Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Transcription

1 Introduction Controlling Information Systems When computer systems fail to work as required, firms that depend heavily on them experience a serious loss of business function. M7011 Peter Lo M7011 Peter Lo Threats to Computerised Information System Hardware failure Software failure Personnel actions Terminal access penetration Theft of data, services, equipment Fire Electrical problems User errors Program changes Telecommunications problems Why System are Vulnerable? A complex Information System cannot be replicated manually Computerized procedures appear to be invisible and are not easily understood or audited Disaster Unauthorized individuals can gain access to systems. M7011 Peter Lo M7011 Peter Lo

2 Telecommunications in System Advances in telecommunications and computer software have magnified vulnerabilities. Information System in different locations can be interconnected. The potential for unauthorized access, abuse, or fraud can occur at any access point in the network. Hacker A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure. M7011 Peter Lo M7011 Peter Lo Computer Virus Software programs that are difficult to detect that spread rapidly through computer systems, destroying data or disrupting processing and memory systems. Example Macro virus Worm Antivirus Software Software designed to detect, eliminate computer viruses from an Information System. M7011 Peter Lo M7011 Peter Lo

3 Disaster Computer hardware, programs, data files, and other equipment can be destroyed by fires, power failures, or other disasters. Fault-tolerant Computer Systems Systems that contain extra hardware, software, and power supply components that can back a system up and keep it running to prevent system failure. They are used for critical applications with heavy on-line transaction processing requirements. M7011 Peter Lo M7011 Peter Lo Security Errors can occur in Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to Information System. Data preparation Transmission Conversion Form completion Data entry Validation Processing File Maintenance Output Distribution M7011 Peter Lo M7011 Peter Lo

4 Bugs Program code defects or errors. Studies shown it is impossible to eliminate all bugs from large programs. Maintenance Nightmare Most organizations spent half Information System staff time in existing systems maintenance. Why maintenance costs so high? Organizational change (structure, leadership, and surrounding environment) affect information requirements. Software complexity Faulty systems analysis & design M7011 Peter Lo M7011 Peter Lo Data Quality Problems Data that are inaccurate, untimely, or inconsistent with other sources of information can create serious operational and financial problems for business. Poor data quality may stem from errors during data input or faulty Information System and database design. Controls All the methods, policies, and procedures that ensure protection of the organization s assets, accuracy and reliability of its records, and operational adherence to management standards. M7011 Peter Lo M7011 Peter Lo

5 General Controls Application Controls Overall controls that establish a framework for controlling the design, security, and use of computer programs throughout an organization. General controls include Controls over the system implementation process Software controls Physical hardware controls Computer operation controls Data security controls Administrative disciplines, standards, and procedures. Specific controls unique to each computerized application, such as payrolls, account receivable, and order processing. They consist of controls applied from the user functional area of a particular system and from programmed procedures. M7011 Peter Lo M7011 Peter Lo Implementation Controls The audit of the systems development process at various points to make sure that it is properly controlled and managed. Software Controls Controls to ensure the security and reliability of software. It monitors the use of system software and prevent unauthorized access of software programs, system software, and computer programs. M7011 Peter Lo M7011 Peter Lo

6 Hardware Controls Computer Operations Controls Controls to ensure the physical security and correct performance of computer hardware. Access by authorized individuals only Protected against fires and humidity Emergency backup in case of power failure Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing. Include controls over the setup of computer processing jobs, operations software, and computer operations, and backup & recovery procedures for processing that ends abnormally. M7011 Peter Lo M7011 Peter Lo Data Security Controls Administrative Controls Controls to ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction. Example: Restrict physical access Use of password Formalized standards, rules, procedures, and disciplines to ensure that the organization s controls are properly executed and enforced. Segregation of functions Written policies and procedures Supervision M7011 Peter Lo M7011 Peter Lo

7 Segregation of Functions The principle of internal control to divide responsibilities and assign tasks among people so that job functions do not overlap, to minimize the risk of errors and fraudulent manipulation of the organization s assets. Written Policies and Procedures They establish formal standards for controlling Information System operations. Procedures must be formalized in writing and authorized by the appropriate level of management. Accountabilities and responsibilities must be clearly specified. M7011 Peter Lo M7011 Peter Lo Supervision Supervision of personnel involved in control procedures ensures that the controls for an Information System are performing as intended. Application Controls Controls within each separate computer application. They include automated and manual procedures that ensure that only authorized data are completely and accurately processed by that applications. Application controls can be classified as Input controls Processing controls Output controls M7011 Peter Lo M7011 Peter Lo

8 Input Controls The procedures to check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling. Control Totals A type of input control that requires counting transactions or quantity fields prior to processing for comparison and reconciliation after processing. M7011 Peter Lo M7011 Peter Lo Edit Checks Routines performed to verify input data and correct errors prior to processing. Reasonableness checks Format checks Existence checks (valid codes are being used) Dependency checks (logical relationship is maintained) E.g. a relationship between loan and repayment. Processing Controls The routines for establishing that data are complete and accurate during updating. Run Control Totals Computer Matching Programmed Edit Checks M7011 Peter Lo M7011 Peter Lo

9 Run Control Totals The procedures for controlling completeness of computer updating by generating control totals that reconcile totals before and after processing. Computer Matching The processing control that matches input data to information held on master files. E.g. match employee time cards with a payroll master file and report missing or duplicate time cards. M7011 Peter Lo M7011 Peter Lo Programmed Edit Checks Reasonable or dependency check during updating rather than input. E.g. check electric bill with previous bill. Output Controls Measures that ensure the results of computer processing are accurate, complete and properly distributed. Typical output controls: Balancing output totals with input and processing totals Reviews of computer processing logs Formal procedures and documentation M7011 Peter Lo M7011 Peter Lo

10 Firewall It controls access to the organization s internal networks. It identifies names, IP addresses, applications and other characteristics of incoming traffic. Firewall Technologies Proxies It stops data originating outside the organization at the firewall, inspect them, and pass a proxy to the other side of the firewall. More secure than Stateful inspection. Consume more resources, degrading network performance. M7011 Peter Lo M7011 Peter Lo Firewall Technologies Stateful Inspection It scans each packet of incoming data, checking its source, destination addresses, or services. User-defined access rules must identify every type of packet that the organization does not want to admit. Less secure because some data pass through the firewall. Firewall Policy To create a good firewall, someone must write and maintain the internal rules identifying the people, applications, or addresses that are allowed or rejected in very fine detail. M7011 Peter Lo M7011 Peter Lo

11 Encryption The coding of messages to prevent their being read or accessed without authorization. A message can be encrypted by applying a secret numerical code called an encryption key. In order to read, the message must be decrypted with a matching key. Authentication The ability of each party in a transaction to ascertain the identity of the other party. M7011 Peter Lo M7011 Peter Lo Encryption: Single Key Encrypt and decrypt with the same key How do you get the key safely to the other party? What if there are many people involved? Fast encryption and decryption DES - old and falls to brute force attacks Triple DES - old but slightly harder to break with brute force. AES - new standard Key: Single key: e.g., AES Key: Plain text message AES Encrypted text Encrypted text AES Plain text message Encryption: Dual Key Message Message Encrypted Alice Bob Private Key Public Keys 13 Use Private Key Use Alice 29 Bob s 37 Bob s Bob 17 Private key Public key Alice sends message to Bob that only he can read. M7011 Peter Lo M7011 Peter Lo

12 Dual Key: Authentication Alice Message Private Key 13 Use Alice s Private key Encrypt+M Public Keys Alice 29 Bob 17 Use Bob s Public key Transmission Encrypt+T+M Use Alice s Public key Encrypt+T Message Bob Private Key Use 37 Bob s Private key Bob sends message to Alice: His key guarantees it came from him. Her key prevents anyone else from reading message. M7011 Peter Lo Certificate Authority Public key Imposter could sign up for a public key. Need trusted organization. Only Verisign today, a public company with no regulation. Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in Alice How does Alice know that it is really Bob s key? Trust the C.A. C.A. validate applicants Public Keys Alice 29 Use Bob 17 Bob s Public key M7011 Peter Lo Message Integrity The ability to ascertain that a transmitted message has not been copied or altered. Digital Signature A digital code that can be attached to an electronically transmitted message to uniquely identify its contents and the sender. M7011 Peter Lo M7011 Peter Lo

13 Digital Certificate Secure Electronic Transaction (SET) An attachment to an electronic message to verify the identity of the sender and to provide the receiver with the means to encode a reply. A digital certificate system uses a trusted third party known as a certificate authority (CA) to verify a user s identity. A special electronic payment systems for the Internet. It encrypts credit card payment data over the Internet and other open networks. M7011 Peter Lo M7011 Peter Lo How much Control? Criteria Importance of its data The cost-effectiveness of controls Level of risk Risk Assessment Determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. Used to determine the cost/benefit of a control. M7011 Peter Lo M7011 Peter Lo

14 Auditing Information System To find out whether Information System controls are effective. It identifies all the controls that govern individual Information System and assesses their effectiveness. Auditor must acquire a thorough understanding of operations, physical facilities, telecommunications, control systems, data security objectives, organizational structure, personnel, manual procedures, and individual applications. The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assess the financial and organizational impact of each threat. Management is expected to devise a plan for countering significant weaknesses in controls. M7011 Peter Lo Securing E-Commerce Servers Install and maintain a working network firewall to protect data accessible via the Internet. Keep security patches up-to-date. Encrypt stored data. Encrypt data sent across networks. Use and regularly update anti-virus software. Restrict access to data by business "need to know." Assign a unique ID to each person with computer access to data. Don't use vendor-supplied defaults for system passwords and other security parameters. Track access to data by unique ID. Regularly test security systems and processes. Maintain a policy that addresses information security for employees and contractors. Restrict physical access to cardholder information. M7011 Peter Lo