Part 1: Information systems controls for system reliability - Chapter 8
Every organization relies on information technology. Management wants assurance that the information produced by its accounting system is reliable. It also wants to know that its investment in information technology is cost effective.
See figure 8.1 on page 240 for the COBIT framework. It shows the business and governance objectives. The information for the management has several requirements:
Effectiveness: the information must be relevant and timely
Efficiency: the information must be produced in a cost-effective manner
Confidentiality: sensitive information must be protected from unauthorized disclosure.
Integrity: the information must be accurate, complete and valid
Availability: the information must be available whenever needed
Compliance: controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
Information must satisfy the seven criteria listed above. The processes to achieve this are grouped into four basic management activities, also called domains.
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
COBIT specifies 210 detailed control objectives for the 34 processes within these domains to enable effective management of an organization's information resources. It also describes specific audit procedures for assessing the effectiveness of those controls and suggests metrics that management can use to evaluate performance.
The 'Trust Service Framework' is not a substitute for COBIT, because it addresses only a subset of the issues covered by COBIT.
The ‘Trust Service Framework’ classifies information systems controls into five categories that most directly pertain to systems reliability:
Two fundamental information security concepts
Security is a management issue, not a technology issue.
The accuracy of an organization’s financial statements depends upon the reliability of its information systems. Information security is the foundation for systems reliability and the responsibility of the management.
Defense-in-depth and time-based model of information security
The idea of defense-in-depth is to employ multiple layers of control in order to avoid having a single point of failure. It typically involves the use of a combination of preventive, detective, and corrective controls. The goal of a time-based model of security is to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information.
The objective of time-based model of security can be expressed in a formula that uses the following three variables.
P = the time it takes an attacker to break through the organization’s preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack
If P > D + C, then the organization's security procedures are effective. Otherwise, the procedures are not effective. The time-based model of security provides a means for management to identify the most cost-effective approach to improving security by comparing the effects of additional investment in preventive, detective, or corrective controls.
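The comparison the model asks for, as an added example that is not part of the summary or the textbook: it tests P > D + C and ranks candidate investments in preventive, detective or corrective controls by cost per hour of margin gained. All times, names and costs are constructed.

```python
# Added example (not from the textbook or the summary): evaluating the
# time-based model of security, P > D + C, and ranking candidate control
# investments by cost-effectiveness. All numbers are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTimes:
    p: float  # hours an attacker needs to defeat the preventive controls
    d: float  # hours to detect that an attack is in progress
    c: float  # hours to respond once the attack is detected

    def is_effective(self) -> bool:
        # The model's criterion: prevention must outlast detection plus response.
        return self.p > self.d + self.c

    def margin(self) -> float:
        # Positive margin = slack; negative = attacker wins by that many hours.
        return self.p - (self.d + self.c)


@dataclass(frozen=True)
class Investment:
    name: str
    cost: float            # constructed currency units
    delta_p: float = 0.0   # added hours of prevention (positive is better)
    delta_d: float = 0.0   # change in detection time (negative is better)
    delta_c: float = 0.0   # change in response time (negative is better)

    def apply(self, t: SecurityTimes) -> SecurityTimes:
        return SecurityTimes(t.p + self.delta_p, t.d + self.delta_d, t.c + self.delta_c)


def rank_investments(current, options):
    """Options sorted by cost per hour of margin gained (cheapest first).
    Options that gain no margin are left out."""
    scored = []
    for opt in options:
        gain = opt.apply(current).margin() - current.margin()
        if gain > 0:
            scored.append((opt.cost / gain, opt))
    scored.sort(key=lambda pair: pair[0])
    return [opt for _, opt in scored]


def cheapest_effective_fix(current, options):
    """Cheapest single option that makes P > D + C hold, or None if none does."""
    candidates = [o for o in options if o.apply(current).is_effective()]
    return min(candidates, key=lambda o: o.cost) if candidates else None


# Constructed scenario: prevention holds 4 h, detection takes 3 h, response 2 h.
CURRENT = SecurityTimes(p=4.0, d=3.0, c=2.0)   # margin -1 h: not effective
OPTIONS = [
    Investment("stronger firewall rules", cost=20000, delta_p=3.0),
    Investment("24x7 log monitoring", cost=15000, delta_d=-2.0),
    Investment("incident response retainer", cost=8000, delta_c=-0.5),
]
```

Note that the cheapest option per hour gained (the firewall change) is not the cheapest option that actually makes the inequality hold (the monitoring service); the two questions give different answers and management needs both.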
It is useful to understand the basic steps criminals use to attack an organization's information system.
Conduct reconnaissance. The goal is to learn as much as possible about the target and to identify potential vulnerabilities.
Attempt social engineering
Social engineering takes place when attackers try to use the information obtained during their initial reconnaissance to ‘trick’ an unsuspecting employee into granting them access. Social engineering attacks often take place over the telephone.
Scan and map the target.
Execute the attack
Training. People play a critical role in information security, and that is why employees must understand and follow the organization's security policies. Thus, training is a critical preventive control. All employees should be taught why security measures are important and need to be trained to follow safe computing practices. Training is especially needed to educate employees about social engineering attacks. Employees also need to be trained not to allow other people to follow them through restricted access entrances. This social engineering attack is called piggybacking. It can take place at the main entrance to the building but also at any internal locked door.
User access controls
Physical access controls
Network access controls
Device and software hardening controls
There are two related but distinct types of user access controls that accomplish that objective: authentication and authorization.
Authentication controls restrict who can access the organization’s information system. Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system. There are three methods of verifying a person’s identity:
Something they know, such as passwords or personal identification numbers
Something they have, such as smart cards or ID badges
Some physical characteristic, such as fingerprints or voice
None of the three basic authentication credentials, by itself, is foolproof. The use of two or all three types in conjunction is called multifactor authentication. It is quite effective. Using multiple credentials of the same type is referred to as multiple authentication. It can improve security.
Authorization controls limit what those individuals can do once they have been granted access. Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform. Authorization controls are often implemented by creating an access control matrix. When an employee attempts to access a particular information systems resource, the system performs a compatibility test that matches the user’s authentication credentials against the access control matrix to determine whether that employee should be allowed to access the resource and perform the requested action.
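The authentication step followed by the compatibility test against an access control matrix, as an added example that is not from the summary or the textbook. The users, resources, actions and passwords are constructed; the matrix is a nested dictionary of user, resource and permitted actions.

```python
# Added example (not from the textbook or the summary): an access control
# matrix and the "compatibility test" that checks an authenticated user's
# requested action against it. Users, resources and passwords are constructed.

import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def make_credential(password: str) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Authentication store ("something they know"): username -> (salt, hash).
USERS = {
    "alice": make_credential("correct horse"),    # constructed test password
    "bob": make_credential("battery staple"),     # constructed test password
}

# Access control matrix: rows are users, columns are resources, cells are
# the set of actions permitted. A missing cell means no access at all.
ACCESS_MATRIX = {
    "alice": {"payroll": {"read", "update"}, "general_ledger": {"read"}},
    "bob": {"general_ledger": {"read", "update", "post"}},
}


def authenticate(username: str, password: str) -> bool:
    """Verify identity without revealing whether the user or the password was wrong."""
    salt, stored = USERS.get(username, (bytes(16), bytes(32)))   # dummy for unknown users
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return username in USERS and hmac.compare_digest(candidate, stored)


def authorize(username: str, resource: str, action: str) -> bool:
    """Compatibility test: is this action on this resource in the user's row?"""
    return action in ACCESS_MATRIX.get(username, {}).get(resource, set())


def request_access(username: str, password: str, resource: str, action: str) -> str:
    """Full check: authentication first, then the matrix decides what is allowed."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"
```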
Physical access controls are essential to protecting information resources, because a skilled attacker needs only a few minutes of unsupervised direct physical access in order to bypass existing information security controls.
A device called a border router connects an organization's information system to the internet. Behind the border router is the main firewall. The firewall is either a special-purpose hardware device or software running on a general-purpose computer.
The demilitarized zone (DMZ) is a separate network that permits controlled access from the internet to selected resources. The border router and the firewall act as filters to control which information is allowed to enter and leave the organization's information system.
The transmission control protocol (TCP) specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembling the original document or file at the destination.
The internet protocol (IP) specifies the structure of those packets and how to route them to the proper destination.
Special-purpose devices called routers are designed to read the destination address fields in IP packet headers to decide where to send (route) the packet next.
A set of rules, called an access control list (ACL), determines which packets are allowed entry and which are dropped. Border routers typically perform static packet filtering, which screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header.
Deep packet inspection is a process of examining the data contents of a packet. The added control comes at the cost of speed: it takes more time to examine the body of an IP packet. Deep packet inspection is the heart of a newer type of security technology called intrusion prevention systems (IPS), which monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks. An IPS consists of a set of sensors and a central monitoring unit that analyses the data collected. Sensors must be installed in several places to effectively monitor network traffic. IPSs use several different techniques to identify undesirable traffic patterns.
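Static packet filtering as the border router applies its ACL, shown as an added example that is not from the summary or the textbook. Rules are matched top to bottom on header fields only (source and destination address, destination port, protocol), the first match decides, and anything unmatched is dropped; the addresses and rules are constructed.

```python
# Added example (not from the textbook or the summary): a static packet
# filter as a border router would apply its ACL. Rules look only at header
# fields; the packet body is never read. Addresses and rules are constructed.

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "drop"
    src_net: str                     # CIDR the source address must fall in
    dst_net: str                     # CIDR the destination address must fall in
    dst_port: Optional[int] = None   # None matches any port
    proto: Optional[str] = None      # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Constructed inbound ACL. Evaluated top to bottom; first match decides;
# anything that matches no rule is dropped (implicit deny at the end).
INBOUND_ACL = [
    Rule("drop", "10.0.0.0/8", "0.0.0.0/0"),                  # internal source arriving from outside: spoofed
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", 443),      # DMZ web server, HTTPS only
    Rule("permit", "0.0.0.0/0", "203.0.113.25/32", 25),       # DMZ mail relay, SMTP only
    Rule("drop", "0.0.0.0/0", "10.0.0.0/8"),                  # nothing straight into the internal LAN
]


def filter_packet(acl, pkt: Packet) -> str:
    """Return the action of the first matching rule, or drop if none matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "drop"
```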
The Remote Authentication Dial-In User Service (RADIUS) is a standard method to verify the identity of users attempting to obtain dial-in access. Dial-in users connect to a remote access server and submit their log-in credentials. The remote access server passes those credentials to the RADIUS server, which performs compatibility tests to authenticate the identity of that user. Only after the user has been authenticated is access to the internal corporate network granted. The problem is that modems are cheap and easy to install, so employees are often tempted to install them on their desktop workstations without seeking permission or notifying anyone that they have done so. The most efficient and effective way to periodically check for the existence of rogue modems is to use war dialing software. This software calls every telephone number assigned to the organization to identify those which are connected to modems.
Endpoints is the collective term for workstations, servers, printers, and other devices that make up the organization's network. Three aspects of endpoint security are particularly important:
Endpoint configuration. Endpoints can be made more secure by modifying their configurations. Every program that is running represents a potential point of attack because it probably contains flaws, called vulnerabilities. These vulnerabilities can be exploited to either crash the system or take control of it. Tools called vulnerability scanners can be used to identify unused and therefore unnecessary programs that represent potential security threats. This process of modifying the default configuration of endpoints to eliminate unnecessary settings and services is called hardening.
User account management. This is the management of all user accounts. Administrative rights are needed in order to install software and alter most configuration settings. These powerful capabilities make accounts with administrative rights prime targets for attackers. Many vulnerabilities affect only accounts with administrative rights. Therefore, employees who need administrative rights should also have a separate, limited account for their routine work.
Software design. As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs. The common theme in all of these attacks is the failure to 'scrub' user input to remove potentially malicious code. Therefore, programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.
Preventive controls are never 100% effective in blocking all attacks. The COBIT control objective stresses that organizations need to implement detective controls. Detective controls enhance security by monitoring the effectiveness of preventive controls and detecting incidents in which preventive controls have been successfully circumvented. There are four types of detective controls.
Log analysis. Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. Log analysis is the process of examining logs to identify evidence of possible attacks. These logs form an audit trail of system access. It is important to analyse logs of failed attempts to log on to a system and failed attempts to obtain access to specific information resources. It is also important to analyse changes to the logs themselves, and logs need to be analysed regularly to detect problems in a timely manner.
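The two log analyses the paragraph calls for, run over a few constructed audit-trail lines, as an added example that is not from the summary or the textbook: it flags accounts with a burst of failed logons inside a time window and counts failed attempts to reach specific resources. The log format, usernames and timestamps are all constructed.

```python
# Added example (not from the textbook or the summary): log analysis over
# constructed audit-trail lines, flagging repeated failed logons and failed
# attempts to access restricted resources. Format and data are made up.

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <event> user=<name> [resource=<r>] result=<ok|fail>"
LOG_LINES = """\
2024-03-01T08:00:01 logon user=alice result=ok
2024-03-01T08:00:05 logon user=bob result=fail
2024-03-01T08:00:09 logon user=bob result=fail
2024-03-01T08:00:14 logon user=bob result=fail
2024-03-01T08:00:20 logon user=bob result=fail
2024-03-01T09:15:00 access user=alice resource=payroll result=fail
2024-03-01T09:15:03 access user=alice resource=payroll result=fail
2024-03-01T10:30:00 logon user=carol result=fail
2024-03-01T14:30:00 logon user=carol result=fail
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>logon|access) user=(?P<user>\S+)"
    r"(?: resource=(?P<resource>\S+))? result=(?P<result>ok|fail)$")


def parse(line):
    """One parsed event as a dict, or None for a malformed line (skipped, not fatal)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def failed_logon_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logons inside any sliding `window`."""
    times = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        if e["event"] == "logon" and e["result"] == "fail":
            times[e["user"]].append(e["ts"])
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:   # threshold failures within the window
                flagged.add(user)
                break
    return sorted(flagged)


def failed_resource_access(lines):
    """Count of failed access attempts per (user, resource) pair."""
    counts = defaultdict(int)
    for e in filter(None, map(parse, lines)):
        if e["event"] == "access" and e["result"] == "fail":
            counts[(e["user"], e["resource"])] += 1
    return dict(counts)
```

With the default threshold only bob is flagged; carol's two failures four hours apart only surface when the window is widened, which is exactly the tuning decision log analysis requires.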
Intrusion Detection Systems
Intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions. An IDS can also be installed on a specific device to monitor unauthorized attempts to change that device's configuration. The main difference between an IDS and an IPS is that the former only produces a warning alert when it detects a suspicious pattern of network traffic, whereas the latter not only issues an alert but also automatically takes steps to stop a suspected attack.
It is important that management monitors and evaluates both system performance and controls. The COBIT framework provides management guidelines that identify critical success factors associated with each control objective and suggests key performance indicators.
A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system. This test provides a more rigorous way to test the effectiveness of an organization's information security.
Organizations also need procedures to undertake timely corrective actions. Many corrective actions rely on human judgment. Their effectiveness depends to a great extent on proper planning and preparation.
Computer Incident Response Team
A computer incident response team (CIRT) is a team that is responsible for dealing with major incidents. The CIRT should include not only technical specialists but also senior operations management, because some potential responses to security incidents have significant economic consequences. The CIRT should lead the organization's incident response process through the following four steps.
Recognition that a problem exists.
Containment of the problem.
Recovery. Damage caused by the attack must be repaired.
Follow-up. Once recovery is in process, the CIRT should lead the analysis of how the incident occurred.
Chief Information Security Officer (CISO)
The CISO is responsible for information security. This person should be independent of other information systems functions and should report to either the chief operating officer (COO) or the chief executive officer (CEO).
Once a vulnerability has been identified, the next step is to explore and document how to take advantage of it to compromise a system. The set of instructions for taking advantage of a vulnerability is called an exploit. Once an exploit is published on the internet, it can easily be used by anyone who runs that code.
A patch is code released by software developers that fixes a particular vulnerability. Patch management is the process of regularly applying patches and updates to all software used by the organization.
Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer.
Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software, data storage devices, hardware and entire application environments.
Virtualization and cloud computing alter risk of some information security threats, but they also offer the opportunity to significantly improve overall security.