CHAPTER 7
Information Systems Controls
for Systems Reliability
Part 1: Information Security
© 2008 Prentice Hall Business Publishing
Accounting Information Systems, 11/e
Romney/Steinbart
1 of 222
INTRODUCTION
• Questions to be addressed in this chapter:
– How does security affect systems reliability?
– What are the four criteria that can be used to evaluate the effectiveness of an organization’s information security?
– What is the time-based model of security and the concept of defense-in-depth?
– What types of preventive, detective, and corrective controls are used to provide information security?
– How does encryption contribute to security and how do the two basic types of encryption systems work?
INTRODUCTION
• One basic function of an AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
– It provides an accurate, complete, and timely picture of the organization’s activities.
– It is available when needed.
– The information and the system that produces it are protected from loss, compromise, and theft.
INTRODUCTION
[Figure: the SYSTEMS RELIABILITY diagram. SECURITY is the base layer; CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY and AVAILABILITY sit on top of it.]
• The five basic principles that contribute to systems reliability:
– Security: access to the system and its data is controlled.
– Confidentiality: sensitive information is protected from unauthorized disclosure.
– Privacy: personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
– Processing integrity: data is processed accurately, completely, in a timely manner, and with proper authorization.
– Availability: the system is available to meet operational and contractual obligations.
INTRODUCTION
• Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:
– Restrict system access to only authorized users and protect:
• The confidentiality of sensitive organizational data.
• The privacy of personal identifying information collected from customers.
– Provide for processing integrity by preventing:
• Submission of unauthorized or fictitious transactions.
• Unauthorized changes to stored data or programs.
– Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
INTRODUCTION
• This chapter provides a broad introduction to the topic of information systems security.
• Anyone interested in a career in information systems security would need to undertake additional detailed study.
• Chapter 8 will discuss controls relevant to the other four reliability principles.
INTRODUCTION
• The press carries many stories about information security incidents including:
– Denial of service attacks
– Fraud
– Loss of trade secrets
– Identity theft
• Accountants and IS professionals need to understand basic principles of information security in order to protect their organizations and themselves.
COBIT and Trust Services
• Control Objectives for Information and related Technology (COBIT): a framework of the information systems controls required for achieving business and governance objectives.
[Figure: COBIT framework diagram; the only surviving label is "Adequate Controls".]
COBIT and Trust Services
• COBIT IT resources:
– Applications
– Information
– Infrastructure
– People
COBIT and Trust Services
• COBIT information criteria:
– Effectiveness
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance
– Reliability
COBIT and Trust Services
• COBIT domains:
– The four domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate) group the basic management activities for IT.
– They help organize the 34 generic IT control objectives, one for each COBIT process.