ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of...


Transcript of ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of...

Page 1: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

ISA Course

Module 3

Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Page 2: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module Overview

Logical Access Exposures and Controls
Environmental Exposures and Controls
Physical Access Exposures and Controls
Application Controls

Page 3: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module Overview

Logical Access Exposures and Controls

Evaluate the design, implementation and monitoring of logical access controls to ensure the integrity, confidentiality and availability of information assets.

Page 4: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module Overview

Environmental Exposures and Controls

Evaluate the design, implementation and monitoring of environmental controls to prevent and/or minimise potential losses.

Page 5: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module Overview

Physical Access Exposures and Controls

Evaluate the design, implementation and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organisation's business objectives.

Page 6: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module Overview

Application Controls

Application controls are controls over the input, processing and output functions. They include methods for ensuring that:

Only complete, accurate and valid data are input
Processing accomplishes the correct task
Processing results meet expectations
Data are maintained

Page 7: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3 Objective

"This content area addresses the knowledge that an IS Auditor must have in order to evaluate the logical, environmental and IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage or loss."

Page 8: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3 Summary

According to the Certification Board, this domain will represent approximately 22% of the DISA examination.

Page 9: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

To retain a competitive advantage and to meet basic business requirements, organizations must:

Ensure the integrity of the information stored on their computer systems
Preserve the confidentiality of sensitive data
Ensure the continued availability of their information systems
Ensure conformity to laws, regulations and standards

Page 10: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

The risks associated with commercial, competitive and legislative pressures require the implementation of a proper security policy.

Page 11: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

IS Security Policy

Objective: to protect information capital against all types of risk, accidental or intentional
Responsibility: top management
Implementation: by delegation to the appropriate level of management, with permanent control
Enforcement: achieved through standards, good practices and guidelines

Page 12: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Components of a Security Policy

Management support and commitment
Access philosophy (need to know, need to do)
Compliance with relevant legislation and regulations
Access authorization
Reviews of access authorization
Security awareness
Role of the security administrator
Security committee

Page 13: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Paths of Logical Access

Operator console
Online terminals
Batch job processing
Dial-up ports
Telecommunications network

Page 14: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Access Issues and Exposures

Technical exposures:
• Data diddling
• Trojan horses
• Rounding down
• Salami techniques
• Viruses
• Worms
• Logic bombs
• Trap doors
• Asynchronous attacks
• Data leakage
• Wire-tapping
• Piggybacking
• Denial of service

Page 15: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Viruses

Viruses usually attack four parts of the computer:

Executable program files
The file-directory system that tracks the location of all the computer's files
Boot and system areas that are needed to start the computer
Data files (for example, macro viruses embedded in documents)

Page 16: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Controls

Controls over Viruses

Have sound policies and procedures in place
Technical solution: install anti-virus solutions (hardware and/or software)

Both of the above are a must; neither is effective without the other.
There is no 100% guaranteed anti-virus solution.

Page 17: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Controls

Controls over Viruses

Build any system from original, clean master copies. Boot only from original diskettes whose write protection has always been in place.
Allow no disk to be used until it has been scanned on a stand-alone machine.
Update virus scanning software frequently.
Write-protect all diskettes with .EXE or .COM extensions.
Have vendors run demonstrations on their machines, not yours.

The diskette-specific items date the material; the same principles apply today to USB media, downloaded installers and vendor-supplied laptops.

Page 18: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Controls

Controls over Viruses (some policy issues)

Prohibit the use of shareware without it being scanned first
Always scan before installing new software
Insist that field technicians scan their disks or systems before using or connecting them to the system
Ensure proper installation of AV software
Ensure prompt updating and upgrading of AV software (confirm the current release)
Prepare a virus eradication procedure, etc.

Page 19: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Controls

Antivirus software:

Scanners (match files against known virus signatures)
Active monitors (intercept suspicious operations as they occur, such as writes to the boot sector)
Integrity checkers (record a checksum or hash of each file on a known-clean system and report files that later change)
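The integrity checker is the one class above that needs no signature for the virus, so it is worth seeing the mechanism. The following is an added example, not code from the ISA course: it hashes every file of a known-clean system into a baseline, seals the baseline with an HMAC so that an intruder who can modify files cannot quietly rewrite the baseline too, and on the next run reports files that changed, appeared or vanished. The file names, contents and the operator key are constructed for illustration; the assumption is that the key lives off the monitored host (for example on removable media held by the security administrator).

```python
"""Integrity checker: baseline hashes of a clean system, HMAC-sealed, then re-verified."""
import hashlib
import hmac
import json
import os


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 digest of its contents."""
    return {path: digest(content) for path, content in sorted(files.items())}


def seal_baseline(baseline: dict[str, str], key: bytes) -> tuple[str, str]:
    """Serialize the baseline and compute an HMAC over the serialization."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def load_baseline(body: str, tag: str, key: bytes) -> dict[str, str]:
    """Refuse to use a baseline whose HMAC does not verify (someone edited it)."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline has been tampered with")
    return json.loads(body)


def verify(baseline: dict[str, str], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the current file set against the sealed baseline."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def snapshot_dir(root: str) -> dict[str, bytes]:
    """Read every regular file under root into memory, keyed by relative path (for real use)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean system, then a file infector appends itself to an .EXE."""
    key = b"operator-key-kept-on-removable-media"   # assumption: never stored on the host
    clean = {
        "COMMAND.COM": b"MZ\x90\x00clean command interpreter",
        "APP.EXE": b"MZ\x90\x00application code",
        "DATA.DAT": b"ledger,2024,100",
    }
    body, tag = seal_baseline(build_baseline(clean), key)

    infected = dict(clean)
    infected["APP.EXE"] = clean["APP.EXE"] + b"\x00VIRUS-BODY"   # appended infector
    infected["DROPPER.COM"] = b"MZnew dropped file"              # new file the virus wrote
    del infected["DATA.DAT"]                                     # data file destroyed

    return verify(load_baseline(body, tag, key), infected)


if __name__ == "__main__":
    print(demo())
```

On a real host, `snapshot_dir("/path")` replaces the constructed dictionary; the baseline body and tag go to a file, and the key stays with the administrator, which is what makes a rewritten baseline detectable.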

Page 20: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Some Issues and Exposures: Computer Crime Exposures

• Financial loss
• Legal repercussions
• Loss of credibility or competitive edge
• Blackmail/industrial espionage
• Disclosure of confidential, sensitive information
• Sabotage

Page 21: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Access Issues and Exposures

Computer Crime Exposures

• Logical access violators
  – Hackers
  – Employees and former employees
  – IS personnel
  – End users
  – Interested or educated outsiders
  – Part-time and temporary personnel
  – Vendors and consultants
  – Accidental or ignorant users

Page 22: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Tasks they perform
Functions they provide
Authorization functions

Page 23: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Tasks they perform (generally):

Verification of the user
Authorization of access to defined resources
Restriction of users to specific terminals
Reports on unauthorized attempts to access computer resources, data or programs

Page 24: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Functions they provide:

Verify user authorizations to sign on at the network and subsystem levels
Verify user authorizations at the application and transaction level
Verify user authorizations within the application, at the field level, for changes in the database
Verify subsystem authorization for the user at the file level

Page 25: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Authorization functions:

Logon IDs and user authentication
Limitation of specific terminals to specific logon IDs
Limiting access based on predetermined times
User profiles
Logging events

Page 26: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Generally processes access requests as follows:
1. Identification of users
2. Authentication of users

Authentication is a two-step process:
1. Verify the validity of the user (the logon ID exists and is active), and then
2. Verify something only that user should know (for example, a password).
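The following added example (not code from the ISA course) puts the authorization functions of the last four slides into one request-processing routine: identification, then authentication, then the terminal restriction, the time-of-day restriction and the user profile, with every decision logged so the violation report the security administrator reviews falls out of the same log. The logon ID, terminals, resources, times and the one-hour window are constructed for illustration; the use of salted PBKDF2 for the stored password is an assumption about the package, not something the slides specify.

```python
"""Access control software decision logic: identify, authenticate, then authorize, logging each step."""
from dataclasses import dataclass
from datetime import datetime, time
import hashlib
import hmac
import os


@dataclass
class Profile:
    logon_id: str
    salt: bytes
    pw_hash: bytes
    terminals: set[str]                 # terminals this logon ID may sign on from
    window: tuple[time, time]           # permitted sign-on window (local time)
    permissions: dict[str, set[str]]    # resource -> actions allowed by the user profile
    active: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # One-way, salted and deliberately slow; the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_profile(logon_id, password, terminals, window, permissions) -> Profile:
    salt = os.urandom(16)
    return Profile(logon_id, salt, _hash(password, salt), set(terminals), window, permissions)


class AccessControl:
    def __init__(self, profiles):
        self.profiles = {p.logon_id: p for p in profiles}
        self.log = []   # (when, logon_id, terminal, resource, action, outcome)

    def _record(self, when, logon_id, terminal, resource, action, outcome) -> bool:
        self.log.append((when.isoformat(), logon_id, terminal, resource, action, outcome))
        return outcome == "OK"

    def sign_on(self, logon_id: str, password: str, terminal: str, now: datetime) -> bool:
        prof = self.profiles.get(logon_id)
        if prof is None or not prof.active:                                   # identification
            return self._record(now, logon_id, terminal, "signon", "-", "DENIED: unknown or inactive logon id")
        if not hmac.compare_digest(prof.pw_hash, _hash(password, prof.salt)):  # authentication
            return self._record(now, logon_id, terminal, "signon", "-", "DENIED: authentication failed")
        if terminal not in prof.terminals:                                    # terminal restriction
            return self._record(now, logon_id, terminal, "signon", "-", "DENIED: terminal not permitted")
        start, end = prof.window                                              # predetermined times
        if not start <= now.time() <= end:
            return self._record(now, logon_id, terminal, "signon", "-", "DENIED: outside permitted hours")
        return self._record(now, logon_id, terminal, "signon", "-", "OK")

    def authorize(self, logon_id: str, terminal: str, resource: str, action: str, now: datetime) -> bool:
        prof = self.profiles[logon_id]
        allowed = action in prof.permissions.get(resource, set())             # user profile
        return self._record(now, logon_id, terminal, resource, action,
                            "OK" if allowed else "DENIED: not in user profile")

    def violation_report(self) -> list[tuple]:
        """The report of unauthorized attempts that the security administrator reviews."""
        return [e for e in self.log if e[-1] != "OK"]


def demo() -> dict:
    """Constructed walk-through: one clerk profile, a mix of permitted and denied requests."""
    clerk = make_profile(
        "clerk01", "Corr3ct-Horse!", terminals={"T01", "T02"},
        window=(time(8, 0), time(18, 0)),
        permissions={"GL": {"read", "post"}, "PAYROLL": {"read"}},
    )
    ac = AccessControl([clerk])
    t = datetime(2024, 3, 4, 9, 15)
    outcomes = [
        ac.sign_on("clerk01", "Corr3ct-Horse!", "T01", t),                   # permitted
        ac.authorize("clerk01", "T01", "GL", "post", t),                     # in profile
        ac.authorize("clerk01", "T01", "PAYROLL", "update", t),              # not in profile
        ac.sign_on("clerk01", "Corr3ct-Horse!", "T09", t),                   # wrong terminal
        ac.sign_on("clerk01", "Corr3ct-Horse!", "T01", t.replace(hour=23)),  # outside hours
        ac.sign_on("clerk01", "wrong", "T01", t),                            # bad password
        ac.sign_on("ghost", "x", "T01", t),                                  # unknown logon ID
    ]
    return {"outcomes": outcomes, "violations": len(ac.violation_report())}


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: an unknown logon ID is refused before any password is compared, and the response strings differ only in the log, so a caller cannot use them to enumerate valid IDs.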

Page 27: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Depending on the environment, access control security can be administered through a centralised or a decentralised environment.
Both have their advantages and disadvantages: centralised administration gives consistent policy and one place to review, but a single point of delay and failure; decentralised administration responds faster to local needs but is harder to keep uniform and to audit.

Page 28: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Access Control Software

Ways to control remote and distributed data processing locations

Page 29: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Security Features, Tools and Procedures

Logon IDs and Passwords

Features of passwords
Password syntax (format) rules
Logging computer access

Page 30: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Security Techniques

Logon IDs and Passwords

Features of Passwords

A good password should be easy to remember and difficult for a perpetrator to guess. When the user logs on for the first time, the system should force the user to change the password to improve confidentiality. "THREE WRONG STRIKES AND YOU ARE OUT": the logon ID is locked after three consecutive failed attempts.

If a logon ID has been deactivated because of a forgotten password, the user should notify the security administrator. The security administrator should reactivate the logon ID only after verifying the user's identity.

Passwords should be stored internally only in one-way encrypted (hashed) form, so that not even the security administrator can read them; a salted, deliberately slow password hash is the current practice.

Passwords should be changed regularly/periodically. (Current guidance such as NIST SP 800-63B favours changing a password on evidence of compromise rather than on a fixed schedule, since forced rotation tends to produce predictable variations.)

Page 31: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Security Techniques

Password Syntax Rules

Ideally a password should be five to eight characters in length. (This reflects the field limits of older systems; current practice sets a minimum of at least eight characters and no low maximum, since length is the main defence against guessing.)
Passwords should allow for a combination of alphabetic, numeric, upper-case, lower-case and special characters.
Passwords should not be particularly identifiable with the user.
The system should not permit previous password(s) to be used after being changed.
Logon IDs not used for a number of days should be deactivated to prevent possible misuse.
The system should automatically disconnect a logon session if no activity has occurred for a period of time, say an hour. This is also called "TIME OUT".

Page 32: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Security Techniques

Avoid bad passwords like:

Dictionary words
Foreign words
Simple transformations of words, like tiny8, 7eleven
Names, doubled names, first name and last initial
Upper-case or lower-case words
An alphabet sequence
Very short words or just one character, like cat, horse
Words that have the vowels removed
Phone numbers
Numbers substituted for letters
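The syntax rules and the bad-password list above are what a password-change routine has to enforce, so here they are as executable checks, together with the one-way storage and password history the previous slides call for. This is an added example, not code from the ISA course. The word list is a small constructed stand-in for a real dictionary, the logon IDs and names are invented, and the minimum length of eight is an assumption (the slide's five-to-eight range is an old field limit; a minimum only is enforced here). PBKDF2 with a per-user salt is used as the one-way hash.

```python
"""Password policy checks from the slides, plus salted one-way storage with reuse prevention."""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real dictionary / foreign-word list.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "tiny", "eleven",
              "horse", "cat", "bonjour", "summer"}
# Common "numbers substituted for letters" mappings, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
NO_VOWELS = {re.sub(r"[aeiou]", "", w) for w in DICTIONARY if len(w) > 3}


def _strip_edge_digits(word: str) -> str:
    """'tiny8' -> 'tiny', '7eleven' -> 'eleven': the simple transformations the slide names."""
    return re.sub(r"^\d+|\d+$", "", word)


def _is_sequence(s: str) -> bool:
    """Alphabet or digit run such as abcdefgh / 12345678, ascending or descending."""
    s = s.lower()
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _dictionary_hit(password: str) -> bool:
    c = password.lower()                                  # upper/lower-case words are the same word
    forms = {c, _strip_edge_digits(c), c.translate(LEET)}
    if forms & DICTIONARY or c in NO_VOWELS:
        return True
    half = len(c) // 2                                    # doubled word, e.g. horsehorse
    return len(c) % 2 == 0 and c[:half] == c[half:] and c[:half] in DICTIONARY


def check_password(password: str, logon_id: str, first_name: str, last_name: str,
                   min_length: int = 8) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    lower = password.lower()
    if len(password) < min_length:
        problems.append("too short")
    classes = sum(bool(re.search(rx, password)) for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lower, upper, digit, special")
    # Names, doubled names and first-name-plus-initial all contain the bare name, so one test covers them.
    if any(tok and tok.lower() in lower for tok in (logon_id, first_name, last_name)):
        problems.append("identifiable with the user")
    if _dictionary_hit(password):
        problems.append("dictionary word or simple transformation")
    if _is_sequence(password):
        problems.append("alphabet or digit sequence")
    if re.fullmatch(r"[\d\s()+-]{7,}", password):
        problems.append("looks like a phone number")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple[bytes, bytes]:
    """One-way: the stored value cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordStore:
    """Keeps only hashes, plus a bounded history so that previous passwords cannot be reused."""

    def __init__(self, history_depth: int = 5):
        self.current = {}    # logon_id -> (salt, hash)
        self.history = {}    # logon_id -> [(salt, hash), ...], most recent last
        self.depth = history_depth

    @staticmethod
    def _matches_any(password, entries) -> bool:
        return any(hmac.compare_digest(h, hash_password(password, s)[1]) for s, h in entries)

    def set_password(self, logon_id: str, password: str) -> bool:
        previous = self.history.get(logon_id, [])
        current = self.current.get(logon_id)
        if self._matches_any(password, previous + ([current] if current else [])):
            return False                                  # reuse of a changed password refused
        if current:
            previous.append(current)
        self.history[logon_id] = previous[-self.depth:]
        self.current[logon_id] = hash_password(password)
        return True

    def verify(self, logon_id: str, password: str) -> bool:
        current = self.current.get(logon_id)
        return current is not None and self._matches_any(password, [current])
```

A real deployment swaps `DICTIONARY` for a proper word list and checks candidates against known-breached passwords as well; the structure of the checks stays the same.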

Page 33: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Security Techniques

Operational Practices Pertaining to Passwords

If a logon ID is not used for a certain period, it should be deactivated, either by the system administrator or automatically.
If a user remains idle for a period of time, the session should be disconnected to avoid misuse.
Once a password is changed, the old password should not be usable thereafter.
Do not write the password on paper or store it in plain text on a computer.
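The lockout, reactivation, inactivity and time-out rules from the last few slides interact (a locked ID must stay locked even when the correct password arrives; an idle session must not keep an ID "in use"), so the following added example, which is not code from the ISA course, runs them as one small state machine. The thresholds of three attempts, ninety days and one hour are assumptions chosen to match the slides' examples; the logon ID, password and timestamps are constructed.

```python
"""Logon ID lifecycle: three-strike lockout, administrator reactivation, inactivity, idle time-out."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os


@dataclass
class Account:
    logon_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    deactivated: bool = False
    last_used: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountGuard:
    def __init__(self, accounts, max_attempts=3, inactive_after=timedelta(days=90),
                 idle_timeout=timedelta(hours=1)):
        self.accounts = {a.logon_id: a for a in accounts}
        self.max_attempts = max_attempts
        self.inactive_after = inactive_after
        self.idle_timeout = idle_timeout
        self.sessions = {}   # logon_id -> time of last activity
        self.admin_log = []  # every reactivation: when, which administrator, which ID

    def logon(self, logon_id: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(logon_id)
        if acct is None:
            return "DENIED: unknown logon id"
        if acct.deactivated:
            return "DENIED: deactivated"
        if acct.locked:
            return "DENIED: locked, contact security administrator"
        if acct.last_used and now - acct.last_used > self.inactive_after:
            acct.deactivated = True                      # unused too long: deactivate before checking anything else
            return "DENIED: deactivated for inactivity"
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.max_attempts:
                acct.locked = True                       # third wrong strike
                return f"DENIED: locked after {self.max_attempts} failures"
            return f"DENIED: bad password ({acct.failed_attempts} of {self.max_attempts})"
        acct.failed_attempts = 0
        acct.last_used = now
        self.sessions[logon_id] = now
        return "OK"

    def activity(self, logon_id: str, now: datetime) -> str:
        """Called on every request of an open session; enforces the idle time-out."""
        last = self.sessions.get(logon_id)
        if last is None:
            return "NO SESSION"
        if now - last > self.idle_timeout:
            del self.sessions[logon_id]                  # disconnect the idle session
            return "TIMED OUT"
        self.sessions[logon_id] = now
        self.accounts[logon_id].last_used = now
        return "OK"

    def reactivate(self, logon_id: str, admin: str, identity_verified: bool, now: datetime) -> bool:
        """Only the security administrator, after verifying the user's identity, may reactivate."""
        if not identity_verified or logon_id not in self.accounts:
            return False
        acct = self.accounts[logon_id]
        acct.locked = acct.deactivated = False
        acct.failed_attempts = 0
        self.admin_log.append((now.isoformat(), admin, logon_id))
        return True


def demo() -> list:
    """Constructed sequence exercising every rule once."""
    salt = os.urandom(16)
    guard = AccountGuard([Account("clerk01", salt, _hash("Corr3ct-Horse!", salt))])
    t0 = datetime(2024, 3, 4, 9, 0)
    m = timedelta(minutes=1)
    return [
        guard.logon("clerk01", "wrong1", t0),                                # strike 1
        guard.logon("clerk01", "wrong2", t0 + m),                            # strike 2
        guard.logon("clerk01", "wrong3", t0 + 2 * m),                        # strike 3: locked
        guard.logon("clerk01", "Corr3ct-Horse!", t0 + 3 * m),                # right password, still locked
        guard.reactivate("clerk01", "secadmin", False, t0 + 4 * m),           # identity not verified: refused
        guard.reactivate("clerk01", "secadmin", True, t0 + 4 * m),            # reactivated, logged
        guard.logon("clerk01", "Corr3ct-Horse!", t0 + 5 * m),                # OK
        guard.activity("clerk01", t0 + 30 * m),                              # within the hour
        guard.activity("clerk01", t0 + 120 * m),                             # 90 idle minutes: timed out
        guard.logon("clerk01", "Corr3ct-Horse!", t0 + timedelta(days=120)),  # unused 120 days: deactivated
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that `last_used` is advanced by real activity, not by the failed attempts, so an attacker hammering a dormant ID cannot keep it from being deactivated.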

Page 34: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Security Techniques

When the Password Should Be Changed

The password does not meet the criteria set out in the rules and strategies listed.
The same password has been used for six months or more.
The password has been told to anyone else.
The password has been written down anywhere.
It is officially notified that the password does not meet current standards.
You have visited another city or campus and logged on to a system there (the password may have been captured on an untrusted terminal or network).

Page 35: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Security Techniques

Logging Computer Access

With most security packages today, computer access and attempted access violations can be automatically logged by the computer and reported. The frequency of the security administrator's review of computer access reports should be commensurate with the sensitivity of the computerised information being protected. The IS Auditor should ensure that the logs cannot be tampered with or altered without leaving an audit trail.
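The requirement that logs cannot be altered without leaving a trail is the one an auditor most often finds unmet, because an administrator who can write the log can usually rewrite it. The following added example (not code from the ISA course) shows one software mechanism that gives the property: each record carries an HMAC over its content and the previous record's tag, so editing or deleting any record breaks every tag after it. Cutting the tail off is invisible to the chain alone, so the current head tag is assumed to be copied off-host (a separate log host or write-once media) and compared on review. The key, the events and the hosts are constructed for illustration.

```python
"""Hash-chained access log: edits, deletions and truncation become detectable on review."""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64


def _tag(key: bytes, prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True)
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


class ChainedAccessLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.head = GENESIS       # tag of the most recent entry; copied off-host after each write

    def append(self, event: dict) -> dict:
        entry = {"event": event, "prev": self.head, "tag": _tag(self.key, self.head, event)}
        self.entries.append(entry)
        self.head = entry["tag"]
        return entry


def verify_chain(entries: list, key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad entry (len(entries) if the tail was cut), or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or not hmac.compare_digest(_tag(key, prev, e["event"]), e["tag"]):
            return i
        prev = e["tag"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def violations(entries: list) -> list:
    """What the security administrator reviews: every attempt that was not permitted."""
    return [e["event"] for e in entries if e["event"]["outcome"] != "OK"]


def demo() -> dict:
    key = b"log-signing-key-held-by-security-admin"   # assumption: not readable by ordinary users
    log = ChainedAccessLog(key)
    for ev in [   # constructed sample events
        {"ts": "2024-03-04T09:15:00", "id": "clerk01", "term": "T01", "res": "signon", "outcome": "OK"},
        {"ts": "2024-03-04T09:16:10", "id": "clerk01", "term": "T01", "res": "PAYROLL", "outcome": "DENIED"},
        {"ts": "2024-03-04T09:20:00", "id": "ghost", "term": "T07", "res": "signon", "outcome": "DENIED"},
        {"ts": "2024-03-04T17:58:00", "id": "clerk01", "term": "T01", "res": "signoff", "outcome": "OK"},
    ]:
        log.append(ev)
    head = log.head                                  # the value kept off-host

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["outcome"] = "OK"            # insider tries to hide a denied attempt
    deleted = [log.entries[0]] + log.entries[2:]    # the same attempt removed outright
    truncated = log.entries[:3]                     # the tail cut off

    return {
        "intact": verify_chain(log.entries, key, head),
        "edited": verify_chain(edited, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated": verify_chain(truncated, key, head),
        "violations": len(violations(log.entries)),
    }


if __name__ == "__main__":
    print(demo())
```

The chain does not stop an administrator from tampering; it guarantees that the tampering shows up at the next review, which is the audit-trail property the slide asks for.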

Page 36: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Security Features, Tools and Procedures

Logging Computer Access

Performing security access follow-up
Reporting attempted violations

Page 37: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Security Features, Tools and Procedures

Token devices / one-time passwords
Biometric security access control
Terminal usage restraints
Dial-back procedures (the system hangs up and calls the user back at a pre-registered number)

Page 38: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Security Techniques

Restrict and monitor access to computer features that bypass security (system utilities and privileged maintenance logon IDs)
Logging of online activity

Page 39: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Logical Security Features, Tools and Procedures

Data classification
Safeguards for confidential data on PCs
Naming conventions for access controls

Page 40: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Auditing Logical Access

Obtain a general understanding of the security risks
Document and evaluate controls over access paths into the system
Test controls over access paths to determine that they are functioning and effective
Evaluate the access control environment to determine that control objectives are achieved
Evaluate the security environment to assess its adequacy

Page 41: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Auditing Logical Access: Familiarization with the IS Processing Environment

Document access paths
Interview systems personnel
Review reports from access control software

Page 42: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Audit and Evaluation Features, Tools and Procedures

Review the application systems operation manual
Review policies, procedures and standards:
  Logical access security policies
  Formal security awareness and training
  Data ownership
  Data owners
  Data custodians

Page 43: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Audit and Evaluation Features, Tools and Procedures (continued)

Security administrator
Data users
Documented authorizations
Access standards

Page 44: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Test Security

Use of terminal cards and keys
Terminal identification
Logon IDs and passwords
Controls over production resources
Logging and reporting of computer access violations

Page 45: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Logical Access Exposures and Controls

Test Security (continued)

Follow-up of access violations
Dial-up access controls
Authorization of network changes
Identify methods of bypassing security and compensating controls
Review access controls and password administration

Page 46: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Environmental Exposures and Controls

Environmental Issues and Exposures

Fire
Natural disasters
Power failure and spikes
Air conditioning failure
Others

Page 47: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Environmental Exposures and Controls

Controls for Environmental Exposures

Water detectors
Hand-held fire extinguishers
Manual fire alarms
Smoke detectors
Fire suppression systems
  – Dry pipe
  – Water
  – Halon (production was halted under the Montreal Protocol; existing installations are being replaced with FM-200, inert-gas or similar clean agents)

Page 48: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Environmental Exposures and Controls

Controls that reduce risk

Computer room location
Fire department inspections
Fireproof walls, floors and ceilings
Electrical surge protectors
Uninterruptible power supply
Emergency power-off switch

Page 49: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Environmental Exposures and Controls

Controls that reduce risk

Power leads from two substations

Wiring placed in electrical panels and conduit

Prohibitions against eating, drinking and smoking within the IPF

Fire resistant office materials

Documented and tested emergency evacuation plans

Page 50: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Environmental Exposures and Controls

Auditing Environmental Controls

Water and smoke detectors

Hand-held fire extinguishers

Fire suppression systems

Regular fire department inspections

Fireproof walls, floors and ceilings surrounding the computer room

Page 51: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Environmental Exposures and Controls

Auditing Environmental Controls Continued…

Electrical surge protectors

Power leads from two substations

Fully documented and tested business continuity plan

Wiring placed in electrical panels and conduit

UPS/Generator

Documented and tested emergency evacuation plans

Humidity/temperature control

Page 52: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Physical Access Issues and Exposures

• Physical access exposures

• Possible Perpetrators

Page 53: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Physical Access Exposures

Unauthorized Entry

Damage, Vandalism, Theft to Equipment or Documents

Copying or Viewing of sensitive or copyrighted information

Alteration of sensitive Equipment and Information

Page 54: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Physical Access Exposures … continued

Public disclosure of sensitive information

Abuse of data processing resources

Blackmail

Embezzlement

Page 55: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Possible Perpetrators

Employees with authorized or unauthorized access who are:

Disgruntled

On strike

Threatened by disciplinary action or dismissal

Addicted to a substance or gambling

Experiencing financial or emotional problems

Page 56: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Possible Perpetrators

Employees with authorized or unauthorized access who are notified of their termination

Former employees

Interested or informed outsiders, such as competitors, thieves, organized crime and hackers.

Accidental ignorant - someone who unknowingly perpetrates a violation (could be an employee or outsider).

The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent.

Page 57: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Other Questions and Concerns

Are hardware facilities reasonably protected against forced entry?

Are keys to the computer facility adequately controlled to reduce the risk of unauthorized access?

Are intelligent computer terminals locked or secured to prevent component removal and theft?

Are authorised equipment passes required before computer equipment can be removed from its normal secure surroundings?

Page 58: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Other Questions and Concerns

Controls should extend beyond the computer facility to include any vulnerable access points within the entire organization and at organizational boundaries / interfaces with external organizations. This may include remote locations, rented, leased or shared facilities, service providers or any other third parties, if they are potentially vulnerable access points to sensitive information within the organization.

Page 59: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Physical Access Controls

Bolting Door locks

Combination Door Locks (Cipher Locks)

Electronic Door Locks

Biometric Door Locks

Manual Logging

Electronic Logging

Page 60: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Physical Access Controls Continued…

Identification Badges (Photo Ids)

Video Cameras

Security Guards

Controlled visitor access

Bonded personnel

Deadman doors

Page 61: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Physical Access Controls Continued…

Not advertising the location of sensitive facilities

Computer terminal locks

Controlled single entry point

Alarm system

Secured report distribution cart

Page 62: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Physical Access Exposures and Controls

Audit and Evaluation Techniques for Physical Access

Touring the Information Systems Processing Facility (IPF)

Testing of Physical safeguards.

Page 63: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

ISA Review Course

Data Validation Processing and Balancing Controls

Page 64: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Chapter Overview

Component of Applications Controls

Boundary Control

Input Controls

Processing Controls

Data File Processing Control

Output Controls

Existence Control In Application System

Page 65: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Application Controls

Application controls are controls over input, processing and output functions, such as:

Only complete, accurate and valid data are entered and updated in a system.

Processing accomplishes the correct task.

Processing results meet expectations.

Data are maintained.

Page 66: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Application Controls

Tasks of an IS Auditor include:

Identifying the significant application components and the flow of transactions through the system.

Identifying the application control strengths and evaluating the impact of the control weaknesses.

Testing the controls to ensure their functionality and effectiveness.

Evaluating the control environment to determine that control objectives were achieved.

Considering the operational aspects of the application to ensure its programming standards.

Reporting results to management.

Page 67: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Component of Application Controls

Application control comprises controls from a multi-dimensional perspective:

Boundary controls

Input controls

Processing controls

Data file controls

Output controls

Page 68: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Boundary Control

The objective of this control is to prevent UNAUTHORISED ACCESS to the application and its data. This can be achieved by adopting the following techniques:

Restricting the use of a logon ID/password to specified terminals

Data transmission using ENCRYPTION

Storing intermediary data of the input, processing or output stage in the database in encrypted form and decrypting it at the time of retrieval

Page 69: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

INPUT CONTROLS

Input controls are responsible for ensuring ACCURACY & COMPLETENESS of data input into the application system.

Data Input Controls

Data Input Method

Source Document Design

Data Entry Screen Design

Data Code control

Check Digit

Page 70: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

BATCH CONTROLS

Batch Controls group input transactions into logical or physical batches. Physical batches are groups of transactions that constitute a physical unit, such as a set of invoices of a branch bundled together. Logical batches are groups of transactions that are divided on logical parameters such as cut-off date.

Page 71: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

BATCH CONTROLS

Total Financial Amount

Total Items

Hash Total

Total Documents

Page 72: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Batch Controls and Balancing

Adequate controls should exist to ensure that:

Each transaction creates an input document.

All documents are included in a batch.

All batches are submitted for processing.

All batches are accepted by the computer.

Batch reconciliation is performed.

Procedures for the investigation and timely correction of differences are followed.

Controls exist over the resubmission of rejected items.

Page 73: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Batch Controls and Balancing

Control Errors

[Diagram: Control Errors. Online Input and Batch Input feed a Program for Validation; its outputs are Valid Data, an Error File and an Error Report.]

Page 74: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Batch Controls and Balancing

Reporting Errors

The program must clearly identify errors and provide adequate cross-reference to permit retrieval of the source documents if they are needed.

Screen Error Messages

When immediate validation of input data occurs, errors can be signaled via a buzzer, or an error message should be displayed to indicate the nature of the error and the corrective action desired.

Page 75: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Batch Controls and Balancing

Handling Errors

Rejecting Only the Transactions with Errors.

Rejecting the Whole Batch of Transactions.

Accepting the Batch in Suspense.

Accepting the Batch and Flagging the Error Transactions.
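The batch control totals of pages 71 and 72 and the four error-handling options above, worked through as an added Python example (not code from the course): a hash total that catches a wrongly keyed account number the financial total misses, the balancing step against the batch header, routing of a batch into valid data, error file or suspense file under each policy, and a reconciliation that proves nothing was dropped. The transaction layout, the account table and the sample batch are constructed for this example.

```python
"""Batch control totals, balancing and error-handling policies for keyed input.

Added example, not code from the course slides. The transaction layout, the
valid-account table and the sample batch are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


@dataclass
class Txn:
    doc_no: int     # source document number: the cross-reference for the error report
    account: int    # non-financial numeric field, used only for the hash total
    items: int      # number of line items on the document
    amount: float   # financial amount


@dataclass
class ControlTotals:
    documents: int   # Total Documents
    items: int       # Total Items
    amount: float    # Total Financial Amount
    hash_total: int  # Hash Total: sum of account numbers, meaningless as a number


class ErrorPolicy(Enum):
    REJECT_ERRORS_ONLY = 1  # reject only the transactions with errors
    REJECT_WHOLE_BATCH = 2  # reject the whole batch if any transaction fails
    ACCEPT_IN_SUSPENSE = 3  # hold the whole batch in suspense until corrected
    ACCEPT_AND_FLAG = 4     # accept everything and flag the error transactions


def compute_totals(txns):
    """Recompute the four batch control totals from the keyed transactions."""
    return ControlTotals(
        documents=len(txns),
        items=sum(t.items for t in txns),
        amount=round(sum(t.amount for t in txns), 2),
        hash_total=sum(t.account for t in txns),
    )


def balance_batch(header, txns):
    """Compare the totals on the batch header with the recomputed ones.
    Returns one line per difference; an empty list means the batch balances."""
    actual = compute_totals(txns)
    return [
        f"{name}: header {getattr(header, name)} vs keyed {getattr(actual, name)}"
        for name in ("documents", "items", "amount", "hash_total")
        if getattr(header, name) != getattr(actual, name)
    ]


def validate_txn(t, valid_accounts):
    """Edit checks on one transaction; returns a list of error messages."""
    errors = []
    if t.account not in valid_accounts:
        errors.append("account not on file")
    if t.items <= 0:
        errors.append("item count must be positive")
    if t.amount <= 0:
        errors.append("amount must be positive")
    return errors


def process_batch(txns, valid_accounts, policy):
    """Validate a batch and route it to valid data, the error file or the suspense
    file under the chosen policy. The error report maps doc_no to its messages."""
    report = {t.doc_no: validate_txn(t, valid_accounts) for t in txns}
    report = {doc: errs for doc, errs in report.items() if errs}
    valid, error_file, suspense = [], [], []
    if policy is ErrorPolicy.REJECT_ERRORS_ONLY:
        valid = [t for t in txns if t.doc_no not in report]
        error_file = [t for t in txns if t.doc_no in report]
    elif policy is ErrorPolicy.REJECT_WHOLE_BATCH and report:
        error_file = list(txns)
    elif policy is ErrorPolicy.ACCEPT_IN_SUSPENSE and report:
        suspense = list(txns)
    else:  # clean batch, or ACCEPT_AND_FLAG: everything posts, the report carries the flags
        valid = list(txns)
    return {"valid": valid, "error_file": error_file, "suspense": suspense, "report": report}


def reconcile(keyed, result):
    """What left the validation program must total exactly what entered it,
    so no transaction was silently dropped or duplicated on the way."""
    routed = result["valid"] + result["error_file"] + result["suspense"]
    return compute_totals(routed) == compute_totals(keyed)


# Constructed sample: header totals as written on the batch slip by the originating
# branch, and the transactions as keyed. Document 3 was keyed against account 1009
# instead of 1003: amount and item totals still agree, only the hash total differs.
VALID_ACCOUNTS = {1001, 1002, 1003}
HEADER = ControlTotals(documents=3, items=7, amount=350.00, hash_total=3006)
KEYED = [
    Txn(doc_no=1, account=1001, items=2, amount=100.00),
    Txn(doc_no=2, account=1002, items=3, amount=150.00),
    Txn(doc_no=3, account=1009, items=2, amount=100.00),
]

if __name__ == "__main__":
    print("balance:", balance_batch(HEADER, KEYED) or "balanced")
    res = process_batch(KEYED, VALID_ACCOUNTS, ErrorPolicy.REJECT_ERRORS_ONLY)
    print("error report:", res["report"], "reconciled:", reconcile(KEYED, res))
```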

Page 76: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Batch Controls and Balancing

Input Control Techniques

Transaction Log.

Reconciliation of Data.

Documentation of user data entry.

Data control procedures.

Page 77: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Batch Controls and Balancing

Error Correction Procedures

Approval of corrections

Error file

Logging of errors

Suspense file

Timely corrections

Upstream resubmission

Validity of corrections

Page 78: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Data Input Validation

Preprogrammed input formats ensure that data are input to the correct field in the correct format. A supervisor should be allowed to log on and override the general rules of data validation and editing; the use of specific input procedures could facilitate this.

Page 79: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Data Validation and Editing

Various Types of Data Validation Edits are:

Sequence Check: a control number sequence is followed and checks are performed based on that number, e.g. date sequence of transactions.

Limit Check and Range Check: data should not exceed the predetermined amount and range.

Missing Data Check: checking that key fields are not left blank.

Reasonableness Check: data are matched to predetermined reasonable limits or occurrence rates.

Table Look-ups: data agree with predetermined criteria maintained in a computerised table of possible values.

Page 80: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Data Validation and Editing

Various Types of Data Validation Edits are:

Duplicate Check: ensures that the same data is not keyed in twice.

Check Digit: a numeric value that has been calculated mathematically is added to the data to ensure that the original data have not been altered or an incorrect but valid value substituted.

Completeness Check: checks that a field contains data and not zeros or blanks.

Logical Relationship Check: if a particular condition is true, then one or more additional conditions or data input relations may be required to be true to consider the input valid.
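The nine data validation edits listed on pages 79 and 80, run over a small batch of keyed records as an added Python example (not code from the course). The record layout, the product table, the limits and the sample records are constructed; the check digit is computed with the mod-10 (Luhn) scheme, which the slides do not name, as one concrete instance of "a numeric value calculated mathematically".

```python
"""Data validation edits run over keyed transaction records.

Added example, not code from the course slides. The record layout, the
product table, the limits and the sample records are constructed. The check
digit uses the mod-10 (Luhn) scheme as one concrete instance of "a numeric
value calculated mathematically"; the slides do not name a scheme.
"""

PRODUCT_TABLE = {"A100", "B200", "C300"}  # table look-up: permitted product codes
AMOUNT_LIMIT = 10_000.00                   # limit check: no single amount above this
QTY_RANGE = (1, 500)                       # range check on quantity
UNIT_PRICE_RANGE = (5.00, 500.00)          # reasonableness check on amount / qty
KEY_FIELDS = ("control_no", "account", "product")  # missing-data check


def luhn_check_digit(payload: str) -> str:
    """Mod-10 check digit: double every second digit from the right, sum, complement."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += n - 9 if n > 9 else n
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """A keyed number is accepted only if its last digit matches the recomputed one."""
    return number.isdigit() and len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


def validate_record(rec, prev, seen):
    """Apply the edits to one record. `prev` is the previously keyed record (or None)
    and `seen` the set of duplicate-check keys already keyed. Returns error messages."""
    errors = []
    # Sequence check on the control number and on the transaction date (ISO dates sort as text)
    if prev is not None:
        if rec["control_no"] != prev["control_no"] + 1:
            errors.append("control number out of sequence")
        if rec["txn_date"] < prev["txn_date"]:
            errors.append("transaction date out of sequence")
    # Missing data check on the key fields
    for f in KEY_FIELDS:
        if rec.get(f) in (None, ""):
            errors.append(f"{f} is missing")
    # Check digit on the account number (only if one was keyed at all)
    if rec.get("account") and not check_digit_ok(rec["account"]):
        errors.append("account check digit invalid")
    # Table look-up
    if rec.get("product") not in PRODUCT_TABLE:
        errors.append("product not in table")
    # Limit check and range check
    if rec["amount"] > AMOUNT_LIMIT:
        errors.append(f"amount exceeds limit {AMOUNT_LIMIT}")
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        errors.append(f"quantity outside range {QTY_RANGE[0]}-{QTY_RANGE[1]}")
    # Completeness check: the field must hold data, not zero or blank
    for f in ("qty", "amount"):
        if not rec[f]:
            errors.append(f"{f} is zero or blank")
    # Reasonableness check: the implied unit price must lie within typical bounds
    if rec["qty"] and not UNIT_PRICE_RANGE[0] <= rec["amount"] / rec["qty"] <= UNIT_PRICE_RANGE[1]:
        errors.append("unit price unreasonable")
    # Duplicate check: the same transaction keyed twice
    key = (rec.get("account"), rec.get("product"), rec["amount"], rec["txn_date"])
    if key in seen:
        errors.append("duplicate transaction")
    seen.add(key)
    # Logical relationship check: courier delivery only makes sense with an address
    if rec.get("delivery") == "courier" and not rec.get("address"):
        errors.append("courier delivery requires an address")
    return errors


def validate_batch(records):
    """Run the edits over a batch in keyed order; returns {control_no: [errors]}."""
    report, prev, seen = {}, None, set()
    for rec in records:
        errs = validate_record(rec, prev, seen)
        if errs:
            report[rec["control_no"]] = errs
        prev = rec
    return report


# Constructed sample records. Account 123455 carries a valid check digit (payload
# 12345 -> 5); 213455 is the same number with its first two digits transposed.
SAMPLE = [
    {"control_no": 1, "txn_date": "2024-01-02", "account": "123455", "product": "A100",
     "qty": 10, "amount": 200.00, "delivery": "courier", "address": "1 Main St"},
    {"control_no": 2, "txn_date": "2024-01-02", "account": "213455", "product": "A100",
     "qty": 10, "amount": 200.00, "delivery": "pickup", "address": ""},
    {"control_no": 4, "txn_date": "2024-01-01", "account": "", "product": "Z999",
     "qty": 0, "amount": 0.0, "delivery": "courier", "address": ""},
    {"control_no": 5, "txn_date": "2024-01-02", "account": "123455", "product": "A100",
     "qty": 10, "amount": 200.00, "delivery": "pickup", "address": ""},
]

if __name__ == "__main__":
    for control_no, errs in validate_batch(SAMPLE).items():
        print(control_no, errs)
```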

Page 81: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Processing Control

Data processing controls perform validation checks to identify errors during data processing. They are required to ensure both COMPLETENESS & ACCURACY of the data being processed. The following are the controls:

Run-To-Run Total

Edit checks

Exception Reports

Page 82: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

DATA FILE PROCESSING CONTROL

Version Usage: a check that only the most current file is processed.

Internal & External Labeling: should be in place so that the proper files are loaded for processing.

Data File Security: ensures that unauthorized access to data files is prevented, thereby ensuring confidentiality, integrity and availability of the data files.

Before & after image and logging

File updating and maintenance authorization

Page 83: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Output Controls

They include the following:

Logging and Storage of Negotiable, Sensitive and Critical Forms in a Secure Place.

Computer Generation of Negotiable Instruments, Forms and Signatures

Distribution Authorisation

Balancing and Reconciling

Report Distribution

Data Conversions and Error Corrections

Access Controls over print spools

Output Report Retention

Verification of Receipt of Reports

Page 84: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3 Glossary

Asymmetric Key (Public Key)

Digital Signature

Dry-pipe Fire Extinguisher System

Encryption

Trojan Horse

Page 85: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3 Glossary

Continued…

Access Control Table

Authentication

Biometrics

Card Swipes

Challenge/Response Token

Page 86: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3 Recap

Questions

Group discussion

Page 87: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

1. Which of the following BEST provides access control to payroll data being processed on a local server?

A. Logging of all access to personal information
B. Separate password for sensitive transactions
C. Software restricts access rules to authorized staff
D. System access restricted to business hours

Page 88: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

2. Which of the following concerns about the security of an electronic message would be addressed by digital signatures?

A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration

Page 89: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

3. The MOST effective method for limiting the effect of an attack by a software virus is:

A. software controls.
B. policies, standards and procedures.
C. logical access controls.
D. data communication standards.

Page 90: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

4. Which of the following would NOT be a characteristic of a private key cryptosystem?

A. Two different keys are used for the encryption and decryption.
B. The encryption key should be secure.
C. Data Encryption Standard (DES) is a typical private key cryptosystem.
D. For the decryption, the decryption key should be equivalent to the encryption key.

Page 91: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

5. Which of the following would be MOST appropriate to ensure the confidentiality of transactions via the Internet?

A. Digital signature
B. Data Encryption Standard (DES)
C. Virtual Private Network (VPN)
D. Public Key Encryption

Page 92: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

6. During a review of system access rules, an IS Auditor noted that technical support personnel have unlimited access to all data and program files. Such access authority is:

A. appropriate, but all access should be logged.
B. appropriate because technical support personnel can access all data and program files.
C. inappropriate, since access should be limited to a need-to-know basis, regardless of position.
D. inappropriate because technical support personnel have the capacity to run the system.

Page 93: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

7. Public Key Infrastructure (PKI) integrates all of the following into an enterprise-wide network security architecture EXCEPT:

A. public-key cryptosystem.
B. digital certificates.
C. certificate Authorities (CA).
D. password key management.

Page 94: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

8. An IS Auditor has just completed a review of an organization that has a mainframe and a client/server environment where all production data reside. This review revealed several weaknesses. Which of the following weaknesses would be considered the MOST serious?

A. The Security Officer also serves as the DBA.
B. Password controls are not administered over the client/server environment.
C. There is no business continuity plan for the mainframe systems' non-critical applications.
D. Most LANs do not back up file server fixed disks regularly.

Page 95: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

9. Within an EDI system, which of the following is used to determine authorization sign-on?

A. Private key cryptosystem
B. Digital signatures
C. Spoofing
D. Terminal ID and password

Page 96: ISA Course Module 3 Information Systems Confidentiality, Integrity and Availability (Protection of Information Assets)

Module 3: Questions

10. Which of the following control objectives would NOT be part of a security review conducted by an IS Auditor to ensure that certain security measures have been implemented?

A. The IS department has planned and prepared for accidental damage or loss.
B. The IS department is providing information in a timely and efficient manner.
C. The potential for loss due to fraud or embezzlement is minimized through adequate controls.
D. Adequate physical security over the information processing facility is practiced.

Page 97

11. Which of the following steps would an IS Auditor normally perform FIRST in a Data Centre Security Review?

A. Evaluate Physical Access Test results.
B. Determine the Risks/Threats to the Data Centre site.
C. Review Business Continuity Procedures.
D. Test for evidence of physical access at suspect locations.

Page 98

12. Antivirus software should be used as a:

A. Detective Control
B. Preventive Control
C. Corrective Control
D. Compensating Control

Page 99

13. Which of the following is the MOST effective technique for providing security during Data Transmission?

A. Communication Log
B. Systems Software Log
C. Encryption
D. Standard Protocol

Page 100

14. When logging onto an Online System, which of the following processes would the system perform first?

A. Initiation
B. Verification
C. Authorization
D. Standard Protocol

Page 101

15. Programs that can run independently and travel from machine to machine across network connections, with the ability to destroy data or utilise tremendous computer and communication resources, are referred to as:

A. Trojan Horses
B. Viruses
C. Worms
D. Logic Bombs

Page 102

16. Which of the following security techniques is the BEST method for authenticating a user's identity?

A. Smart Card
B. Biometrics
C. Challenge-response token
D. User ID and password

Page 103

17. Which of the following logical access exposures involves changing data before, after, or as it is being entered into the computer?

A. Data diddling
B. Trojan horse
C. Worm
D. Salami technique

Page 104

18. The information that requires special precaution to ensure integrity is termed:

A. Public data
B. Private data
C. Personal data
D. Sensitive data

Page 105

19. The PRIMARY objective of a logical access controls review is to:

A. Review access controls provided through software.
B. Ensure access is granted per the organisation's authorities.
C. Walk through and assess access provided in the IT environment.
D. Provide assurance that computer hardware is protected adequately against abuse.

Page 106

20. Which is the MOST important objective of data protection?

A. Identifying persons who need access to information
B. Ensuring the integrity of information
C. Denying or authorising access to the IS system
D. Monitoring logical access

Page 107

21. Confidential data residing on a PC is BEST protected by:

A. A password
B. File encryption
C. Removable disks
D. A key operated power source

Page 108

22. Which of the following methods of suppressing a fire in a data centre is the MOST effective and environmentally friendly?

A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

Page 109

23. Which of the following procedures can a biometric system perform?

A. Measure airborne contamination
B. Provide security over physical access
C. Monitor temperature and humidity levels
D. Detect hazardous electromagnetic fields in an area

Page 110

24. Which of the following physical access controls would provide the highest degree of security over unauthorized access?

A. Bolting door lock
B. Cipher lock
C. Electronic door lock
D. Fingerprint scanner

Page 111

25. The first step in data classification is to:

A. Establish ownership
B. Perform a criticality analysis
C. Define access rules
D. Create a data dictionary

Page 112

26. Authentication is the process by which the:

A. System verifies that the user is entitled to input the transaction requested
B. System verifies the identity of the user
C. User identifies himself to the system
D. User indicates to the system that the transaction was processed completely

Page 113

27. Which of the following provides the framework for designing and developing logical access controls?

A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files

Page 114

28. Data edits are an example of:

A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls

Page 115

29. Which of the following is intended to test for the loss or duplication of input?

A. Hash totals
B. Check digits
C. Echo checks
D. Transaction codes

Page 116

30. The reliability of an application system's audit trail may be questionable if:

A. User IDs are recorded in the audit trail
B. The security administrator has read-only rights to the audit files
C. Date/time stamps record when an action occurs
D. Users can amend audit trail records when correcting system errors