ACCT10003 Lecture Notes - Lecture 8: Information Security Management, Computer Fraud, Information Security
Information Security and Computer Fraud
Integrity and Information Security
•Information security management is an important technology issue for accountants
-Not just IT’s problem - the CFO (governance) is accountable as well
-A holistic information strategy required - behaviour of information creators/users
-Larger firms tend to have better security - small/medium firms more vulnerable
•Information security management: An integrated, systematic approach that co-ordinates
people, policies, standards, processes and controls used to safeguard critical systems and
information from internal and external security threats
•Information security is critical to maintaining systems integrity
•The goal of information security management is to protect the confidentiality, integrity &
availability (CIA) of a firm’s information
-Confidentiality: information is not accessible to unauthorised individuals or processes
-Integrity: Information is accurate and complete
-Availability: information and systems are accessible on demand
Information Security Risks
•Malware - code designed to damage or steal data, or to disrupt computer systems and
networks
•Viruses:
-A self-replicating program that runs and spreads by modifying other programs or files
-Example - Melissa virus
•Worms:
-A self-replicating, self-propagating, self-contained program that uses networking mechanisms
to spread itself
-Example - the Blaster Worm
•Trojan horses:
-A non-self-replicating program that appears to have a useful purpose, but in reality has a
different, malicious purpose
-Example - Trojans
•Bots (botnets):
-A collection of software robots that overruns computers to act automatically in response to the
bot-herder’s control inputs through the internet
-Example - bots
-Can be used for commercial or malicious purposes
•Spam
•Phishing
•Pharming
•Hacking
•Social engineering
•Identity theft
•Denial of Service - the prevention of authorised access to resources (such as servers) or the
delaying of time-critical operations
•Spyware - software that is secretly installed in an information system to gather information
about individuals or organisations without their knowledge; a type of malicious code
•Spoofing - sending a network packet that appears to come from a source other than its actual
source
•Significant economic costs associated with these risks
Encryption and Authentication
•Encryption is a preventative control providing confidentiality and privacy for data transmission
and storage
•There are two algorithmic schemes that encode plaintext into non-readable form, or ciphertext:
-Symmetric-key encryption methods: same key for encryption and decryption
-Asymmetric-key encryption methods: different key for encryption and decryption
•Encryption is a technique used in the process of authentication
•Authentication is a process that establishes the origin of information or determines the identity
of a user, process or device.
•It is critical in e-business because it can prevent repudiation while conducting transactions online
Computer Fraud
•Fraud means an intentional act by one or more individuals among management, those charged
with governance, employees or third parties, involving the use of deception to obtain an unjust
or illegal advantage
•The primary responsibility for the prevention and detection of fraud rests with both those
charged with governance of the entity and management
•Emphasis should be strongly on prevention and deterrence
•Role of IT controls, governance and the internal audit function