
IT SECURITY AND APPLICATION DEVELOPMENT

11.1 PHYSICAL AND SYSTEMS SECURITY


1. Data Integrity
a. The difficulty of maintaining the integrity of the data is the most significant limitation of
computer-based audit tools
1) The degree of reliance on electronic evidence by the auditor depends on the
effectiveness of the controls over the system from which such evidence is taken.
2) When making recommendations regarding the costs and benefits of computer
security, the auditor should focus on
a) Potential loss if security is not implemented
b) The probability of the occurrences
c) The cost and effectiveness of the implementation and operation of computer security.
3) The most important control is to enact an organization-wide network security policy.
This policy should promote the following objectives:
a) Availability. The intended and authorized users should be able to access data to meet
organizational goals.
b) Security, privacy, and confidentiality. The secrecy of information that could adversely
affect the organization if revealed to the public or competitors should be ensured.
c) Integrity. Unauthorized or accidental modification of data should be prevented.
Security controls:
Physical controls
  Physical access controls (limit who can physically enter the data center):
    keypad devices, card readers, biometric technologies (fingerprints, retina patterns,
    hand geometry)
  Environmental controls (to protect the physical information assets):
    1) Temperature and humidity control
    2) Gaseous fire-suppression system (not water)
    3) Data center not located on an outside wall
    4) Building housing data center not located in a flood plain
Logical controls
  Access control software (to avoid unauthorized access):
    Passwords and ID numbers
    File attributes can be assigned to control access to and the use of files.
    Examples are read/write, read only, archive, and hidden.
    Access controls have been developed to prevent improper use or manipulation of data
    files and programs.
    A system access log records all attempts to use the system.
    Controlled disposal of documents.
2. Internet Security
a. Connection to the Internet presents security issues.
1) Thus, the organization-wide network security policy should at the very least include
a) A user account management system
b) Installation of an Internet firewall
c) Methods such as encryption to ensure that only the intended user receives the
information and that the information is complete and accurate
Account management
  a) New accounts are added correctly and assigned only to authorized users
  b) Old and unused accounts are removed promptly
  c) Passwords are changed periodically, and employees are educated on how to choose a
  password that cannot be easily guessed
Firewall (separates an internal network from an external network)
  Firewall systems ordinarily produce reports on organization-wide Internet use, unusual
  usage patterns, and system penetration attempts. (These reports are very helpful to the
  internal auditor as a method of continuous monitoring, or logging, of the system.)
Encryption
  Data traveling across the network can be encoded so that it is indecipherable to anyone
  except the intended recipient.
  Authentication measures verify the identity of the user, thus ensuring that only the
  intended and authorized users gain access to the system.
  Checksums help ensure the integrity of data by checking whether the file has been changed
  (the value computed now is compared with the last known value).
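The checksum comparison described above, as an added example that is not part of the original outline. It records a last known value per file and flags any file whose current value differs; the keyed HMAC variant is a practitioner's caveat, since an unkeyed checksum can be recomputed by anyone who can also rewrite the stored baseline. File contents and the key are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample "files" and a constructed key; in practice the key is kept
# apart from both the files and the stored baseline so that whoever can edit
# the files cannot also produce a matching tag.
KEY = b"constructed-demo-key-not-stored-with-baseline"
FILES = {
    "payroll.csv": b"emp_id,amount\n1001,5200\n1002,4800\n",
    "ledger.dat": b"open=1000;close=1350\n",
}

def checksum(data: bytes) -> str:
    """Unkeyed SHA-256: detects accidental change, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()

def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(files: dict, key: bytes) -> dict:
    """Record the last known value of each file under both schemes."""
    return {name: {"sha256": checksum(data), "hmac": keyed_tag(data, key)}
            for name, data in files.items()}

def verify_against_baseline(files: dict, baseline: dict, key: bytes) -> dict:
    """Return {file: (checksum_matches, hmac_matches)} versus the stored values."""
    report = {}
    for name, data in files.items():
        known = baseline[name]
        report[name] = (
            hmac.compare_digest(checksum(data), known["sha256"]),
            hmac.compare_digest(keyed_tag(data, key), known["hmac"]),
        )
    return report

def demo() -> dict:
    """Two changes since the baseline: one accidental, one where the stored
    checksum was rewritten to match. Only the keyed tag flags the second."""
    baseline = build_baseline(FILES, KEY)
    current = dict(FILES)
    current["ledger.dat"] = b"open=1000;close=1850\n"            # corrupted byte
    current["payroll.csv"] = b"emp_id,amount\n1001,5200\n1002,9800\n"
    baseline["payroll.csv"]["sha256"] = checksum(current["payroll.csv"])
    return verify_against_baseline(current, baseline, KEY)
```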
3. Data Storage
a. Storing all related data on one storage device creates security problems.
1) Greater emphasis on security is required to provide backup and restrict access to the
database.
2) The responsibility for creating, maintaining, securing, and restricting access to the
database belongs to the database administrator (DBA).
11.2 INFORMATION PROTECTION
1. Business Objective
The five categories of IT business assurance objectives are:
Availability: ensure that information, processes, and services are available at all times.
Capability: ensure reliable and timely completion of transactions.
Functionality: ensure that systems are designed to user specifications to fulfill business
requirements.
Protectability: ensure that a combination of physical and logical controls prevents
unauthorized access to system data.
Accountability: ensure that transactions are processed under firm principles of data
ownership, identification, and authentication.
2. Malicious Software (Malware)
Trojan horse: a hidden function that may do damage when activated.
Worm: copies itself not from file to file but from computer to computer. Repeated
replication overloads a system by depleting memory or disk space.
Logic bomb: like a Trojan horse except it activates only upon some occurrence, e.g., on a
certain date.
Denial of service: overwhelming a system or website with more traffic than it can handle.
Virus: program code that copies itself from file to file. The virus may destroy data or
programs.
3. Controls Against Malware
a. Controls to prevent or detect infection by malware
b. The following are specific controls to prevent or detect infection by malware:

4. Types of Attacks
5. Countermeasures -- Intrusion Detection Systems (IDS)
a. If an organization's computer system has external connections, an IDS is needed to
respond to security breaches.
1) The IDS complements the computer system's firewalls. It responds to attacks on
a) The network infrastructure (protected by the network IDS component)
i) Routers
ii) Switches
iii) Bandwidth
b) Servers (protected by the host IDS component)
i) Operating systems
ii) Applications
6. Information Integrity and Reliability
a. The IIA provides guidance on this topic in Practice Advisory 2130.A1-1, Information
Reliability and Integrity:
1) Internal auditors determine whether senior management and the board have a
clear understanding that information reliability and integrity is a management
responsibility. This responsibility includes all critical information of the
organization regardless of how the information is stored. Information reliability
and integrity includes accuracy, completeness, and security (para. 1).
2) The chief audit executive (CAE) determines whether the internal audit activity
possesses, or has access to, competent audit resources to evaluate information
reliability and integrity and associated risk exposures. This includes both
internal and external risk exposures, and exposures relating to the
organization's relationships with outside entities (para. 2).
3) Internal auditors assess the effectiveness of preventive, detective, and
mitigation measures against past attacks, as appropriate, and future attempts
or incidents deemed likely to occur. Internal auditors determine whether the
board has been appropriately informed of threats, incidents, vulnerabilities
exploited, and corrective measures (para. 4).
4) Internal auditors periodically assess the organization's information reliability and
integrity practices and recommend, as appropriate, enhancements to, or
implementation of, new controls and safeguards. Such assessments can either
be conducted as separate stand-alone engagements or integrated into other
audits or engagements conducted as part of the internal audit plan (para. 5).
7. Privacy
a. Management is responsible for ensuring that an organization's privacy framework is in
place. Internal auditors' primary role is to ensure that relevant privacy laws and other
regulations are being properly communicated to the responsible parties.
b. The IIA provides guidance on this topic in Practice Advisory 2130.A1-2, Evaluating an
Organization's Privacy Framework:
1) Risks associated with the privacy of information encompass personal privacy
(physical and psychological); privacy of space (freedom from surveillance); privacy of
communication (freedom from monitoring); and privacy of information (collection, use,
and disclosure of personal information by others) (para. 2).
a) Personal information is information associated with a specific individual.
2) Effective control over the protection of personal information is an essential
component of the governance, risk management, and control processes of an
organization. The board is ultimately accountable for identifying the principal risks to the
organization and implementing appropriate control processes to mitigate those risks.
This includes establishing the necessary privacy framework for the organization and
monitoring its implementation (para. 3).
3) In conducting such an evaluation of the management of the organization's privacy
framework, the internal auditor:
a) Considers the laws, regulations, and policies relating to privacy in the jurisdictions
where the organization operates;
b) Liaises with in-house legal counsel to determine the exact nature of laws,
regulations, and other standards and practices applicable to the organization and the
country/countries in which it operates;
c) Liaises with information technology specialists to determine that information security
and data protection controls are in place and regularly reviewed and assessed for
appropriateness;
d) Considers the level or maturity of the organization's privacy practices.
Depending upon the level, the internal auditor may have differing roles (para. 7).
11.3 AUTHENTICATION AND ENCRYPTION
1. Application Authentication
a. Application authentication: taking a user's identity from the operating system
b. There are three classes of authentication information.
1) Remembered information: name, birth date, account number, password, PIN
2) Possessed objects: badge, plastic card, key, finger ring
3) Personal characteristics: fingerprint, voiceprint, hand size, signature, retinal pattern
2. Encryption Overview
a. Encryption technology converts data into a code
b. Encryption technology may be either hardware- or software-based
3. Public-Key (Asymmetric) Encryption
a. Public-key (asymmetric) encryption requires two keys: the public key, used to encrypt,
and the private key, used to decrypt, which is known only to the recipient
b. This arrangement is more secure than a single-key system
c. A digital signature: authentication of an electronic document (validity of a purchase order,
acceptance of a contract)
d. A digital certificate: another means of authentication used in e-business
e. The public key infrastructure permits secure monetary and information exchange over
the Internet: HTTPS (HTTP Secure).
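The two uses of an asymmetric key pair listed above, encryption to the recipient and a digital signature over a document, as an added example that is not part of the original outline. It uses textbook RSA with the tiny constructed primes 61 and 53 so every value can be checked by hand; real systems use keys of thousands of bits and padding schemes, and the hash-reduction step here is a toy.

```python
import hashlib

# Toy RSA key pair from the constructed primes p = 61, q = 53 (illustration only).
N = 61 * 53          # modulus, 3233
E = 17               # public exponent
D = 413              # private exponent: (E * D) % lcm(60, 52) == 1
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)

def encrypt(m: int, public_key=PUBLIC_KEY) -> int:
    """Anyone can encrypt with the recipient's public key (m must be < N)."""
    e, n = public_key
    return pow(m, e, n)

def decrypt(c: int, private_key=PRIVATE_KEY) -> int:
    """Only the holder of the private key can recover the plaintext."""
    d, n = private_key
    return pow(c, d, n)

def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the document and reduce it into the key's modulus (toy-sized here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """The signer applies the private key to the document hash."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone can check the signature with the signer's public key; a modified
    signature or document no longer matches the recomputed hash."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)
```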
4. Private-Key (Symmetric) Encryption
a. Private-key, or symmetric, encryption is less secure than the public-key method
because it requires only a single (secret) key
11.4 END-USER COMPUTING (EUC)
1. End-User vs. Centralized Computing
1) Certain environmental control risks are more likely in EUC, e.g., copyright violations,
unauthorized access to application programs, and the lack of physical access controls,
application-level controls, and other controls found in mainframe or networked environments.
a. Program development, documentation, and maintenance also may lack the centralized
control found in larger systems.
1) They may not be subject to appropriate standards, controls, and quality assurance
procedures
2) EUC applications may update and define the data in different ways. Thus, determining
the location of data and ensuring data consistency become more difficult.

3) The auditors should determine that EUC applications contain controls that allow users to
rely on the information produced.
a) The first concern is to discover their existence and their intended functions.
b) The next step is risk assessment
c) The third step is to review the controls included in the applications chosen in the
risk assessment
b. In a personal computer setting, the user is often the programmer and operator. Thus the
protections provided by segregation of duties are eliminated
c. The audit trail is diminished because of the lack of history files and incomplete printed output
d. In general, available security features for stand-alone machines are limited compared with
those in a network
2. Three Basic Architectures for Desktop Computing
Client-server model: divides processing of an application between a client machine on a
network and a server.
Dumb terminal model: terminals that lack stand-alone processing power have access to
remote computers in a network.
Application server model: a three-tiered or distributed network application, e.g., the
users (front-end), a middle (application) server that provides load balancing, and a
database (back-end) server.
11.5 PROGRAM CHANGE CONTROL
1. Program Change Control Process
a. Once a change to a system has been approved, the programmer should save a copy of the
production program in a test area of the computer
b. The programmer makes the necessary changes to this copy of the program (source code)
c. The programmer transforms the changed program into a form that the computer can
execute (executable code) by a compiler
d. Once the executable version of the changed program is ready, the programmer tests it to
see if it performs the new task as expected (using test data, not actual data)
e. The programmer demonstrates the new functionality for the user who made the request.
(The user accepts it, or further changes are made.)
f. Once the program is in a form acceptable to the user, the programmer moves it to a
holding area. (Programmers (except in emergencies) should never be able to put programs
directly into production)
g. The programmer's supervisor reviews the new program, approves it, and authorizes its
move into production, generally carried out by operations personnel.
11.6 APPLICATION DEVELOPMENT
1. Build or Buy
2. Systems Development Life Cycle (SDLC)
a. The feedback gathered during the maintenance of a system provides information for
developing the next generation of systems, hence the name life cycle.
b. The phases and component steps of the traditional SDLC:
Definition (systems analysts): the need for the application and the business function(s)
that it will affect.
Design (systems analysts): data flow diagrams (DFDs) and structured flowcharts are
commonly used.
Development (programmers): the actual program code and database structures that will be
used in the new system; each new program module of the system is tested with TEST DATA.
Implementation: converting to the new system so that it can be used.
Maintenance

3. Prototyping
a. Prototyping is an alternative approach to application development

STUDY UNIT TWELVE


IT SYSTEMS
12.1 WORKSTATIONS AND DATABASES
1. Database Overview
a. A database is a series of related files combined to eliminate redundancy of data items.
A single integrated system allows for improved data accessibility
b. Security is required to provide backup and restrict access to the database
2. Relational Database Structure
* Normalization prevents inconsistent deletion, insertion, and updating of data items
a. The relational structure requires careful planning, but it is easy to maintain and processes
queries efficiently
b. The three basic operations in the relational model are selecting, joining, and projecting.
1) Selecting creates a subset of records that meet certain criteria.
2) Joining is the combining of relational tables based on a common field or combination of
fields.
3) Projecting results in the requested subset of columns from the table. This operation creates
a new table containing only the required information.
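The three relational operations above, run over a constructed two-table schema in SQLite (Python's built-in sqlite3), as an added example that is not part of the original outline. The customer table is normalized so each name is stored once, the foreign key shows how an inconsistent insert is refused, and the select binds its criterion as a parameter so user input is treated as data rather than SQL.

```python
import sqlite3

# Constructed sample data: customer details live in one table and orders refer
# to them by key, so a customer's name and region are stored exactly once.
SCHEMA = """
CREATE TABLE customer (cust_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       region TEXT NOT NULL);
CREATE TABLE orders   (order_id INTEGER PRIMARY KEY, amount REAL NOT NULL,
                       cust_id INTEGER NOT NULL REFERENCES customer(cust_id));
INSERT INTO customer VALUES (1, 'Acme', 'West'), (2, 'Bolt', 'East'), (3, 'Cray', 'West');
INSERT INTO orders   VALUES (10, 250.0, 1), (11, 75.5, 1), (12, 120.0, 2);
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the REFERENCES clause
    conn.executescript(SCHEMA)
    return conn

def select_by_region(conn, region: str) -> list:
    """Selecting: the subset of customer rows meeting a criterion. The region is
    bound as a parameter, so whatever it contains is compared as a plain string."""
    return conn.execute(
        "SELECT cust_id, name, region FROM customer WHERE region = ? ORDER BY cust_id",
        (region,)).fetchall()

def join_orders_to_customers(conn) -> list:
    """Joining: orders combined with customers on the common field cust_id."""
    return conn.execute(
        "SELECT o.order_id, c.name, o.amount FROM orders AS o "
        "JOIN customer AS c ON c.cust_id = o.cust_id ORDER BY o.order_id").fetchall()

def project_name_region(conn) -> list:
    """Projecting: only the requested columns, returned as a new result table."""
    return conn.execute("SELECT name, region FROM customer ORDER BY name").fetchall()

def insert_order_for_unknown_customer(conn) -> bool:
    """An order for a customer that does not exist is an inconsistent insert;
    the foreign key makes the database refuse it. Returns True only if accepted."""
    try:
        conn.execute("INSERT INTO orders VALUES (13, 10.0, 99)")
        return True
    except sqlite3.IntegrityError:
        return False
```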
