Accounting Information Systems: Fourteenth Edition
Chapter 8: Controls for Information Security
Copyright © 2017, 2016, 2015 Pearson Education, Inc. All Rights Reserved
Learning Objectives (2 of 2)
• Discuss how organizations can respond in a timely manner to attacks against their information system.
• Explain how virtualization, cloud computing, and the Internet of Things affect information security.
Trust Services Framework (1 of 2)
• Security
– Access to the system and data is controlled and restricted to legitimate users.
• Confidentiality
– Sensitive organizational data is protected.
• Privacy
– Personal information about trading partners, investors, and employees is protected.
• Processing integrity
– Data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability
– System and information are available.
Trust Services Framework (2 of 2)
Security Life Cycle
Security is a management issue
Security Approach
• Time-based model: security is effective if
– P > D + C, where
P is the time it takes an attacker to break through the preventive controls
D is the time it takes to detect that an attack is in progress
C is the time it takes to respond to the attack and take corrective action
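The time-based model above, worked through as an added example (not code from the textbook): preventive layers are summed into P in the spirit of defense-in-depth, and the same P > D + C test is re-run after one layer is bypassed and after detection is improved. All hour values are constructed sample figures.

```python
from dataclasses import dataclass, replace

@dataclass
class TimeBasedModel:
    """P > D + C: preventive delay must exceed detection plus correction time."""
    preventive_hours: dict  # layer name -> hours the layer delays an attacker
    detect_hours: float     # D: time to detect an attack in progress
    correct_hours: float    # C: time to respond and take corrective action

    @property
    def p(self) -> float:
        # Defense-in-depth: the attacker must defeat every layer, so the delays
        # add up (assumption: layers are sequential and independent).
        return sum(self.preventive_hours.values())

    @property
    def margin(self) -> float:
        # Positive margin means P > D + C, i.e. the controls are effective.
        return self.p - (self.detect_hours + self.correct_hours)

    def is_effective(self) -> bool:
        return self.margin > 0

    def without_layer(self, name: str) -> "TimeBasedModel":
        # Model one layer being bypassed (e.g. a password obtained by social engineering).
        layers = {k: v for k, v in self.preventive_hours.items() if k != name}
        return replace(self, preventive_hours=layers)

    def with_detection(self, hours: float) -> "TimeBasedModel":
        # Model faster detection (better log analysis, IDS, monitoring).
        return replace(self, detect_hours=hours)

# Constructed sample values in hours; not figures from the textbook.
BASELINE = TimeBasedModel(
    preventive_hours={"firewall": 8.0, "patched hosts": 16.0, "MFA": 24.0},
    detect_hours=20.0,
    correct_hours=12.0,
)

def scenario_report(model: TimeBasedModel) -> dict:
    return {"P": model.p, "D": model.detect_hours, "C": model.correct_hours,
            "margin": model.margin, "effective": model.is_effective()}

if __name__ == "__main__":
    print("baseline:", scenario_report(BASELINE))
    bypassed = BASELINE.without_layer("MFA")
    print("MFA bypassed:", scenario_report(bypassed))
    print("MFA bypassed, D halved:", scenario_report(bypassed.with_detection(10.0)))
```

Losing the MFA layer turns an effective configuration into an ineffective one; halving D restores it without touching P, which is why detective controls matter as much as preventive ones in this model.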
Understanding Targeted Attacks
• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research
• Execute the attack
• Cover tracks
How to Mitigate Risk of Attack
• Preventive controls
– People
– Process
– IT solutions
– Physical security
• Detective controls
– Log analysis
– Intrusion detection systems
– Continuous monitoring
• Response
– Computer Incident Response Teams (CIRT)
– Chief Information Security Officer (CISO)
Preventive: People
• Culture of security
– Tone set at the top with management
• Training
– Follow safe computing practices
Never open unsolicited e-mail attachments
Use only approved software
Do not share passwords
Physically protect laptops/cellphones
– Protect against social engineering
Preventive Process: User Access Controls
• Authentication—verifies the identity of the person
1. Something person knows
2. Something person has
3. Some biometric characteristic
4. Combination of all three
• Authorization—determines what a person can access
Preventive Process: Change Controls and Change Management
• Formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
• Good change management and control requires
– Documentation
– Approval
– Testing
– A “backout” plan
– Monitoring
Preventive: IT Solutions
• Antimalware controls
• Network access controls
• Device and software hardening controls
• Encryption
Preventive: Physical Security: Access Controls
• Physical security access controls
– Limit entry to building
– Restrict access to network and data
Detecting Attacks
• Log Analysis—examining logs to identify evidence of possible attacks
• Intrusion Detection Systems (IDSs)—systems that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
• Continuous Monitoring—of employee compliance with the organization’s information security policies and of the overall performance of business processes
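Log analysis as described above, as an added example that is not part of the slides: a small detector reads constructed authentication log lines (a syslog-like format assumed here, not one the textbook specifies) and flags a source address with a burst of failed logins in a short window, noting whether a successful login followed the burst, which is the evidence an analyst would escalate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; not taken from any real system or the textbook.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:03 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04 sshd: Failed password for bob from 203.0.113.5
2024-03-01T09:00:06 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:07 sshd: Failed password for carol from 203.0.113.5
2024-03-01T09:00:09 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T09:05:00 sshd: Failed password for dave from 198.51.100.7
2024-03-01T09:30:00 sshd: Accepted password for dave from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(log_text: str) -> list:
    """Return (timestamp, result, user, source) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def find_suspicious_sources(events, threshold: int = 5, window=timedelta(minutes=1)) -> dict:
    """Flag sources with >= threshold failures inside `window`; record a later success."""
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    findings = {}
    for ts, result, user, src in events:
        q = recent[src]
        if result == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                entry = findings.setdefault(src, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif src in findings:                 # a success after a flagged burst is the key signal
            findings[src]["success_after"] = True
    return findings

if __name__ == "__main__":
    for src, info in find_suspicious_sources(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures in window, success after: {info['success_after']}")
```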
Responding to Attacks
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)
Security Implications of Virtualization, Cloud Computing, and the Internet of Things
• Virtualization and Cloud Computing
– Positive impact on security
Implementing strong access controls provides good security over all the systems
– Negative impact on security
Reliability issues
Risk of theft or destruction if there is unsupervised physical access
Key Terms
• Time-based model of security
• Defense-in-depth
• Social engineering
• Authentication
• Biometric identifier
• Multifactor authentication
• Multimodal authentication
• Authorization
• Access control matrix
• Compatibility test
• Penetration test
• Change control and change management
• Border router
• Firewall
• Demilitarized zone (DMZ)
• Routers
• Access control list (ACL)
• Packet filtering
• Deep packet inspection
• Intrusion prevention system
• Endpoints
• Vulnerabilities
• Vulnerability scanners
• Exploit
• Patch
• Patch management
• Hardening
• Log analysis
• Intrusion detection system (IDS)
• Computer incident response team (CIRT)
• Virtualization
• Cloud Computing