Accounting Chapter 8 Homework Software Code That Can Used Take Advantage Flaw And Compromise System R

Authors: Marshall B. Romney, Paul J. Steinbart

Accounting Information Systems
CHAPTER 8
INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
Part 1: Information Security
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
8.1 Explain why an organization would want to use all of the following information
security controls: firewalls, intrusion prevention systems, intrusion detection
systems, and a CIRT.
Using this combination of controls provides defense-in-depth. Firewalls and intrusion
8.2 What are the advantages and disadvantages of having the person responsible for
information security report directly to the chief information officer (CIO), who has
overall responsibility for all aspects of the organization’s information systems?
It is important for the person responsible for security (the CISO) to report to senior
management. Having the person responsible for information security report to a member
of the executive committee such as the CIO, formalizes information security as a top
management issue.
8.3 Reliability is often included in service level agreements (SLAs) when outsourcing.
The toughest thing is to decide how much reliability is enough. Consider an
application like e-mail. If an organization outsources its e-mail to a cloud provider,
what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?
The differences in promised reliability levels over the course of a year in terms of days
when the e-mail system may not work are:
8.4 What is the difference between authentication and authorization?
Authentication and authorization are two related controls designed to restrict access to an
organization’s information systems and resources.
8.5 What are the limitations, if any, of relying on the results of penetration tests to
assess the overall level of security?
Penetration testing provides a rigorous way to test the effectiveness of an organization's
computer security by attempting to break into the organization's information system.
Internal audit and external security consulting teams perform penetration tests in which
8.6 Security awareness training is necessary to teach employees “safe computing”
practices. The key to effectiveness, however, is that it changes employee behavior.
How can organizations maximize the effectiveness of their security awareness
training programs?
Top management support is always essential for the success of any program an entity
undertakes. Thus, top management support and participation in security awareness
training is essential to maximize its impact on the employees and managers of the firm.
8.7 What is the relationship between COSO, COBIT, and the AICPA’s Trust Services
frameworks?
COSO is a broad framework that describes the various components of internal control. It
does not, however, provide any details about IT controls.
SUGGESTED SOLUTIONS TO THE PROBLEMS
8.1 Match the following terms with their definitions:

Terms (answer letter shown before each term):
__d__ 1. Vulnerability
__s__ 2. Exploit
__b__ 3. Authentication
__j__ 8. social engineering
__k__ 9. firewall
__g__ 16. border router
__r__ s. patch management
__v__ t. cloud computing

Definitions:
a. Code that corrects a flaw in a program.
b. Verification of claimed identity.
c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
h. The rules (protocol) that govern routing of packets across networks.
i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets.
(IP) to send packets across networks.
p. A detective control that identifies weaknesses in devices or software.
s. Software code that can be used to take advantage of a flaw and compromise a system.
t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a
8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on
your home computer or laptop. Write a report explaining the weaknesses identified
by the tool and how to best correct them. Attach a copy of the MBSA output to your
report.
Solution: will vary for each student. Examples of what to expect (from a computer
running Windows 7) follow:
2. Next is a section about user accounts and Windows settings:
3. Then there is a section about other system information
8.3 The following table lists the actions that various employees are permitted to
perform:

Employee   Permitted actions
Able       Check customer account balances
           Check inventory availability

Complete the following access control matrix so that it enables each employee to perform
those specific activities:

Employee   Inventory Master File   Payroll Master File   System Log Files
Able       1                       0                     0

Use the following codes:
0 = no access
1 = read only access
2 = read and modify records
3 = read, modify, create, and delete records
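As an added example (not part of the textbook solutions), the following Python models the access control matrix with the 0-3 codes above, makes a fail-closed authorization decision with an audit trail, and reviews a row for grants that exceed an employee's listed duties. Only Able's row comes from the page; the other employees, the operation names, and the duty-to-resource mapping are assumptions made for illustration.

```python
# Access-control matrix using the 0-3 permission codes from Problem 8.3.
# Added example, not part of the textbook solutions. Only Able's row is
# taken from the page; the other employees and the duty-to-resource
# mapping are constructed for illustration.

NO_ACCESS, READ, READ_MODIFY, FULL = 0, 1, 2, 3

# Lowest code that covers each operation; the codes are cumulative,
# so code 3 also permits reading and modifying.
REQUIRED = {"read": READ, "modify": READ_MODIFY, "create": FULL, "delete": FULL}

ACL = {
    # From the page: Able may only read the inventory master file.
    "Able": {"Inventory Master File": READ,
             "Payroll Master File": NO_ACCESS,
             "System Log Files": NO_ACCESS},
    # Constructed rows for illustration.
    "Baker": {"Inventory Master File": NO_ACCESS,
              "Payroll Master File": READ_MODIFY,
              "System Log Files": NO_ACCESS},
    "Auditor": {"Inventory Master File": READ,
                "Payroll Master File": READ,
                "System Log Files": READ},
}


def is_permitted(employee, resource, operation):
    """True only if the employee's code for the resource covers the operation.
    Unknown employees, resources or operations are denied (fail closed)."""
    if operation not in REQUIRED:
        return False
    level = ACL.get(employee, {}).get(resource, NO_ACCESS)
    return level >= REQUIRED[operation]


def check_access(employee, resource, operation, audit_log):
    """Authorization decision that also records every denied attempt,
    so the matrix doubles as a detective control."""
    allowed = is_permitted(employee, resource, operation)
    if not allowed:
        audit_log.append(f"DENIED {employee} {operation} {resource}")
    return allowed


def excess_privileges(employee, needed):
    """Least-privilege review: list (resource, code) pairs where the matrix
    grants more than the employee's permitted actions require."""
    row = ACL.get(employee, {})
    return [(res, code) for res, code in row.items()
            if code > needed.get(res, NO_ACCESS)]
```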
8.4 Which preventive, detective, and/or corrective controls would best mitigate the
following threats?
a. An employee’s laptop was stolen at the airport. The laptop contained personally
identifying information about the company’s customers that could potentially be
used to commit identity theft.
Preventive: Policies against storing sensitive information on laptops and requiring that if
any such information must exist on the laptop that it be encrypted.
b. A salesperson successfully logged into the payroll system by guessing the payroll
supervisor’s password.
Preventive: Strong password requirements such as at least an 8 character length, use of
c. A criminal remotely accessed a sensitive database using the authentication
credentials (user ID and strong password) of an IT manager. At the time the attack
occurred, the IT manager was logged into the system at his workstation at company
headquarters.
Preventive: Integrate physical and logical security. In this case, the system should reject
d. An employee received an email purporting to be from her boss informing her of an
important new attendance policy. When she clicked on a link embedded in the email
to view the new policy, she infected her laptop with a keystroke logger.
Preventive: Security awareness training is the best way to prevent such problems.
Employees should be taught that this is a common example of a sophisticated phishing
scam.
e. A company’s programming staff wrote custom code for the shopping cart feature on
its web site. The code contained a buffer overflow vulnerability that could be
exploited when the customer typed in the ship-to address.
Preventive: Teach programmers secure programming practices, including the need to
carefully check all user input.
f. A company purchased the leading “off-the-shelf” e-commerce software for linking
its electronic storefront to its inventory database. A customer discovered a way to
directly access the back-end database by entering appropriate SQL code.
Preventive: Insist on secure code as part of the specifications for purchasing any
third-party software.
g. Attackers broke into the company’s information system through a wireless access
point located in one of its retail stores. The wireless access point had been purchased
and installed by the store manager without informing central IT or security.
Preventive: Enact a policy that forbids installation of unauthorized wireless access
points.
h. An employee picked up a USB drive in the parking lot and plugged it into their
laptop to “see what was on it,” which resulted in a keystroke logger being installed
on that laptop.
Preventive: Security awareness training. Teach employees to never insert USB drives
i. Once an attack on the company’s website was discovered, it took more than 30
minutes to determine who to contact to initiate response actions.
Preventive: Document all members of the CIRT and their contact information.
j. To facilitate working from home, an employee installed a modem on his office
workstation. An attacker successfully penetrated the company’s system by dialing
into that modem.
Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone
k. An attacker gained access to the company’s internal network by installing a wireless
access point in a wiring closet located next to the elevators on the fourth floor of a
high-rise office building that the company shared with seven other companies.
Preventive: Secure or lock all wiring closets.
