security n control
Post on 03-Apr-2018
7/28/2019 Security n Control
J.D.BIRLA INSTITUTE
(DEPARTMENT OF MANAGEMENT)
SUBJECT: Marketing (Paper 2)
SEMESTER: 6
SECTION: B
GROUP: 7
ROLL NO: 141, 143, 145, 146, 148, 149,
153, 154, 155 And 157
TOPIC: Security and Control for BIS
INTRODUCTION
SECURITY AND PROTECTION
Can you imagine what would happen if you tried to link to the internet without a firewall or
antivirus software? Your computer would be disabled in a few seconds and it might take you
many days to recover. If you used the computer to run your business, you might not be able
to sell to your customers or place orders with your suppliers while it was down. And you
might find that your system had been penetrated by outsiders, who perhaps stole or destroyed
valuable data, including confidential payment data from your customers. If too much data
were destroyed or divulged, your business might never be able to operate!
In short, if you operate a business today, you need to make security and control a top priority.
Security refers to policies, procedures and technical measures used to prevent unauthorized
access, alteration, theft, or physical damage to information systems. Controls consist of all
the methods, policies, and organizational procedures that ensure the safety of the
organization's assets, the accuracy and reliability of its accounting records, and operational
adherence to management standards.
Security and protection are often used together, but they do two entirely different kinds of work:
Protection: Guarding users' (internal or external) data against interference from internal (authorized) users of the system.
Security: Guarding users' (internal or external) data or the system against interference and
access from external (unauthorized) users of the system.
Security and control are important but often neglected areas for information system
investment. Firms relying on computer systems for their core business functions can lose
sales and productivity. Information assets, such as confidential employee records, trade
secrets, or business plans, lose much of their value if they are revealed to outsiders or if they
expose the firm to legal liability. New laws, such as HIPAA, the Sarbanes-Oxley Act and the
Gramm-Leach-Bliley Act, require companies to practice stringent electronic records
management and adhere to strict standards for security, privacy, and control. Legal actions
requiring electronic evidence and computer forensics also require firms to pay more
attention to security and electronic records management.
Firms need to establish an appropriate organizational and managerial framework for security
and control to use technologies effectively to protect their information resources. A risk
assessment evaluates information assets, identifies control points and control weaknesses, and
determines the most cost-effective set of controls.
Firms must also develop a coherent corporate security policy and plans for continuing
business operations in the event of disaster or disruption. The security policy includes
policies for acceptable use and authorization. A disaster recovery plan provides procedures
and facilities for restoring computing and communication services after they have been
disrupted, whereas a business continuity plan focuses on how the company can restore
business operations.
Comprehensive and systematic MIS auditing helps organizations determine the effectiveness
of security and controls of their information system.
GOALS AND PRINCIPLES OF PROTECTION
Goals of Protection
To prevent mischievous, intentional violation of an access restriction by a user.
To ensure that each component active in a system uses system
resources only in ways consistent with stated policy.
Principle of Protection
A key, time-tested guiding principle for protection is the principle of least privilege.
It dictates that programs, users and even systems be given just enough privileges to
perform their tasks.
PROTECTION MECHANISM
In computer science, protection mechanisms are built into computer architecture to support the enforcement of security policies. A simple definition of a security policy is "to set who may use what information in a computer system".
The access matrix model, first introduced in 1971, is a generalized description of operating system protection mechanisms.
The separation of protection and security is a special case of the separation of mechanism and policy.
Access control list
An access control list (ACL), with respect to a computer file system, is a list of permissions
attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.
Capability List
Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses hierarchical protection domains.
Although most operating systems implement a facility which resembles capabilities, they typically do not provide enough support to allow for the exchange of capabilities among possibly mutually untrusting entities to be the primary means of granting and distributing access rights throughout the system. A capability-based system, in contrast, is designed with that goal in mind.
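The access matrix, its ACL (per-object) and capability-list (per-subject) views, and an unforgeable, attenuable capability token can be shown together in a short added example; this code is not part of the original document. The names (MATRIX, Kernel, Capability), the sample subjects and files, and the use of an HMAC tag to stand in for kernel-protected capability storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import NamedTuple

# Access matrix: one cell per (subject, object) pair, holding a set of rights.
# Constructed sample data; (alice, delete) mirrors the ACL example in the text.
MATRIX = {
    ("alice", "report.txt"): {"read", "write", "delete"},
    ("bob", "report.txt"): {"read"},
    ("bob", "payroll.db"): {"read", "write"},
}

def acl_for(obj):
    """Column view of the matrix: the ACL attached to one object."""
    return {s: set(r) for (s, o), r in MATRIX.items() if o == obj}

def capability_list_for(subject):
    """Row view of the matrix: everything one subject may touch."""
    return {o: set(r) for (s, o), r in MATRIX.items() if s == subject}

def acl_check(subject, obj, right):
    """ACL decision: look the subject up on the object; default is deny."""
    return right in acl_for(obj).get(subject, set())

class Capability(NamedTuple):
    obj: str
    rights: frozenset
    tag: str  # integrity tag only the kernel can compute

class Kernel:
    """Hypothetical reference monitor that issues and validates capabilities."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the kernel

    def _tag(self, obj, rights):
        # JSON gives an unambiguous encoding of (object, sorted rights).
        msg = json.dumps([obj, sorted(rights)]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def mint(self, subject, obj):
        """Issue a capability carrying exactly the subject's matrix rights."""
        rights = frozenset(MATRIX.get((subject, obj), set()))
        if not rights:
            raise PermissionError(f"{subject} holds no rights on {obj}")
        return Capability(obj, rights, self._tag(obj, rights))

    def valid(self, cap):
        return hmac.compare_digest(cap.tag, self._tag(cap.obj, cap.rights))

    def attenuate(self, cap, keep):
        """Least privilege on delegation: derive a capability with fewer rights."""
        if not self.valid(cap):
            raise PermissionError("invalid capability")
        rights = cap.rights & frozenset(keep)
        return Capability(cap.obj, rights, self._tag(cap.obj, rights))

    def access(self, cap, right):
        """Capability decision: the token itself is the authority, no identity lookup."""
        return self.valid(cap) and right in cap.rights

if __name__ == "__main__":
    kernel = Kernel()
    full = kernel.mint("alice", "report.txt")
    read_only = kernel.attenuate(full, {"read"})  # what Alice hands to a helper
    forged = read_only._replace(rights=frozenset({"read", "delete"}))
    print("ACL for report.txt:", acl_for("report.txt"))
    print("bob's capability list:", capability_list_for("bob"))
    print("read-only token may delete:", kernel.access(read_only, "delete"))
    print("forged token may delete:", kernel.access(forged, "delete"))
```
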
Data Encryption
The Data Encryption Standard is a previously predominant algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the National Security Agency (NSA), the NBS eventually selected a slightly modified version, which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, nourishing suspicions about a backdoor. While these suspicions eventually have turned out to be unfounded, the intense academic scrutiny the algorithm received over time led to the modern understanding of block ciphers and their cryptanalysis.
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes. There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form of Triple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn as a standard by the National Institute of Standards and Technology (formerly the National Bureau of Standards).
Some documentation makes a distinction between DES as a standard and DES as an algorithm, referring to the algorithm as the DEA (Data Encryption Algorithm).
TYPES OF SECURITY THREATS
Breach of Confidentiality
This type of violation involves unauthorized reading of data or theft of
information. Hackers are individuals who gain illegal entry into a computer
system, often without malicious intent but simply to see if they can do it.
Although insiders constitute the greatest threat to information security, the hacker
problem is serious. Other terms sometimes used in this context are crackers and
attackers. Actions taken by hackers, crackers, and attackers may be limited to
simply browsing through information in a system or may extend to stealing,
altering, or destroying information. Systems accessible via remote access are
particularly vulnerable to hacker activity.
Breach of Integrity
This type of violation involves unauthorized modification of data. Malicious code can attack both personal computers and more sophisticated systems. It includes viruses, worms, Trojan horses, logic bombs, and other software. Malicious code programs may play harmless pranks, such as displaying unwanted phrases or graphics, or create serious problems by destroying or altering data or crashing systems. The increasing use of corporate networks, e-mail, and the Internet provides fertile ground for the development of new strains of viruses and other malicious code. It is critical that antiviral or antimalware software be kept up-to-date.
Theft of service
It refers to unauthorized use of services. Desktop and laptop computers and the
data they contain are vulnerable to theft and/or loss from inside and outside the
organization. The increasing use of laptops, tablets, smartphones and other
handheld devices, along with portable media such as external hard drives and
USB thumb drives, makes potential inappropriate access to PHI a greater threat,
especially if these devices lack encryption. Measures must be implemented to
ensure that patient and corporate data are protected in the event devices are lost,
stolen, or misplaced by users. Measures such as encryption and limiting USB
usage are strongly recommended practices to enhance information security.
Denial of service
This violation involves preventing legitimate use of the system by the authorized
users. End users, data entry clerks, system operators, and programmers may make
unintentional errors that contribute to security problems by creating
vulnerabilities, crashing systems, or compromising data integrity. Legitimate users
may sometimes attempt to access information they do not need to do their jobs
simply to satisfy their curiosity. Extremely sensitive information, such as human
immunodeficiency virus test results, may be vulnerable to this threat if not
adequately protected in system or security design.
VIRUS
A virus is a program or piece of code that is loaded onto your computer without your knowledge and
runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made.
A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even
such a simple virus is dangerous because it will quickly use all available memory and bring
the system to a halt. An even more dangerous type of virus is one capable of transmitting itself
across networks and bypassing security systems.
Viruses are sometimes confused with worms and Trojan horses, which are technically different. A
worm can exploit security vulnerabilities to spread itself automatically to other computers through
networks, while a Trojan horse is a program that appears harmless but hides malicious functions.
Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some
viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious
or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing
themselves.
A virus program contains instructions to initiate some sort of "event" that affects the infected
computer. Each virus has a unique event associated with it. These events and their effects can range
from harmless to devastating. For example:
An annoying message appearing on the computer screen.
Reduced memory or disk space.
Modification of data.
Files overwritten or damaged.
Hard drive erased.
WORMS
A computer worm is a self-replicating malware computer program, which uses a computer
network to send copies of itself to other nodes (computers on the network), and it may do so without
any user intervention. This is due to security shortcomings on the target computer. Unlike a computer
virus, it does not need to attach itself to an existing program file, and it relies less on human behavior
in order to spread from computer to computer. Worms almost always cause at least some harm to
the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify
files on a targeted computer.
Worms are independent computer programs that copy themselves from one computer to
others over a network. Worms can destroy data and programs as well as disrupt or even halt
the operation of computer networks.
Worms and viruses are often spread over the Internet from files of loaded software, from files attached to e-mail transmissions, or from computerized e-mail messages or instant messaging. Viruses have also invaded computerized information systems from "infected" disks or infected machines. Worms are currently the most problematic.
Now viruses and worms are spreading to wireless computing devices. For example, the Cabir worm, which first appeared in early 2005, targets mobiles running the popular Symbian mobile operating system and spreads through Bluetooth wireless networks. Cabir continually seeks other Bluetooth devices and eventually runs down a device's battery. Mobile device viruses pose serious threats to enterprise computing because so many wireless devices are now linked to corporate information systems.
TRAP DOOR
A trap door is an entry point in an information processing system which circumvents the normal
security measures. It is generally a hidden program or an electronic component which makes the
protection system ineffective if certain undocumented commands are issued to it. Moreover, the trap
door is often activated by an event or a normal action.
A trap door can also be a security hole in a system which was deliberately set up by its creators or
the people in charge of maintenance. The main purpose of these trap doors is not always harmful:
certain operating systems, for example, have user accounts with high privileges intended to facilitate
the work of the maintenance staff. But in this case, they must be documented.
The best guarantee against trap doors is to use software whose source code is public and is
analyzed by as many people as possible.
LOGIC BOMB
In a computer program, a logic bomb, also called slag code, is programming code, inserted
surreptitiously or intentionally, that is designed to execute (or "explode") under
circumstances such as the lapse of a certain amount of time or the failure of a program user
to respond to a program command. It is in effect a delayed-action computer virus or Trojan
horse. A logic bomb, when "exploded," may be designed to display or print a spurious
message, delete or corrupt data, or have other undesirable effects.
Some logic bombs can be detected and eliminated before they execute through a periodic
scan of all computer files, including compressed files, with an up-to-date anti-virus program.
For best results, the auto-protect and e-mail screening functions of the anti-virus program
should be activated by the computer user whenever the machine is online. In a network, each
computer should be individually protected, in addition to whatever protection is provided by
the network administrator. Unfortunately, even this precaution does not guarantee
100-percent system immunity.
FIREWALL
A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization's private internal networks and distrusted external networks, such as the Internet, although firewalls can also
be used to protect one part of a company's network from the rest of the network.
A firewall protects against a number of different online threats:
Hackers breaking into your computer.
Some viruses, called worms, that spread from computer to computer over the
internet.
Some firewalls block outgoing traffic that might originate from a virus infection.
Because the internet is a public network, any connected computer can find and connect to any other connected computer. A firewall is a barrier between the public internet and your private computer system. Think of it as a really paranoid bouncer who stops anyone coming into your computer if they're not on the guest list.
The firewall acts like a gatekeeper who examines each user's credentials before access is granted to a network. The firewall identifies names, IP addresses, applications, and other characteristics of incoming traffic. It checks information against the access rules that have
been programmed into the system by the network administrator. The firewall prevents unauthorized communication into and out of the network.
In large organizations, the firewall often resides on a specially designated computer separate from the rest of the network, so no incoming request directly accesses private network resources.
Types of firewall
Desktop firewall
A desktop firewall is installed on each computer that is connected to the internet
and monitors (and blocks, where necessary) internet traffic. They are also sometimes known as software firewalls.
Windows Firewall is a basic firewall. You can replace it with a more sophisticated
commercial desktop firewall or supplement it with a hardware firewall if you wish.
The benefits of a desktop firewall are:
Windows Firewall is free and included with Windows Vista and Windows XP
(with the latest updates)
Free software firewalls are also available for older systems in private use.
Commercial desktop firewalls often integrate well with other security products
like virus scanners.
Easy to set up: no wiring or extra hardware.
If you use a laptop, a desktop firewall will protect you wherever you connect to
the internet.
Hardware firewall
Hardware firewalls are often built into broadband internet routers. If several computers share an internet connection, a hardware firewall will protect all of them. Most router manufacturers offer devices with firewalls.
Although they are getting easier to use, configuring a hardware firewall is often trickier than configuring a software firewall. Most internet routers and firewalls have a password that lets one control them from their computer. It's a good idea to change that password so that it is not the default one.
Commercial firewall
Commercial firewalls operate in the same way as Windows Firewall but generally give you extra protection, more control over how the firewall works and more information about how to configure it. Most security software companies sell a firewall as a standalone software package or as part of a security suite that includes other protection such as a virus scanner.
There are a number of firewall screening technologies, including static packet filtering, stateful inspection, Network Address Translation, and application proxy filtering. They are frequently used in combination to provide firewall protection.
Packet filtering examines selected fields in the headers of data packets flowing back and forth between the trusted network and the Internet, examining individual packets in isolation. This filtering technology can miss many types of attacks. Stateful inspection provides additional security by determining whether packets are part of an ongoing dialogue between a sender and a receiver. It sets up state tables to track information over multiple packets. Packets are accepted or rejected based on whether they are part of an approved conversation or whether they are attempting to establish a legitimate connection.
Network Address Translation (NAT) can provide another layer of protection when static packet filtering and stateful inspection are employed. NAT conceals the IP addresses of the organization's internal host computer(s) to prevent sniffer programs outside the firewall from ascertaining them and using that information to penetrate internal systems.
Application proxy filtering examines the application content of packets. A proxy server stops data packets originating outside the organization, inspects them, and passes a proxy to the other side of the firewall. If a user outside the company wants to communicate with a user inside the organization, the outside user first "talks" to the proxy application and the proxy application communicates with the firm's internal computer. Likewise, a computer user inside the organization goes through the proxy to talk with computers on the outside.
To create a good firewall, an administrator must maintain detailed internal rules identifying the people, applications, or addresses that are allowed or rejected. Firewalls can deter, but not completely prevent, network penetration by outsiders and should be viewed as one element in an overall security plan.
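The difference between static packet filtering and stateful inspection described above can be seen by running both over the same traffic. The following is an added example, not part of the original document: the rule set, the simplified TCP handling (a FIN or RST closes the conversation at once), and the addresses and packet trace are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")

# Constructed addresses: one internal host and two external hosts.
INSIDE, WEB, OTHER = "10.0.0.5", "203.0.113.10", "198.51.100.7"

def static_filter(pkt):
    """Static packet filter: header fields only, each packet judged in isolation.
    Rule 1: allow outbound traffic to tcp/80.
    Rule 2: allow inbound traffic from source port 80 (assumed to be replies)."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "ACCEPT"
    if pkt.direction == "in" and pkt.sport == 80:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    """Stateful inspection: a state table keyed by the conversation's 4-tuple."""

    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def check(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                # Only an approved outbound connection attempt creates state.
                if pkt.dport != 80:
                    return "DROP"
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            if self.table.get(key) != "ESTABLISHED":
                return "DROP"
            if pkt.flags in ("FIN", "RST"):
                del self.table[key]  # conversation over, forget it
            return "ACCEPT"
        # Inbound packets are accepted only if they match a tracked conversation.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        if state == "ESTABLISHED" and pkt.flags != "SYN":
            if pkt.flags == "RST":
                del self.table[key]
            return "ACCEPT"
        return "DROP"

# Constructed trace: a normal web request followed by three packets that only
# look like replies because their source port is 80.
TRACE = [
    Packet("out", INSIDE, 40000, WEB, 80, "SYN"),
    Packet("in", WEB, 80, INSIDE, 40000, "SYN-ACK"),
    Packet("out", INSIDE, 40000, WEB, 80, "ACK"),
    Packet("in", WEB, 80, INSIDE, 40000, "ACK"),
    Packet("in", OTHER, 80, INSIDE, 22, "ACK"),    # no conversation with this host
    Packet("in", WEB, 80, INSIDE, 40001, "ACK"),   # known host, untracked port
    Packet("out", INSIDE, 40000, WEB, 80, "RST"),  # inside host closes
    Packet("in", WEB, 80, INSIDE, 40000, "ACK"),   # arrives after the close
]

def compare(trace):
    """Return (static verdict, stateful verdict) for every packet in order."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.check(p)) for p in trace]

if __name__ == "__main__":
    for pkt, (static, stateful) in zip(TRACE, compare(TRACE)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{pkt.flags:<7} static={static:<6} stateful={stateful}")
```

The static filter accepts all eight packets, while the stateful filter drops the three that belong to no tracked conversation.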
Features of Firewall
Intrusion Detection and Protection: This is the most important feature of a firewall.
The firewall checks all inbound traffic to the internal host, compares it
with the predefined rules set by the system administrator of the internal network,
drops the traffic, and logs the unauthorized connection attempts.
Blocking unauthorized outward traffic: Blocks the users of the internal network from
making any unauthorized connection attempts to an external network.
Protection from Viruses and worms: Many firewall vendors add this feature to
their firewall products, which check for viruses in the incoming traffic.
Protection from Denial of Service Attacks: A denial of service attack is one in
which the attacker deprives an organization of the use of a network resource (such as
the email system or web site) by exploiting a weakness of the receiving system (for
example, an inability to deal with a large number of email connection requests in a short time).
Protection from Spam: Spam consists of unsolicited commercial email messages. These are
not created with the same malicious intent as threats like viruses, but are now having a
negative economic impact on the same order of magnitude. Spam clogs networks,
hogs disk space and wastes countless hours of user time reading and dealing with the
messages.
SYSTEM VULNERABILITY AND ABUSE
Before computer automation, data about individuals or organizations were maintained and secured as paper records dispersed in separate business or organizational units. Information systems concentrate data in computer files that can potentially be accessed by large numbers of people and by groups outside of the organization.
When large amounts of data are stored in electronic form they are vulnerable to many more kinds of threats than when they exist in manual form. Through communications networks, information systems in different locations can be interconnected. The potential for unauthorized access, abuse, or fraud is not limited to a single location but can occur at any access point in the network.
Why Systems Are Vulnerable
Figure 1 illustrates the most common threats against contemporary information systems. They can stem from technical, organizational, and environmental factors compounded by poor management decisions. In the multitier client/server computing environment illustrated here, vulnerabilities exist at each layer and in the communications between the layers. Users at the client layer can cause harm by introducing errors or by accessing systems without authorization. It is possible to access data flowing over networks, steal valuable data during transmission, or alter messages without authorization. Radiation can disrupt a network at various points as well. Intruders can launch denial of service attacks or malicious software to disrupt the operation of Web sites. Those capable of penetrating corporate systems can destroy or alter corporate data stored in databases or files.
FIGURE 1 Contemporary security challenges and vulnerabilities
The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
Systems malfunction if computer hardware breaks down, is not configured properly, or is damaged by improper use or criminal acts. Errors in programming, improper installation, or unauthorized changes cause computer software to fail. Computer systems can also be disrupted by power failures, floods, fires, or other natural disasters. Domestic or offshore outsourcing to another company adds to system vulnerability because valuable information will reside on networks and computers outside the organization's control. Without strong safeguards, valuable data could be lost, destroyed, or could fall into the wrong hands, revealing important trade secrets or information that violates personal privacy.
Some worry that outsourcing application development to offshore companies might provide opportunities for programmers to insert hidden code that would later enable someone to gain control over an application or its data (Schmerken and Fitzgerald, 2004).
Threats to Information System
1. Hardware Failure
2. Software Failure
3. Attacks by malicious software
4. Sabotage
5. Theft of data, services, or equipment
6. Accidents / Natural Disaster
7. User Error
8. Bugs in the program
9. Telecommunication failure
INTERNET VULNERABILITIES
Large public networks such as the Internet are more vulnerable than internal networks because they are virtually open to anyone. The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. When the Internet becomes part of the
corporate network, the organization's information systems are even more vulnerable to actions from outsiders.
Computers that are constantly connected to the Internet by cable modems or Digital Subscriber Line (DSL) are more open to penetration by outsiders because they use fixed Internet addresses where they can be easily identified. (With dial-up service, a temporary Internet address is assigned for each session.) A fixed Internet address creates a fixed target for hackers.
Telephone service based on Internet technology can be more vulnerable than the switched voice network if it does not run over a secure private network. Most Voice over IP (VoIP) traffic over the public Internet is not encrypted, so anyone linked to a network can listen in on conversations. Hackers can intercept conversations to obtain credit card and other confidential personal information or shut down voice service by flooding servers supporting VoIP with bogus traffic.
Vulnerability has also increased from widespread use of e-mail and instant messaging (IM). E-mail can contain attachments that serve as springboards for malicious software or unauthorized access to internal corporate systems. Employees may use e-mail messages to transmit valuable trade secrets, financial data, or confidential customer information to unauthorized recipients. Popular instant messaging applications for consumers do not use a secure layer for text messages, so they can be intercepted and read by outsiders during transmission over the public Internet. IM activity over the Internet can in some cases be used as a back door to an otherwise secure network. (IM systems designed for corporations, such as IBM's Sametime, include security features.)
WIRELESS SECURITY CHALLENGES
Wireless networks using radio-based technology are even more vulnerable to penetration because radio frequency bands are easy to scan. Although the range of Wireless Fidelity (Wi-Fi) networks is only several hundred feet, it can be extended up to one-fourth of a mile using external antennae. Local area networks (LANs) that use the 802.11b (Wi-Fi) standard can be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and freeware hacking software. Hackers use these tools to detect unprotected networks, monitor network traffic, and in some cases, gain access to the Internet or to corporate networks.
Wi-Fi transmission technology uses spread spectrum transmission in which a signal is spread over a wide range of frequencies, and the particular version of spread spectrum transmission used in the 802.11 standard was designed to make it easier for stations to find and hear one another. The service set identifiers (SSID) identifying the access points in a Wi-Fi network are broadcast multiple times and can be picked up fairly easily by intruders' sniffer programs (see Figure 2). Wireless networks in many locations do not have basic protections against war driving, in which eavesdroppers drive by buildings or park outside and try to intercept wireless network traffic.
FIGURE 2 Wi-Fi security challenges
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
The 802.11 standard specifies the SSID as a form of password for a user's radio network interface card (NIC) to join a particular wireless network. The user's radio NIC must have the same SSID as the access point to enable association and communication. Most access points broadcast the SSID multiple times per second. A hacker can employ an 802.11 analysis tool to identify the SSID. (Windows XP has capabilities for detecting the SSID used in a network and automatically configuring the radio NIC within the user's device.) An intruder that has associated with an access point by using the correct SSID can then obtain a legitimate IP address to access other resources on the network because many wireless LANs automatically assign IP addresses to users as they become active. This enables an intruder who has illicitly associated with a wireless LAN to use the Windows operating system to determine which other users are connected to the network, and even to click on other users' devices, locate their documents folders, and open or copy their files.
This is a serious problem many end users overlook when connecting to access points at
Intruders can also use the information they have gleaned about Internet Protocol (IP) addresses and SSIDs to set up rogue access points on a different radio channel in physical locations close to users to force a user's radio NIC to associate with the rogue access point. Once this association occurs, hackers using the rogue access point can capture the names and
passwords of unsuspecting users.
The initial security standard developed for Wi-Fi, called Wired Equivalent Privacy (WEP), is not very effective. WEP is built into all standard 802.11 products, but its use is optional. Users must turn it on, and many neglect to do so, leaving many access points unprotected. The basic WEP specification calls for an access point and all of its users to share the same 40-bit encrypted password, which can be easily decrypted by hackers from a small amount of traffic. Manufacturers of wireless networking products are now beefing up their security by offering stronger encryption and authentication systems.
Software Vulnerability
Software errors also pose a constant threat to information systems, causing untold losses in
productivity. The U.S. Department of Commerce National Institute of Standards and
Technology (NIST) reports that software flaws (including vulnerabilities to hackers and
malware) cost the U.S. economy $59.6 billion each year (Hulme, 2004). A major problem
with software is the presence of hidden bugs, or program code defects. Studies have shown
that it is virtually impossible to eliminate all bugs from large programs. The main source of
bugs is the complexity of decision-making code. Important programs within most
corporations may contain tens of thousands or even millions of lines of code, each with many
alternative decision paths. Such complexity is difficult to document and design; designers
may document some reactions incorrectly or may fail to consider some possibilities. Even
after rigorous testing, developers do not know for sure that a piece of software is dependable
until the product proves itself after much operational use.
Commercial software often contains flaws that create not only performance issues but also
security vulnerabilities that open networks to intruders. These vulnerabilities and bugs can
enable malware to slip past antivirus defenses. A great deal of malware has been trying to
exploit vulnerabilities in the Microsoft Windows operating system and other Microsoft
products, but malware targeting the Linux operating system is on the rise as well.
To correct software flaws once they are identified, the software vendor creates lines of code
called patches to repair the flaw without disturbing proper operation of the software. An
example is Microsoft's XP Service Pack 2 (SP2) introduced in 2004, which features added
firewall protection against viruses and intruders, capabilities for automatic security updates,
and an easy-to-use interface for managing the security applications on the user's computer. It
is up to users of the software to track these vulnerabilities, test, and apply all patches. This
process is called patch management.
DISASTER RECOVERY PLANNING AND BUSINESS CONTINUITY PLANNING
Disaster Definition
A disaster is any event that can cause a significant disruption in operational and/or computer processing capabilities for a period of time, which affects the operations of the business. The purpose of defining a crisis or a discontinuity is to establish a documented description of what constitutes a crisis or a discontinuity. The intent is to minimize the decision-making process when an event occurs.
Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.
Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services.
For example, MasterCard maintains a duplicate computer center in Kansas City, Missouri, to serve as an emergency backup to its primary computer center in St. Louis. Rather than build their own backup facilities, many firms contract with disaster recovery firms, such as Comdisco Disaster Recovery Services in Rosemont, Illinois, and SunGard Recovery Services, headquartered in Wayne, Pennsylvania. These disaster recovery firms provide hot sites housing spare computers at locations around the country where subscribing firms can run their critical applications in an emergency.
Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down.
Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company. They must conduct a business impact analysis to identify the firm's most critical systems and the impact a systems outage would have on the business. Management must determine the maximum amount of time the business can survive with its systems down and which parts of the business must be restored first.
Although these are different activities, they are clearly related, and Disaster Recovery Planning builds upon Business Continuity Planning when properly done. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.
Introduction
This Disaster Recovery Plan is designed to ensure the continuation of vital business processes
in the event that a disaster occurs. This plan will provide an effective solution that can be
used to recover all vital business processes within the required time frame using vital records
that are stored off-site.
The issue to be addressed within the Disaster Recovery Strategy is to ensure that every
reasonable measure has been taken to identify and mitigate potential risks that exist within
the processing environment. The most successful Disaster Recovery Strategy is one that
will never be implemented; therefore, risk avoidance is a critical element in the disaster
recovery process.
Scope and Objectives
The Disaster Recovery Plan provides a state of readiness allowing prompt personnel response
after a disaster has occurred. This, in turn, provides for a more effective and efficient
recovery effort. The Disaster Recovery Plan should be developed to accomplish the following
objectives:
1. Limit the magnitude of any loss by minimizing the duration of a critical application service
interruption.
2. Assess damage, repair the damage, and activate the repaired computer center.
3. Recover data and information imperative to the operation of critical applications.
4. Manage the recovery operation in an organized and effective manner.
5. Prepare technology personnel to respond effectively in disaster recovery situations.
Every business has the responsibility to respond to any short or long term disruption of
services. By developing, documenting, implementing and testing a Disaster Recovery Plan,
businesses will be able to restore the availability of critical applications in a timely and
organized manner following a disaster occurrence.
Importance of disaster recovery planning
As IT systems have become increasingly critical to the smooth operation of a company, and
arguably the economy as a whole, the importance of ensuring the continued operation of the
systems, or the rapid recovery of the systems, has increased.
It is estimated that most large companies spend between 2% and 4% of their IT budget on
disaster recovery planning, with the aim of avoiding larger losses in the event that the
business cannot continue to function due to loss of IT infrastructure and data. Of companies
that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% survive in the long run.
As a result, preparation for recovery of systems needs to be taken very seriously. This
involves a significant investment of time and money with the aim of ensuring minimal losses
in the event of a disruptive event.
Security Outsourcing
Many companies, especially small businesses, lack the resources or expertise to provide a secure high-availability computing environment on their own. They can outsource many security functions to managed security service providers (MSSPs) that monitor network activity and perform vulnerability testing and intrusion detection. Guardent, Counterpane, VeriSign, and Symantec are leading providers of MSSP services.
CONCERN FOR SYSTEM OWNERS AND DEVELOPERS
Many firms are reluctant to spend heavily on security because it is not directly related to sales
revenue. However, protecting information systems is so critical to the operation of the business
that it deserves a second look. Companies have very valuable information assets to protect.
Businesses must protect not only their own information assets but also those of customers,
employees and business partners. The system owners and developers always have the
concern to secure the information systems. The concerns for the owners and the developers of
system are:
1. Disaster recovery plan:
As companies increasingly rely on digital networks for revenue and
operations, they need to take additional steps to ensure that their systems and applications
are always available. The system owners and developers must plan for running the
business even in the event of any kind of system disaster.
2. Security policy:
Once they identify the risks to the system, they will need to develop a security policy for protecting the company's assets. A security policy consists of
policies determining acceptable use of the firm's information resources and which
members of the company have access to its information assets, procedures, and
technical measures used to prevent unauthorised access, alteration, theft, or physical
damage.
3. Software quality assurance:
To assure the quality of software, the system
owners and developers must develop:
- Rules and policy for validation, verification and certification of
software. Verification and validation is the process of checking that a software system
meets specifications and that it fulfills its intended purpose. It is normally the
responsibility of software testers as part of the software development lifecycle.
- System development methodology: A software development
methodology or system development methodology in software engineering is a
framework that is used to structure, plan, and control the process of developing an
information system.
Every software development methodology framework acts as a basis for applying specific approaches to develop and maintain software. Several software development approaches have
been used since the origin of information technology. These are:
Waterfall: a linear framework
Prototyping: an iterative framework
Incremental: a combined linear-iterative framework
Spiral: a combined linear-iterative framework
Rapid application development (RAD): an iterative framework
Extreme Programming
4. Data quality:
Data quality describes the quality of the content of information systems.
It is often pragmatically defined as: "The fitness for use of the information provided." The
system owners and developers must look for data quality and must form policies
regarding source, authorization and auto-checking of the data by the software.
CONTROL
Controls can be regarded as:
Methods, policies, and procedures
Ensuring protection of the organization's assets
Ensuring accuracy and reliability of records, and operational adherence to
management standards
The Control Challenge
How will the organization control the flow of information to the internal and
external world?
Protect confidentiality: One of the main purposes of control is to protect
confidentiality, which is essential nowadays. Controls enable users to protect
passwords, encryption, etc., and keep them confidential to the user alone.
Protect against unwarranted changes to information by unauthorized
users: An important function of control is to prevent unauthorized users from
making unwarranted changes to information. Controls restrict unauthorized
users from gaining access to the information and changing it, while allowing
access to authorized users.
Protect the privacy of customers: Another important function of control
is to protect the privacy of customers. Controls keep users' information and
data confidential and private by making them available only to the user and
no one else.
Criteria for determining control structure
Importance of data
Efficiency, complexity, and expense of each control technique
Level of risk if a specific activity or process is not properly controlled
Types of Control
There are two main types of controls :
General Control: Overall controls that establish a framework for controlling the
design, security and use of computer programs.
Application Control: Specific control unique to each computerized application.
General Control
There are six types of general control :
Implementation Control: It is a review of development and implementation
methodologies and adherence to the standards. This is mainly for software quality assurance.
Software Control: Controls the various categories of software, versions of software,
unauthorized access of software programs.
Hardware Control: Ensures physical security of the hardware, preventive
maintenance audit, etc.
Computer Operation Control: User control, system administrator procedures,
network access rules, etc.
Data Security & Control: Backup control, system audit for password security,
capability lists and data access permissions.
Administrative Control: Formalized standard rules, procedures and disciplines to
ensure that the organization's controls are properly executed.
Application Control
There are four types of application control:
Input Control: The procedure to check data for accuracy and completeness.
Validation
Authorization
Control totals
Processing Control: The routines for establishing that data are complete and accurate
during updating.
Capability Control: Measures to restrict the capability of a user to use the system.
Output Control: Measures that ensure that the results of a computer processing are
accurate, complete and properly distributed.
General control
An IT general control should demonstrate that the organization has a procedure or policy in
place for technology that affects the management of fundamental organizational processes such as risk management, change management, disaster recovery and security.
Implementation Control: It is a review of development and implementation methodologies
and adherence to the standards. This is mainly for software quality assurance.
Software Control: Controls the various categories of software, versions of software,
unauthorized access of software programs.
Hardware Control: Ensures physical security of the hardware, preventive maintenance
audit, etc.
Computer Operation Control: User control, system administrator procedures, network
access rules, etc.
Data Security & Control: Backup control, system audit for password security, capability
lists and data access permissions.
Administrative Control: Formalized standard rules, procedures and disciplines to ensure that the organization's controls are properly executed.
Examples of general control
Back up/operations: Back-up media (tapes, disks, etc.) are rotated to an offsite storage
facility. The backup includes operating system and application databases. Logs showing the
rotation and presence of back-up media should be maintained.
Back up/operations: At minimum, incremental backups are performed nightly and full backups are done on at least a monthly basis. These backups are rotated offsite to a
well-protected storage site. The term incremental backups applies to redo logs and any other
methods that permit files to be reconstructed from an original base file plus records that will
bring it up to current state.
Application control
An important audit conducted entails general work flow control for computer applications.
Below are general guidelines to be used to review these controls for any computer application
that may be in use.
Input Control: The procedure to check data for accuracy and completeness
Validation
Authorization
Control totals
Data input controls ensure the accuracy, completeness, and timeliness of data during its
conversion from its original source into computer data, or entry into a computer application.
Data can be entered into a computer application from either manual online input or by
scheduled automated processing. The input control reviewer should determine the adequacy
of both manual and automated controls over data input to ensure that data is input accurately with optimum use of computerized validation and editing and that error handling procedures
facilitate the timely and accurate resubmission of all corrected data.
1) Documented procedures should exist for any data manually entered into the application.
The procedures should include how to identify, correct, and reprocess rejected data.
2) Input edits should be used by the application. These could include checking for invalid
field lengths, invalid characters, missing or erroneous data, incorrect dates, or the use of
check digits.
3) Input data should also be controlled by the use of record counts, control totals, and event
logs.
4) Another way to help ensure appropriate data entry is through authorization/approval. The
authorization levels of the assigned approvers should also be reviewed to determine if they
are reasonable.
5) Passwords should be used to control access. Passwords should be changed periodically,
deleted when users leave the University, and modified to reflect user job changes.
6) Duties should be separated to ensure that no one individual performs multiple critical
tasks. (Example: Name Change and distribution of payroll checks)
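Items 1 to 3 above (input edits, check digits, record counts, control totals, and the correction and resubmission of rejected data) can be shown on one small batch. This is an added example, not part of the original paper; the field names, the batch header layout, the 11-digit account format and the choice of the Luhn mod-10 scheme as the check digit are assumptions, and the records are constructed.

```python
import re
from datetime import date
from decimal import Decimal


def luhn_ok(number):
    """Mod-10 (Luhn) check digit: catches single-digit errors and most adjacent swaps."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


NAME_RE = re.compile(r"[A-Za-z .'-]{1,40}")


def validate(rec):
    """Input edits for one record. Returns (list of errors, parsed amount or None)."""
    errors = []
    account = rec.get("account", "")
    if not account:
        errors.append("account: missing")
    elif not re.fullmatch(r"[0-9]{11}", account):
        errors.append("account: must be exactly 11 digits")
    elif not luhn_ok(account):
        errors.append("account: check digit mismatch")

    name = rec.get("name", "")
    if not name.strip():
        errors.append("name: missing")
    elif not NAME_RE.fullmatch(name):
        errors.append("name: invalid characters or length")

    amount = None
    if re.fullmatch(r"[0-9]{1,9}\.[0-9]{2}", rec.get("amount", "")):
        amount = Decimal(rec["amount"])
    if amount is None or amount <= 0:
        errors.append("amount: not a positive value with two decimals")
        amount = None

    try:
        date.fromisoformat(rec.get("pay_date", ""))
    except ValueError:
        errors.append("pay_date: not a valid calendar date")
    return errors, amount


def process_batch(header, records):
    """Apply the edits, then compare record count and control total with the header."""
    accepted, suspense, total = [], [], Decimal("0")
    for line_no, rec in enumerate(records, start=1):
        errors, amount = validate(rec)
        if errors:
            suspense.append((line_no, errors))   # held for correction and resubmission
        else:
            accepted.append(rec)
            total += amount
    count_ok = len(records) == header["record_count"]
    difference = header["control_total"] - total
    return {"accepted": accepted, "suspense": suspense, "count_ok": count_ok,
            "accepted_total": total, "difference": difference,
            "release": count_ok and not suspense and difference == 0}


# Constructed batch. The header is what the originating department declared
# from its source documents: 5 records totalling 2245.75.
HEADER = {"record_count": 5, "control_total": Decimal("2245.75")}
BATCH = [
    {"account": "12345678903", "name": "A. Rao", "amount": "1500.00", "pay_date": "2013-03-28"},
    {"account": "79927398731", "name": "B. Sen", "amount": "250.00", "pay_date": "2013-03-28"},
    {"account": "55512345673", "name": "C. Das", "amount": "300.50", "pay_date": "2013-02-30"},
    {"account": "40128888886", "name": "D. Roy", "amount": "12O.00", "pay_date": "2013-03-28"},
    {"account": "24680135795", "name": "E. Jha", "amount": "75.25", "pay_date": "2013-03-28"},
]


def corrected_batch():
    """The same batch after the three rejected records have been corrected."""
    fixed = [dict(rec) for rec in BATCH]
    fixed[1]["account"] = "79927398713"   # last two digits had been transposed
    fixed[2]["pay_date"] = "2013-02-28"   # 30 February does not exist
    fixed[3]["amount"] = "120.00"         # letter O had been keyed for zero
    return fixed


if __name__ == "__main__":
    for label, recs in (("first pass", BATCH), ("resubmitted", corrected_batch())):
        result = process_batch(HEADER, recs)
        print(label, "release:", result["release"], "difference:", result["difference"])
        for line_no, errors in result["suspense"]:
            print("  line", line_no, errors)
```

On the first pass the batch is held: the control total is out by exactly the value of the three records in suspense, and it balances only after they are corrected and resubmitted.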
Processing Control: The routines for establishing that data are complete and accurate during
updating
Data processing controls are used to ensure the accuracy, completeness, and timeliness of
data during either batch or online processing. These controls will ensure that data is
accurately processed through the application and that no data is added, lost, or altered during
processing.
1) Documentation should exist explaining the workflow through the application. Examples
would be narratives on the application processes, flowcharts, and an explanation of system or error messages.
2) If batch processes are run on a regular schedule, there should be documented procedures
explaining how this is performed, including the schedule of steps to be followed in case of
normal completion or of failure and restart.
3) A processing log should be available. It should be reviewed for unusual or unauthorized
activity.
4) Processing logs show errors or problems encountered during processing. These logs should
be the source for error reports to be used for trend analysis and follow up analysis.
5) There should be controls in place to document that the correct files are used for processing.
6) Processing edits should also be used. These can limit large scale damage which could
result in a major database recovery effort.
7) Audit logs should be generated during processing. These logs contain information about
each transaction. Data that should be included are: who initiated each of the transactions, the
date and time of the transactions, and the location of the transaction origination (IP address as an
example). Logs are used for activity reporting and anomaly detection.
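A review of such an audit log can be automated. The sketch below is an added example, not part of the original paper: it checks that every entry carries the three fields item 7 asks for, flags activity outside the processing window (item 3), and detects one user performing both a name change and a payroll release on the same record, the separation-of-duties example given under input control. The log format, the 08:00 to 18:00 window, the action names and the log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

OPEN, CLOSE = time(8, 0), time(18, 0)              # assumed processing window
CONFLICTS = [("name_change", "payroll_release")]   # duties one person must not combine

# Constructed audit log: timestamp, then key=value fields.
LOG = """\
2013-03-28T09:14:02 user=asen ip=10.1.4.22 action=name_change record=E1042
2013-03-28T09:20:45 user=broy ip=10.1.4.31 action=payroll_release record=E1042
2013-03-28T10:02:10 user=cdas ip=10.1.4.40 action=name_change record=E2210
2013-03-28T10:05:33 user=cdas ip=10.1.4.40 action=payroll_release record=E2210
2013-03-28T23:47:19 user=broy ip=10.1.4.31 action=payroll_release record=E3307
2013-03-28T11:30:00 user= ip=10.1.4.55 action=address_change record=E1180
2013-03-28T11:42:08 user=asen action=address_change record=E1500
"""


def parse_line(line):
    """Split one entry into (datetime or None, dict of fields)."""
    stamp, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        when = None
    return when, fields


def review(log_text):
    """Return findings as (line number, kind, detail) in log order."""
    findings = []
    done_by = defaultdict(dict)   # (user, record) -> {action: line number}
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        when, f = parse_line(line)

        # Who, when, where: an entry missing any of these cannot be attributed.
        missing = [k for k in ("user", "ip") if not f.get(k)]
        if when is None:
            missing.insert(0, "timestamp")
        if missing:
            findings.append((n, "incomplete", "missing " + ", ".join(missing)))

        if when is not None and not (OPEN <= when.time() < CLOSE):
            findings.append((n, "out_of_hours", when.strftime("%H:%M:%S")))

        user, action, record = f.get("user"), f.get("action"), f.get("record")
        if user and action and record:
            done = done_by[(user, record)]
            for a, b in CONFLICTS:
                other = b if action == a else a if action == b else None
                if other in done:
                    findings.append((n, "sod_conflict",
                                     f"{user} also did {other} on {record} "
                                     f"(line {done[other]})"))
            done.setdefault(action, n)
    return findings


if __name__ == "__main__":
    for n, kind, detail in review(LOG):
        print(f"line {n}: {kind}: {detail}")
```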
Capability Control: Measures to restrict the capability of a user to use the system.
Output Control: Measures that ensure that the results of a computer processing are accurate,
complete and properly distributed.
Data output controls ensure the integrity of output and the correct and timely distribution of any output produced. Output can be on paper, an email attachment, file input to another
application, or an online screen. Output controls result in the verification of accurate
control totals, and timely result distribution.
1) Output should be balanced/reconciled to input. There should be adequate separation of
duties for the balancing/reconciliation process.
2) There should be documented procedures to explain the methods for the proper
balancing/reconciliation and error correcting of output.
3) Output should be reviewed for general acceptability and completeness, including any
control totals.
4) There should be error reports. These should contain:
- A description of problems/errors and date identified
- Corrective action taken
5) Record retention and backup schedules for output files should be established.
Consideration should be given to rotate output files offsite.