Week 9 Accounting Information Systems Romney and Steinbart Linda Batch March 2012

Page 1: Week 9 Accounting Information Systems Romney and Steinbart Linda Batch March 2012

Week 9 Accounting Information Systems

Romney and Steinbart
Linda Batch
March 2012

Page 2

Learning Objectives

• Chapter 8 is Controls for System Reliability
– Chapter 8 COBIT’s four domains – recall that COBIT is the control framework to ensure systems reliability
– Preventive, Detective, Corrective Controls
• We are going to do lots of examples and work from several textbook problems
• Hand back and review the Midterm Exam if we have not done so already
• Assignment 3 status, questions?
• Microsoft Access
– Forms
– Advanced Queries

Page 3

Chapter 8 – Controls for System Reliability

• Security is a Management Issue not an IT Issue
– SOX requires the CEO and CFO to certify the financial statements fairly present the corporate results
– The accuracy of an organization’s financial statements depends on the reliability of the information systems
– Information security is the foundation for systems reliability
– Therefore security is a management responsibility

Page 4

Chapter 8 – COBIT Framework

• Information provided to management must satisfy seven key criteria:
– Effectiveness – information must be relevant and timely
– Efficiency – information must be produced cost effectively
– Confidentiality – sensitive information must be protected
– Integrity – information must be accurate, complete, and valid
– Availability – information must be available when needed
– Compliance – controls must ensure compliance with internal policies and with external legal and regulatory requirements
– Reliability – management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities

Tip: Know Three

Page 5

Chapter 8 – Controls for System Reliability

• The COBIT Framework shows achieving the organization’s business and governance objectives requires adequate control over IT resources
• Just to recap and to emphasize the difference:
– COSO-IC and COSO-ERM address general internal control
– COBIT addresses information technology internal control

Page 6

Chapter 8 – COBIT Figure 8-1, pg 220

• COBIT addresses control from three vantage points
– Business Objectives
• To satisfy business objectives, information must conform to the seven key criteria
– Information Criteria
• Define for IT the information required by the business
– IT Processes
• Broken into four domains (management processes)

Page 7

Chapter 8 – Holcim Example – Think about this as we go through this material

• Two companies – Holcim US and Holcim Canada
• From an international perspective they report through to the North American Regional Manager at the head office.
• Implement shared service model for manufacturing services, financial shared services, commercial services. The starting point is the following:
– Two separate SAP systems with different general ledgers
– Different manufacturing processes to produce the same material
– Different sales processes to sell to similar customers
– Different organizational structure to manage finance and manufacturing
– Different financial close process and timing
– Identical reporting requirements and timelines (reporting standards are already in place)

Page 8

Chapter 8 – Holcim Example – Think about this as we go through this material

• Implement shared service model for manufacturing services, financial services, commercial services. IT was already a shared service for North America
1. How does this affect the IT strategic plan?
2. What would be the time horizon over which the alignment would occur?
3. Reporting requirements are currently standardized. What would be aligned first, the organizational structure, the business processes, or the systems?

Work in four groups and prepare your answer (4 power points). Make your argument!

Page 9

Chapter 8 – COBIT Framework

• COBIT processes, to properly manage and control IT resources, are grouped into four basic management activities or domains
– Plan and Organize (PO) – properly designing and managing information systems
– Acquire and Implement (AI) – obtaining and installing technology solutions
– Deliver and Support (DS) – effectively and efficiently operating the systems and providing the information management requires
– Monitor and Evaluate (ME) – essential processes for assessing the operation of an IT system

Page 10

Chapter 8 – COBIT – Plan And Organize

• PO1 – define a strategic IT plan
• PO2 – define the information architecture
• PO3 – determine the technology direction
• PO4 – define the IT processes, organization, and relationships
• PO5 – manage the IT investment
• PO6 – communicate management aims and direction
• PO7 – manage IT human resources
• PO8 – manage quality
• PO9 – assess and manage IT risks
• PO10 – manage projects

Plan & Organize

Tip: Know Three

Holcim Example

Page 11

Chapter 8 – COBIT – Acquire and Implement (AI)

• AI1 – identify automated solutions
• AI2 – acquire and maintain application software
• AI3 – acquire and maintain technology infrastructure
• AI4 – enable operations and use
• AI5 – procure IT resources
• AI6 – manage changes
• AI7 – install and accredit solutions and changes

Acquire & Implement

Tip: Know Three

Page 12

Chapter 8 – COBIT – Deliver and Support (DS)

• DS1 – define and manage service levels
• DS2 – manage third party services
• DS3 – manage performance and capacity
• DS4 – ensure continuous service
• DS5 – ensure systems security
• DS6 – identify and allocate costs
• DS7 – educate and train users
• DS8 – manage service desk and incidents
• DS9 – manage the configuration
• DS10 – manage problems
• DS11 – manage data
• DS12 – manage the physical environment
• DS13 – manage operations

Deliver & Support

Tip: Know Three

Page 13

Chapter 8 – COBIT – Monitor and Evaluate (ME)

• ME1 – monitor and evaluate IT performance
• ME2 – monitor and evaluate internal control
• ME3 – ensure compliance with external requirements
• ME4 – provide IT governance

Monitor & Evaluate

Tip: Know Three

Page 14

Chapter 8 – Steps in an IT Attack

Page 15

Chapter 8 – Information Security

To mitigate risks of an attack use
• Preventive Controls
• Detective Controls
• Corrective Controls

Preventive Controls
• Training
• User access controls such as authentication and authorization
• Physical access controls
• Network access controls
• Patch management

Detective Controls
• Log analysis
• Intrusion detection software
• Security testing and audits
• Management reports

Corrective Controls
• Computer incident response team (CIRT)
• Chief Information Security Officer (CISO)
• Patch management

Page 16

Chapter 8 – Checkpoint

What is the difference between authentication and authorization?
• Authentication: process for verifying the identity of a person accessing the system
– Something they know
– Something they have
– A physical characteristic
– Used together – multifactor authentication
• Authorization: is the process used to restrict the access of authenticated users to specific parts of the system
– Often implemented using an access control matrix
– This can get very complicated.
– It can be simplified by using standard position groups for each job in your organization
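An added example (not from the slides or the textbook) of the authorization idea on this slide: an access control matrix kept per position group rather than per user, with a default-deny check. Group names, resources and users are constructed.

```python
# Access control matrix keyed by position group (constructed example):
# group -> {resource: set of permitted operations}
ACCESS_MATRIX = {
    "payroll_clerk":      {"payroll": {"read", "update"}, "gl": {"read"}},
    "payroll_supervisor": {"payroll": {"read", "update", "approve"}, "gl": {"read"}},
    "sales_rep":          {"orders": {"read", "create"}, "customers": {"read"}},
    "internal_auditor":   {"payroll": {"read"}, "gl": {"read"}, "orders": {"read"}},
}

# Constructed user directory: each authenticated user is assigned one position group,
# so adding a new payroll clerk is one directory entry, not a new row in the matrix.
USER_GROUPS = {
    "alice": "payroll_supervisor",
    "bob":   "sales_rep",
    "carol": "internal_auditor",
}


def is_authorized(user: str, resource: str, operation: str) -> bool:
    """Authorization check; assumes `user` has already been authenticated.

    Default deny: an unknown user, an unknown resource or an operation not
    listed for the user's group all return False.
    """
    group = USER_GROUPS.get(user)
    if group is None:
        return False
    permitted = ACCESS_MATRIX.get(group, {}).get(resource, set())
    return operation in permitted


def authorized_operations(user: str) -> dict:
    """Expand a user's effective rights from their group, e.g. for an access review."""
    group = USER_GROUPS.get(user)
    if group is None:
        return {}
    return {res: sorted(ops) for res, ops in ACCESS_MATRIX[group].items()}
```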

Page 17

Chapter 8 – Checkpoint – Problem 8.3

Reliability is often included in service level agreements (SLAs) between the business and the IT group. How much reliability is enough?
• What is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?

The differences in promised reliability levels over the course of a year in terms of days when the system may not work are:
• 95% reliability = 18.25 days
• 99% reliability = 3.65 days
• 99.99% reliability = .0365 days or approximately 52.56 minutes
• 99.9999% reliability = .000365 days or less than one minute
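An added example (not part of the slides) that carries the Problem 8.3 calculation through in code and then checks a constructed list of outages against the SLA, which is how the number is actually used in practice. It assumes the 365-day year the slide uses.

```python
# Downtime budget implied by an SLA reliability percentage (365-day year, as on the slide).

def permitted_downtime(reliability_pct: float) -> dict:
    """Yearly downtime allowed by a reliability promise such as 99.99 (percent)."""
    unavailable = (100.0 - reliability_pct) / 100.0
    days = 365 * unavailable
    return {
        "days": round(days, 6),
        "hours": round(days * 24, 4),
        "minutes": round(days * 24 * 60, 2),
    }


def sla_met(reliability_pct: float, outage_minutes: list) -> tuple:
    """Compare a year's recorded outages (minutes each) with the budget.

    Returns (met, minutes_remaining); a negative remainder is the overrun.
    """
    budget = permitted_downtime(reliability_pct)["minutes"]
    used = sum(outage_minutes)
    return used <= budget, round(budget - used, 2)


# Constructed outage record for one year: two incidents of 20 and 25 minutes.
OUTAGES = [20, 25]
```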

Page 18

Chapter 8 – Problem 8.4

What preventive, detective or corrective controls will best mitigate the following situations?

1. An employee's laptop was stolen at the airport. Sensitive employee data was stored on the hard drive.
• Preventive:
– Policies against storing sensitive information on laptops
– Requiring that if any such information must exist on the laptop that it be encrypted.
– Training on how to protect laptops while travelling to minimize the risk of theft.
• Corrective:
– Installation of “phone home” software might help the organization either recover the laptop or remotely erase the information it contains.

Page 19

Chapter 8 – Problem 8.4

2. A sales person successfully logged into the payroll system by guessing the payroll supervisor's password.
• Preventive:
– Strong password requirements such as at least an 8 character length, use of multiple character types, random characters, and require that passwords be changed frequently.
• Detective:
– Locking out accounts after 3-5 unsuccessful login attempts; since this was a “guessing” attack, it may have taken more than a few attempts to login.

Page 20

Chapter 8 – Problem 8.4

3. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
• Preventive:
– Integrate physical and logical security. In this case, the system should reject any user attempts to remotely log into the system if that same user is already logged in from a physical workstation.
• Detective:
– Having the system notify appropriate security staff about such an incident.
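An added example (not from the slides) implementing the controls from parts 2 and 3 of Problem 8.4 together: lockout after a small number of failed attempts, rejection of a remote login while the same user already has a session at a physical workstation, and a notification queue for security staff. The user, password and threshold are constructed; a real system would store salted password hashes rather than the plaintext used here.

```python
import hmac
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3   # slide suggests locking after 3-5 unsuccessful attempts

# Constructed credential store (plaintext only to keep the example short).
CREDENTIALS = {"psupervisor": "correct-horse-battery-staple"}


class LoginController:
    def __init__(self):
        self.failed = defaultdict(int)   # user -> consecutive failed attempts
        self.locked = set()              # locked-out accounts
        self.sessions = {}               # user -> "local" | "remote"
        self.alerts = []                 # notifications for security staff

    def login(self, user: str, password: str, origin: str) -> str:
        """origin is 'local' (physical workstation) or 'remote'; returns a status."""
        if user in self.locked:
            self.alerts.append(f"attempt on locked account {user} from {origin}")
            return "locked"
        if not hmac.compare_digest(CREDENTIALS.get(user, ""), password):
            self.failed[user] += 1
            if self.failed[user] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(user)   # detective control from part 2
                self.alerts.append(f"{user} locked after {self.failed[user]} failed attempts")
                return "locked"
            return "denied"
        # Password correct: integrate physical and logical security (part 3).
        if origin == "remote" and self.sessions.get(user) == "local":
            self.alerts.append(f"remote login for {user} rejected: logged in at a workstation")
            return "rejected-conflict"
        self.failed[user] = 0
        self.sessions[user] = origin
        return "ok"

    def logout(self, user: str) -> None:
        self.sessions.pop(user, None)
```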

Page 21

Chapter 8 – Problem 8.4

4. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
• Preventive:
– Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.
• Detective and Corrective:
– Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

Page 22

Chapter 8 – Problem 8.4

5. A company’s programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
• Preventive:
– Teach programmers secure programming practices, including the need to carefully check all user input.
– Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.
• Detective:
– Make sure programs are thoroughly tested before being put into use
– Have internal auditors routinely test in-house developed software.

Page 23

Chapter 8 – Checkpoint

1. Which of the following is a preventive control?
a. Training
b. Log analysis
c. CIRT
d. Patch management

2. What is log analysis?
System logs record who accesses the system and what specific actions each user performed. It is an audit trail.
– Logs must be analysed
– Changes to logs must also be monitored – changes are not normal and may be made to hide unauthorized activities.
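An added example (not from the slides) of the two points above: a per-user activity summary of the kind log analysis produces, and a hash chain over the audit trail so that any later edit or deletion of a log line is detectable. The log format and entries are constructed.

```python
import hashlib

GENESIS = "0" * 64   # previous digest for the first entry


def chain_entries(entries: list) -> list:
    """Return [(entry, digest)] where each digest covers the entry and the previous digest."""
    prev, chained = GENESIS, []
    for entry in entries:
        digest = hashlib.sha256((prev + "\n" + entry).encode()).hexdigest()
        chained.append((entry, digest))
        prev = digest
    return chained


def verify_chain(chained: list) -> int:
    """Index of the first entry whose digest no longer matches, or -1 if the log is intact."""
    prev = GENESIS
    for i, (entry, digest) in enumerate(chained):
        if hashlib.sha256((prev + "\n" + entry).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1


def summarize(entries: list) -> dict:
    """Who accessed the system and what they did: user -> {action: count}."""
    summary = {}
    for line in entries:
        _ts, user, action = line.split(" ", 2)   # constructed format: "<timestamp> <user> <action>"
        summary.setdefault(user, {}).setdefault(action, 0)
        summary[user][action] += 1
    return summary


# Constructed audit trail
LOG = [
    "2012-03-05T09:01:00 alice login",
    "2012-03-05T09:02:10 alice read payroll",
    "2012-03-05T09:15:42 bob login",
    "2012-03-05T09:16:03 bob update payroll",
    "2012-03-05T09:16:30 bob logout",
]
```

Whoever can rewrite the whole file can also recompute the chain, so the latest digest has to be kept somewhere the log host cannot alter, such as a separate log server.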

Page 24

Chapter 8 – Checkpoint

3. A weakness that an attacker can take advantage of to either disable or take control of a system is called a (an)
a. Exploit
b. Patch
c. Vulnerability
d. Attack

Page 25

Chapter 8 – Checkpoint

4. What is a transmission control protocol?

Information traverses the internet and internal local area networks in the form of packets. Documents are not sent in their complete state; they are divided into these packets, which are recreated at the end point.

TCP – transmission control protocol – specifies the procedures for dividing the information into packets and how they are to be reassembled

IP – internet protocol – defines the structure of the packets and how to route them to their proper destination

Is this a preventive, detective, or corrective control?

Page 26

Chapter 8 – Checkpoint

4. What is deep packet inspection?

– Stateful packet filtering looks at the IP header, which is similar to inspecting the destination and the return address of mail
• If the information contained there is not on a list of unacceptable sources, or the true nature of the source is disguised, undesirable information may not be appropriately filtered out.
– Deep packet inspection effectively opens up the packet to determine the content, allowing the firewall to better protect the organization.

Is this a preventive, detective, or corrective control?
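An added example (not from the slides) contrasting a filter that looks only at the packet header, as the slide describes, with one that opens the payload. Run over constructed packets, it shows the case the slide warns about: unwanted content from an address that is not on the block list passes the header check and is caught only by inspecting the content. Addresses are from the RFC 5737 documentation ranges and the content signatures are made up for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


BLOCKED_SOURCES = {"203.0.113.9"}        # constructed list of unacceptable sources

# Constructed content signatures the organization does not want entering its network
PAYLOAD_SIGNATURES = [
    re.compile(rb"X-Macro:\s*AutoOpen"),    # marker for an auto-running document macro
    re.compile(rb"SSN=\d{3}-\d{2}-\d{4}"),  # sensitive data pattern
]


def header_filter(pkt: Packet) -> str:
    """Looks only at the 'envelope': drop if the source is on the block list, else allow."""
    return "drop" if pkt.src in BLOCKED_SOURCES else "allow"


def deep_packet_filter(pkt: Packet) -> str:
    """Header check first, then open the packet and match the content against signatures."""
    if header_filter(pkt) == "drop":
        return "drop"
    if any(sig.search(pkt.payload) for sig in PAYLOAD_SIGNATURES):
        return "drop"
    return "allow"


def compare(packets: list) -> list:
    """Per-packet (header decision, deep inspection decision) so the difference is visible."""
    return [(header_filter(p), deep_packet_filter(p)) for p in packets]


# Constructed traffic: the second packet carries unwanted content from an address that is
# not on the list, so the header alone gives no reason to drop it.
PACKETS = [
    Packet("203.0.113.9", "192.0.2.10", b"GET /policy.doc"),
    Packet("198.51.100.7", "192.0.2.10", b"...X-Macro: AutoOpen..."),
    Packet("198.51.100.8", "192.0.2.10", b"GET /index.html"),
]
```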

Page 27

Chapter 8 – Checkpoint

4. What is endpoint configuration?

– What is an endpoint? Workstations, servers, printers, and other devices
– Many operating systems turn on programs or services that are not really required. These can represent vulnerabilities to your system.
– At the system endpoints turn off any services or operating programs that are not really required
– This is called hardening

Page 28

Chapter 8 – TIPS for Final Exam

• Know why IT security is a management concern
• Information for management must satisfy 7 key criteria (know three)
• Know what COBIT is and why it is different than COSO IC and COSO ERM
• Know the three vantage points from which COBIT addresses control
• For COBIT processes know three examples each of
– PO – Plan and Organize
– AI – Acquire and Implement
– DS – Deliver and Support
– ME – Monitor and Evaluate
• Question 8-4 has more parts than we covered today
• Do not learn the steps in an IT attack
• Holcim example will not be on the final exam