|CH 8: Authentication: Process of verifying the identity of the person or device attempting to access the | |system. The objective is to ensure that only legitimate users can access the system. Three different | |credentials are PINs(password), ID badge, or biometrics.
Authorization: Process of restricting access of | |authenticated users to specific portions of the system and limiting what actions they are permitted to | |perform. Access control matrix: shows that access controls of each user or device in your company to see | |who have what privileges.Best Practice of Passwords: Must have at least 8 characters in length, must have| |multiple character types (upper-lower case, numbers, and special characters), Randomness (not be words | |found in dictionary), and changed frequently (every 30 for sensitive of 90 for most users). Physical | |Access Controls: Only have one unlocked door during business hours (none after hours), safe lock all | |devices (computers, phones, and PDA devices), and physical access controls must be cost-effective. Access | |to the wiring used in the org’s LANs needs to be restricted in order to prevent wiretapping.Firewall: | |behind the border router (connects an orgs information system to the internet), and is either a | |special-purpose hardware device or software running on a general-purpose computer.
The demiliarized is a | |seperate network that permits controlled access from the internet to selected resources, such as the | |organizarion’s e-commerce Web server. Intrusion Prevention System: Monitors patterns in the traffic flow, | |rather than only inspecting individual packets, to identify and automatically block attacks.Examining | |pattern traffic is often the only way to identify undesirable activity. Intrusion Detection System | |consists of a set of sensors and a central monitoring unit that create logs of network traffic that was | |permitted to pass the firewall and then analyze those logs for signs of attempted or successful | |intrusions.
The difference between the two is that the IPS only produces a warning alert when it detects a| |suspicious pattern of network traffic, whereas the IDS not only issues an alert but also automatically | |takes steps to stop a suspected attack.Preventive controls that deter problems before they arise. | |Effective preventive controls include hiring qualified accounting personnel; appropriately segregating | |employee duties; and effectively controlling physical access to assets, facilities, and information | |Detective controls enhance security by monitoring the effectiveness of preventive controls and detecting | |incidents in which preventive controls have been successfully circumvented. Corrective are procedures that| |correct problems that have occurred.Social Engineering: Attackers will often try to use the information | |obtained during their initial reconnaissance to trick an unsuspecting employee into granting them access. | | | | | |CH 9: Encryption: The process of transforming normal content, called plaintext, into unreadable gibberish,| |called ciphertext.
This is a type of preventive control. Public key to encryption is widely distributed | |and available to everyone. Decryption reverses this process, transforming ciphertext back into plaintext. | |Hashing: The process that takes plaintext of any length and transform it into a short code called a hash.
| |Digital Signatures: A hash of a document or file that is encrypted using the document creator’s private | |key. This provides proof about two important issues: 1. That a copy of a document or file has not been | |altered 2.Who created the original version of a digital document or file.
Digital certificate: An | |electronic document that contains an entity’s public key and certifies the identity of the owner of that | |particular public key. It is issued by certificate authority. Thus, digital certificates function like the| |digital equivalent of a driver’s license or passport. It can also be the very sign logo on certain website| |to show that this is a trusted site.
Virtual Private Networks: Encrypting information while it transverses| |the Internet creates a VPN.It provides the functionality of a privately owned secure network without the | |associated costs of leased telephone lines, satellites, and other communication equipment. Private | |communication channels, often referred to as tunnels, which are accessible only to those parties | |possessing that appropriate encryption and decryption keys. | | | |CH 10: Field Check determines whether the characters in a field are of the proper type. Sign Check | |determines whether the data in a field have the appropriate arithmetic sign.Limit Check tests a numerical| |amount against a fixed value.
Range Check tests whether a numerical amount falls between predetermined | |whether all required data items have been entered. A Completeness Check on each input record determines | |whether all required data items have been entered. Validity Check compares the ID code or account number | |in transaction data with similar data in the master file to verify that the account exists. Reasonableness| |Test determines the correctness of the logical relationship between two data items.
Batch Totals | |summarizes important values for a batch of input records. The following are three commonly used batch | |totals: 1. Financial totals sums a field that contains monetary values, such as the total dollar amount of | |all sales for a batch of sales transactions 2. Hash total sums a nonfinancial numeric field, such as the | |total of the quantity ordered field in a batch of sales transactions 3.
Record count is the number of | |records in a batch. Processing Controls: 1.File Labels ensure correct and most current file is being | |updated 2. Batch Total Recalculation compares calculated batch total after processing to input totals | |3. Cross-Footing and Zero Balance Tests compute totals using multiple methods to ensure the same results | |4. Concurrent Update locks records or fields when they are being updated so multiple users are not updating| |at the same time.
Output Controls: 1. Management Review verifies reasonableness, completeness, and if | |routed to intended individual 2.Reconciliation: All transactions and other system updates should be | |reconciled to control reports, file status/update reports, or other control mechanisms. In additions, | |general ledger accounts should be reconciled to subsidiary account totals on a regular basis. Also, | |database totals should periodically be reconciled with data maintained outside the system. (Match employee| |files in payroll to that in the HR department to see if any fake names were created.
3.Data Transmission | |Controls: Check sums is a hash of file transmitted, comparison made of hash before and after transmission. | |Parity checking is a bit added to each character transmitted, the characters can then be verified for | |accuracy. Data Backup Procedures: 1. Incremental Backup involves copying only the data items that have | |changed since the last partial backup.
This produces a set of incremental backup files, each containing | |the results of one day’s transactions 2. Differential Backup copies all changes made since the last full | |backup.Thus, each new differential backup file contains the cumulative effects of all activity since the | |last full backup. Daily differential backups take longer than incremental backups. Disaster Recovery Plan | |outlines the procedures to restore an organization’s IT functions in the event that its data center is | |destroyed by a natural disaster or act of terrorism.
Cold site is the first option, which is an empty | |building that is prewired for necessary telephone and internet access, plus a contract with one or more | |vendors to provide all necessary equipment with a specified period of time.Hot site is the second option,| |which is a facility that is not only prewired for telephone and Internet access but also contains all the | |computing and office equipment the org needs to perform its essential business activities. (shorter RTO | |time that cold site) Business Continuity Plan specifies how to resume not only IT operations, but all | |business processes, including relocation to new offices and hiring temp replacements, in the event that a | |major calamity destroys not only an org’s data center but also its main headquarters.Having a DRP and BCP| |can mean the difference between sustaining a major catastrophe and going out of business.
Cloud computing | |typically utilizes banks of redundant servers in multiple locations, thereby reducing the risk that a | |single catastrophe could result in system downtime and the loss of all data. However if the public cloud | |goes out of business, it will be difficult to retrieve any information. Change control is the formal | |process used to ensure that modifications to hardware, software or processes do not reduce system | |reliability. |CH 7: Internal Control: The process implemented to prove reasonable assurance that the following control | |objectives are achieved: 1. Safeguard assets: prevent or detect their unauthorized acquisition, use, or | |disposition.
2. Maintain records in sufficient detail to report company assets accurately and fairly | |3. Provide accurate and reliable information 4. prepare financial reports in accordance with established | |criteria 5. Promote and improve operational efficiency 6. Encourage adherence to prescribed managerial | |policies 7.
Comply with applicable laws and regulations. Internal controls perform three important | |functions: 1. Preventive controls (most important) defer problems before they arise. Examples include | |hiring qualified personnel, segregating employee duties, and controlling physical access to assets and | |information 2. Detective controls discover problems that are not prevented.
Examples include duplicate | |checking of calculations and preparing bank reconciliations and monthly trial balances 3.Corrective | |controls identify and correct problems as well as correct and recover from the resulting errors. Examples | |include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions | |for subsequent processing. Segregation of duties: No one employee should be given too much responsibility | |1. Authorization:Approving transactions and decisions 2. Recording:Preparaing source documents; entering | |data into online systems; maintaining journals, ledgers, files or databases; and preparing reconciliations| |and performance reports 3.
Custody:Handling cash, tools, inventory, or fixed assets; receiving incoming | |customer checks; writing checks. SOX 2002:Designed to prevent financial statement fraud, make financial | |reports more transparent, protect investors, strengthen internal controls, and punish executives who | |perpetrate fraud 1. Created PCAOB to control the auditing profession 2. New Auditing Rules: Partners must | |rotate periodically and prohibits auditors from performing certain nonaudit services, such as information | |systems design and implementation 3.New Roles for Audit Committee: Must be part of board of directors and | |be independent, one member must be a financial expert and oversees external auditors .
The audit committee| |is responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing| |internal and external auditors4. New Rules for Management: Financial statements and disclosures are fairly | |presented, were reviewed by management, and are not misleading; the auditors were told about all material | |internal control weak-ness and fraud 5.New Internal Control Requirements: Management is responsible for | |establishing and maintaining an adequate internal control system. COBIT: consolidates control standards | |from 36 different sources into a single framework that allows 1. Management to benchmark security and | |control practices of IT environments 2.
Users to be assured that adequate IT security and control exist | |3. Auditors to substantiate their internal control opinions and to advise on IT security and control | |matters. COBIT Framework addresses: 1. Business objectives 2. IT resources 3. IT processes.
COSO - authority | |on internal controls and is incorporated into policies, rules, and regulations used to control business | |activities. Five components of the IC framework: 1. Control environment 2. Control activities 3. Risk | |assessment 4. Information and communication 5.
Monitoring. COSO Enterprise Risk Management: second control | |framework developed by COSO. It is the process the board of directors and management use to set strategy, | |identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that | |the company achieves its objectives and goals. | | |CH 11: Auditing: The systematic process of obtaining and evaluating evidence regarding assertions about | |economic actions and events in order to determine how well they correspond with established criteria.
| |Internal auditing is an independent, objective assurance and consulting activity designed to add value and| |improve organizational effectiveness and efficiency, including assisting in the design and implementation | |of an AIS.Audit Process: 1. Audit Planning 2. Collection of Audit Evidence 3.
Evaluation of Audit Evidence | |4. Communication of Audit Results. Audit Plan: Why, when, how and whom. Work targeted to area with greatest| |risk: Inherent is the chance of risk in the absence of controls Control: is the risk a misstatement will | |not be caught by the internal control system Detection is the chance that a misstatement will not by | |caught by auditors or their procedures.
Collections of Audit Evidence: Review of documentation to | |understand how a particular process or internal control sytem is supposed to function; Physical | |examination of the quality and/or condition of tangible assets, such as equipment and inventory; Vouching | |for validity of a transaction by exmaining supporting document; Analytical review of relationships and | |trends among information to detect items that should be further investigated Evaluation of Audit Evidence:| |Does evidence support favorable or unfavorable conclusion?It is material (How significant is the impact | |of the evidence)? Reasonable Assurance (some risk remains that the audit conclusion is incorrect) | |Communication of Audit Conclusion: Written report summarizing audit finding and recommendations to | |management, the audit committee, the board of directors and other appropriate parties. Types of Audits: | |1. Financial examines the reliability and integrity of financial transactions, accounting records, and | |financial statements 2.Information System reviews the controls of an AIS to access compliance with | |internal control policies and procedures and effectiveness in safeguarding assets 3. Operational is | |concerned with economical and efficient use of resources and the accomplishments of established goals and | |objectives 4. Compliance determines whether entities are complying with applicable laws, regulations, | |policies and procedures.
Risk-based Audit: 1. Determine the threats (fraud and errors) facing the company. |Accidental or intentional abuse and damage to which the system is exposed 2. Identify the control | |procedures that prevent, detect, or correct the threats. These are all the controls that management has | |put into place and that auditors should review and test, to minimize the threats 3. Evaluate control | |procedures using two ways, a system review (are control procedures in place) and tests of controls (are | |existing controls working) 4.
Evaluate control weaknesses to determine their effect on the nature, timing | |or extent of auditing procedures. The minimum number of samples to be selected for IT control is only 1. | |CAATS(audit software) uses auditor-supplied specifications to generate a program that performs audit | |functions, thereby automating or simplying the audit process | | | |SA 2: Physical access controls- 1.Alternate power sources 2. Flood Management 3. Data backup 4.
Fences are | |physical barrier to deter casual trespassers5. Human Guards to watch doors etc. 6. Physical Locks 7.
Fire | |Suppression systems 8. Biometrics 9. Location of assets 10. Man traps 11. Alarm systems 12. Steel cages | |around wiring system to prevent wiretapping Logical Access Controls – 1.
firewall or screening router that | |makes pass/block decisions based upon the type of traffic, origin, and destination 2. n application that | |first authenticates a user by requiring a user ID and password before permitting the user to access the | |application 3. Authentication, Authorization | | | |Preventive Controls: Training, user access controls (authentication and authorization), physical access | |controls (locks, guards, etc. ), Network access controls (firewalls, intrusion prevention systems, etc. ), | |Device and software hardening controls (configuration options).
Detective Controls: Log analysis, | |intrusion detection system, security testing and audits, and managerial reports. Corrective Controls: | |Computer incident response teams (CIRT), Chief information security officer (CISO), and patch management. | | | | | | | | | | |