BTC1110 Lecture Notes - Lecture 9: Chief Information Security Officer, Smart Card, Symmetric-Key Algorithm
Week 7: Internal Controls for System Reliability
Part A: Information Security
Internal Control (policies, plans, procedures)
-Safeguarding assets
-Checking the accuracy and reliability of accounting data
-Promoting operational efficiency
-Encouraging adherence: Prescribed managerial policies
1. AIS Controls: COSO; COSO-ERM (Refer to Week 3)
2. COBIT - Control Objectives for Information and Related Technology
-Framework for building trust in, and obtaining value from, information systems
(1) Management develops plans to organize information resources so that they provide the information it needs
(2) Management authorises and oversees efforts to acquire and implement the desired functionality
(3) Management ensures the resulting system actually delivers the desired information
(4) Management monitors and evaluates system performance against established criteria
(5) Management modifies existing plans and procedures, or develops new ones, to respond to changes in
business objectives (the cycle is then repeated)
3. Trust Service Framework
(1) Security:
-Security is a management issue, not only a technology issue
-The system should comply with accounting standards and give a true and fair view of the accuracy of an
organization's financial statements. Steps:
Create a security-aware culture
Inventory and value the company's information resources
Assess risk and select a risk response
Develop and communicate security plans
Acquire and deploy IT security resources
Monitor and evaluate effectiveness
-Defence-in-depth and the time-based model
Use a combination of preventive, detective and corrective controls, so that an information security
incident is identified before it results in loss or compromise of information. The controls are adequate when
P > D + C
Time the attacker takes to break through the preventive controls
> Time to detect the attack + Time to respond to (correct) the attack
(2) Confidentiality:
-Sensitive organizational information (e.g. marketing plans, trade secrets) is protected from unauthorized
disclosure
(3) Privacy
-Personal information about customers is collected, used, disclosed, and maintained only in compliance
with internal policies and external regulatory requirements, and is protected from unauthorized disclosure
(4) Processing Integrity (Week 8)
(5) Availability (Week 8)
Document Summary
Fragments from the remainder of the document (beyond the notes above):
-Log analysis: identify evidence of possible attacks; intrusion detection
-Multiple systems are run on one computer; cloud computing
-Reduced authentication standards: (1) training; (2) user access controls
-One regular entry point to the building (unlocked during the day, with "fire doors" alarmed and unlocked on the inside, but locked from the outside)