A7

Uploaded by

phuongnhu150395
CSAC 2511 AIS: Information Systems Controls for Systems Reliability

Chapter 8 Learning Objectives

• Explain how information security affects information systems reliability.
• Discuss how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about the security of an organization’s information system.
Trust Services Framework
• Security
− Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
− Sensitive organizational data is protected.
• Privacy
− Personal information about trading partners, investors, and employees is protected.
• Processing integrity
− Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
− System and information are available.
Security Life Cycle
Security is a management issue

How to Mitigate Risk of Attack
Preventive Controls
• People
• Process
• IT Solutions
• Physical security
• Change controls and change management
Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
Preventive: People

• Culture of security
− Tone set at the top with management
• Training
− Follow safe computing practices
◦ Never open unsolicited e-mail attachments
◦ Use only approved software
◦ Do not share passwords
◦ Physically protect laptops/cellphones
− Protect against social engineering
Preventive: Process

• Authentication—verifies the person
1. Something person knows
2. Something person has
3. Some biometric characteristic
4. Combination of all three
• Authorization—determines what a person can access
Preventive: IT Solutions

• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption

Preventive: Other

• Physical security access controls
− Limit entry to building
− Restrict access to network and data
• Change controls and change management
− Formal processes in place regarding changes made to hardware, software, or processes
Corrective

• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management
Chapter 9 Learning Objectives

• Identify and explain controls designed to protect the confidentiality of sensitive information.
• Identify and explain controls designed to protect the privacy of customers’ personal information.
• Explain how the two basic types of encryption systems work.
Protecting Confidentiality and Privacy of
Sensitive Information
• Identify and classify information to protect
• Where is it located and who has access?
• Classify value of information to organization
• Encryption
• Protect information in transit and in storage
• Access controls
• Controlling outgoing information (confidentiality)
• Digital watermarks (confidentiality)
• Data masking (privacy)
• Training

Generally Accepted Privacy Principles
• Management
− Procedures and policies with assigned responsibility and accountability
• Notice
− Provide notice of privacy policies and practices prior to collecting data
• Choice and consent
− Opt-in versus opt-out approaches
• Collection
− Only collect needed information
• Use and retention
− Use information only for stated business purpose
• Access
− Customer should be able to review, correct, or delete information collected on them
• Disclosure to third parties
• Security
− Protect from loss or unauthorized access
• Quality
• Monitoring and enforcement
− Procedures in responding to complaints
• Compliance
Encryption

• Preventative control
• Factors that influence encryption strength:
− Key length (longer = stronger)
− Algorithm
− Management policies
◦ Stored securely
Encryption Steps
• Takes plain text and, with an encryption key and algorithm, converts it to unreadable ciphertext (sender of message)
• To read ciphertext, the encryption key reverses the process to make the information readable (receiver of message)
Types of Encryption
Symmetric
• Uses one key to encrypt and decrypt
• Both parties need to know the key
− Need to securely communicate the shared key
− Cannot share key with multiple parties; they get their own (different) key from the organization
Asymmetric
• Uses two keys
− Public—everyone has access
− Private—used to decrypt (only known by you)
− Public key can be used by all your trading partners
• Can create digital signatures
Virtual Private Network

• Securely transmits encrypted data between sender and receiver
− Sender and receiver have the appropriate encryption and decryption keys.
Chapter 10 Learning Objectives

• Identify and explain controls designed to ensure processing integrity.
• Identify and explain controls designed to ensure systems availability.
Processing Integrity Controls

• Input
− Forms design
◦ Sequentially prenumbered
− Turnaround documents
Processing Integrity: Data Entry Controls
• Field check
− Characters in a field are proper type
• Sign check
− Data in a field is appropriate sign (positive/negative)
• Limit check
− Tests numerical amount against a fixed value
• Range check
− Tests numerical amount against lower and upper limits
• Size check
− Input data fits into the field
• Completeness check
− Verifies that all required data is entered
• Validity check
− Compares data from transaction file to that of master file to verify existence
• Reasonableness test
− Correctness of logical relationship between two data items
• Check digit verification
− Recalculating check digit to verify data entry error has not been made
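The nine data-entry controls above, applied in order to one constructed sales-order record; this is an added example, not code from the slides, and the master file, credit limit, field width and quantity bounds are constructed values.

```python
# Added example (not from the slides): the data-entry controls listed above applied to
# one constructed sales-order record. Master file, credit limit, field width and
# quantity bounds are constructed values; the control names match the slide.

MASTER_CUSTOMERS = {"C1001", "C1002", "C2005"}   # constructed master file for the validity check
CREDIT_LIMIT = 10_000.00                           # constructed fixed value for the limit check
ACCOUNT_WIDTH = 11                                 # constructed field width for the size check
QTY_LOW, QTY_HIGH = 1, 500                         # constructed bounds for the range check


def check_digit_ok(number: str) -> bool:
    """Check digit verification (Luhn mod-10): recompute and compare with the entered digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_entry(rec: dict) -> list[str]:
    """Return the names of the data-entry controls this record fails (empty list = accept)."""
    failed = []
    required = ("customer_id", "account_no", "quantity", "unit_price", "amount")
    if any(rec.get(f) in (None, "") for f in required):
        return ["completeness"]                      # nothing else can be checked reliably
    try:                                             # field check: proper character types
        qty, price, amount = int(rec["quantity"]), float(rec["unit_price"]), float(rec["amount"])
    except (TypeError, ValueError):
        return ["field"]
    account = str(rec["account_no"])
    if qty <= 0 or price < 0:
        failed.append("sign")                        # appropriate sign for the field
    if amount > CREDIT_LIMIT:
        failed.append("limit")                       # compared against a fixed value
    if not QTY_LOW <= qty <= QTY_HIGH:
        failed.append("range")                       # compared against lower and upper limits
    if len(account) != ACCOUNT_WIDTH:
        failed.append("size")                        # input must fit the field
    if rec["customer_id"] not in MASTER_CUSTOMERS:
        failed.append("validity")                    # existence in the master file
    if abs(qty * price - amount) > 0.005:
        failed.append("reasonableness")              # logical relationship between two items
    if not check_digit_ok(account):
        failed.append("check digit")
    return failed
```

A record that fails completeness or the field check is rejected before the remaining checks run, since those checks would otherwise operate on missing or non-numeric data.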
Processing Controls
• Data matching
− Two or more items must be matched before an action takes place
• File labels
− Ensures correct and most updated file is used
• Recalculation of batch totals
• Cross-footing
− Verifies accuracy by comparing two alternative ways of calculating the same total
• Zero-balance tests
− For control accounts (e.g., payroll clearing)
• Write-protection mechanisms
− Protect against overwriting or erasing data
• Concurrent update controls
− Prevent error of two or more users updating the same record at the same time
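Three of the processing controls above (batch-total recalculation, cross-footing, and a zero-balance test on the payroll clearing account) run over a constructed payroll batch; this is an added example, not code from the slides, and every figure in it is constructed.

```python
# Added example (not from the slides): recalculation of batch totals, cross-footing and a
# zero-balance test on a constructed payroll batch. All figures are constructed.

BATCH = [  # constructed rows: (employee_no, gross, tax_withheld, net_pay)
    (1001, 2000.00, 400.00, 1600.00),
    (1002, 3500.00, 875.00, 2625.00),
    (1003, 1200.00, 180.00, 1020.00),
]
# Control totals recorded when the batch was prepared, before processing (constructed).
CONTROL_TOTALS = {"record_count": 3, "hash_total": 3006, "financial_total": 6700.00}


def recalc_batch_totals(batch) -> dict:
    """Recompute the three common batch totals from the records actually processed."""
    return {
        "record_count": len(batch),                             # number of records
        "hash_total": sum(r[0] for r in batch),                 # sum of an ID field; catches lost or duplicated records
        "financial_total": round(sum(r[1] for r in batch), 2),  # sum of a monetary field
    }


def batch_totals_match(batch, control: dict) -> bool:
    """Recalculation of batch totals: processed totals must equal the prepared control totals."""
    return recalc_batch_totals(batch) == control


def cross_foot_ok(batch) -> bool:
    """Cross-footing: column totals (sum gross - sum tax) must equal the row-wise net total."""
    by_columns = round(sum(r[1] for r in batch) - sum(r[2] for r in batch), 2)
    by_rows = round(sum(r[3] for r in batch), 2)
    return by_columns == by_rows


def clearing_postings(batch) -> list:
    """Constructed payroll clearing entries: gross debited; net paid and tax withheld credited."""
    gross = sum(r[1] for r in batch)
    return [gross, -sum(r[3] for r in batch), -sum(r[2] for r in batch)]


def zero_balance_ok(postings) -> bool:
    """Zero-balance test: a clearing account must net to zero once all entries are posted."""
    return round(sum(postings), 2) == 0.0
```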
Output Controls

• User review of output
• Reconciliation
− Procedures to reconcile to control reports (e.g., general ledger A/R account reconciled to Accounts Receivable Subsidiary Ledger)
− External data reconciliation
• Data transmission controls
Availability Controls
• Preventive maintenance
• Fault tolerance
− Use of redundant components
• Data center location and design
− Raised floor
− Fire suppression
− Air conditioning
− Uninterruptible power supply (UPS)
− Surge protection
• Patch management and antivirus software
• Backup procedures
− Incremental
◦ Copies only items that have changed since last partial backup
− Differential backup
◦ Copies all changes made since last full backup
• Disaster recovery plan (DRP)
− Procedures to restore organization’s IT function
◦ Cold site
◦ Hot site
• Business continuity plan (BCP)
− How to resume all operations, not just IT
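The incremental versus differential distinction above, worked through on constructed daily file snapshots after a full backup on day 0, showing what each strategy copies each night and which backup sets a restore then depends on; this is an added example, not code from the slides, and the paths and modification days are constructed.

```python
# Added example (not from the slides): constructed daily file snapshots, showing which files
# an incremental and a differential backup copy after a full backup on day 0, and which
# backup sets a restore needs. Paths and modification days are constructed.

FULL_BACKUP_DAY = 0
# Constructed snapshots: day -> {path: day the file was last modified}
SNAPSHOTS = {
    1: {"ledger.db": 1, "payroll.csv": 0, "config.ini": 0},
    2: {"ledger.db": 2, "payroll.csv": 2, "config.ini": 0},
    3: {"ledger.db": 2, "payroll.csv": 2, "config.ini": 3},
}


def incremental_backup(files: dict, last_backup_day: int) -> list:
    """Incremental: copy only items changed since the last backup of any kind (full or partial)."""
    return sorted(p for p, mtime in files.items() if mtime > last_backup_day)


def differential_backup(files: dict, full_day: int) -> list:
    """Differential: copy every item changed since the last FULL backup."""
    return sorted(p for p, mtime in files.items() if mtime > full_day)


def run_schedule(snapshots: dict, full_day: int = FULL_BACKUP_DAY) -> tuple:
    """Return ({day: files copied by incremental}, {day: files copied by differential})."""
    inc, diff = {}, {}
    last_backup = full_day
    for day in sorted(snapshots):
        inc[day] = incremental_backup(snapshots[day], last_backup)
        diff[day] = differential_backup(snapshots[day], full_day)
        last_backup = day                            # each nightly run becomes the new reference point
    return inc, diff


def restore_chain(strategy: str, day: int, full_day: int = FULL_BACKUP_DAY) -> list:
    """Backup sets needed to rebuild `day`: full plus every incremental, or full plus one differential."""
    if strategy == "incremental":
        return ["full"] + [f"inc{d}" for d in range(full_day + 1, day + 1)]
    if strategy == "differential":
        return ["full", f"diff{day}"]
    raise ValueError(f"unknown strategy: {strategy}")
```

Differential copies grow each day but a restore needs only two sets; incremental copies stay small but every set in the chain must be intact for the restore to succeed, which is the trade-off a DRP has to plan around.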
