Information Security
an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats
Primary focus of Information Security (the three goals below)
Confidentiality
information is not accessible to unauthorized individuals or processes
Integrity
information is accurate and complete
Availability
information and systems are accessible on demand
Information Security Risks and Attacks
Virus
A self-replicating program that runs and spreads by modifying other programs/files
Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Trojan horse
A non-self-replicating program that has a useful purpose in appearance, but in fact has a different, malicious purpose.
Spam
Sending unsolicited bulk information
Botnet (Bot)
A collection of compromised computers (the "bots", or software robots) that act automatically in response to commands the bot-herder sends over the Internet.
Information Security and System Integrity
Denial-of-service (DoS)
The prevention of authorized access to resources (such as servers) or the delaying of time-critical operations.
Spyware
Software secretly installed on an information system to gather information about individuals or organizations without their knowledge; a type of malicious code.
Spoofing
Sending a network packet that appears to come from a source other than its actual source.
Social engineering
Manipulating someone to take certain action that may not be in that person’s best interest such as revealing confidential information or granting access to physical assets, networks, or information.
Encryption
a preventive control providing confidentiality and privacy for data in transit and in storage. The main factors of encryption are key length, key management, and the encryption algorithm
Factors of Encryption
Key length
Encryption algorithm
Key management
Symmetric-key Encryption
Fast
Suitable for large data set
Key distribution and key management are problematic
+ the single shared key must be delivered to the other party over a secure channel before any communication can take place
+ every pair of communicating parties needs its own key, so the number of keys to manage grows rapidly and becomes costly
Asymmetric-key Encryption
Slow
Not suitable for large data set
Key distribution and key management are largely solved
+ the public key can be distributed openly while the private key is kept secret
+ anyone can encrypt confidential information with the recipient's public key, and only the holder of the matching private key can decrypt it
Authentication
process that establishes the origin of information or determines the identity of a user, process, or device
Asymmetric-key Encryption Key Factors
Certificate Authority (CA)
A trusted entity that issues and revokes digital certificates.
Digital Certificate
A digital document, issued by a Certificate Authority and signed with the CA's private key, that binds the name of a subscriber to a public key.
Public Key Infrastructure (PKI)
A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs to issue, maintain, and revoke public key certificates.
Message Digest
a short, fixed-length code generated through a process called hashing, where the original document is passed through an algorithm such as SHA-256 (MD5 and SHA-1 are older examples that are no longer collision-resistant and should not be used for new signatures)
Digital Signature
the message digest (MD) of a document (or data file), encrypted (signed) using the document creator's private key; a recipient decrypts it with the creator's public key and compares it with a freshly computed digest of the received document
Creation of digital signature
the document creator must use his/her own private key to encrypt the MD, so the digital signature authenticates the document creator as well as the integrity of the document
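The following is an added example, not part of the original card set, that works through both the symmetric-vs-asymmetric trade-off above and the digest/signature procedure just described. It uses a textbook RSA implementation with small demo-size keys and no padding scheme, plus a toy SHA-256-keystream stream cipher standing in for a real symmetric algorithm; all function names (generate_keypair, sign, verify, hybrid_encrypt, hybrid_decrypt) and the sample invoice text are assumptions made for the demo, and nothing here is production-grade cryptography (real systems use RSA-PSS/OAEP or ECDSA for signatures and AES-GCM for bulk data).

```python
# Added example (not from the original page): toy RSA + SHA-256 showing message
# digests, digital signatures, and hybrid encryption.  Demo only: no padding,
# small keys, hash-based toy stream cipher.  Do not use in production.
import hashlib
import os
import random
from math import gcd


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # witness found: n is composite
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q is about 2*bits long."""
    while True:
        cand = int.from_bytes(os.urandom(bits // 8), "big") | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public_key, private_key) as (n, e) and (n, d).
    A 512-bit modulus keeps the demo fast; real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def message_digest(document: bytes) -> bytes:
    """Fixed-length digest of the document (SHA-256, 32 bytes)."""
    return hashlib.sha256(document).digest()


def sign(document: bytes, private_key) -> bytes:
    """Digital signature = digest 'encrypted' with the signer's private key."""
    n, d = private_key
    md = int.from_bytes(message_digest(document), "big")   # 256 bits, always < n
    return pow(md, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify(document: bytes, signature: bytes, public_key) -> bool:
    """Recover the digest with the public key; compare with a fresh digest."""
    n, e = public_key
    recovered = pow(int.from_bytes(signature, "big"), e, n)
    return recovered == int.from_bytes(message_digest(document), "big")


# Symmetric side: toy stream cipher (keystream = SHA-256 over key|nonce|counter).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Hybrid: the slow asymmetric step wraps only a 32-byte session key; the bulk
# data (any size) goes through the fast symmetric cipher.
def hybrid_encrypt(plaintext: bytes, recipient_public) -> bytes:
    n, e = recipient_public
    session_key = os.urandom(32)                          # fresh key per message
    size = (n.bit_length() + 7) // 8
    wrapped = pow(int.from_bytes(session_key, "big"), e, n).to_bytes(size, "big")
    return wrapped + symmetric_encrypt(session_key, plaintext)


def hybrid_decrypt(blob: bytes, recipient_private) -> bytes:
    n, d = recipient_private
    size = (n.bit_length() + 7) // 8
    session_key = pow(int.from_bytes(blob[:size], "big"), d, n).to_bytes(32, "big")
    return symmetric_decrypt(session_key, blob[size:])


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    doc = b"Invoice #123: pay 1,000 USD to account 42"     # constructed sample document
    sig = sign(doc, alice_priv)
    print("valid signature :", verify(doc, sig, alice_pub))
    print("tampered document:", verify(doc.replace(b"1,000", b"9,000"), sig, alice_pub))
    secret = b"quarterly results " * 1000                  # large payload, symmetric path
    print("hybrid round-trip:", hybrid_decrypt(hybrid_encrypt(secret, alice_pub), alice_priv) == secret)
```

Running the script shows the two properties the cards describe: changing a single figure in the signed invoice makes verification fail because the recomputed digest no longer matches the one recovered with the public key, and the hybrid path performs exactly one RSA operation per message regardless of payload size, which is why real protocols pair the two encryption families rather than choosing one.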
Criteria of Cybersecurity Risk Management Framework
description of the company’s cybersecurity risk management system
evaluation of the company’s cybersecurity controls
Fraud
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force
The Statement of Auditing Standards (SAS) No. 99: Consideration of Fraud in a Financial Statement Audit
states that an entity's management has primary responsibility for establishing and monitoring all aspects of the entity's fraud risk-assessment and prevention activities and has both the responsibility and the means to implement measures to reduce the incidence of fraud
Fraud Triangle
the three conditions generally present when fraud occurs: pressure (incentive), opportunity, and rationalization
Computer fraud risk assessment
a systematic process that assists management and internal auditors in discovering where and how fraud may occur and who may commit the specific fraud.
a component of a firm’s enterprise risk management (ERM) program.
focuses on fraud schemes and scenarios to determine whether the controls exist and how the controls might be circumvented.
Computer Fraud Risk Assessment Steps
Identifying relevant IT fraud risk factors.
Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
Mapping existing controls to potential fraud schemes and identifying gaps.
Testing operating effectiveness of fraud prevention and detection controls.
Assessing the likelihood and business impact of a control failure and/or a fraud incident
Fraud Prevention
Starts with a fraud risk assessment across the entire firm, taking into consideration the firm’s critical business divisions, processes, and accounts, performed by the management
Fraud Detection
Include an evaluation by internal auditors on the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities
GDPR (General Data Protection Regulation)
protects individuals in the European Union (EU) from privacy and data breaches. GDPR aims to give people greater control over their personal data
Vulnerability
Weaknesses or exposures in IT assets or processes that may lead to a business risk, compliance risk, or security risk
Risk Management
a more complex and strategic process, mostly conducted using a top-down, risk-based approach
Vulnerability Management
a tactical and short-term effort, frequently conducted using an IT asset-based approach
Vulnerability management prereqs
Determine the main objectives of vulnerability management, because the firm's resources for managing vulnerabilities are limited (in some cases the objective is simply to comply with applicable laws, regulations, and standards)
Assign roles and responsibility for vulnerability management.
Overall Framework for Vulnerability Assessment and Management
Uninterruptible power supply
a device using battery power to enable a system to operate long enough to back up critical data and shut down properly during a loss of power
Fault tolerance
using redundant units to provide a system the ability to continue functioning when part of the system fails
Cloud computing
Good alternatives to backup data and applications
System and Organization Controls (SOC Reports)
User companies should obtain and review a service provider's SOC reports before signing agreements for specific services.
SOC 1 Report
focuses on the impact of the service provider's controls on the user company's financial statements
SOC 2 & 3 report
Provide evaluations of a broader set of controls relevant to security, availability, processing integrity, confidentiality, or privacy implemented by the service provider
SOC 1 Type 1
reports on (1) the fairness of the presentation of management’s description of the service organization’s system and (2) the suitability of the design of the controls to achieve the related control objectives as of a specified date
SOC 1 Type 2
Provides the same content as a SOC 1 Type 1 report and, in addition, reports on the operating effectiveness of the controls throughout a specified period
SOC 2 (Type 1 & 2) Report
(1) the fairness of the presentation of management's description of the service organization's system and (2) the suitability of the design of the controls to meet the applicable Trust Services criteria (Type 2 also covers the controls' operating effectiveness)
Type 1 - Specified Date
Type 2 - Specified Period
SOC 3 Report
examines service organizations based on the Trust Services criteria and is a report for general use
SOC 2+ Report
SOC for Cybersecurity examination and report
SOC for Supply Chain reporting framework
Whitepapers on the Implications of the Use of Blockchain in SOC for Service Organization
Disaster recovery planning (DRP)
identifies significant events that may threaten a firm's operations and outlines the procedures that ensure the firm resumes operations smoothly if such an event occurs
Business Continuity management
the activities required to keep a firm running during a period of interruption of normal operations.
DRP and BCM are the most critical corrective controls, and DRP is a key component of the BCM.