Professional Documents
Culture Documents
1. General controls pertain to entity-wide concerns such as controls over the data center,
organization databases, systems development, and program maintenance.
2. Application controls ensure the integrity of specific systems such as sales order processing,
accounts payable, and payroll applications.
a. IT Organizational Controls
A. IT Organizational Controls
SEGREGATION OF DUTIES - One of the most important control activities is the segregation of
employee duties to minimize incompatible functions.
Distributed Data Processing (DDP) - involves reorganizing the IT function into small
information processing units (IPUs) that are distributed to end users and placed under their
control. IPUs may be distributed according to business function, geographic location, or
both.
A. Operating System Security - involves policies, procedures, and controls that determine who
can access the operating system, which resources (files, programs, printers) they can access, and
what actions they can take.
Log-On Procedure - is the operating system’s first line of defense against unauthorized
access. When the user initiates the process, he or she is presented with a dialog box
requesting the user’s ID and password. The system compares the ID and password to a
database of valid users. If the system finds a match, then the log-on attempt is
authenticated. If, however, the password or ID is entered incorrectly, the log-on attempt
fails and a message is returned to the user.
Access Token - If the log-on attempt is successful, the operating system creates an
access token that contains key information about the user, including user ID, password,
user group, and privileges granted to the user. The information in the access token is
used to approve all actions the user attempts during the session.
Access Control List - assigned to each resource controls access to system resources such
as directories, files, programs, and printers. These lists contain information that defines
the access privileges for all valid users of the resource. When a user attempts to access a
resource, the system compares his or her ID and privileges contained in the access token
with those contained in the access control list. If there is a match, the user is granted
access.
Discretionary Access Privileges - The central system administrator usually determines
who is granted access to specific resources and maintains the access control list. In
distributed systems, however, end users may control (own) resources. Resource owners
in this setting may be granted discretionary access privileges, which allow them to grant
access privileges to other users. For example, the controller, who is the owner of the
general ledger, may grant read-only privileges to a manager in the budgeting
department. The accounts payable manager, however, may be granted both read and
write permissions to the ledger. Any attempt the budgeting manager makes to add,
delete, or change the general ledger will be denied. The use of discretionary access
control needs to be closely supervised to prevent security breaches because of its liberal
use.
B. Password Controls - A password is a secret code the user enters to gain access to systems,
applications, data files, or a network server. If the user cannot provide the correct password, the
operating system should deny access.
Reusable Passwords - The user defines the password to the system once and then
reuses it to gain future access. The quality of the security a reusable password provides
depends on the quality of the password itself.
ONE-TIME Passwords - was designed to overcome the aforementioned problems. Under
this approach, the user’s password changes continuously.
a. Access Controls
b. Backup Controls
A. Access Controls - Access controls prevent and detect unauthorized and illegal access to the
firm’s assets.
User View (Subschema) - is a subset of the total database that defines the user’s data
domain and restricts his or her access to the database accordingly.
Database Authorization Table - contains rules that limit the actions a user can take.
Each user is granted certain privileges that are coded in the authority table, which is
used to verify the user’s action requests.
User-Defined Procedures - allows the user to create a personal security program or
routine to provide more positive user identification than a password can.
Data Encryption - uses an algorithm to scramble selected data, thus making it
unreadable to an intruder browsing the database. In addition to protecting stored data,
encryption is used for protecting data that are transmitted across networks.
Biometric Devices - The ultimate in user authentication procedures is the use of
biometric devices, which measure various personal characteristics such as fingerprints,
voiceprints, retina prints, or signature characteristics. These user characteristics are
digitized and stored permanently in a database security file or on an identification card
that the user carries.
B. Backup Controls
Transaction Log (Journal) - feature provides an audit trail of all processed transactions.
It lists transactions in a transaction log file and records the resulting changes to the
database in a separate database change log.
Database Backup - makes a periodic backup of the entire database. This is an automatic
procedure that should be performed at least once a day. The backup copy should then
be stored in a secure remote area.
Checkpoint Feature - suspends all data processing while the system reconciles the
transaction log and the database change log against the database. At this point, the
system is in a quiet state. Checkpoints occur automatically several times an hour. If a
failure occurs, it is usually possible to restart the processing from the last checkpoint.
Thus, only a few minutes of transaction processing must be repeated.
Recovery Module - uses the logs and backup files to restart the system after a failure.
Smurf attack - the targeted organization can program their firewall to ignore all
communication from the attacking site, once the attacker’s IP address is
determined.
Distributed denial of service attacks - are the most difficult of the three to
counter. The victim’s site becomes inundated with messages from thousands of
zombie sites that are distributed across the Internet. The company is rendered
helpless because it cannot effectively block transmissions from so many different
locations.
Intrusion Prevention Systems (IPS) - that employ deep packet inspection (DPI) to
determine when an attack is in progress.
C. Encryption - is the conversion of data into a secret code for storage in databases and
transmission over networks. The sender uses an encryption algorithm to convert the
original message called cleartext into a coded equivalent called ciphertext. At the
receiving end, the ciphertext is decoded (decrypted) back into cleartext. The encryption
algorithm uses a key, which is a binary number that typically is from 56 to 128 bits in
length.
PRIVATE KEY ENCRYPTION.
a. Advance encryption standard (AES) - The AES algorithm uses a
single key known to both the sender and the receiver of the
message.
b. Triple-DES encryption – older version technique called Data
Encryption Standard (DES).
c. EEE3 - uses three different keys to encrypt the message three
times.
d. EDE3- uses one key to encrypt the message. A second key is
used to decode it. The resulting message is garbled because
the key used for decoding is different from the one that
encrypted it. Finally, a third key is used to encrypt the garbled
message.
PUBLIC KEY ENCRYPTION - uses two different keys: one for encoding
messages and the other for decoding them.
RSA (Rivest-Shamir-Adleman)- is a highly secure public key
cryptography method. This method is, however, computationally
intensive and much slower than standard DES encryption.
Digital envelope - Both DES and RSA are used together.
G. Message Transaction Log - all incoming and outgoing messages, as well as attempted
(failed) access, should be recorded in a message transaction log. The log should record
the user ID, the time of the access, and the terminal location or telephone number from
which the access originated.
H. Request-Response Technique - control message from the sender and a response from
the receiver are sent at periodic, synchronized intervals. The timing of the messages
should follow a random pattern that will be difficult for the intruder to determine and
circumvent.
I. Call-Back Devices - requires the dial-in user to enter a password and be identified. The
system then breaks the connection to perform user authentication. If the caller is
authorized, the call-back device dials the caller’s number to establish a new connection.
Parity Check - incorporates an extra bit (the parity bit) into the structure
of a bit string when it is created or transmitted. Parity can be both
vertical and horizontal (longitudinal).
V. GENERAL CONTROLS- ELECTRONIC DATA INTERCHANGE (EDI)
Transaction Authorization and Validation - Both the customer and the
supplier must establish that the transaction being processed is to (or
from) a valid trading partner and is authorized
Controlling Systems Development Activities - This section and the one that follows
examine several controllable activities that distinguish an effective systems
development process.
a. Systems Authorization Activities - All systems should be properly authorized to
ensure their economic justification and feasibility. This requires a formal
environment in which users submit requests to systems professionals in written
form.
b. User Specification Activities - Users need to be actively involved in the systems
development process. The technical complexity of the system should not stifle user
involvement.
c. Technical Design Activities - translate user specifications into a set of detailed
technical specifications for a system that meets the user’s needs. The scope of these
activities includes systems analysis, feasibility analysis, and detailed systems design.
d. Internal Audit Participation - an organization’s internal audit department needs to
be independent, objective, and technically qualified. As such, the internal auditor
can play an important role in the control of systems development activities. The
internal auditor can serve as a liaison between users and the systems professionals
to ensure an effective transfer of knowledge.
e. Program Testing - All program modules must be thoroughly tested before they are
implemented
f. User Test and Acceptance Procedures - Prior to system implementation, the
individual modules of the system need to be formally and rigorously tested as a
whole. The test team should be composed of user personnel, systems professionals,
and internal auditors.