  Chapter 

Every organization relies on information technology. Management wants assurance that the information produced by its accounting system is reliable. It also wants to know that its investment in information technology is cost effective.

See figure 8.1 on page 240 for the COBIT framework. It shows the business and governance objectives. Information for management must satisfy several requirements:

  • Effectiveness: the information must be relevant and timely

  • Efficiency: the information must be produced in a cost-effective manner

  • Confidentiality: sensitive information must be protected from unauthorized disclosure.

  • Integrity: the information must be accurate, complete and valid

  • Availability: the information must be available whenever needed

  • Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.

  • Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Information must satisfy the seven criteria listed above. The processes to achieve this are grouped into four basic management activities, also called domains.

  1. Plan and Organize

  2. Acquire and Implement

  3. Deliver and Support

  4. Monitor and Evaluate

COBIT specifies 210 detailed control objectives for the 34 processes within these four domains to enable effective management of an organization’s information resources. It also describes specific audit procedures for assessing the effectiveness of those controls and suggests metrics that management can use to evaluate performance.

The ‘Trust Service Framework’ is not a substitute for COBIT, because it addresses only a subset of the issues covered by COBIT.

The ‘Trust Service Framework’ classifies information systems controls into five categories that most directly pertain to systems reliability:

  • Security

  • Confidentiality

  • Privacy

  • Processing integrity

  • Availability

Two fundamental information security concepts

  1. Security is a management issue, not a technology issue. The accuracy of an organization’s financial statements depends upon the reliability of its information systems. Information security is the foundation for systems reliability and the responsibility of management.

  2. Defense-in-depth and the time-based model of information security. The idea of defense-in-depth is to employ multiple layers of control in order to avoid having a single point of failure. It typically involves a combination of preventive, detective, and corrective controls. The goal of a time-based model of security is to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information.

The objective of the time-based model of security can be expressed in a formula that uses the following three variables.

P = the time it takes an attacker to break through the organization’s preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond to the attack

If P > D + C, then the organization’s security procedures are effective; otherwise, they are not. The time-based model of security provides a means for management to identify the most cost-effective approach to improving security by comparing the effects of additional investment in preventive, detective, or corrective controls.
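The following is an added example, not part of the textbook summary, that applies the P > D + C test and compares candidate investments in preventive, detective and corrective controls to find the cheapest one that makes the model hold. The baseline times, investment names and costs are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Posture:
    """Current P, D and C, all in the same unit (hours in the sample below)."""
    p: float  # time for an attacker to break through preventive controls
    d: float  # time to detect that an attack is in progress
    c: float  # time to respond to the attack

    def margin(self) -> float:
        # Positive margin means P > D + C: the security procedures are effective.
        return self.p - (self.d + self.c)

    def effective(self) -> bool:
        return self.margin() > 0


@dataclass(frozen=True)
class Investment:
    """A candidate control investment (constructed) and how it shifts P, D or C."""
    name: str
    cost: float
    delta_p: float = 0.0  # added to P (stronger preventive controls)
    delta_d: float = 0.0  # subtracted from D (better detective controls)
    delta_c: float = 0.0  # subtracted from C (better corrective controls)

    def apply(self, base: Posture) -> Posture:
        return Posture(base.p + self.delta_p,
                       max(0.0, base.d - self.delta_d),
                       max(0.0, base.c - self.delta_c))


def cheapest_effective(base: Posture, options: List[Investment]) -> Optional[Investment]:
    """Return the least expensive option that achieves P > D + C, or None."""
    viable = [o for o in options if o.apply(base).effective()]
    return min(viable, key=lambda o: o.cost) if viable else None


# Constructed sample: an attacker needs 8 h to break in, but detection takes
# 6 h and response 4 h, so D + C = 10 h > P and security is not effective.
BASELINE = Posture(p=8, d=6, c=4)
OPTIONS = [
    Investment("additional firewall layer", cost=50_000, delta_p=1),   # P becomes 9, still < 10
    Investment("24x7 log monitoring", cost=30_000, delta_d=4),         # D becomes 2, P > D + C
    Investment("incident response retainer", cost=20_000, delta_c=2),  # C becomes 2, P == D + C only
]

if __name__ == "__main__":
    print("baseline effective:", BASELINE.effective())
    best = cheapest_effective(BASELINE, OPTIONS)
    print("cheapest effective investment:", best.name if best else None)
```

Note that the retainer is the cheapest option but only brings P level with D + C, which the model does not count as effective.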

It is useful to understand the basic steps criminals use to attack an organization’s information system.

  1. Conduct reconnaissance. The goal is to learn as much as possible about the target and to identify potential vulnerabilities.

  2. Attempt social engineering. Social engineering takes place when attackers try to use the information obtained during their initial reconnaissance to ‘trick’ an unsuspecting employee into granting them access. Social engineering attacks often take place over the telephone.

  3. Scan and map the target.

  4. Research

  5. Execute the attack

  6. Cover tracks

Preventive controls

  • Training. People play a critical role in information security, which is why employees must understand and follow the organization’s security policies. Training is therefore a critical preventive control. All employees should be taught why security measures are important and need to be trained to follow safe computing practices. Training is especially needed to educate employees about social engineering attacks. Employees also need to be trained not to allow other people to follow them through restricted access entrances. This social engineering attack is called piggybacking. It can take place at the main entrance to the building but also at any internal locked door.

  • User access controls

  • Physical access controls

  • Network access controls

  • Device and software hardening controls

User access controls

There are two related but distinct types of user access controls: authentication and authorization.

Authentication controls restrict who can access the organization’s information system. Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system. There are three methods of verifying a person’s identity:

  1. Something they know, such as passwords or personal identification numbers

  2. Something they have, such as smart cards or ID badges

  3. Some physical characteristic, such as fingerprints or voice

None of the three basic authentication credentials is, by itself, foolproof. Using two or all three types in conjunction is called multifactor authentication, and it is quite effective. Using multiple credentials of the same type is referred to as multiple authentication; it can also improve security.

Authorization controls limit what those individuals can do once they have been granted access. Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. Authorization controls are often implemented by creating an access control matrix. When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access the resource and perform the requested action.
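The access control matrix and compatibility test described above, as an added example that is not from the textbook summary. Users, resources and permitted actions are constructed sample data, the authenticated identity is assumed to be a username, and every decision is recorded so that denied attempts can feed the log analysis discussed under detective controls.

```python
from typing import Dict, FrozenSet, List, Tuple

# Access control matrix: rows are users, columns are resources, each cell is
# the set of actions that user may perform on that resource. Anything not
# listed is denied (default deny).
Matrix = Dict[str, Dict[str, FrozenSet[str]]]

ACCESS_MATRIX: Matrix = {  # constructed sample
    "alice": {"general_ledger": frozenset({"read", "update"}),
              "payroll": frozenset({"read"})},
    "bob":   {"payroll": frozenset({"read", "update", "approve"})},
    "carol": {"general_ledger": frozenset({"read"})},
}

# (user, resource, action, decision) for every access attempt: the audit trail.
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def compatibility_test(matrix: Matrix, user: str, resource: str, action: str) -> bool:
    """Match the authenticated user's request against the matrix.

    Returns True only if the matrix explicitly grants `action` on `resource`;
    unknown users, unknown resources and unlisted actions are all denied.
    """
    permitted = matrix.get(user, {}).get(resource, frozenset())
    allowed = action in permitted
    AUDIT_LOG.append((user, resource, action, "ALLOW" if allowed else "DENY"))
    return allowed


def denied_attempts(log: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Failed attempts to obtain access to specific resources, for later review."""
    return [(u, r, a) for (u, r, a, d) in log if d == "DENY"]


if __name__ == "__main__":
    requests = [("alice", "general_ledger", "update"),
                ("alice", "payroll", "approve"),
                ("dave", "payroll", "read")]          # dave has no row at all
    for user, resource, action in requests:
        print(user, resource, action, compatibility_test(ACCESS_MATRIX, user, resource, action))
    print("denied:", denied_attempts(AUDIT_LOG))
```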

Physical access controls

Physical access controls are essential to protecting information resources, because a skilled attacker needs only a few minutes of unsupervised direct physical access in order to bypass existing information security controls.

Network access controls

A device called a border router connects an organization’s information system to the internet. Behind the border router is the main firewall. The firewall is either a special-purpose hardware device or software running on a general-purpose computer.

The demilitarized zone (DMZ) is a separate network that permits controlled access from the internet to selected resources. The border router and the firewall act as filters to control which information is allowed to enter and leave the organization’s information system.

The transmission control protocol (TCP) specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembling the original document or file at the destination.

The internet protocol (IP) specifies the structure of those packets and how to route them to the proper destination.

Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.

A set of rules, called an access control list (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform static packet filtering, which screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header.
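Static packet filtering against an ACL, as an added example that is not from the textbook summary: each rule looks only at header fields (source, destination, destination port, protocol), the first matching rule wins, and a packet that matches nothing is dropped. The networks, rules and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a static filter looks at; the payload is never read."""
    src: str
    dst: str
    dst_port: int
    protocol: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_net: str                    # CIDR; "0.0.0.0/0" matches any source
    dst_net: str
    dst_port: Optional[int] = None  # None matches any port
    protocol: Optional[str] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.protocol is None or self.protocol == pkt.protocol))


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """Evaluate rules in order; the first match decides."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed inbound ACL for a border router: an inbound packet claiming an
# internal source address is spoofed and dropped; the internet may reach only
# the DMZ web server on TCP 443; everything else falls to the implicit deny.
INTERNAL = "10.0.0.0/8"
DMZ_WEB = "203.0.113.10/32"
ACL = [
    Rule("deny", INTERNAL, "0.0.0.0/0"),
    Rule("permit", "0.0.0.0/0", DMZ_WEB, dst_port=443, protocol="tcp"),
]

SAMPLE = [  # constructed packets
    Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),  # HTTPS to the DMZ server
    Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),   # SSH to the DMZ server
    Packet("10.1.2.3", "203.0.113.10", 443, "tcp"),      # spoofed internal source
    Packet("198.51.100.7", "10.20.30.40", 445, "tcp"),   # straight to an internal host
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src} -> {p.dst}:{p.dst_port}/{p.protocol}: {filter_packet(ACL, p)}")
```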

Deep packet inspection is the process of examining the data contents of a packet. The added control comes at the cost of speed, because it takes more time to examine the body of an IP packet. Deep packet inspection is the heart of a newer type of security technology called intrusion prevention systems (IPS), which monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks. An IPS consists of a set of sensors and a central monitoring unit that analyses the data collected. Sensors must be installed in several places to effectively monitor network traffic. IPSs use several different techniques to identify undesirable traffic patterns.

The Remote Authentication Dial-In User Service (RADIUS) is a standard method to verify the identity of users attempting to obtain dial-in access. Dial-in users connect to a remote access server and submit their log-in credentials. The remote access server passes those credentials to the RADIUS server, which performs compatibility tests to authenticate the identity of that user. Only after the user has been authenticated is access to the internal corporate network granted. The problem is that modems are cheap and easy to install, so employees are often tempted to install them on their desktop workstations without seeking permission or notifying anyone that they have done so. The most efficient and effective way to periodically check for the existence of rogue modems is to use war dialing software. This software calls every telephone number assigned to the organization to identify those that are connected to modems.

Device and software hardening controls

Endpoints is the collective term for workstations, servers, printers, and other devices that make up the organization’s network. Three areas are very important:

  1. Endpoint configuration. Endpoints can be made more secure by modifying their configurations. Every program that is running represents a potential point of attack because it probably contains flaws, called vulnerabilities. These vulnerabilities can be exploited to either crash the system or take control of it. Tools called vulnerability scanners can be used to identify unused and therefore unnecessary programs that represent potential security threats. This process of modifying the default configuration of endpoints to eliminate unnecessary settings and services is called hardening.

  2. User account management. This is the management of all user accounts. Administrative rights are needed in order to install software and alter most configuration settings. These powerful capabilities make accounts with administrative rights prime targets for attackers, and many vulnerabilities affect only accounts with administrative rights. Therefore, employees who need administrative rights should also have a second, non-administrative account for routine work.

  3. Software design. As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The common theme in all of these attacks is the failure to ‘scrub’ user input to remove potentially malicious code. Therefore, programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

Detective controls

Preventive controls are never 100% effective in blocking all attacks. The COBIT control objective stresses that organizations need to implement detective controls. Detective controls enhance security by monitoring the effectiveness of preventive controls and detecting incidents in which preventive controls have been successfully circumvented. There are four types of detective controls.

Log Analysis

Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Log analysis is the process of examining logs to identify evidence of possible attacks. These logs form an audit trail of system access. It is important to analyse logs of failed attempts to log on to a system and failed attempts to obtain access to specific information resources. It is also important to analyse changes to the logs themselves, and logs need to be analysed regularly to detect problems in a timely manner.
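Log analysis over failed logon attempts, as an added example that is not from the textbook summary. The log lines are constructed in a simplified syslog-like format, and the format, account names, addresses and alert threshold are all assumptions; the point is that a regular pass over the audit trail can separate a user's typo from one source trying many accounts.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed sample log: two failures by alice followed by success (a typo),
# and one external source failing against four different accounts.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:03 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:05 auth sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:10:00 auth sshd: Failed password for admin from 198.51.100.9
2024-03-01T08:10:01 auth sshd: Failed password for admin from 198.51.100.9
2024-03-01T08:10:02 auth sshd: Failed password for root from 198.51.100.9
2024-03-01T08:10:03 auth sshd: Failed password for backup from 198.51.100.9
2024-03-01T08:10:04 auth sshd: Failed password for admin from 198.51.100.9
2024-03-01T09:00:00 auth sshd: Accepted password for bob from 10.0.0.8
this line is not an authentication record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logons_by_source(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Sources with at least `threshold` failed logons: the page's first review item."""
    counts = Counter(e["src"] for e in events if e["result"] == "Failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def accounts_tried_per_source(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Distinct accounts each source failed against; many accounts suggests guessing."""
    tried: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            tried[e["src"]].add(e["user"])
    return dict(tried)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("sources over threshold:", failed_logons_by_source(events))
    print("accounts tried per source:", accounts_tried_per_source(events))
```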

Intrusion Detection Systems

Intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions. An IDS can also be installed on a specific device to monitor unauthorized attempts to change that device’s configuration. The main difference between an IDS and an IPS is that the former only produces a warning alert when it detects a suspicious pattern of network traffic, whereas the latter not only issues an alert but also automatically takes steps to stop a suspected attack.

Managerial Reports

It is important that management monitors and evaluates both system performance and controls. The COBIT framework provides management guidelines that identify critical success factors associated with each control objective and suggest key performance indicators.

Security Testing

A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system. This test provides a more rigorous way to test the effectiveness of an organization’s information security.

Corrective controls

Organizations also need procedures to undertake timely corrective actions. Many corrective actions rely on human judgment, so their effectiveness depends to a great extent on proper planning and preparation.

Computer Incident Response Team

A computer incident response team (CIRT) is a team that is responsible for dealing with major incidents. The CIRT should include not only technical specialists but also senior operations management, because some potential responses to security incidents have significant economic consequences. The CIRT should lead the organization’s incident response process through the following four steps.

  • Recognition that a problem exists.

  • Containment of the problem.

  • Recovery. Damage caused by the attack must be repaired.

  • Follow-up. Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.

Chief Information Security Officer (CISO)

The CISO is responsible for information security. This person should be independent of other information systems functions and should report to either the chief operating officer (COO) or the chief executive officer (CEO).

Patch Management

Once a vulnerability has been identified, the next step is to explore and document how to take advantage of it to compromise a system. The set of instructions for taking advantage of a vulnerability is called an exploit. Once an exploit is published on the internet it can easily be used by anyone who runs that code.

A patch is code released by software developers that fixes a particular vulnerability. Patch management is the process for regularly applying patches and updates to all software used by the organization.

Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer.

Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software, data storage devices, hardware and entire application environments.

Virtualization and cloud computing alter the risk of some information security threats, but they also offer the opportunity to significantly improve overall security.
