Accounting Information Systems, 11e (Romney, Steinbart), Chapter 07


Page 1

CHAPTER 7

Information Systems Controls for Systems Reliability, Part 1: Information Security

Page 2

• Questions to be addressed in this chapter:

– How does security affect systems reliability?

– What are the four criteria that can be used to evaluate the effectiveness of an organization’s information

– How does encryption contribute to security and how do the two basic types of encryption systems work?

Page 3

• One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:

– It provides an accurate, complete, and timely picture of the organization’s activities.

– It is available when needed.

– The information and the system that produces it are protected from loss, compromise, and theft.

Page 4

• The five basic principles that contribute to systems reliability:

SYSTEMS RELIABILITY

Page 5

• Security: Access to the system and its data is controlled.

Page 6

• Confidentiality: Sensitive information is protected from unauthorized disclosure.

Page 7

• The five basic principles that contribute to systems reliability:

– Security – Confidentiality

• Privacy: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.

Page 8

• The five basic principles that contribute to systems reliability:

– Security – Confidentiality – Privacy

• Processing integrity: Data is processed:

– Accurately – Completely – In a timely manner – With proper authorization

Page 9

• The five basic principles that contribute to systems reliability:

– Security – Confidentiality – Online privacy – Processing integrity

• Availability: The system is available to meet operational and contractual obligations.

Page 10

• Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:

– Restrict system access to only authorized users and protect:

• The confidentiality of sensitive organizational data.

• The privacy of personal identifying information collected from customers.

Page 11

• Security procedures also:

– Provide for processing integrity by preventing:

• Submission of unauthorized or fictitious transactions.

• Unauthorized changes to stored data or programs.

– Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

Page 12

• This chapter provides a broad introduction to the topic of information systems security.

• Anyone interested in a career in information systems security would need to undertake additional detailed study.

• Chapter 8 will discuss controls relevant to the other four reliability principles.

Page 13

• The press carries many stories about information security incidents including:

– Denial of service attacks – Fraud – Loss of trade secrets – Identity theft

• Accountants and IS professionals need to understand basic principles of information security in order to protect their organizations and themselves.

Page 14

COBIT and Trust Services

• Control Objectives for

Page 15

COBIT and Trust Services

• COBIT IT resources:

– Applications – Information – Infrastructures – People

Page 16

COBIT and Trust Services

• COBIT information criteria:

– Effectiveness – Efficiency – Confidentiality – Integrity – Availability – Compliance – Reliability

Page 17

COBIT and Trust Services

• COBIT domains:

– Basic management activities for IT

– Help organize 34 generic IT controls

Pages 18 to 25

COBIT and Trust Services (slides with no extracted text)

Page 26

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in

Page 27

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in

Page 28

SECURITY AS A MANAGEMENT ISSUE

• Though information security is a complex technical subject, security is first and foremost a top management issue, not an IT issue.

Page 29

SECURITY AS A MANAGEMENT ISSUE

• Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS.

– SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements.

– SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their

Page 30

SECURITY AS A MANAGEMENT ISSUE

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

– Develop and document policies.

– Effectively communicate those policies to all authorized users.

– Design and employ appropriate control procedures to implement those policies.

– Monitor the system, and take corrective action to maintain compliance with the policies.

• Top management involvement and support are necessary to satisfy each of the preceding criteria.

Page 31

SECURITY AS A MANAGEMENT ISSUE

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

– Develop and document policies.

– Effectively communicate those policies to all authorized users.

– Design and employ appropriate control procedures to implement those policies.

– Monitor the system, and take corrective action to maintain compliance with the policies.

• COBIT section PO 6 identifies the CIO as responsible for ensuring that information policies and controls are defined and communicated to all employees.

Page 32

SECURITY AS A MANAGEMENT ISSUE

implementing specific control procedures.

– Helps ensure that the security products you ultimately purchase protect each IS resource.

– Developing a comprehensive set of security policies begins with taking an inventory of information systems resources, including:

• Hardware

• Software

• Databases

Page 33

SECURITY AS A MANAGEMENT ISSUE

• Once the resources have been identified, they need to be valued in order to select the most cost-effective control procedures.

– Not easy—particularly in valuing information itself.

– Management at the highest level needs to be involved because they have a broader understanding of the organization’s mission and goals that will enable them to better assess the dollar impact caused by loss or disclosure of information resources.

Page 34

SECURITY AS A MANAGEMENT ISSUE

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

– Develop and document policies.

– Effectively communicate those policies to all authorized users.

– Design and employ appropriate control procedures to implement those policies.

– Monitor the system, and take corrective action to maintain compliance with the policies.

• Top management involvement and support are necessary to satisfy each of the preceding criteria.

Page 35

SECURITY AS A MANAGEMENT ISSUE

• Effective communication of policies

– Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users.

– Needs to be more than having people sign off that they’ve received and read a written document.

– Employees should have regular reminders about security policies and training in how to comply.

– Training and communication will only be taken seriously if management provides active support and involvement.

– Sanctions must also be associated with violations, again requiring management support for enforcement.

Page 36

SECURITY AS A MANAGEMENT ISSUE

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

– Develop and document policies.

– Effectively communicate those policies to all authorized users.

– Design and employ appropriate control procedures to implement those policies.

– Monitor the system, and take corrective action to maintain compliance with the policies.

• Top management involvement and support are necessary to satisfy each of the preceding criteria.

Page 37

SECURITY AS A MANAGEMENT ISSUE

• Design and employ appropriate control procedures

– Control frameworks such as COBIT and Trust Services identify a variety of specific control procedures and tools that can be used to mitigate various security threats.

– Options differ in terms of cost and effectiveness.

– Determining the optimal level of investment in security involves evaluating cost-benefit trade-offs.

– Systems personnel have knowledge about the technical merits of each alternative, as well as the risk of various threats.

– Management insight is needed in identifying potential costs and ensuring that all relevant organizational factors are considered.

– COBIT stresses that the CEO and CFO are accountable for ensuring that the organization has implemented a thorough risk assessment program.

Page 38

SECURITY AS A MANAGEMENT ISSUE

• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:

– Develop and document policies.

– Effectively communicate those policies to all authorized users.

– Design and employ appropriate control procedures to implement those policies.

– Monitor the system, and take corrective action to maintain compliance with the policies.

• Top management involvement and support are necessary to satisfy each of the preceding criteria.

Page 39

SECURITY AS A MANAGEMENT ISSUE

• Monitor and take remedial action

– Security is a moving target.

– Technology advances create new threats and alter the risks associated with existing threats.

– Effective control involves a continuous cycle of:

• Developing policies to address identified threats;

• Communicating those policies to all employees;

• Implementing specific control procedures to mitigate risk;

• Monitoring performance; and

• Taking corrective action in response to problems.

Page 40

SECURITY AS A MANAGEMENT ISSUE

• Corrective actions often involve the modification of existing cycles, and the cycle starts all over.

• Senior management must be involved to ensure that security policies remain consistent with and support the organization’s business strategy.

Page 41

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in

Page 42

TIME-BASED MODEL OF SECURITY

• Given enough time and resources, any preventive control can be circumvented.

• Consequently, effective control requires supplementing preventive procedures with:

– Methods for detecting incidents; and

– Procedures for taking corrective remedial action.

• Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization’s economic and information resources.

Page 43

TIME-BASED MODEL OF SECURITY

• The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

• All three types of controls are necessary:

– Preventive

• Limit actions to those in accord with the organization’s security policy and disallow all others.

Page 44

TIME-BASED MODEL OF SECURITY

• The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

• All three types of controls are necessary:

– Preventive

– Detective

• Identify when preventive controls have been breached.

Page 45

TIME-BASED MODEL OF SECURITY

• The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.

• All three types of controls are necessary:

– Preventive – Detective

– Corrective

• Repair damage from problems that have occurred.

• Improve preventive and detective controls to reduce likelihood of

Page 46

TIME-BASED MODEL OF SECURITY

• The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:

– P = Time it takes an attacker to break through the organization’s preventive controls.

– D = Time it takes to detect that an attack is in progress.

– C = Time to respond to the attack.

• These three variables are evaluated as follows:

– If P > (D + C), then security procedures are effective.

– Otherwise, security is ineffective.

Page 47

TIME-BASED MODEL OF SECURITY

• The model provides management with a means to identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls.

Page 48

TIME-BASED MODEL OF SECURITY

• EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:

– Measure 1 would increase P by 5 minutes.

– Measure 2 would decrease D by 3 minutes.

– Measure 3 would decrease C by 5 minutes.

– Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.

• Because each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed [D + C] by the maximum possible amount.)

Page 49

TIME-BASED MODEL OF SECURITY

• You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C.

• So let’s assume that P = 15 min., D = 5 min., and C = 8 min.

• At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.

• With Measure 1, P is increased by 5 minutes:
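The computation the slide begins (assumed P = 15 min, D = 5 min, C = 8 min), carried through for all four measures from the example and for the model's P > (D + C) test itself. This is an added Python example, not material from the textbook slides: the names `SecurityTimes`, `apply_measure`, `rank_measures` and `best_measure` are chosen here, and the clamp that keeps D and C from dropping below zero is an assumption the slide does not state. The minute values are the ones on the slides.

```python
"""Time-based model of security: controls are effective only if P > D + C."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTimes:
    """The three variables of the model, all in minutes."""
    p: float  # time an attacker needs to break through preventive controls
    d: float  # time needed to detect that an attack is in progress
    c: float  # time needed to respond to the attack

    def margin(self) -> float:
        """P - (D + C): the defenders' head start.

        Positive means the attack can be detected and stopped before it
        completes; zero or negative means it cannot.
        """
        return self.p - (self.d + self.c)

    def is_effective(self) -> bool:
        """The slide's test: security procedures are effective if P > (D + C)."""
        return self.margin() > 0


# Assumed starting values from the slide: P = 15, D = 5, C = 8 minutes.
BASELINE = SecurityTimes(p=15, d=5, c=8)

# The four measures from the slide, each as the change it makes to P, D, C.
# All four cost the same ($25,000), so only the resulting margin matters.
MEASURES = {
    "Measure 1": {"p": +5},
    "Measure 2": {"d": -3},
    "Measure 3": {"c": -5},
    "Measure 4": {"p": +3, "c": -3},
}


def apply_measure(base: SecurityTimes, deltas: dict) -> SecurityTimes:
    """Return the times after a measure is applied.

    Assumption added here: detection and response times cannot drop below
    zero, so reductions are clamped. Without the clamp a large enough
    "decrease D" would produce a meaningless negative time.
    """
    values = {name: getattr(base, name) for name in ("p", "d", "c")}
    for name, delta in deltas.items():
        values[name] = max(0.0, values[name] + delta)
    return SecurityTimes(**values)


def rank_measures(base: SecurityTimes, measures: dict = MEASURES) -> list:
    """Score every measure by the margin it produces, best first.

    sorted() is stable, so measures with equal margins keep slide order.
    """
    scored = [(name, apply_measure(base, deltas).margin())
              for name, deltas in measures.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def best_measure(base: SecurityTimes, measures: dict = MEASURES) -> str:
    """Name of the measure that makes P exceed D + C by the most."""
    return rank_measures(base, measures)[0][0]


if __name__ == "__main__":
    print(f"Baseline: P - (D + C) = {BASELINE.margin()} min, "
          f"effective = {BASELINE.is_effective()}")
    for name, margin in rank_measures(BASELINE):
        print(f"{name}: P - (D + C) = {margin} min")
    print("Best choice:", best_measure(BASELINE))
```

Because each measure shifts the margin by a fixed number of minutes, the ranking is the same for any baseline at which the clamp does not trigger; the assumed baseline only decides whether the organization is on the effective side of P > (D + C) at all. In practice P, D and C are rough estimates, so the output is best read as a relative ranking of where the next investment goes rather than a precise figure.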

Page 50

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

• There are three fundamental information security concepts that will be discussed in

Page 51

DEFENSE IN DEPTH

• The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.

• If one layer fails, another may function as planned.

• Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.

• Redundancy also applies to detective and corrective controls.

Page 52

– Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)

– Encryption

Page 53

DEFENSE IN DEPTH

• Detective controls include:

– Log analysis – Intrusion detection systems – Managerial reports

– Security testing (vulnerability scanners, penetration tests, war dialing)

Page 54

DEFENSE IN DEPTH

• Corrective controls include:

– Computer emergency response teams – Chief Security Officer (CSO)

– Patch Management

Page 55

Understanding Targeted Attacks

• How are they done?

– Reconnaissance: Collecting information to identify potential vulnerabilities.

– Social Engineering: Tricking unsuspecting employees into allowing access to the system.

– Scan and Map: Detailed scan of the system to identify potential points of remote entry.

– Research: Researching vulnerabilities of software identified during the scan.

– Attack Execution: Unauthorized access to the system.

– Cover Tracks: Removing evidence of the attack.

Posted: 12/05/2017, 10:58
