978-0134474021 Chapter 8 Solutions Manual Part 1

Type: Homework Help
Pages: 9
Words: 3066
Authors: Marshall B. Romney, Paul J. Steinbart

CHAPTER 8
CONTROLS FOR INFORMATION SECURITY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
8.1 Explain why an organization would want to use all of the following information
security controls: firewalls, intrusion prevention systems, intrusion detection
systems, and a CIRT.
Using this combination of controls provides defense-in-depth. Firewalls and intrusion
8.2 What are the advantages and disadvantages of having the person responsible for
information security report directly to the chief information officer (CIO), who has
overall responsibility for all aspects of the organization’s information systems?
It is important for the person responsible for security (the CISO) to report to senior
One potential disadvantage is that the CIO may not always react favorably to reports
indicating that shortcuts have been taken with regard to security, especially in situations
where following the recommendations for increased security spending could result in
8.3 Reliability is often included in service level agreements (SLAs) when outsourcing.
The toughest thing is to decide how much reliability is enough. Consider an
application like e-mail. If an organization outsources its e-mail to a cloud provider,
what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?
The differences in promised reliability levels over the course of a year in terms of days
when the e-mail system may not work are:
8-1
©2018 Pearson Education, Inc.
Ch. 8: Controls for Information Security
8.4 What is the difference between authentication and authorization?
Authentication and authorization are two related controls designed to restrict access to an
8.5 What are the limitations, if any, of relying on the results of penetration tests to
assess the overall level of security?
Penetration testing provides a rigorous way to test the effectiveness of an organization’s
computer security by attempting to break into the organization’s information system.
Internal audit and external security consulting teams perform penetration tests in which
8.6 Security awareness training is necessary to teach employees “safe computing”
practices. The key to effectiveness, however, is that it changes employee behavior.
How can organizations maximize the effectiveness of their security awareness
training programs?
Top management support is always essential for the success of any program an entity
undertakes. Thus, top management support and participation in security awareness
Accounting Information Systems
8.7 What is the relationship between COSO, COBIT 5, and the AICPA’s Trust Services
frameworks?
SUGGESTED SOLUTIONS TO THE PROBLEMS
8.1 Match the following terms with their definitions:
Term Definition
__d__ 1. Vulnerability a. Code that corrects a flaw in a program.
__e__ 18. Penetration test r. The process of applying code supplied by a vendor to fix a problem in that vendor’s software.
_i___ 20. Cloud computing t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
8.2 The CISO of the ABC company is considering how to increase the strength of employee
passwords. Currently, passwords must be eight characters, they must be case-sensitive,
and they must contain at least two numbers.
a. Calculate the size of the search space of possible passwords given the current
password requirements.
b. Calculate the size of the search space of possible passwords if the current password
requirements were changed so that they must contain at least two special characters
(e.g., $, #, @, etc.) from a list of 33 commonly available symbols.
c. Calculate the size of the search space of possible passwords if the current password
requirements were changed so that passwords must be 12 characters long.
d. Which modification to the current password requirements (adding the requirement to
include special symbols or increasing the length from 8 to 12) increases the strength
of the password the most?
e. Which modification do you recommend? Why?
Solution:
a. The current search space is the number of choices for each character (62 = 26 upper-case
b. There would now be 95 possible choices for each character: 26 upper-case letters, 26
c. There would be 62 choices for each character (26 upper-case letters, 26 lower-case letters, and
d. Changing the size of the possible character set (part b) increases the search space by 30.3847
e. Increasing the length – because it increases resistance to brute-force guessing the most. Also,
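As an added worked example (not from the solutions manual), the arithmetic behind parts a to d, so the figures can be checked: the manual treats every position as free over the full character set (62 or 95 symbols), giving 62^8, 95^8 and 62^12, and the ratio of about 30.38 quoted in part d. The extra function goes one step further than the manual and counts the search space exactly when an "at least two" rule is enforced; the character-class sizes are assumed to match the manual's counts.

```python
from math import comb

# Character classes used in Problem 8.2 (assumed to match the manual's counts).
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALNUM = UPPER + LOWER + DIGITS          # 62 symbols
ALNUM_SYM = ALNUM + SYMBOLS             # 95 symbols


def naive_search_space(alphabet_size: int, length: int) -> int:
    """Search space as the manual computes it: every position free over the whole alphabet."""
    return alphabet_size ** length


def search_space_at_least(alphabet_size: int, class_size: int, length: int, k: int) -> int:
    """Exact number of passwords of `length` over `alphabet_size` symbols that contain
    at least `k` characters from a class of `class_size` symbols (e.g. the 10 digits).
    Computed as the total minus the strings holding only 0..k-1 class characters."""
    other = alphabet_size - class_size
    too_few = sum(comb(length, j) * class_size ** j * other ** (length - j)
                  for j in range(k))
    return alphabet_size ** length - too_few


def problem_8_2() -> dict:
    """Parts a to d of Problem 8.2: the manual's naive figures plus exact counts."""
    a = naive_search_space(ALNUM, 8)        # part a: 8 chars, 62 symbols
    b = naive_search_space(ALNUM_SYM, 8)    # part b: 8 chars, 95 symbols
    c = naive_search_space(ALNUM, 12)       # part c: 12 chars, 62 symbols
    return {
        "a_naive": a,
        "b_naive": b,
        "c_naive": c,
        "b_over_a": b / a,                  # about 30.38x, the figure in part d
        "c_over_a": c // a,                 # 62**4 = 14,776,336x
        # Exact counts once the "at least two" rule is enforced. For part b only the
        # two-symbol rule is applied (assumption: it replaces the two-digit rule).
        "a_exact": search_space_at_least(ALNUM, DIGITS, 8, 2),
        "b_exact": search_space_at_least(ALNUM_SYM, SYMBOLS, 8, 2),
        "c_exact": search_space_at_least(ALNUM, DIGITS, 12, 2),
    }


if __name__ == "__main__":
    for name, value in problem_8_2().items():
        if isinstance(value, int):
            print(f"{name:>9}: {value:,}")
        else:
            print(f"{name:>9}: {value:.4f}")
```

The exact counts are smaller than the naive ones because the "at least two" rule removes every string that has too few characters of the required class, which is why the naive figures overstate resistance to exhaustive guessing.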
8.3 The following table lists the actions that various employees are permitted to
perform:
Employee Permitted actions
Able Check customer account balances
Baker Change customer credit limits
Charley Update inventory records for sales and purchases
Denise Add new customers
Use the following codes to complete the access control matrix so that it enables each
employee to perform those specific activities:
0 = no access
1 = read only access
Employee | Customer Master File | Inventory Master File | Payroll Master File | System Log Files
Able
Baker    | 2 | 0 | 0 | 0
Use the following codes:
8.4 Which preventive, detective, and/or corrective controls would best mitigate the
following threats?
a. An employee’s laptop was stolen at the airport. The laptop contained personally
identifying information about the company’s customers that could potentially be
used to commit identity theft.
Preventive: Policies against storing sensitive information on laptops and requiring that if
Corrective: Installation of “phone home” software might help the organization either
b. A salesperson successfully logged into the payroll system by guessing the payroll
supervisor’s password.
Preventive: Strong password requirements such as at least an 8-character length, use of
Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a
c. A criminal remotely accessed a sensitive database using the authentication
credentials (user ID and strong password) of an IT manager. At the time the
attack occurred, the IT manager was logged into the system at his workstation at
company headquarters.
Preventive: Integrate physical and logical security. In this case, the system should reject
d. An employee received an email purporting to be from her boss informing her of
an important new attendance policy. When she clicked on a link embedded in the
email to view the new policy, she infected her laptop with a keystroke logger.
Preventive: Security awareness training is the best way to prevent such problems.
e. A company’s programming staff wrote custom code for the shopping cart feature
on its web site. The code contained a buffer overflow vulnerability that could be
exploited when the customer typed in the ship-to address.
Detective: Make sure programs are thoroughly tested before being put into use
f. A company purchased the leading “off-the-shelf” e-commerce software for
linking its electronic storefront to its inventory database. A customer discovered
a way to directly access the back-end database by entering appropriate SQL
code.
Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party
software.
g. Attackers broke into the company’s information system through a wireless
access point located in one of its retail stores. The wireless access point had been
purchased and installed by the store manager without informing central IT or
security.
Preventive: Enact a policy that forbids installation of unauthorized wireless access
points.
h. An employee picked up a USB drive in the parking lot and plugged it into their
laptop to “see what was on it,” which resulted in a keystroke logger being
installed on that laptop.
Preventive: Security awareness training. Teach employees to never insert USB drives
unless they are absolutely certain of their source.
i. Once an attack on the company’s website was discovered, it took more than 30
minutes to determine who to contact to initiate response actions.
Preventive: Document all members of the CIRT and their contact information.
j. To facilitate working from home, an employee installed a modem on his office
workstation. An attacker successfully penetrated the company’s system by
dialing into that modem.
Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone
k. An attacker gained access to the company’s internal network by installing a
wireless access point in a wiring closet located next to the elevators on the fourth
floor of a high-rise office building that the company shared with seven other
companies.
Preventive: Secure or lock all wiring closets.
8.5 What are the advantages and disadvantages of the three types of authentication
credentials (something you know, something you have, and something you are)?
Something you know
  Advantages: + Easy to use
  Disadvantages: + Easy to forget or guess
Something you have
  Advantages: + Easy to use
  Disadvantages: + May require special hardware if
Something you are (biometric)
  Advantages: + Strong proof of who is presenting the credential
  Disadvantages: + Cost
                 + Requires special hardware, so not
8.6 a. Use the following facts to assess the time-based model of security for the ABC
Company; how well does the existing system protect ABC? Assume that the best-,
average-, and worst-case estimates are independent for each component of the model.
b. The company is considering investing up to an additional $100,000 to improve its
security. Given the following possibilities, which single investment would you
recommend? Which combination of investments would you recommend? Explain your
answer.
