Week 2C Flashcards

1
Q

Access Control

A
  • Identification: the subject claims an identity (e.g. a login name)
  • Authentication: the subject proves that claim: password (something you know); secret key or token (something you have); biometrics (something you are)
  • Authorization: what the authenticated subject may do: read/write/execute rights; Role-based Access Control (RBAC)
2
Q

Access Control: read-write-execute rights

A
  • Confidentiality: who may read?
  • Integrity: who may write, or execute?

3
Q

Organizing access control

A
  • Access control based on groups (e.g. in Unix)
  • Access control based on individuals

4
Q

Access control based on groups

A
  • People with the same function get the same access rights through membership of a group
  • But: no individual accountability: rights and actions are traced to the group, not to the person
  • But: an individual can be a member of several groups, so the combined rights may exceed what any single function needs (access violation, e.g. broken segregation of duties)
5
Q

Access control based on individuals

A
  • Individuals are held accountable (traceability)
  • But: access control policies are hard to develop, implement and test (one set of rights per person)

6
Q

DAC: discretionary access control

A

Protection is left to the discretion of the object's owner (or the system operator): the owner decides who else may read, write or execute the object, e.g. Unix file permissions set by the file's owner

7
Q

MAC: mandatory access control

A

The policy is fixed by the system itself (vendor or administrator) and cannot be overridden by users or by the programs they run: protect the OS against malware from within

  • e.g. Trusted Platform Module (TPM) measured boot: each boot stage hashes (measures) the next stage into the TPM before running it; a key (e.g. the disk-encryption key) is sealed to the expected chain of hashes and is only released when every stage matches, so a modified stage cannot obtain it; used by BitLocker in Windows Vista (2006)
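The measured-boot mechanism behind that TPM example, as an added illustration that is not part of the original flashcards and not real TPM firmware: a PCR that can only be extended, a boot chain whose stages are measured before they run, and a secret sealed to the expected PCR value. The boot-stage images, the storage key and the disk key are constructed stand-ins; the sealing uses HMAC-SHA256 as a simplified model of the TPM's internal storage key and PCR policy.

```python
import hashlib
import hmac

# Constructed boot chain (hypothetical stage images). On real hardware these are the firmware,
# bootloader and kernel binaries that each stage hashes before handing over control.
GOOD_CHAIN = [b"firmware v1.0", b"bootloader v2.3", b"kernel 6.1 + initrd"]

# Constructed stand-in for the TPM's storage root key; on a real chip it never leaves the TPM.
TPM_STORAGE_KEY = hashlib.sha256(b"example storage root key").digest()


def extend_pcr(pcr: bytes, stage_image: bytes) -> bytes:
    """TPM 'extend': PCR_new = SHA-256(PCR_old || SHA-256(stage)). A PCR can only be extended,
    never written directly, so the final value commits to every stage and to their order."""
    measurement = hashlib.sha256(stage_image).digest()
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain) -> bytes:
    """Run the boot chain: each stage is measured into the PCR before it executes."""
    pcr = bytes(32)  # PCRs are all-zero after a platform reset
    for stage in chain:
        pcr = extend_pcr(pcr, stage)
    return pcr


def _wrap_key(pcr: bytes) -> bytes:
    # Wrapping key derived from the TPM secret and the PCR value: only the expected PCR
    # value reproduces the key that was used at sealing time.
    return hmac.new(TPM_STORAGE_KEY, pcr, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Seal a secret of at most 32 bytes (e.g. a disk-encryption key) to an expected PCR value."""
    assert len(secret) <= 32
    k = _wrap_key(expected_pcr)
    keystream = hmac.new(k, b"enc", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(k, b"mac" + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unseal(blob: bytes, current_pcr: bytes):
    """Release the secret only if the current PCR reproduces the wrapping key; otherwise None."""
    ciphertext, tag = blob[:-32], blob[-32:]
    k = _wrap_key(current_pcr)
    expected_tag = hmac.new(k, b"mac" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # a real TPM refuses the unseal when the PCR policy is not satisfied
    keystream = hmac.new(k, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def demo():
    disk_key = hashlib.sha256(b"constructed disk key").digest()
    blob = seal(disk_key, measured_boot(GOOD_CHAIN))  # done once, on a known-good boot

    # Boot again with an unmodified chain: the key is released.
    released = unseal(blob, measured_boot(GOOD_CHAIN))

    # A bootkit replaces the bootloader: the PCR differs, so the key is not released.
    tampered = [GOOD_CHAIN[0], b"bootloader v2.3 + rootkit", GOOD_CHAIN[2]]
    refused = unseal(blob, measured_boot(tampered))

    # The same stages in a different order also fail: extend is order-sensitive.
    reordered = unseal(blob, measured_boot(list(reversed(GOOD_CHAIN))))
    return released == disk_key, refused is None, reordered is None


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that the protection is mandatory: no user or program can hand the key to a modified bootloader, because the key only exists once the measured chain matches; the price is that a legitimate update to any stage also changes the PCR, so keys must be re-sealed as part of change management.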

8
Q

Role-based Access Control (RBAC)

A
  • RBAC: separate subjects from permissions by an abstraction called a role: permissions are granted to roles, and roles are assigned to subjects
  • Dynamic Segregation of Duties: some roles or permissions may not be combined for one object or session, but may be combined in general (Botha and Eloff 2001)
  • e.g. one person may hold the roles of bank employee and bank client, but may not act in both roles on the same mortgage!
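An added example, not part of the original flashcards, covering the last few cards together: rights attached to roles (the group-based idea), an audit trail that records the individual (the accountability that groups alone lack), and the dynamic segregation-of-duties rule from the mortgage example. The bank, its roles, permissions and users are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed roles and permissions for a hypothetical bank. Rights attach to the role
# (the function), not to the person, as in group-based access control.
ROLE_PERMS = {
    "mortgage_officer": {"mortgage:read", "mortgage:approve"},
    "client":           {"mortgage:read", "mortgage:apply"},
    "auditor":          {"mortgage:read"},
}

# Dynamic segregation of duties: a user may hold both roles of a pair, but may not
# exercise both of them on the same object.
CONFLICTING_ROLES = {frozenset({"mortgage_officer", "client"})}


@dataclass
class RBAC:
    user_roles: dict                              # user -> set of assigned roles
    history: list = field(default_factory=list)   # (user, role, permission, obj): the audit trail

    def authorize(self, user, role, permission, obj):
        """Decide one request made by `user` acting in `role`. Returns (allowed, reason)."""
        if role not in self.user_roles.get(user, set()):
            return False, f"{user} is not assigned role {role}"
        if permission not in ROLE_PERMS.get(role, set()):
            return False, f"role {role} does not grant {permission}"
        # Dynamic SoD: deny if this same person already acted on this object in a conflicting role.
        for prev_user, prev_role, _perm, prev_obj in self.history:
            if (prev_user == user and prev_obj == obj and prev_role != role
                    and frozenset({prev_role, role}) in CONFLICTING_ROLES):
                return False, (f"{user} already acted on {obj} as {prev_role}; "
                               f"acting as {role} would break segregation of duties")
        # Log the individual, not only the role, so every action stays traceable to a person.
        self.history.append((user, role, permission, obj))
        return True, "ok"

    def trail(self, obj):
        """Who did what on an object: the accountability that pure group-based control lacks."""
        return [(u, r, p) for u, r, p, o in self.history if o == obj]


def demo():
    rbac = RBAC(user_roles={
        "alice": {"mortgage_officer", "client"},   # employee who is also a customer: fine in general
        "bob":   {"mortgage_officer"},
        "carol": {"auditor"},
    })
    decisions = [
        rbac.authorize("alice", "client", "mortgage:apply", "M-1001")[0],             # True
        rbac.authorize("alice", "mortgage_officer", "mortgage:approve", "M-1001")[0], # False: her own mortgage
        rbac.authorize("bob", "mortgage_officer", "mortgage:approve", "M-1001")[0],   # True: a colleague approves
        rbac.authorize("alice", "mortgage_officer", "mortgage:approve", "M-2002")[0], # True: someone else's mortgage
        rbac.authorize("carol", "auditor", "mortgage:approve", "M-2002")[0],          # False: role lacks permission
        rbac.authorize("carol", "client", "mortgage:read", "M-2002")[0],              # False: role not assigned
    ]
    return decisions, rbac.trail("M-1001")


if __name__ == "__main__":
    print(demo())
```

Note that the conflict is only detectable because the history records the person: had the log said only "a mortgage officer approved M-1001", the check could not know that the officer and the applicant were the same individual.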
9
Q

Confidentiality: the three security properties (Bell-LaPadula model)

A
  1. The Simple Security Property: a subject at a given security level may not read an object at a higher security level (no read-up).
  2. The ★-property: a subject at a given security level may not write to any object at a lower security level (no write-down), so a program running on behalf of a high-level subject cannot leak what it read into a low-level object.
  3. The Discretionary Security Property: in addition, every access must be permitted by an entry in the access control matrix.
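The three properties applied to concrete requests, as an added example that is not part of the original flashcards. The security levels, the objects and the access matrix are constructed; the levels form a simple linear ordering, although the model works over any lattice.

```python
# Constructed linear ordering of security levels, low to high. The model works for any
# lattice; a linear one keeps the dominance check to an integer comparison.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def dominates(a, b):
    """True if level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]


def blp_check(subject, subject_level, obj, object_level, mode, matrix):
    """Apply the three properties to one access request; all must hold. Returns (allowed, reason).
    mode is 'read' or 'write' ('write' covers any operation that alters the object)."""
    if mode == "read" and not dominates(subject_level, object_level):
        return False, "simple security property: no read-up"
    if mode == "write" and not dominates(object_level, subject_level):
        return False, "*-property: no write-down"
    if mode not in matrix.get((subject, obj), set()):
        return False, "discretionary security property: not permitted by the access matrix"
    return True, "ok"


def demo():
    # Constructed access matrix: the discretionary part, set by the objects' owners.
    matrix = {
        ("analyst", "report"):        {"read", "write"},
        ("analyst", "cable"):         {"read"},
        ("analyst", "briefing"):      {"read", "write"},
        ("analyst", "press_release"): {"read", "write"},
    }
    object_levels = {"report": "SECRET", "cable": "TOP_SECRET",
                     "briefing": "TOP_SECRET", "press_release": "UNCLASSIFIED"}
    requests = [
        ("report", "read"),          # same level: allowed
        ("cable", "read"),           # read-up: denied by the simple security property
        ("briefing", "write"),       # write-up: BLP allows it (a 'blind' write), matrix permits
        ("press_release", "read"),   # read-down: allowed
        ("press_release", "write"),  # write-down: denied even though the matrix would permit it
        ("cable", "write"),          # write-up that the matrix does not permit: denied
    ]
    return [blp_check("analyst", "SECRET", o, object_levels[o], m, matrix)[0]
            for o, m in requests]


if __name__ == "__main__":
    print(demo())
```

The third request shows the model's limit: a SECRET subject may write into a TOP_SECRET briefing it cannot read back, because the properties protect confidentiality only and say nothing about integrity, which is what the next card addresses. Many implementations therefore tighten the ★-property to "write only at your own level".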
10
Q

Integrity of Information

A
  • Internal consistency: the data meet their integrity constraints
  • External consistency: the data correspond to 'reality'
  • An integrity verification procedure (IVP) checks whether a data set is valid, i.e. meets all applicable integrity constraints
  • A transformation procedure (TP) (1) validates newly entered input data before accepting it, and (2) is constructed so that every authorized transformation takes valid data to valid data; only such certified TPs may change the data (Clark-Wilson model)
  • Requires IT general controls, incl. testing and change management (of the TPs themselves)!
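An IVP and a TP over a small double-entry ledger, as an added example that is not part of the original flashcards. The chart of accounts, the postings and the "DBA edits the table directly" scenario are constructed; the ledger is the constrained data, the posting request is the unconstrained input.

```python
import copy

ACCOUNTS = {"cash", "receivables", "sales"}   # constructed chart of accounts


class Ledger:
    """Constrained data items: a journal of double-entry postings and the balances derived from it."""
    def __init__(self):
        self.journal = []                          # list of {"debit": acct, "credit": acct, "amount": cents}
        self.balances = {a: 0 for a in ACCOUNTS}


def derived_balances(journal):
    bal = {a: 0 for a in ACCOUNTS}
    for e in journal:
        bal[e["debit"]] += e["amount"]
        bal[e["credit"]] -= e["amount"]
    return bal


def ivp(ledger):
    """Integrity verification procedure: list every violated constraint (empty list = valid).
    These are internal-consistency checks; external consistency (do the balances match the bank
    statement?) needs a reconciliation against an outside source and cannot be checked here."""
    problems = []
    for i, e in enumerate(ledger.journal):
        if e["debit"] not in ACCOUNTS or e["credit"] not in ACCOUNTS:
            problems.append(f"entry {i}: unknown account")
        if type(e["amount"]) is not int or e["amount"] <= 0:
            problems.append(f"entry {i}: amount must be a positive integer number of cents")
        if e["debit"] == e["credit"]:
            problems.append(f"entry {i}: debit and credit account are the same")
    if not problems and ledger.balances != derived_balances(ledger.journal):
        problems.append("balances do not match the journal")
    if sum(ledger.balances.values()) != 0:
        problems.append("ledger does not balance (debits != credits)")
    return problems


def tp_post(ledger, debit, credit, amount):
    """Transformation procedure: (1) validate the unconstrained input, (2) apply it atomically so
    that a valid ledger is still valid afterwards. Raises ValueError and changes nothing otherwise."""
    if type(amount) is not int:
        raise ValueError("amount must be an integer number of cents")
    trial = copy.deepcopy(ledger)                  # work on a copy: all or nothing
    trial.journal.append({"debit": debit, "credit": credit, "amount": amount})
    trial.balances[debit] = trial.balances.get(debit, 0) + amount
    trial.balances[credit] = trial.balances.get(credit, 0) - amount
    problems = ivp(trial)                          # the input is acceptable iff the result is valid
    if problems:
        raise ValueError("; ".join(problems))
    ledger.journal, ledger.balances = trial.journal, trial.balances
    return ledger


def demo():
    ledger = Ledger()
    tp_post(ledger, "cash", "sales", 1500)          # cash sale
    tp_post(ledger, "receivables", "sales", 2500)   # sale on credit
    valid_after_tps = ivp(ledger) == []
    rejected = []
    for bad in [("cash", "sales", -5), ("cash", "petty_cash", 10),
                ("cash", "cash", 10), ("cash", "sales", 9.99)]:
        try:
            tp_post(ledger, *bad)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    unchanged_by_rejects = ivp(ledger) == [] and len(ledger.journal) == 2
    # A change that bypasses the TP (a DBA editing the balance table directly) breaks the
    # constraints; the IVP detects it even though no TP ever ran.
    ledger.balances["cash"] += 1000
    return valid_after_tps, rejected, unchanged_by_rejects, ivp(ledger)


if __name__ == "__main__":
    print(demo())
```

The last step is why the card ends with IT general controls: the TP keeps the data valid only while every change goes through it, so write access to the tables must be restricted to the TPs, the TPs themselves must be tested and changed under change management, and the IVP must run periodically to catch anything that got around them.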
11
Q

Availability

A
  • Build redundancy into infrastructure : avoid single point of failure.
  • Can be expressed in ‘up-time’ or service windows.
    • “uptime 99% 24/7, except Saturdays between 20.00 and 23.00”
  • Continuity management: a process of intelligence gathering about needs, risks and response, to reduce downtime.
  • Capacity management: monitoring and predicting how much capacity is used and how much will be needed.
  • Backup and restore: must be tested (under emergency conditions)
  • Now: mostly in the cloud (virtualization)
    • Data storage
    • Processing power
12
Q

What is audit?

A

“Auditing is the systematic process of objectively obtaining and evaluating evidence regarding assertions about economic activities and events to ascertain the degree of correspondence between the assertions and established criteria, and communicate the results to interested users” (American Accounting Association, 1972).

“Audit is testing to a norm”

13
Q

Audit (regulatory supervision): based on a paradox

A
  • Accountability: management must provide reliable evidence of financial results (compliance) to stakeholder (regulator)
  • Paradox: the evidence is generated by procedures and information systems that are controlled by the party being regulated
  • Internal controls: precautions built into the processes, information systems and governance structure to ensure reliability
  • Audit: provide assurance over reliability (accuracy and completeness) of the evidence, and hence over reliability of internal controls
14
Q

What is internal control?

A

“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations” (COSO 1992)

15
Q

5 pillars of COSO

A
  • Control environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
16
Q

Designing Control Measures

A

Control measures: measures implemented to prevent, or else to detect and correct a control risk, i.e. an event that might result in not meeting objectives.

  • Preventative measures: make risk (nearly) impossible to occur
    • E.g. pay before deliver
    • E.g. purchase orders authorized up to € 6000, or additional approval
  • Detective measures: make sure no risks go unnoticed
    • E.g. all purchase orders are recorded, and verified against inventory needs, and list of known suppliers before being approved.
    • E.g. payment is verified against invoice, purchase order and delivery
    • E.g. monthly totals are compared to yearly averages
  • Corrective measures: when detected, react appropriately (respond and recover)
    • E.g. CFO will cancel purchase orders to unknown suppliers
    • E.g. in case of incident, Twitter team is ready to counter negative image
17
Q

Segregation of Duties

A
  • Authorize | Execute | Record
  • Authorize | Store | Record
  • Two consecutive steps in a business process should be performed by different people
  • IT systems:
    • HR manager (authorize) | system administrator (execute) | system logs (record)
    • Development, Testing | Acceptance | Production: separate environments and separate staff
18
Q

Three kinds of IT audits:

A
  • Design: system is adequate for its purpose
  • Implementation: design is effectively implemented and operational; procedures are known and used
  • Operating effectiveness: system is effectively operational, for the full duration of the period
    • sample; for each item a walk-through or test of controls
19
Q

Three lines of Defense

A

1st line of Defense: Management Controls & Internal Control Measures
2nd line of Defense: Financial Control, Security, Risk Management, Quality, Inspection, Compliance
3rd line of Defense: Internal Audit

All three lines report to Senior Management
The 3rd line also reports to the Governing Body / Board / Audit Committee

20
Q

Three feedback loops

A
  • Monitoring of incidents and follow up – learning (e.g. weekly)
  • Risk assessment and re-evaluation of adequacy of controls (e.g. yearly)
  • External reasons for adjustment (when required, or e.g. yearly)
21
Q

Criticism on COSO ERM

A
  • Since the COSO framework and the accounting scandals a huge 'industry' of risk management has developed, in particular in the financial industry. Michael Power is critical of the way risk management has taken shape: “The security provided by ERM is at best limited to certain states of the world and at worst it is illusory: the risk management of nothing”.
  • In particular, he observes that risk management did little to prevent or slow down the financial crisis.
  • Nothing about systemic risks
  • Nothing about comparability of risk across departments
  • Tends to be based on risks that are easy to measure and record
  • Real risks are about human decisions: e.g. Lehman Brothers (Valukas report)
22
Q

Conclusions

A
  • Security architecture: thinking in layers (assume-guarantee)
  • Internal Control: a coherent system of control measures to ensure the organization meets its objectives
  • Reliability of evidence (accuracy and completeness)
  • Continuity: effectiveness of processes, profitability
  • Compliance: demonstrate adherence to laws and regulations (evidence)
  • Risk management: a systematic means to make trade-offs
  • However: Power (2009) criticizes COSO ERM (bias towards measurable risks; no systemic risk)