Chapter EightGeneral ControlsSecurity PlansProject Development ControlsIA DHS RevisitedMission ImpossibleLogic ControlsMore Logic Access ControlParanoia or Security?Simple MeasuresEncryptionRouting VerificationDocumentationIC as Prevention“Every Day is Y2K”When do you press the “save” key?Disaster Recovery PlanAlternative SitesInternet Controls (a different “IC”)Application ControlsAuditor UsageChapter EightCBIS and ChecklistsGeneral Controls•12 controls•Planning, controls, standards, security•Continuous updating–e.g., C&L 66% of firms inadequate monitoring•Plans made -- not implementedSecurity Plans•Who•What•When•WhichProject Development Controls•Long-range, 3-5 year, master plan–and, what happens next year?•Project Development Plan - use milestones•DP Schedule - comp resources as “scarce”•Define responsibility / method of evaluation•Postimplementation Review / MeasureIA DHS Revisited•$12 million project development•Failed (at point of success?)•Funding ended•Project development failure?•Or, communication failure?Mission Impossible•Limit physical access•Limit access to computer logic•Problem - insiders–where are my tennis shoes?•Security breaches–the Net?Logic Controls•Passwords–random assignment,•ID cards–use your PIN number for CC purchases?–Active badges (as opposed to inactive?)•Biometric Identification–permit or limit access–cocaine residue on a four year old–“sniffer” at the airportMore Logic Access Control•Compatibility Tests–multiple layers of passwords for access to records–screen passwords, e.g., payroll–print passwords, e.g., contracts–e-mail attachment controls?Paranoia or Security?•Outside workers with access–Webco customer list theft•CIA director - national security on home PC•Mattel stolen laptopsSimple Measures•Property listing in files–resume example•Floppy read/write limits•File passwords•Volume names•External labelsEncryption•Private key only–threat?•Public key only–threat?•Public and Private Keys–threat?Routing Verification•Great for phone callers–Too busy now, can I call you back?–Verify the caller’s identity and authorization•Automated - as discussed in your textDocumentation•Administrative–overall uses and change authorization•System–flowcharts, narrative, libraries•Operating–hardware & software program considerationsIC as Prevention•UPS•Preventive maintenance–RAM test–Microprocessor test–Hard and Removable Disk interfaces“Every Day is Y2K”•Disaster Recovery Plans–e.g., your grades–WTC bombing 43% of firms failed•Electronic vaulting–“my computer” default and mail on a server–backup nightly•Backup–Master Vs. Transaction filesWhen do you press the “save” key?When should you complete a system backup?Disaster Recovery PlanPress release: who, what, when, where, why•Prioritize the process (what)•Backup data and program files (when, where)•Have specific assignments (who)•Complete recovery documentation (why)•Alternative (backup) telecommunication sites (where II)Alternative Sites•Alliances•Hot site–fully configured–current copies of most recent backups–access guaranteed, ready to run•Cold site–no equipment in-place–contracts provided to provide service on-demandInternet Controls(a different “IC”)•NWS - six Denmark hackers–NWS goes down, airlines stop flying–Anyone see a business opportunity here?•Firewalls, tunneling, •Separate systems–external (in-coming) internet site–internal intranetApplication ControlsData entry and reporting controls•Source Data Controls•Input Validation Routines•On-Line Data Entry Controls•DP and File Maintenance Controls•Output ControlsAuditor Usage•Page 263 and