ch7 lecture slides
-
7/28/2019 CH7 Lecture Slides
1/30
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 222
CHAPTER 7
Information Systems Controls
for Systems Reliability
Part 1: Information Security
-
INTRODUCTION
One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
It provides an accurate, complete, and timely picture of the organization's activities.
It is available when needed.
The information, and the system that produces it, are protected from loss, compromise, and theft.
-
INTRODUCTION
The five basic principles that contribute to systems reliability:
[Figure: systems reliability diagram, foundation labelled SYSTEMS RELIABILITY]
-
INTRODUCTION
The five basic principles that
contribute to systems reliability:
Security: Access to the system and its data is controlled.
[Figure: systems reliability diagram with the SECURITY layer added]
-
INTRODUCTION
The five basic principles that
contribute to systems reliability:
Security
Confidentiality: Sensitive information is protected from unauthorized disclosure.
[Figure: systems reliability diagram with the SECURITY and CONFIDENTIALITY layers]
-
INTRODUCTION
The five basic principles that
contribute to systems reliability:
Security
Confidentiality
Privacy: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
[Figure: systems reliability diagram with the SECURITY, CONFIDENTIALITY and PRIVACY layers]
-
INTRODUCTION
The five basic principles that contribute to systems reliability:
Security
Confidentiality
Privacy
Processing integrity: Data is processed:
Accurately
Completely
In a timely manner
With proper authorization
[Figure: systems reliability diagram with the SECURITY, CONFIDENTIALITY, PRIVACY and PROCESSING INTEGRITY layers]
-
INTRODUCTION
The five basic principles that contribute to systems reliability:
Security
Confidentiality
Online privacy
Processing integrity
Availability: The system is available to meet operational and contractual obligations.
[Figure: systems reliability diagram with all five layers: SECURITY, CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY, AVAILABILITY]
-
INTRODUCTION
Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:
Restrict system access to only authorized users and protect:
The confidentiality of sensitive organizational data.
The privacy of personal identifying information collected from customers.
[Figure: systems reliability diagram with all five layers, SECURITY at the base]
-
INTRODUCTION
Security procedures also:
Provide for processing integrity by preventing:
Submission of unauthorized or fictitious transactions.
Unauthorized changes to stored data or programs.
Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
[Figure: systems reliability diagram with all five layers, SECURITY at the base]
-
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
There are three fundamental information
security concepts that will be discussed in
this chapter:
Security as a management issue, not a
technology issue.
The time-based model of security.
Defense in depth.
-
FUNDAMENTAL INFORMATION
SECURITY CONCEPTS
There are three fundamental information
security concepts that will be discussed in
this chapter:
Security is a management issue, not a
technology issue.
The time-based model of security.
Defense in depth.
-
TIME-BASED MODEL OF SECURITY
Given enough time and resources, any preventive control can be circumvented.
Consequently, effective control requires supplementing preventive procedures with:
Methods for detecting incidents; and
Procedures for taking corrective remedial action.
Detection and correction must be timely, especially for information security, because once preventive controls have been breached, it takes little time to destroy, compromise, or steal the organization's economic and information resources.
-
DEFENSE IN DEPTH
The idea of defense-in-depth is to employ multiple layers of controls to avoid having a single point of failure.
If one layer fails, another may function as planned.
Information security involves using a combination of firewalls, passwords, and other preventive procedures to restrict access.
Redundancy also applies to detective and corrective controls.
-
PREVENTIVE CONTROLS
The objective of preventive controls is to prevent security incidents from happening.
Involves two related functions:
Authentication
Focuses on verifying the identity of the person or device attempting to gain access.
Authorization
Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
-
PREVENTIVE CONTROLS
Each authentication method has its
limitations.
Passwords
Physical identification techniques
Biometric techniques
-
PREVENTIVE CONTROLS
Although none of the three basic authentication methods is foolproof by itself, the use of two or three in conjunction, known as multi-factor authentication, is quite effective.
Example: Using a palm print and a PIN number together is much more effective than using either method alone.
-
PREVENTIVE CONTROLS
Authorization controls are implemented by creating an access control matrix.
Specifies what part of the IS a user can access and what actions they are permitted to perform.
When an employee tries to access a particular resource, the system performs a compatibility test that matches the user's authentication credentials against the matrix to determine if the action should be allowed.
-
PREVENTIVE CONTROLS
Who has the authority to delete Program 2?

Access control matrix (columns: User Identification | Files | Programs):

Code Number   Password   Files: A  B  C   Programs: 1  2  3  4
12345         ABC               0  0  1             0  0  0  0
12346         DEF               0  2  0             0  0  0  0
12354         KLM               1  1  1             0  0  0  0
12359         NOP               3  0  0             0  0  0  0
12389         RST               0  1  0             0  3  0  0
12567         XYZ               1  1  1             1  1  1  1

Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
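The compatibility test described on the previous slide, implemented as an added example (this is not code from the slides or the textbook). It loads the six rows of the slide's matrix, authenticates by code number and password, and then compares the matrix entry against the level the requested action needs. The action-to-level mapping (read/display need 1, update needs 2, create/delete need 3) follows the slide's code legend; the resource names, the `AccessControlMatrix` class and its method names, and the choice to store a salted PBKDF2 hash rather than the plaintext password shown on the slide are assumptions of this example.

```python
import hashlib
import hmac
import os

# Access codes exactly as the slide's legend defines them.
NO_ACCESS, READ, UPDATE, FULL = 0, 1, 2, 3

# Minimum access code an action needs. The action names are an assumption;
# the slide defines the codes but not a vocabulary of request types.
REQUIRED_LEVEL = {
    "read": READ,
    "display": READ,
    "update": UPDATE,
    "create": FULL,
    "delete": FULL,
}

# Column order of the slide's matrix: files A, B, C then programs 1 to 4.
RESOURCES = ["File A", "File B", "File C",
             "Program 1", "Program 2", "Program 3", "Program 4"]

# Rows transcribed from the slide: (code number, password, access codes).
SLIDE_MATRIX = [
    ("12345", "ABC", [0, 0, 1, 0, 0, 0, 0]),
    ("12346", "DEF", [0, 2, 0, 0, 0, 0, 0]),
    ("12354", "KLM", [1, 1, 1, 0, 0, 0, 0]),
    ("12359", "NOP", [3, 0, 0, 0, 0, 0, 0]),
    ("12389", "RST", [0, 1, 0, 0, 3, 0, 0]),
    ("12567", "XYZ", [1, 1, 1, 1, 1, 1, 1]),
]


def _hash_password(password: str, salt: bytes) -> bytes:
    # The slide shows passwords in clear; a real system keeps only a salted hash
    # (an assumption of this example, not something the slide prescribes).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccessControlMatrix:
    def __init__(self, rows):
        self._users = {}
        for code, password, levels in rows:
            salt = os.urandom(16)
            self._users[code] = {
                "salt": salt,
                "pw_hash": _hash_password(password, salt),
                "levels": dict(zip(RESOURCES, levels)),
            }

    def authenticate(self, code: str, password: str) -> bool:
        """Authentication: is this code number / password pair genuine?"""
        user = self._users.get(code)
        if user is None:
            # Hash anyway so an unknown code number costs the same time as a wrong password.
            _hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))

    def compatibility_test(self, code: str, password: str, resource: str, action: str) -> bool:
        """Authorization: authenticate, then check the matrix entry for the requested action."""
        if not self.authenticate(code, password):
            return False
        required = REQUIRED_LEVEL.get(action)
        if required is None:
            return False  # unknown action: deny by default
        granted = self._users[code]["levels"].get(resource, NO_ACCESS)
        return granted >= required

    def who_can(self, resource: str, action: str):
        """The slide's question: which code numbers may perform `action` on `resource`?"""
        required = REQUIRED_LEVEL[action]
        return sorted(code for code, u in self._users.items()
                      if u["levels"].get(resource, NO_ACCESS) >= required)


ACM = AccessControlMatrix(SLIDE_MATRIX)

if __name__ == "__main__":
    print("Can delete Program 2:", ACM.who_can("Program 2", "delete"))
```

Running it answers the slide's question: only user 12389 holds code 3 for Program 2, so only that user may delete it. User 12567 has an entry for every resource but only at level 1, so the same delete request is refused even with the right password, and an unrecognised action is refused rather than guessed at.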
-
PREVENTIVE CONTROLS
These are the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.
-
DETECTIVE CONTROLS
Preventive controls are never 100% effective in blocking all attacks.
So organizations implement detective controls to enhance security by:
Monitoring the effectiveness of preventive controls; and
Detecting incidents in which preventive controls have been circumvented.
-
DETECTIVE CONTROLS
Authentication and authorization controls (both preventive and detective) govern access to the system and limit the actions that can be performed by authorized users.
Actual system use (detective control) must be examined to assess compliance through:
Log analysis
Intrusion detection systems
Managerial reports
Periodically testing the effectiveness of existing security procedures
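Log analysis, the first detective control on the slide above, as an added example that is not from the slides or the textbook. A few constructed log lines (the log format is invented here; the user code numbers are borrowed from the access control matrix slide) are parsed and checked for three things a reviewer of authentication and authorization logs would look for: one user collecting several denied requests in a short span, a burst of failed logins, and activity outside business hours. The per-user counts at the end are the kind of figures a managerial report would carry. The thresholds, time windows and business hours are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one authentication or authorization decision per line.
SAMPLE_LOG = """\
2019-07-28T09:01:12 event=login user=12354 result=OK
2019-07-28T09:02:40 event=access user=12354 resource=FileA action=read result=ALLOWED
2019-07-28T09:03:05 event=access user=12354 resource=Program2 action=delete result=DENIED
2019-07-28T09:03:09 event=access user=12354 resource=Program3 action=update result=DENIED
2019-07-28T09:03:14 event=access user=12354 resource=Program4 action=delete result=DENIED
2019-07-28T09:03:20 event=access user=12354 resource=FileC action=create result=DENIED
2019-07-28T10:15:00 event=login user=12389 result=OK
2019-07-28T10:15:30 event=access user=12389 resource=Program2 action=delete result=ALLOWED
2019-07-28T23:40:02 event=login user=12567 result=OK
2019-07-28T23:41:10 event=access user=12567 resource=FileB action=read result=ALLOWED
2019-07-29T02:10:00 event=login user=12345 result=FAIL
2019-07-29T02:10:05 event=login user=12345 result=FAIL
2019-07-29T02:10:11 event=login user=12345 result=FAIL
2019-07-29T02:10:18 event=login user=12345 result=FAIL
2019-07-29T02:10:25 event=login user=12345 result=FAIL
2019-07-29T02:10:31 event=login user=12345 result=OK
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than abort the review
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = datetime.fromisoformat(m.group(1))
        records.append(fields)
    return records


def _window_hits(timestamps, threshold, window):
    """True if `threshold` or more timestamps fall inside some span of length `window`."""
    ts = sorted(timestamps)
    j = 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def find_authorization_probing(records, threshold=3, window=timedelta(minutes=5)):
    """Users whose requests were DENIED `threshold` times within `window`: an
    authenticated user pushing past what the matrix grants them."""
    denied = defaultdict(list)
    for r in records:
        if r["event"] == "access" and r["result"] == "DENIED":
            denied[r["user"]].append(r["ts"])
    return sorted(u for u, t in denied.items() if _window_hits(t, threshold, window))


def find_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Users with `threshold` failed logins inside `window`, mapped to whether a
    successful login followed the failures (the more urgent case)."""
    fails, last_ok = defaultdict(list), {}
    for r in records:
        if r["event"] != "login":
            continue
        if r["result"] == "FAIL":
            fails[r["user"]].append(r["ts"])
        elif r["result"] == "OK":
            last_ok[r["user"]] = r["ts"]
    return {u: (u in last_ok and last_ok[u] > max(t))
            for u, t in fails.items() if _window_hits(t, threshold, window)}


def find_off_hours_activity(records, start_hour=8, end_hour=18):
    """Users with any event outside the assumed business hours."""
    return sorted({r["user"] for r in records
                   if not start_hour <= r["ts"].hour < end_hour})


def managerial_report(records):
    """Per-user counts of ALLOWED and DENIED access decisions."""
    report = defaultdict(Counter)
    for r in records:
        if r["event"] == "access":
            report[r["user"]][r["result"]] += 1
    return {u: dict(c) for u, c in report.items()}


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("authorization probing:", find_authorization_probing(RECORDS))
    print("login bursts:", find_login_bursts(RECORDS))
    print("off-hours users:", find_off_hours_activity(RECORDS))
    print("report:", managerial_report(RECORDS))
```

On the sample, user 12354 is flagged for four denied requests in fifteen seconds, user 12345 for five failed logins followed by a success, and users 12345 and 12567 for activity around midnight. None of those is proof of an incident; the point of the detective control is that each one is now a question for a person to answer, which is why the report keeps the raw counts alongside the alerts.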
-
CORRECTIVE CONTROLS
COBIT specifies the need to identify and handle security incidents.
Two of the Trust Services framework criteria for effective security are the existence of procedures to:
React to system security breaches and other incidents.
Take corrective action on a timely basis.
-
CORRECTIVE CONTROLS
Three key components that satisfy the
preceding criteria are:
Establishment of a computer emergency
response team.
Designation of a specific individual with
organization-wide responsibility for security.
An organized patch management system.
-
CORRECTIVE CONTROLS
Computer emergency response team
A key component to being able to respond to security incidents promptly and effectively is the establishment of a computer emergency response team (CERT).
Responsible for dealing with major incidents.
Should include technical specialists and senior operations management.
Some potential responses have significant economic consequences (e.g., whether to temporarily shut down an e-commerce server) that require management input.
-
CORRECTIVE CONTROLS
A chief security officer (CSO):
Should be independent of other IS functions and report to either the COO or CEO.
Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
Disseminates info about fraud, errors, security breaches, improper system use, and consequences of these actions.
Works with the person in charge of building security, as that is often the entity's weakest link.
Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.
-
CORRECTIVE CONTROLS
Patch management is the process for regularly applying patches and updates to all of an organization's software.
Challenging to do because:
Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.