
Accounting Information Systems - Textbook Notes needed for the Final

31 Pages

Kevin Bullock

Chapter 5 – Computer Fraud

AIS Threats
1. Natural and political disasters can destroy an information system and cause many companies to fail.
2. Software errors, operating system crashes, hardware failures, power outages and fluctuations, and undetected data transmission errors.
3. Unintentional acts such as accidents or innocent errors and omissions are the greatest risk to information systems and cause the greatest dollar losses.
   - Caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel.
4. Intentional acts such as computer crime, fraud, or sabotage (the deliberate destruction of or harm to a system).

Introduction to Fraud
- Fraud is gaining an unfair advantage over another person.
- To be legally fraudulent, there must be:
  1. A false statement, representation, or disclosure
  2. A material fact, which is something that induces a person to act
  3. An intent to deceive
  4. A justifiable reliance; the person relies on the misrepresentation to take an action
- An estimated 75-90% of perpetrators are knowledgeable insiders with the requisite access, skills, and resources.
- Fraud takes two forms:
  1. Misappropriation of assets
  2. Fraudulent financial reporting

Misappropriation of Assets
- Misappropriation of assets is the theft of company assets.
- Most commonly caused by the absence of internal controls and/or the failure to enforce existing internal controls.
- Important elements/characteristics; the perpetrator:
  - Gains the trust or confidence of the entity being defrauded
  - Uses trickery, cunning, or false or misleading information to commit the fraud
  - Conceals the fraud by falsifying records or other information
  - Rarely terminates the fraud voluntarily; need or greed impels the person to continue
  - Spends the ill-gotten gains
  - Gets greedy and takes ever larger amounts, at more frequent intervals
  - Grows careless or overconfident as time passes

Fraudulent Financial Reporting
- Fraudulent financial reporting is intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
  - F/S are falsified to deceive investors and creditors, increase a company's stock price, meet cash flow needs, or hide company losses and problems.
- The most frequently used schemes involve inflating revenues, holding the books open, closing the books early, overstating inventory or fixed assets, and concealing losses and liabilities.
- Four actions to reduce fraudulent financial reporting:
  1. Establish an organizational environment that contributes to the integrity of the financial reporting process
  2. Identify and understand the factors that lead to fraudulent financial reporting
  3. Assess the risk of fraudulent financial reporting within the company
  4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting
- Misappropriation is 17 times more likely than fraudulent financial reporting, but the dollar amounts involved are much smaller.
- SAS No. 99 – The Auditor's Responsibility to Detect Fraud. Auditors must:
  - Understand fraud
  - Discuss the risks of material fraudulent misstatements
  - Obtain information
  - Identify, assess, and respond to risks
  - Evaluate the results of their audit tests
  - Document and communicate findings
  - Incorporate a technology focus

Who Perpetrates Fraud and Why?
- Some perpetrators are disgruntled and unhappy with their jobs and seek revenge against their employers.
- Others are dedicated, hard-working, and trusted employees.
- Most have no previous criminal record.
- The Fraud Triangle: three conditions that are (usually) present when fraud occurs:
  1. Pressure
     - Pressure is a person's incentive or motivation for committing fraud.
     a) Employee pressure triangle
        - Financial
        - Emotional; greed, feeling treated unfairly
        - Lifestyle; funds needed to support a gambling habit or a drug/alcohol addiction
     b) Financial statement pressure triangle
        - Financial; meet or exceed earnings expectations to boost the share price
        - Industry conditions; new regulatory requirements, market saturation
        - Management characteristics; ethics, aggressive forecasts
  2. Opportunity
     - Opportunity is the condition or situation that allows a person or organization to do three things:
     a) Commit the fraud
     b) Conceal the fraud; this takes more effort and time than the theft itself
        - Thefts are hidden by charging the stolen item to an expense account; because expense accounts close each year the exposure is limited to one year, whereas a theft hidden in a balance sheet account must be concealed year after year.
        - A lapping scheme is where the perpetrator steals the cash or cheques from Customer A, pays Customer A's balance with Customer B's payment, covers B with C's payment, and so on, continuing indefinitely.
        - Kiting is where cash is created using the lag between the time a cheque is deposited and the time it clears the bank.
     c) Convert the theft or misrepresentation to personal gain; this differs between misappropriation and fraudulent financial reporting
     - Many opportunities are the result of a deficient and poorly enforced system of internal controls.
     - Others result from unclear policies and procedures, failure to teach corporate honesty, and failure to prosecute those who perpetrate fraud.
  3. Rationalization
     - Rationalization allows perpetrators to justify their illegal behaviour.
     - It can take the form of a justification, an attitude, or a lack of personal integrity.

Computer Fraud
- Computer fraud is any fraud that requires computer technology knowledge to perpetrate, investigate, or prosecute it (i.e. unauthorized theft/use/access/modification of data, theft of computer time, theft/destruction of hardware or software).
- The rise in computer fraud
  - Computer systems are particularly vulnerable because:
    - Massive amounts of data can be stolen or destroyed in very little time
    - The number and variety of access points significantly increase the risk
    - PCs are vulnerable to security risks
    - Computer systems face a number of unique challenges: reliability, equipment failure, environmental dependency, interruption, eavesdropping, and misrouting
  - Reasons for the growth in computer fraud:
    - Not everyone agrees on what constitutes computer fraud (e.g. copying software)
    - Many instances of computer fraud go undetected
    - A high percentage of frauds is not reported
    - Many networks are not secure
    - Internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse
    - Law enforcement cannot keep up with the growth of computer fraud
    - Calculating losses is difficult
- Computer fraud classifications (categorized using the data processing model):
  - Input fraud; requires little skill, perpetrators need only understand how the system operates so they can cover their tracks
  - Processor fraud; includes unauthorized system use, including the theft of computer time and services
  - Computer instructions fraud; tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity; requires special programming knowledge
  - Data fraud; illegally using, copying, browsing, searching, or harming company data
    - The biggest cause is employee negligence
    - Ex. the CIA and NASA have been victims of high-profile website attacks
  - Output fraud; unless properly safeguarded, displayed or printed output can be stolen, copied, or misused
    - Ex. forging authentic-looking outputs (e.g. paycheques)
- Preventing and detecting fraud (discussed in chapters 6 – 10):
  - Make fraud less likely to occur
  - Increase the difficulty of committing fraud
  - Improve detection methods
  - Reduce fraud losses

Chapter 6 – Computer Fraud & Abuse

Computer Attacks and Abuse
- All computers connected to the Internet are under constant attack from hackers, foreign governments, terrorist groups, disaffected employees, industrial spies, and competitors.
- Hacking is the unauthorized access, modification, or use of an electronic device or some element of a computer system.
  - Most hackers break into systems using known flaws in operating systems or application programs, or as a result of poor access controls.
- A botnet (short for robot network) is a network of powerful and dangerous hijacked computers.
  - Used to perform denial-of-service attacks, which are designed to make resources unavailable to their users.
  - Hijacking is gaining control of a computer to carry out illicit activities without the user's knowledge.
  - Bot herders install software that responds to the hacker's electronic instructions onto unwitting PCs.
  - Zombies are the hijacked computers.
- Spamming is emailing or texting an unsolicited message to many people at the same time, often trying to sell something.
  - Dictionary attacks are where spammers use special software to guess addresses at a company and send blank email messages to find valid ones; a major burden on corporate mail systems.
- Hackers create splogs (spam blogs) with links to websites they own to increase their Google PageRank, which is based on how often a page is referenced by other web pages.
- Spoofing is making an electronic communication look as if someone else sent it, to gain the trust of the recipient.
  - Email spoofing is making an email appear as though it originated from a different source.
  - Caller ID spoofing displays an incorrect number on caller ID to hide the caller's identity.
  - IP address spoofing is creating IP packets with a forged source IP address to conceal the identity of the sender or to impersonate another computer system.
  - Address Resolution Protocol (ARP) spoofing is sending fake ARP messages onto an Ethernet LAN.
    1. ARP is the networking protocol for determining a network host's hardware address when only its IP (network) address is known.
    2. The fake replies let the attacker associate his own MAC address (Media Access Control; the hardware address that uniquely identifies each node on a network) with the IP address of another node, so traffic meant for that node is delivered to the attacker.
  - SMS spoofing
  - Web page spoofing
  - DNS spoofing
- A zero-day attack exploits a new software vulnerability in the window between the time it is discovered and the time the software developer releases (and the victim applies) a patch that fixes the problem.
- Cross-site scripting (XSS) allows an attacker to inject script into a web page so that the victim's browser executes it as if it came from the trusted website, bypassing the browser's security mechanisms.
  - XSS flaws are among the most prevalent flaws in web applications.
  - The textbook's recommended protection is HTML sanitization (validating input and allowing only predetermined characters); in practice the primary defence is encoding untrusted data when it is written into the page, since input allow-listing alone does not stop every XSS case.
- A buffer overflow attack happens when the amount of data entered into a program is greater than the amount of memory set aside to receive it; the excess overwrites adjacent memory, which can crash the computer.
  - A hacker who controls the overflowed data can use it to execute his own code, e.g. to open a backdoor into the system.
- SQL injection is an attack where malicious code in the form of an SQL query is inserted into input so that it is passed to and executed by the database.
  - A successful SQL injection can read sensitive data from the database; modify, disclose, destroy, or limit the availability of the data; allow the attacker to become a database administrator; spoof identity; or issue operating system commands.
- A man-in-the-middle attack places a hacker between a client and a host and intercepts the network traffic between them. The textbook also calls this a session hijacking attack; strictly, session hijacking is taking over an authenticated session, which is one thing a man in the middle can do.
- Masquerading or impersonation is pretending to be an authorized user to access a system.
- Piggybacking:
  1. The clandestine use of a neighbour's wi-fi network
  2. Tapping into a telecommunications line and electronically latching onto a legitimate user before the user enters a secure system
  3. An unauthorized person following an authorized person through a secure door
- Password cracking is penetrating a system's defences, stealing the files containing passwords (normally stored as hashes), recovering the passwords from them, and using them to gain access.
- War dialing is programming a computer to dial thousands of phone lines searching for dial-up modem lines.
- War driving is driving around looking for unprotected wireless networks.
- Phreaking is attacking phone systems to obtain free phone line access, or using phone lines to transmit viruses and to access, steal, and destroy data.
- Data diddling is changing data before, during, or after it is entered into the system in order to delete, alter, or incorrectly update key system data.
- Data leakage is the unauthorized copying of company data.
  - Podslurping is using a small device with storage capacity (e.g. a USB drive) to download unauthorized data.
- The salami technique is used to embezzle money a "salami slice" at a time from many different accounts.
  - Round-down fraud: all interest calculations are truncated at two decimal places and the excess fractions are put into an account the perpetrator controls; over time these fractions add up.
- Economic espionage is the theft of information, trade secrets, and intellectual property.
- Cyber-extortion is threatening to harm a company or a person if a specified amount of money is not paid.
- Cyber-bullying is using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behaviour that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person (e.g. sexting).
- Internet terrorism is the act of disrupting electronic commerce and harming computers and communications.
- Internet misinformation is using the Internet to spread false or misleading information.
- Internet pump-and-dump is using the Internet to pump up the price of a stock and then sell it.
- Click fraud is manipulating click counts to inflate advertising bills.
- Web cramming is offering a free website for a month, developing a worthless website, and charging the phone bills of the people who accept the offer for months afterward.
- Software piracy is the unauthorized copying or distribution of copyrighted software. Three forms:
  1. Selling a computer with pre-loaded illegal software
  2. Installing a single-licence copy on multiple machines
  3. Loading software on a network server, allowing unrestricted access to it in violation of the licence agreement

Social Engineering
- Social engineering refers to techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network.
- Procedures to minimize social engineering:
  1. Never let people follow you into a building
  2. Never log in for someone else on a computer
  3. Never give sensitive information over the phone or through email
  4. Never share passwords or user IDs
  5. Be cautious of anyone you do not know who is trying to gain access through you
- Identity theft is assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information (e.g. a SIN).
- Pretexting is using an invented scenario to increase the likelihood that a victim will divulge information or do something.
- Posing is creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product.
- Phishing is sending an electronic message pretending to be from a legitimate company, usually a financial institution, requesting information or verification of information, and often warning of some dire consequence if it is not provided.
  - Vishing is voice phishing.
  - To avoid both, be highly skeptical of any message that suggests you are the target of illegal activity.
- Carding refers to activities performed with stolen credit cards.
- Pharming is redirecting website traffic to a spoofed website. Popular because:
  1. It is difficult to detect, since the user's browser shows the correct website address
  2. It can target many people at a time through domain spoofing, rather than one at a time with phishing emails
- An evil twin is a wireless network with the same name as a legitimate wireless access point.
- Typosquatting, or URL hijacking, is setting up similarly named websites so that users making typographical errors are sent to an invalid site. To stop this, companies 1) obtain all web names similar to theirs, or 2) use software to scan the Internet and find domains that appear to be typosquatting.
- Tabnapping is secretly changing an already open browser tab to obtain a user's personal information.
- Scavenging (dumpster diving) is gaining access to confidential information by searching documents and records.
- Shoulder surfing is when perpetrators look over a person's shoulder in a public place to get information.
- Lebanese looping is where the perpetrator inserts a sleeve into an ATM that prevents the ATM from ejecting the card; when it is obvious that the card is trapped, the perpetrator pretends to help and tricks the person into entering their PIN again.
- Skimming is double-swiping a credit card in a legitimate terminal, or covertly swiping a credit card in a small, hidden, handheld card reader that records the card data for later use.
- Chipping is posing as a service engineer and planting a small chip that records transaction data in a legitimate card reader.
- Eavesdropping is listening to private communications or tapping into data transmissions.

Malware
- Malware is any software that can be used to do harm.
- Spyware secretly monitors and collects personal information about users and sends it to someone else.
  - Especially problematic for companies with employees who telecommute or remotely access the network.
  - Adware is spyware that pops banner ads up on a monitor, collects information about the user's web-surfing and spending habits, and forwards it to the adware creator.
- Scareware is software that is often malicious and of little or no benefit, sold using scare tactics; marketed using spam emails and pop-up windows.
- Ransomware is often delivered disguised as fake antivirus software; it locks you out of your programs and data by encrypting them and demands payment for the key.
- Key logging software records computer activity (e.g. keystrokes); parents use it to monitor children's computer usage.
- A Trojan horse is a set of malicious computer instructions hidden in an authorized and otherwise properly functioning program.
  - Unlike viruses and worms, the code does not try to replicate itself; some Trojan horses give the creator the power to control the victim's computer remotely.
- Time bombs and logic bombs are Trojan horses that lie idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.
  - Once triggered, the bomb goes off, destroying programs, data, or both.
- A trap door (back door) is a way into a system that bypasses normal authorization and authentication controls; used during systems development, it should be removed before the system is put into operation.
- Packet sniffers capture data from information packets as they travel over networks.
- A rootkit conceals processes, files, network connections, memory addresses, system utility programs, and system data from the operating system and other programs.
  - Used to hide the presence of trap doors, sniffers, and key loggers, and to access user names and logins.
- Superzapping is the unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.
- A virus is a segment of self-replicating, executable code that attaches itself to a file or program.
- A worm is similar to a virus except:
  - A virus is a segment of code hidden in or attached to a host program or executable file, whereas a worm is a stand-alone program.
  - A virus requires a human to do something (run a program, open a file, etc.) to replicate itself, whereas a worm does not and actively seeks to send copies of itself to other network devices.
  - Worms harm networks, whereas viruses infect or corrupt files or data on a targeted computer.
  - A worm usually does not live very long, but it is quite destructive while alive.
- Bluesnarfing is stealing (or "snarfing") contact lists, images, and other data using Bluetooth.
- Bluebugging is taking control of someone else's phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim's calls, and call numbers that charge fees.

Chapter 7 – Control and AIS

Overview of Control Concepts
- Internal control is the process implemented to provide reasonable assurance that the following control objectives are achieved:
  - Safeguard assets
  - Maintain records in sufficient detail to report company assets accurately and fairly
  - Provide accurate and reliable information
  - Prepare financial reports in accordance with established criteria
  - Promote and improve operational efficiency
  - Encourage adherence to prescribed managerial policies
  - Comply with applicable laws and regulations
- Three important internal control functions:
  1. Preventive controls deter problems before they arise (e.g. hiring qualified personnel, segregating duties, controlling physical access)
  2. Detective controls discover problems that are not prevented (e.g. duplicate checking of calculations, bank reconciliations)
  3. Corrective controls identify and correct problems as well as correct and recover from the resulting errors (e.g. maintain backup copies of files, correct data entry errors, resubmit transactions)
- Two categories:
  - General controls make sure an organization's control environment is stable and well managed (e.g. IT infrastructure, security, software acquisition)
  - Application controls make sure transactions are processed correctly (concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, and transmitted to other systems)
- Four levels of control (help management reconcile the conflict between creativity and controls):
  1. Belief system describes how employees create value, helps employees understand management's vision, communicates core values, and inspires employees to live those values
  2. Boundary system helps employees act ethically by setting boundaries on employee behaviour; employees are encouraged to creatively solve problems while meeting minimum performance standards
  3. Diagnostic control system measures, monitors, and compares actual company progress to budgets and performance goals; feedback helps management adjust and fine-tune inputs and processes
  4. Interactive control system helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions; interactive system data are discussed in face-to-face meetings
- Foreign Corrupt Practices Act (FCPA) and SOX
  - The FCPA was passed to prevent companies from bribing foreign officials to obtain business.
    - It required corporations to maintain good systems of internal control, but this was not sufficient to prevent further problems.
  - SOX was designed to prevent f/s fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
  - SOX did the following (applies to publicly held companies and their auditors):
    - Created the PCAOB, which sets and enforces auditing, quality control, ethics, independence, and other auditing standards
    - New rules for auditors; they must report specific information to the audit committee, partners must be rotated periodically, and auditors are prohibited from performing non-audit services
    - New rules for audit committees (AC); AC members must be on the company's BOD and be independent of the company, one member must be a financial expert, and the AC hires, compensates, and oversees the auditors
    - New rules for management; the CEO and CFO must certify that 1) the f/s and disclosures are fairly presented, were reviewed by management, and are not misleading, and 2) the auditors were told about all material internal control weaknesses and fraud. If not, management can be prosecuted and fined. Management's evaluation must be based on a control framework (usually COSO).
    - New internal control requirements; section 404 requires companies to issue a report with the f/s stating that management is responsible for establishing and maintaining an adequate internal control system; it must include management's assessment of internal controls and report significant weaknesses and material non-compliance.

Control Frameworks
- The COBIT framework consolidates control standards from 36 different sources and allows:
  1. Management to benchmark the security and control practices of IT environments
  2. Users to be assured that adequate IT security and controls exist
  3. Auditors to substantiate their internal control opinions and to advise on IT security and control matters
- COBIT addresses control from three vantage points:
  1. Business objectives; to satisfy business objectives, information must conform to 7 categories of criteria that map into the objectives established by COSO
  2. IT resources; people, application systems, technology, facilities, and data
  3. IT processes; 4 domains – planning and organization, acquisition and implementation, delivery and support, monitoring and evaluation
- COSO's Internal Control Framework
  - The Committee of Sponsoring Organizations consists of multiple associations; it issued Internal Control – Integrated Framework in 1992, which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations.
  - 5 interrelated components of the IC model:
    - Control environment; people, their attributes, and the environment in which they operate
    - Control activities; policies and procedures
    - Risk assessment; identify, analyze, and manage risk
    - Information and communication; capture and exchange information to conduct, manage, and control operations
    - Monitoring; modifications are made so the system can change as conditions warrant
- COSO's Enterprise Risk Management (ERM) Framework is the process the BOD and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.
  - ERM basic principles:
    - Companies are formed to create value for their owners
    - Management must decide how much uncertainty it will accept as it creates value
    - Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value; uncertainty also results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value
    - ERM can manage uncertainty as well as create and preserve value
  - ERM Framework vs IC Framework
    - The IC framework is widely adopted as the way to evaluate internal controls, but it does so without looking at the purposes and risks of business processes and provides little context for evaluating results; it is hard to know which control systems are most important and whether controls are missing.
    - ERM is more comprehensive and takes a risk-based rather than a controls-based approach.
    - It adds 3 elements to the IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk.

Eight ERM Components
1. Internal Environment (company culture)
   - Influences how organizations establish strategies and objectives, structure business activities, and identify/assess/respond to risk.
   - Essentially the same as the control environment in the IC framework.
   - Consists of management's philosophy, the BOD, commitment to integrity, organizational structure, methods of assigning authority/responsibility, HR standards, and external influences.
   - Enron is an example of an ineffective internal environment that resulted in financial failure.
2. Objective Setting
   - Management sets objectives at the corporate level and then subdivides them into more specific objectives for company subunits.
   - Strategic objectives are high-level goals that are aligned with the company's mission, support it, and create shareholder value.
   - Operations objectives deal with the effectiveness and efficiency of company operations and determine how to allocate key resources.
   - Reporting objectives help ensure the accuracy, completeness, and reliability of company reports, improve decision making, and monitor company activities and performance.
   - Compliance objectives help the company comply with all applicable laws and regulations.
3. Event Identification
   - An event is an incident or occurrence emanating from internal or external sources that affects the implementation of strategy or the achievement of objectives; events may have positive or negative impacts, or both.
   - Management must try to anticipate all possible events, determine which are most and least likely to occur, and understand the interrelationships of events.
   - Techniques used to identify events include using a comprehensive list of potential events, performing an internal analysis, monitoring leading events and trigger points, conducting workshops and interviews, using data mining, and analyzing business processes.
4. Risk Assessment & Risk Response
   - Inherent risk exists before management takes any steps to control the likelihood or impact of an event.
   - Residual risk is what remains after management implements internal controls.
   - Steps:
     1. Identify events
     2. Estimate likelihood and impact
     3. Identify controls
     4. Estimate costs and benefits (expected loss = impact × likelihood)
     5. Determine cost/benefit effectiveness
     6. Implement the control, or accept, share, or avoid the risk
5. Control Activities
   - Control procedures fall into the following categories:
     1. Proper authorization of transactions and activities
     2. Segregation of duties
        - Segregation of accounting duties; authorization, recording, and custody
        - Segregation of systems duties; systems administration, network management, security management, change management, users, systems analysis, programming, computer operations, information system library, data control
     3. Project development and acquisition controls
        - Important systems development controls: steering committee, strategic master plan, project development plan, data processing schedule, system performance measurements, and post-implementation review
        - Some companies hire a systems integrator; if so, they should use the same controls above and, in addition, must develop clear specifications and monitor the project
     4. Change management controls
     5. Design and use of documents and records
     6. Safeguarding assets, records, and data. It is important to:
        - Create and enforce appropriate policies and procedures
        - Maintain accurate records of all assets
        - Restrict access to assets
        - Protect records and documents
     7. Independent checks on performance
        - Top-level reviews, analytical reviews, reconciliations of independently maintained records, comparison of actual quantities with recorded amounts, double-entry accounting, independent review
6. Information and Communication
7. Monitoring
   - Perform ERM evaluations (measuring ERM effectiveness)
   - Implement effective supervision
   - Use responsibility accounting systems (e.g. budgets, quotas, schedules, standard costs)
   - Monitor system activities (review security measures, detect illegal access, test for weaknesses, suggest improvements)
   - Track purchased software and mobile devices
   - Conduct periodic audits
   - Employ a computer security officer (CSO) and a chief compliance officer (CCO)
   - Engage forensic specialists
   - Install fraud detection software
   - Implement a fraud hotline

Chapter 8 – IS Controls: Confidentiality

Part 1 – Information Security
- COBIT presents a comprehensive view of the controls necessary for systems reliability (whereas COSO and COSO-ERM do not address controls over IT).
- Under COBIT, information provided to management must satisfy 7 criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability.
- COBIT management activities:
  1. Plan and organize (PO); processes for properly designing and managing an organization's information systems
  2. Acquire and implement (AI); processes for obtaining and installing technology solutions
  3. Deliver and support (DS); processes for effectively and efficiently operating information systems and providing the information management needs to run the organization
  4. Monitor and evaluate (ME); processes for assessing the operation of an organization's information systems
- COBIT specifies 210 detailed control objectives for the 34 processes to enable effective management of an organization's information resources.
- It also describes specific audit procedures for assessing the effectiveness of those controls and suggests metrics that management can use to evaluate performance; this comprehensiveness is one of its greatest strengths.
- The Trust Services Framework (developed jointly by the American Institute of CPAs and the Canadian Institute of CAs) classifies information systems controls into 5 categories that most directly pertain to systems reliability (and thus the reliability of the f/s):
  1. Security; access to the system and its data is controlled and restricted to legitimate users
  2. Confidentiality; sensitive organizational information is protected from unauthorized disclosure
  3. Privacy; personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements, and is protected from unauthorized disclosure
  4. Processing integrity; data are processed accurately, completely, in a timely manner, and only with proper authorization
  5. Availability; the system and its information are available to meet operational and contractual obligations
- The Trust Services Framework is not a substitute for COBIT, as it only addresses a subset of the issues covered by COBIT.

Two Fundamental Information Security Concepts
1. Security is a Management Issue, Not a Technology Issue
   - Section 302 of SOX requires the CEO and CFO to certify that the f/s fairly present the results of the company's activities.
   - The accuracy of the f/s depends on systems reliability.
   - COSO stresses the "tone at the top".
   - Management's role in information security:
     - Create and foster a proactive "security-aware" culture
     - Inventory and value the organization's information resources
     - Assess risks and select a risk response
     - Develop and communicate security plans, policies, and procedures
     - Acquire and deploy information security technologies and products
     - Monitor and evaluate the effectiveness of the organization's information security programs
2. Defense-in-Depth and the Time-Based Model of Information Security
   - Defense-in-depth is employing multiple layers of controls in order to avoid having a single point of failure.
   - Typically involves a combination of preventive, detective, and corrective controls.
   - Detecting a security breach and initiating corrective remedial action must be timely.
   - The goal of the time-based model of security is to employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information. If P > D + T, the organization's security procedures are effective, where:
     - P = the time it takes an attacker to break through the organization's preventive controls
     - D = the time it takes to detect that an attack is in progress
     - T = the time it takes to respond to the attack
   - This model gives management a way to identify the most cost-effective approach to improving security by comparing the effects of additional investments in preventive, detective, or corrective controls.
   - Best used as a high-level framework for strategic analysis (it is hard to determine exact parameters for each variable).

Understanding Targeted Attacks
1. Conduct reconnaissance; study the physical layout, learn about the controls in place
2. Attempt social engineering (e.g. trick employees into giving you access)
3. Scan and map the target (if step 2 fails)
4. Research
5. Execute the attack
6.
Cover tracks Preventive Controls  Training: o Employees should be taught why security measures are important to the org’s long run survival o Need to be trained to follow safe computing practices (not opening unsolicited attachments, only using approved software, not sharing passwords, taking steps to physically control laptops) o Trained not to allow people to follow them through restricted access entrances o Investment in security training will be effective only if mgmt clearly demonstrates that it supports employees who follow prescribed security policies  User access controls: o Authentication controls; process of verifying the identity of a person or device attempting to access the system  Three types of credentials that can be validated; password/PIN, ID badge, physical characteristic (ie. Finger print) o Authorization controls; process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform  Physical Access Controls  Network Access Controls o Perimeter defense; routers, firewalls, and intrusion prevention systems  Border router connects an org’s info system to the Internet  Firewall (behind border router) is either a special-purpose hardware device or software running on a general-purpose computer  Demilitarized zone (DMZ) is a separate network that permits controlled access from the internet to selected resources o Securing dial-up connections o Securing wireless access  Device and Software Hardening Controls o Endpoint configuration  Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used  Every program that is running represents a potential point of attack because it probably contains flaws, that can be exploited to either crash the system or take control of it o User account mgmt  Administrative rights are needed in order to install software and alter most configuration settings, thus these 
accounts are highly vulnerable  Employees with admin rights should have two accounts, one with admin rights and one without  Should use the account without the rights for web-surfing  Passwords for admin accounts should be changed after being created o Software design  Common theme of attacks is the failure to scrub user input to remove potentially malicious code Detective Controls  Log analysis o Especially important to analyze logs of failed attempts to log on to a system and failed attempts to obtain access to specific information sources o Also important to analyze changes to logs themselves o Need to be analyzed regularly to detect problems in a timely manner o Not easy because logs quickly grow in size, and many devices produce logs with proprietary formats making it hard to correlate and summarize logs from different devices  Intrusion detection systems o Set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze these logs for signs of attempted or successful intrusions  Managerial reports o Include reports of # of incidents with business impact, % of users who do not comply with password standards, and % of cryptographic keys compromised and revoked  Security testing o Penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the org’s info system  Value is not so much that a system can be broken into but identifying where additional protections are most needed Corrective Controls  Computer Incident Response Team o CIRT is responsible for dealing with major incidents o Four steps CIRT should follow: 1. Recognition that a problem exists 2. Containment of the problem 3. Recovery; repair damage 4. 
Follow-up; CIRT should lead analysis of how the incident occurred  Chief Information Security Officer (CISO) o Should be independent of other information systems functions and should report to either the COO or the CEO o CISO must understand the company’s technology environment and work with CIO to design, implement, and promote sound security policies and procedures o Must work closely with person in charge of physical security  Patch Management o Need to fix known vulnerabilities by installing the latest updates to both security programs (ie. Antivirus and firewall software) and to operating systems and other applications programs in order to protect the org from viruses and other types of malware o Patch mgmt is the process for regularly applying patches and updates to all software used by the org  Patches sometimes create new problems because of unanticipated side effects Security Implications of Virtualization and the Cloud  Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer o Cuts hardware costs because fewer servers need to be purchased  Cloud computing enables employees to use a browser to remotely access software, data storage devices, hardware, and entire application environments o Can potentially generate significant cost saving, eliminate the need for making major capital investments in IT  Both alter the risk of some info security threats; o Unsupervised physical access in a virtualization environment exposes not just one device but the entire virtual network to the risk of theft or destruction and compromise  However all controls previously discussed are relevant to virtualization and cloud computing Chapter 9 – IS Controls: Confidentiality Part 2 – Confidentiality and Privacy Preserving Confidentiality 1. 
Identification and Classification of Information to be Protected o Time-consuming and costly because it involves examining more than just the contents of the org’s financial systems, ie. An org’s (confidential) competitive advantage may be within its automation activities o After identifying, must classify in terms of its value to the org, to do so, need input from senior mgmt 2. Protecting Confidentiality with Encryption o Encryption is the only way to protect info in transit over the internet o Some sensitive info (ie. Process shortcuts) may not be stored digitally, and therefore cannot be encrypted o Encryption protects info only in certain situations, if disk is stolen, perpetrator cannot access unless they can log on thus strong authentication is also needed o Once logged on, anyone who sits down can view the sensitive info, thus physical access controls are also needed 3. Controlling access to sensitive information o Information rights mgmt software provides an additional layer of protection to specific information resources, offering the capability not only to limit access to specific files or documents, but also to specify the actions that individuals who are granted access to that resources can perform o Also need physical access controls to prevent people from copying gigabytes of info o Also important to control the disposal of info resources o Protecting confidentiality also requires controls over outbound communications  Data loss prevention (DLP) software works like an antivirus program in reverse, blocking outgoing messages that contain key words or phrases associated with IP or other sensitive data the org wants to protect  DLP is a preventive control, can and should be supplemented by embedding code called a digital watermark (detective control that enables an org to identify confidential info that has been disclosed, ie. When org identifies document on internet with its digital watermark, the preventive control has clearly failed) 4. 
Training o Employees need to know what info they can share with outsiders and what info needs to be protected o Also need to be taught how to protect confidential data (ie. Need to know how to use encryption software) o Particularly important concerning the proper use of e-mail, instant messaging, and blogs because it is impossible to control the subsequent distribution of info once it has been sent or posted through any of those methods (ie, don’t hit reply all) Privacy  Privacy Controls o Identify what info is collected and who has access to it o Implement controls to protect that info, intentional or accidental disclosure of the information can be costly o Encryption is a fundamental control for protecting the privacy of personal info; needs to be encrypted while in transit over the internet and while in storage o Encryption must still be supplemented by physical access controls, and authentication/authorization  Privacy Concerns o Spam is unsolicited email that contains either advertising or offensive content  Privacy related issue because recipients are often targeted as a result of unauthorized access to email address lists and databases containing personal info o Identity theft is the unauthorized use of someone’s personal info for the perpetrators benefit  Often a financial crime, recently growing act of fraudulently obtaining medical care  Orgs have an ethical and moral obligation to implement controls to protect the personal info they collect  Privacy Regulations and Generally Accepted Privacy Principles: o Generally Accepted Privacy Principles: 1. Management; orgs need to establish a set of procedures and policies 2. Notice; org should provide notice of these policies at or before the time it collects personal info 3. Choice and consent; orgs should explain choices available and obtain their consent prior to collecting 4. Collection; collect only the info needed to fulfill the purposes stated in its privacy policies 5. 
Use and retention; info should be used only in manner described in policies, and retain only as long as needed to fulfill legitimate business purpose 6. Access; individuals should be able to access, review, correct, and delete their personal info rd rd 7. Disclosure to 3 parties; only in situations described in policies, and only to 3 parties who provide sam
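Worked example for the Chapter 8 "Log analysis" notes under Detective Controls. The notes point out that failed-logon logs matter most and that proprietary formats make correlation hard; the script below is an added illustration, not code from the textbook or the notes. It normalizes two constructed log shapes (an sshd-style syslog line and an assumed CSV export of Windows-style logon events, where 4625 is a failure and 4624 a success) into one record format, then flags any source address with repeated failures inside a time window. Every log line, host name and address is constructed for the example; the CSV column order and the year assigned to syslog lines are assumptions.

```python
"""Normalize two log formats and flag repeated failed logons from one source.
Added example for the 'Log analysis' notes; all sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system): an sshd-style
# syslog format and a CSV export of Windows-style logon events (4625 = failure,
# 4624 = success). The CSV column layout is an assumption for this example.
SAMPLE_LOGS = """\
Mar 10 09:14:01 fin-app sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:14:03 fin-app sshd[2231]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:14:04 fin-app sshd[2231]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:14:06 fin-app sshd[2231]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:14:09 fin-app sshd[2231]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:20:00 fin-app sshd[2240]: Failed password for jsmith from 198.51.100.4 port 40110 ssh2
2024-03-10T09:15:00Z,4625,FIN-DC01,jsmith,192.0.2.55,An account failed to log on
2024-03-10T09:15:20Z,4625,FIN-DC01,jsmith,192.0.2.55,An account failed to log on
2024-03-10T09:15:40Z,4625,FIN-DC01,jsmith,192.0.2.55,An account failed to log on
2024-03-10T09:16:00Z,4625,FIN-DC01,jsmith,192.0.2.55,An account failed to log on
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_syslog(line, year=2024):
    """Syslog lines carry no year; the caller supplies it (assumed 2024 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "ok": m["result"] == "Accepted"}


def parse_csv_event(line):
    """Assumed CSV layout: timestamp,event_id,host,user,source_ip,message."""
    parts = line.split(",", 5)
    if len(parts) != 6 or parts[1] not in ("4624", "4625"):
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": parts[2], "user": parts[3],
            "src": parts[4], "ok": parts[1] == "4624"}


def normalize(text):
    """Map every recognized line onto one common record shape, sorted by time."""
    events = []
    for line in text.splitlines():
        ev = parse_syslog(line) or parse_csv_event(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_logon_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Alert on any source with >= threshold failures inside `window`, and record
    whether a later success from the same source exists (failures followed by a
    success are the pattern to escalate first)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "failures": j - i + 1,
                    "hosts": sorted({e["host"] for e in evs}),
                    "users": sorted({e["user"] for e in evs}),
                    "success_after": any(e["ok"] and e["ts"] >= fails[j] for e in evs),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(normalize(SAMPLE_LOGS)):
        print(alert)
```

The single failure from 198.51.100.4 stays below the threshold and produces nothing; the burst from 203.0.113.7 is followed by an accepted logon, which is what the `success_after` flag is for. Once both formats share one record shape, the same detector runs over both without device-specific logic.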
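Worked example for the "Software design" hardening note in Chapter 8 (failure to scrub user input). This is an added illustration, not code from the textbook or the notes: the same logon query written once with the user's input spliced into the SQL text and once with bound parameters, plus an allowlist validator as a second layer. The table, account names and the `admin' --` payload are constructed for the demonstration; the point is that binding parameters, not stripping "bad" characters, is what keeps input from changing the statement's structure.

```python
"""Vulnerable versus hardened logon query against a constructed sqlite database.
Added example for the 'Software design' hardening note; sample data is constructed."""
import hashlib
import re
import sqlite3


def pw_hash(password):
    # Illustration only: production systems use a slow, salted hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table with sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jsmith", pw_hash("correct horse")), ("admin", pw_hash("Tr0ub4dor&3"))])
    return conn


def login_vulnerable(conn, username, password):
    """User-controlled text is spliced into the statement, so it can change the
    statement's structure (SQL injection). A username of "admin' --" turns the
    rest of the WHERE clause into a comment."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Bound parameters travel separately from the SQL text; the driver treats
    them as data, never as statement syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone() is not None


USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,31}$")


def valid_username(username):
    """Allowlist validation as a second layer: accept only the characters a
    username may legitimately contain instead of trying to remove 'bad' ones."""
    return USERNAME_RE.match(username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"  # comments out the password check in the vulnerable query
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("hardened:  ", login_hardened(db, payload, "anything"))
    print("allowlist: ", valid_username(payload))
```

Run as written, the vulnerable query logs the attacker in as `admin` with any password, the parameterized query rejects the same input, and the allowlist would have refused the username before it ever reached the database.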
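Worked example for the Chapter 9 note that DLP software "works like an antivirus program in reverse", blocking outgoing messages that contain key words or phrases tied to sensitive data. The filter below is an added illustration, not code from the textbook or any DLP product: it blocks messages carrying confidentiality markers or card numbers that pass the Luhn check, and lets through numbers that merely look like cards. The keyword list and the three outbound messages are constructed; a real deployment would derive the markers from the data classification step the notes describe.

```python
"""Outbound DLP filter: confidentiality keywords plus Luhn-validated card numbers.
Added example for the DLP note; keyword list and messages are constructed."""
import re

# Constructed marker list; in practice it comes from the data classification exercise.
KEYWORDS = ("confidential", "internal only", "do not distribute", "project falcon")

# 13 to 19 digits, optionally separated by spaces or dashes (card number shapes).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check: doubling every second digit from the right must give a multiple
    of 10. Filters out order and tracking numbers that merely look like cards."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in `text` that have a card-like shape and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def dlp_check(message):
    """Return ('block', reasons) or ('allow', []) for one outbound message."""
    reasons = []
    lowered = message.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            reasons.append(f"keyword: {kw}")
    for pan in find_pans(message):
        reasons.append(f"card number ending {pan[-4:]}")
    return ("block" if reasons else "allow", reasons)


# Constructed outbound messages for the demonstration.
SAMPLE_MESSAGES = [
    "Hi, attached is the Q3 forecast. Internal Only - do not forward.",
    "Please charge card 4111 1111 1111 1111 for the invoice.",
    "Order 1234567890123 shipped; tracking 9400 1000 0000 0000 0000 00.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(dlp_check(msg), "<-", msg)
```

The third message carries two long digit runs, but neither passes Luhn, so it is allowed; without that check the filter would block routine shipping notices and users would quickly learn to route around it. Keyword matching is what the notes describe, and it is only as good as the classification work behind the list.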