Part 1: Information systems controls for system reliability - Chapter 8

 

Every organization relies on information technology. Management wants assurance that the information produced by its accounting system is reliable. It also wants to know that its investment in information technology is cost effective.

See figure 8.1 on page 240 for the COBIT framework. It shows the business and governance objectives. The information for the management has several requirements:

  • Effectiveness: the information must be relevant and timely

  • Efficiency: the information must be produced in a cost-effective manner

  • Confidentially: sensitive information must be protected from unauthorized disclosure.

  • Integrity: the information must be accurate, complete and valid

  • Availability: the information must be available whenever needed

  • Compliance: controls must ensure compliance with internal policies with external legal and regulatory requirements.

  • Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

Information must satisfy the seven criteria listed above. The processes to achieve this are grouped into four basic management activities, also called domains.

  1. Plan and Organize

  2. Acquire and Implement

  3. Deliver and Support

  4. Monitor and Evaluate

COBIT specifies 210 detailed control objectives for these 34 processes to enable effective management of an organization’s information resources. It also describes specific audit procedures for assessing the effectiveness of those controls and suggest metrics that management can use to evaluate performance.

The ‘Trust Service Framework’ is not a substitute for COBIT, because it addresses only a subset of the issues covered by the COBIT.

The ‘Trust Service Framework’ classifies information systems controls into five categories that most directly pertain to systems reliability:

  • Security

  • Confidentiality

  • Privacy

  • Processing integrity

  • Availability

Two fundamental information security concepts

  1. Security is a management issue, not a technology issue.

  2. The accuracy of an organization’s financial statements depends upon the reliability of its information systems. Information security is the foundation for systems reliability and the responsibility of the management.

  3. Defense-in-depth and time-based model of information security

  4. The idea of defense-in-depth is to employ multiple layers of control in order to avoid having a single point of failure. It typically involves the use of a combination of preventive, detective, and corrective controls. The goal of a time-based model of security is to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information.

The objective of time-based model of security can be expressed in a formula that uses the following three variables.

P = the time it takes an attacker to break through the organization’s preventive controls

D = the time it takes to detect that an attack is in progress

C = the time it takes to respond on the attack

If P > D + C, then the organization’s security procedures are effective. If its otherwise, then the procedures are not effective. The time-based model of security provides a means for management to identify the most cost-effective approach to improving security by comparing the effects of additional investment in preventive, detective, or corrective controls.

It is useful to understand the basic steps criminal use to attack an organization’s information system.

  1. Conduct reconnaissance.

  2. The goal is to learn as much as possible about the target and to identify potential vulnerabilities.

  3. Attempt social engineering

  4. Social engineering takes place when attackers try to use the information obtained during their initial reconnaissance to ‘trick’ an unsuspecting employee into granting them access. Social engineering attacks often take place over the telephone.

  5. Scan and map the target.

  6. Research

  7. Execute the attack

  8. Cover tracks

Preventive controls

  • Training. People play a critical role in information security and that is why employees must understand and follow the organization’s security policies. Thus, training is a critical preventive control. All employees should be taught why security measures are important and need to be trained to follow safe computing practices. Training is especially needed to educate employees about social engineering attacks. Employees also needed to be trained not to allow other people to follow them through restricted access entrances. We call this social engineering attack piggybacking. It can take place both at the main entrance to the building but also at any internal looked doors.

  • User access controls

  • Physical access controls

  • Network access controls

  • Device and software hardening controls

User access controls

There are two related but distinct type of user access controls that accomplish that objective. It consists of authentication and authorization.

Authentication controls restrict who can access the organization’s information system. Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system. There are three methods of verifying a person’s identity:

  1. Something they know, such as passwords or personal identification numbers

  2. Something they have, such as smart cards or ID badges

  3. Some physical characteristics, such as fingerprints of voice

None of the three basis authentication credentials, by itself, is fool proof. The use of two or all types in conjunction is called the multifactor authentication process. It is quite effective. Using multiple credentials of the same type, a process is referred to as multiple authentication. It can improve security.

Authorization controls limit what those individuals can do once they have been granted access. Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. Authorization controls are often implemented by creating an access control matrix. When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access the resource and perform the requested action.

Physical access controls

Physical access controls are very essential to information resources, because a skilled attacker needs only a few minutes of unsupervised direct physical access in order to bypass existing information security controls.

Network access controls

A device, called a border router, connects an organization’s information system to the internet. Behind the border router is the main firewall. The firewall is either a special-purposed hardware device or software running on a general-purpose computer.

The demilitarized zone (DMZ) is a separate network that permits controlled access from the internet to selected resources. The border router and the firewall acts as filters to control which information is allowed to enter and leave the organization’s information system.

The transmission control protocol (TCP) specifies the procedures for diving files and documents into packets to be sent over the internet and the methods for reassembly of the original document or file at the destination.

The internet protocol (IP) specifies the structure of those packets and how to route them to the proper destination.

Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.

A set of rules, called an access control list (ACL), determine which packets are allowed entry and which are dropped. Border routers typically perform static packet filtering, which screens individual IP packets, based solely on the contents of the source and/or destination fields in the packet header.

Deep packet inspection is a process of examining the data contents of a packet. The added control comes at the cost of speed. It takes more time to examine the body of an IP packet. Deep packet inspection is the heart of a new type of security technology called intrusion prevention systems (IPS) that monitors patterns in the traffic flow, rather than only inspecting individual packers, to identify and automatically block attacks. An IPS consists of a set of sensors and a central monitor unit that analyses the data collected. Sensors must be installed in several places to effectively monitor network traffic. IPSs use several different techniques to identify undesirable traffic patterns.

The Remote Authentication Dial-In User Service (RADIUS) is a standard method to verify the identity of users attempting to obtain dial-in access. Dial-in users connect to a remote access server and submit their log-in credentials. The remote access server passes those credentials to the RADIUS server, which perform compatibility tests to authenticate the identity of that user. Only after the user has been authenticated is access to the internal corporate network granted. The problem is that modems are cheap and easy to install, so employees are often tempted to install them on their desktop workstations without seeking permission or notifying anyone that they have done so. The most efficient and effective way to periodically check for the existence of rogue modems is to use war dialing software. This software calls every telephone number assigned to the organization to identify those which are connected to modems.

Device and software hardening controls

Endpoints is the collective term for workstations, servers, printers, and other devices that contains the network of the organization. There are three devices that are very important:

  1. Endpoint configuration. Endpoints can be made more secure by modifying their configurations. Every program that is running represents a potential point of attack because it probably contains flaws, called vulnerabilities. These vulnerabilities can be exploited to either crash the system or take control of it. Tools called vulnerability scanners can be used to identify unused and therefore unnecessary programs that represent potential security threats. This process of modifying the default configuration of endpoints to eliminate unnecessary settings and services is called hardening.

  2. User account management. This is the management of all the user accounts. Administrative rights are needed in order to install software and alter most configuration settings. These powerful capabilities make accounts with administrative rights prime targets for attackers. Many vulnerabilities affect only accounts with administrative rights. Therefore, employees also have another account.

  3. Software design. As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The common theme in all of the attacks is the failure to ‘scrub’ users input to remove potentially malicious code. Therefore, programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

Detective controls

Preventive controls are never 100% effective in blocking all attacks. The COBIT control objective stresses that organizations need to implement detective controls. Detective controls enhance security by monitoring the effectiveness of preventive controls and detecting incidents in which preventive controls have been successfully circumvented. There are four types of detective controls.

Log Analysis

most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. A log analysis is the process of examining logs to identify evidence of possible attacks. These logs form an adit trail of system access. It is important to analyse logs of failed attempts to log on a system and failed attempts to obtain access specific information resources. It’s also important to analyse changes to the logs themselves and logs need to be analysed regularly to detect problems in a timely manner.

Intrusion Detection Systems

Intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions. An IDS can be installed on a specific device to monitor unauthorized attempts to change that device’s configuration. The main difference between a IDS and an IPS is that the former only produces a warning alert when it detects a suspicious pattern of network traffic, whereas the latter not only issues an alert but also automatically takes steps to stop a suspected attack.

Managerial Reports

It is really important that the management monitors and evaluates both system performance and controls. The COBIT framework provides management guidelines that identify critical success factors associated with each control objective and suggest key performance indicators.

Security Testing

A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system. This test provide a more rigorous way to test the effectiveness of an organization’s information security.

Corrective controls

Organizations also need procedures to undertake timely corrective actions. Many corrective actions rely on human judgment. Their effectiveness depends on a great extent on proper planning and preparation.

Computer Incident Response Team

A computer incident response team (CIRT) is a team that is responsible for dealing with major incidents. The CIRT should not only include technical specialist but also senior operations management, because some potential responses to security incidents have significant economic consequences. The CIRT should lead the organization’s incident response process through the following four steps.

  • Recognition that a problem exist.

  • Containment of the problem.

  • Recovery. Damaged caused by the attack must be repaired.

  • Follow-up. Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.

Chief Information Security Officer (CISO)

The CISO is responsible for information security. This person should be independent of other information systems functions and should report to either the chief operating officer (COO) or the (CEO).

Patch Management

once a vulnerability has been identified, the next step is to explore and document how to take advantage of it to compromise a system. The set of instructions for taking advantage of a vulnerability is called an exploit. Once an exploit is published on the internet it can be easily used by anyone who runts that code.

A patch is code released by software developers that fixes a particular vulnerability. Patch management is the process for regularly applying patches and updates to all software used by the organization.

Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer.

Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software, data storage devices, hardware and entire application environments.

Virtualization and cloud computing alter risk of some information security threats, but they also offer the opportunity to significantly improve overall security.

Heb je niet de volledige tekst in beeld, log dan eerst in
 

Aansluiten bij JoHo als abonnee of donateur

The world of JoHo footer met landenkaart

Aansluiten bij JoHo met een JoHo abonnement

JoHo abonnement (€20,- p/j)

  • Voor wie online volledig gebruik wil maken van alle JoHo's en boeksamenvattingen voor alle fases van een studie, met toegang tot alle online HBO & WO boeksamenvattingen en andere studiehulp
  • Voor wie gebruik wil maken van de gesponsorde boeksamenvattingen en er met zijn pinpoints 10 gratis kan afhalen in een JoHo support center of bij een JoHo partner
  • Voor wie gebruik wil maken van de vacatureservice en bijbehorende keuzehulp & advieswijzers
  • Voor wie gebruik wil maken van keuzehulp en advies bij werk in het buitenland, lange reizen, vrijwilligerswerk, stages en studie in het buitenland
  • Voor wie extra kortingen wil op (reis)artikelen en services (online + in de JoHo support centers)

 of met een JoHo donateurschap

JoHo donateurschap (€5,- per jaar)

  • Voor wie €10,- korting wil op zijn JoHo abonnement
  • Voor wie JoHo WorldSupporter en Smokey projecten wil steunen
  • Voor wie gebruik wil maken van alle gedeelde materialen op WorldSupporter
  • Voor wie op zoek is naar de organisatie bij een vacature

 

Aanmelden & Aansluiten bij JoHo 

Meer partners: met impact

Partnerselectie: inspiratie & activiteiten in binnen- en buitenland

Wereldstage & Wereldjob

Wereldstage is actief op Curaçao en helpt je aan betaald werk, stages, vrijwilligerswerk en de invulling van een 'gap programma'. Ze organiseren voor alle leeftijden programma's van een paar weken of langer, waarbij je erachter komt welke toekomst bij jou past. Lokale initiatieven worden gesteund door vrijwilligers te plaatsen, en financieel bij te dragen aan de vele goede doelen op Curaçao.

Dutchies Travel

Dutchies Travel is dé plek om reisplannen, ideeën en dromen van alle Dutchies (en hun vrienden) ter wereld te ontwikkelen! Door hun passie & liefde voor reizen te delen met de Nederlandse community creëren ze unieke en volledig op maat gemaakte droomreizen.
Ze geven gratis advies over reizen in Australië, Nieuw-Zeeland, Fiji, Canada en hun andere bestemmingen. Ze helpen je bij het maken van je reisplannen, en bij het kiezen en regelen van tours en activiteiten die het beste bij jou passen.

Vrijwillig Wereldwijd

Vrijwillig Wereldwijd is een kleinschalige organisatie die de mooiste lokale projecten in meer dan 10 landen ondersteunt op de continenten: Afrika, Zuid-Amerika, Azië en Europa. Ze zijn er van overtuigd dat vrijwilligerswerk in het buitenland kan leiden tot een geweldige win-win situatie. Door middel van een goede begeleiding en jarenlange ervaring doen ze er alles aan doen om deze belofte waar te maken. Dit omdat ze op deze manier de wereld een stukje mooier willen maken en mensen willen inspireren.

Snowminds

Bij Snowminds deelt het volledige team dezelfde passie: Sneeuw! Iedereen in het team heeft winterseizoenen gedaan, uiteenlopend van één winterseizoen tot meer dan negen. Snowminds begeleidt haar ski- en snowboardleraren van de reis tot skipas, van het hotel tot je contract. Bij Snowminds volgt iedereen basis- en vervolgopleidingen om uiteindelijk zo goed voorbereid mogelijk de verschillende skiculturen ter wereld te kunnen ervaren én de Snowboard gasten van dezelfde passie te laten genieten.

Pakachere

Pakachere is een backpackershostel en creatief centrum in Malawi, opgericht door twee Nederlanders. De plek doet dienst als een ontmoetingsplek, waar mensen samen kunnen komen voor workshops, activiteiten of om gewoon een drankje te doen.

Oneworld

OneWorld is de grootste Nederlandse website over mondiale verbondenheid en duurzaamheid. Naast de website OneWorld.nl geeft de organisatie ook een aantalk keer per jaar het tijdschrijft OneWorld uit!

  Chapters 

Teksten & Informatie

JoHo: paginawijzer

JoHo 'chapter 'pagina

 

Wat vind je op een JoHo 'chapter' pagina?

  •   JoHo chapters zijn tekstblokken en hoofdstukken rond een specifieke vraag of een deelonderwerp

Crossroad: volgen

  • Via een beperkt aantal geselecteerde webpagina's kan je verder reizen op de JoHo website

Crossroad: kiezen

  • Via alle aan het chapter verbonden webpagina's kan je verder lezen in een volgend hoofdstuk of tekstonderdeel.

Footprints: bewaren

  • Je kunt deze pagina bewaren in je persoonlijke lijsten zoals: je eigen paginabundel, je to-do-list, je checklist of bijvoorbeeld je meeneem(pack)lijst. Je vindt jouw persoonlijke  lijsten onderaan vrijwel elke webpagina of op je userpage
  • Dit is een service voor JoHo donateurs en abonnees.

Abonnement: nemen

  • Hier kun je naar de pagina om je aan te sluiten bij JoHo, JoHo te steunen en zelf en volledig gebruik te kunnen maken van alle teksten en tools.

Abonnement: checken

  • Hier vind je wat jouw status is als JoHo donateur of abonnee

Aantekeningen: maken

  • Dit is een service voor wie bij JoHo is aangesloten. Je kunt zelf online aantekeningen maken en bewaren, je eigen antwoorden geven op tests, of bijvoorbeeld checklists samenstellen.
  • De aantekeningen verschijnen direct op de pagina en zijn alleen voor jou zichtbaar
  • De aantekeningen zijn zichtbaar op de betrokken webpagine en op je eigen userpage.

Prints: maken

  • Dit is een service voor wie bij JoHo is aangesloten.  Wil je een tekst overzichtelijk printen, gebruik dan deze knop.
JoHo: footprint achterlaten