disaster recovery and business planning · pdf file- variation in processing. 3) system and...

28

Upload: vuthu

Post on 06-Mar-2018



DISASTER RECOVERY AND BUSINESS PLANNING (CHAPTER # 13-Wholly based upon ATFL (100%))

1. BUSINESS CONTINUITY PLAN (BCP): “BCP is a process designed to reduce organization business risk arising from unexpected disruption of critical operation necessary for survival of organization.” BCP is one of the stages in the development of organization-wide security policies.

Life cycle of BCP (Stages in development of BCP): The BCP process can be divided into the following life cycle phases:

1. Business Impact Analysis (BIA)

2. Classification of operation and criticality analysis (System risk ranking)

3. Developing recovery strategies (Off-site back up / Alternative processing facilities)

4. Training and awareness of people;

5. Testing and Implementation of plan

6. Monitoring.

1. BUSINESS IMPACT ANALYSIS (BIA): BIA is the first phase in developing the BCP. This phase involves “identifying” various events that could impact the continuity of operations and their financial, human and reputational “impact” on the organization.

2. CLASSIFICATION OF OPERATION AND CRITICALITY ANALYSIS (System risk ranking) (Refer to Page MRS-78)

3. DEVELOPING RECOVERY STRATEGIES (Off-site back up / Alternative processing facilities): The next phase in BCP is to develop various recovery strategies and select the most appropriate strategy for recovering from a disaster. Selection of recovery strategies would depend upon:

a) The criticality of the business process and the applications supporting the process;
b) Cost;
c) Time required to recover; and
d) Security.


There are many alternative recovery strategies; the most appropriate alternative in terms of the aforesaid criteria should be selected based upon the “relative risk level”. Some recovery strategies are as follows:

1. Hot sites
2. Warm sites
3. Cold sites (Refer to Page MRS-78)
4. Mobile sites
5. Reciprocal agreements with other organizations

5. Reciprocal agreements with other organizations: Under this typical agreement, participants promise to provide computer time to each other when an emergency arises. Critical questions to cover in a reciprocal agreement (considerations):

i. How much “time is available” at the host computer site?
ii. What “facilities and equipment are available”?
iii. Will “staff assistance” be provided?
iv. How “quickly can access be gained” to the host recovery facility?
v. Can “data and voice communication links” be established at the host site?
vi. How “long can emergency operation continue”?
vii. How “frequently” will the system be tested?
viii. How will “confidentiality” of data be maintained?
ix. What type of “security will be afforded” for IS systems operations and data?

Advantages (Reciprocal Agreements):
a) Low cost;
b) May be the only option available because hot sites are unavailable for unique equipment.

Disadvantages (Reciprocal Agreements):
a) Usually not enforceable;
b) Differences in equipment configurations;
c) Unnoticed changes in workloads or equipment configurations.

Contract with Hot, Warm and Cold Sites: (contractual provisions that should be considered) – (JUNE 2011 ATTEMPT)


Contractual provisions with the third party that should be covered by the agreement are as follows:
i. Configuration: are the vendor’s hardware and software configurations adequate for the company’s demand;
ii. Disaster: is the definition of disaster broad enough to meet anticipated needs;
iii. Speed of availability: how soon after a disaster will facilities be available;
iv. Subscribers per site: does the agreement limit the number of subscribers per site;
v. Subscribers per area: does the agreement limit the number of subscribers per area;
vi. Preference: who gets preference if there is a common or regional disaster;
vii. Insurance: is there adequate insurance coverage for the company’s employees;
viii. Usage period: how long is the facility available for use;
ix. Communication: are the communications adequate.

4. TRAINING AND AWARENESS OF PEOPLE (Try to do yourself)

5. TESTING AND IMPLEMENTATION OF PLAN (Recovery/Continuity plan testing): One of the purposes of a BCP test is to determine how well the plan works and which portions of the plan need improvement. It should be scheduled at a time that will minimize disruption to normal operations; weekends are generally a good time to conduct the test.

1. Specification: (Tasks that should be covered by the test) The test should accomplish the following tasks:
1. Verify the completeness and precision of the BCP;
2. Evaluate the performance of the personnel involved in the BCP;
3. Evaluate the coordination among the BCP team and external vendors and suppliers;
4. Measure the ability and capacity of backup sites to perform prescribed processing;
5. Assess the vital record retrieval capabilities;
6. etc… etc…

2. Test Execution: The following phases of the test should be completed:

• Pre-Test Phase
• Test Phase
• Post-Test Phase

1. Pre-Test Phase: It includes the actions necessary to set the stage for the actual test. For example, it ranges from transporting and installing backup equipment to placing tables in proper recovery areas.

2. Test Phase: It includes the real actions of the business continuity test. Actual operational activities are performed to test the specific objectives of the BCP. For example, data entry, IS processing, handling orders etc.

3. Post-Test Phase: It includes such assignments as returning all resources to their proper place, disconnecting equipment and returning personnel.

3. Documentation of Test: Detailed documentation of
• Observations;
• Problems; and
• Resolutions

should be maintained. This documentation serves as important historical information that can facilitate actual recovery during a real disaster.

6. CONTINUITY PLAN MAINTENANCE: (Monitoring) The responsibility for maintaining the business continuity plan often falls on the BCP coordinator. Plan responsibilities include:
a) Development of a schedule for periodic reviews and maintenance of the plan;
b) Review of revisions and comments and updating the plan within 30 days of the review date;
c) Participating in the scheduled plan test, writing evaluations and integrating test results;
d) Maintaining records of plan maintenance activities, testing, training and reviews;
e) etc etc……

2. OFF SITE LIBRARIES Definition: Secondary storage media (tape reels, hard drives, or cassettes) are used to store programs and associated data for backup purposes in order to ensure that the profit-seeking activities of the business are not interrupted in the event of a disaster. These tapes or secondary storage media are stored in one or more physical facilities known as off-site libraries.


Controls over Off-site Libraries: (All physical controls and physical access controls) Controls over off-site libraries are as follows:
1. Securing “physical access” to library contents;
2. Ensuring libraries can withstand “fire/heat” (minimum 2 hours);
3. “Locating the libraries” away from the computer room;
4. Ensuring that only “authorized persons have access” to the library and off-line media;
5. Ensuring that a “perpetual inventory of all storage media” and files stored in the library is maintained;
6. Ensuring that a “record of all storage media and files” moved into and out of the library is maintained;
7. Ensuring that a “record of information regarding” the contents, versions and locations of data files is maintained.

Documents to be backed up and stored in off-site libraries: The following documents are to be backed up and stored in off-site libraries (classification: documents to be backed up):
1) Operating Procedures: Operating system manuals, application run books etc.
2) Special Procedures: Any procedures or instructions other than ordinary, i.e.
- exception processing;
- emergency processing;
- variation in processing.
3) System and Program Documentation: Flow charts, data flow diagrams, program source code listings, program logic, etc.
4) Input Source Documents, Output Documents: duplicate copies, photocopies, performance of vital works, historical analysis, etc.
5) Business Continuity Plan: A copy of the correct plan for reference.

3. COMPONENTS OF EFFECTIVE BUSINESS CONTINUITY PLAN Components of an effective business continuity plan (BCP) are as follows:

i. Directory of key decision-making personnel;
ii. Information about backup of required supplies;
iii. Telecommunication network disaster recovery method;
iv. Server disaster recovery method;
v. Redundant array of inexpensive disks (RAID);
vi. Fault tolerant server; and
vii. Insurance. (December 2010 Attempt)

i. Directory of Key Decision-making Personnel: The plan should contain a directory of key decision-making IS personnel and end-user personnel required to initiate and carry out the recovery process. This is usually a telephone directory of people who should be notified in the event of a disaster or catastrophe.

ii. Information about backup of required supplies: It includes detailed, up-to-date hard copy procedures that can be easily followed by contract personnel who are unfamiliar with standard operations.

iii. Telecommunication network disaster recovery method: The plan should contain the organization’s telecommunication network and the procedures to ensure the continuity of the telecommunication capabilities. Telecommunication capabilities to consider include:
• Telephone voice circuits;
• WAN;
• LAN; and
• Third party electronic data interchange provider.

The methods of providing telecommunication continuity include:
i. Redundancy: (involves providing extra capacity in the plan, to be used when normal primary transmission capabilities are not available)
ii. Alternative Routing: (involves routing information via an alternate medium, i.e. copper cable or fiber optic)
iii. Diverse Routing: (involves routing information via split cable facilities or duplicate cable facilities)
iv. Long Haul Network Diversity: (involves recovery facilities the vendor has provided which ensure diverse long distance network availability)
v. “Last Mile” Circuit Protection:
vi. Voice Recovery:

iv. Server disaster recovery method: The plan for providing server continuity includes “operational failover methods” to prevent servers from going offline for any extended period of time.

v. Redundant Array of Inexpensive Disks (RAID): RAID provides “performance improvement and fault tolerant capabilities” via hardware and software solutions in which data is written across a series of multiple disks to improve performance.

vi. Fault tolerant servers:

vii. Insurance: (December 2010 Attempt)

4. AUDITING DISASTER RECOVERY PLAN Auditor tasks / procedures: Auditor tasks / procedures include the following:
1. Review BCP;
2. Evaluate prior test results;
3. Evaluate off-site storage;
4. Evaluate the ability of IS and user personnel to respond effectively in emergency situations;
5. Review insurance coverage.

1. Review BCP: When reviewing the BCP, the IS auditor should verify that the basic elements of the BCP are evident. Procedures include:

i. Obtain a current copy of the BCP or manual;
ii. Sample the distributed copies of the plan and verify that they are current;
iii. Determine if all applications have been reviewed for their level of tolerance in the event of a disaster;
iv. Determine if all the critical applications have been identified;
v. Verify that all the software is compatible, otherwise the system will not be able to process production data;
vi. Review the list of BCP personnel, emergency hot site contracts, emergency vendor contracts etc. for appropriateness and completeness;
vii. etc etc….

2. Evaluate Prior Test Results: The IS auditor should review the results of prior BCP tests and ensure that the actions requiring corrections have been incorporated into the plan. The IS auditor should also evaluate prior tests to determine that appropriate results have been achieved, and to identify problem trends and the appropriate resolution of problems.


3. Evaluate Off-site Storage: The off-site storage should be evaluated to ensure the
• Presence;
• Synchronization; and
• Currency of critical media and documentation.

To verify off-site storage, the IS auditor should perform a detailed inventory review. This review includes:
i. Testing for correct data set names;
ii. Volume serial numbers;
iii. Accounting periods; and
iv. Bin location of tapes.
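The inventory review above, worked as an added example (not from these notes): the media the backup schedule says should be off-site are reconciled against the vault operator's listing, matching on volume serial number and checking data set name, accounting period and bin location. Both inventories are constructed sample data; the record layout and field names are assumptions.

```python
"""Off-site media inventory reconciliation (added example; not from the notes).

The review compares what the backup schedule says should be in the off-site
library against the vault operator's own listing, matching on volume serial
number and checking data set name, accounting period and bin location.
Both inventories below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MediaRecord:
    volser: str        # volume serial number on the tape label
    dataset: str       # data set name the tape is supposed to hold
    period: str        # accounting period, zero-padded "YYYY-MM"
    bin_location: str  # shelf/slot in the off-site library


# Constructed: what the BCP / backup schedule says must be off-site
EXPECTED = [
    MediaRecord("T00101", "PROD.GL.FULL", "2018-02", "A-01"),
    MediaRecord("T00102", "PROD.AR.FULL", "2018-02", "A-02"),
    MediaRecord("T00103", "PROD.PAYROLL.FULL", "2018-02", "A-03"),
    MediaRecord("T00104", "BCP.PLAN.COPY", "2018-02", "B-01"),
]

# Constructed: what the vault operator's inventory listing reports
VAULT = [
    MediaRecord("T00101", "PROD.GL.FULL", "2018-02", "A-01"),
    MediaRecord("T00102", "PROD.AR.FULL", "2018-01", "A-02"),       # last month's tape
    MediaRecord("T00103", "PROD.PAYROLL.FULL", "2018-02", "C-07"),  # wrong bin
    MediaRecord("T00199", "TEST.SCRATCH", "2017-11", "B-09"),       # not in the plan
]


def reconcile(expected, vault):
    """Return audit findings grouped by the property the review checks.

    missing    - planned volser absent from the vault (presence)
    unexpected - volser in the vault that the plan does not account for
    mismatched - (volser, field, planned, found) where data set name,
                 period or bin location disagree (synchronization)
    stale      - vault holds an older accounting period than planned (currency)
    """
    planned = {r.volser: r for r in expected}
    found = {r.volser: r for r in vault}
    findings = {"missing": [], "unexpected": [], "mismatched": [], "stale": []}
    for volser, want in planned.items():
        have = found.get(volser)
        if have is None:
            findings["missing"].append(volser)
            continue
        for field in ("dataset", "period", "bin_location"):
            if getattr(want, field) != getattr(have, field):
                findings["mismatched"].append(
                    (volser, field, getattr(want, field), getattr(have, field)))
        if have.period < want.period:  # string compare is safe for "YYYY-MM"
            findings["stale"].append(volser)
    for volser in sorted(found.keys() - planned.keys()):
        findings["unexpected"].append(volser)
    return findings


def is_clean(findings) -> bool:
    """True when every category of finding is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(EXPECTED, VAULT)
    for category, items in result.items():
        for item in items:
            print(f"{category:10} {item}")
    print("inventory reconciles" if is_clean(result) else "exceptions found")
```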

4. Evaluate Ability of IS & User Personnel to respond effectively in Emergency Situations: The IS auditor should evaluate the ability of IS and user personnel to respond effectively in emergency situations by
• Reviewing emergency situations;
• Employee training and the results of their tests and drills.

5. Review Insurance Coverage: The IS auditor should review the insurance coverage and evaluate that it reflects the actual cost of recovery by taking into consideration:
a) Insurance premium;
b) Coverage of media damage;
c) Business interruption;
d) Equipment replacement; etc.

************************************************************************

100% chapter coverage except 1 Topic “Organization and assignment of responsibilities”

Which includes responsibilities of “Teams” in DRP and BCP

Document Controller – Saqib Ghafoor (CA Finalist) [email protected]

************************************************************************


PROTECTION OF INFORMATION ASSETS (CHAPTER # 12-Wholly based upon ATFL (100%))

1. INFORMATION SECURITY MANAGEMENT What is security? (Refer to PBP Page No. 377) What is Information Security? (Refer to PBP Page No. 377)

Key Elements/Components of Information Security Policy: Key elements of an information security policy are as follows:
1. Management support and commitment
2. Access philosophy
3. Compliance with relevant legislation and regulation
4. Reviews of access authorization
5. Security awareness
6. Role of security administrator
7. Security committee

1. Management support and commitment: Management must demonstrate a commitment to security. Management shows this commitment by approving and supporting formal:
a) Security awareness; and
b) Training.

2. Access philosophy: Access to IS assets should be based on a documented:
a) Need to know; and
b) Need to do basis.

3. Compliance with relevant legislation and regulation: The policy should state that compliance is required with:
a) All relevant legislation, such as that requiring confidentiality of personal information; or
b) Specific regulation relating to a particular industry, i.e. banking and financial institutions.

4. Reviews of access authorization: Like any other control, access controls should be evaluated regularly to ensure they are still effective. Any access exceeding the “need to know”, “need to do” philosophy should be changed accordingly.

5. Security awareness: All employees, including management, need to be made aware of the importance of security on a regular basis. Mechanisms to raise security awareness include:

i. Distribution of written security policies;
ii. Training on a regular basis of new employees, staff and users;
iii. Non-disclosure statements signed by employees;
iv. Visible enforcement of security rules;
v. Rewarding employees who report suspicious events.

6. Role of security administrator: The SA, typically a member of the IS department, is responsible for
a) Implementing;
b) Monitoring; and
c) Enforcing security rules
that management has established.

7. Security committee: As security policies, procedures and guidelines affect the entire organization, individuals representing various management levels should meet as a committee to discuss these issues and establish security practices.

2. COMPUTER CRIME, ISSUES AND EXPOSURES: A. Threat to Business: Threats to business include the following:
1. Financial loss;
2. Loss of credibility or competitive edge;
3. Blackmail / industrial espionage;
4. Disclosure of confidential, sensitive or embarrassing information;
5. Sabotage;
6. Legal repercussions.

1. Financial Loss: These losses can be
a) Direct: through loss of electronic funds; or
b) Indirect: through the cost of correcting the exposure.

2. Loss of credibility or competitive edge: Many organizations such as banking and financial institutions need credibility and public trust to maintain a competitive edge. Security violations can severely damage their credibility, resulting in loss of business and prestige.

3. Blackmail / Industrial espionage: (Do it yourself)

4. Disclosure of confidential, sensitive or embarrassing information: Such events can damage the organization’s credibility, prestige and its means of conducting business. Legal or regulatory action against the company may also result from the disclosure.

5. Sabotage: Some perpetrators may want to cause damage due to dislike of the organization or for self-gratification.

6. Legal repercussions: The IS auditor should obtain legal assistance when reviewing the legal issues associated with computer security.

B. Logical Access Violators: (Enemies/Intruders) (Refer to MRS-12)

3. LOGICAL ACCESS EXPOSURES AND CONTROLS A. Logical Access Exposures (Refer to MRS-13 & a few from PBP-387) B. Logical Access Controls (Refer to PBP-393 (only 3 controls mentioned there); apart from that, the following should be done from here)

1. General “Operating System (OS)” access controls: General operating system access controls are as follows:

i. Apply user identification and authentication mechanisms;
ii. Restrict logon IDs to specific terminals and specific times;
iii. Establish rules for access to specific information resources;
iv. Create individual accountability and auditability;
v. Create or change user profiles;
vi. Log events;
vii. Log user activities;
viii. Report capabilities.

2. Database and application level access control: Database and application level access controls are as follows:


i. Verify user authorization at the application and transaction level;
ii. Verify user authorization within the application;
iii. Verify user authorization at the field level for changes within the database;
iv. Verify subsystem authorization for the user at the file level;
v. Create or change data files and database profiles.

C. Logon-IDs and Passwords: (Refer to PBP)

D. Biometrics: (Refer to PBP, but types of biometrics from here) Types of biometrics: Types of biometrics are as follows:
i. Palm
ii. Hand geometry
iii. Iris
iv. Retina
v. Fingerprints
vi. Face

E. Viruses 1. Definition (From PBP) 2. Virus Controls: Generally a virus attacks four parts of a computer:
i. Executable program files (.exe files);
ii. The file directory system, which tracks the location of all the computer’s files;
iii. Boot and system areas, which are needed to start the computer;
iv. Data files.

a) Management procedural controls for viruses: (General controls) (Refer to PBP)
b) Technical controls: Technical methods of preventing viruses can be implemented through hardware and software. The following “hardware tactics” can reduce the risk of infection:
i. Use workstations without floppy disks;
ii. Use boot virus protection (built-in firmware based virus protection);
iii. Use remote booting;
iv. Use hardware based passwords;
v. Use write-protect tabs on floppy disks.


3. Types of antivirus software: There are different types of antivirus software, which are as follows:
1. Scanners
a) Virus masks or signatures
b) Heuristic scanners
2. Active monitors
3. Integrity checkers
4. Behavior blockers
5. Immunizers

1. Scanners: Scanners look for sequences of bits called signatures that are typical of virus programs. The two primary types of scanners are:
a) Virus mask or signature: Antivirus scanners check files, sectors and system memory for known and new viruses on the basis of virus masks and signatures. These are specific code strings that are recognized as belonging to a virus.
b) Heuristic scanners: Work by analyzing the instructions in the code being scanned and deciding on the basis of statistical probability whether it could contain malicious code. Their results indicate that a virus may be present, i.e. possibly infected.

2. Active Monitors: Active monitors interpret DOS and ROM basic input output system (BIOS) calls, looking for virus-like actions. They can be annoying because they cannot distinguish between a user request and a virus request.

3. Integrity Checkers: An integrity checker computes a binary number for a known virus-free program called a “cyclical redundancy check” or CRC. When that program is called to execute, the checker computes the CRC on the program and compares it to the number in its database. A match means no infection.

4. Behavior Blockers: Focus on detecting potentially abnormal behavior like:
a) Writing to the boot sector; or
b) Writing to the master boot record; or
c) Changes to executable files.

5. Immunizers: Defend against viruses by appending sections of themselves to files, in exactly the same way as viruses append themselves.
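The integrity checker described above, as an added example (not from these notes): a baseline of checksums is recorded while the programs are known clean, and each program is re-checked before it executes. The sample executables are constructed byte strings; the function names are assumptions. It uses the CRC the notes describe and stores a SHA-256 digest alongside it, since CRC-32 alone does not resist a deliberately crafted modification.

```python
"""Integrity checker of the kind described above (added example; not from the
notes). A baseline of checksums is recorded while the programs are known to be
virus-free. Before a program executes, its checksum is recomputed and compared
with the baseline; a mismatch means the file changed and is treated as
possibly infected. Sample "executables" below are constructed byte strings.
"""
import hashlib
import zlib

# Constructed sample programs: file name -> contents of the executable
CLEAN_PROGRAMS = {
    "ACCOUNTS.EXE": b"MZ\x90\x00 clean accounting program image",
    "PAYROLL.EXE": b"MZ\x90\x00 clean payroll program image",
}


def fingerprint(data: bytes) -> dict:
    """CRC-32 as the notes describe, plus SHA-256.

    CRC-32 detects accidental corruption but is not collision resistant, so a
    deliberate change can be crafted to keep the same CRC; a checker that has
    to resist malware relies on the cryptographic digest.
    """
    return {
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(programs: dict) -> dict:
    """Run once while the programs are known clean. Keep the result where the
    programs cannot modify it (write-protected or off-line), otherwise a virus
    could simply re-baseline itself."""
    return {name: fingerprint(data) for name, data in programs.items()}


def check_before_execute(name: str, data: bytes, baseline: dict) -> str:
    """Classify a program at load time.

    'clean'    - both checksums match the baseline
    'modified' - a checksum differs: possible infection, do not run
    'unknown'  - no baseline entry, so there is nothing to compare against
    """
    ref = baseline.get(name)
    if ref is None:
        return "unknown"
    now = fingerprint(data)
    if now["sha256"] != ref["sha256"] or now["crc32"] != ref["crc32"]:
        return "modified"
    return "clean"


def scan_all(programs: dict, baseline: dict) -> dict:
    """Check every program on disk and return name -> status."""
    return {name: check_before_execute(name, data, baseline)
            for name, data in programs.items()}


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_PROGRAMS)
    # Constructed scenario: an appending virus grows one file by its body,
    # and a program with no baseline entry appears on disk.
    disk = dict(CLEAN_PROGRAMS)
    disk["PAYROLL.EXE"] = disk["PAYROLL.EXE"] + b"<constructed virus body>"
    disk["GAME.EXE"] = b"MZ\x90\x00 unlisted program"
    for name, status in scan_all(disk, baseline).items():
        print(f"{name:14} {status}")
```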


4. AUDITING INFORMATION SECURITY MANAGEMENT AND LOGICAL ISSUES AND EXPOSURES: 1. AUDITING INFORMATION SECURITY MANAGEMENT: (Auditing procedures) IS auditors should review the security management framework. The review includes:
1. Review written policies, procedures and standards
2. Logical access security policies
3. Formal security awareness and training
4. Data ownership
5. Data custodians
6. Security administrator
7. Data users
8. Documented authorization
9. Terminated employee access
10. Access standards

1. Review written policies, procedures and standards: The IS auditor should review the policies and procedures to determine if they
a) Set the tone for proper security; and
b) Assign responsibility for maintaining a secure computer processing environment.

2. Logical Access Security Policies: These policies should encourage limiting access to a need-to-know basis. The IS auditor should assess exposure to the concerns identified.

3. Formal Security Awareness and Training: Effective security will always be dependent on people. It can be effective only if employees know what is expected of them and what their responsibilities are. They should know why security measures are in place, and the repercussions of violating security.

4. Data Ownership: Data ownership refers to the “classification” of data elements and the “allocation of responsibility” for ensuring that they are kept confidential, complete and accurate.
a) The IS auditor should use this information to determine if proper ownership has been assigned and that owners are aware of their data ownership responsibilities.
b) The IS auditor should also ensure that responsibilities and duties are consistent with IS security policies.

5. Data Owners: These people are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include:
a) Authorizing access;
b) Updating access rules when personnel changes occur;
c) Regularly inventorying access rules for the data for which they are responsible.


6. Data Custodians: These people are generally IS personnel such as system analysts and computer operators. They are responsible for:
a) Storing of data;
b) Safeguarding of data.

7. Security Administrator: These people are responsible for providing adequate physical and logical security for IS programs, data and equipment. Normally the Information Security Policy (ISP) provides the basic guideline under which the security administrator works.

8. Data Users: These people, normally referred to as “end users”, are the actual users of computerized data. Their level of access to computerized data should be authorized by the “Data Owner” and restricted and monitored by the “Security Administrator”.

9. Terminated Employee Access: Termination of employees may occur in the following circumstances:
a) Voluntary resignation (on the request of employees);
b) Scheduled (on retirement or completion of contract);
c) Involuntary termination (fired or forced by management in special circumstances).

In case of involuntary termination, the logical and physical access rights of the employee to the IT infrastructure should either be:
a) Withdrawn completely; or
b) Highly restricted
as early as possible before the employee is informed about the termination.

10. Access Standards: Access standards should be reviewed by the IS auditor to ensure that they:
a) Meet organization objectives for separating duties;
b) Prevent fraud or error;
c) Meet policy requirements for minimizing the risk of unauthorized access.

Standards of security may be defined:
a) At a general level (i.e. all passwords may be 5 characters long);
b) On a 30-day password change basis;
c) For specific application systems.


2. AUDITING LOGICAL ACCESS: While auditing logical access, the auditor should review the following:
1. Familiarization with the IS processing environment
2. Document the access paths
3. Interview system personnel
4. Review reports from access control software
5. Review application system operational manuals

When evaluating logical access controls, the IS auditor should:

1. Familiarization with IS Processing Environment: Obtain a general understanding of the security risks faced by information processing, through review of relevant
a) Documentation;
b) Inquiry;
c) Observation;
d) Risk assessment; and
e) Evaluation techniques.

2. Document the Access Path: An access path is the “logical route an end user takes to access computerized information”. This starts with a terminal and typically ends with the data being accessed. On the way various hardware and software components are encountered. The IS auditor should evaluate each component for “proper implementation and proper physical and logical access security.”

Typical sequence of components is as follows:
i) Terminal: The terminal is used by an end user to sign on. Key audit issues involve that:
a) The terminal should be physically secured; and
b) Logon-IDs / passwords used for sign on should be subject to restrictions.
ii) Telecommunication software: Telecommunication software intercepts the log on and directs it to the appropriate telecommunication link. Key audit issues involve that:
a) All applications have been defined to the software; and
b) The various telecommunication control and processing features used are “appropriate and approved” by management.
iii) Transaction processing software: Transaction processing software is the next component of the access path. This routes transactions to the appropriate application software. Key audit issues involve that:


a) Ensuring proper identification / authentication of the user; and
b) Authorization of the user to gain access to the application.
iv) Application software: Application software is the next component, “processing transactions in accordance with program logic”. Key audit issues involve that:
a) Access to the production software library is restricted to authorized personnel only.
v) Database management system: The database management system directs access to the computerized information. Key audit issues involve that:
a) Ensuring that all data elements are identified in the data dictionary;
b) Access to the data dictionary is restricted to authorized personnel only.

3. Test Control Over Access Path: Test controls over access paths to determine that they are functioning and are effective.

4. Review Report from Access Control Software: Evaluate the access control environment to determine if control objectives are achieved by analyzing the test results and other audit evidence.

5. Review Application System Operations Manual: Evaluate the security environment to assess its adequacy by reviewing written policies and observing practices and procedures.


5. TELECOMMUNICATION AND NETWORKS (Please refer to ATFL Page No. 276 – 291)

6. AUDITING TELECOMMUNICATIONS AND NETWORKS

7. COMMUNICATION SYSTEM EXPOSURES

Three major types of exposures arise in the communication subsystem:

1. First: Transmission impairment can cause differences between data sent and data received;
2. Second: Data can be corrupted or lost through component failure;
3. Third: A hostile party could seek to subvert data that is transmitted through the subsystem.

1. Transmission Impairment: When data is transported across a transmission medium, three types of impairment can arise: a) attenuation; b) delay distortion; and c) noise.

a) Attenuation: Attenuation increases as the distance travelled by the signal increases. In the case of analogue signals, an amplifier must be used to boost the signal; in the case of digital signals, repeaters are used to boost signal strength. Attenuation can also cause distortion to analogue signals, because attenuation varies across the frequencies of an analogue signal. Digital signals also suffer from attenuation distortion.

b) Delay distortion: It occurs when a signal is transmitted through bounded media (twisted pair wire, coaxial cable, etc.). However, it does not occur when the signal is transmitted through air or space. Different frequencies traverse bounded media with different velocities; thus signals are distorted because their different frequency components are subject to different delays.

c) Noise: Noise is random electrical signals that degrade performance in the transmission medium. There are four types of noise: i) white noise; ii) inter-modulation noise; iii) crosstalk; and iv) impulse noise.

i. White noise: White noise arises through the motion of electrons. It increases with temperature.

ii. Inter-modulation noise: It arises when the output from a component in the communication subsystem is not a linear function of its input. It can arise because of component malfunctioning.

iii. Crosstalk: It arises because signal paths become coupled when bounded media are placed too close to each other.

iv. Impulse noise: It arises for a variety of reasons: a) atmospheric conditions; b) faulty switching gear; and c) poor contacts.

2. Component Failure: The primary components in the communication subsystem are: a) transmission media; b) hardware; and c) software. Each of these components may fail; as a result, data in the communication subsystem may be lost, corrupted, or routed incorrectly through the network.

3. Subversive Threats (No need to do that as it appeared in the June 2011 attempt) – (Active and Passive Attacks)

CONTROLS OVER SUBVERSIVE THREATS

Definition: In subversive attacks on the communication subsystem, an intruder attempts to violate the integrity of some component in the subsystem. For example, "invasive" or "inductive" taps can be installed on telephone lines using, say, a datascope. An invasive tap enables the intruder either to read or modify the data being transmitted over the line. An inductive tap monitors electromagnetic transmission from the line and allows data to be read only.

Controls over Subversive Threats: There are two types of controls over subversive threats to the communication subsystem. The first seeks to establish a physical barrier to data traversing the subsystem. The second accepts that an intruder somehow will gain access to the data, and seeks to render the data useless when access occurs.

1. Link Encryption
2. End-to-End Encryption
3. Message Authentication Code (MAC)
4. Message Sequence Number
5. Request-Response Mechanism


1. Link Encryption: Link encryption protects data traversing a communication channel connecting two nodes in a network. The sending node encrypts the data it receives and then transmits the data in encrypted form to the receiving node. The receiving node subsequently decrypts the data. With link encryption, the cryptographic key might be common to all nodes in the network; thus it is easy to establish a communication session between two nodes.

2. End-to-End Encryption: Link encryption has several limitations:

a) If an intermediate node in the network is subverted, all the traffic passing through that node is exposed.

b) Users of a public network might rely on link encryption to protect their data; for this reason, owners of the network could incur high insurance costs to protect themselves.

To help overcome these problems, end-to-end encryption is used. It protects the integrity of data between sender and receiver independently of the nodes the data traverses; thus a cryptographic facility must be available to both the sender and the receiver.

3. Message Authentication Code (MAC): In electronic funds transfer (EFT), a control used to identify changes to a message in transit is a message authentication code (MAC). It is calculated on the basis of some or all of the fields in the message; it is then appended to the message and sent to the receiver, who recalculates the MAC on the basis of the message received to determine whether the calculated MAC and the received MAC are equal. If they are not equal, the message has been altered in some way during transit.

4. Message Sequence Number: It is used to detect an attack on the order of the messages transmitted between sender and receiver. An intruder can delete, edit, or change the order of messages in a stream; in each case the receiver does not obtain messages in the order generated by the sender. If each message contains a sequence number and the order of the sequence numbers is checked, these attacks will not be successful.

5. Request-Response Mechanism: It is used to identify attacks by an intruder aimed at denying message services to a sender and a receiver. In this attack, the intruder deletes messages passing through a communication line or delays them for an extended period; thus the communication channel has been broken. With a request-response mechanism, a timer is placed with the sender and the receiver. The timer periodically triggers a control message from the sender, and the receiver must respond to show that the communication link has not been broken.
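The difference between controls 1 and 2 above is easiest to see by following one message through a small network. The following is an added example (not code from the notes or from ATFL) that forwards a message from sender A to receiver B through two intermediate nodes, once with a separate key per link and once with a key held only by A and B, and reports what each intermediate node could read. The node names, the keys and the stream cipher (SHA-256 in counter mode, XORed with the data) are all assumptions for illustration; the cipher is a stand-in, not something to deploy.

```python
import hashlib

# Toy keystream cipher for illustration only (SHA-256 in counter mode, XORed
# with the data). NOT a production cipher; it exists so the example runs with
# the standard library alone and so that encrypt and decrypt are the same
# operation, as in any stream cipher.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# Constructed path: sender A, two intermediate nodes, receiver B.
PATH = ["A", "N1", "N2", "B"]

# Link encryption: one key per link, held by the two nodes on that link.
LINK_KEYS = {("A", "N1"): b"link-key-A-N1",
             ("N1", "N2"): b"link-key-N1-N2",
             ("N2", "B"): b"link-key-N2-B"}

# End-to-end encryption: one key shared only by A and B.
E2E_KEY = b"end-to-end-key-A-B"


def link_encrypted_transit(plaintext: bytes):
    """Forward `plaintext` along PATH with link encryption.

    Returns (what each intermediate node could read, what B finally reads).
    Each node decrypts with the inbound link key and re-encrypts with the
    outbound one, so the message exists in clear inside every node: a
    subverted node exposes all traffic passing through it.
    """
    seen_by = {}
    data = plaintext
    for hop_in, hop_out in zip(PATH, PATH[1:]):
        wire = xor_crypt(LINK_KEYS[(hop_in, hop_out)], data)   # encrypt for this link
        data = xor_crypt(LINK_KEYS[(hop_in, hop_out)], wire)   # receiving node decrypts
        if hop_out != PATH[-1]:
            seen_by[hop_out] = data                            # cleartext inside node
    return seen_by, data


def end_to_end_transit(plaintext: bytes):
    """Forward with end-to-end encryption: only A and B hold E2E_KEY, so the
    intermediate nodes relay ciphertext they cannot read."""
    seen_by = {}
    wire = xor_crypt(E2E_KEY, plaintext)
    for node in PATH[1:-1]:
        seen_by[node] = wire
    return seen_by, xor_crypt(E2E_KEY, wire)


def node_sees_plaintext(seen_by: dict, node: str, plaintext: bytes) -> bool:
    return seen_by[node] == plaintext


if __name__ == "__main__":
    msg = b"PAY 1000 TO ACCT 42"   # constructed message
    link_view, link_out = link_encrypted_transit(msg)
    e2e_view, e2e_out = end_to_end_transit(msg)
    print("link encryption: N1 can read message:", node_sees_plaintext(link_view, "N1", msg))
    print("end-to-end:      N1 can read message:", node_sees_plaintext(e2e_view, "N1", msg))
    print("both deliver the message to B intact:", link_out == msg == e2e_out)
```

Both modes deliver the message to B; the only difference is the exposure at N1 and N2, which is exactly limitation (a) of link encryption.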
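Controls 3, 4 and 5 above are detective controls at the receiver, and they combine naturally into one receiver routine. The following is an added example (not from the notes or from ATFL) in which the sender appends an HMAC-SHA256 MAC computed over the sequence number and payload, the receiver rejects altered messages and reports deleted or reordered ones, and a request-response monitor flags a link as broken when a control message goes unanswered. The shared key, message contents and timer values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice provisioned out of band to the
# sender and the receiver only.
MAC_KEY = b"example-shared-mac-key"


def compute_mac(key: bytes, seq: int, payload: str) -> str:
    """MAC over the fields that must not change in transit (sequence number
    and payload). HMAC-SHA256 stands in for the EFT MAC algorithm here."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_message(key: bytes, seq: int, payload: str) -> dict:
    """Sender side: append the MAC to the message."""
    return {"seq": seq, "payload": payload, "mac": compute_mac(key, seq, payload)}


class Receiver:
    """Checks each message for alteration (MAC) and for deletion, replay or
    reordering (sequence number)."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 1
        self.accepted = []

    def accept(self, msg: dict) -> str:
        expected = compute_mac(self.key, msg["seq"], msg["payload"])
        # constant-time comparison so timing does not leak MAC bytes
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: MAC mismatch (message altered in transit)"
        if msg["seq"] < self.expected_seq:
            return "rejected: replayed or reordered message"
        if msg["seq"] > self.expected_seq:
            gap = msg["seq"] - self.expected_seq
            self.expected_seq = msg["seq"] + 1     # resync, but report the gap
            self.accepted.append(msg)
            return f"accepted with gap: {gap} message(s) missing"
        self.expected_seq += 1
        self.accepted.append(msg)
        return "accepted"


class RequestResponseMonitor:
    """Request-response mechanism: the sender's timer emits a control message
    every `interval` seconds; if no reply is seen within `timeout` seconds of
    the last request, the link is treated as broken (messages deleted or
    delayed, or a plain outage)."""

    def __init__(self, interval: float, timeout: float):
        self.interval = interval
        self.timeout = timeout
        self.last_request = None
        self.last_response = None

    def tick(self, now: float) -> bool:
        """Called by the sender's timer; True when a control message is due."""
        if self.last_request is None or now - self.last_request >= self.interval:
            self.last_request = now
            return True
        return False

    def record_response(self, now: float) -> None:
        self.last_response = now

    def link_broken(self, now: float) -> bool:
        if self.last_request is None:
            return False
        answered = self.last_response is not None and self.last_response >= self.last_request
        return (not answered) and (now - self.last_request > self.timeout)


if __name__ == "__main__":
    rx = Receiver(MAC_KEY)
    print(rx.accept(make_message(MAC_KEY, 1, "credit 100")))       # accepted
    tampered = make_message(MAC_KEY, 2, "credit 100")
    tampered["payload"] = "credit 9999"                              # altered in transit
    print(rx.accept(tampered))                                       # MAC mismatch
    print(rx.accept(make_message(MAC_KEY, 2, "credit 100")))        # accepted
    print(rx.accept(make_message(MAC_KEY, 4, "credit 5")))          # seq 3 deleted
    print(rx.accept(make_message(MAC_KEY, 3, "credit 7")))          # late/replayed
    hb = RequestResponseMonitor(interval=10, timeout=5)
    hb.tick(0); hb.record_response(1); hb.tick(10)
    print("link broken at t=16:", hb.link_broken(16))                # True
```

Because the sequence number is inside the MAC input, an intruder cannot renumber a captured message to fill a gap without the MAC check failing; the two controls reinforce each other.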


8. TOPOLOGICAL CONTROLS: LAN Topological Controls:

i. Bus Topology Control Considerations: From the auditors' perspective, the following control considerations arise with bus topology:

i. Relative to other topologies like the ring, a bus degrades the performance of the transmission medium, because the taps that connect each node to the bus introduce attenuation (lessening) and distortion to the signal being transmitted;

ii. Because the taps that connect each node to the network are passive, the network will not fail if a node fails;

iii. Because all the nodes have access to the traffic on the network, controls must be implemented to protect the privacy of sensitive data (encryption controls).

ii. Tree Topology Control Considerations: From the auditors' perspective, the control considerations that apply to bus topology also apply to tree topology.

iii. Ring Topology Control Considerations: From the auditors' perspective, the following control considerations arise with ring topology:

i. Unlike the taps used in a bus network, repeaters do not introduce attenuation and distortion to the signal being transmitted. Indeed, a repeater retransmits a clean signal after it has been received. However, timing errors may occur;

ii. Because repeaters are active components in the network, they will bring the network down if the repeaters are down;

iii. Because all the traffic in the network must be routed through each node's repeater, controls must be implemented to protect the privacy of sensitive data (encryption controls).

iv. Star Topology Control Considerations: From the auditors' perspective, the following control considerations arise with star topology:

i. Reliability of the central hub is critical: in a star network, if the central hub fails, the entire network will be brought down;

ii. Failure of a particular node in the network has only limited effects on the network;

iii. Security of the central hub is critical: all the data must pass through the hub. Therefore, compromise of the hub means all messages are compromised.

9. CHANNEL ACCESS CONTROLS (COMMUNICATION CHANNEL): Whenever the possibility of contention for the communication channel exists, some type of channel access control technique must be used. These techniques fall into two classes:

• Polling method (non-contention); and
• Contention method.

i. Polling Method: "Polling techniques establish an order in which a node can gain access to channel capacity". There are two forms of polling:

• Centralized polling; and
• Distributed polling.

In centralized polling, one node within the network is designated as the "master node" or control node. This node takes responsibility for asking the other nodes within the network whether they wish to use the channel.

In distributed polling, each node takes some responsibility for control over channel access. For example, a common form of distributed polling is token passing.

ii. Contention Method: "In the contention method, nodes in the network must compete with each other to gain access to the channel". Several types of contention methods are available. One commonly used with bus local area networks is called "carrier sense multiple access with collision detection" (CSMA/CD). If a node wishes to send a message on the network, it first listens to the channel. If the channel is clear, it transmits the message. If another node also transmits a message at the same time, a collision between the two messages occurs. To detect collisions, each node must continue to listen to the channel; if it hears a collision, it must resend the message.

10. CONTROLS OVER SUBVERSIVE THREATS
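The two classes of channel access control above behave very differently under the same offered load, and a small slotted simulation makes the difference concrete. The following is an added example (not from the notes or from ATFL): a centralized polling master visits nodes round-robin, while the CSMA/CD model lets every ready node sense the channel at the start of a slot, detects simultaneous transmissions as a collision, and retries after a seeded-random binary exponential backoff (the classic Ethernet rule). The node names, frame counts, one-slot frame length and the backoff cap are assumptions made for the simulation.

```python
import random


def run_polling(pending: dict, max_slots: int = 10_000) -> dict:
    """Centralized polling: a master node asks each node in turn whether it
    has a frame; only the polled node may transmit, so collisions cannot
    occur. `pending` maps node name -> frames waiting (constructed input)."""
    queue = dict(pending)
    order = sorted(queue)
    log, slot = [], 0
    while any(queue.values()) and slot < max_slots:
        node = order[slot % len(order)]          # master polls round-robin
        if queue[node] > 0:
            queue[node] -= 1
            log.append((slot, node))
        slot += 1
    return {"delivered": len(log), "collisions": 0, "slots": slot, "log": log}


def run_csma_cd(pending: dict, seed: int = 1, max_slots: int = 10_000) -> dict:
    """Slotted CSMA/CD: every node holding a frame listens at the start of a
    slot and transmits if the channel is idle. Two or more simultaneous
    senders collide; each detects it, aborts, and waits a random number of
    slots drawn from 0 .. 2**attempts - 1 before listening again."""
    rng = random.Random(seed)                    # seeded so runs are repeatable
    queue = dict(pending)
    backoff_until = {n: 0 for n in queue}        # first slot a node may retry
    attempts = {n: 0 for n in queue}
    log, slot, collisions = [], 0, 0
    while any(queue.values()) and slot < max_slots:
        ready = [n for n in sorted(queue) if queue[n] > 0 and backoff_until[n] <= slot]
        if len(ready) == 1:                      # lone sender: frame goes through
            node = ready[0]
            queue[node] -= 1
            attempts[node] = 0
            log.append((slot, node))
        elif len(ready) > 1:                     # simultaneous senders: collision
            collisions += 1
            for node in ready:
                attempts[node] = min(attempts[node] + 1, 10)   # cap as in Ethernet
                wait = rng.randint(0, 2 ** attempts[node] - 1)
                backoff_until[node] = slot + 1 + wait
        slot += 1                                # an idle slot just passes
    return {"delivered": len(log), "collisions": collisions, "slots": slot, "log": log}


if __name__ == "__main__":
    load = {"A": 2, "B": 2, "C": 1}              # constructed offered load
    for name, result in (("polling", run_polling(load)), ("CSMA/CD", run_csma_cd(load))):
        print(f"{name:8s} delivered={result['delivered']} collisions={result['collisions']} "
              f"slots={result['slots']}")
```

Polling never collides but spends slots polling idle nodes; CSMA/CD uses idle capacity immediately but pays for it in collisions whenever several nodes become ready together, which is why its efficiency falls as load rises.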

11. AUDIT TRAIL IN COMMUNICATION SUBSYSTEM CONTROLS:

Definition of Audit Trail in Communication Subsystem: The audit trail in the communication subsystem maintains the chronology of events from the time a sender dispatches a message to the time a receiver obtains the message.

i. Accounting Audit Trail
ii. Operations Audit Trail
iii. Existence Controls

i. Accounting Audit Trail (For controls – put question mark): The accounting audit trail must allow a message to be traced through each node in a network. Examples of data items that might be kept in the accounting trail are as follows:

a) Unique identifier of source node;
b) Unique identifier of person or process authorizing dispatch of message;
c) Unique identifier of each node in the network that the message traversed;
d) Unique identifier of sink node;
e) Time and date at which message was received by sink node;
f) Time and date at which message was dispatched;
g) Message sequence number.

AUDIT TRAIL: Paper or 'electronic' trail that gives a step by step documented history of a transaction. It enables an examiner to trace the financial data from general ledger to the source document (invoice, receipt, voucher, etc.). The presence of a reliable and easy to follow audit trail is an indicator of good internal controls instituted by a firm, and forms the basis of objectivity.


ii. Operations Audit Trail: "The performance and integrity" of the network depend upon the availability of comprehensive operations audit trail data. Examples of data items that might be kept in the operations audit trail are as follows:

a) Number of messages that have traversed (passed through) each link;
b) Number of messages that have traversed (passed through) each node;
c) Queue lengths at each node;
d) Number of errors occurring on each link or at each node;
e) Log of errors to identify locations and patterns of errors;
f) Log of system restarts.

Using this data, network supervisors can identify where problem areas are occurring.
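The accounting trail (i.) and the operations trail (ii.) answer different questions from the same events, and the following added example (not from the notes or from ATFL) shows both in use. One record per message carries the accounting data items a) to g); one event per link transit carries the per-link, per-node, queue-length and error data of the operations trail. The trace function reconstructs a message's path, the sequence-gap function finds messages that never reached the sink, and the remaining functions produce the per-link and per-node counts a supervisor would review. Node names, timestamps and the error code are constructed sample data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class AccountingRecord:
    """One accounting-audit-trail entry per message (items a) to g))."""
    message_id: str
    source_node: str
    authorized_by: str        # person or process authorizing dispatch
    dispatched_at: str        # ISO timestamp (constructed)
    nodes_traversed: list     # intermediate nodes, in order
    sink_node: str
    received_at: str
    sequence_number: int


@dataclass
class HopEvent:
    """One operations-audit-trail entry per link transit."""
    message_id: str
    from_node: str
    to_node: str
    queue_length: int         # queue depth at to_node when the message arrived
    error: str = ""           # empty when the hop succeeded


# Constructed sample trail: three messages from ATM-7 to HOST; sequence 3 is
# absent at the sink, and m3 hit a link error and was rerouted via SW-2.
ACCOUNTING = [
    AccountingRecord("m1", "ATM-7", "teller-app", "2011-06-01T09:00:00",
                     ["SW-1", "SW-3"], "HOST", "2011-06-01T09:00:02", 1),
    AccountingRecord("m2", "ATM-7", "teller-app", "2011-06-01T09:00:05",
                     ["SW-1", "SW-3"], "HOST", "2011-06-01T09:00:07", 2),
    AccountingRecord("m3", "ATM-7", "teller-app", "2011-06-01T09:00:09",
                     ["SW-1", "SW-2", "SW-3"], "HOST", "2011-06-01T09:00:15", 4),
]
HOPS = [
    HopEvent("m1", "ATM-7", "SW-1", 1), HopEvent("m1", "SW-1", "SW-3", 0),
    HopEvent("m1", "SW-3", "HOST", 2),
    HopEvent("m2", "ATM-7", "SW-1", 1), HopEvent("m2", "SW-1", "SW-3", 1),
    HopEvent("m2", "SW-3", "HOST", 2),
    HopEvent("m3", "ATM-7", "SW-1", 3), HopEvent("m3", "SW-1", "SW-3", 0, error="CRC"),
    HopEvent("m3", "SW-1", "SW-2", 0), HopEvent("m3", "SW-2", "SW-3", 1),
    HopEvent("m3", "SW-3", "HOST", 0),
]


def trace_message(records, message_id):
    """Accounting trail: reconstruct the full path of one message."""
    for r in records:
        if r.message_id == message_id:
            return [r.source_node, *r.nodes_traversed, r.sink_node]
    return None


def sequence_gaps(records):
    """Accounting trail: sequence numbers that never reached the sink, per
    source node (deletion in transit shows up here)."""
    by_source = defaultdict(list)
    for r in records:
        by_source[r.source_node].append(r.sequence_number)
    gaps = {}
    for src, seqs in by_source.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
        if missing:
            gaps[src] = missing
    return gaps


def link_counts(hops):
    """Operations trail item a): messages per link."""
    return Counter((h.from_node, h.to_node) for h in hops)


def node_counts(hops):
    """Operations trail item b): messages arriving at each node."""
    return Counter(h.to_node for h in hops)


def max_queue_by_node(hops):
    """Operations trail item c): worst queue length seen at each node."""
    q = defaultdict(int)
    for h in hops:
        q[h.to_node] = max(q[h.to_node], h.queue_length)
    return dict(q)


def error_summary(hops):
    """Operations trail items d) and e): errors by link and type."""
    return Counter((h.from_node, h.to_node, h.error) for h in hops if h.error)


if __name__ == "__main__":
    print("path of m3:", " -> ".join(trace_message(ACCOUNTING, "m3")))
    print("sequence gaps:", sequence_gaps(ACCOUNTING))
    print("busiest link:", link_counts(HOPS).most_common(1))
    print("errors:", dict(error_summary(HOPS)))
```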

************************************************************************

100% chapter coverage

Document Controller – Saqib Ghafoor (CA Finalist) [email protected]

************************************************************************


AUDITING INFRASTRUCTURE AND OPERATIONS (CHAPTER # 11)

1. HARDWARE

1. Types of Computers:

1. Mainframe: large general purpose computer capable of supporting thousands of users simultaneously.

2. Minicomputer: a multiprocessor system capable of supporting about 200 users.

3. Microcomputer: small computers, referred to as personal computers, designed for individual users and based on microprocessor technology.

4. Notebook/Laptop: lightweight personal computers that are easily transportable and can be used anywhere for several hours via battery.

5. Personal Digital Assistant: handheld devices that enable users to use a small computing device the size of a calculator as a personal organizer and planner.

2. Common characteristics:

a) Multitasking b) Multiprocessing c) Multi-user

3. Hardware acquisition: Invitation to tender (ITT) ITT or specification should include the following:

1. Organizational description indicating whether computer facilities are centralized or decentralised

2. Information processing requirements such as:

a) Major existing and future application systems; b) Workloads and performance requirements; c) Processing approaches to be used (for example: online/batch, client server etc)

3. Hardware requirements such as:

a) CPU processing speed b) Peripheral devices c) Data preparation/input devices that convert and accept data for machine processing d) Data entry devices e) Networking capabilities.

4. System software requirements such as:

a) Operating system software b) Compilers c) Program library packages d) Database management packages and programs e) Communication software f) Security access control software

5. Support requirement such as:

a) System maintenance b) Training c) Backup

6. Adaptability requirements such as:

a) Hardware / software upgrade capabilities b) Compatibility with existing hardware /software platforms c) Changeover to other equipment capabilities

7. Constraints such as :

a) Staffing level b) Existing hardware capacity c) Delivery dates

8. Conversion requirements such as:

a) Test time for hardware/ software b) System conversion facilities c) Cost/pricing schedule


4. Acquisition Steps: When purchasing hardware and software from a vendor, considerations should be given to the following:

1. Testimonials/Visits to other users; 2. Provision for competitive bidding; 3. Analysis of bid against bidding; 4. Comparison of bids against each other; 5. Analysis of vendor financial condition; 6. Analysis of vendor’s capability to provide maintenance and support; 7. Review of delivery schedules against requirement; 8. Analyses of hardware/software upgrade capability; 9. Analysis of security and control facilities; 10. Evaluation of performance against requirement; 11. Review and negotiation of price; 12. Review of contract terms.

5. Evaluating Vendor Proposals (Refer to PBP)

6. Hardware Maintenance Program (Refer to PBP)

7. Hardware Monitoring Procedures: Following are the typical procedures and reports for monitoring the effective and efficient use of hardware:

1. Hardware error reports; 2. Availability reports; 3. Utilization reports.

1. Hardware Error Reports: These reports identify CPU, input/output (I/O), power and storage failures. These reports should be reviewed by IS operations management to ensure that hardware is functioning properly.

2. Availability Reports: These reports indicate the "time period" during which a) the computer is in operation; and b) it is available for utilization by users or other processes.

3. Utilization Reports: These automated reports document the use of the machine and peripherals. Software monitors are used to capture utilization measurements for processors, channels and secondary storage media such as disk and tape drives. Trends provided by utilization reports can be used by IS management to predict where more or fewer processing resources are required.

2. DATA AND CAPACITY MANAGEMENT (AUDITS)

1. Data Management: "Data management is the process that controls: data buffering; performs I/O operations; and deals with file management activities". It is a category of system software that is often a major component of the operating system.

Data Management File Organization: includes the following:

• Sequential;
• Indexed sequential;
• Direct random access.

a) Sequential: One record is processed after another, from the beginning to the end of the file.

b) Indexed Sequential: Records are logically ordered according to a data-related key, and can be accessed based on that key.

c) Direct Random Access: Records are addressed individually based on a non-data-related key, for example, "record number".
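The three file organizations above differ in how a record is located, which is easiest to see on one fixed-length record file. The following is an added example (not from the notes or from ATFL) that builds a small in-memory file of 30-byte account records, then reads it sequentially, through a key index built from one sequential pass, and directly by record number. The record layout, field widths, account keys and balances are constructed for the example; the direct-access routine also shows the bounds check a record-number address needs, since an arithmetic address has no key to validate against.

```python
import struct

# Constructed fixed-length record layout: 6-byte account key, 20-byte name,
# 4-byte big-endian balance in cents. Fixed length is what makes the record
# number usable as an address.
RECORD = struct.Struct(">6s20si")
RECORD_SIZE = RECORD.size          # 30 bytes


def pack_record(key: str, name: str, balance: int) -> bytes:
    return RECORD.pack(key.encode().ljust(6), name.encode().ljust(20), balance)


def unpack_record(raw: bytes) -> tuple:
    key, name, balance = RECORD.unpack(raw)
    return key.decode().strip(), name.decode().strip(), balance


# Constructed sample file held in memory, written in key order as an
# indexed-sequential file would be.
SAMPLE_FILE = b"".join([
    pack_record("A1001", "Ali", 1200),
    pack_record("A1005", "Bano", 350),
    pack_record("A1010", "Chen", 9999),
    pack_record("A1020", "Dara", 0),
])


def sequential_scan(data: bytes):
    """Sequential organization: records are processed one after another from
    the beginning of the file to the end."""
    for offset in range(0, len(data), RECORD_SIZE):
        yield unpack_record(data[offset:offset + RECORD_SIZE])


def sequential_find(data: bytes, key: str):
    """Sequential search by data key: cost grows with file size."""
    for rec in sequential_scan(data):
        if rec[0] == key:
            return rec
    return None


def build_index(data: bytes) -> dict:
    """Indexed sequential: one pass builds data key -> record number; later
    reads go through the index instead of scanning the file."""
    return {rec[0]: n for n, rec in enumerate(sequential_scan(data))}


def indexed_lookup(data: bytes, index: dict, key: str):
    n = index.get(key)
    return None if n is None else direct_read(data, n)


def direct_read(data: bytes, record_number: int):
    """Direct (random) access: the address is computed from a non-data key,
    the record number, so neither a scan nor an index is needed. The bounds
    check matters because nothing else validates a computed address."""
    offset = record_number * RECORD_SIZE
    if record_number < 0 or offset + RECORD_SIZE > len(data):
        raise IndexError(f"record {record_number} is outside the file")
    return unpack_record(data[offset:offset + RECORD_SIZE])


if __name__ == "__main__":
    print("sequential:", [r[0] for r in sequential_scan(SAMPLE_FILE)])
    idx = build_index(SAMPLE_FILE)
    print("indexed   :", indexed_lookup(SAMPLE_FILE, idx, "A1010"))
    print("direct #3 :", direct_read(SAMPLE_FILE, 3))
```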

2. Capacity Management: (No need to cover that topic as it is tested in December, 2010 Attempt)

3. Reviews of Hardware, Microcomputer Acquisition, Capacity and Change Management Reviews

i) Hardware Acquisition Review (Why hardware reviews done?) Review of hardware acquisition
