
IT SECURITY AND APPLICATION DEVELOPMENT

11.1 PHYSICAL AND SYSTEMS SECURITY

1. Data Integrity

a. The difficulty of maintaining the integrity of the data is the most significant limitation of
computer-based audit tools.

1) The degree of reliance on electronic evidence by the auditor depends on the
effectiveness of the controls over the system from which such evidence is taken.

2) When making recommendations regarding the costs and benefits of computer
security, the auditor should focus on
a) Potential loss if security is not implemented
b) The probability of the occurrences
c) The cost and effectiveness of the implementation and operation of computer security.

3) The most important control is to enact an organization-wide network security policy.
This policy should promote the following objectives:
a) Availability. The intended and authorized users should be able to access data to meet
organizational goals.
b) Security, privacy, and confidentiality. The secrecy of information that could adversely
affect the organization if revealed to the public or competitors should be ensured.
c) Integrity. Unauthorized or accidental modification of data should be prevented.

Security controls

Physical controls (limit who may physically enter the data center)
  Physical access controls: keypad devices, card readers, biometric technologies
  (fingerprints, retina patterns, hand geometry)
  Environmental controls (to protect the physical information assets):
  1) Temperature and humidity control
  2) Gaseous fire-suppression system (not water)
  3) Data center not located on an outside wall
  4) Building housing the data center not located in a flood plain

Logical controls (to avoid unauthorized access)
  Access control software
  Passwords and ID numbers
  File attributes can be assigned to control access to and the use of files.
  Examples are read/write, read only, archive, and hidden.
  - Access controls have been developed to prevent improper use or manipulation of data
  files and programs.
  - A system access log records all attempts to use the system.
  - Controlled disposal of documents.

Definitions
  - Compatibility test: ascertains whether a code number is compatible with the use to be
  made of the information.
  - Access control matrices: the lists or tables of authorized users or devices.
  - System access log: records all attempts to use the system (date and time, codes used,
  mode of access, data involved, operator interventions).
  - Encryption: using a fixed algorithm to manipulate plaintext.
  - Controlled disposal of documents: to destroy data when they are no longer in use.
  - Automatic log-off: prevents the viewing of sensitive data on an unattended data terminal.
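The access control matrix and the system access log defined above, worked as an added example (not part of the study notes): every attempt is checked against the matrix and recorded with date and time, code used, mode of access, data involved and the result, and a small report picks out codes with repeated denied attempts. User codes, file names and permissions are constructed sample data.

```python
"""Added example (not from the study notes): a minimal access control
matrix checked on every request, with each attempt written to a system
access log that records date/time, code used, mode of access, data
involved and the result. All users, files and permissions are constructed."""
from collections import Counter
from datetime import datetime, timezone

# Access control matrix: user code -> file -> set of permitted modes.
# A "read only" file grants {"read"}; a "read/write" file grants both.
ACCESS_MATRIX = {
    "U100": {"payroll.dat": {"read", "write"}, "ledger.dat": {"read"}},
    "U200": {"ledger.dat": {"read"}},
}

SYSTEM_ACCESS_LOG = []   # every attempt is recorded, permitted or not


def request_access(user_code, data, mode, when=None):
    """Apply the matrix and record the attempt. Returns True if permitted."""
    when = when or datetime.now(timezone.utc)
    allowed = mode in ACCESS_MATRIX.get(user_code, {}).get(data, set())
    SYSTEM_ACCESS_LOG.append({
        "timestamp": when.isoformat(timespec="seconds"),
        "code": user_code, "mode": mode, "data": data,
        "result": "PERMITTED" if allowed else "DENIED",
    })
    return allowed


def denied_attempts_by_code(log, threshold=3):
    """Continuous-monitoring report: codes with repeated denied attempts,
    the kind of unusual usage pattern an auditor would follow up on."""
    counts = Counter(e["code"] for e in log if e["result"] == "DENIED")
    return {code: n for code, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    request_access("U100", "payroll.dat", "write")          # permitted
    for _ in range(3):                                       # unknown code
        request_access("U999", "payroll.dat", "read")
    request_access("U200", "ledger.dat", "write")           # read-only file
    for entry in SYSTEM_ACCESS_LOG:
        print(entry)
    print(denied_attempts_by_code(SYSTEM_ACCESS_LOG))       # {'U999': 3}
```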

2. Internet Security
a. Connection to the Internet presents security issues.
1) Thus, the organization-wide network security policy should at the very least include
a) A user account management system
b) Installation of an Internet firewall
c) Methods such as encryption to ensure that only the intended user receives the
information and that the information is complete and accurate

User account management
  a) New accounts are added correctly and assigned only to authorized users
  b) Old and unused accounts are removed promptly
  c) Passwords are changed periodically, and employees are educated on how to choose a
  password that cannot be easily guessed
Firewall (separates an internal network from an external network)
  Firewall systems ordinarily produce reports on organization-wide Internet use, unusual
  usage patterns, and system penetration attempts. (These reports are very helpful to the
  internal auditor as a method of continuous monitoring, or logging, of the system.)
Encryption
  Data traveling across the network can be encoded so that it is indecipherable to anyone
  except the intended recipient.
  - Authentication measures verify the identity of the user, thus ensuring that only the
  intended and authorized users gain access to the system.
  - Checksums help ensure the integrity of data by checking whether the file has been
  changed (the newly computed value is compared with the last known value).
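The checksum comparison described above, as an added example that is not part of the study notes: a baseline of last known values is recorded, and a later check reports files whose value no longer matches, as well as files that appeared or disappeared. File names and contents are constructed in memory so the example runs offline.

```python
"""Added example (not from the study notes): checksums compared against
the last known value to detect changed files. Files are constructed
in-memory bytes; a real job would read them from disk and store the baseline."""
import hashlib


def checksum(content: bytes) -> str:
    """SHA-256 of the file content, hex-encoded (a fixed-size fingerprint)."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record the 'last known value' for every file: name -> checksum."""
    return {name: checksum(data) for name, data in files.items()}


def verify(baseline: dict, files: dict) -> dict:
    """Compare current checksums with the baseline and report drift.
    Added and removed files are reported too: a missing program or data
    file is as much an integrity event as a modified one."""
    current = build_baseline(files)
    return {
        "changed": sorted(n for n in baseline
                          if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


if __name__ == "__main__":
    # Constructed sample "files" at the time the baseline was taken.
    original = {
        "payroll.exe": b"MZ\x90\x00 original payroll program",
        "rates.cfg": b"overtime_rate=1.5\n",
    }
    baseline = build_baseline(original)

    # Later: one byte of the config changed, a file added, a file gone.
    later = {
        "rates.cfg": b"overtime_rate=2.5\n",
        "patch.exe": b"MZ\x90\x00 unexpected new binary",
    }
    print(verify(baseline, later))
    # {'changed': ['rates.cfg'], 'added': ['patch.exe'], 'removed': ['payroll.exe']}
```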
Types of firewalls
  Packet filtering system: examines each incoming network packet and drops (does not
  pass on) unauthorized packets.
  Proxy server: maintains copies of web pages to be accessed by specified users.
  Application gateway: limits traffic to specific applications.
  Circuit-level gateway: identifies a valid TCP session.
  Stateful inspection: stores information about the state of a transmission and uses it
  as background for evaluating messages from similar sources.
* Firewalls do not provide adequate protection against computer viruses. Thus, an
organization should include one or more antivirus measures in its network security
policy.
3. Data Storage
a. Storing all related data on one storage device creates security problems.
1) Greater emphasis on security is required to provide backup and restrict access to
the database.
2) The responsibility for creating, maintaining, securing, and restricting access to the
database belongs to the database administrator (DBA).

11.2 INFORMATION PROTECTION


1. Business Objective
The five categories of IT business assurance objectives (ACFPA):
  Availability: Ensure that information, processes, and services are available at all times.
  Capability: Ensure reliable and timely completion of transactions.
  Functionality: Ensure that systems are designed to user specifications to fulfill business
  requirements.
  Protectability: Ensure that a combination of physical and logical controls prevents
  unauthorized access to system data. (Controls over access and change management
  processes should be in place.)
  Accountability: Ensure that transactions are processed under firm principles of data
  ownership, identification, and authentication. (The roles, actions, and responsibilities
  for security should be defined.)

2. Malicious Software (Malware)

  Trojan horse: a hidden function that may do damage when activated.
  Worm: copies itself not from file to file but from computer to computer. Repeated
  replication overloads a system by depleting memory or disk space.
  Logic bomb: like a Trojan horse except that it activates only upon some occurrence, e.g.,
  on a certain date.
  Denial of service: overwhelming a system or website with more traffic than it can handle.
  Virus: program code that copies itself from file to file. The virus may destroy data or
  programs.

3. Controls Against Malware


a. A policy should require
b. Antivirus software should continuously monitor the system
c. Software and data for critical systems should be regularly reviewed
d. Business continuity (recovery) plans should be drafted
4. Types of Attacks

5. Countermeasures -- Intrusion Detection Systems (IDS)


a. If an organization’s computer system has external connections, an IDS is needed to
respond to security breaches
1) The IDS complements the computer system’s firewalls. It responds to attacks on
a) The network infrastructure (protected by the network IDS component)
i) Routers
ii) Switches
iii) Bandwidth
b) Servers (protected by the host IDS component)
i) Operating systems
ii) Applications
2) An IDS responds to an attack by
a) Taking action itself
b) Alerting the management system
* A host IDS provides maximum protection only when the software is installed on each computer

6. Information Integrity and Reliability


a. The IIA provides guidance on this topic in Practice Advisory 2130.A1-1, Information
Reliability and Integrity:
1) “Internal auditors determine whether senior management and the board have a
clear understanding that information reliability and integrity is a management
responsibility. This responsibility includes all critical information of the
organization regardless of how the information is stored. Information reliability
and integrity includes accuracy, completeness, and security” (para. 1).
2) “The chief audit executive (CAE) determines whether the internal audit activity
possesses, or has access to, competent audit resources to evaluate information
reliability and integrity and associated risk exposures. This includes both
internal and external risk exposures, and exposures relating to the
organization’s relationships with outside entities” (para. 2).
3) “Internal auditors assess the effectiveness of preventive, detective, and
mitigation measures against past attacks, as appropriate, and future attempts
or incidents deemed likely to occur. Internal auditors determine whether the
board has been appropriately informed of threats, incidents, vulnerabilities
exploited, and corrective measures” (para. 4).
4) “Internal auditors periodically assess the organization’s information reliability and
integrity practices and recommend, as appropriate, enhancements to, or
implementation of, new controls and safeguards. Such assessments can either
be conducted as separate stand-alone engagements or integrated into other
audits or engagements conducted as part of the internal audit plan” (para. 5).

7. Privacy
a. Management is responsible for ensuring that an organization’s privacy framework is in
place. Internal auditors’ primary role is to ensure that relevant privacy laws and other
regulations are being properly communicated to the responsible parties.
b. The IIA provides guidance on this topic in Practice Advisory 2130.A1-2, Evaluating an
Organization’s Privacy Framework:
1) “Risks associated with the privacy of information encompass personal privacy
(physical and psychological); privacy of space (freedom from surveillance); privacy of
communication (freedom from monitoring); and privacy of information (collection, use,
and disclosure of personal information by others)” (para. 2).
a) Personal information is information associated with a specific individual.
2) “Effective control over the protection of personal information is an essential
component of the governance, risk management, and control processes of an
organization. The board is ultimately accountable for identifying the principal risks to the
organization and implementing appropriate control processes to mitigate those risks.
This includes establishing the necessary privacy framework for the organization and
monitoring its implementation” (para. 3).

3) “In conducting such an evaluation of the management of the organization’s privacy
framework, the internal auditor:
a) Considers the laws, regulations, and policies relating to privacy in the jurisdictions
where the organization operates;
b) Liaisons with in-house legal counsel to determine the exact nature of laws,
regulations, and other standards and practices applicable to the organization and the
country/countries in which it operates;
c) Liaisons with information technology specialists to determine that information security
and data protection controls are in place and regularly reviewed and assessed for
appropriateness;
d) Considers the level or maturity of the organization’s privacy practices.
Depending upon the level, the internal auditor may have differing roles” (para. 7).

11.3 AUTHENTICATION AND ENCRYPTION


1. Application Authentication
a. Application authentication: taking a user’s identity from the operating system
b. There are three classes of authentication information.
1) Remembered information: name, birth date, account number, password, PIN
2) Possessed objects: badge, plastic card, key, finger ring
3) Personal characteristics: fingerprint, voiceprint, hand size, signature, retinal pattern
2. Encryption Overview
a. Encryption technology converts data into a code
b. Encryption technology may be either hardware- or software-based
3. Public-Key (Asymmetric) Encryption
a. Public-key (asymmetric) encryption requires two keys: a public key used to encrypt
(public to private) and a private key, known only to the recipient, used to decrypt.
b. This arrangement is more secure than a single-key system
c. A digital signature: authentication of an electronic document (validity of a purchase order,
acceptance of a contract)
d. A digital certificate: another means of authentication used in e-business
e. The public key infrastructure permits secure monetary and information exchange over
the Internet: HTTPS (HTTP Secure).
4. Private-Key (Symmetric) Encryption
a. Private-key, or symmetric, encryption is less secure than the public-key method
because it requires only a single (secret) key

11.4 END-USER COMPUTING (EUC)


1. End-User vs. Centralized Computing
1) Certain environmental control risks are more likely in EUC.
Examples are copyright violations, unauthorized access to application programs, and the
absence of the physical access controls, application-level controls, and other controls
found in mainframe or networked environments.
a. Program development, documentation, and maintenance also may lack the centralized
control found in larger systems.
1) They may not be subject to appropriate standards, controls, and quality assurance
procedures
2) EUC applications may update and define the data in different ways. Thus, determining
the location of data and ensuring data consistency become more difficult.
3) The auditors should determine that EUC applications contain controls that allow users to
rely on the information produced.
a) The first concern is to discover their existence and their intended functions.
b) The next step is risk assessment
c) The third step is to review the controls included in the applications chosen in the
risk assessment
b. In a personal computer setting, the user is often the programmer and operator. Thus the
protections provided by segregation of duties are eliminated
c. The audit trail is diminished because of the lack of history files, incomplete printed output
d. In general, available security features for stand-alone machines are limited compared with
those in a network
2. Three Basic Architectures for Desktop Computing
  Client-server model: divides processing of an application between a client machine on a
  network and a server.
  Dumb terminal model: terminals that lack stand-alone processing power have access to
  remote computers in a network.
  Application server model: a three-tiered or distributed network application, e.g., the
  user's (front-end) server -> middle (application) server with load balancing -> database
  (back-end) server.
11.5 PROGRAM CHANGE CONTROL
1. Program Change Control Process
a. Once a change to a system has been approved, the programmer should save a copy of the
production program in a test area of the computer
b. The programmer makes the necessary changes to this copy of the program (source code)
c. The programmer transforms the changed program into a form that the computer can
execute (executable code) using a compiler.
d. Once the executable version of the changed program is ready, the programmer tests it to
see if it performs the new task as expected (using test data, not actual data).
e. The programmer demonstrates the new functionality for the user who made the request,
who either accepts it or asks for further changes.
f. Once the program is in a form acceptable to the user, the programmer moves it to a
holding area. (Programmers (except in emergencies) should never be able to put programs
directly into production)
g. The programmer’s supervisor reviews the new program, approves it, and authorizes its
move into production, generally carried out by operations personnel.

11.6 APPLICATION DEVELOPMENT


1. Build or Buy
2. Systems Development Life Cycle (SDLC)
a. The feedback gathered during the maintenance of a system provides information for
developing the next generation of systems, hence the name life cycle.
b. The phases and component steps of the traditional SDLC:
  Definition (systems analysts): the need for the application and the business function(s)
  that it will affect.
  Design (systems analysts): data flow diagrams (DFDs) and structured flowcharts are
  commonly used.
  Development (programmers): the actual program code and database structures that will be
  used in the new system; each new program module of the system is tested with TEST DATA.
  Implementation: converting to the new system so that it can be used.
  Maintenance
3. Prototyping
a. Prototyping is an alternative approach to application development

STUDY UNIT TWELVE


IT SYSTEMS
12.1 WORKSTATIONS AND DATABASES
1. Database Overview
a. A database is a series of related files combined to eliminate redundancy of data items.
A single integrated system allows for improved data accessibility
b. Security is required to provide backup and restrict access to the database

2. Relational Database Structure


* Normalization prevents inconsistent deletion, insertion, and updating of data items
a. The relational structure requires careful planning, but it is easy to maintain and processes
queries efficiently
b. The three basic operations in the relational model are selecting, joining, and projecting.
1) Selecting creates a subset of records that meet certain criteria.
2) Joining is the combining of relational tables based on a common field or combination of
fields.
3) Projecting results in the requested subset of columns from the table. This operation creates
a new table containing only the required information.
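The three basic relational operations above, run as actual SQL in an added example that is not part of the study notes. The department and employee tables, their columns and rows are constructed sample data held in an in-memory SQLite database; the department name is stored once in its own table rather than repeated per employee, which is the normalization the note above refers to.

```python
"""Added example (not from the study notes): selecting, joining and
projecting as SQL against an in-memory SQLite database with constructed
sample tables."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Two normalized tables: department names live in one place only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE department (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY, name TEXT NOT NULL, salary INTEGER,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id));
        INSERT INTO department VALUES (10, 'Audit'), (20, 'IT');
        INSERT INTO employee VALUES
            (1, 'Ann', 70000, 10), (2, 'Bob', 82000, 20), (3, 'Cy', 65000, 20);
    """)
    return conn


def select_rows(conn, min_salary):
    """Selecting: the subset of records (rows) that meet a criterion."""
    return conn.execute(
        "SELECT * FROM employee WHERE salary >= ? ORDER BY emp_id",
        (min_salary,)).fetchall()


def project_columns(conn):
    """Projecting: only the requested columns, yielding a new relation."""
    return conn.execute(
        "SELECT DISTINCT name, dept_id FROM employee ORDER BY name").fetchall()


def join_tables(conn):
    """Joining: combine the two tables on their common field, dept_id."""
    return conn.execute("""
        SELECT e.name, d.name AS department
        FROM employee AS e JOIN department AS d ON e.dept_id = d.dept_id
        ORDER BY e.emp_id
    """).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(select_rows(db, 70000))   # rows for Ann and Bob only
    print(project_columns(db))      # (name, dept_id) pairs, no salary column
    print(join_tables(db))          # [('Ann', 'Audit'), ('Bob', 'IT'), ('Cy', 'IT')]
```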
