Introduction. Controlling Information Systems. Threats to Computerised Information Systems. Why Are Systems Vulnerable?

Introduction

Controlling Information Systems
When computer systems fail to work as required, firms that depend heavily on them experience a serious loss of business function.
M7011 Peter Lo 2005 1

Threats to Computerised Information Systems
- Hardware failure
- Software failure
- Personnel actions
- Terminal access penetration
- Theft of data, services, equipment
- Fire
- Electrical problems
- User errors
- Program changes
- Telecommunications problems

Why Are Systems Vulnerable?
- A complex Information System cannot be replicated manually.
- Computerized procedures appear to be invisible and are not easily understood or audited.
- Disaster.
- Unauthorized individuals can gain access to systems.

Telecommunications in Systems
Advances in telecommunications and computer software have magnified vulnerabilities. Information Systems in different locations can be interconnected, so the potential for unauthorized access, abuse, or fraud exists at any access point in the network.

Hacker
A person who gains unauthorized access to a computer network for profit, criminal mischief, or personal pleasure.

Computer Virus
Software programs that are difficult to detect and that spread rapidly through computer systems, destroying data or disrupting processing and memory systems. Examples:
- Macro virus
- Worm

Antivirus Software
Software designed to detect and eliminate computer viruses from an Information System.

Disaster
Computer hardware, programs, data files, and other equipment can be destroyed by fires, power failures, or other disasters.

Fault-tolerant Computer Systems
Systems that contain extra hardware, software, and power supply components that can back a system up and keep it running to prevent system failure. They are used for critical applications with heavy on-line transaction processing requirements.

Security
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to Information Systems.

Where Errors Can Occur
Errors can occur at any of these stages:
- Data preparation
- Transmission
- Conversion
- Form completion
- Data entry
- Validation
- Processing
- File maintenance
- Output
- Distribution

Bugs
Program code defects or errors. Studies have shown that it is impossible to eliminate all bugs from large programs.

Maintenance Nightmare
Most organizations spend half of their Information System staff time on maintaining existing systems. Why are maintenance costs so high?
- Organizational change (structure, leadership, and surrounding environment) affects information requirements.
- Software complexity
- Faulty systems analysis and design

Data Quality Problems
Data that are inaccurate, untimely, or inconsistent with other sources of information can create serious operational and financial problems for a business. Poor data quality may stem from errors during data input or from faulty Information System and database design.

Controls
All the methods, policies, and procedures that ensure protection of the organization's assets, accuracy and reliability of its records, and operational adherence to management standards.

General Controls
Overall controls that establish a framework for controlling the design, security, and use of computer programs throughout an organization. General controls include:
- Controls over the system implementation process
- Software controls
- Physical hardware controls
- Computer operation controls
- Data security controls
- Administrative disciplines, standards, and procedures

Application Controls
Specific controls unique to each computerized application, such as payroll, accounts receivable, and order processing. They consist of controls applied from the user functional area of a particular system and from programmed procedures.

Implementation Controls
The audit of the systems development process at various points to make sure that it is properly controlled and managed.

Software Controls
Controls to ensure the security and reliability of software. They monitor the use of system software and prevent unauthorized access to software programs, system software, and computer programs.

Hardware Controls
Controls to ensure the physical security and correct performance of computer hardware:
- Access by authorized individuals only
- Protected against fire and humidity
- Emergency backup in case of power failure

Computer Operations Controls
Procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing. They include controls over the setup of computer processing jobs, operations software, and computer operations, and backup and recovery procedures for processing that ends abnormally.

Data Security Controls
Controls to ensure that data files on either disk or tape are not subject to unauthorized access, change, or destruction. Examples:
- Restrict physical access
- Use of passwords

Administrative Controls
Formalized standards, rules, procedures, and disciplines to ensure that the organization's controls are properly executed and enforced:
- Segregation of functions
- Written policies and procedures
- Supervision

Segregation of Functions
The principle of internal control that divides responsibilities and assigns tasks among people so that job functions do not overlap, to minimize the risk of errors and fraudulent manipulation of the organization's assets.

Written Policies and Procedures
They establish formal standards for controlling Information System operations. Procedures must be formalized in writing and authorized by the appropriate level of management. Accountabilities and responsibilities must be clearly specified.

Supervision
Supervision of personnel involved in control procedures ensures that the controls for an Information System are performing as intended.

Application Controls
Controls within each separate computer application. They include automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as:
- Input controls
- Processing controls
- Output controls

Input Controls
The procedures to check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling.

Control Totals
A type of input control that requires counting transactions or quantity fields prior to processing, for comparison and reconciliation after processing.

Edit Checks
Routines performed to verify input data and correct errors prior to processing:
- Reasonableness checks
- Format checks
- Existence checks (valid codes are being used)
- Dependency checks (a logical relationship is maintained), e.g. the relationship between a loan and its repayment

Processing Controls
The routines for establishing that data are complete and accurate during updating:
- Run control totals
- Computer matching
- Programmed edit checks

Run Control Totals
The procedures for controlling the completeness of computer updating by generating control totals that reconcile totals before and after processing.

Computer Matching
The processing control that matches input data to information held on master files. E.g. match employee time cards with a payroll master file and report missing or duplicate time cards.

Programmed Edit Checks
Reasonableness or dependency checks performed during updating rather than at input. E.g. check an electricity bill against the previous bill.

Output Controls
Measures that ensure the results of computer processing are accurate, complete, and properly distributed. Typical output controls:
- Balancing output totals with input and processing totals
- Reviews of computer processing logs
- Formal procedures and documentation
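The input and processing controls described on the preceding slides (edit checks, control totals, computer matching and run control totals), worked through on a constructed batch of payroll time cards. This is example code added for this page, not from the lecture; the master file, department codes, the 80-hour bound and the pay calculation are assumptions made for illustration.

```python
"""Input and processing controls from the slides (edit checks, control totals,
computer matching, run control totals) run over a constructed batch of payroll
time cards. Example code added for this page, not from the lecture; the
master file, codes and thresholds are made up for illustration."""
import re
from collections import Counter

MASTER = {"E001": "SALES", "E002": "OPS", "E003": "OPS", "E004": "IT"}  # constructed
VALID_DEPTS = {"SALES", "OPS", "IT"}
MAX_WEEKLY_HOURS = 80   # reasonableness bound for one time card

def edit_checks(rec):
    """Input control: return the list of edit-check failures for one record."""
    errs = []
    if not re.fullmatch(r"E\d{3}", rec.get("emp_id", "")):   # format check
        errs.append("format: emp_id")
    if rec.get("dept") not in VALID_DEPTS:                   # existence check
        errs.append("existence: dept code")
    hours = rec.get("hours", 0)
    if not 0 <= hours <= MAX_WEEKLY_HOURS:                   # reasonableness check
        errs.append("reasonableness: hours")
    if rec.get("overtime", 0) > 0 and hours <= 40:           # dependency check
        errs.append("dependency: overtime without >40 hours")
    return errs

def control_totals(records):
    """Record count and hours total, taken before and after processing."""
    return {"count": len(records), "hours": sum(r["hours"] for r in records)}

def computer_matching(records):
    """Processing control: match time cards against the master file."""
    seen = Counter(r["emp_id"] for r in records)
    return {"missing": sorted(set(MASTER) - set(seen)),
            "duplicates": sorted(e for e, c in seen.items() if c > 1),
            "unknown": sorted(set(seen) - set(MASTER))}

def process_batch(records):
    """Edit-check the batch, update accepted records, reconcile run totals."""
    before = control_totals(records)
    checked = [(r, edit_checks(r)) for r in records]
    accepted = [r for r, errs in checked if not errs]
    rejected = [(r["emp_id"], errs) for r, errs in checked if errs]
    processed = [dict(r, pay=r["hours"] * 10) for r in accepted]   # the update
    after = control_totals(processed)
    # Run control totals: input totals must equal processed + rejected totals.
    rejected_hours = sum(r["hours"] for r, errs in checked if errs)
    balanced = (before["count"] == after["count"] + len(rejected)
                and before["hours"] == after["hours"] + rejected_hours)
    return {"before": before, "after": after, "rejected": rejected,
            "balanced": balanced, "matching": computer_matching(records)}

BATCH = [   # constructed input batch of time cards
    {"emp_id": "E001", "dept": "SALES", "hours": 40, "overtime": 0},
    {"emp_id": "E002", "dept": "OPS", "hours": 45, "overtime": 5},
    {"emp_id": "E002", "dept": "OPS", "hours": 45, "overtime": 5},  # duplicate card
    {"emp_id": "E9", "dept": "HR", "hours": 99, "overtime": 3},     # 3 edit failures
    {"emp_id": "E003", "dept": "OPS", "hours": 38, "overtime": 2},  # dependency fails
]

if __name__ == "__main__":
    print(process_batch(BATCH))
```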

Firewall
It controls access to the organization's internal networks. It identifies names, IP addresses, applications, and other characteristics of incoming traffic.

Firewall Technologies: Proxies
A proxy stops data originating outside the organization at the firewall, inspects them, and passes a proxy to the other side of the firewall. It is more secure than stateful inspection, but consumes more resources, degrading network performance.

Firewall Technologies: Stateful Inspection
It scans each packet of incoming data, checking its source and destination addresses or services. User-defined access rules must identify every type of packet that the organization does not want to admit. It is less secure, because some data pass through the firewall.

Firewall Policy
To create a good firewall, someone must write and maintain the internal rules identifying the people, applications, or addresses that are allowed or rejected, in very fine detail.
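A packet-filter policy of the kind the Firewall Policy slide describes, as an ordered rule table with first-match semantics. This is example code added for this page, not from the lecture; the addresses, ports and rules are constructed. It also shows the weakness the stateful-inspection slide points at: when the default is to admit anything not explicitly rejected, a service nobody wrote a rule for passes through, whereas a default of deny keeps it out.

```python
"""Firewall policy as an ordered rule table with first-match semantics.
Example code added for this page, not from the lecture; all addresses,
ports and rules are constructed for illustration."""
import ipaddress

# Rule: (action, source network, destination network, protocol, dest port).
# None means "any". Rules are checked top to bottom; the first match decides.
RULES = [
    ("allow", "0.0.0.0/0",       "192.0.2.10/32", "tcp", 443),   # public web server
    ("deny",  "0.0.0.0/0",       "192.0.2.0/24",  "tcp", 23),    # never admit telnet
    ("allow", "198.51.100.0/24", "192.0.2.20/32", "tcp", 22),    # admin network only
    ("allow", "0.0.0.0/0",       "192.0.2.0/24",  "icmp", None),
]

def matches(rule, pkt):
    """True when the packet's addresses, protocol and port all fit the rule."""
    _action, src, dst, proto, port = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and (proto is None or proto == pkt["proto"])
            and (port is None or port == pkt.get("dport")))

def decide(pkt, rules=RULES, default="deny"):
    """Return (action, index of the matching rule or None for the default).

    default="deny" is the allow-list policy: only what a rule admits gets in.
    default="allow" is the reject-list policy described on the stateful
    inspection slide: only what a rule names is kept out."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[0], i
    return default, None

# Constructed inbound packets for the two policies.
WEB = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
TELNET = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}
SSH_OUTSIDE = {"src": "203.0.113.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 22}
SSH_ADMIN = {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 22}
UNLISTED = {"src": "203.0.113.5", "dst": "192.0.2.30", "proto": "tcp", "dport": 3389}

if __name__ == "__main__":
    for name, pkt in [("web", WEB), ("telnet", TELNET), ("ssh from outside", SSH_OUTSIDE),
                      ("ssh from admin net", SSH_ADMIN), ("unlisted service", UNLISTED)]:
        print(f"{name:20} default deny -> {decide(pkt)}   "
              f"default allow -> {decide(pkt, default='allow')}")
```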

Encryption
The coding of messages to prevent their being read or accessed without authorization. A message can be encrypted by applying a secret numerical code called an encryption key. In order to be read, the message must be decrypted with a matching key.

Authentication
The ability of each party in a transaction to ascertain the identity of the other party.

Encryption: Single Key
Encrypt and decrypt with the same key.
- How do you get the key safely to the other party?
- What if there are many people involved?
- Fast encryption and decryption
- DES: old and falls to brute-force attacks
- Triple DES: old but slightly harder to break with brute force
- AES: new standard
[Diagram: single key, e.g. AES. The sender applies AES with key 9837362 to the plain text message to produce encrypted text; the receiver applies AES with the same key 9837362 to the encrypted text to recover the plain text message.]

Encryption: Dual Key
[Diagram: Alice sends a message to Bob that only he can read. Public keys: Alice 29, Bob 17. Private keys: Alice 13, Bob 37. Alice encrypts the message using Bob's public key; Bob decrypts it using his private key.]

Dual Key: Authentication
[Diagram: Bob sends a message to Alice. Bob applies his private key (37) to the message, giving Encrypt+M, then Alice's public key (29), giving Encrypt+T+M, which is transmitted. Alice applies her private key (13), giving Encrypt+T, then Bob's public key (17) to recover the message. Public keys: Alice 29, Bob 17.]
Bob sends a message to Alice: his key guarantees it came from him, and her key prevents anyone else from reading the message.

Certificate Authority
- An imposter could sign up for a public key, so a trusted organization is needed.
- Only Verisign today, a public company with no regulation.
- Verisign mistakenly issued a certificate to an imposter claiming to work for Microsoft in 2001.
[Diagram: How does Alice know that it is really Bob's key? Alice trusts the C.A.; the C.A. validates applicants. Public keys: Alice 29, Bob 17. Alice uses Bob's public key.]

Message Integrity
The ability to ascertain that a transmitted message has not been copied or altered.

Digital Signature
A digital code that can be attached to an electronically transmitted message to uniquely identify its contents and the sender.
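The two dual-key exchanges above (Alice to Bob with his public key only; Bob to Alice with his private key and then her public key), worked through with textbook RSA on tiny primes so that the role of each key is visible. This is example code added for this page, not from the lecture; the primes, exponents, the imposter's key pair and the message are constructed, and the per-byte, unpadded scheme is an illustration only, not something to protect real data with.

```python
"""Dual-key exchange from the slides (confidentiality on slide 44, origin plus
confidentiality on slide 45) using textbook RSA on tiny primes, one byte at a
time and without padding. Example code added for this page, not from the
lecture: it shows which key is used where and is never usable for real data.
Primes, exponents and the message are constructed."""

def make_keypair(p, q, e):
    """Return (public, private) as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # pow(e, -1, m) needs Python 3.8+

def apply_key(value, key):
    """One RSA operation, value^exponent mod modulus, with either key."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the key modulus")
    return pow(value, exponent, modulus)

# Moduli are ordered so each inner result fits the next key (toy constraint).
BOB_PUB, BOB_PRIV = make_keypair(61, 53, 17)        # n = 3233
ALICE_PUB, ALICE_PRIV = make_keypair(101, 103, 7)   # n = 10403
EVE_PUB, EVE_PRIV = make_keypair(47, 59, 5)         # n = 2773, an imposter

def send_confidential(message, receiver_pub):
    """Slide 44: only the holder of the matching private key can read it."""
    return [apply_key(b, receiver_pub) for b in message]

def read_confidential(cipher, receiver_priv):
    return bytes(apply_key(c, receiver_priv) for c in cipher)

def send_authenticated(message, sender_priv, receiver_pub):
    """Slide 45: sender's private key first (proves origin), then the
    receiver's public key (keeps it private to the receiver)."""
    return [apply_key(apply_key(b, sender_priv), receiver_pub) for b in message]

def read_authenticated(transmission, receiver_priv, sender_pub):
    """Undo the layers in reverse. Returns None when the result is not a
    byte string, which happens when the sender's key does not match."""
    values = [apply_key(apply_key(c, receiver_priv), sender_pub) for c in transmission]
    return None if any(v > 255 for v in values) else bytes(values)

def demo():
    """Genuine exchange from Bob, then the same message forged by Eve."""
    msg = b"pay 100"
    wire = send_authenticated(msg, BOB_PRIV, ALICE_PUB)
    genuine = read_authenticated(wire, ALICE_PRIV, BOB_PUB)
    # Eve uses her own private key while claiming to be Bob: checking with
    # Bob's public key does not give back the message she sent.
    forged_wire = send_authenticated(msg, EVE_PRIV, ALICE_PUB)
    forged = read_authenticated(forged_wire, ALICE_PRIV, BOB_PUB)
    return genuine, forged

if __name__ == "__main__":
    print(demo())
```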

Digital Certificate
An attachment to an electronic message to verify the identity of the sender and to provide the receiver with the means to encode a reply. A digital certificate system uses a trusted third party known as a certificate authority (CA) to verify a user's identity.

Secure Electronic Transaction (SET)
A special electronic payment system for the Internet. It encrypts credit card payment data over the Internet and other open networks.

How Much Control?
Criteria:
- Importance of its data
- The cost-effectiveness of controls
- Level of risk

Risk Assessment
Determining the potential frequency of the occurrence of a problem and the potential damage if the problem were to occur. Used to determine the cost/benefit of a control.

Auditing Information Systems
To find out whether Information System controls are effective. An audit identifies all the controls that govern individual Information Systems and assesses their effectiveness. The auditor must acquire a thorough understanding of operations, physical facilities, telecommunications, control systems, data security objectives, organizational structure, personnel, manual procedures, and individual applications. The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact of each threat. Management is expected to devise a plan for countering significant weaknesses in controls.

Securing E-Commerce Servers
- Install and maintain a working network firewall to protect data accessible via the Internet.
- Keep security patches up to date.
- Encrypt stored data.
- Encrypt data sent across networks.
- Use and regularly update anti-virus software.
- Restrict access to data by business "need to know".
- Assign a unique ID to each person with computer access to data.
- Don't use vendor-supplied defaults for system passwords and other security parameters.
- Track access to data by unique ID.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
- Restrict physical access to cardholder information.