C HAPTER Information Systems Controls for Systems Reliability Part 1: Information Security © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION • Questions to be addressed in this chapter: – How does security affect systems reliability? – What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security? – What is the time-based model of security and the concept of defense-in-depth? – What types of preventive, detective, and corrective controls are used to provide information security? – How does encryption contribute to security and how the two basic types of encryption systems work? © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION • One basic function of an AIS is to provide information useful for decision making In order to be useful, the information must be reliable, which means: – It provides an accurate, complete, and timely picture of the organization’s activities – It is available when needed – The information and the system that produces it is protected from loss, compromise, and theft © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION SYSTEMS RELIABILITY © 2008 Prentice Hall Business Publishing • The five basic principles that contribute to systems reliability: Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION SYSTEMS RELIABILITY • The five basic principles that contribute to systems reliability: – Security • Access to the system and its data is controlled SECURITY © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION CONFIDENTIALITY SYSTEMS RELIABILITY • The five basic principles that contribute to systems reliability: – Security – Confidentiality • Sensitive information is protected from unauthorized disclosure SECURITY © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • The five basic principles that contribute to systems reliability: – – – • Security Confidentiality Privacy Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner SECURITY © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • The five basic principles that contribute to systems reliability: • Data is processed: – –Security Accurately Completely – –Confidentiality – In a timely manner – –Privacy With proper authorization – Processing integrity SECURITY © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION SECURITY © 2008 Prentice Hall Business Publishing AVAILABILITY PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • The five basic principles that contribute to systems reliability: – Security – Confidentiality The system is available to meet –• Online privacy operational and contractual – Processing obligations integrity – Availability Accounting Information Systems, 11/e Romney/Steinbart of 222 INTRODUCTION SECURITY © 2008 Prentice Hall Business Publishing AVAILABILITY PROCESSING INTEGRITY PRIVACY CONFIDENTIALITY SYSTEMS RELIABILITY • Note the importance of security in this picture It is the foundation of systems reliability Security procedures: – Restrict system access to only authorized users and protect: • The confidentiality of sensitive organizational data • The privacy of personal identifying information collected from customers Accounting Information Systems, 11/e Romney/Steinbart 10 of 222 CORRECTIVE CONTROLS • The CERT should lead the organization’s incident response process through four steps: – Recognition that a problem exists • Typically occurs when an IDS signals an alert or as a result of a system administrator’s log analysis © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 208 of 222 CORRECTIVE CONTROLS • The CERT should lead the organization’s incident response process through four steps: – Recognition that a problem exists – Containment of the problem • Once an intrusion is detected, prompt action is needed to stop it and contain the damage © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 209 of 222 CORRECTIVE CONTROLS • The CERT should lead the organization’s incident response process through four steps: – Recognition that a problem exists – Containment of the problem – Recovery • • Damage must be repaired May involve restoring data from backup and reinstalling corrupted programs (discussed more in Chapter 8) © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 210 of 222 • Once recovery is in process, the CERT should lead analysis of how the incident occurred • Steps should be taken to modify existing security policy and minimize the likelihood of a similar incident • An important decision is whether to try to catch and punish the perpetrator – If the perpetrator will be pursued, forensic experts should be involved ensure that all possible Recognition that immediately a problemtoexists evidence is collected and maintained Containment of the problem in a manner that makes it admissible in court CORRECTIVE CONTROLS • The CERT should lead the organization’s incident response process through four steps: – – – Recovery – Follow-up © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 211 of 222 CORRECTIVE CONTROLS • Communication is vital to all four steps, so multiple methods are needed for notifying members of CERT (e.g., email, phone, cell phone) © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 212 of 222 CORRECTIVE CONTROLS • It is also important to practice the incident response plan, including the alert process, so that gaps can be discovered Regular practice helps identify the need for change in response to technological changes • – EXAMPLE: A CERT practicing an incident response in Texas recently realized that the password to a Web address that was vital to the incident response had been changed The CERT did not have the new password Better to find this out on a trial run and make provision for the CERT to be immediately notified of any future password changes than to discover it in a live incident © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 213 of 222 CORRECTIVE CONTROLS • Three key components that satisfy the preceding criteria are: – Establishment of a computer emergency response team – Designation of a specific individual with organization-wide responsibility for security – An organized patch management system © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 214 of 222 CORRECTIVE CONTROLS • A chief security officer (CSO): – Should be independent of other IS functions and report to either the COO or CEO – Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures – Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions – Works with the person in charge of building security, as that is often the entity’s weakest link – Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 215 of 222 CORRECTIVE CONTROLS • Three key components that satisfy the preceding criteria are: – Establishment of a computer emergency response team – Designation of a specific individual with organization-wide responsibility for security – An organized patch management system © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 216 of 222 CORRECTIVE CONTROLS • Patch management – Another important corrective control involves fixing known vulnerabilities and installing latest updates to: • • • • Anti-virus software Firewalls Operating systems Application programs – The number of reported vulnerabilities rises each year © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 217 of 222 CORRECTIVE CONTROLS • A primary cause of the rise in reported vulnerabilities is the ever-increasing size and complexity of software • Many widely-used programs contain millions of lines of code • Even if 99.9% error free, there would still be 100 vulnerabilities per million lines • Both hackers and security consultants constantly search for these vulnerabilities • Once discovered, the question is how to take advantage of them © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 218 of 222 CORRECTIVE CONTROLS • Hackers usually publish instructions for doing so (known as exploits) on the Internet • Although it takes skill to discover the exploit, once published, it can be executed by almost anyone • Attackers who execute these programmed exploits are referred to as script kiddies • A patch is code released by software developers to fix vulnerabilities that have been discovered © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 219 of 222 CORRECTIVE CONTROLS • Patch management is the process for regularly applying patches and updates to all of an organization’s software • Challenging to because: – Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed – There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 220 of 222 CORRECTIVE CONTROLS • Intrusion prevention systems may provide great promise if they can be quickly updated to respond to new vulnerabilities and block new exploits, so that the entity can buy time to: – Thoroughly test the patches – Apply the patches © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 221 of 222 SUMMARY • In this chapter, you’ve learned: – How security affects systems reliability – The four criteria that can be used to evaluate the effectiveness of an organization’s information security – What the time-based model of security is, as well as the concept of defense-in-depth – The types of preventive, detective, and corrective controls that are used to provide information security – How encryption contributes to security and how the two basic types of encryption systems work © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 222 of 222 ... Publishing Accounting Information Systems, 11/e Romney/ Steinbart 17 of 222 COBIT and Trust Services © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/ Steinbart. .. Publishing Accounting Information Systems, 11/e Romney/ Steinbart 19 of 222 COBIT and Trust Services © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/ Steinbart. .. Publishing Accounting Information Systems, 11/e Romney/ Steinbart 21 of 222 COBIT and Trust Services © 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/ Steinbart