As technology advances rapidly, companies, and IT organizations in particular, pay considerable attention to safeguarding security. In spite of that attention, security remains a vulnerable area in most organizations. This paper covers the important aspects of in-house controls: testing security controls, identifying penetration points, assessing security, and the attributes of an effective security control.
Interest in in-house control has been heightened by publicized security penetrations and by the increased importance of information systems and the data they contain. The passage of the Sarbanes-Oxley Act in particular heightened interest in in-house control. The Sarbanes-Oxley Act, often referred to as SOX, was passed in response to accounting scandals such as Enron and WorldCom. While much of the act relates to financial controls, a major section relates to in-house controls. Because making a misleading attestation statement is a criminal offense, top corporate executives treat in-house control as a very important topic. Many of those controls are incorporated into information systems, hence the need to test them.
The following four key terms are used extensively in in-house control and security:
o Risk – The probability that an undesirable event will occur.
o Exposure – The amount of loss that might occur if an undesirable event occurs.
o Threat – A specific event that might cause an undesirable event to occur.
o Control – Anything that will reduce the impact of risk.
Let's look at an example of these terms using a homeowner's insurance policy. Under that policy we will look at one risk, the risk of fire. The exposure associated with the risk of fire is the value of your home. A threat that might turn that risk into a loss might be an improper electrical connection or children playing with matches. Controls that would minimize the loss associated with the risk include fire extinguishers, sprinkler systems, fire alarms and non-combustible construction materials. Looking at the same situation in IT, we might consider the risk of someone penetrating a banking system and improperly transferring funds to the perpetrator's personal account. The risk is the loss of funds from the account that was penetrated. The exposure is the amount of money in the account, or the amount of money that the bank allows to be transferred electronically. The threat is an inadequate security system that allows the perpetrator to penetrate the bank. Controls can include passwords limiting access, limiting the amount that can be transferred at any one time, flagging unusual transactions such as transfers to an overseas account, and limiting who can transfer money from the account.
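The banking controls just listed, as an added example that is not part of the original paper: a small Python check that applies an authorized-user list, a per-transfer limit and an overseas-destination flag to a few constructed transfers. The account, the limit, the home country, the user names and the sample transfers are all assumptions made for the illustration.

```python
# Added example, not code from the original paper: the transfer controls
# described above (authorized users, per-transfer limit, flagging of unusual
# overseas destinations) applied to constructed sample transfers. Account
# numbers, the limit, the home country and the user names are all assumptions.
from dataclasses import dataclass, field

HOME_COUNTRY = "US"          # assumption: any other destination country is "unusual"
PER_TRANSFER_LIMIT = 10_000  # assumption: maximum amount in one electronic transfer


@dataclass
class Account:
    number: str
    balance: int
    authorized_users: set = field(default_factory=set)  # who may move money out


@dataclass
class Transfer:
    user: str          # authenticated user requesting the transfer
    source: Account
    amount: int
    dest_country: str  # country of the destination account


def check_transfer(t: Transfer) -> tuple:
    """Return (approved, findings).

    A failed hard control (authorization, limit, funds) blocks the transfer.
    An unusual destination does not block it but is flagged for review, so the
    exposure stays bounded by PER_TRANSFER_LIMIT even when the flag is missed.
    """
    findings = []
    blocked = False
    # Control: limit who can transfer money from the account.
    if t.user not in t.source.authorized_users:
        findings.append(f"{t.user} is not authorized on account {t.source.number}")
        blocked = True
    # Control: limit the amount that can be transferred at any one time.
    if t.amount > PER_TRANSFER_LIMIT:
        findings.append(f"amount {t.amount} exceeds per-transfer limit {PER_TRANSFER_LIMIT}")
        blocked = True
    # The exposure can never exceed the funds actually held.
    if t.amount > t.source.balance:
        findings.append("insufficient funds")
        blocked = True
    # Control: flag unusual transactions such as transfers to an overseas account.
    if t.dest_country != HOME_COUNTRY:
        findings.append(f"unusual destination {t.dest_country}: hold for manual review")
    return (not blocked, findings)


def run_sample() -> list:
    """Constructed transfers covering each control; returns check results in order."""
    acct = Account("1001", balance=25_000, authorized_users={"alice"})
    sample = [
        Transfer("alice", acct, 5_000, "US"),    # ordinary transfer: approved
        Transfer("mallory", acct, 5_000, "US"),  # user not authorized on the account
        Transfer("alice", acct, 12_000, "US"),   # exceeds the per-transfer limit
        Transfer("alice", acct, 5_000, "KY"),    # approved, but flagged as overseas
    ]
    return [check_transfer(t) for t in sample]


if __name__ == "__main__":
    for approved, findings in run_sample():
        print("APPROVED" if approved else "BLOCKED ", findings)
```

The design point worth noticing is that the limit and the authorization list are preventive (they bound the exposure), while the overseas flag is detective: it depends on someone reviewing the hold queue, which is exactly the kind of manual function the paper identifies as a penetration point.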
Testing Security Controls
Security is too important to organizations for the testing of security controls to be ignored. The following tasks add value to security control testing:
1. Understand the points where security is most frequently penetrated; and understand the difference between accidental and intentional loss.
2. Build a penetration point matrix to identify software system vulnerabilities; and then investigate the adequacy of the security controls at the point of greatest potential penetration.
3. Assess the security awareness training program to assure the stakeholders in security are aware of their security responsibilities.
4. Understand the attributes of an effective security control.
5. Understand the process for selecting techniques to test security.
Task 1 -Where Security is Vulnerable to Penetration
The areas with the highest concentration of manual functions, data and report preparation and computer operations, are the areas most vulnerable to having security penetrated. The nine primary IT locations are ranked below:
Vulnerable Areas Rank
Data and report preparation facilities 1
Computer operations 2
Non-IT areas 3
Online systems 4
Programming offices 5
Online data and report preparation 6
Digital media storage facilities 7
Online operations 8
Central processors 9
1. Data and Report Preparation Facilities
Vulnerable areas include data entry (keying), computer job setup, output control and distribution, data collection, and data transportation.
2. Computer Operations
All locations with computers in the immediate vicinity and rooms housing central computer systems are included in this category. Detached areas that contain peripheral equipment connected to computers by cable and computer hardware maintenance areas or offices are also included.
3. Non-IT Areas
Security risks also derive from business decisions in such non-IT areas as management, marketing, sales, and business offices; and primary abusive acts may originate from these areas.
4. Online Systems
The vulnerable functional areas are within online systems, where acts occur by execution of programmed instructions as generated by terminal commands.
5. Programming Offices
This area includes office areas in which programmers produce and store program listings and documentation.
6. Online Data and Report Preparation
This category includes the functions for preparing online scripts.
7. Digital Media Storage Facilities
This area includes data libraries and any storage place containing usable data.
8. Online Operations
This category is the equivalent of the computer operations discussed previously, but involves the online terminal areas.
9. Central Processors
These IT areas are within computer systems themselves, and abusive acts may originate from within the computer operating system (not from terminals).
Task 2 – Building a Penetration Point Matrix
There is a dilemma in deciding where to test security. Security is needed to protect the resources of the organization. People are the security problem, and therefore security controls should be placed over people. Computer security is best achieved by controlling activities; the activities in turn control people. For example, we want to stop people from removing computer media from the media library unless they are authorized to do so. This is best accomplished by placing controls over the computer media in the form of a librarian; we can then exercise our security procedures through the computer media library and the librarian. This task identifies the activities that need control, as well as the data flow points where penetration is most likely to occur. Creating the penetration point matrix itself is outside the scope of this paper.
o Users of application data and programs
Users are the operational areas for which the applications have been developed and which need the processing results. The primary users of computer resources are the operational areas responsible for the application being processed. Secondary users include various staff units in the organization.
o Technical interface to the computer environment
The computer environment includes many system software packages, for example, operating systems, database management systems and administrative scheduling systems. These individual packages need to be generated and installed; then the interfaces between the packages need to be established. Many of the technical interfaces are performed by systems programmers and other specialists such as database administrators.
o Development and maintenance of application systems
Application systems are the software packages that process user data to produce the results needed by the users. These application systems can be developed from internally generated specifications, acquired as commercially available software, or developed under contract to vendors who develop applications on a fee basis. The activity includes testing to ensure that the application functions correctly, and then making any change necessary to ensure the operational correctness of the application. These applications can be developed by the professional data processing staff or by the users themselves.
o Privileged users
Each organization has a group of users who by their stature in the organization are privileged. This means that they may not be subject to the same level of control as non-privileged users. The two primary categories of privileged users are senior management and auditors. Other privileged users may be specialists within the data processing area or senior data processing management.
o Vendor interfaces
Organizations contract with a variety of vendors for special services. These include the vendors of hardware, software, and other support services such as contract maintenance, contract cleaning, and contract consulting services. In the performance of vendors’ duties, it may be necessary for vendor personnel to interact with computer operations during normal operating periods.
o Policies, procedures, and standards
The data processing organization develops policies on how the function is to be performed. These policies are implemented through procedures, such as system development methods by which data processing work is performed. These standards can apply to both the professional data processing area and other users of data processing resources, such as microcomputer users.
o Training
Training is one of the key attributes of a quality data processing organization. Dr. W. Edwards Deming, widely credited with the quality-driven turnaround of Japanese industry after the Second World War, held that training is one of the keys to quality. Dr. Deming's philosophy is that individuals should be fully trained in how to perform their job and then evaluated by supervision to ensure that they have mastered those skills. Once fully trained, the individual can operate with minimal supervision and be expected to produce high-quality work.
o Database administration
Databases are groupings of data that are managed independently of the application programs that use them. Creating databases requires a new organizational function, database administration, to manage and administer their use. In many organizations this function also owns the definition of data and the data dictionary software used to document it.
o Data communications
This activity encompasses the electronic movement of data between one computer facility and another. In most organizations, the communication facilities involve the use of common carrier lines. When common carrier facilities are used, the organization loses control over the security of the information from the time it passes into the hands of the common carrier until it is returned to the organization.
o Documentation
Documentation includes all of the narrative information developed and maintained about data processing activities. For an application under development, it includes record definitions, system specifications, program listings, test conditions and results, operator manuals, user manuals, control documentation, flow charts, and other pictorial representations. Note that the documentation may be in hard copy format or maintained on electronic media.
o Program change control
The maintenance activity has the responsibility to define, implement and test changes to application systems. Nevertheless, control over those changes should be independent of the activity that actually performs the program maintenance. The program change control activity involves logging changes, monitoring their implementation, and verifying both that every change made to a program was appropriately authorized and that every authorized change was actually made.
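The verification step described above, as an added example that is not the paper's own code: a two-way reconciliation of the production move log against the change authorizations, reporting changes moved without authorization, authorized changes that never reached production, and changes approved and moved by the same person (the independence the paper calls for). The change ids, program names and people are constructed sample data.

```python
# Added example, not code from the original paper: program change control as a
# reconciliation of what reached production against what was authorized.
# Change ids, program names and people below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    change_id: str    # change request approved by the change control function
    program: str      # program the request authorizes a change to
    approved_by: str


@dataclass(frozen=True)
class MoveLogEntry:
    change_id: str    # ticket cited when the change was moved to production
    program: str      # program actually moved
    moved_by: str


def reconcile(authorized: list, move_log: list) -> dict:
    """Two-way reconciliation of the move log against the authorizations.

    unauthorized:   moves with no matching authorization, or citing a ticket
                    that authorizes a different program than the one moved;
    not_applied:    authorized changes that never appear in the move log;
    sod_violations: changes approved and moved by the same person (the control
                    should be independent of the maintenance activity).
    """
    auth_by_id = {a.change_id: a for a in authorized}
    applied_ids = set()
    unauthorized, sod_violations = [], []
    for e in move_log:
        a = auth_by_id.get(e.change_id)
        if a is None or a.program != e.program:
            unauthorized.append(f"{e.change_id} {e.program} moved by {e.moved_by}")
            continue
        applied_ids.add(e.change_id)
        if a.approved_by == e.moved_by:
            sod_violations.append(f"{e.change_id} approved and moved by {e.moved_by}")
    not_applied = [f"{a.change_id} {a.program}"
                   for a in authorized if a.change_id not in applied_ids]
    return {"unauthorized": unauthorized,
            "not_applied": not_applied,
            "sod_violations": sod_violations}


def run_sample() -> dict:
    """Constructed authorizations and move log exercising each finding type."""
    authorized = [
        Authorization("CR-101", "PAYROLL", "carol"),
        Authorization("CR-102", "LEDGER", "carol"),
        Authorization("CR-103", "BILLING", "carol"),
        Authorization("CR-104", "BILLING", "bob"),
    ]
    move_log = [
        MoveLogEntry("CR-101", "PAYROLL", "bob"),   # authorized and applied
        MoveLogEntry("CR-102", "PAYROLL", "bob"),   # ticket authorizes LEDGER, not PAYROLL
        MoveLogEntry("CR-999", "LEDGER", "bob"),    # no such authorization
        MoveLogEntry("CR-104", "BILLING", "bob"),   # bob approved and moved it himself
    ]
    return reconcile(authorized, move_log)


if __name__ == "__main__":
    for finding, items in run_sample().items():
        print(finding, items)
```

Matching on the ticket number alone is not enough: the second log entry cites a valid ticket but moves a different program, which is the classic way an unauthorized change rides on an approved one, so the reconciliation compares the program as well as the id.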
o Records retention program
This activity is designed both to retain needed computer-related documents and to appropriately destroy unneeded computer documents. While the computer media is designed to physically store the data, the records retention program relates to the amount of time that the information will be retained. The records retention program includes both manual and computer media. The time and method by which data will be destroyed is an important part of the records retention program. Many organizations either shred or burn key hard-copy computer documentation. In addition, some organizations have custodians to retain and control important records.
o Computer processing
This is the activity of processing data to produce desired results. Processing is used in this context to indicate the totality of steps performed between the initiation of a transaction and the final termination of that transaction. Processing includes both manual and automated functions that manipulate data.
o Media libraries
Media libraries are repositories for computer media. The most common media are disks and diskettes. Media libraries may be on-site or off-site; off-site libraries are used to protect data in the event of a disaster affecting the on-site media library.
o Error handling
This activity begins when data is rejected from normal processing and continues until the time the problem has been resolved and the transaction has been correctly processed. Error handling normally involves a logging of errors and then a monitoring of the correction and reentry process. It is a particularly vulnerable point in many application systems because the reentry may only be subject to minimal control.
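The reentry weakness described above, as an added example that is not from the paper: an error-handling control in which every rejected transaction is logged under an error id, and reentry must cite that id, correct the same transaction, and pass exactly the validation applied at first entry. The account master, the validation rules and the sample transactions are constructed for the illustration.

```python
# Added example, not code from the original paper: an error-handling control
# in which every rejected transaction is logged under an error id, and reentry
# must cite that id and pass the same validation as first-time entry. The
# account master, validation rules and sample transactions are constructed.
from dataclasses import dataclass, field
from typing import Optional

VALID_ACCOUNTS = {"1001", "1002"}   # assumption: open accounts on the master file


@dataclass(frozen=True)
class Txn:
    ref: str       # transaction reference, kept across correction and reentry
    account: str
    amount: int


def validate(t: Txn) -> list:
    """The single validation routine used for both initial entry and reentry."""
    errors = []
    if t.account not in VALID_ACCOUNTS:
        errors.append("unknown account")
    if t.amount <= 0:
        errors.append("non-positive amount")
    return errors


@dataclass
class ErrorLog:
    pending: dict = field(default_factory=dict)   # error id -> (txn, errors), awaiting correction
    resolved: dict = field(default_factory=dict)  # error id -> corrected txn that was accepted
    next_id: int = 1

    def reject(self, t: Txn, errors: list) -> str:
        eid = f"E{self.next_id:04d}"
        self.next_id += 1
        self.pending[eid] = (t, errors)
        return eid


def process(t: Txn, log: ErrorLog, processed: list) -> Optional[str]:
    """Normal entry: accept the transaction, or log it and return the error id."""
    errors = validate(t)
    if errors:
        return log.reject(t, errors)
    processed.append(t)
    return None


def reenter(eid: str, corrected: Txn, log: ErrorLog, processed: list) -> Optional[str]:
    """Reentry is tied to an open error id and gets full validation, so the
    correction path cannot be used to slip in transactions that were never
    entered, or that would fail normal entry."""
    if eid not in log.pending:
        raise KeyError(f"no open error {eid}")
    original, _ = log.pending[eid]
    if corrected.ref != original.ref:
        raise ValueError("reentry must correct the transaction that was rejected")
    errors = validate(corrected)
    if errors:
        log.pending[eid] = (corrected, errors)   # still open under the same id
        return eid
    del log.pending[eid]
    log.resolved[eid] = corrected
    processed.append(corrected)
    return None


def run_sample() -> dict:
    """Constructed flow: one clean entry, two rejects, one good and one bad correction."""
    log, processed = ErrorLog(), []
    process(Txn("T1", "1001", 500), log, processed)          # accepted
    e2 = process(Txn("T2", "9999", 500), log, processed)     # E0001: unknown account
    e3 = process(Txn("T3", "1002", 0), log, processed)       # E0002: zero amount
    reenter(e2, Txn("T2", "1001", 500), log, processed)      # corrected, resolved
    reenter(e3, Txn("T3", "1002", -5), log, processed)       # still invalid, stays open
    return {"processed": [t.ref for t in processed],
            "open": sorted(log.pending),
            "resolved": sorted(log.resolved)}


if __name__ == "__main__":
    print(run_sample())
```

The open-error list doubles as the monitoring report the paper mentions: anything still pending after the correction cycle is either an unresolved error or an attempt to bypass normal entry, and both deserve a look.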
o Production library control
The production library is the repository for computer programs and program-related parameters. For example, job control language statements are necessary to support programs, but are retained in libraries other than the production library. There are many libraries, but the emphasis in this activity is on control over those libraries that affect the integrity of computer processing.