Question
Hello,
Please complete my assignment. My homework is related to my Accounting Information Systems class. I am struggling with it. Must type about one page.
Chapter 11 (Information Security and Computer Fraud)

Discussion Questions
1. Phishing is a type of social engineering. Give two examples of phishing.
4. Give an example of employee fraud, and identify reasons it may occur.

Problems
2. Many internal auditors and IT professionals believe wireless networks and mobile devices pose high risks in a firm's network system. Collect information to examine whether this concern is valid. If so, identify the risks and the general controls to help reduce these risks.

Attached lecture slides:

Chapter 11: Information Security and Computer Fraud
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Learning Objectives
LO#1 Describe the risks related to information security and systems integrity.
LO#2 Understand the concepts of encryption and authentication.
LO#3 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
LO#4 Define vulnerabilities, and explain how to manage and assess vulnerabilities.
LO#5 Explain issues in system availability, disaster recovery, and business continuity.

LO#1 Integrity and Information Security
Since 2003, information security management has been ranked as the top technology issue for CPAs. According to the AICPA, information security management is "an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats." The goal of information security management is to protect the confidentiality, integrity and availability (CIA) of a firm's information.
- Confidentiality: information is not accessible to unauthorized individuals or processes
- Integrity: information is accurate and complete
- Availability: information and systems are accessible on demand

LO#2 Encryption and Authentication
Encryption is a preventive control providing confidentiality and privacy for data transmission and storage. There are two algorithmic schemes that encode plaintext into non-readable form, or ciphertext:
Symmetric-key encryption
- fast and suitable for encrypting large data sets.
- both the sender and the receiver use the same key to encrypt and decrypt messages.
- managing one key for each pair of users is not cost-effective given the large number of users among firms.
Asymmetric-key encryption
- slow and not appropriate for encrypting large data sets.
- since each user has a pair of two keys, the public key and the private key, asymmetric-key encryption solves the problems in key distribution and key management.
- a common name for asymmetric-key encryption is public-key encryption or two-key encryption.
Authentication is a process that establishes the origin of information or determines the identity of a user, process, or device.

LO#2 Encryption and Authentication: Combination of the two methods
1. Both the sender and receiver use the asymmetric-key encryption method to authenticate each other.
2. Either the sender (or the receiver) generates a symmetric key (called a session key because it is valid for a certain timeframe only) to be used by both parties.
3. Use the asymmetric-key encryption method to distribute the session key. (For example, the sender uses the receiver's public key to encrypt the session key and sends it to the receiver. The receiver uses his/her own private key to decrypt it and get the session key.)
4. After both parties have the session key, use the session key to transmit confidential data/information. This is because using a symmetric key for encryption is faster in data transmission.

LO#2 Digital Signature
A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the document creator's private key. Digital signatures can:
- Ensure data integrity
- Prevent repudiation of transactions
Asymmetric-key encryption key factors:
- Certificate Authority (CA)
- digital certificate
- public key infrastructure (PKI)

LO#2 Digital Signature Process
1. Both the sender (A) and receiver (B) use the asymmetric-key encryption method to authenticate each other.
2. A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3. A encrypts the MD using A's private key to get A's digital signature.
4. A uses B's public key to encrypt the original document and A's digital signature (for confidentiality).
5. A sends the encrypted package to B.
6. B receives the package and decrypts it using B's private key. B now has the document and A's digital signature.
7. B decrypts A's digital signature using A's public key to get the sent-over MD. B also authenticates that A is the document creator (to assure nonrepudiation).
8. B makes a copy of the received document and uses SHA-256 to hash the copy and get a calculated MD.
9. If the sent-over MD is the same as the calculated MD, B ensures data integrity (no changes made to the document).

LO#3 Computer Fraud and Abuse
The International Professional Practices Framework (the IIA's IPPF) of the Institute of Internal Auditors (IIA) defines fraud as: "Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force."
According to the fraud triangle, three conditions exist for a fraud to be perpetrated:
- Incentive: provides a reason to commit fraud
- Opportunity: for the fraud to be perpetrated
- Rationalization: the individuals committing the fraud possess an attitude that enables them to rationalize the fraud

LO#3 Computer Fraud Risk Assessment
Global Technology Audit Guides (GTAG) common computer frauds:
- The theft, misuse, or misappropriation of assets by altering computer-readable records and files.
- The theft, misuse, or misappropriation of assets by altering the logic of computer software.
- The theft or illegal use of computer-readable information.
- The theft, corruption, illegal copying, or intentional destruction of computer software.
- The theft, misuse, or misappropriation of computer hardware.
Risk assessment steps:
1. Identifying relevant IT fraud risk factors.
2. Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
3. Mapping existing controls to potential fraud schemes and identifying gaps.
4. Testing operating effectiveness of fraud prevention and detection controls.
5. Assessing the likelihood and business impact of a control failure and/or a fraud incident.

LO#3 Computer Fraud Schemes (by system development phase)
Requirements Definition Phase
  Scenario: 195 illegitimate drivers' licenses are created and sold by a police communications officer who accidentally discovers she can create them.
  Oversights:
  - Lack of authentication and role-based access control requirements
  - Lack of segregation of duties
System Design Phase
  Scenarios:
  - A special function to expedite handling of cases allows two caseworkers to pocket $32,000 in kickbacks.
  - An employee realizes there is no computerized control in his firm's system, so he enters and profits from $20 million in fake health insurance claims.
  Oversights:
  - Insufficient attention to security details in automated workflow processes
  - Lack of consideration for security vulnerabilities posed by authorized system access
System Implementation Phase
  Scenario: An 18-year-old former Web developer uses backdoors he inserted into his code to access his former firm's network, spam its customers, alter its applications, and ultimately put the firm out of business.
  Oversight:
  - Lack of code reviews
System Deployment Phase
  Scenarios:
  - A computer technician uses his unrestricted access to customers' systems to plant a virus on their networks that brings the customers' systems to a halt.
  - A software engineer intentionally does not document or back up his source code, and then deletes the only copy of the source code once the system is in production.
  Oversights:
  - Lack of enforcement of documentation practices and back-up procedures
  - Unrestricted access to all customers' systems
System Maintenance Phase
  Scenarios:
  - A foreign currency trader covers up losses of $691 million over a five-year period by making unauthorized changes to the source code.
  - A logic bomb sits undetected for six months before finally performing a mass deletion of data at a telecommunications firm.
  Oversights:
  - Lack of code reviews
  - End-user access to source code
  - Ineffective back-up processes

LO#3 Computer Fraud Prevention and Detection
A fraud prevention program starts with a fraud risk assessment across the entire firm, performed by management, taking into consideration the firm's critical business divisions, processes, and accounts.
A fraud detection program should include an evaluation by internal auditors of the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities.

LO#4 Vulnerability Assessment and Management
Types of vulnerabilities within a physical IT environment (threat: vulnerabilities)
- Physical intrusion: external parties entering facilities without permission and/or providing access information; unauthorized hardware changes
- Natural disasters: no regular review of a policy that identifies how IT equipment is protected against environmental threats; inadequate or outdated measures for environmental threats
- Excessive heat or humidity: humidity alarm not in place; outdated devices not providing information on temperature and humidity levels
- Water seepage in a data center: server room located in the basement; clogged water drain
- Electrical disruptions or blackouts: insufficient backup power supply; no voltage stabilizer
Examples of vulnerabilities within an information system (threat: vulnerabilities)
- System intrusion (e.g., spyware, malware, etc.): software not patched immediately; open ports on a main server without router access; outdated intrusion detection/prevention system
- Logical access control failure: work performed not aligned with business requirements; poor choice of password; failure to terminate unused accounts in a timely manner
- Interruption of a system: improper system configuration and customization; poor monitoring of service level agreements (SLAs) with service providers

LO#4 Vulnerability Assessment and Management
Examples of vulnerabilities within the processes of IT operations (threat: vulnerabilities)
- Social engineering: employee training not providing information about social engineering attempts
- Unintentional disclosure of sensitive information by an employee: inappropriate data classification rule; poor user access management allows some users to retrieve sensitive information not pertaining to their roles and responsibilities
- Intentional destruction of information: not requiring approval prior to deleting sensitive data; poor employee morale; writable disk drive containing data which shall not be deleted, such as transaction logs
- Inappropriate end-user computing: ineffective training as to the proper use of computers; end-user computing policy has not been reviewed; poor firewall rules allowing users to access illegitimate websites

LO#4 An Overall Framework for Vulnerability Assessment and Management
Prerequisites:
1. Determine the main objectives of vulnerability management, as the firm's resources for managing vulnerabilities are limited.
2. Assign roles and responsibility for vulnerability management.
Main components:
Vulnerability assessment
  I. Identification: IT asset inventory; threat identification; vulnerability identification
  II. Risk assessment: vulnerability assessment; vulnerability prioritization
Vulnerability management
  III. Remediation: risk response plan; policy and requirements; control implementation
  IV. Maintenance: monitoring; ongoing assessment; continuous improvement

LO#5 Availability, Disaster Recovery and Business Continuity
A key component of IT service delivery and support is making sure the data is available at all times or, at a minimum, at the moment it is needed.
- Uninterruptible power supply
- Fault tolerance
- Virtualization or cloud computing

LO#5 Availability, Disaster Recovery and Business Continuity
Disaster recovery planning (DRP) identifies significant events that may threaten a firm's operations, outlining the procedures that ensure the firm's smooth resumption of operations in case such an event occurs.
Business continuity management (BCM) refers to the activities required to keep a firm running during a period of interruption of normal operations.
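The digital-signature process (steps 2, 3 and 7 to 9) and the session-key distribution step of the hybrid scheme (step 3) from the attached slides, worked through in Python as an added example; this is not part of the question, the textbook, or any answer on this page. It assumes only the Python standard library is available, so the asymmetric part is textbook RSA with its own Miller-Rabin prime generation, written purely to make the key flow visible; unpadded textbook RSA and 512-bit keys are not acceptable for real systems, where a vetted library with proper signature padding and 2048-bit or larger keys would be used. The sample document, the key sizes and all function names are constructed for the example.

```python
"""Added example: digital-signature process and session-key distribution.
Assumption: standard library only, so RSA is the textbook version (unpadded),
for illustration of the protocol flow, not for production use."""
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (helper for key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((e, n), (d, n)): the public key and the private key.
    A 512-bit modulus keeps the demo fast; it is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)                            # private exponent
    return (e, n), (d, n)


def message_digest(document: bytes) -> int:
    """Steps 2 and 8: SHA-256 message digest (MD), as an integer for RSA."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Step 3: A encrypts the MD with A's private key to get the signature."""
    d, n = private_key
    return pow(message_digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Steps 7-9: B decrypts the signature with A's public key to recover the
    sent-over MD, hashes the received document to get the calculated MD, and
    accepts only if the two match."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(document)


def wrap_session_key(session_key: int, receiver_public_key) -> int:
    """Hybrid scheme step 3: the sender encrypts the session key with the
    receiver's public key, so only the receiver's private key can recover it."""
    e, n = receiver_public_key
    return pow(session_key, e, n)


def unwrap_session_key(wrapped: int, receiver_private_key) -> int:
    """The receiver recovers the session key with his/her own private key."""
    d, n = receiver_private_key
    return pow(wrapped, d, n)


def demo():
    """Full exchange between sender A and receiver B on a constructed document.
    Returns (signature accepted, tampered copy rejected, wrong signer rejected,
    session key recovered)."""
    a_public, a_private = generate_keypair()
    b_public, b_private = generate_keypair()
    document = b"Invoice 1001: pay $4,500 to Vendor X"   # constructed sample
    tampered = b"Invoice 1001: pay $45,000 to Vendor X"  # one digit inserted
    signature = sign(document, a_private)
    results = (
        verify(document, signature, a_public),      # integrity + nonrepudiation
        not verify(tampered, signature, a_public),  # MDs differ, so rejected
        not verify(document, signature, b_public),  # B's key cannot vouch for A
    )
    session_key = secrets.randbits(128)
    recovered = unwrap_session_key(wrap_session_key(session_key, b_public), b_private)
    return results + (recovered == session_key,)


if __name__ == "__main__":
    print(demo())
```

Running the file prints `(True, True, True, True)`: the signature checks out on the original document, fails on the copy with a single inserted digit (the calculated MD no longer equals the sent-over MD), fails when checked against the wrong public key (so only A's key could have produced it, which is the nonrepudiation argument), and the session key wrapped with B's public key comes back intact with B's private key. The slides' step 4 of the signature process (encrypting the whole package for confidentiality) is omitted because bulk encryption would be done with a symmetric cipher from a library, exactly as the hybrid scheme recommends.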