Authors: Marshall B. Romney, Paul J. Steinbart

CHAPTER 8
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY, PART 1:
INFORMATION SECURITY
Instructor’s Manual
Learning Objectives:
2. Explain the factors that influence information systems
reliability.
Questions to be addressed in this chapter:
1. What controls does Northwest Industries employ to prevent
unauthorized access to its accounting system?
The COBIT and Trust Service Frameworks
Figure 8-1 on page 220 presents an overview of the Control
Objectives for Information and related Technology (COBIT)
framework.
It shows that achieving the organization’s business and
governance objectives requires adequate controls over IT
resources to ensure that information provided to management
satisfies seven key criteria:
1. Effectiveness: the information must be relevant and timely.
5. Availability: the information must be available whenever
needed.
Figure 8-1 shows 34 generic IT processes that must be properly
managed and controlled in order to produce information that
satisfies the seven criteria listed above.
Those processes are grouped into four basic management
activities, which COBIT refers to as domains:
1. Plan and Organize (PO). Figure 8-1 lists ten important
processes for properly planning and organizing an
organization’s information systems.
2. Acquire and Implement (AI). Figure 8-1 lists seven
fundamental processes that pertain to the acquisition and
implementation of technology solutions.
Multiple Choice 1
Which of the basic management activities, which COBIT refers to as
domains, has seven fundamental processes?
a. PO
Multiple Choice 2
The AICPA focuses specifically on _____ aspects of information systems
controls.
a. 4
b. 7
c. 5
d. 6
One basic function of an accounting information system is to
provide information useful for decision making.
Figure 8-2 on page 222 shows the five fundamental principles that
contribute to the overall objective of systems reliability:
2. Confidentiality: By restricting access, the confidentiality
of sensitive organizational information is protected.
4. Processing Integrity: Security procedures provide for
5. Availability: Security procedures provide protection against
a variety of attacks, including viruses and worms, thereby
ensuring that the system is available when needed.
Multiple Choice 3
The five principles that contribute to the overall objective of systems
reliability include:
a. Effectiveness
b. Processing Integrity
Before discussing the preventive, detective, and corrective controls,
it is helpful to understand the basic steps used by criminals to attack
an organization’s information system:
1. Reconnaissance. Computer attackers begin by collecting
2. Attempt Social Engineering. Why go through all the trouble of
trying to break into a system if you can get someone to let you
in? Attackers will often try to use the information obtained
3. Scan and Map the Target. If an attacker cannot successfully
4. Research. Once the attacker has identified specific targets and
knows what versions of software are used, the next step is to
find known vulnerabilities for those programs.
6. Cover Tracks. After penetrating the victim’s information system,
most attackers will try to cover their tracks and come up with
“back doors” just in case their initial attack is discovered.
Preventive Controls
Seven major types of preventive controls are listed in Table 8-2
on page 225.
Authentication Controls
Authentication focuses on verifying the identity of the person or
device attempting to access the system.
Users can be authenticated by verifying:
1. Something they know, such as passwords or personal
identification numbers (PINs)
Focus 8-1 on page 227 discusses some of the requirements
for creating strong passwords
1. Length
2. Multiple character types
3. Randomness
Should not be found in a dictionary
4. Change frequently
At least every 90 days and possibly every 30 days
Multifactor authentication uses two or all three of the
basic authentication methods together.
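The password requirements from Focus 8-1 (length, multiple character types, randomness, and periodic change) can be turned into a policy check. The following is an added example, not code from the textbook or its instructor's manual; the minimum length of 8, the three-character-type threshold, the small word list, and the leetspeak substitution table are all assumptions chosen for illustration, while the 90-day maximum age comes from the page.

```python
import re
from datetime import date, timedelta

# Constructed toy word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "letmein", "accounting", "northwest"}

MIN_LENGTH = 8                          # assumed threshold; the page only says "length"
MIN_CHARACTER_TYPES = 3                 # assumed; the page says "multiple character types"
MAX_PASSWORD_AGE = timedelta(days=90)   # page: change at least every 90 days

def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit and symbol appear in the password."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes

def looks_like_dictionary_word(pw: str) -> bool:
    """Undo common substitutions (assumed table) so 'P@ssw0rd' is still caught."""
    table = str.maketrans("@$0!13", "asoile")
    core = re.sub(r"[^a-z]", "", pw.lower().translate(table))
    return core in DICTIONARY

def check_password(pw: str, last_changed: date, today: date = None) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(pw) < MIN_CHARACTER_TYPES:
        problems.append("needs at least three character types")
    if looks_like_dictionary_word(pw):
        problems.append("based on a dictionary word")
    if today - last_changed > MAX_PASSWORD_AGE:
        problems.append("older than 90 days; must be changed")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, changed in [("P@ssw0rd", date(2024, 1, 1)),
                        ("Tr0ub4dor&3", date(2023, 10, 1)),
                        ("xK9$mQ2!vL", date(2024, 1, 1))]:
        print(pw, "->", check_password(pw, changed, today=date(2024, 1, 15)) or "ok")
```

The substitution step is what makes the randomness rule meaningful: a password that satisfies the length and character-type rules can still be a dictionary word in disguise, so the check normalises before comparing.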
Authorization Controls
Authorization restricts access of authenticated users to
specific portions of the system and specifies what actions
they are permitted to perform.
Authentication and authorization should also apply to
devices
Every workstation, printer, or other computing device
needs a Network Interface Card (NIC) to connect to
the organization’s internal network.
Training
Training is a critical preventive control as employees must
understand and follow the organization’s security policies.
All employees should be taught why security measures are
important to the organization’s long-run survival.
Some good security measures include:
1. Never open unsolicited e-mail attachments
Training is especially needed to educate employees about
social engineering attacks, which use deception to obtain
unauthorized access to information resources.
Note to the Instructor: The following includes the personal
experience of the writer of this instructor’s manual and
also two articles regarding piggybacking.
Another form of piggybacking involves the wireless
Internet. The following is an abstract from the New York
Times:
network with you is much more capable of accessing your
computer and performing other more malicious actions as
well. There is wireless network security software that you
can use to protect your wireless network. There are also
wireless security courses that are available. Although I’m
not endorsing the company, because I use McAfee for
viruses, I found out that McAfee offers a wireless home
network security software package.
Controlling Physical Access
Controlling physical access to the system is absolutely
essential.
Within minutes a skilled attacker can gain physical
access to the system and obtain sensitive data.
Someone with unsupervised physical access could also insert
special “boot” disks that provide direct access to every
file on the computer and then copy sensitive files to a
portable device such as a USB drive.
This technique involves the use of specially designed
rooms that serve as an entryway to the data center.
They typically contain two doors, each of which
uses multiple authentication methods to control
access.
of the confidential information it contains and the costs
of notifying those affected.
Below is an excerpt from the Internet involving hackers
obtaining personal credit card information:
120 million accounts exposed?
“And everyone I talk to says that number is conservative,” says Julie
Ferguson, co-founder of ClearCommerce Corp., which sells products
designed to stop data theft. Ferguson also chairs the Merchant Risk
Council, which studies credit card fraud and advocates for merchant
rights.
Controlling Remote Access
Perimeter Defense: Routers, Firewalls, and Intrusion
Prevention Systems
Figure 8-4 on page 231 shows the relationship between an
organization’s information system and the Internet.
A firewall is a combination of security algorithms and router
communications protocols that prevents outsiders from
tapping into corporate databases and e-mail systems.
Overview of TCP/IP and Routers
Information travels throughout the Internet and internal
local area networks in the form of packets.
Well defined rules and procedures called protocols dictate
how to perform these activities.
Figure 8-5 on page 232 shows how two important protocols,
referred to as TCP/IP, govern the process for transmitting
information over the Internet.
Every IP packet consists of two parts: a header and a body.
The header contains the packet’s origin and destination
addresses, as well as information about the type of data
contained in the body of the packet.
Filtering Packets
A set of rules, called an Access Control List (ACL),
determines which packets are allowed entry and which are
dropped.
Stateful packet filtering is still limited to
examining only information in the IP packet header.
Clearly, control over incoming mail would be more effective
if each envelope or package were opened and inspected.
Deep Packet Inspection
Such a process, called deep packet inspection, provides this
added control.
Intrusion prevention systems (IPS) are designed to identify
and drop packets that are part of an attack.
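The distinction the text draws between an ACL that looks only at the IP header, stateful filtering that adds a session table but still sees only headers, and deep packet inspection that opens the body can be shown with a small simulator. This is an added example, not code from the textbook or its instructor's manual; the packet model, the ACL rules, the session-table design and the two inspection signatures are constructed for illustration, and the addresses are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed packet model: the header fields a packet filter examines,
# plus the body that only deep packet inspection looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    body: bytes = b""

@dataclass
class Rule:
    action: str       # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

# Constructed inbound ACL: first matching rule wins, implicit deny at the end.
INBOUND_ACL = [
    Rule("deny", src="192.0.2.0/24"),                           # internal range seen from outside: spoofed
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),  # public web server
    Rule("allow", dst="192.0.2.20/32", proto="tcp", dport=25),  # mail server
]

def acl_verdict(p: Packet, acl=INBOUND_ACL) -> str:
    """Stateless filtering: the decision uses header fields only."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFilter:
    """Keeps a table of connections opened from inside so their replies are
    admitted even though no ACL rule names the ephemeral port. The decision
    is still made from header fields alone."""
    def __init__(self, acl=INBOUND_ACL):
        self.acl = acl
        self.sessions = set()

    def outbound(self, p: Packet) -> str:
        # Remember the reply we expect: external host/port back to internal host/port.
        self.sessions.add((p.dst, p.dport, p.src, p.sport, p.proto))
        return "allow"

    def inbound(self, p: Packet) -> str:
        if (p.src, p.sport, p.dst, p.dport, p.proto) in self.sessions:
            return "allow"
        return acl_verdict(p, self.acl)

BAD_PATTERNS = [b"<script>", b"../../"]   # constructed DPI signatures

def deep_inspect(p: Packet, filt: StatefulFilter) -> str:
    """Deep packet inspection: take the header verdict, then examine the body."""
    verdict = filt.inbound(p)
    if verdict == "allow" and any(sig in p.body for sig in BAD_PATTERNS):
        return "deny"
    return verdict

if __name__ == "__main__":
    f = StatefulFilter()
    f.outbound(Packet("192.0.2.50", "198.51.100.9", "tcp", 40000, 443))
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51000, 80, b"GET / HTTP/1.1"),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51001, 22),
        Packet("192.0.2.7", "192.0.2.10", "tcp", 51002, 80),
        Packet("198.51.100.9", "192.0.2.50", "tcp", 443, 40000),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51003, 80, b"GET /?q=<script>alert(1)</script>"),
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dport, "| acl:", acl_verdict(p),
              "| stateful:", f.inbound(p), "| dpi:", deep_inspect(p, f))
```

The last sample is the point of the section: it reaches the web server on TCP port 80 exactly as the ACL permits, so both the stateless and the stateful filter allow it, and only the inspection step that reads the body drops it.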
Defense-in-Depth
Dial-Up Connections
The Remote Authentication Dial-In User Service (RADIUS) is
a standard method that verifies the identity of users
attempting to connect via dial-in access.
Wireless Access
The following procedures need to be followed to adequately
secure wireless access:
1. Turn on available security features.
2. Authenticate all devices attempting to establish
3. Configure all authorized wireless Network Interface
4. Use noninformative names for the access point’s
5. Predefine a list of authorized Media Access Control
6. Reduce the broadcast strength of wireless access
7. Locate wireless access points in the interior of the
building and use directional antennas to make
unauthorized access and eavesdropping more
difficult.
Host and Application Hardening
Routers, firewalls, and intrusion prevention systems are
designed to protect the network perimeter.
However, information system security is enhanced by
supplementing preventive controls.
Three areas deserve special attention:
1. Host configuration
1. Host Configuration
Hosts can be made more secure by modifying their
configurations. Every program running on a host
2. Managing User Accounts and Privileges
Users who need administrative powers on a particular
3. Software Design
As organizations have increased the effectiveness of
their perimeter security controls, attackers have
increasingly targeted vulnerabilities in application
Multiple Choice 5
Social engineering attacks that take place via e-mail are known as:
a. bluesnarfing
Multiple Choice 6
An example of preventive controls would include:
a. log analysis
Multiple Choice 7
A biometric identifier includes:
a. passwords