
CHAPTER 7

Information Systems Controls for Systems Reliability Part 1: Information Security

2008 Prentice Hall Business Publishing, Accounting Information Systems, 11/e, Romney/Steinbart

INTRODUCTION
One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
- It provides an accurate, complete, and timely picture of the organization's activities.
- It is available when needed.
- The information and the system that produces it are protected from loss, compromise, and theft.

INTRODUCTION
SYSTEMS RELIABILITY

The five basic principles that contribute to systems reliability:
- Security: Access to the system and its data is controlled.
- Confidentiality: Sensitive information is protected from unauthorized disclosure.
- Privacy: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
- Processing integrity: Data is processed accurately, completely, in a timely manner, and with proper authorization.
- Availability: The system is available to meet operational and contractual obligations.

INTRODUCTION
SYSTEMS RELIABILITY

[Figure: systems reliability diagram with SECURITY as the base layer and CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY, and AVAILABILITY built on top of it.]

Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:
- Restrict system access to only authorized users and protect:
  - The confidentiality of sensitive organizational data.
  - The privacy of personal identifying information collected from customers.

INTRODUCTION
SYSTEMS RELIABILITY

Security procedures also:
- Provide for processing integrity by preventing:
  - Submission of unauthorized or fictitious transactions.
  - Unauthorized changes to stored data or programs.
- Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

FUNDAMENTAL INFORMATION SECURITY CONCEPTS

There are three fundamental information security concepts that will be discussed in this chapter:
- Security is a management issue, not a technology issue.
- The time-based model of security.
- Defense in depth.


TIME-BASED MODEL OF SECURITY

Given enough time and resources, any preventive control can be circumvented. Consequently, effective control requires supplementing preventive procedures with:
- Methods for detecting incidents; and
- Procedures for taking corrective remedial action.

Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization's economic and information resources.


DEFENSE IN DEPTH
The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure. If one layer fails, another may function as planned. Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access. Redundancy also applies to detective and corrective controls.
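The time-based model and defense in depth together, as an added example that is not from the textbook or these slides: the chapter's inequality P > D + C (P = time the preventive controls hold, D = time to detect, C = time to correct) evaluated against a layered design, where the layer names and all hour values are assumed for illustration.

```python
# Added example, not from the textbook: the time-based model of security
# applied to a defense-in-depth design. The chapter states the model as
# P > D + C, where P is how long the preventive controls hold, D the time
# to detect the attack and C the time to correct it. The layer names and
# all times (in hours) are constructed for illustration.
from typing import Dict, List, Optional

# Constructed preventive layers and how long each is assumed to delay an attacker.
LAYERS: Dict[str, float] = {"firewall": 4.0, "password": 6.0, "host hardening": 3.0}

def preventive_time(layers: Dict[str, float], bypassed: Optional[str] = None) -> float:
    """P for a layered design: the layers add up, and a bypassed layer adds nothing."""
    return sum(t for name, t in layers.items() if name != bypassed)

def is_effective(layers: Dict[str, float], detect: float, correct: float,
                 bypassed: Optional[str] = None) -> bool:
    """The model's test: security is effective only while P > D + C."""
    return preventive_time(layers, bypassed) > detect + correct

def single_points_of_failure(layers: Dict[str, float], detect: float,
                             correct: float) -> List[str]:
    """Layers whose failure on its own breaks P > D + C. An empty list means the
    design has no single point of failure at this detection and response speed."""
    return [name for name in layers
            if not is_effective(layers, detect, correct, bypassed=name)]

def margin_hours(layers: Dict[str, float], detect: float, correct: float) -> float:
    """P - (D + C): how much slower detection plus correction could become before
    the model fails. Negative means the controls are already ineffective."""
    return preventive_time(layers) - (detect + correct)

if __name__ == "__main__":
    # Detection takes 3 h and correction 4 h: the full design holds (13 > 7),
    # but losing the password layer alone leaves P = 7, which is not > 7.
    print(is_effective(LAYERS, 3.0, 4.0))                  # True
    print(single_points_of_failure(LAYERS, 3.0, 4.0))      # ['password']
    # Faster detection and response (2 h + 3 h) removes the single point of failure.
    print(single_points_of_failure(LAYERS, 2.0, 3.0))      # []
    # A single-layer design with the same firewall fails outright (4 > 7 is false).
    print(is_effective({"firewall": 4.0}, 3.0, 4.0))       # False
```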

PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security incidents from happening. This involves two related functions:
- Authentication: Focuses on verifying the identity of the person or device attempting to gain access.
- Authorization: Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.

PREVENTIVE CONTROLS
Each authentication method has its limitations:
- Passwords
- Physical identification techniques
- Biometric techniques

PREVENTIVE CONTROLS
Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective. Example: Using a palm print and a PIN number together is much more effective than using either method alone.


PREVENTIVE CONTROLS
Authorization controls are implemented by creating an access control matrix.
- Specifies what part of the IS a user can access and what actions they are permitted to perform.
- When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.

PREVENTIVE CONTROLS
Access control matrix

User ID   Password   File A  File B  File C  Program 1  Program 2  Program 3  Program 4
12345     ABC        0       0       1       0          0          0          0
12346     DEF        0       2       0       0          0          0          0
12354     KLM        1       1       1       0          0          0          0
12359     NOP        3       0       0       0          0          0          0
12389     RST        0       1       0       0          3          0          0
12567     XYZ        1       1       1       1          1          1          1

Who has the authority to delete Program 2?

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
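The compatibility test described above, as an added example that is not the textbook's own code: the slide's matrix and access codes are loaded as data, authentication (credential check) is kept separate from authorization (matrix lookup), and a helper answers the slide's question for any resource and action. The function names and the mapping of actions to minimum codes are my own, derived from the slide's code definitions.

```python
# Added example, not from the textbook: the slide's access control matrix with
# the compatibility test implemented as a function. User IDs, passwords and
# access codes are the slide's values; the function names are assumptions.
from typing import Dict, List, Tuple

# Access codes as defined on the slide.
NO_ACCESS, READ, UPDATE, FULL = 0, 1, 2, 3

# Minimum code each action requires, derived from the slide's code definitions.
ACTION_MIN_CODE = {"read": READ, "display": READ, "update": UPDATE,
                   "create": FULL, "delete": FULL}

# Authentication data: user identification number -> password (from the slide).
CREDENTIALS: Dict[str, str] = {"12345": "ABC", "12346": "DEF", "12354": "KLM",
                               "12359": "NOP", "12389": "RST", "12567": "XYZ"}

# Authorization data: one row per user, one column per resource (from the slide).
RESOURCES = ["File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4"]
MATRIX: Dict[str, Tuple[int, ...]] = {
    "12345": (0, 0, 1, 0, 0, 0, 0),
    "12346": (0, 2, 0, 0, 0, 0, 0),
    "12354": (1, 1, 1, 0, 0, 0, 0),
    "12359": (3, 0, 0, 0, 0, 0, 0),
    "12389": (0, 1, 0, 0, 3, 0, 0),
    "12567": (1, 1, 1, 1, 1, 1, 1),
}

def authenticate(user_id: str, password: str) -> bool:
    """Authentication: verify the claimed identity against the stored password."""
    return CREDENTIALS.get(user_id) == password

def compatibility_test(user_id: str, password: str, resource: str, action: str) -> bool:
    """Authorization: allow the action only if the user authenticates, the
    resource and action are known, and the user's code is high enough.
    Anything unknown is denied (deny by default)."""
    if not authenticate(user_id, password):
        return False
    if resource not in RESOURCES or action not in ACTION_MIN_CODE:
        return False
    code = MATRIX[user_id][RESOURCES.index(resource)]
    return code >= ACTION_MIN_CODE[action]

def users_who_can(resource: str, action: str) -> List[str]:
    """Answer the slide's question ("Who has the authority to delete Program 2?")
    for any resource/action pair by running the test for every user."""
    return [uid for uid, pw in CREDENTIALS.items()
            if compatibility_test(uid, pw, resource, action)]

if __name__ == "__main__":
    print(users_who_can("Program 2", "delete"))   # ['12389']
```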

PREVENTIVE CONTROLS
These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.


DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all attacks, so organizations implement detective controls to enhance security by:
- Monitoring the effectiveness of preventive controls; and
- Detecting incidents in which preventive controls have been circumvented.

DETECTIVE CONTROLS
Authentication and authorization controls (both preventive and detective) govern access to the system and limit the actions that can be performed by authorized users. Actual system use (a detective control) must be examined to assess compliance through:
- Log analysis
- Intrusion detection systems
- Managerial reports
- Periodically testing the effectiveness of existing security procedures
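Log analysis as a detective control, as an added example that is not from the textbook: the log format, the sample lines, and the thresholds are constructed for illustration, and the findings dictionary is the kind of summary a managerial report would present.

```python
# Added example, not from the textbook: simple log analysis as a detective
# control. The log format, the sample lines and the policy thresholds are
# constructed for illustration; the user IDs reuse the slide's matrix.
import re
from collections import Counter
from typing import Dict, List

# Constructed access log: date time user event [resource action]
SAMPLE_LOG = """\
2008-03-03 08:55:10 user=12345 event=LOGIN_OK
2008-03-03 09:01:44 user=12345 event=ACCESS_DENIED resource="Program 2" action=delete
2008-03-03 09:02:03 user=12345 event=ACCESS_DENIED resource="Program 2" action=delete
2008-03-03 09:02:31 user=12345 event=ACCESS_DENIED resource="Program 3" action=update
2008-03-03 22:17:05 user=12346 event=LOGIN_FAIL
2008-03-03 22:17:09 user=12346 event=LOGIN_FAIL
2008-03-03 22:17:14 user=12346 event=LOGIN_FAIL
2008-03-03 22:17:20 user=12346 event=LOGIN_FAIL
2008-03-03 22:18:02 user=12346 event=LOGIN_OK
2008-03-03 23:05:00 user=12389 event=ACCESS_OK resource="Program 2" action=delete
"""

LINE_RE = re.compile(r'^(\S+) (\d\d):\d\d:\d\d user=(\S+) event=(\S+)')

FAILED_LOGIN_THRESHOLD = 3     # assumed policy: 3+ failed logins by one user
DENIED_THRESHOLD = 2           # assumed policy: repeated denied actions mean probing
BUSINESS_HOURS = range(8, 18)  # assumed policy: authorized use is 08:00-17:59

def analyze(log_text: str) -> Dict[str, List[str]]:
    """Scan the log once and return findings (user IDs) keyed by finding type:
    a burst of failed logins (a preventive control being tested), repeated
    authorization denials (probing the access matrix), and successful use
    outside business hours (possible circumvention of preventive controls)."""
    failed: Counter = Counter()
    denied: Counter = Counter()
    after_hours = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real system would count these too
        _, hour, user, event = m.groups()
        if event == "LOGIN_FAIL":
            failed[user] += 1
        elif event == "ACCESS_DENIED":
            denied[user] += 1
        if int(hour) not in BUSINESS_HOURS and event in ("LOGIN_OK", "ACCESS_OK"):
            after_hours.add(user)
    return {
        "failed_login_burst": sorted(u for u, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD),
        "repeated_denials": sorted(u for u, n in denied.items() if n >= DENIED_THRESHOLD),
        "after_hours_use": sorted(after_hours),
    }
```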

CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents. Two of the Trust Services framework criteria for effective security are the existence of procedures to:
- React to system security breaches and other incidents.
- Take corrective action on a timely basis.

CORRECTIVE CONTROLS
Three key components that satisfy the preceding criteria are:
- Establishment of a computer emergency response team.
- Designation of a specific individual with organization-wide responsibility for security.
- An organized patch management system.

CORRECTIVE CONTROLS
Computer emergency response team
A key component of being able to respond to security incidents promptly and effectively is the establishment of a computer emergency response team (CERT).
- Responsible for dealing with major incidents.
- Should include technical specialists and senior operations management.
- Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.


CORRECTIVE CONTROLS
A chief security officer (CSO):
- Should be independent of other IS functions and report to either the COO or CEO.
- Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
- Disseminates information about fraud, errors, security breaches, improper system use, and the consequences of these actions.
- Works with the person in charge of building security, as that is often the entity's weakest link.
- Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.


CORRECTIVE CONTROLS
Patch management is the process for regularly applying patches and updates to all of an organization's software. It is challenging to do because:
- Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
- There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.
