Presentation on theme: "BUSINESS APPLICATION SYSTEM Before an IS auditor can successfully audit a system, (s)he must gain an understanding of the business application Before an."— Presentation transcript:

1 BUSINESS APPLICATION SYSTEM
Before an IS auditor can successfully audit a system, (s)he must gain an understanding of the business application.

2 ELECTRONIC COMMERCE
- e-commerce is the buying and selling of goods on-line, usually via the internet.
- Usually, a website will advertise goods and services, and the buyer will fill in a form on the web site to select the items to be purchased and provide delivery and payment details.
- The cost of a street store is avoided, and the savings are often a benefit to the customer.

3 E-commerce models
E-commerce models include:
- Business-to-consumer (B-to-C) relationships;
- Business-to-business (B-to-B) relationships;
- Business-to-employee (B-to-E) relationships;
- Business-to-government (B-to-G) relationships;
- Consumer-to-government (C-to-G) relationships;
- Exchange-to-exchange (X-to-X) relationships.

4 E-COMMERCE ARCHITECTURE
E-commerce architecture could be:
- two tiered (client browser and web server)
- three tiered (client browser, web server and database server)
Recent developments, however, have necessitated the integration of e-commerce architecture with legacy applications. Even more recently, mobile phones and wireless devices now play convenient roles in e-commerce transactions.

5 E-COMMERCE ARCHITECTURE contd…
- The challenge of integrating diverse technologies within and beyond the business has increasingly led to a paradigm shift to component-based systems that utilize a middleware infrastructure.
- E-components that one could expect to see in a B-to-C system would include marketing, sales and customer service components (e.g. personalization, membership, product catalog, customer ordering, invoicing, shipping, inventory replacement, online training and problem notification).

6 E-COMMERCE ARCHITECTURE contd…
In e-commerce architecture,
- A web server is used to manage web content and connections;
- An application server is used to provide business logic and other business-related services;
- A database server is used for data storage, maintaining data for web site pages and accumulating customer information. For security reasons, customer data should not be stored on a web server that is exposed directly to the internet.

7 E-COMMERCE RISKS
- Confidentiality
- Integrity
- Availability
- Authentication and nonrepudiation
- Power shift to customers
Any other risk beyond confidentiality?

8 E-commerce requirements
- Build a business case (IT as enabler)
- Develop a clear business purpose
- Use technology to first improve cost
- Build the business case around the four Cs: customers, costs, competitors and capabilities
- Top-level commitment
- Business process reconfiguration
- Links to legacy systems

9 E-commerce audit & control issues
Due to the risks mentioned earlier, a set of security mechanisms and procedures, which taken together constitute an e-commerce security architecture, could be used. They include:
- Internet firewalls;
- PKI;
- Encryption;
- Digital signature;
- Password management.

10 INTERNET FIREWALLS
- This is a mechanism put in place to mediate between the public network (internet) and the organization's private network.
- Although a number of variations or types of firewalls exist, there are 3 basic designs:
  - Packet filters
  - Proxy
  - Stateful inspection

11 Packet filter firewall
- Uses access control lists to make access decisions. ACLs enable rule sets to be built that will allow or block traffic based on header information.
- Access is based on source & destination IP addresses, port numbers & protocols.
- First generation firewall.
- Cannot prevent spoofing.

12 Proxy firewall
- Middleman between communicating computers.
- Masks the source computer because it copies the packet & inserts its own address.
- Second generation firewall.

13 Stateful Inspection
- Stateful inspection firewalls are closely related to packet filters, except that they have the capability to track the status of a connection. For example, if an ACK packet arrives at the firewall that claims to be from an established connection, the firewall checks whether it has a record of the three-way handshake ever taking place.
- Third generation firewall.
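The contrast between slides 11 and 13 is easiest to see in code. The following is an added example, not part of the original deck: a first-generation packet filter that decides on header fields alone, beside a stateful firewall that keeps a connection table and only passes an ACK for which it has recorded the three-way handshake. The ACL, the addresses (203.0.113.10 for the web server, 198.51.100.7 for the client) and the packet sequence are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can see (constructed model, not a real parser)."""
    src: str                        # source IP address
    dst: str                        # destination IP address
    proto: str                      # "tcp" or "udp"
    sport: int                      # source port
    dport: int                      # destination port
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


# Constructed access control list for a hypothetical web server 203.0.113.10.
# First matching rule wins; the last rule is the default deny.
ACL = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "dport": 443},
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "dport": 80},
    {"action": "deny",  "proto": None,  "src": "0.0.0.0/0", "dst": "0.0.0.0/0",       "dport": None},
]


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """A rule matches on protocol, source/destination network and destination port only."""
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True


def packet_filter(acl: list, pkt: Packet) -> str:
    """First-generation decision: header fields only, no memory of earlier packets."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Third-generation decision: the same ACL plus a table of TCP connection states."""

    def __init__(self, acl: list):
        self.acl = acl
        self.table = {}  # (client ip, client port, server ip, server port) -> state

    def inspect(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return packet_filter(self.acl, pkt)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)  # client -> server direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # server -> client direction
        if pkt.flags == {"SYN"}:
            # A new connection is admitted only if the ACL allows it.
            if packet_filter(self.acl, pkt) == "allow":
                self.table[fwd] = "SYN_SENT"
                return "allow"
            return "deny"
        if pkt.flags == {"SYN", "ACK"}:
            # The server's reply is allowed only if we saw the matching SYN.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
                return "allow"
            return "deny"
        if "ACK" in pkt.flags:
            if self.table.get(fwd) == "SYN_RECEIVED":
                self.table[fwd] = "ESTABLISHED"  # handshake complete
                return "allow"
            if self.table.get(fwd) == "ESTABLISHED" or self.table.get(rev) == "ESTABLISHED":
                return "allow"
            # An ACK that claims to belong to an established connection, but no
            # three-way handshake was ever recorded: a stateless filter would pass it.
            return "deny"
        return "deny"


def demo() -> list:
    """Run a constructed packet sequence through both designs; returns (label, filter, stateful)."""
    client, server = "198.51.100.7", "203.0.113.10"
    fw = StatefulFirewall(ACL)
    sequence = [
        ("SYN to web port",          Packet(client, server, "tcp", 40000, 80, frozenset({"SYN"}))),
        ("SYN-ACK from server",      Packet(server, client, "tcp", 80, 40000, frozenset({"SYN", "ACK"}))),
        ("ACK completes handshake",  Packet(client, server, "tcp", 40000, 80, frozenset({"ACK"}))),
        ("SYN to telnet port",       Packet(client, server, "tcp", 40001, 23, frozenset({"SYN"}))),
        ("bare ACK, no handshake",   Packet(client, server, "tcp", 40002, 80, frozenset({"ACK"}))),
    ]
    return [(label, packet_filter(ACL, p), fw.inspect(p)) for label, p in sequence]


if __name__ == "__main__":
    for label, stateless, stateful in demo():
        print(f"{label:26} packet filter: {stateless:5}  stateful: {stateful}")
```

Two rows of the demo carry the lesson: the server's SYN-ACK is denied by the stateless ACL (no rule covers traffic back to the client) but allowed by the stateful firewall because it matches a recorded SYN, while the bare ACK to port 80 is allowed by the ACL yet dropped by the stateful firewall because no handshake was ever seen. Neither design inspects anything beyond the header, which is why the slide notes that a packet filter cannot prevent a forged source address from matching a rule.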

14 ENCRYPTION
This is a process whereby participants in an e-commerce transaction can be identified uniquely and positively, i.e. a process of using some combination of public and private key encryption and certifying key pairs.

15

16 Hashing
- Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication.
- They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption.
- Indeed, in information security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for functions with rather different properties and purposes.

17 DIGITAL SIGNATURE
- Digital signature is used to achieve authenticity, integrity and non-repudiation.
- Briefly describe how a digital signature works.

18 PKI
An enterprise network security architecture of a Public Key Infrastructure (PKI) would be comprised of:
- Public key cryptography
- Digital certificates
- Certificate authority

19 PKI INFRASTRUCTURE
An infrastructure to manage and control public key pairs and their certificates includes:
- Digital certificate – a digital credential composed of a public key and identifying information about the owner of the public key. The purpose of a digital certificate is to associate a public key with the individual identity.
- Certificate authority – attests to the authenticity of the owner to whom a public/private key pair has been issued.

20 PKI INFRASTRUCTURE
- Certificate revocation list – this is an instrument for checking the continued validity of certificates. If a certificate is compromised, no longer authorized, or there is a fault in binding the certificate to the holder, it must be revoked. The CRL is usually a highly controlled online database through which subscribers may determine the status of a partner’s certificate.
- Registration authority – an optional entity separate from a CA that would be used by a CA with a very large customer base. CAs use RAs to delegate some of the administrative functions associated with recording or verifying some or all of the information needed by a CA to issue certificates.

21 PKI
- The goal of PKI is to answer the question “How do I know this key is truly your public key?”
- PKI provides access control, authentication, confidentiality, nonrepudiation, and integrity for the exchange of messages through use of Certificate Authorities (CA) and digital certificates.
- PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions.

22 PKI INFRASTRUCTURE
- The CA maintains, issues, and revokes public key certificates, which ensure an individual’s identity.
- If a user (Bimpe) receives a message from Willoughby that contains Willoughby’s public key, he can request authentication of Willoughby’s key from the CA. When the CA has responded that this is Willoughby’s public key, Bimpe can communicate with Willoughby, knowing that he is who he says he is.
- The other advantage of the CA is the maintenance of a certificate revocation list (CRL), which lists all certificates that have been revoked. Certificates can be revoked if the private key has been compromised or the certificate has expired.

23 PKI INFRASTRUCTURE
As an example, imagine that Willoughby found that his private key had been compromised and had a list of 150 people to whom he had distributed his public key. He would need to contact all 150 and tell them to discard the existing public key they had for him. He would then need to distribute a new public key to all those he communicates with. In using PKI, Willoughby could contact the CA, provide a new public key (establish a new certificate) and place the old public key on the CRL. This is a more efficient way to deal with key distribution because a central authority is providing key maintenance services.

24 PKI INFRASTRUCTURE
Certificate practice statement – this is a detailed set of rules governing a CA's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA.

25 TEASER
Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

26 TEASER
Sending a message and a message hash encrypted by the sender's private key will ensure:
A. authenticity and integrity.
B. authenticity and privacy.
C. integrity and privacy.
D. privacy and nonrepudiation.

27 TEASER (***)
Which of the following best provides message integrity, sender identity, authentication and non-repudiation?
A. Symmetric cryptography
B. Public Key Infrastructure (PKI)
C. Message hashing
D. Message authentication code

28 TEASER
Which of the following is/are considered the most reliable authentication control for senders of information?
a. Digital signature
b. Digital certificate
c. Electronic signature
d. PKI

29 TEASER
With digital signatures, a hash of the data is encrypted with the sender’s ________ key to ensure data _________.
a. private; integrity
b. hashing; integrity
c. public; integrity
d. private; confidentiality

30 TEASER
Ladies & Gentlemen, what is the key difference between hashing and encryption?

31 TEASER
Which of the following statements is TRUE relating to the use of public key encryption to secure data while it is being transmitted across a network?
A. Under public key encryption both the key used to encrypt and the key used to decrypt the data are made public.
B. Under public key encryption the key used to encrypt is kept private but the key used to decrypt the data is made public.
C. Under public key encryption the key used to encrypt is made public but the key used to decrypt the data is kept private.
D. Under public key encryption both the key used to encrypt and the key used to decrypt the data are kept private.

32 Which of the following best provides e-mail message authenticity and confidentiality?
A. Signing the message using the sender's public key and encrypting the message using the receiver's private key
B. Signing the message using the sender's private key and encrypting the message using the receiver's public key
C. Signing the message using the receiver's private key and encrypting the message using the sender's public key
D. Signing the message using the receiver's public key and encrypting the message using the sender's private key
By encrypting the message with the receiver's public key, only the receiver can decrypt the message using his/her own private key, thus ensuring confidentiality. By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. The receiver's private key is confidential, and therefore unknown to the sender. Messages encrypted using the sender's private key can be read by anyone (with the sender's public key).

33 EDI
- This is the direct computer-to-computer exchange, between two organizations, of standard business transaction documents such as invoices or purchase orders.
- EDI saves money and time because transactions can be transmitted from one system to another through a telecommunications network, eliminating the printing and handling of paper at one end and the inputting of data at the other.
- EDI differs from electronic mail in that it transmits an actual structured transaction (with different fields such as transaction date and transaction amount) as opposed to an unstructured electronic mail text message such as a letter.

34 EDI contd…
EDI works by translating data from a business application into a standard format, transmitting the data over communication lines to a trading partner, and then re-translating using the trading partner’s application.

35 EDI

36 EDI BENEFITS
- Less paperwork;
- Fewer errors during exchange of information;
- Improved information flow, database-to-database and company-to-company;
- No unnecessary re-keying of data;
- Fewer delays in communication;
- Improved invoicing and payment processes.

37

38 EDI APPROACHES
There are basically two approaches to EDI. They are:
- Traditional (proprietary) EDI
- Public (internet) EDI
The difference between the two approaches relates to cost (use of public EDI provides significant cost reduction).
From a security standpoint, which of the two approaches carries higher risk?

39 COMPONENTS OF TRADITIONAL EDI
Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner’s computer system.

40 COMPONENTS OF TRADITIONAL EDI
- Communication handler – this handles the transmission and receipt of electronic documents between trading partners via dial-up lines, public switched network, multiple dedicated lines or a value added network (VAN).
- EDI interface – this manipulates and routes data between the application system and the communication handler. It consists of two components: EDI translator & application interface.
- Application system – these are the programs that process the data sent to or received from the trading partner.

41

42 COMPONENTS OF EDI INTERFACE
- EDI translator – this device translates the data between the standard format (ANSI X12) and a trading partner’s proprietary format.
- Application interface – this interface moves electronic transactions to or from the application system and performs data mapping. Data mapping is the process by which data are extracted from the EDI translation process and integrated with the data or processes of the receiving company.

43 NOTE: EDI interface may generate and send functional acknowledgement, verify the identity of partners and check the validity of transactions by checking transmission information against a trading partner master file.

44 EDI RISK contd…
- The most fundamental EDI risk is transaction authorization.
- Since the interaction between parties is electronic, there is no inherent authentication occurring. Computerized data can look the same no matter what the source and do not include any distinguishing human element or signature.

45 TEASER
In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.

46 EDI RISK contd…
Another risk is the loss of business continuity when EDI applications are corrupted, whether done innocently or deliberately. This would have a negative impact on both customer and vendor relations. In an extreme situation, it could ultimately affect the ability of a company to stay in business.

47 OTHER EDI RISKS
- Unauthorized access to electronic transactions;
- Deletion or manipulation of transactions prior to or after establishment of application controls;
- Loss or duplication of EDI transmissions;
- Loss of confidentiality and improper distribution of EDI transactions while in the possession of third parties.

48 EDI RISK contd…
- To eliminate the risk of responsibility uncertainty between trading partners, a properly documented trading partner agreement should be in place.
- The agreement should be a legal document.
- The trading partner agreement should define the transactions to be used, the responsibilities of both parties in handling and processing the transactions, as well as written business terms and conditions associated with the transactions.

49 CONTROLS IN EDI ENVIRONMENT
To protect EDI transmissions, the EDI process should include the following electronic measures:
- Standards should be set to indicate that the message format and content are valid, to avoid transmission errors;
- Controls should be in place to ensure standard transmissions are properly converted for the application software by the translating application.

50 EDI CONTROLS contd…
- The receiving organisation must have controls in place to test the reasonableness of messages received. This should be based upon the trading partner’s transaction history or documentation received that substantiates special situations.
- Controls should be established to guard against manipulation of data in active transactions, files and archives. Attempts to change records should be recorded by the system for management review and attention.

51 EDI CONTROLS contd…
- Procedures should be established to determine that messages are only from authorized parties and that transmissions are properly authorized.
- Dedicated transmission channels among the parties should exist to reduce the risk of tapping into the transmission lines.
- Data should be encrypted using algorithms agreed to by the parties involved.

52 EDI CONTROLS contd…
- Electronic signatures should be used in the transmission to identify the source and destination.
- Message authentication codes should exist to ensure that what is sent is received.

53 EDI CONTROLS contd…
The EDI process needs the ability to detect and deal with transactions that do not conform to the standard format or are from/to unauthorized parties. Options for handling detected errors include requesting retransmission or manually changing the data.

54 EDI CONTROLS contd…
- The critical nature of many EDI transactions, such as orders and payments, requires that there be positive assurances that the transmissions were complete.
- The transactions need to be successfully passed from the originating computer application to the destination organization.
- Methods for providing these assurances include internal batch total checking, run-to-run and transmission count balancing, and use of special acknowledgment transactions for functional acknowledgments.

55 Organisations desiring to exchange transactions using EDI need to establish a trusted business relationship- using a TPA Organisations desiring to exchange transactions using EDI need to establish a trusted business relationship- using a TPA TPA includes: TPA includes: Defining the transactions to be used Defining the transactions to be used Responsibilities of both parties in handling and processing transactions. Responsibilities of both parties in handling and processing transactions. written business terms. written business terms. Conditions associated with the transactions. Conditions associated with the transactions.

56 Receipt of inbound transactions Controls should ensure that all inbound EDI transactions are: Controls should ensure that all inbound EDI transactions are: 1. accurately and completely received. 1. accurately and completely received. 2. passed to an application. 2. passed to an application. 3. processed only once.- 3. processed only once.- See page............ See page............
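The controls on slides 52, 54 and 56 map onto a few concrete receiver-side checks. The Python below is an added example, not part of the presentation or of any EDI product; it assumes a shared HMAC key agreed between the partners under the TPA and a simplified JSON interchange layout in place of a real X12 or EDIFACT envelope (both assumptions, not from the slides). It uses a message authentication code for authenticity and integrity, count and batch-total balancing in a control trailer for completeness, a (sender, control number) register so that an interchange is passed to the application only once, and returns a functional acknowledgment to the sender.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed demo key; assumption: in practice it is agreed between the partners under the TPA.
SHARED_KEY = b"constructed-demo-key-agreed-in-the-TPA"


def sign_payload(payload: bytes) -> str:
    """Message authentication code over the whole interchange (slide 52)."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def build_interchange(sender, receiver, control_number, transactions, trailer=None):
    """Serialize an interchange with a control trailer holding count and batch total (slide 54).

    `trailer` may be supplied explicitly to simulate a sender whose totals do not balance."""
    if trailer is None:
        trailer = {"count": len(transactions),
                   "batch_total": str(sum(Decimal(t["amount"]) for t in transactions))}
    body = {"sender": sender, "receiver": receiver, "control": control_number,
            "transactions": transactions, "trailer": trailer}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload, sign_payload(payload)


class EdiReceiver:
    """Inbound side: verify, balance, hand to the application exactly once, acknowledge."""

    def __init__(self, authorized_partners):
        self.authorized = set(authorized_partners)
        self.processed = set()          # (sender, control number) already passed on
        self.application_ledger = []    # stand-in for the receiving application

    def receive(self, payload: bytes, mac: str) -> dict:
        # Authenticity and integrity: constant-time comparison of the MAC.
        if not hmac.compare_digest(sign_payload(payload), mac):
            return {"status": "rejected", "reason": "MAC mismatch; request retransmission"}
        body = json.loads(payload)
        # Only authorized trading partners may submit interchanges (slide 51).
        if body["sender"] not in self.authorized:
            return {"status": "rejected", "reason": "sender not an authorized partner"}
        # Completeness: transmission count and batch total must balance (slide 54).
        txs = body["transactions"]
        total = sum(Decimal(t["amount"]) for t in txs)
        if len(txs) != body["trailer"]["count"] or total != Decimal(body["trailer"]["batch_total"]):
            return {"status": "rejected",
                    "reason": "control totals do not balance; request retransmission"}
        # Processed only once (slide 56): a re-sent interchange is acknowledged, not reprocessed.
        key = (body["sender"], body["control"])
        if key in self.processed:
            return {"status": "duplicate", "control": body["control"]}
        self.processed.add(key)
        self.application_ledger.extend(txs)
        # Functional acknowledgment back to the sender (slide 54).
        return {"status": "accepted", "control": body["control"],
                "count": len(txs), "batch_total": str(total)}


def run_demo() -> dict:
    """Constructed sample interchanges exercising each control; returns the receiver's responses."""
    receiver = EdiReceiver(authorized_partners={"ACME"})
    txs = [{"id": "INV-1001", "amount": "100.00"}, {"id": "INV-1002", "amount": "250.50"}]
    payload, mac = build_interchange("ACME", "BANK", "000001", txs)
    results = {"first": receiver.receive(payload, mac),
               "replay": receiver.receive(payload, mac)}
    # An amount altered in transit: the MAC no longer verifies.
    tampered = payload.replace(b'"amount":"250.50"', b'"amount":"2500.50"')
    results["tampered"] = receiver.receive(tampered, mac)
    # An interchange from a party that is not in the TPA.
    payload2, mac2 = build_interchange("MALLORY", "BANK", "000001", txs)
    results["unauthorized"] = receiver.receive(payload2, mac2)
    # A sender-side balancing error: the trailer claims three transactions.
    payload3, mac3 = build_interchange("ACME", "BANK", "000002", txs,
                                       trailer={"count": 3, "batch_total": "350.50"})
    results["unbalanced"] = receiver.receive(payload3, mac3)
    results["ledger_size"] = len(receiver.application_ledger)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

A MAC or balancing failure is answered with a retransmission request, the first of the two options on slide 53; the duplicate case is acknowledged but not handed to the application again, which is what the "processed only once" objective on slide 56 requires.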

57 Outbound Transactions
Controls should ensure that only properly authorised outbound transactions are processed. This includes the objectives that:
- EDI transactions are initiated on authorisation.
- They are pre-approved.
- They are sent only to valid partners.

58 AUDITING EDI
The IS auditor must evaluate that:
1. All inbound messages are received, translated accurately, passed to an application and processed only once.
2. Audit monitors are installed to capture transactions for audit trails (in protected storage).
3. Expert systems are installed to evaluate these trails to determine the significance of such transactions and provide a report for the auditor's use.

59 TEASER
The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.

60 TEASER
Which of the following represents the GREATEST potential risk in an EDI environment?
A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application controls

61 EXPLANATION
Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.

62 TEASER
When evaluating the controls of an EDI application, an IS auditor should primarily be concerned with the risk of:
A. excessive transaction turnaround time
B. application interface failure
C. improper transaction authorization
D. non-validated batch totals

63 ELECTRONIC MAIL
- E-mail is the most heavily used feature of the internet and of LANs in an organization.
- It can be divided into two principal components:
  - Mail servers: hosts that deliver, forward and store mail.
  - Clients: devices that interface with users and allow them to read, compose, send and store e-mail messages.

64 E-MAIL OPERATIONS
E-mails are sent in the same way as most internet data:
- A user originates a message;
- TCP breaks the message into IP packets;
- The packets are sent to an internal router in the user's network;
- The router examines the address and decides whether the message is for someone inside or outside the network.

65 E-MAIL OPERATIONS contd…
- If the mail is for someone inside the network, it is delivered to them;
- If it is for someone outside the network, the message may pass through a firewall, which is a computer that shields the network from the broader internet so that intruders cannot break into the network.
- The firewall also keeps track of data going into and out of the network, to and from the internet. It can also be used to prevent packets from getting through it.

66 E-MAIL OPERATIONS contd…
- Once out on the internet, the message is sent to an internet router. The router examines the address, determines where the message should be sent and sends the message on its way.
- A gateway at the receiving network receives the e-mail message.
- The gateway uses TCP to reconstruct the IP packets into a full message.

67 E-MAIL OPERATIONS contd…
- The gateway then translates the message into the protocol the target network uses and sends it on its way.
- The message may be required to pass through a firewall on the receiving network.
- The receiving network examines the e-mail address and sends the message to a specific mailbox.

68 E-MAIL OPERATIONS contd…
- Pictures, videos, sounds and executable files can also be attached to the e-mail message.
- To do this, the user must encode the file in a way that will allow it to be sent across the network;
- The receiver will have to decode the file once it is received.
- Some e-mail software automatically does the encoding and decoding for the user.
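The encode/decode step on slide 68 is what MIME with a base64 Content-Transfer-Encoding does: the binary file is turned into printable 7-bit text for transmission and turned back into bytes by the receiving client. The Python below is an added example built on the standard library's email package, not code from the presentation; the addresses and the attachment bytes are constructed. It composes a message with a binary attachment, checks that the serialized message is pure 7-bit ASCII, and decodes the attachment on the receiving side, both through the library and by hand to show that the wire form is ordinary base64.

```python
import base64
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a binary attachment: every byte value 0..255, repeated (not a real file).
CONSTRUCTED_ATTACHMENT = bytes(range(256)) * 4


def build_message(attachment: bytes, filename: str) -> bytes:
    """Sender side: compose a message with a binary attachment; the MIME layer base64-encodes it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"          # constructed addresses
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Quarterly report"
    msg.set_content("The report is attached.")
    # Binary content gets a base64 Content-Transfer-Encoding so that every byte on the wire is
    # printable 7-bit ASCII, which any mail relay or gateway on the path can carry unchanged.
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def is_seven_bit_clean(raw: bytes) -> bool:
    """True when the serialized message contains no byte above 0x7F."""
    return all(b < 0x80 for b in raw)


def extract_attachment(raw: bytes):
    """Receiver side: parse the message and decode the first attachment back to bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        return {
            "filename": part.get_filename(),
            "transfer_encoding": part["Content-Transfer-Encoding"],
            "content_type": part.get_content_type(),
            "data": part.get_payload(decode=True),   # reverses the base64 encoding
        }
    return None


def manual_decode_check(raw: bytes, attachment: bytes) -> bool:
    """Show that the encoded body really is standard base64: take the text as transmitted
    and decode it with the base64 module instead of the email library."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = next(msg.iter_attachments())
    encoded_text = part.get_payload(decode=False)     # the base64 lines exactly as sent
    return base64.b64decode(encoded_text) == attachment


if __name__ == "__main__":
    wire = build_message(CONSTRUCTED_ATTACHMENT, "report.bin")
    print("7-bit clean:", is_seven_bit_clean(wire))
    info = extract_attachment(wire)
    print(info["filename"], info["content_type"], info["transfer_encoding"],
          "round-trip ok:", info["data"] == CONSTRUCTED_ATTACHMENT)
```

Base64 is an encoding, not encryption: anyone who can read the message in transit can decode the attachment just as the receiver does, which is why slide 70 lists interception of unencrypted messages as a separate issue with encryption as its countermeasure.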

69 E-MAIL OPERATIONS contd…
- When a user sends e-mail to someone on the internet or within a closed network, the message often has to travel through a series of networks before it reaches the recipient.
- These networks might use different e-mail formats.
- Gateways perform the job of translating e-mail format from one network to another so that messages can make their way through all the networks.

70 PLS REFER TO PAGE 183
Interactively discuss Security Issues in E-mail and Standards for E-mail Security.
Security issues with e-mail include:
- Mail server misconfiguration
- DoS
- Intercepting unencrypted sensitive messages
- Altering e-mail messages (MITM attack)
- Viruses and other malicious code
- Sending inappropriate or other sensitive information via e-mail, leading to legal exposure
Standards for e-mail security:
- Outbound (server configuration and maintenance, encryption, digital signature, PKI)
- Inbound (digital signature verification, firewalls, routers, IDS)

71 POINT OF SALE SYSTEMS
- These enable the capture of data at the time and place that sales transactions occur.
- The most common payment instruments used with POS are credit and debit cards, which are associated with bank accounts;
- POS terminals may have attached peripheral equipment, such as:
  - Optical scanners to read bar codes
  - Magnetic card readers for credit cards
  - Electronic readers for smart cards
  to improve the efficiency and accuracy of the transaction recording process.

72 POINT OF SALE SYSTEMS contd…
- POS systems may be on-line to a central computer owned by a financial institution or a card administrator,
- or may use local processors/microcomputers owned by a business to hold the transactions for a specific period, after which they are sent to the main computer for batch processing.
- If a POS system holds card information such as PINs or credit card numbers, that information should be encrypted using strong encryption methods.

73 ELECTRONIC BANKING
- E-banking as we currently know it in Nigeria is banking without the customer leaving his office/desk.
- E-banking does not raise risks that were not already identified in traditional banking, but it increases and modifies some of these traditional risks.
- The core business and the IT environment are tightly coupled, thereby influencing the overall risk profile of e-banking.

74 Risk Mgt
- The process of identifying vulnerabilities and threats to the information resources, and deciding which countermeasures to take to reduce risk to an acceptable level.
- Management and the board may decide to:
  1. Avoid
  2. Mitigate
  3. Transfer
  4. Accept

75 E-BANKING contd…
- Banks should have a risk management process to enable them to identify, measure, monitor and control their technology risk exposure.
- Risk management of new technology has 3 elements:
  1. The board and senior management should take an explicit, informed and documented strategic decision about e-banking.
- Risk management is the responsibility of the BOD and senior management.

76 E-banking contd…
  2. Implementation: implementing technology is the responsibility of the IT senior management members. They should have the skills to effectively evaluate e-banking technologies and products and ensure that they are appropriately installed and documented.
  3. Measuring and monitoring risk is the responsibility of members of operational management.
- However, the BOD should receive regular reports on the technologies employed, the risks assumed and how those risks are managed.

77 TEASER
If senior management is not committed to strategic planning, how likely is it that a company's implementation of IT will be successful?
A. IT cannot be implemented if senior management is not committed to strategic planning.
B. More likely.
C. Less likely.
D. Strategic planning does not affect the success of a company's implementation of IT.

78 Answer: C

79 Teaser
Who is ultimately accountable for the development of an IS security policy?
A. The board of directors
B. Middle management
C. Security administrators
D. Network administrators

80 Answer: A

81 Teaser
Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST answer.
A. Lack of employee awareness of a company's information security policy
B. Failure to comply with a company's information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures

82 Answer: A

83 RISK MGT CHALLENGES IN E-BANKING
E-banking presents a number of risk management challenges:
- Risk of obsolescence;
- Increased dependence on system design, system interoperability and operational scalability;
- Increased dependence on IT, thereby increasing the technical complexity of operations and security issues and tending towards more partnerships and outsourcing;
- Use of the internet in e-banking further magnifies the importance of security controls, customer authentication techniques, audit trail procedures and customer privacy standards.

84 RISK MGT CONTROLS FOR E-BANKING
Please turn to page 180
1. Board and mgt oversight
2. Security controls
3. Legal and reputational risk mgt

85 Teaser
Which of the following is a detective control?
A. Segregation of duties
B. Back-up procedures
C. Audit trails
D. Physical access control

86 Answer: C
Audit trails capture information which can be used for detecting errors; therefore, they are considered to be detective controls. Back-up procedures are corrective controls, whereas segregation of duties and physical access controls are examples of preventive controls.

87 ELECTRONIC FINANCE
- E-finance basically refers to the provision of credit facilities electronically.
- It allows consumers to compare financial services such as mortgage loans and insurance policies.
- It allows lenders to better stratify their customer base through analysis of internet-collected data, and allows customers to build preference profiles online.
- Some of the advantages to customers include:
  - Lower cost;
  - Increased breadth and quality;
  - Widening access to financial services;
  - A-synchrony (time-decoupled);
  - A-topy (location-decoupled).

88 PAYMENT SYSTEMS
- Typically, this involves the issuers and the users.
- An issuer is an entity that operates the payment services.
- The users of the payment service are either making or receiving payments: payer or payee.
- Payment systems include:
  - Electronic money model
  - Electronic checks model
  - Electronic transfer model

89 ELECTRONIC MONEY MODEL
- The objective of this model is to emulate physical cash.
- An issuer attempts to do this by creating digital certificates, which are then purchased (or withdrawn) by the users, who redeem (deposit) them with the issuer at a later date.
- In the interim, the certificates can be transferred between users to trade for goods and services.
- E.g. Ven, e-gold, Ripple, Digital Monetary Trust

90 ELECTRONIC MONEY MODEL contd…
- For the certificates to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides electronic certificates with unconditional untraceability.
- Advantages include:
  - The payer does not need to be on-line at the time of purchase (since the electronic money can be stored on the payer's computer);
  - The payer has unconditional untraceability (albeit at the expense of lost interest on deposits).
- Disadvantages include:
  - Double spending.

91 ELECTRONIC CHECKS MODEL
- Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement.
- A user writes an electronic check, which is a digitally signed instruction to pay.
- This is transferred (in the course of making purchases) to another user, who then deposits it with the issuer.
- The issuer will verify the payer's signature on the payment and transfer the funds from the payer's account to the payee's account.

92 ELECTRONIC CHECKS MODEL contd…
- Advantages include:
  - Easy to understand and implement;
  - The availability of electronic receipts, allowing users to resolve disputes without involving the issuer;
  - No need for the payer to be online to create a payment.
- Please note that these systems are usually fully traceable, which is an advantage for certain law enforcement, tax collection and marketing purposes.
- A disadvantage for those concerned is lack of privacy. How?

93 ELECTRONIC TRANSFER MODEL
- This is the simplest of the three payment models.
- The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer.
- The issuer then verifies the signature on the request and performs the transfer.
- This type of system requires the payer to be online, but not the payee.

94 ELECTRONIC TRANSFER MODEL contd…
- Advantages include:
  - Easy to understand and implement;
  - The payee does not need to be online, a considerable advantage in some circumstances (e.g. paying employee wages).
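Slides 91 to 94 describe two flows that differ mainly in who presents the payer's signed instruction to the issuer: the payee in the check model, the payer in the transfer model. The Python below is an added example, not code from the presentation or from any payment system; it assumes a toy textbook RSA signature over fixed primes, labelled as such in the code, standing in for a real signature library, and all account balances and names are constructed. It shows the issuer verifying the payer's signature, refusing an instruction whose amount was altered after signing, refusing the same check when presented a second time, and keeping the full payer-to-payee record that slide 92 notes makes this model traceable.

```python
import hashlib

# Toy textbook RSA on two fixed Mersenne primes. Assumption: this illustrates the sign/verify
# flow only and is not a secure signature scheme (no padding, tiny modulus, one key pair for
# everyone). A real issuer would use a vetted library (RSA-PSS or ECDSA) and per-user keys.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537


def keygen():
    """Return (public_key, private_key); the same toy pair serves every user in this demo."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (E, N), (d, N)


def _digest(data: bytes) -> int:
    # SHA-256 truncated to 64 bits so the value is below the ~92-bit modulus (part of the toy).
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(private_key, data: bytes) -> int:
    d, n = private_key
    return pow(_digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest(data)


def instruction_bytes(payer, payee, amount_cents, serial) -> bytes:
    """Canonical form of an instruction to pay: everything the signature must cover."""
    return f"{payer}|{payee}|{amount_cents}|{serial}".encode()


def write_instruction(payer, payer_priv, payee, amount_cents, serial) -> dict:
    """A digitally signed instruction to pay: an e-check when handed to the payee (slide 91),
    a transfer instruction when sent straight to the issuer (slide 93)."""
    sig = sign(payer_priv, instruction_bytes(payer, payee, amount_cents, serial))
    return {"payer": payer, "payee": payee, "amount": amount_cents, "serial": serial,
            "signature": sig}


class Issuer:
    """Operates the payment service: holds accounts, verifies signatures, moves funds."""

    def __init__(self, balances_cents, public_keys):
        self.accounts = dict(balances_cents)
        self.public_keys = public_keys
        self.honoured = set()   # (payer, serial) pairs already paid: blocks double presentation
        self.trace = []         # every settled payment names payer and payee (traceable, slide 92)

    def settle(self, ins: dict, presented_by: str) -> str:
        """One settlement path for e-check deposits (presented by the payee) and transfer
        instructions (presented by the payer)."""
        if presented_by not in (ins["payer"], ins["payee"]):
            return "rejected: presenter is neither payer nor payee"
        data = instruction_bytes(ins["payer"], ins["payee"], ins["amount"], ins["serial"])
        if not verify(self.public_keys[ins["payer"]], data, ins["signature"]):
            return "rejected: signature does not verify"      # altered or forged instruction
        if (ins["payer"], ins["serial"]) in self.honoured:
            return "rejected: serial already honoured"         # same instruction presented twice
        if self.accounts.get(ins["payer"], 0) < ins["amount"]:
            return "rejected: insufficient funds"
        self.honoured.add((ins["payer"], ins["serial"]))
        self.accounts[ins["payer"]] -= ins["amount"]
        self.accounts[ins["payee"]] = self.accounts.get(ins["payee"], 0) + ins["amount"]
        self.trace.append((ins["payer"], ins["payee"], ins["amount"], ins["serial"]))
        return "accepted"


def run_demo() -> dict:
    """Constructed accounts and instructions exercising both models; returns the outcomes."""
    pub, priv = keygen()
    issuer = Issuer({"alice": 10_000, "bob": 0, "carol": 0}, {"alice": pub})
    # E-check: alice signs offline, hands it to bob, bob deposits it with the issuer.
    check = write_instruction("alice", priv, "bob", 2_500, "CHK-1")
    out = {"check_deposit": issuer.settle(check, presented_by="bob"),
           "check_again": issuer.settle(check, presented_by="bob")}
    altered = dict(check, amount=9_000)                   # amount changed after signing
    out["check_altered"] = issuer.settle(altered, presented_by="bob")
    # Transfer instruction: alice signs and sends it directly to the issuer; carol need not be online.
    wages = write_instruction("alice", priv, "carol", 4_000, "TRF-1")
    out["transfer"] = issuer.settle(wages, presented_by="alice")
    out["balances"] = dict(issuer.accounts)
    out["trace_entries"] = len(issuer.trace)
    return out


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The serial-number register is the check model's answer to the double-spending problem listed for electronic money on slide 90: because every instruction is settled through the issuer, the issuer can simply refuse to honour a serial twice. The same central record is what makes the model fully traceable and is the source of the privacy concern raised on slide 92.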

95 INTEGRATED MANUFACTURING SYSTEMS
- These are applications traditionally used in the manufacturing sector to automate common operations.
- These applications integrate the manufacturing process from recording raw materials, work in progress and finished goods transactions, inventory adjustments, purchases, supplier mgt, sales, accounts payable, accounts receivable, goods received, inspection, invoices, cost accounting and maintenance.
- Integrated Manufacturing System (IMS) or Manufacturing Resource Planning (MRP) is a typical module of most ERP packages such as SAP, Oracle, J.D. Edwards and Navision, and it is usually integrated in modern CRM & SCM systems.

