Chapter 16
IT Controls, Asset Protection, and Security
Introduction
Managers who own or use IT assets are responsible for securing them
With interconnected enterprises (B2B), intrusion at a partner may result in business compromise locally
Security is an integrated, continuous process that takes place at all levels
The Meaning and Importance of Control
Control is a primary management responsibility
Managers must have routine methods for comparing actual and planned performance
“Planning and control are inseparable”
IT controls are critical because other parts of the organization use computer-generated reports as the basis of their control activities
Why Controls are Important to Managers
1. Control is a primary management responsibility
2. Uncontrolled events can be very damaging
3. The firm relies on IT for many control processes
4. U.S. law requires certain control measures in public corporations
5. Controls assist organizations in protecting assets
6. Technology introduction requires controlled processes
Business Control Principles
The primary job of all managers is to take charge of the assets entrusted to them, capitalize on these assets to advance their part of the business, and grow, develop, or add value to them
Managers entrusted with information assets must control and protect them
Implementing business controls is an ethical responsibility
Asset Identification and Classification
Managers must know what assets they own or control, and their value
Tangible – physical assets: routers, PCs, servers, telephones
Intangible – intellectual assets: operating systems, databases, applications
Managers must inventory and value items
Separation of Duties
Several individuals are involved in transaction processing
In order for fraud to occur, several individuals must work together
Control can be made even more effective by routinely changing the job duties assigned to these transaction tasks
Output must be validated against input
Efficiency and Effectiveness of Controls
Controls are best when they are simple and easily understood
They are most effective when they are part of the routine and produce action in a timely manner
Control cost and overhead must be balanced against risk and magnitude of loss
Managers must analyze the application and use good judgment
Control Responsibilities
1. The application program owner (almost always a manager)
2. Application users (some applications have many)
3. The application’s programming manager
4. The individual providing the computing environment
5. The IT manager (in either the line or staff role)
Owner and User Responsibilities
Owners are responsible for providing business direction for their applications: the owner authorizes the program’s use, classifies the associated data, and stipulates program and data access controls
Users are individuals or groups authorized by owners to use applications according to owners’ specifications
Users are required to protect the data in accordance with the owners’ classification
IT Managers’ Responsibilities
All IT managers have control responsibilities in conjunction with their operating responsibilities
The responsibility of organizing and managing application development, maintenance, or enhancement resides with IT programming managers
The supplier of computing services is responsible for providing the computing environment within which the application is processed
Application Controls
Necessary to ensure that applications function properly on a regular basis
These controls are most effective when they are built into the applications and generate documentation validating proper operation
Automated and manual control mechanisms should be classified as confidential information
The separation of duties principle applies to an application and its associated data handling
Application Processing Controls
Application control and protection consist of two duties:
Ensuring that application programs perform according to management-established specifications
Maintaining program and data integrity
To support these requirements, applications must have auditability features and control points built in
System Control Points
Control points are locations in program or process flow where control exposures exist and where control actions and auditing activities can be performed
Transaction origination is one of the most critical points
It is a manual activity and can be subject to human error or fraud
Online operations make the system more complex and require even greater controls
System Control Points
Control Actions at Transaction Origination
Input Data Controls
Processing, Storage, and Output Controls
Operating systems and the applications themselves enhance the validation of program processing
Program execution is accompanied by subroutines that validate that processing is complete and that program execution occurred correctly
Application program source code and executables must be treated as classified information
Program Processing Controls
Data Output Handling
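The separation-of-duties slide says output must be validated against input, and the control-point slides place that validation at transaction origination, input, processing, and output. The following added example (not from the chapter) models those control points for a small batch: an origination check that the initiator and approver are different people, and input/output control totals (record count, amount total, and a hash total over the record fields) that are recomputed after processing and reconciled. The transactions, user names, and the three "processing" functions are constructed sample data; the hash total is one common way to catch a record whose contents changed while the amount total still balances.

```python
"""Control points for a batch of transactions: separation of duties at
origination, control totals at input, reconciliation at output.
Added example with constructed data; not the chapter's own code."""
from dataclasses import dataclass
from decimal import Decimal
import hashlib


@dataclass(frozen=True)
class Transaction:
    ref: str
    account: str
    amount: Decimal
    initiated_by: str
    approved_by: str


class ControlViolation(Exception):
    """Raised when a control point detects a problem."""


def check_separation_of_duties(txns):
    """Origination control: whoever initiates a transaction may not approve it."""
    for t in txns:
        if t.initiated_by == t.approved_by:
            raise ControlViolation(f"{t.ref}: initiated and approved by the same user ({t.initiated_by})")
    return True


def control_totals(txns):
    """Record count, amount total, and a hash total over ref|account|amount.
    The hash total detects an altered field even when count and amount still agree."""
    count = len(txns)
    amount_total = sum((t.amount for t in txns), Decimal("0"))
    h = hashlib.sha256()
    for t in sorted(txns, key=lambda t: t.ref):
        h.update(f"{t.ref}|{t.account}|{t.amount}".encode())
    return count, amount_total, h.hexdigest()


def process_batch(txns, post):
    """Run one batch through the control points; `post` is the processing step."""
    check_separation_of_duties(txns)
    input_totals = control_totals(txns)
    posted = post(txns)
    output_totals = control_totals(posted)
    if input_totals != output_totals:
        raise ControlViolation(f"output does not reconcile with input: {input_totals[:2]} vs {output_totals[:2]}")
    return output_totals


# Constructed sample batch (not real transactions).
SAMPLE_BATCH = [
    Transaction("T001", "ACC-100", Decimal("250.00"), "alice", "bob"),
    Transaction("T002", "ACC-200", Decimal("75.50"), "alice", "carol"),
    Transaction("T003", "ACC-300", Decimal("1200.00"), "dave", "bob"),
]


def faithful_post(txns):
    """Processing step that posts every record unchanged."""
    return list(txns)


def dropping_post(txns):
    """Faulty processing step that silently loses one record (count and amount change)."""
    return [t for t in txns if t.ref != "T003"]


def redirecting_post(txns):
    """Faulty processing step that changes an account; count and amount still balance,
    so only the hash total exposes it."""
    return [Transaction(t.ref, "ACC-999", t.amount, t.initiated_by, t.approved_by)
            if t.ref == "T001" else t for t in txns]


def run_checks():
    """Exercise each control point and report what was detected."""
    results = {}
    count, total, _ = process_batch(SAMPLE_BATCH, faithful_post)
    results["clean"] = (count, str(total))
    for name, post in (("dropped", dropping_post), ("redirected", redirecting_post)):
        try:
            process_batch(SAMPLE_BATCH, post)
            results[name] = "passed"
        except ControlViolation:
            results[name] = "detected"
    self_approved = SAMPLE_BATCH + [Transaction("T004", "ACC-400", Decimal("10.00"), "erin", "erin")]
    try:
        process_batch(self_approved, faithful_post)
        results["self_approval"] = "passed"
    except ControlViolation:
        results["self_approval"] = "detected"
    return results


if __name__ == "__main__":
    print(run_checks())
```

The point of carrying three totals rather than one is shown by the redirected case: a control based on amounts alone would have passed it, which is why the slides pair output validation with auditability features built into the application itself.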
Application Program Audits
An application system is auditable if the application owner can establish easily and with high confidence that the system continually performs its specified functions
Auditable systems contain functions and features that let owners determine whether applications are processing data correctly
Program testing that ensures auditability is vital
Test data should be archived
Controls in Production Operations
Well-disciplined production operations maintain sound control over performance objectives
They ensure sufficient system capacity for application operations
They allow batch and online systems processing to function as designed
Accurate scheduling and rigorous online management provide controlled environments for application processing
Controls in Client/Server Operations
Organizations that move applications from secured centralized systems to distributed systems must understand the different exposures and vulnerabilities
Client/server systems and e-business systems have more points of vulnerability, so control and asset protection are more difficult
Special effort must be taken to design in controls and to continuously assess vulnerabilities in the system over time
Network Controls and Security
Networks face passive threats and active threats
Passive threats are attempts to monitor network data transmission in order to read messages or obtain information about network traffic
Active threats are attempts to alter, destroy, or divert message data, or to pose as network nodes
Network Controls and Security
Network managers must control system and data access and must secure data in transit
The first step in controlling system access is physical security
Rooms containing controllers, routers, or servers must be tightly secured
Network Controls and Security
Managers must establish user identification and verification processes
This usually means that users sign on to the system with a name followed by a password
Some firms require “two-factor identification”
The two factors are usually something you have and something you know – fingerprint, token or smartcard + PIN
The two-factor system only erects higher barriers to entry
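The slide describes two-factor identification as something you have (a token) plus something you know (a PIN). The following added example (not from the chapter) shows the mechanics of one common form of that: a time-based one-time code computed by a token from a shared secret (the HOTP/TOTP algorithms of RFC 4226 and RFC 6238, using only the Python standard library), verified together with a PIN that the server stores only as a salted PBKDF2 hash. The user record, PIN value, and the times used are constructed; the shared secret in the test is the RFC 4226 test-vector key so the expected codes are the published ones.

```python
"""Two-factor verification: TOTP code (something you have) plus PIN (something you know).
Added example with constructed data; not the chapter's own code."""
import hashlib
import hmac
import os
import struct

TIME_STEP = 30      # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the current time."""
    return hotp(secret, int(now // step))


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Never store the PIN itself; store a salted, slow hash of it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(pin: str, token_secret: bytes = None) -> dict:
    """Create a user record: the token's shared secret and the PIN hash.
    In a deployment the secret would be provisioned to the hardware token or app."""
    salt = os.urandom(16)
    secret = token_secret if token_secret is not None else os.urandom(20)
    return {"secret": secret, "salt": salt, "pin_hash": hash_pin(pin, salt)}


def verify_login(record: dict, pin: str, code: str, now: float, window: int = 1) -> bool:
    """Both factors must pass. The code is accepted for the current step and
    `window` steps either side to tolerate clock drift. Both checks are always
    evaluated so a failed PIN and a failed code take the same path."""
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"])
    step = int(now // TIME_STEP)
    code_ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(record["secret"], step + drift), code):
            code_ok = True
    return pin_ok and code_ok


if __name__ == "__main__":
    import time
    rec = enroll("4821")                      # constructed PIN
    current_code = totp(rec["secret"], time.time())
    print("valid login:", verify_login(rec, "4821", current_code, time.time()))
    print("wrong PIN:", verify_login(rec, "0000", current_code, time.time()))
```

The drift window is the practical trade-off the slide hints at when it says two factors only raise the barrier: a wider window is friendlier to tokens with poor clocks but extends how long a captured code stays usable, so it is kept to one step either side here.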
Data Encryption
It is often necessary to protect critical data in transit
Before transmission, encryption programs use an algorithm and a key to change the message character stream into a different character stream
When received, the algorithm and key decode or decipher the message
Encryption changes the risk of data loss to the risk of key loss
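The encryption slide describes the sender transforming the message with an algorithm and a key and the receiver reversing it, and the network slide before it distinguishes passive threats (reading traffic) from active ones (altering it). The following added example (not from the chapter) shows both properties on a message in transit: confidentiality from a keystream derived from the key, and detection of alteration from an HMAC tag over the ciphertext. It uses only the Python standard library, so the cipher is a pedagogical counter-mode construction with HMAC-SHA256 as the keyed function; a deployment would use a vetted authenticated cipher such as AES-GCM from a cryptography library. The key and message are constructed sample values. It also shows the slide's last point: with the wrong key the message is unrecoverable, so the data's risk has moved to the key.

```python
"""Protecting a message in transit: encrypt with a key, authenticate the
ciphertext, and reverse it at the receiver. Added example with constructed
values; pedagogical construction, not the chapter's own code."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes):
    """Separate encryption and authentication keys derived from one shared key."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: HMAC(enc_key, nonce || counter) blocks concatenated to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Sender side: fresh nonce, XOR with keystream, then tag nonce||ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Receiver side: verify the tag first (constant-time), then decipher.
    A wrong key or an altered message fails here, before any plaintext is produced."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered message")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def demonstrate():
    """Round trip, wrong key, and an in-transit alteration; returns what happened."""
    key = os.urandom(32)                          # constructed shared key
    plaintext = b"PAY ACC-200 75.50 REF T002"    # constructed sample message
    wire = encrypt(key, plaintext)
    results = {
        "ciphertext_differs": plaintext not in wire,
        "round_trip": decrypt(key, wire) == plaintext,
    }
    try:
        decrypt(os.urandom(32), wire)
        results["wrong_key"] = "decrypted"
    except ValueError:
        results["wrong_key"] = "rejected"
    altered = bytearray(wire)
    altered[NONCE_LEN] ^= 0x01                    # flip one ciphertext bit in transit
    try:
        decrypt(key, bytes(altered))
        results["altered_message"] = "accepted"
    except ValueError:
        results["altered_message"] = "rejected"
    return results


if __name__ == "__main__":
    print(demonstrate())
```

Verifying the tag before deciphering is what turns the active threat into a detectable event rather than silently corrupted data; the passive threat is addressed by the keystream, which is why the confidentiality of the data now rests entirely on the confidentiality of the key.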
Firewalls and Other Security Considerations
A firewall is a specialized computer inserted between internal and external networks, through which all incoming and outgoing traffic must pass
It is intended to screen incoming and outgoing messages and prohibit any traffic deemed illegitimate
Firewalls are only the first line of defense against external intrusion
Network Security Measures
Additional Control and Protection Measures
1. Only people who work in the data center should be allowed routine access to the facility
2. Data center workers must wear special badges that identify them on sight
3. Physical access should be controlled by electronic code locks rather than mechanical key locks; this simplifies key management and hastens key changes
4. The identity and authorization of all visitors to the center must be validated, and they must sign in and out
5. Duties within the center should be separated so that operators who initiate or control programs cannot access data stores
Managing Sensitive Programs
IT managers must, with help from other department managers, identify and maintain an inventory of these applications
The owner must prescribe protection and security conditions covering storage, operation, and maintenance
Program source code, load modules, and test data must be classified as sensitive information and protected accordingly
Datasets must be protected as well
Controls for E-Business Applications
Due to the integrated nature of e-business, security is a shared concern
All the partners must have documented security policies, secure application development practices, and satisfactory access control and user authorization procedures
Partners must establish encryption standards, develop responses to security breaches, and schedule compliance audits
Keys to Effective Control
Managers must understand their control responsibilities and know:
The assets for which they are responsible
The value of those assets, so that they can protect the assets accordingly
Managers must be involved in the control processes
Involvement must be timely and responsive
Managers must follow through to ensure effectiveness
Summary
No organization is safe from computer crime
Business controls, asset protection, and security are fundamental to business operations
Managers must know what their assets are and each asset’s estimated value
Assets must be classified and protected in accordance with their relative worth