Accounting Information Systems

CHAPTER 7

INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

7.1

1. Encryption is the final layer of preventive controls: encrypting data provides a barrier against an intruder who has obtained access to company data. Encryption employing a digital signature and a public key infrastructure (PKI) can also strengthen authentication procedures and helps to ensure and verify the validity of e-business transactions. The digital signature is some identifying information about the signer that is encrypted with the signer’s private key. This identifying information can only be decrypted using the corresponding public key. Since a private key is known only to its owner, only the owner can hold both the public and the private key and be the creator of the digital signature. Thus, digital signatures can be used to authenticate a particular party involved in a transaction as the creator of a document. This provides non-repudiation: the creator of the digital signature cannot deny having signed the document. A digital certificate is an electronic document, digitally signed by a trusted third party, that certifies the identity of the owner of a pair of public and private keys. The PKI is the system used to process and manage the public and private keys used in digital signatures and digital certificates. An organization that handles digital certificates is called a certificate authority.

2. The effectiveness of control procedures depends on how well employees understand and follow the organization’s security policies. If all employees are taught proper security measures and taught to follow safe computing practices, such as never opening unsolicited email attachments, using only approved software, not sharing or revealing passwords, and taking steps to physically protect laptops, company-wide security will increase.

3. Firewalls use hardware and software to block unauthorized access to the company’s system.

4. An intrusion detection system (IDS) creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions. This provides a means to monitor the number of attempted intrusions successfully blocked by the firewall, and can provide early warning signals that the organization is being targeted.

5. A virtual private network (VPN) is a network that controls access to a company’s extranet by using encryption, identification, and authentication tools and techniques. (Definition from the text’s glossary, p.794, 10th ed.)

Additional facts: A virtual private network (VPN) increases system reliability by encrypting data prior to sending it over the Internet. The data is then decrypted once it arrives at its intended destination. Thus, a private network is created using the Internet as the network connection and encryption as the method to make it private and secure the data from public disclosure.

7.2

Having the person responsible for information security report directly to the Chief Information Officer (CIO) raises the visibility and therefore the importance of information security to all levels of management and to the company at large. Security must be recognized as a top management issue; having the information security officer report to a member of the executive committee, such as the CIO, formalizes information security as a top management issue. One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Thus, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations.

7.3 The most effective auditor is a person who has training and experience as an auditor and training and experience as an information systems or computer specialist. However, few people have such an extensive background, and personnel training and development are both expensive and time consuming. So, many organizations may find it necessary to accept some tradeoffs in staffing the Information Systems audit function. Since auditors generally work in teams, one common solution is to include members who have computer training and experience. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience. However, in today’s technological age, all internal and external auditors on an audit engagement team must have a sound understanding of basic information security concepts so that during the course of an audit, they would be able to identify, report, and communicate security risks and exposures to the security specialists on the audit team for further assessment and investigation.

7.4 To provide absolute information security an organization must follow Jeff Richards’ “Laws of Data Security.”

  1. Don’t buy a computer.
  2. If you buy a computer, don’t turn it on.

As this humorous solution indicates, there is no way to make a system absolutely secure. However, as discussed in the text, there are numerous methods to make a system more secure.

7.5 Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security by attempting to break into the organization’s information system. Internal audit and external security consulting teams perform penetration tests in which they try to compromise a company’s system. Some outside consultants claim that they can get into 90 percent or more of the companies they attack. This is not surprising, given that it is impossible to achieve 100% security. Thus, one limitation of penetration testing is that it almost always shows that there are ways to break into the system. The more important analysis, however, is evaluating how difficult it was to break in and the cost-effectiveness of alternative methods for increasing that level of difficulty. Another limitation is that failure to break in may be due to lack of skill by the tester. Finally, penetration testing typically focuses on unauthorized access by outsiders; thus, it does not test for security breaches from internal sources.

7.6 Top management support is always essential for the success of any program an entity undertakes. Thus, top management support and participation in security awareness training is essential to maximize its impact on the employees and managers of the firm. Effective instruction and hands-on active learning techniques will also help to maximize the benefit of the training. Many employees have extensive experience and/or expertise in security; these employees should be involved in the design and execution of the security training. “Real life” examples should be used throughout the training so that employees can view, or at least visualize, the exposures and threats they face as well as the controls in place to address them. Role-playing has been shown to be an effective method to maximize security awareness training, especially with regard to social engineering attack training.

7.7 The total quality movement focuses on continuous improvement and the elimination of errors. Security, like quality, is a moving target which can always be improved. Another similarity is the need for active top management support. The focus on quality only began to achieve momentum when top management supported the up-front investment costs to improve quality and refused to accept the argument that the benefits of further improvements in quality did not justify the costs required to attain them. Similarly, top management needs to actively support the goal of ever-improving levels of security and the investment necessary to achieve that result.

7.8 What are the advantages and disadvantages of biometric security devices, such as fingerprint readers, in comparison with other security measures such as passwords and locked doors?

The advantages of biometric security devices include:

  • Providing security advantages over traditional methods because physical traits are almost impossible to duplicate.
  • Ease of use.
  • Cannot be forgotten like passwords and user IDs.
  • Cannot be left at home, in a rental car, or in a taxi.
  • Cannot be inadvertently lost or stolen.

Nonbiometric access methods such as passwords and keys can be stolen and used by others, lost, or forgotten. It is easier for someone else to get access to tokens, smart cards, or passwords and use them to gain entry to the system. As such, the greatest advantage of biometric devices is that they ARE the person and so cannot be lost, stolen, or forgotten.

Drawbacks to such devices include:

  • Limited flexibility in responding to changes in the physically measured features. Such common problems as laryngitis, eye infections, and cut fingers alter physical features temporarily.
  • Non-revocability. If a password is guessed, a new one can be issued. Likewise, if a token is lost or stolen, a new one can be issued. However, if a biometric template is compromised, it cannot be re-issued (e.g., you cannot assign someone a new fingerprint). Thus, secure storage of the template is crucial.
  • Users may not accept certain types of biometric methods. For example, in some cultures, fingerprints may have negative connotations that preclude their widespread use for authentication.

© 2009 Pearson Education, Inc. Publishing as Prentice Hall

SUGGESTED SOLUTIONS TO THE PROBLEMS

7.1

  1. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit identity theft.

Solution: Encrypt data stored on company laptops.

  2. A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password.

Solution: Employ and enforce strong password requirements, such as a minimum length of 8 characters, multiple character types, random characters, and frequent changes. Also lock out accounts after 3-5 unsuccessful login attempts.

  3. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.

Solution: Integrate physical and logical security. In this case, the system should reject any attempts from any user to remotely log into the system if that same user is already logged in from a physical workstation. The system should also notify appropriate security staff about such an incident.
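As an added illustration (not part of the textbook solution), the integrated physical/logical rule above expressed as detection logic and replayed over a constructed sequence of logon events; the event format, user name, hostname and addresses are assumptions made for this example.

```python
"""Added example: refuse a remote logon for a user who already holds a session at a
physical workstation, and notify security staff. All event data is constructed."""
from dataclasses import dataclass, field


@dataclass
class SessionMonitor:
    """Tracks active sessions per user and applies the integrated security rule."""
    active: dict = field(default_factory=dict)   # user -> {"workstation": host, "remote": ip}
    alerts: list = field(default_factory=list)   # messages for the security staff

    def logon(self, user, origin, source):
        """origin is 'workstation' (badge-controlled office PC) or 'remote' (VPN/internet).
        Returns True if the logon is allowed, False if it is refused."""
        current = self.active.get(user, {})
        if origin == "remote" and "workstation" in current:
            self.alerts.append(
                f"refused remote logon for {user} from {source}; "
                f"already logged on at workstation {current['workstation']}")
            return False
        self.active.setdefault(user, {})[origin] = source
        return True

    def logoff(self, user, origin):
        """Remove the user's session of the given origin, if any."""
        self.active.get(user, {}).pop(origin, None)


def replay(events):
    """Feed (kind, user, origin, source) events through a fresh monitor.
    Returns the list of (user, origin, allowed) logon decisions and the alerts raised."""
    mon = SessionMonitor()
    decisions = []
    for kind, user, origin, source in events:
        if kind == "logon":
            decisions.append((user, origin, mon.logon(user, origin, source)))
        else:
            mon.logoff(user, origin)
    return decisions, mon.alerts


# Constructed scenario mirroring problem 3: the IT manager is at a headquarters
# workstation when the stolen credentials are used from outside; later, after the
# manager has logged off at the office, a remote logon (e.g. from home) is legitimate.
EVENTS = [
    ("logon",  "it_manager", "workstation", "HQ-WS-0412"),
    ("logon",  "it_manager", "remote",      "203.0.113.17"),   # refused, alert raised
    ("logoff", "it_manager", "workstation", "HQ-WS-0412"),
    ("logon",  "it_manager", "remote",      "198.51.100.9"),   # allowed
]

if __name__ == "__main__":
    for alert in replay(EVENTS)[1]:
        print(alert)
```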

  4. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

Solution: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam. Detective and corrective controls include employing anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

  5. The director of R&D quit abruptly after an argument with the CEO. The company cannot access any of the files about several new projects because the R&D director had encrypted them before leaving.

Solution: Employ a policy that files can only be encrypted using company encryption software and where IT security has access to the encryption keys through some form of key escrow. Internal Audit should test encrypted files and encryption keys.

  6. A company wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.

Solution: Teach programmers secure programming practices, including the need to carefully check all user input. It is also important for management to support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs. Useful detective controls include making sure programs are thoroughly tested before being put into use and having internal auditors routinely test in-house developed software.

  7. A company purchased the leading “off-the-shelf” e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

Solution: Insist on secure code as part of the specifications for purchasing any 3rd party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor provided fixes and patches are immediately implemented.

  8. Attackers broke into the company’s information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.

Solution: Enact a policy that forbids any implementation of unauthorized wireless access points. Conduct routine audits for unauthorized or rogue wireless access points.

  9. An employee picked up a USB drive in the parking lot and plugged it into their laptop to “see what was on it,” which resulted in a keystroke logger being installed on that laptop.

Solution: The best preventive control is security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source. In addition, employ anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

  10. A competitor intercepted the company’s bid for a lucrative contract that was emailed to the local government’s web site. The competitor used the information contained in the email to successfully underbid and win the contract.

Solution: Encrypt sensitive files sent via email. Send sensitive files over a secure channel.

  11. When an earthquake destroyed the company’s main data center, the CIO spent half a day trying to figure out who in the organization needed to be contacted in order to implement the company’s cold site agreement.

Solution: Implement and document emergency response procedures. Periodic testing would likely uncover any such problems prior to an actual disaster.

  12. Although logging was enabled, the information security staff did not review the logs early enough to detect and stop an attack that resulted in the theft of information about a new strategic initiative.

Solution: Implement and enforce log review and analysis policies by proper management oversight of the information security staff or contract with a security information management service to perform such analysis.

  13. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company’s system by dialing into that modem.

Solution: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.

  14. An attacker gained access to the company’s internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

Solution: Secure or lock all wiring closets. Require strong authentication of all attempts to log into the system from a wireless client. Employ an intrusion detection system.

7.2

Solution: The article in the Journal of Accountancy is very well written and the instructions are easy to follow. If students follow the instructions they will have no problem completing the problem and will learn a new tool for Excel. It is expected that the instructor will familiarize themselves with the article prior to grading the assignment; however, the following are some screenshots of what the instructor may expect from student submissions.

Screenshots (not reproduced here) cover:

Part b.

Part c, sub-parts a (password to open), b (password to modify), c (apply password to individual sheets), and e (set workbook to be read-only).

Part c, sub-part d: encrypt the data.

Part c, sub-part f-1: protect cells.

Part c, sub-part f-2: protect sheet.

7.3 a. Access control matrix:

System User               Payroll   Inventory        Payroll      Inventory    System
                          Program   Update Program   Master File  Master File  Log Files
Salesperson               0         0                0            1            0
Inventory Control Clerk   0         0                0            3            0
Payroll Clerk             1         0                2            0            0
Human Resources Manager   0         0                3            0            0
Payroll Programmer        3         0                1            0            1
Inventory Programmer      0         3                0            1            1
CISO                      3         3                3            3            3

Codes for type of access:

0 = No Access Permitted.

1 = Read (Display) Only.

2 = Read and Modify.

3 = Read, Modify, Create, and Delete.

b. Inventory control clerk. Should not have create and delete rights to the inventory master file. This clerk should only have read and modify (update) rights to the inventory master file.

Payroll clerk. Should be able to run the payroll program but not display its code, modify it, create it, or delete it.

CISO. Although this person may need read (display) access to many programs and files, the CISO should not have create, delete, and modify privileges for many of the functional files and programs. For example, the CISO should not be able to create new employee records or change pay rates. In addition, the CISO’s actions should be monitored regularly.
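As an added illustration for parts a and b (not part of the textbook solution), the matrix above encoded as data, with an authorization check and a least-privilege review that compares each granted code against a ceiling. The ceilings, the role names as dictionary keys, and the treatment of read access on a program as "displays the code" (the 0-3 scale has no execute-only code) are assumptions made for this example.

```python
"""Added example: the 7.3 access control matrix as data, an access() check, and a
review() that reports where the matrix exceeds a constructed least-privilege policy."""

NONE, READ, MODIFY, FULL = 0, 1, 2, 3          # codes from part a
RESOURCES = ["Payroll Program", "Inventory Update Program", "Payroll Master File",
             "Inventory Master File", "System Log Files"]
MATRIX = {                                     # rows copied from the part a matrix
    "Salesperson":             [0, 0, 0, 1, 0],
    "Inventory Control Clerk": [0, 0, 0, 3, 0],
    "Payroll Clerk":           [1, 0, 2, 0, 0],
    "Human Resources Manager": [0, 0, 3, 0, 0],
    "Payroll Programmer":      [3, 0, 1, 0, 1],
    "Inventory Programmer":    [0, 3, 0, 1, 1],
    "CISO":                    [3, 3, 3, 3, 3],
}
# Minimum code an action requires; higher codes include the lower ones.
NEEDED = {"read": READ, "modify": MODIFY, "create": FULL, "delete": FULL}


def access(user, resource, action):
    """Authorization check: True only if the user's matrix code covers the action."""
    level = MATRIX[user][RESOURCES.index(resource)]
    return level >= NEEDED[action]


# Constructed least-privilege ceilings for the roles questioned in part b.
# A clerk needs to run the payroll program, not display its source; since the scale
# cannot express execute-only, any code above NONE on the program is a finding.
CEILING = {
    "Inventory Control Clerk": {"Inventory Master File": MODIFY},
    "Payroll Clerk": {"Payroll Program": NONE},
    "CISO": {r: READ for r in RESOURCES if r != "System Log Files"},
}


def review():
    """Return (user, resource, granted, ceiling) for every grant above its ceiling."""
    findings = []
    for user, limits in CEILING.items():
        for resource, ceiling in limits.items():
            granted = MATRIX[user][RESOURCES.index(resource)]
            if granted > ceiling:
                findings.append((user, resource, granted, ceiling))
    return findings


if __name__ == "__main__":
    for user, resource, granted, ceiling in review():
        print(f"{user}: {resource} granted {granted}, policy ceiling {ceiling}")
```

The review yields six findings: the clerk's create/delete on the inventory master file, the payroll clerk's display access to program code, and the CISO's full access to the two programs and two master files.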