

Chapter 3

The operating system is the computer's control program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.

Operating System

OS Security
Operating system security involves policies, procedures, and controls that determine who can access the operating system, which resources (files, programs, printers) they can use, and what actions they can take.

OS Security
Log-On Procedure

Access Control List

Threats to Operating System

accidentally or intentionally
Accidental threats include hardware failures that cause the operating system to crash.
Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.

Operating System Controls and Audit Tests
Controlling Access Privileges
The auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.

Audit Procedures Relating to Access

Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions.
Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.
Review the users' permitted log-on times.

Password Control
A password is a secret code the user enters to gain access to systems, applications, data files, or a network.
Reusable password: The user defines the password to the system once and then reuses it to gain future
One-time password: The user's password changes continuously.
The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.

Audit Procedures Relating to

Verify that all users are required to have passwords.
Verify that new users are instructed in the use of passwords and the importance of password control.
Review password control procedures to ensure that passwords are changed regularly.
Review the password file to determine that weak passwords are identified and
Verify that the password file is encrypted and that the encryption key is properly secured.
Assess the adequacy of password standards such as length and expiration interval.
Review the account lockout policy and
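
An added example, not part of the original slides: one way to run the password-file checks listed above, assuming a Linux shadow(5)-format file (the slides name no operating system). The sample records, the 90-day limit and the approved-scheme list are constructed assumptions.

```python
from datetime import date

# Constructed sample records (placeholder hashes), Linux shadow(5) layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$c2FsdA$PLACEHOLDER:19900:0:90:7:::
bob::19000:0:99999:7:::
carol:$1$c2FsdA$PLACEHOLDER:18000:0:90:7:::
svc_backup:!:19500:0:99999:7:::
dave:$6$c2FsdA$PLACEHOLDER:19950:0::7:::
"""

MAX_AGE_DAYS = 90  # assumed policy value, not taken from the slides
APPROVED_PREFIXES = ("$5$", "$6$", "$y$", "$2b$")  # SHA-256/512 crypt, yescrypt, bcrypt


def audit_shadow(text, today, max_age=MAX_AGE_DAYS):
    """Return {user: [findings]} for each account that violates the policy."""
    today_days = (today - date(1970, 1, 1)).days  # lastchg is days since the epoch
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            report[fields[0]] = ["malformed record"]
            continue
        user, pw, lastchg, _min_age, maxage = fields[:5]
        if pw[:1] in ("!", "*"):  # locked account: password log-on is disabled
            continue
        findings = []
        if pw == "":
            findings.append("no password required")
        elif not pw.startswith(APPROVED_PREFIXES):
            findings.append("hash scheme not on approved list")
        if not maxage.isdigit() or int(maxage) > max_age:
            findings.append("expiration interval exceeds policy")
        elif lastchg.isdigit() and today_days - int(lastchg) > int(maxage):
            findings.append("password overdue for change")
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_shadow(SAMPLE_SHADOW, date(2024, 9, 1)).items():
        print(f"{user}: {', '.join(findings)}")
```
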

Controlling Against Malicious and Destructive Programs
The losses are measured in terms of data corruption and destruction, degraded computer performance, hardware destruction, violations of privacy, and the personnel time devoted to repairing the damage.
This class of programs includes viruses, worms, logic bombs, back doors, and Trojan horses.

Audit Objective Relating to Viruses and Other Destructive Programs
The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.

Audit Procedures Relating to Viruses and Other Destructive Programs
Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.
Verify that new software is tested on standalone workstations prior to being implemented on the host or network server.
Verify that the current version of antiviral software is installed on the server and that upgrades are regularly downloaded to workstations.

System Audit Trail Controls

Logs that record activity at the system, application, and user level.
Two types of audit logs: (1) detailed logs of individual keystrokes and (2) event-oriented
Keystroke monitoring involves recording both the user's keystrokes and the system's responses.
Event monitoring summarizes key activities related to system resources.

Audit trails can be used to support security objectives in three ways:
(1) detecting unauthorized access to the system,
(2) facilitating the reconstruction of events, and
(3) promoting personal accountability.

The auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede systems failures, and planning resource allocation.

Audit Procedures Relating to System Audit Trails
Most operating systems provide some form of audit manager function to specify the events that are to be audited.
Many operating systems provide an audit log viewer that allows the auditor to scan the log for unusual activity.
The organization's security group has responsibility for monitoring and reporting security violations.
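
An added example, not part of the original slides: how a scan of an event-oriented audit log for unusual activity might be automated. The log layout, user IDs, permitted log-on hours and failure threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records: timestamp, user ID, event, terminal
SAMPLE_LOG = """\
2024-03-04T08:58:12 jsmith LOGON_OK term07
2024-03-04T09:01:40 mlee LOGON_FAIL term12
2024-03-04T09:01:55 mlee LOGON_FAIL term12
2024-03-04T09:02:09 mlee LOGON_FAIL term12
2024-03-04T09:02:31 mlee LOGON_OK term12
2024-03-05T02:14:03 jsmith LOGON_OK term31
2024-03-05T10:20:00 akhan LOGON_FAIL term02
"""

# Assumed policy values for this example (not from the slides)
PERMITTED_HOURS = {"jsmith": (8, 18), "mlee": (8, 18), "akhan": (6, 22)}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)


def scan_audit_log(text):
    """Return a list of (timestamp, user, finding) tuples, in log order."""
    findings = []
    recent_fails = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, event, terminal = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "LOGON_FAIL":
            fails = recent_fails[user]
            fails.append(when)
            # Keep only the failures that fall inside the sliding window.
            fails[:] = [t for t in fails if when - t <= FAIL_WINDOW]
            if len(fails) == FAIL_THRESHOLD:
                findings.append((stamp, user, f"{FAIL_THRESHOLD} failed log-ons at {terminal}"))
        elif event == "LOGON_OK":
            # Users with no permitted-hours entry are always flagged.
            start, end = PERMITTED_HOURS.get(user, (0, 0))
            if not start <= when.hour < end:
                findings.append((stamp, user, f"log-on outside permitted hours at {terminal}"))
            if len(recent_fails[user]) >= FAIL_THRESHOLD:
                findings.append((stamp, user, "successful log-on after repeated failures"))
            recent_fails[user].clear()
    return findings
```
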

Intranet risks
Intranets consist of small LANs and large WANs that may contain thousands of individual nodes.
Interception of Network Messages
Access to Corporate Databases
Privileged Employees

Internet risks
IP Spoofing

Controlling Networks
Firewalls: a system that enforces access control between two networks.
Encryption: the conversion of data into a secret code for storage in databases and transmission over networks. The sender uses an encryption algorithm to convert the original message (called cleartext) into a coded equivalent (called ciphertext). At the receiving end, the ciphertext is decoded (decrypted) back into cleartext.
Digital Signatures: electronic authentication that cannot be forged.
Digital Certificate: issued by a trusted third party called a certification authority (CA).

Controlling Risks from Equipment Failure
Line Errors
The auditor's objective is to verify the integrity of the electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure.


A general definition of EDI is: The intercompany exchange of computer-processible business information in standard format.
Key to EDI success is the use of a standard format for messaging between dissimilar systems.

Several important features of EDI

Benefits of EDI
Data keying. EDI reduces or even eliminates the need for data entry.
Error reduction. Firms using EDI see reductions in data keying errors, human interpretation and classification errors, and filing (lost document) errors.
Reduction of paper. The use of electronic envelopes and documents drastically reduces the paper forms in the system.
Postage. Mailed documents are replaced with much cheaper data transmissions.
Automated procedures. EDI automates manual activities associated with purchasing, sales order processing, cash disbursements, and cash receipts.
Inventory reduction. By ordering directly as needed from vendors, EDI reduces the lag time that promotes inventory
EDI Controls
Some VANs have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file. The VAN rejects any unauthorized trading partner transactions before they reach the vendor's
Before being converted, the translation software can validate the trading partner's ID and password against a validation file in the firm's database.
Before processing, the trading partner's application software references the valid customer and vendor files to validate the transaction.

EDI Audit Trail

One technique for restoring the audit trail is to maintain a control log, which records the transaction's flow through each phase of the EDI
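
An added example, not part of the original slides: reconciling a control log to confirm that each EDI transaction left an entry at every phase. The phase names, their order and the log entries are assumptions constructed for illustration.

```python
# Phase names and order are assumptions for this example, not from the slides.
PHASES = ["sender_translation", "van", "receiver_translation", "receiver_application"]

# Constructed control-log entries: (transaction ID, phase, status)
SAMPLE_CONTROL_LOG = [
    ("PO-1001", "sender_translation", "ok"),
    ("PO-1001", "van", "ok"),
    ("PO-1001", "receiver_translation", "ok"),
    ("PO-1001", "receiver_application", "ok"),
    ("PO-1002", "sender_translation", "ok"),
    ("PO-1002", "van", "rejected"),              # stopped at the VAN: control worked
    ("PO-1003", "sender_translation", "ok"),
    ("PO-1003", "van", "ok"),                    # never reached the receiver
    ("PO-1004", "receiver_translation", "ok"),
    ("PO-1004", "receiver_application", "ok"),   # no upstream record at all
    ("PO-1005", "sender_translation", "ok"),
    ("PO-1005", "van", "rejected"),
    ("PO-1005", "receiver_translation", "ok"),   # processed despite the rejection
]


def reconcile_control_log(log, phases=PHASES):
    """Return {transaction ID: finding} for each transaction with a broken trail."""
    trail = {}
    for txn, phase, status in log:
        trail.setdefault(txn, {})[phase] = status
    exceptions = {}
    for txn, seen in trail.items():
        for i, phase in enumerate(phases):
            status = seen.get(phase)
            if status == "ok":
                continue
            # First phase that is missing or not "ok": look for entries beyond it.
            later = [p for p in phases[i + 1:] if p in seen]
            if status == "rejected" and later:
                exceptions[txn] = f"rejected at {phase} but processed by {later[0]}"
            elif status is None and later:
                exceptions[txn] = f"no {phase} entry before {later[0]}"
            elif status is None:
                exceptions[txn] = f"trail ends before {phase}"
            break
    return exceptions
```
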

The auditor's objectives are to determine that
(1) all EDI transactions are authorized, validated, and in compliance with the trading partner agreement;
(2) no unauthorized organizations gain access to database records;
(3) authorized trading partners have access only to approved data; and
(4) adequate controls are in place to ensure a complete audit trail of all EDI transactions.

Audit Procedures Relating to

Tests of Authorization and
Validation Controls
Tests of Access Controls
Tests of Audit Trail Controls

PC applications tend to be general-purpose systems that serve a wide range of needs, which allows software vendors to mass-produce low-cost and error-free standard products.
PC accounting systems are popular with smaller firms, which use them to automate and replace manual systems and thus become more efficient and competitive.
Most PC systems are modular in design.

PC Systems Risks and


Operating System Weaknesses

Weak Access Control
Inadequate Segregation of Duties
Multilevel Password Control
Risk of Theft
Weak Backup Procedures
Risk of Virus Infection

Audit Objectives Associated with PC

Verify that controls are in place to protect data, programs, and
computers from unauthorized access, manipulation,
destruction, and theft.
Verify that adequate supervision and operating procedures
exist to compensate for lack of segregation between the
duties of users, programmers, and operators.
Verify that backup procedures are in place to prevent data and
program loss due to system failures, errors, and so on.
Verify that systems selection and acquisition procedures
produce applications that are high quality, and protected from
unauthorized changes.
Verify that the system is free from viruses and adequately
protected to minimize the risk of becoming infected with a
virus or similar object.

Audit Procedures Associated with PC

The auditor should observe that PCs are physically anchored to reduce the opportunity of theft.
The auditor should verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems.
The auditor should confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
Where appropriate, the auditor should determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employee's job

If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.
By selecting a sample of backup files, the auditor can verify that backup procedures are being followed. By comparing data values and dates on the backup disks to production files, the auditor can assess the frequency and adequacy of backup procedures.
By selecting a sample of PCs, the auditor should verify that their commercial software packages were purchased from reputable vendors and are legal copies.
The auditor should review the organization's policy for using antiviral software.