it security and control
8/3/2019 IT Security and Control
IT SECURITY AND CONTROL AND
COMPUTER FRAUD:
PREVENTION AND CONTROL
By:
O. K. Ibedu (CGEIT, CISA)
Deputy Director, CBN
WAIFEM
Regional Course On Computer Applications In Accounting
Auditing and Financial Management, Lagos, Nigeria.
(July 13th - 20th, 2009)
IT SECURITY AND CONTROL AND COMPUTER FRAUD:
PREVENTION AND CONTROL
OUTLINE
Components of Security Policy
Logical Access Issues and Exposure
Computer Crime Exposures
Access Control Software
Auditing Logical Access
Network Infrastructure Security
Auditing Environmental Controls
Auditing Physical Access
a) Components of a Security Policy
The framework and intent of security must be clearly established
and communicated to all appropriate parties for security to be
successfully implemented and maintained. The key to the
framework is a written security policy that serves to heighten
security awareness throughout the organization.
Key components of security policy include the following:
i) Management support and commitment: Management must
demonstrate a commitment to security by clearly approving and
supporting formal security awareness and training. This may require
special management-level training since security is not necessarily
a part of management expertise.
ii) Access Philosophy: Access to computerized information should
be based on a documented need-to-know, need-to-do basis.
iii) Compliance with Relevant Legislation and Regulations:- The
Policy should state that compliance is required with all relevant
legislation, such as that requiring the confidentiality of personal
information, or specific regulations relating to particular industries,
e.g. banking and financial institutions.
iv) Access Authorization: The data owner or manager who is
responsible for the accurate use and reporting of the information
should provide written authorization for users to gain access to
computerized information. The manager should give this
documentation directly to the security administrator so mishandling
or alteration of the authorization does not occur.
v) Review of Access Authorisation: Access controls should be
evaluated regularly to ensure they are still effective. Personnel and
departmental changes, malicious efforts and just plain carelessness
can impact the effectiveness of access controls. For this reason, the
security administration, with the assistance of the managers who
provide access authorization, should review access controls. Any
access exceeding the need-to-know, need-to-do philosophy
should be changed accordingly.
vi) Security Awareness:- All employees, including management, need
to be made aware on a regular basis of the importance of security.
A number of different mechanisms are available for raising security
awareness including:
Distribution of a written security policy.
Training on a regular basis of new employees, users and
support staff.
Non-disclosure statements signed by the employee.
Use of different media in promulgating security (e.g. company
newsletter, web page, videos, etc)
Visible enforcement of security rules.
Simulate security incidents for improving security procedures
Reward employees who report suspicious events.
Periodic audits.
vii) Responsibilities of Employees:- The employees have the
following responsibilities for security:
Reading the security policy
Keeping logon-IDs and passwords secret
Reporting suspected violations of security to the security
administrator
Maintaining good physical security by keeping doors locked,
safeguarding access keys, not disclosing access door lock
combinations and questioning unfamiliar people.
Conforming to local laws and regulations.
Adhering to privacy regulations with regard to confidential
information (e.g. health, legal, etc)
Non-employees with access to company systems also should be held
accountable for security policies and responsibilities. This includes
contract employees, vendors, programmers/analysts, maintenance
personnel and clients. Security awareness should not disclose sensitive
information. Security policies provided to employees should not identify
such sensitive security features as password file names, technical
security configuration, methods to bypass electronic security or system
software file.
viii) Role of Security Administrator:- The security administrator,
typically a member of the information systems department, is
responsible for implementing, monitoring and enforcing the security
rules that management has established and authorized. For proper
segregation of duties, the security administrator should not be
responsible for updating application data nor be an end user,
application programmer, computer operator or data entry clerk. In
large organizations, the security administrator is usually a full-time
function; in small organizations, someone may perform this function
with other non-conflicting responsibilities.
ix) Security Committee:- Security policies, procedures and guidelines
affect the entire organization and, as such, should have the
support and suggestions of end users, executive management,
security administration, IS personnel and legal counsel. Therefore,
individuals representing various management levels, should meet
as a committee to discuss and establish security practices. The
committee should be formally established with appropriate terms of
reference and regular meetings with action items, which are
followed up on at each meeting.
b) Logical Access Issues and Exposures: Inadequate logical
access controls increase an organization's potential for losses
resulting from exposures. These exposures can result in minor
inconveniences or total shutdown of computer functions.
Exposures that exist from accidental or intentional exploitation of
logical access control weaknesses include technical exposures
and computer crime.
i) Technical Exposures:- Unauthorised intentional or
unintentional implementation or modification of data and
software may result in any of the following:
Data Diddling:- Involves changing data before or as they
are entered into the computer. This is one of the most
common abuses because it requires limited technical
knowledge and occurs before computer security can
protect data.
Trojan Horses:- Involves hiding malicious, fraudulent code
in an authorized computer program. This hidden code will
be executed whenever the authorized program is
executed. A classic example is the Trojan horse in the
pay-roll calculating program that shaves a barely
noticeable amount off each paycheque and credits it to
the perpetrator's payroll account.
Rounding Down:- Involves drawing off small amounts of
money from a computerized transaction or account and
rerouting it to the perpetrator's account. The term
"rounding down" refers to rounding small fractions of a
denomination down and transferring these small fractions
into the unauthorized account. Since the amounts are so
small, they are rarely noticed.
Salami Techniques:- Involves the slicing of small amounts
of money from a computerized transaction or account and
is similar to the rounding down technique.
The difference between the rounding down technique and the
salami technique is that in rounding down the program rounds off
by a fraction such as a penny, kobo or cent. For example, if a
transaction amount in U.S. dollars were $1,500,500.39, the
rounding down technique may round the transaction to
$1,500,500.35. The salami technique truncates the last few digits
from the transaction amount, so $1,500,500.39 becomes
$1,500,000.30 or $1,500,500.00, depending on the calculation built
into the program.
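A reconciliation check an auditor could run to detect the rounding down and salami techniques described above. This is an added example, not part of the original course material; the ledger rows, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN

# Constructed sample data (not from the original page). Each row is:
# (transaction id, amount recomputed independently by the auditor,
#  amount actually posted, account that received the difference or None).
LEDGER = [
    ("T1", Decimal("1500500.39"), Decimal("1500500.35"), "SUSP-001"),
    ("T2", Decimal("220.17"), Decimal("220.15"), "SUSP-001"),
    ("T3", Decimal("75.00"), Decimal("75.00"), None),
    ("T4", Decimal("1500500.39"), Decimal("1500500.00"), "SUSP-002"),
    ("T5", Decimal("18.49"), Decimal("18.45"), "SUSP-001"),
]


def classify(computed, posted):
    """Label how a posted amount differs from the independently computed one."""
    if posted == computed:
        return "ok"
    if posted > computed:
        return "overposted"
    # Salami-style truncation: the trailing digits are simply cut off.
    for places, unit in ((1, Decimal("0.1")), (0, Decimal("1"))):
        if computed.quantize(unit, rounding=ROUND_DOWN) == posted:
            return f"truncated to {places} decimal place(s)"
    # Any other shortfall is a fractional shave (rounding down).
    return "rounded down"


def control_total_gap(ledger):
    """Control total: sum of computed amounts minus sum of posted amounts."""
    return sum((c - p for _, c, p, _ in ledger), Decimal("0"))


def suspect_accounts(ledger, min_hits, max_slice=Decimal("1")):
    """Accounts credited with at least min_hits differences, each below max_slice."""
    hits = defaultdict(list)
    for _, computed, posted, account in ledger:
        diff = computed - posted
        if account is not None and Decimal("0") < diff < max_slice:
            hits[account].append(diff)
    return {
        account: (len(diffs), sum(diffs, Decimal("0")))
        for account, diffs in hits.items()
        if len(diffs) >= min_hits
    }


if __name__ == "__main__":
    for txn, computed, posted, _ in LEDGER:
        print(txn, computed, posted, classify(computed, posted))
    print("control total gap:", control_total_gap(LEDGER))
    print("suspect accounts:", suspect_accounts(LEDGER, min_hits=3))
```

A non-zero control total gap shows that value is leaving the posted amounts; grouping the small differences by receiving account shows where it accumulates.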
Viruses:- Viruses are malicious program code inserted into
other executable code that can self-replicate and spread from
computer to computer, via sharing of computer diskettes,
transfer of logic over telecommunication lines or direct contact
with an infected machine/code. A virus can harmlessly display
cute messages on computer terminals, dangerously erase or
alter computer files or simply fill computer memory with junk to
a point where the computer can no longer function. An added
danger is that a virus may be dormant for some time until
triggered by a certain event or occurrence, such as a date (26
December Happy boxing day) or being copied a pre-specified
number of times. During this time, the virus has silently been
spreading.
Worms:- Worms are destructive programs that may destroy
data or utilize tremendous computer and communication
resources but do not replicate like viruses. Such programs do
not change other programs, but can run independently and
travel from machine to machine across network connections.
Worms may also have portions of themselves running on many
different machines.
Logic Bombs:- Logic bombs are similar to computer viruses
except that they do not self-replicate. The creation of logic
bombs requires some specialized knowledge, as it involves
programming the destruction or modification of data at a
specific time in the future. However, unlike viruses or worms,
logic bombs are very difficult to detect before they blow-up;
thus, they have the greatest potential for damage. Detonation
can be timed to cause maximum damage long after the
departure of the perpetrator. It may also be used as a tool of
extortion, with a ransom being demanded in exchange for
disclosure of the location of the bomb.
Trap Doors:- Trap doors are exits out of an authorized
program that allow insertion of specific logic, such as program
interrupts, to permit a review of data during processing. These
holes also permit insertion of unauthorized logic.
Asynchronous Attacks:- This occurs in multiprocessing
environments where data move asynchronously (one character
at a time with a start and stop signal) across
telecommunications lines. As a result, numerous data
transmissions must wait for the line to be free (and flowing in
the proper direction) before being transmitted. Data that are
waiting are susceptible to unauthorized accesses called
asynchronous attacks. These attacks, which are usually very
small pin-like insertions into cable, may be committed via
hardware and are extremely hard to detect. There are many
forms of asynchronous attacks and the IS Auditor will require the
assistance of a network manager and/or a system software
analyst to evaluate the very complex and technical exposure.
Data Leakage:- Involves siphoning or leaking information out of
the computer. This can involve dumping files to paper or can be
as simple as stealing computer reports and tapes.
Wire-Tapping:- Involves eavesdropping on information being
transmitted over telecommunications lines.
Piggybacking:- This is the act of following an authorised
person through a secured door or electronically attaching to an
authorized telecommunications link to intercept and possibly
alter transmissions.
Shut-Down of the Computer:- This can be initiated through
terminals or microcomputers connected directly (on-line) or
indirectly (dial-up-lines) to the computer. Only individuals
knowing a high-level systems logon-ID can usually initiate the
shutdown process. This security measure is effective only if
proper security access controls are in place for the high-level
logon-ID and the telecommunications connections into the
computer. Some systems have proven to be vulnerable to
shutting themselves down under certain conditions of overload.
Denial of Service:- This is an attack that disrupts or completely
denies service to legitimate users, networks, systems or other
resources. The intent of any such attack is usually malicious in
nature and often takes little skill because the requisite tools are
readily available.
c) Computer Crime Exposures:- Computer systems can be used to
steal money, goods, software or corporate information. Crimes
also can be committed when the computer application process or
data are manipulated to accept false or unauthorised transactions.
There also is the simple, non-technical method of stealing
computer equipment.
Computer crime can be performed with absolutely nothing
physically being taken or stolen. Simply viewing computerized data
can provide an offender with enough intelligence to steal ideas or
confidential information (intellectual property). Committing crimes
that exploit the computer and the information it contains can be
damaging to the reputation, morale and very existence of an
organization. Loss of customers, embarrassment to management
and legal actions against the organization can result.
Threats to business include the following:
Financial Loss:- Can be direct, through loss of electronic funds
or indirect, through the costs of correcting the exposure.
Legal Repercussions: There are numerous privacy and human
rights laws an organization should consider when developing
security policies and procedures. These laws can protect the
organization but can also protect the perpetrator from prosecution.
In addition, not having proper security measures could expose the
organization to lawsuits from investors and insurers if a significant
loss occurs from a security violation. Banks must comply with
industry-specific regulatory agencies. The IS Auditor should obtain
legal assistance when reviewing the legal issues associated with
computer security.
Loss of Credibility or Competitive Edge: Banks, savings and
loans and investment firms, need credibility and public trust to
maintain a competitive edge. A security violation can severely
damage this credibility, resulting in a loss of business and prestige.
Blackmail/Industrial Espionage: By gaining access to
confidential information or the means to adversely impact
computer operations, a perpetrator can extort payments or
services from an organization by threatening to exploit the security
breach.
Disclosure of Confidential, Sensitive or Embarrassing
Information: Events of this nature can damage an organization's
credibility and its means of conducting business. Legal or
regulatory actions against the bank may also be the result of
disclosure.
Sabotage: Some perpetrators are not looking for financial gain.
They merely want to cause damage due to dislike of the
organization or for self-gratification.
Logical access violators are often the same people who exploit physical
exposures, although the skills needed to exploit logical exposures are
more technical and complex.
Hackers: Hackers are typically attempting to test the limits of
access restrictions to prove their ability to overcome the obstacles.
They usually do not access a computer with the intent of
destruction; however, this is quite often the result.
Employees: May be authorized or unauthorized, but can exploit
logical exposures.
IS Personnel: These individuals have the easiest access to
computerized information since they are the custodians of this
information. In addition to logical access controls, good
segregation of duties and supervision help reduce logical
violations by these individuals.
End Users
Former Employees: Former employees who have left on
unfavourable terms could exploit logical exposures.
Interested or Educated Outsiders
- Competitors
- Foreigners
- Organized criminals
- Crackers (Paid hackers working for a third party)
- Phreakers (hackers attempting access into the
telephone/communication system)
Part-time and Temporary Personnel: Office cleaners often have
a great deal of physical access and may well be competent in
computing.
Vendor and Consultants
Accidental Ignorant: Someone could perpetrate a violation
unknowingly.
d) Access Control Software
Access control software is designed to prevent unauthorized
access to data, use of system functions and programs, and
unauthorised updates/changes to data, and to detect or prevent an
unauthorized attempt to access computer resources. Access control
software interfaces with the operating system and acts as a central
control for all security decisions. The access control software
functions under the operating system software and provides the
capability of restricting access to data processing resources either
on-line or in batch processing.
To be effective, access control software should be used at the
system software level in protecting all computer resources,
applications, and data. At this level, access control is either an
inherent feature of the operating system or is an add-on product
that interfaces with the operating system. For example, Microsoft
Windows NT operating systems include access control software as
an inherent feature of the operating system. Also, Novell NetWare
operating systems include access control software as an inherent
feature.
Access control software generally performs the following tasks:
Verification of the user
Authorisation of access to defined resources
Restriction of users to specific terminals
Reports on unauthorised attempts to access computer
resources, data or programs.
Access control software may provide the following functions:
Verify user authorization to sign-on at the network and sub-system
levels.
Verify user authorization at the application and transaction level.
Verify user authorization within the application
Verify user authorization at the field level for changes within a
database.
Verify sub system authorization for the user at the file level.
Authorization is the most important component of access control
software. Some authorization functions are as follows:
Logon-IDs and user authentication
Limitation of specific terminals for specific logon-IDs.
Limiting access based on predetermined times.
Limiting specific tasks to be initiated from a predefined authorized
library.
Establishment of rules of access.
Creation of individual accountability and auditability.
Installation defined options.
User profiles.
Data file and database profiles
Logging events
Logging user activities
Logging database/data communications access activities for
monitoring access violations.
Reporting capabilities.
Access control software generally processes access requests in the following way:
- Identification: Users must identify themselves to the access
control software, such as by name and account number.
- Authentication: Users must prove that they are who they claim to
be. Authentication is a two-way process where the software must
first verify the validity of the user and then proceed to verify prior
knowledge information. For example, users may provide the
following information:
Remembered information such as name, account number and
password.
Possessed objects such as badge, plastic cards and key.
Personal characteristics such as fingerprint, voice and
signature.
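The sketch below shows how the authorization functions listed in this section (logon-ID and authentication, terminal restriction, predetermined times, rules of access, logging and reporting of violations) combine into one access decision. It is an added example, not code from the original material or from any access control product; the profile, terminal names and rule names are hypothetical.

```python
import hashlib
import hmac
from collections import Counter
from datetime import time


def hash_password(password, salt):
    """Salted, iterated hash so the profile never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user profile (hypothetical logon-ID, terminals and rules).
PROFILES = {
    "teller01": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "terminals": {"TERM-A1", "TERM-A2"},   # specific terminals only
        "hours": (time(8, 0), time(17, 0)),    # predetermined times
        "rules": {"ledger": {"read"}, "customer_file": {"read", "update"}},
    },
}


def decide(logon_id, password, terminal, at, resource, action, log):
    """Return (granted, reason); every refusal is appended to the audit log."""
    profile = PROFILES.get(logon_id)
    if profile is None:
        reason = "unknown logon-ID"                      # identification
    elif not hmac.compare_digest(
        hash_password(password, profile["salt"]), profile["pw_hash"]
    ):
        reason = "authentication failed"                 # authentication
    elif terminal not in profile["terminals"]:
        reason = "terminal not authorised for logon-ID"
    elif not profile["hours"][0] <= at <= profile["hours"][1]:
        reason = "outside permitted hours"
    elif action not in profile["rules"].get(resource, set()):
        reason = "no rule of access for resource/action"
    else:
        return True, "granted"
    # The reason is for the audit trail; the user should only see a generic refusal.
    log.append({"logon_id": logon_id, "terminal": terminal, "at": at,
                "resource": resource, "action": action, "reason": reason})
    return False, reason


def violation_report(log, threshold):
    """Logon-IDs with at least `threshold` refused attempts, for follow-up."""
    counts = Counter(entry["logon_id"] for entry in log)
    return {logon_id: n for logon_id, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    audit_log = []
    attempts = [
        ("teller01", "correct horse", "TERM-A1", time(9, 30), "customer_file", "update"),
        ("teller01", "correct horse", "TERM-Z9", time(9, 30), "customer_file", "update"),
        ("teller01", "correct horse", "TERM-A1", time(22, 0), "customer_file", "read"),
        ("teller01", "correct horse", "TERM-A1", time(9, 30), "ledger", "update"),
    ]
    for attempt in attempts:
        print(attempt[2], attempt[3], decide(*attempt, audit_log))
    print(violation_report(audit_log, threshold=3))
```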
e) Auditing Logical Access:
When evaluating logical access controls the IS Auditor should:
i) Obtain a general understanding of the security risks facing
information processing through a review of relevant
documentation, inquiry, observation, risk assessment and
evaluation techniques.
ii) Document and evaluate controls over potential access paths
into the system to assess their adequacy, efficiency and
effectiveness by reviewing appropriate hardware and software
security features and identifying any deficiencies or
redundancies.
Note that paths of Logical Access include:
Operator console
On-line Terminals
Batch job processing
Dial-up ports
Telecommunication Network
iii) Test controls over access paths to determine that they are
functioning and effective by applying appropriate audit
techniques.
iv) Evaluate the access control environment to determine if the
control objectives are achieved by analyzing test results and
other audit evidence.
v) Evaluate the security environment to assess its adequacy by
reviewing written policies, observing practices and procedures
and comparing them with appropriate security standards or
practices and procedures used by other organizations.
f) Network Infrastructure Security: Communication networks (wide
area or local area networks) generally include devices
connected to the network, and programs and files supporting
the network operations. Control is accomplished through a
network control terminal and specialized communications
software.
The following are controls over the communication network:
- Network control functions should be performed by technically
qualified operators.
- Network control functions should be separated and duties rotated
on a regular basis where possible.
- Network control software must restrict operator access from
performing certain functions (such as the ability to amend/delete
operator activity logs).
- Network control software should maintain an audit trail of all
operator activities.
- Audit trails should be reviewed periodically by operations
management to detect any unauthorized network operations
activities.
- Network operations standards and protocols should be
documented and made available to the operators and should be
reviewed periodically to ensure compliance.
- Network access by the system engineers should be closely
monitored and reviewed to detect unauthorized access to the network.
- Analysis should be performed to ensure workload balance, fast
response time and system efficiency.
- A terminal identification file should be maintained by the
communications software to check the authentication of a terminal
when it tries to send or receive messages.
- Data encryption should be used when appropriate to protect
messages from disclosure during transmission.
Some common network management/control software packages are:
* 3 com * Netpass
* AT & T STARLAN * EREP
* Novell Netware * Windows NT
* NCP/VTAM * UNIX
* Net View * Unicenter TNG
LAN RISKS AND ISSUES
Local Area Networks (LANs) facilitate the storage and retrieval of
programs and data used by a group of people. LAN software and
practices also need to provide for the security of these programmes and
data. Unfortunately, most LAN software provides a low level of security as
emphasis has been on providing capability and functionality rather than
security.
Software vendors and network users have recognized the need to
provide diagnostic capabilities to identify the cause of problems when
the network goes down or functions in an unusual manner. The use of
logon-IDs and passwords with associated administration facilities is now
standard. LANs can represent a form of decentralized computing.
Decentralised local processing provides the potential for a more
responsive computing environment; however, organizations do not
always give the opportunity to efficiently develop staff to address the
technical, operational and control issues that the complex LAN
technology represents. As a result, local LAN administrators frequently
lack the experience, expertise and time to effectively manage the
computing environment. The various alternatives of media, protocol,
hardware, transmission techniques, topology and network software
ensure that each LAN is unique. This mix of vendors and unique
environments makes it difficult to implement standard management,
operating and auditing practices. As a result, the costs of resolving
problems, when they occur, can be substantial.
Normal LAN users recognize only one attribute of the LAN: it works. In a
well-structured LAN the unsophisticated user is not able to judge whether
the technology is appropriate, the software installed and documented
properly or that necessary control and security measures are taken.
Audit trails are considered only after a problem occurs.
Client/Server Security
Client/server technology enables business units to develop and deliver
products and services to market much more quickly than traditional
legacy methods. Client/server systems utilize distributed techniques,
creating increased risk of access to data and processing. To effectively
secure the client/server environment, all access points should be
identified. In mainframe-based applications, centralized processing
techniques require the user to go through one pre-defined route to
access all resources. In a client/server environment, several access
routes exist, as application data may exist on the server or on the client.
Each of these routes must therefore be examined individually and in
relation to each other to determine that no exposures are left
unchecked.
In order to increase the security in a client/server environment, an IS
Auditor may want to see that the following control techniques are in
place:
Securing access to the data or application on the client/server may
be performed by disabling the disk drive, much like a keyless
workstation that has access to a mainframe. Diskless workstations
prevent access control software from being by-passed and
rendering the workstation vulnerable to unauthorized access. By
securing the automatic boot or start-up batch files, unauthorized
users may be prevented from overriding login scripts and access.
Network monitoring devices may be used to inspect activity from
known or unknown users. These devices may identify client
addresses, allowing proactive session termination as well as finding
evidence of unauthorized access for alternative investigation.
However, the method of securing the client/server environment may
only be as good as the administrator who monitors it. Since this is a
detective control, if the network administrator does not monitor or
maintain these devices, the tool becomes useless against
unauthorized intruders.
Data encryption techniques (symmetric or asymmetric encryption)
can help protect sensitive or proprietary data from unauthorized
access.
Authentication systems may provide environment-wide, logical
facilities that can differentiate among users. Another method,
system smart cards, uses intelligent hand-held devices and
encryption techniques to decipher random codes provided by
client/server systems. A smart card displays a temporary password
that is provided by an algorithm on the system and must be
re-entered by the user during the login session for access into the
client/server system.
The use of application level access control programs and the
organization of end-users into functional groups is a management
control that restricts access by limiting users to only those functions
needed to perform their duties.
Encryption
Encryption is the process of converting a plain text message into a
secure coded form of text called Cipher text that cannot be understood
without converting back via decryption (the reverse process) to plain text
again. This is done via a mathematical function and a special
encryption/decryption password called the key. In many countries
encryption is subject to governmental law and regulations.
Encryption is generally used to:
Protect data in transit over networks from unauthorized interception
and manipulation.
Protect information stored on computers from unauthorized viewing
and manipulation.
Deter and detect accidental or intentional alterations of data.
Verify authenticity of a transaction or document.
Key Elements of Encryption Systems
Encryption Algorithm: A mathematically based function or
calculation which encrypts/decrypts data.
Encryption keys: A piece of information that is used within an
encryption algorithm (calculation) to make the encryption or
decryption process unique. Similar to passwords, a user needs to
use the correct key to access or decipher a message. The wrong
key will decipher the message into an unreadable form.
Key Length: A predetermined length for the key. The longer the
key, the more difficult it is to compromise in a brute-force attack
where all possible key combinations are tried.
Most encrypted transactions over the internet use a combination of
private keys, public keys, secret keys, hash functions (fixed values
derived mathematically from a text message) and digital
certificates to achieve confidentiality, message integrity and
non-repudiation by either sender or recipient (also known as a
public-key infrastructure). This hybrid public/private key encryption
process allows data to be stored and transported with reduced
exposure so that a company's corporate data are secure as they
move across the Internet or other networks.
There are two common encryption or cryptographic systems:
Symmetric Cryptosystem
Symmetric encryption algorithms use a secret key to encrypt the
plain text to the cipher text. They also use the same key to decrypt
the cipher text to the corresponding plain text. In this case, the key
is symmetric because the encryption key is the same as the
decryption key. The most common private key cryptography
system is the Data Encryption Standard (DES).
Asymmetric Cryptosystem
Asymmetric encryption systems use two keys which work together
as a pair. One key is used to encrypt data, the other is used to
decrypt data. Either key can be used to encrypt or decrypt, but once
one key has been used to encrypt data, only its partner can be
used to decrypt the data (even the key that was used to encrypt
the data cannot be used to decrypt it). Generally, with asymmetric
encryption, one key is known only to one person (the secret or
private key) and the other key is known by many people (the public
key).
Asymmetric encryption algorithms are generally less efficient (take
more computer resources) to compute than private key systems.
A common form of asymmetric encryption is RSA (named after its
inventors Rivest, Shamir and Adleman).
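The key-pair behaviour described above, and the key length point made earlier, can be seen with textbook RSA on deliberately tiny numbers. This is an added example, not part of the original material; the primes 61 and 53, the exponent 17 and the message 65 are constructed toy values, and real systems use padded RSA with keys of 2048 bits or more from a vetted library.

```python
from math import gcd, isqrt


def make_keypair(p, q, e):
    """Build a textbook RSA key pair from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)


def apply_key(key, value):
    """Raise value to the key's exponent mod n: encrypt, decrypt, sign or verify."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def private_key_from_short_modulus(public):
    """Key length caveat: a modulus this short is factored by trial division."""
    e, n = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)


if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)   # constructed toy parameters
    message = 65
    cipher = apply_key(public, message)
    print("cipher text:", cipher)
    # Only the partner key reverses the operation.
    print("partner key decrypts:", apply_key(private, cipher) == message)
    print("encrypting key decrypts:", apply_key(public, cipher) == message)
    # Other direction: private key signs, anyone with the public key verifies.
    signature = apply_key(private, message)
    print("public key verifies:", apply_key(public, signature) == message)
    # A 12-bit modulus gives no protection: the private key falls out at once.
    print("toy key recovered:", private_key_from_short_modulus(public) == private)
```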
g) Auditing Environmental Controls: Environmental exposures are
primarily due to naturally occurring events; however, with proper
controls exposures to these elements can be reduced. Common
exposures and their controls are as follows:
Water and smoke Detectors: Verify the presence of water and
smoke detectors in the computer room. Determine if the
power supply to these detectors is sufficient, especially in
instances of battery-operated devices. Also, visually verify that
the locations of the devices are clearly marked and visible.
Hand-Held Fire Extinguisher: Verify that hand-held fire
extinguishers are in strategic locations throughout the facility,
are highly visible and all have been inspected within the last
year.
Fire suppression systems: Fire suppression systems are
expensive to test and therefore limit the IS Auditor's ability to
determine operability. IS Auditors may need to limit their tests
to reviewing documentation to ensure the system has been
inspected and tested within the last year. The exact testing
interval should comply with industry and insurance standards
and guidelines.
Regular Inspection by Fire Department: Confirm if a local fire
department inspector or insurance evaluator has been invited
to tour and inspect the facilities recently. If so, obtain a copy of
the report and determine how deficiencies noted are being
addressed.
Fireproof walls, floors and ceilings surrounding the computer
Room: Locate the documentation that identifies the fire rating
of the walls surrounding the information processing facility
with the assistance of building management. The walls should
have at least a two-hour fire resistance rating.
Electrical Surge Protectors: Observe the presence of electrical
surge protectors for sensitive and expensive computer
equipment.
Power Leads from Two Substations: Locate documentation
concerning the use and placement of redundant power lines
into the information processing facility with the assistance of
building management.
Fully Documented and Tested Business Continuity Plan:
Ensure that the Business continuity plan is tested at least
once in a year and review the report of the test.
Wiring placed in Electrical panels and Conduit: Verify that
wiring in the information processing facility is placed in
fire-resistant panels and conduit.
UPS/Generator: Determine when last tested and review test
reports.
Documented and Tested Emergency Evacuation Plans:
Obtain a copy of the emergency evacuation plan. Determine if
it prescribes how to leave the information processing facilities
in an organized manner that does not leave the facilities
physically unsecured. Interview a sample of IS employees and
determine if they are familiar with the documented plan. Verify
whether the emergency evacuation plans are posted
throughout the facilities.
Humidity/Temperature Control: Determine if temperature and
humidity are adequate.
The testing procedures noted above should also be applied to any off-
site storage and processing facilities.
h) Auditing Physical Access: Touring the information processing
facility (IPF) is useful to gain an overall understanding and
perception of the installation being reviewed. This tour provides the
opportunity to begin reviewing physical access restrictions (control
over employees, visitors, intruders and vendors).
The tour should include the information processing facility
(computer room, programmers' area, tape library, printer status
and management offices) and any off-site storage facilities.
Physical safeguards can be achieved by observing the
safeguards noted previously. Documents to assist with this
effort include emergency evacuation procedures, inspection
tags (recent inspection?), fire suppression system test results
(successful? Recently tested?) and key lock logs (all keys
accounted for and not outstanding to former employees or
consultants?)
Testing should extend beyond IPF to include the following related
facilities:
Location of all operator consoles
Printer rooms
Computer storage rooms (this includes equipment, paper and
supply rooms)
UPS/Generator
Location of all communications equipment identified on the
network diagram.
Tape Library
Off-site back-up storage facility.
The IS Auditor should look above the ceiling panels and below the
raised floor in the computer operations centre observing smoke and
water detectors, general cleanliness and walls that extend all the way to
the real ceiling (not just the suspended ceiling).
The following paths of physical entry should be evaluated for proper
security:
All entry doors
Glass windows and walls
Movable walls and modular cubicles
Above suspended ceiling and beneath raised floors.
Verification systems
Over a curtain, fake wall.
Examples of some of the more common access controls are:
Bolting Door locks
Combination Door locks (cipher lock)
Electronic Door locks
Biometric Door locks
Manual Logging
Electronic logging
Identification Badges (Photo IDs)
Video cameras
Security Guards
Controlled Visitor Access
Bonded Personnel
Dead man Doors
Not advertising the location of sensitive facilities.
Computer Terminal locks
Controlled single entry point
Alarm system
Secured Report/Document Distribution cart.