ais e12 ch08
TRANSCRIPT
8/19/2019 AIS e12 CH08
1/27
Accounting Information Systems
CHAPTER 8
INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY Part 1: Information Security
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 Explain why an organization would want to use all of the following information security controls: firewalls, intrusion prevention systems, intrusion detection systems, and a CIRT.

Using this combination of controls provides defense-in-depth. Firewalls and intrusion prevention systems are preventive controls. Intrusion detection systems are used to identify problems and incidents. The purpose of a Computer Incident Response Team (CIRT) is to respond to and mediate problems and incidents. According to the time-based model of security, information security is adequate if the firewalls and intrusion prevention systems can delay attacks from succeeding longer than the time it takes the intrusion detection system to identify that an attack is in progress and for the CIRT to respond.
8.2 What are the advantages and disadvantages of having the person responsible for information security report directly to the chief information officer (CIO), who has overall responsibility for all aspects of the organization's information systems?

It is important for the person responsible for security (the CISO) to report to senior management. Having the person responsible for information security report to a member of the executive committee such as the CIO formalizes information security as a top management issue.

One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Therefore, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations.
8-1 © 2010 Pearson Education, Inc. Publishing as Prentice Hall
8.3 Reliability is often included in service level agreements (SLAs) when outsourcing. The toughest thing is to decide how much reliability is enough. Consider an application like email. If an organization outsources its email to a cloud provider, what is the difference between

8.4 What is the difference between authentication and authorization?

Authentication and authorization are two related controls designed to restrict access to an organization's information systems and resources.

The objective of authentication is to verify the claimed identity of someone attempting to obtain access.

The objective of authorization is to limit what an authenticated user can do once they have been given access.
8.
8.6 Security awareness training is necessary to teach employees "safe computing" practices. The key to effectiveness, however, is that it changes employee behavior. How can organizations maximize the effectiveness of their security awareness training programs?

Top management support is always essential for the success of any program an entity undertakes. Thus, top management support and participation in security awareness training is essential to maximize its impact on the employees and managers of the firm.

Effective instruction and hands-on active learning techniques help to maximize training. "Real life" examples should be used throughout the training so that employees can view or at least visualize the exposures and threats they face as well as the controls in place to address the exposures and threats. Role-playing has been shown to be an effective method to maximize security awareness training, especially with regard to social engineering attack training.

Training must also be repeated periodically, at least several times each year, to reinforce concepts and update employees about new threats.

It is also important to test the effectiveness of such training.

Including security practices and behaviors as part of an employee's performance evaluation is also helpful as it reinforces the importance of security.
8.7 What is the relationship between COSO, COBIT, and the AICPA's Trust Services frameworks?

COSO is a broad framework that describes the various components of internal control. It does not, however, provide any details about IT controls.

CO
SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1 Match the following terms with their definitions:

Term (matching definition)
1. Vulnerability (d)
2. Exploit (s)
3. Authentication (b)
4. Authorization (m)
5. Demilitarized zone (DMZ) (f)
6. Deep packet inspection (t)
7. Router (o)
8. Social engineering (j)
9. Firewall (k)
10. Hardening (n)
11. CIRT (l)
12. Patch (a)
13. Virtualization (u)
14. Transmission Control Protocol (TCP) (i)
15. Static packet filtering (q)
16. Border router (g)
17. Vulnerability scan (p)
18. Penetration test (e)
19. Patch management (r)
20. Cloud computing (v)

Definitions
a. Code that corrects a flaw in a program.
b. Verification of claimed identity.
c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
d. A flaw or weakness in a program.
e. A test to determine the time it takes to compromise a system.
f. A subnetwork that is accessible from the Internet but separate from the organization's internal network.
g. The device that connects the organization to the Internet.
h. The rules (protocol) that govern routing of packets across networks.
i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets.
j. An attack that involves deception to obtain access.
k. A device that provides perimeter security by filtering packets.
l. The set of employees assigned responsibility for resolving problems and incidents.
m. Restricting the actions that a user is permitted to perform.
n. Improving security by removal or disabling of unnecessary programs and features.
o. A device that uses the Internet Protocol (IP) to send packets across networks.
p. A detective control that identifies weaknesses in devices or software.
q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation.
r. The process of applying code supplied by a vendor to fix a problem in that vendor's software.
s. Software code that can be used to take advantage of a flaw and compromise a system.
t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
u. The process of running multiple machines on one physical server.
v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on your home computer or laptop. Write a report explaining the weaknesses identified by the tool and how to best correct them. Attach a copy of the MBSA output to your report.

Solution: will vary for each student. Examples of what to expect (from a computer running Windows) follow:

1. The first section should identify the computer (not shown below) and the status of security updates. [MBSA screenshot not reproduced in the source]
2. Next is a section about user accounts and Windows settings. [MBSA screenshot not reproduced in the source]
3. Then there is a section about other system information. [MBSA screenshot not reproduced in the source]
8.3 The following table lists the actions that various employees are permitted to perform:

[The table did not survive extraction. Recoverable fragments: employee Able is permitted to check customer account balances and check inventory availability; the solution's access control matrix shows a column ending in "...er File" with the entries 1, 1, 0, 0. The remaining rows, the instructions, and the start of the solution to Problem 8.4 (parts a and b) are on a page missing from the source; the text resumes mid-answer:]

use of multiple character types, random characters, and require that passwords be changed frequently.

Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a "guessing" attack, it may have taken more than a few attempts to login.
c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.

Preventive: Integrate physical and logical security. In this case, the system should reject any user attempts to remotely log into the system if that same user is already logged in from a physical workstation.

Detective: Having the system notify appropriate security staff about such an incident.
d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.

Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.
e. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.

Preventive: Teach programmers secure programming practices, including the need to carefully check all user input.

Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.

Detective: Make sure programs are thoroughly tested before being put into use.

Have internal auditors routinely test in-house developed software.
f. A company purchased the leading "off-the-shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party software.

Thoroughly test the software prior to use.

Employ a patch management program so that any vendor provided fixes and patches are immediately implemented.
g. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.

Preventive: Enact a policy that forbids installation of unauthorized wireless access points.

Detective: Conduct routine audits for unauthorized or rogue wireless access points.

Corrective: Sanction employees who violate policy and install rogue wireless access points.
h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to "see what was on it," which resulted in a keystroke logger being installed on that laptop.

Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source.

Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.
i. Once an attack on the company's website was discovered, it took more than … minutes to determine who to contact to initiate response actions.

Preventive: Document all members of the CIRT and their contact information.

Practice the incident response plan.
j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.

Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.
k. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

Preventive: Secure or lock all wiring closets.

Require strong authentication of all attempts to log into the system from a wireless client.

Employ an intrusion detection system.
8.5 What are the advantages and disadvantages of the three types of authentication credentials (something you know, something you have, and something you are)?

Type of credential: Something you know
Advantages:
• Easy to use
• Universal - no special hardware required
• Revocable: can cancel and create new credential if compromised
Disadvantages:
• Easy to forget or guess
• Hard to verify who is presenting the credential
• May not notice compromise immediately

Type of credential: Something you have
Advantages:
• Easy to use
• Revocable: can cancel and reissue new credential if compromised
• Quickly notice if lost or stolen
Disadvantages:
• May require special hardware if not a USB token (i.e., if a smart card, need a card reader)
• Hard to verify who is presenting the credential

Type of credential: Something you are (biometric)
Advantages:
• Strong proof who is presenting the credential
• Hard to copy/mimic
• Cannot be lost, forgotten, or stolen
Disadvantages:
• Cost
• Requires special hardware, so not universally applicable
• User resistance. Some people may object to use of fingerprints; some culture groups may refuse face recognition, etc.
• May create threat to privacy. For example, retina scans may reveal health conditions.
• False rejection due to change in biometric characteristic (e.g., voice recognition may fail if have a cold).
• Not revocable. If the biometric template is compromised, it cannot be re-issued (e.g., you cannot assign someone a new fingerprint).
8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ Company. Does the XYZ Company satisfy the requirements of the time-based model of security? Why?

Estimated time for attacker to successfully penetrate system: 25 minutes
Estimated time to detect an attack in progress and notify appropriate information security staff: 5 minutes (best case) to 10 minutes (worst case)
Estimated time to implement corrective actions: 6 minutes (best case) to 20 minutes (worst case)

Solution: XYZ Company is secure under their best case scenario but they do not meet security requirements under their worst case scenario.
P = 25 minutes
D = 5 minutes (
[remainder of the solution missing from the source]
8.7 Explain how the following items individually and collectively affect the overall level of security provided by using a password as an authentication credential.

a. Length interacts with complexity to determine how hard it is to "guess" a password or discover it by trial-and-error testing of every combination. Of the two factors, length is more important because it has the biggest impact on the number of possible passwords.

To understand this, consider that the number of possible passwords = x^y, where x = the number of possible characters that can be used and y = the length. As the following table shows, increasing the length increases the number of possibilities much more than does the same proportionate increase in complexity:

Complexity (types of characters allowed) | Number of characters | Length | Number of possible passwords
Numeric | 10 (0-9) | 4 | 10^4 = 10,000
Alphabetic, not case sensitive | 26 (a-z) | 8 | 26^8 = 2.088E11
Alphabetic, case sensitive | 52 (a-z, A-Z) | 8 | 52^8 = 5.346E13
Alphanumeric, case sensitive | 62 (0-9, a-z, A-Z) | 8 | 62^8 = 2.183E14
Alphanumeric, case sensitive | 62 (0-9, a-z, A-Z) | 12 | 62^12 = 3.226E21
Alphanumeric, case sensitive, plus special characters | 95 (0-9, a-z, A-Z, and special characters) | 8 | 95^8 = 6.634E15
Alphanumeric, case sensitive, plus special characters | 95 (0-9, a-z, A-Z, and special characters) | 12 | 95^12 = 5.404E23
b. Complexity requirements (which types of characters are required to be used: numbers, alphabetic, case-sensitivity of alphabetic, special symbols) - interacts with length to determine how hard it is to "guess" a password or discover it by trial-and-error testing of every combination.

c. Maximum password age (how often password must be changed): shorter means more frequent changes, which increases security.
d. Minimum password age (how long a password must be used before it can be changed): this combined with history prevents someone from just keeping their same password, because it prevents repeatedly changing passwords until the system allows use of the same password once again.

e. Maintenance of password history (how many prior passwords does system remember to prevent reselection of the same password when required to change passwords): the larger this is, the longer the time before someone can reuse a password. For example, a password history of 12 combined with a minimum age of 1 month means that the same password cannot be used until after a year. Note that this requires setting a minimum age. Otherwise, if the minimum age is zero, someone could repeatedly change their password as many times as the system's history setting, and then change it one more time, this last time setting it to be the current password.

f. Account lockout threshold (how many failed login attempts before the account is locked): this is designed to stop guessing attacks. However, it needs to account for typos, accidentally hitting the CAPS LOCK key, etc. to prevent locking out legitimate users. Its effect also depends on the next variable, time frame.

g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold is five failed login attempts, time frame is whether those 5 failures must occur within 15 minutes, 1 hour, 1 day, etc.). Shorter time frames defeat attempts to guess.

h. Account lockout duration (how long the account remains locked after exceeding the maximum allowable number of failed login attempts): longer lockouts defeat attempts to guess. Too short a value on this parameter may enable an attacker to try to guess x times, get locked out for only a few minutes, and then start guessing again.
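As an added example (not from the solutions manual), the following Python models the three lockout parameters from items f, g and h together: the failed-attempt threshold, the time frame in which the failures must occur, and the lockout duration. The account names, timestamps and the one-guess-per-second rate are constructed for the illustration; the guesses_evaluated helper is assumed here to show how many wrong passwords the system actually checks under a given policy.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int         # (f) failed logins before the account is locked
    window_seconds: int    # (g) time frame within which those failures must occur
    duration_seconds: int  # (h) how long the account stays locked


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # 0.0 means not locked


class LockoutGuard:
    """Applies one LockoutPolicy to the login attempts of any number of accounts."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict = {}

    def attempt(self, user: str, t: float, success: bool) -> str:
        """Record one login attempt at time t (seconds).

        Returns "locked" if the attempt was refused without checking the credential,
        "ok" for a successful login, or "fail" for a wrong credential that was evaluated.
        """
        st = self.accounts.setdefault(user, AccountState())
        if t < st.locked_until:
            return "locked"
        # Forget failures that fall outside the time frame (g).
        while st.failures and t - st.failures[0] > self.policy.window_seconds:
            st.failures.popleft()
        if success:
            st.failures.clear()
            return "ok"
        st.failures.append(t)
        if len(st.failures) >= self.policy.threshold:
            # Threshold (f) reached inside the window: lock for the duration (h).
            st.locked_until = t + self.policy.duration_seconds
            st.failures.clear()
        return "fail"


def guesses_evaluated(policy: LockoutPolicy, seconds: int, interval: int = 1) -> int:
    """Count the wrong passwords the system evaluates for one account within `seconds`
    when a guess arrives every `interval` seconds (constructed scenario, not real traffic)."""
    guard = LockoutGuard(policy)
    evaluated = 0
    t = 0
    while t < seconds:
        if guard.attempt("victim-account", t, success=False) == "fail":
            evaluated += 1
        t += interval
    return evaluated
```

With a threshold of 5 and a 15-minute window, a 5-minute lockout still lets 60 guesses be evaluated per hour while a 24-hour lockout allows only 5, which is the point made under item h; guesses spaced 250 seconds apart never accumulate five failures inside the window, so the window length has to be read together with the threshold.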
8.8 The chapter briefly discussed the following three common attacks against applications:
a. Buffer overflows
b. SQL injection
c. Cross-site scripting

Required
Research each of these three attacks and write a report that explains in detail how each attack actually works and that describes suggested controls for reducing the risks that these attacks will be successful.

Solution: Reports will vary from student to student; however, the reports should contain at least some of the following basic facts gathered from the text, cgisecurity.net, and Wikipedia:

a. Buffer overflows

One of the more common input-related vulnerabilities is what is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle.
b. SQL injection

Many web pages receive an input or a request from web users and then, to address the input or the request, they create a Structured Query Language (SQL) query for the database that is accessed by the webpage. For example, when a user logs into a webpage, the user name and password will be used to query the database to determine if they are a valid user. With SQL injection, a user inputs a specially crafted SQL command that is passed to the database and executed, thereby bypassing the authentication controls and effectively gaining access to the database. This can allow a hacker to not only steal data from the database, but also modify and delete data or the entire database.

To prevent SQL injection attacks, the web server should be reprogrammed so that user input is not directly used to create queries sent to the database.

c. Cross-site scripting

Cross site scripting (also known as XSS) occurs whenever a web application sends user input back to the browser without scrubbing it. The problem is that if the input is a script, the browser will execute it. The attack requires tricking a user into clicking on a hyperlink to a trusted website that is vulnerable to cross site scripting. The hyperlink will take the victim to that website, but it also contains a script. When the user's browser visits the trusted website, it sends the input (the embedded script in the hyperlink) back to the browser. The browser then executes that script and sends information, often cookies that may contain authentication credentials, back to the attacker.

The best protection is that web sites should never replay user input verbatim back to the browser, but should always convert it to harmless HTML code first.
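An added example, not part of the solutions manual, showing the two controls named in parts b and c: a login query that concatenates user input into the SQL text beside the parameterized form that keeps input as data, and a page fragment that converts user input to harmless HTML before echoing it. The in-memory user table, the credentials and the greeting markup are constructed for the illustration (the password is stored in clear only to keep the example short).

```python
import html
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the single row is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the solution warns against: user input becomes part of the SQL text,
    so quotes and keywords typed by the user are parsed as SQL instead of as data."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input is bound to placeholders; the database driver never re-parses it as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def render_greeting(username: str) -> str:
    """Reflect the user's input only after converting it to harmless HTML (part c):
    <, >, & and quotes become entities, so a script in the input is displayed, not run."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"
```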
8.9 Physical security is extremely important. Read the article "19 Ways to Build Physical Security into a Data Center," which appeared in the CSO Magazine November 2
[The remainder of the 8.9 question and the column headings of the solution table are missing from the source. Items 9 through 19 of the article's list survive, each with a mark in the first or the second of two columns whose headings are lost:]
9. Limit entry points (column 1)
10. Make fire doors exit only (column 1)
11. Use plenty of cameras (column 1)
12. Protect the building's machinery (column 1)
13. Plan for secure air handling (column 2)
14. Ensure nothing can hide in the walls and ceilings (column 2)
15. Use two-factor authentication (column 1)
16. Harden the core with security layers (column 1)
17. Watch the exits too (column 1)
18. Prohibit food in the computer rooms (column 1)
19. Install visitor restrooms (column 1)
SUGGESTED SOLUTIONS TO THE CASES

CASE 8.1 Costs of Preventive Security

Firewalls are one of the most fundamental and important security tools. You are likely familiar with the software-based host firewall that you use on your laptop or desktop. Such firewalls should also be installed on every computer in an organization. However, organizations also need corporate-grade firewalls, which are usually, but not always, dedicated special-purpose hardware devices. Conduct some research to identify three different brands of such corporate-grade firewalls and write a report that addresses the following points:
• Cost
• Technique (deep packet inspection, static packet filtering, or stateful packet filtering)
• Ease of configuration and use

Specifics of the solution will differ depending upon the brand identified. The instructor may wish to require students to turn in copies of their source materials. At a minimum, solutions should clearly demonstrate that students understand the different types of firewalls and have read and understood the review of a product's ease of configuration and ease of use.
CASE 8.2 Developing an Information Security Checklist

Obtain a copy of COBIT (available at www.isaca.org) and read section DS
Suggested solution (answers will vary; key is to address each objective)

COBIT Control Objective: Possible questions

DS5.1
• Does the person responsible for information security report to the C-suite?
• Is information security a topic at meetings of the
[Text missing from the source; the checklist resumes under a later objective:]
• Is logging enabled?
• Are logs regularly reviewed?

DS5.6
• Is there a computer incident response team (CIRT)?
• Does membership of the CIRT include all appropriate functions?
• Is there a written incident response plan?
• Has the plan been practiced this year?

DS5.7
• Is documentation related to firewalls and IPS stored securely and with restricted access?
• Are firewalls and other security devices protected with appropriate logical and physical access controls?

DS5.8
• Is sensitive information encrypted?
• Are there procedures for issuing and revoking encryption keys?

DS5.9
• Do all computers run up-to-date anti-malware?
• Are patches applied on a timely basis?

DS5.10
• Are firewalls and IPS used to protect the perimeter?
• Are firewalls used to segregate functions within the corporate network?
• Are intrusion detection systems used?

DS5.11
• Is sensitive information encrypted prior to transmission over the Internet?