Page 1

IS Security Policy
ISMT 350, week #4

IS Security: The Challenge Presented by Computers
Practicum: Recognizing Fraud – The Anonymous Caller

Instructor: Professor J. Christopher Westland, PhD, CPA

Time: Tue & Thur 10:30am-11:50am
Venue: Rm. 2463
Duration: 5 Sep – 7 Dec

Text: Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003

Contact: Office: 852 2358 7643 Fax: 852 2358 2421 Email: [email protected] URL: http://teaching.ust.hk/~ismt350/

Page 2

Course Topics

| Topic | Readings | Practicum Competency | Case Study |
|---|---|---|---|
| What is Information Systems (IS) Auditing? | | Industry Profile: The Job of the IS Auditor | |
| Identifying Computer Systems | Chapter 1 | Evaluating IT Benefits and Risks | Jacksonville Jaguars |
| IS Audit Programs | Chapter 2 | The Job of the Staff Auditor | A Day in the Life of Brent Dorsey |
| IS Security | Chapter 3 | Recognizing Fraud | The Anonymous Caller |
| Utility Computing and IS Service Organizations | Chapter 4 | Evaluating a Prospective Audit Client | Ocean Manufacturing |
| Physical Security | Chapter 7 | Inherent Risk and Control Risk | Comptronix Corporation |
| Logical Security | Chapter 8 | Evaluating the Internal Control Environment | Easy Clean |
| IS Operations | Chapter 9 | Fraud Risk and the Internal Control Environment | Cendant Corporation |
| Controls Assessment | Chapter 10 | IT-based vs. Manual Accounting Systems | St James Clothiers |
| Encryption and Cryptography | Chapter 11 | Materiality / Tolerable Misstatement | Dell Computer |
| New Challenges from the Internet: Privacy, Piracy, Viruses and so forth | | | |
| Course Wrap-up | | Information Systems and Audit Evidence | Henrico Retail |

Page 3

Logical Structure of the Course, With Readings from the Text

[Diagram; only the labels are recoverable]
- IS Auditing
- Current and Future Issues in IS Auditing
- IS Components (Ch. 1 & 2)
- Audit Components (Ch. 3 & 4)
- Controls over IS Assets (Ch. 7 & 8)
- Procedural Controls (Ch. 9)
- Audit Standards and Procedures (Ch. 10)
- Encryption (Ch. 11)
- Forensics and Fraud Audits (Ch. 12)

Page 4

What is a Security Policy?

A security policy establishes what must be done to protect information stored on computers.

A well-written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated.

Policy is the “Formal” part of a strategy.

Page 5

What is Strategy?

[Diagram of perspectives on strategy; only the labels are recoverable]
- Axes: Outcomes (Profit-maximizing / Plural) and Processes (Deliberate / Emergent)
- Perspectives: Classical, Evolutionary, Systemic, Processual
- Timeline: 1970s, 1980s, 1990s; Classical Military Strategy

Page 6

Outcomes and Processes: Differing perspectives on Strategy

| Outcomes \ Processes | Deliberate | Emergent |
|---|---|---|
| Profit-maximizing | CLASSICAL | EVOLUTIONARY |
| Pluralistic | SYSTEMIC | PROCESSUAL |

Page 7

Classical Perspective on Strategy: Inside the Firm (Operations)

[Diagram; only the labels are recoverable]
- Environmental / Competitive; Internal Financial / Internal Non-financial
- Profitability, Efficiency, Growth, Survival
- Quantity, Quality, Cost, Time
- Manpower, Money, Machines, Methods, Materials
- Plan, Organize, Actuate, Control
- Information, Inputs, Outputs, Objectives, Manager, Action
- Information System(s)

Page 8

Strategy and Policy

Strategy defines the way that Top Management achieves corporate objectives.

Policy is a written set of procedures, guidelines and rules designed to accomplish a subset of strategic tasks by a particular subgroup of employees.

Page 9

Effective security policy

An effective security policy also protects people. Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well.

A security policy allows people to take necessary actions without fear of reprisal.

Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

Page 10

Effective information security policy

Information security policy defines the organization’s attitude to information, and announces internally and externally that information is an asset which is to be protected from unauthorized access, modification, disclosure, and destruction.

Effective information security policies will turn staff into participants in the company’s security. The process of developing these policies will help to define a company’s information assets.

Page 11

Why Do You Need Security Policy?

A security policy should:
- Protect people and information
- Set the rules for expected behavior by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation

Page 12

Who Will Use Your Policies? Count Your Audiences

Your audience is of course all your company employees. This group can be divided into sub-categories: Management, Technical Custodians, End-Users.

All users will fall into at least one category (end-user) and some will fall into two or even all three.

The audience for the policy will determine what is included in each policy document.

Page 13

Policies will Answer Questions: What? How? When? Where? Who? Why?

Rudyard Kipling’s ‘six honest serving men’: what, who, when, where, how & why?

- What is the problem?
- Who (which individual in the case) is responsible for solving the problem and making a decision?
- Where is the money? (The value generated by the solution)
- When does the problem need to be solved?
- How will you measure success?
- Why did you have this problem, and what will you do to prevent it in the future?

Page 14

The “Why”

You may not always want to include a description of why something is necessary in a policy. But if your reader is an end-user, it may be helpful to incorporate a description of why a particular security control is necessary, because this will not only aid their understanding, but will also make them more likely to comply with the policy.

Page 15

Establishing the Company’s Risk Profile (It’s Surprisingly Similar to the Auditor’s Risk Assessment Database)

The first six columns are the Asset register (Ex. 2.1); the last four are the Risk Assessment (Ex. 2.2 with improvements).

| Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss |
|---|---|---|---|---|---|---|---|---|---|
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000 |
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250 |
| Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc |

*Whether you list depends on Audit Materiality

Page 16

Why are auditors interested in IS Security Policy?

[Diagram; only the labels are recoverable]
- The Physical World: External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; Transactions
- The Parallel (Logical) World of Accounting: Accounting Systems; Journal Entries; Ledgers: Databases; ‘Owned’ Assets and Liabilities; Reports: Statistics
- Auditing: Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion; Corporate Law

Page 17

Practicum: Recognizing Fraud

The Anonymous Caller

Recognizing It's a Fraud and Evaluating What to Do

Page 18

How to Write An IS Security Policy

Page 19

The Three Elements of Policy Implementation

Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures.

Guidelines – Similar to standards, but are recommended actions.

Procedures – These are the detailed steps that must be performed for any task.

Page 20

Steps to Creation of IS Security Policy: Policy Development Lifecycle

1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books…)
6. Interview parties {Responsible, Accountable, Controlling} assets
   1. Define your objectives
   2. Control the interview
   3. Sum up and confirm
   4. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in “awareness” strategies
9. Review and update
10. Gap Analysis
11. Develop communication strategy
12. Publish

Page 21

What’s in a Policy Document

Page 22

Governing Policy

Should cover:
- Address information security policy at a general level
- Define significant concepts
- Describe why they are important, and detail what your company’s stand is on them

Governing policy will be read by managers and by technical custodians.

Level of detail: governing policy should address the “what” in terms of security policy.

Page 23

Governing Policy Outline might typically include:

1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement

Page 24

Technical Policies

Used by technical custodians as they carry out their security responsibilities for the system they work with.

Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.

Page 25

Technical Policy Outline might typically include:

1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement

Page 26

User Policies

Cover all the IS security policy that end-users should ever have to know about, comply with, and implement. Most of these will address the management of transaction flows and databases associated with applications.

Some of these policy statements may overlap with the technical policy.

Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security.

Page 27

User Policy Outline might typically include:

1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output

Page 28

Special Topics

New IS Security Threats that have arisen or grown in importance over the Last Decade

Page 29

Social Engineering

Tricking firm personnel into:
- Revealing passwords
- Relinquishing control of sensitive or valuable information
- Allowing entry to intruders
- Or other activity destructive or detrimental to the firm

Only ‘Awareness’ programs can control for social engineering.

Recent News: Email Fraud and HSBC

Page 30

Policy on Information Sharing: Identify Assets, Threats, and Countermeasures

Information which needs to be protected:
- Information created by, intended solely for, or of sole possession of a single user.
- Information considered personal or private to a single user.
- Information relating to employee health or social security number, Non-disclosure Agreement protected information, publicly identifiable research subject or customer data, classified information, and information protected by the greater organization’s program policy.

To help determine which protective countermeasures will be employed, the threats to the protected information need to be determined:
- Breach of user confidentiality or privacy due to unauthorized access of protected information.
- Breach of information integrity, ownership, or accountability due to unauthorized modification of protected information.
- Breach of information availability due to unauthorized deletion, movement, or other suppression of protected information.

The focus of the information sharing policy is to mitigate the threat from other users within the organizational unit.

Related technical policies such as policy for router configuration, firewall configuration, or anti-virus protection must also be designed to help mitigate those threats.

Page 31

Managing Internet Use: Big Brother or Due Diligence?

Internet access has become an established business tool, taken for granted along with email, telephone and facsimile.

Like these other media, giving staff access to the Internet has risks:
- Will they spend all day downloading porn or swapping chat messages with their friends?
- Will they infect the network with viruses or publish company secrets?

Page 32

Responsibility Accounting

Each bubble is associated with a person or entity that is responsible for that process. The same individuals with managerial control, accountability and responsibility for the process should all be responsible for the same bubble.

Example (next slide) of Traditional Flowchart: often, traditional accounting flowcharts place responsibility centers across the top of the chart, and the sequence of processes from top (first) to bottom (last).

Page 33

Example of an Internet Risk Assessment Matrix

| Threat (High, Med, Low) | Vulnerability (High, Med, Low) | Impact (High, Med, Low) | Risk (1-27) | Mitigation |
|---|---|---|---|---|
| Excessive Internet Use (H) | Inadequate reporting of use (H) | Wasted time (M) | 18 | Acceptable Use Policy. Usage monitoring and reporting |
| Excessive Internet Use (H) | Connection not authenticated (H) | Lack of accountability (H) | 27 | Require all connections to be authenticated |
| Inappropriate Internet Use (M) | Staff able to access such sites (M) | Can be sued for hostile workplace (M) | 8 | Acceptable Use Policy. Implement blocking capability. Disciplinary Process. |
| Unauthorised software (M) | Staff able to install software (L) | Local PC destabilised (L) | 2 | Policy. Lock Down PC. Audit |
| Unauthorised software (M) | Non-compliance with licenses (M) | Sued by vendor (H) | 12 | Policy. Lock Down PC. Audit. Approved purchase route |
| Unauthorised software (M) | Virus/Trojan introduced (L) | Loss or disclosure of data (H) | 6 | Policy. Lock Down PC. Anti-virus software |
| Users don’t speak English (M) | System messages in English (M) | Policy not followed because not understood (M) | 8 | Translate Policy. Login banners in local language. Error pages in local language |
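As an added worked example (not from the slides or the text), the arithmetic behind both risk tables in this deck: the matrix above rates Threat, Vulnerability and Impact as H/M/L and reports a 1-27 score, and every score shown is consistent with H=3, M=2, L=1 multiplied together, which the code assumes; the Expected Loss column of the risk-profile table (Ex. 2.2) is occurrences per year times the cost of one occurrence.

```python
# Added example: scoring the Internet Risk Assessment Matrix and the Ex. 2.2
# expected-loss column. The H/M/L numeric mapping is an assumption that
# reproduces every score printed on the slide; it is not stated there.
from dataclasses import dataclass

RATING = {"H": 3, "M": 2, "L": 1}  # assumed mapping


def risk_score(threat: str, vulnerability: str, impact: str) -> int:
    """Product of the three ratings, giving the 1-27 scale used in the matrix."""
    return RATING[threat] * RATING[vulnerability] * RATING[impact]


def expected_loss(occurrences_per_year: float, cost_per_occurrence: float) -> float:
    """Annualised expected loss, as in the Ex. 2.2 risk assessment columns."""
    return occurrences_per_year * cost_per_occurrence


@dataclass
class InternetRisk:
    threat: str
    vulnerability: str
    impact: str
    ratings: tuple  # (threat, vulnerability, impact) as H/M/L
    mitigation: str

    @property
    def score(self) -> int:
        return risk_score(*self.ratings)


# Rows transcribed from the slide's matrix.
MATRIX = [
    InternetRisk("Excessive Internet use", "Inadequate reporting of use", "Wasted time",
                 ("H", "H", "M"), "Acceptable Use Policy; usage monitoring and reporting"),
    InternetRisk("Excessive Internet use", "Connection not authenticated", "Lack of accountability",
                 ("H", "H", "H"), "Require all connections to be authenticated"),
    InternetRisk("Inappropriate Internet use", "Staff able to access such sites",
                 "Can be sued for hostile workplace", ("M", "M", "M"),
                 "Acceptable Use Policy; blocking capability; disciplinary process"),
    InternetRisk("Unauthorised software", "Staff able to install software", "Local PC destabilised",
                 ("M", "L", "L"), "Policy; lock down PC; audit"),
    InternetRisk("Unauthorised software", "Non-compliance with licenses", "Sued by vendor",
                 ("M", "M", "H"), "Policy; lock down PC; audit; approved purchase route"),
    InternetRisk("Unauthorised software", "Virus/Trojan introduced", "Loss or disclosure of data",
                 ("M", "L", "H"), "Policy; lock down PC; anti-virus software"),
    InternetRisk("Users don't speak English", "System messages in English",
                 "Policy not followed because not understood", ("M", "M", "M"),
                 "Translate policy; login banners and error pages in local language"),
]


def ranked(rows):
    """Rows sorted highest score first, so policy work is prioritised by risk."""
    return sorted(rows, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for r in ranked(MATRIX):
        print(f"{r.score:2d}  {r.threat} / {r.vulnerability} -> {r.mitigation}")
    # Expected-loss rows from the risk-profile slide (Ex. 2.2).
    print(expected_loss(100, 100))  # theft: 10000
    print(expected_loss(35, 350))   # obsolescence and spoilage: 12250
```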

Page 34

Excessive non-business related Internet use

Risk both in terms of lost productivity and in competition for infrastructure resources for legitimate business use.

Surveys have estimated the time spent on non-business browsing by US and UK workers to average 30 to 60 minutes a day.

Lost productivity of a pharmaceutical industry worker who spends one hour a day on non-business use is estimated at $43,000 a year (est. Surfcontrol, Inc.).

News, chat and email represent the greatest problems.

Page 35

Where Internet Use Occurs

Page 36

Unauthorized Software

Employees with Internet access are able to download software.

This could be commercial software or shareware that is not part of the standard desktop, but could also be Trojans and viruses.

There is also the risk of non-compliance with licensing terms, for example commercial use of a product that is only free for personal use (though these problems are decreasing).

The impact of unauthorised software will vary depending on the sensitivity of the system on which it is installed.

Installation of unauthorised software on strictly controlled PCs that are part of formally defined and validated systems compromises the entire system.

Page 37

Policy implementation alternatives

Authentication: Having the client authenticate with the Internet gateway ensures that usage is assigned to individual user IDs. It also provides the opportunity to display an acceptable use banner.

Logging: Usage logs may be created by firewall and proxy servers. These will contain User ID, Client IP, URL requested and time stamp. Logs should be regularly reviewed to detect inappropriate use.

URL Blocking: Given the low cost of blocking software, typically $10 a seat, it would be difficult for a company to defend a hostile workplace action unless it had implemented blocking.

Reporting: Usage reporting should be automated using the capabilities of the blocking software, with reporting tools such as WebTrends or with custom scripts. Care should be taken when reporting individuals’ usage as this risks infringing their privacy.

Investigation of Inappropriate Use: IT Security should avoid becoming the moral guardians of the company. Inappropriate use is primarily a line management issue, so any investigation should be managed by Human Resources departments, with IT security staff providing technical assistance. Policy should describe an escalation process by which incidents can be handed off from IT to HR and on to corporate security or even the police if necessary.

Data Retention: Companies should define a process to archive or dispose of log files. HR should retain any data that has been used as part of a disciplinary process, with other records relating to the case.
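Added example (not from the slides or the text): a review pass over the usage logs described under Logging and Reporting above, with the log lines, host keywords and the non-business request limit all constructed for the example. It returns category totals without user IDs for routine reporting, singles out heavy non-business users only for the HR escalation path, and lists requests with no authenticated user, which is the "lack of accountability" row of the risk matrix.

```python
# Added example: reviewing proxy usage logs that carry user ID, client IP,
# requested URL and time stamp. Everything below (log lines, categories,
# thresholds) is constructed for illustration.
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample of proxy log lines: timestamp, user, client IP, URL.
# "-" in the user field means the connection was not authenticated.
SAMPLE_LOG = """\
2016-01-15T09:01:10 jdoe 10.0.0.12 http://intranet.example.local/timesheet
2016-01-15T09:03:44 jdoe 10.0.0.12 http://news.example.net/headlines
2016-01-15T09:04:02 jdoe 10.0.0.12 http://chat.example.org/room/42
2016-01-15T09:04:30 - 10.0.0.77 http://chat.example.org/room/42
2016-01-15T09:10:15 asmith 10.0.0.13 http://vendor.example.com/erp/login
2016-01-15T09:11:00 asmith 10.0.0.13 http://mail.example.net/inbox
2016-01-15T09:12:05 jdoe 10.0.0.12 http://news.example.net/sport
"""

# Constructed categorisation by host keyword; a real deployment would use the
# blocking product's category feed instead.
CATEGORIES = {"news": "news", "chat": "chat", "mail": "email"}
NON_BUSINESS = {"news", "chat", "email"}


def parse_line(line):
    """Return (timestamp, user, client_ip, url) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, ip, url = parts
    try:
        return datetime.fromisoformat(ts), user, ip, url
    except ValueError:
        return None


def categorise(url):
    """Map a URL to a category by host keyword; anything unmatched is business."""
    host = urlsplit(url).hostname or ""
    for keyword, category in CATEGORIES.items():
        if keyword in host:
            return category
    return "business"


def review(log_text):
    """Aggregate the log into per-user category counts, overall category
    totals, and the list of requests that had no authenticated user."""
    per_user = defaultdict(Counter)
    totals = Counter()
    unauthenticated = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the review
        ts, user, ip, url = rec
        cat = categorise(url)
        totals[cat] += 1
        if user == "-":
            unauthenticated.append((ts.isoformat(), ip, url))
            continue
        per_user[user][cat] += 1
    return per_user, totals, unauthenticated


def aggregate_report(totals):
    """Category totals only: what a routine report shows, with no user IDs."""
    return {cat: totals[cat] for cat in sorted(totals)}


def flag_users(per_user, non_business_limit):
    """Users whose non-business requests exceed the limit; handed to line
    management/HR under the escalation process, not published generally."""
    return sorted(u for u, c in per_user.items()
                  if sum(c[cat] for cat in NON_BUSINESS) > non_business_limit)


if __name__ == "__main__":
    users, totals, unauth = review(SAMPLE_LOG)
    print(aggregate_report(totals))
    print(flag_users(users, non_business_limit=2))
    print(unauth)
```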

Page 38

There is little legal foundation in the US or Asia to protect individuals’ privacy.

Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.

The main requirement of the Electronic Communications Privacy Act is that employees must give their consent to monitoring and employers notify staff of their monitoring policy on hiring and annually thereafter.

"If an employer electronically monitors an employee without giving the required notice, an employee may sue for civil damages. Compensatory damages are capped at $5000, and total damages are capped at $20,000. In a case where many employees are affected, per incident damages are capped at $500,000."

Page 39

Scant Privacy Protection

Conversely, there is a requirement on employers to take steps to protect their staff from a hostile workplace.

"[The Supreme Court requires that] companies must take reasonable steps to prevent as well as quickly correct any hostile environment or sexual harassment behaviors as they occur. It can be interpreted that if there are reasonable technologies able to prevent this from ever happening, companies must take those steps."

The conclusion is that US law requires companies to implement processes, such as monitoring and blocking, to protect their staff, and staff should have no expectation of privacy providing they have been informed of the monitoring.