT resources:
– Applications
– Information
– Infrastructures
– People

COBIT and Trust Services
COBIT information criteria:
– Effectiveness
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance
– Reliability

COBIT and Trust Services
COBIT domains:
– Basic management activities for IT
– Help organize 34 generic IT controls

COBIT and Trust Services
(Four figure-only slides; the figures are not reproduced in the transcript.)

FUNDAMENTAL INFORMATION SECURITY CONCEPTS
There are three fundamental information security concepts that will be discussed in this chapter:
– Security as a management issue, not a technology issue.
– The time-based model of security.
– Defense in depth.

SECURITY AS A MANAGEMENT ISSUE
Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS.
– SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements.
– SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness.
– Security is a key component of the internal control and systems reliability to which management must attest.
– As identified in the COSO model, management’s philosophy and operating style are critical to an effective control environment.

SECURITY AS A MANAGEMENT ISSUE
The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all authorized users.
– Design and employ appropriate control procedures to implement those policies.
– Monitor the system, and take corrective action to maintain compliance with the policies.
Top management involvement and support is necessary to satisfy each of the preceding criteria.

TIME-BASED MODEL OF SECURITY
The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:
– P = Time it takes an attacker to break through the organization’s preventive controls.
– D = Time it takes to detect that an attack is in progress.
– C = Time to respond to the attack.
These three variables are evaluated as follows:
– If P > (D + C), then security procedures are effective.
– Otherwise, security is ineffective.

DEFENSE IN DEPTH
Major types of preventive controls used for defense in depth include:
– Authentication controls (passwords, tokens, biometrics, MAC addresses)
– Authorization controls (access control matrices and compatibility tests)
– Training
– Physical access controls (locks, guards, biometric devices)
– Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
– Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
– Encryption

DEFENSE IN DEPTH
Detective controls include:
– Log analysis
– Intrusion detection systems
– Managerial reports
– Security testing (vulnerability scanners, penetration tests, war dialing)

DEFENSE IN DEPTH
Corrective controls include:
– Computer emergency response teams
– Chief Security Officer (CSO)
– Patch management

PREVENTIVE CONTROLS
(Figure not reproduced in the transcript.) Who has the authority to delete Program 2?
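The authorization control named on the defense-in-depth slide, an access control matrix checked by a compatibility test, as an added example that is not from the Romney/Steinbart slides. The users, resources, rights and the 0 to 3 rights coding are constructed assumptions, not the matrix in the textbook figure.

```python
# Added example (not from the slides): an access control matrix and the
# compatibility test that an authorization control performs on each request.
# All users, resources and rights below are constructed sample data.

# Rights coding assumed for this example:
# 0 = no access, 1 = read only, 2 = read and update, 3 = read, update, create and delete.
NO_ACCESS, READ, UPDATE, FULL = 0, 1, 2, 3

# Minimum right each operation needs (assumed mapping).
REQUIRED_RIGHT = {"read": READ, "update": UPDATE, "create": FULL, "delete": FULL}

# Constructed matrix: row = authenticated user, column = resource, cell = right.
ACCESS_CONTROL_MATRIX = {
    "alice": {"Program 1": FULL,      "Program 2": READ,   "Payroll file": NO_ACCESS},
    "bob":   {"Program 1": READ,      "Program 2": FULL,   "Payroll file": UPDATE},
    "carol": {"Program 1": NO_ACCESS, "Program 2": UPDATE, "Payroll file": READ},
}


def compatibility_test(matrix, user, resource, operation):
    """True only if the user's right for the resource covers the operation.
    A user or resource missing from the matrix is treated as NO_ACCESS, so the
    check fails closed instead of granting by default."""
    if operation not in REQUIRED_RIGHT:
        raise ValueError(f"unknown operation: {operation}")
    granted = matrix.get(user, {}).get(resource, NO_ACCESS)
    return granted >= REQUIRED_RIGHT[operation]


def who_can(matrix, resource, operation):
    """List the users whose rights permit the operation on the resource."""
    return sorted(u for u in matrix if compatibility_test(matrix, u, resource, operation))


if __name__ == "__main__":
    # alice only holds read rights on Program 2, so a delete request fails the test.
    print(compatibility_test(ACCESS_CONTROL_MATRIX, "alice", "Program 2", "delete"))  # False
    # Answering the slide's question for this constructed matrix.
    print(who_can(ACCESS_CONTROL_MATRIX, "Program 2", "delete"))  # ['bob']
```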

PREVENTIVE CONTROLS
These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.

PREVENTIVE CONTROLS
Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems
– This figure shows the relationship between an organization’s information system and the Internet.
– A device called a border router connects an organization’s information system to the Internet.
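The IP packet filtering that the slides attribute to border routers and firewalls using access control lists, as an added example that is not from the Romney/Steinbart slides. The rules, the 10.0.0.0/8 internal network, the server addresses and the inbound packets are all constructed assumptions.

```python
# Added example (not from the slides): how a border router applies an access
# control list (ACL) to inbound IP packets. Rules are evaluated top to bottom
# and the first match wins; the last rule is the explicit default deny that a
# perimeter ACL should end with. All addresses and packets are constructed.
from ipaddress import ip_address, ip_network

ACL = [
    # (action, protocol, source network, destination network, destination port)
    ("deny",   "any", "10.0.0.0/8", "0.0.0.0/0",    None),  # inbound packet claiming an internal source: spoofed
    ("permit", "tcp", "0.0.0.0/0",  "10.0.1.25/32", 443),   # public web server, HTTPS only
    ("permit", "tcp", "0.0.0.0/0",  "10.0.1.10/32", 25),    # mail gateway, SMTP only
    ("deny",   "any", "0.0.0.0/0",  "0.0.0.0/0",    None),  # default deny
]


def match(rule, packet):
    action, proto, src, dst, port = rule
    if proto != "any" and proto != packet["proto"]:
        return False
    if ip_address(packet["src"]) not in ip_network(src):
        return False
    if ip_address(packet["dst"]) not in ip_network(dst):
        return False
    return port is None or port == packet["dport"]


def filter_packet(acl, packet):
    """Return (action, index of the matching rule); deny if no rule matches."""
    for i, rule in enumerate(acl):
        if match(rule, packet):
            return rule[0], i
    return "deny", None


def filter_inbound(acl, packets):
    """Verdict for each packet of a batch arriving on the external interface."""
    return [filter_packet(acl, p)[0] for p in packets]


# Constructed inbound packets as seen by the border router.
INBOUND = [
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "10.0.1.25", "dport": 443},  # legitimate HTTPS
    {"proto": "tcp", "src": "203.0.113.7",  "dst": "10.0.1.25", "dport": 22},   # SSH to the web server: not listed
    {"proto": "tcp", "src": "10.0.0.99",    "dst": "10.0.1.25", "dport": 443},  # spoofed internal source
    {"proto": "udp", "src": "198.51.100.4", "dst": "10.0.1.10", "dport": 25},   # wrong protocol for the mail rule
    {"proto": "tcp", "src": "198.51.100.4", "dst": "10.0.1.10", "dport": 25},   # legitimate SMTP
]

if __name__ == "__main__":
    for packet, verdict in zip(INBOUND, filter_inbound(ACL, INBOUND)):
        print(verdict, packet)  # permit, deny, deny, deny, permit
```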

PREVENTIVE CONTROLS
Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process. To encrypt or decrypt, both a key and an algorithm are needed.
(Figure: Plaintext “This is a contract for...” + Key → Encryption algorithm → Ciphertext “Xb&j &m 2 ep0%fg...” + Key → Decryption algorithm → Plaintext “This is a contract for...”.)
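The plaintext, key, algorithm and ciphertext relationship from the encryption slide, as an added example that is not from the Romney/Steinbart slides. The keystream construction (SHA-256 over key, nonce and block counter) is an assumed teaching illustration of a symmetric cipher, not a vetted algorithm; production systems use a standard cipher such as AES.

```python
# Added example (not from the slides): a small symmetric cipher showing that the
# algorithm is public and the key is the secret. With the right key, decryption
# returns the plaintext; with a wrong key, the output is still gibberish.
# The SHA-256-based keystream is an illustration only, not a production cipher.
import hashlib
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from the key and a per-message nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh nonce makes every keystream unique."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, message: bytes) -> bytes:
    """Reverse encrypt(): the same key and nonce regenerate the same keystream."""
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def round_trip(key: bytes, plaintext: bytes) -> bool:
    """True when decrypting the encryption of plaintext with the same key restores it."""
    return decrypt(key, encrypt(key, plaintext)) == plaintext


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # the secret
    plaintext = b"This is a contract for..."      # the plaintext from the figure
    message = encrypt(key, plaintext)
    print(message[NONCE_LEN:].hex())              # ciphertext: unreadable
    print(decrypt(key, message))                  # correct key: plaintext returns
    print(decrypt(secrets.token_bytes(32), message))  # wrong key: still gibberish
```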