
INFORMATION SYSTEMS CONTROLS

Lecture 9
Learning Objectives
• Explain the factors that influence information systems reliability.
• Describe how a combination of preventive, detective, and corrective controls can be
employed to provide reasonable assurance about information security.
Trust Services Framework
• According to the Trust Services framework, reliable systems satisfy five principles:

• Security
• Confidentiality
• Privacy
• Processing Integrity
• Availability
Trust Services Framework
• Security
• Access to the system and its data is controlled and restricted to
legitimate users.

• Confidentiality
• Sensitive organizational information (e.g., marketing plans, trade
secrets) is protected from unauthorized disclosure.

• Privacy
• Personal information about customers is collected, used,
disclosed, and maintained only in compliance with internal policies
and external regulatory requirements and is protected from
unauthorized disclosure.
Trust Services Framework

• Processing Integrity
• Data are processed accurately, completely, in a timely manner, and
only with proper authorization.

• Availability
• System and its information are available to meet operational and
contractual obligations.
Security
• Foundation of the Trust Services Framework

• Security as a management issue, not a technology issue


• Though information security is a complex technical subject, security is
first and foremost a top management issue, not an IT issue.
• Management is responsible for the accuracy of various internal reports
and financial statements produced by the organization’s IS.
• SOX Section 302 requires that the CEO and CFO certify the accuracy of the
financial statements.
• SOX Section 404 requires that the annual report include a report on the
company’s internal controls. Within this report, management acknowledges
their responsibility for designing and maintaining internal controls and
assessing their effectiveness.
• As identified in the COSO model, management’s philosophy and operating
style are critical to an effective control environment.
Security
• Time-based model
• Given enough time and resources, any preventive control can be circumvented.
• The time-based model of security focuses on implementing a set
of preventive, detective, and corrective controls that enable an
organization to recognize that an attack is occurring and take steps
to thwart it before any assets have been compromised.

• P = the time it takes an attacker to break through the organization’s
preventive controls
• D = the time it takes to detect that an attack is in progress
• C = the time it takes to respond to the attack
• For an effective information security system:
• P > D + C
Security
• Defense-in-depth
• The idea of defense-in-depth is to employ multiple layers of
controls to avoid having a single point of failure.
• If one layer fails, another may function as planned.
Security – Preventive Controls
• Training

• User access controls (authentication and authorization)

• Physical access controls (locks, guards, etc.)

• Network access controls (firewalls, intrusion prevention systems, etc.)

• Device and software hardening controls (configuration options)
Security – Detective Controls
• Log Analysis

• Intrusion Detection

• Managerial Reports

• Security Testing
Confidentiality
• Intellectual Property
• Strategic plans
• Trade secrets
• Cost information
• Legal documents
• Process improvements
Confidentiality
• Steps in Securing Intellectual Property

• Identification and Classification
• Where is the information, who has access to it? Classify value of
information.

• Encryption
• The process of obscuring information to make it unreadable
without special knowledge, key files, or passwords.

• Controlling Access
• Information rights management: control who can read, write,
copy, delete, or download information.

• Training
• Most important! Employees need to know what can or can’t
be read, written, copied, deleted, or downloaded.
Privacy
• The privacy principle is closely related to the confidentiality
principle.
• Primary difference is that privacy focuses on protecting
personal information about customers rather than
organizational data.
• Same controls
• Identification and classification
• Encryption
• Access control
• Training

• Important Privacy Concern: Identity Theft


Privacy
• Generally Accepted Privacy Principles
1. Management (Procedures and policies)
2. Notice
3. Choice and Consent
4. Collection
5. Use and Retention
6. Access
7. Disclosure to 3rd Parties
8. Security
9. Quality
10. Monitor and Enforce
Confidentiality & Privacy Controls
• Encryption
• Preventive Control
• Process of transforming normal content called plaintext into
unreadable gibberish
• Decryption reverses this process

• Types of Encryption
• Symmetric
• Asymmetric
• Hybrid Solution
Confidentiality & Privacy - Controls
• Virtual Private Networks
• Private communication channels, often referred to as tunnels,
which are accessible only to those parties possessing the
appropriate encryption and decryption keys.
Processing Integrity
• Controls Ensuring Processing Integrity
• Input controls
• Processing controls
• Output controls
Processing Integrity – Input Control
• “Garbage-in Garbage-out”

• Form Design
• All forms should be sequentially numbered
• Use of turnaround documents
Processing Integrity – Input Control
• Data Entry Checks
• Field check
• Characters proper type? Text, integer, date, and so on
• Sign check
• Proper arithmetic sign?
• Limit check
• Input checked against fixed value?
• Range check
• Input within low and high range value?
• Size check
• Input fit within field?
• Completeness check
• Have all required data been entered?
• Validity check
• Input compared with master data to confirm existence
• Reasonableness check
• Logical comparisons
• Check digit verification
• Computed from input value to catch typo errors
• Prompting
• Input requested by system
• Closed-loop verification
• Uses input data to retrieve and display related data
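The data entry checks above, applied to a constructed payroll time-entry record, as an added Python example (not from the lecture slides). The record layout, the master employee list, the 80-hour limit, the 2024 pay-date range, the 10-character department width and the "interns over 20 hours" reasonableness rule are all assumptions made for the example; the check digit is computed with the Luhn mod-10 scheme, which is also an assumption, since the slide only says the digit is derived from the input value. Prompting is an interactive control and is not modelled; closed-loop verification is shown as the lookup that echoes the employee's name back for the operator to confirm.

```python
"""Data-entry (input) checks over a constructed payroll record. Added example, not slide content."""
import re
from datetime import date

REQUIRED_FIELDS = ("employee_id", "hours", "pay_date", "dept")
HOURS_LIMIT = 80                                          # fixed value for the limit check (assumption)
PAY_DATE_RANGE = (date(2024, 1, 1), date(2024, 12, 31))   # low/high values for the range check (assumption)
DEPT_FIELD_SIZE = 10                                      # field width for the size check (assumption)


def luhn_check_digit(payload: str) -> str:
    """Check digit computed from the payload digits (Luhn mod-10; an assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # double every second digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Check digit verification: recompute the digit and compare with the one keyed in."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


# Constructed master data: employee ID (payload + Luhn digit) -> name.
EMPLOYEE_MASTER = {
    p + luhn_check_digit(p): name
    for p, name in (("100000001", "A. Rivera"), ("100000002", "B. Okafor"), ("100000003", "C. Lind"))
}


def closed_loop_echo(employee_id: str):
    """Closed-loop verification: use the keyed ID to retrieve related data (the name) for display."""
    return EMPLOYEE_MASTER.get(employee_id)


def validate_record(rec: dict) -> list:
    """Return the names of the checks the record fails; an empty list means the record is accepted."""
    # Completeness check: have all required data been entered?
    if any(not rec.get(f) for f in REQUIRED_FIELDS):
        return ["completeness"]        # the remaining checks need the fields to exist

    failed = []
    emp_id, hours_s, pay_date_s, dept = (rec[f] for f in REQUIRED_FIELDS)

    # Field checks: are the characters of the proper type (integer, date, text)?
    if not re.fullmatch(r"-?\d+", hours_s):
        failed.append("field:hours")
    try:
        pay_date = date.fromisoformat(pay_date_s)
    except ValueError:
        pay_date = None
        failed.append("field:pay_date")
    if not dept.isalpha():
        failed.append("field:dept")

    if "field:hours" not in failed:
        hours = int(hours_s)
        if hours < 0:                                  # sign check
            failed.append("sign:hours")
        if hours > HOURS_LIMIT:                        # limit check against a fixed value
            failed.append("limit:hours")
        if dept.upper() == "INTERN" and hours > 20:    # reasonableness check: logical comparison of two fields
            failed.append("reasonableness:intern_hours")

    if pay_date is not None and not (PAY_DATE_RANGE[0] <= pay_date <= PAY_DATE_RANGE[1]):
        failed.append("range:pay_date")                # range check
    if len(dept) > DEPT_FIELD_SIZE:
        failed.append("size:dept")                     # size check
    if not luhn_valid(emp_id):
        failed.append("check_digit:employee_id")       # check digit verification catches typos
    elif emp_id not in EMPLOYEE_MASTER:
        failed.append("validity:employee_id")          # validity check against master data
    return failed


if __name__ == "__main__":
    good = {"employee_id": "1000000016", "hours": "40", "pay_date": "2024-03-15", "dept": "SALES"}
    typo = dict(good, employee_id="1000000061")        # two digits transposed
    print(validate_record(good), closed_loop_echo(good["employee_id"]))
    print(validate_record(typo))
```

The ordering matters: the check digit is tested before the master-file lookup, so a keying error is reported as a typo rather than as an unknown employee, and the completeness check short-circuits because the type and range checks are meaningless on missing fields.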
Processing Integrity – Processing Controls
• Data Matching
• Multiple data values must match before processing occurs.

• File Labels
• Ensure correct and most current file is being updated.

• Batch Total Recalculation
• Compare calculated batch total after processing to input totals.

• Cross-Footing and Zero Balance Tests
• Compute totals using multiple methods to ensure the same results.

• Write Protection
• Eliminate possibility of overwriting or erasing existing data.

• Concurrent Update
• Locking records or fields when they are being updated so multiple
users are not updating at the same time.
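Batch total recalculation, cross-footing and the zero-balance test over a constructed payroll batch, as an added Python example (not from the lecture slides). The three control totals (record count, financial total on gross pay, hash total on employee IDs), the journal accounts and the "processing" step that drops or alters a record are assumptions made for the example.

```python
"""Processing controls over a constructed payroll batch. Added example, not slide content."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PayLine:
    """One payroll record; amounts are held in cents so the totals are exact integers."""
    employee_id: str
    gross: int
    tax: int
    net: int


def batch_totals(lines):
    """Control totals taken on input and recomputed after processing: a record count,
    a financial total (gross pay) and a hash total (sum of employee IDs, a figure with no
    business meaning that still changes when a record is dropped or substituted)."""
    return {
        "record_count": len(lines),
        "financial_total": sum(l.gross for l in lines),
        "hash_total": sum(int(l.employee_id) for l in lines),
    }


def batch_total_check(input_totals, processed_lines):
    """Batch total recalculation: totals after processing must equal the input totals."""
    return batch_totals(processed_lines) == input_totals


def cross_foot_check(lines):
    """Cross-footing: the net column total must equal gross total minus tax total,
    i.e. the same figure computed two different ways."""
    return sum(l.net for l in lines) == sum(l.gross for l in lines) - sum(l.tax for l in lines)


def payroll_journal(lines):
    """Constructed journal entries posted from the batch, as (account, debit, credit)."""
    return [
        ("Salary Expense", sum(l.gross for l in lines), 0),
        ("Tax Payable", 0, sum(l.tax for l in lines)),
        ("Cash", 0, sum(l.net for l in lines)),
    ]


def zero_balance_check(journal):
    """Zero-balance test: total debits minus total credits must be exactly zero."""
    return sum(d for _, d, _ in journal) - sum(c for _, _, c in journal) == 0


def simulate_processing(lines, drop_index=None, corrupt_net=None):
    """Stand-in for the processing step: optionally loses one record or alters one net
    amount (as a program bug might), so the controls have something to catch."""
    out = list(lines)
    if drop_index is not None:
        del out[drop_index]
    if corrupt_net is not None:
        i, new_net = corrupt_net
        l = out[i]
        out[i] = PayLine(l.employee_id, l.gross, l.tax, new_net)
    return out


# Constructed input batch and the totals recorded when it was entered.
INPUT_BATCH = [
    PayLine("1000000016", 500_000, 100_000, 400_000),
    PayLine("1000000024", 300_000, 45_000, 255_000),
    PayLine("1000000032", 200_000, 20_000, 180_000),
]
INPUT_TOTALS = batch_totals(INPUT_BATCH)


if __name__ == "__main__":
    clean = simulate_processing(INPUT_BATCH)
    lost = simulate_processing(INPUT_BATCH, drop_index=1)
    wrong_net = simulate_processing(INPUT_BATCH, corrupt_net=(1, 225_000))
    for name, batch in (("clean", clean), ("record lost", lost), ("net altered", wrong_net)):
        print(name, "batch totals:", batch_total_check(INPUT_TOTALS, batch),
              "cross-foot:", cross_foot_check(batch),
              "zero balance:", zero_balance_check(payroll_journal(batch)))
```

The altered-net case shows why the slide lists more than one method: the batch totals are taken on gross pay, so they still agree after the net amount is corrupted, and only the cross-footing and zero-balance tests expose the error.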
Processing Integrity – Output Controls
• User Review
• Verify reasonableness, completeness, and routed to intended
individual
• Reconciliation
• Data Transmission Controls
• Check sums
• Hash of file transmitted, comparison made of hash before and after
transmission
• Parity checking
• Bit added to each character transmitted, the characters can then be
verified for accuracy
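The two data transmission controls on this slide, a hash of the transmitted data compared before and after transmission and a parity bit added to each character, as an added Python example (not from the lecture slides). The message, the use of SHA-256 as the hash, even parity carried in bit 7 of a 7-bit ASCII character, and the "line noise" function that flips chosen bits are all assumptions made for the example.

```python
"""Checksum and parity checks over a constructed transmission. Added example, not slide content."""
import hashlib


def even_parity_bit(char_code: int) -> int:
    """Parity bit that gives the 7 data bits plus the parity bit an even number of 1s."""
    return bin(char_code & 0x7F).count("1") % 2


def encode_with_parity(text: str) -> list:
    """Sender side: frame each ASCII character as one byte, 7 data bits plus parity in bit 7."""
    return [(ord(c) & 0x7F) | (even_parity_bit(ord(c)) << 7) for c in text]


def parity_errors(frame: list) -> list:
    """Receiver side: indices of bytes whose 8 bits have odd weight, i.e. a detected error."""
    return [i for i, b in enumerate(frame) if bin(b).count("1") % 2 == 1]


def decode_frame(frame: list) -> str:
    """Strip the parity bits to recover the characters."""
    return "".join(chr(b & 0x7F) for b in frame)


def file_checksum(data: bytes) -> str:
    """Hash taken before transmission and recomputed on receipt (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def corrupt(frame: list, flips) -> list:
    """Constructed line noise: flip each (byte_index, bit_position) given."""
    out = list(frame)
    for i, bit in flips:
        out[i] ^= 1 << bit
    return out


def receive(frame: list, expected_checksum: str) -> dict:
    """Receiver's verdict: which characters fail parity, and whether the checksum still matches."""
    text = decode_frame(frame)
    return {
        "parity_errors": parity_errors(frame),
        "checksum_ok": file_checksum(text.encode("ascii")) == expected_checksum,
        "text": text,
    }


# Constructed message: a payment instruction, with its checksum recorded before sending.
MESSAGE = "PAY 400000"
FRAME = encode_with_parity(MESSAGE)
CHECKSUM = file_checksum(MESSAGE.encode("ascii"))


if __name__ == "__main__":
    print("clean     :", receive(FRAME, CHECKSUM))
    print("1-bit flip:", receive(corrupt(FRAME, [(4, 0)]), CHECKSUM))          # '4' becomes '5'
    print("2-bit flip:", receive(corrupt(FRAME, [(4, 0), (4, 1)]), CHECKSUM))  # '4' becomes '7'
```

The two-bit case is the caveat a practitioner should keep in mind: two flipped bits in the same character leave its weight even, so parity reports nothing, while the end-to-end hash still catches the change. Parity pinpoints which character was damaged; the checksum guarantees the whole file arrived intact, and the two controls are normally used together.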
Availability
• Systems or information need to be available 24/7.
• It is not possible to guarantee this, so the controls aim to minimize the risks and to recover quickly when a disruption does occur.
Availability - Minimize Risks
• Preventive Maintenance
• Cleaning, proper storage

• Fault Tolerance
• Ability of a system to continue if a part fails

• Data Center Location
• Minimize risk of natural and human created disasters.

• Training
• Less likely to make mistakes and will know how to recover, with
minimal damage, from errors they do commit

• Patch Management
• Install, run, and keep current antivirus and anti-spyware programs
Availability - Quick Recovery
• Back-up
• Incremental
• Copy only data that changed from last partial back-up
• Differential
• Copy only data that changed from last full back-up

• Business Continuity Plan (BCP)
• How to resume not only IT operations, but all business processes
• Relocating to new offices
• Hiring temporary replacements
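Incremental versus differential backup over a constructed four-day week, as an added Python example (not from the lecture slides). It models each day's file system as a set of modification times, copies what each strategy would copy, and then checks that replaying the copied sets reproduces the latest state. The file names and edit pattern are constructed; the incremental rule is implemented as "changed since the most recent backup of any kind", which matches the slide's "since the last partial back-up" once the first incremental has been taken.

```python
"""Incremental vs differential backup schedules. Added example, not slide content."""


def changed_since(files: dict, since: int) -> dict:
    """Files (with their versions) whose modification time is later than the reference point."""
    return {name: mtime for name, mtime in files.items() if mtime > since}


def backup_schedule(snapshots, strategy: str):
    """snapshots: chronological list of (time, {filename: mtime}); the first one receives a full backup.
    Returns one dict per snapshot: the files the strategy copies that day.
      incremental  - copy what changed since the most recent backup of any kind
      differential - copy what changed since the last full backup"""
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy {strategy!r}")
    full_time, full_files = snapshots[0]
    copied = [dict(full_files)]            # the full backup copies everything
    last_backup_time = full_time
    for t, files in snapshots[1:]:
        reference = full_time if strategy == "differential" else last_backup_time
        copied.append(changed_since(files, reference))
        last_backup_time = t
    return copied


def restore_sets(copied, strategy: str):
    """The backup sets that must be read, in order, to restore the latest state."""
    if strategy == "differential" and len(copied) > 1:
        return [copied[0], copied[-1]]     # full plus the most recent differential
    return list(copied)                    # full plus every incremental, in order


def restore(sets):
    """Replay the sets in order; a later copy of a file overwrites an earlier one."""
    state = {}
    for s in sets:
        state.update(s)
    return state


# Constructed week: full backup on day 0, then three days of edits to three files.
SNAPSHOTS = [
    (0, {"ledger.db": 0, "policy.docx": 0, "logo.png": 0}),
    (1, {"ledger.db": 1, "policy.docx": 0, "logo.png": 0}),
    (2, {"ledger.db": 1, "policy.docx": 2, "logo.png": 0}),
    (3, {"ledger.db": 3, "policy.docx": 2, "logo.png": 3}),
]


def compare_strategies(snapshots=SNAPSHOTS) -> dict:
    """Per strategy: what is copied each day, how many sets a restore needs, and whether it works."""
    result = {}
    for strategy in ("incremental", "differential"):
        copied = backup_schedule(snapshots, strategy)
        needed = restore_sets(copied, strategy)
        result[strategy] = {
            "files_copied_per_day": [sorted(c) for c in copied],
            "sets_needed_to_restore": len(needed),
            "restore_matches_latest": restore(needed) == snapshots[-1][1],
        }
    return result


if __name__ == "__main__":
    for strategy, summary in compare_strategies().items():
        print(strategy, summary)
```

The trade-off the slide leaves implicit shows up in the numbers: incremental backups copy the least each day but a restore must replay the full backup and every incremental since, so losing any one set breaks the chain; differential backups grow each day but restore from just two sets.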
Availability - Disaster Recovery Plan (DRP)
• Procedures to restore an organization’s IT function in the
event that its data center is destroyed
• Cold Site
• An empty building that is prewired for necessary
telephone and Internet access, plus a contract with
one or more vendors to provide all necessary
equipment within a specified period of time
• Hot Site
• A facility that is not only prewired for telephone and
Internet access but also contains all the computing
and office equipment the organization needs to
perform its essential business activities
• Second Data-Center
• Used for back-up and site mirroring