GENERAL CONTROLS FOR IT SYSTEMS (STUDY OBJECTIVE 2)

The general controls described in this section are divided into five broad categories:

  1. Authentication of users and limiting unauthorized access
  2. Hacking and other network break-ins
  3. Organizational structure
  4. Physical environment and physical security of the system
  5. Business continuity

AUTHENTICATION OF USERS AND LIMITING UNAUTHORIZED ACCESS

Authentication of users is a process or procedure in an IT system to ensure that the person accessing the IT system is a valid and authorized user. Attempts by unauthorized users to access IT systems are a prevalent, difficult, and ongoing problem that organizations must try to control. Unauthorized users may be hackers or other people outside the organization, or users within the company trying to gain access to data they are not entitled to. To limit unauthorized access, many general controls should be in place.

First, it is important to authenticate users as they attempt to access the IT system. Users may be authenticated in one or more of several ways. An IT system should require that users log in with a distinct user identification, or user ID, and password. To log in means to make the computer recognize you in order to create a connection at the beginning of a computer session. To make log-in restrictions effective, user IDs must be unique for each user, so that every action can later be traced to one person. A password is a secret set of characters that identifies the user as the authentic owner of the associated user ID. Passwords should be at least eight characters in length and contain at least one nonalphanumeric character; such passwords are difficult to guess. For example, a password such as xEq7f$23 would be much more difficult to guess than the user's initials. Passwords should also be case-sensitive, should never be stored or transmitted in readable form, and should be changed whenever there is reason to believe they have been exposed. Many organizations still require a change every 90 days; current guidance from the U.S. National Institute of Standards and Technology (NIST Special Publication 800-63B) instead favors longer passwords, screening new passwords against lists of known-breached values, and forcing a change only on evidence of compromise, because scheduled changes push users toward predictable variations of the old password. The weak link in passwords is the human aspect. Many people have trouble remembering passwords, particularly when the password meets the strict criteria just mentioned. In addition, many people have several passwords for the different work and private systems they access. Therefore, some users write passwords down and keep them under the keyboard or in a drawer, which defeats the purpose of having passwords; an approved password manager is a safer answer to the same problem. Due to the weaknesses in passwords, some organizations use passwords in conjunction with other tools such as smart cards, tokens, and biometrics.

The use of passwords can be strengthened by a physical device that the user carries. A smart card is a credit card–sized device with an embedded integrated circuit. The card is inserted into a card reader attached to the computer, and the chip proves that the genuine card is present by answering a cryptographic challenge with a secret key that cannot be read out of the card. A closely related device, the one-time-password (OTP) token, carries a small display showing a code that changes on a fixed schedule, on most devices every 30 to 60 seconds. The user enters her password and then the code currently shown on the token. The code is not a new user ID but a second proof that the person logging in holds the device, and a code that has already been used or has expired is rejected.

A newer technology to authenticate users is a security token, which plugs into the USB port and thereby eliminates the need for a card reader. Otherwise, the purpose and use of the security token are the same as those of a smart card. Exhibit 4-3 shows the size and portability of a USB security token.


Exhibit 4-3 A USB Security Token

The use of smart cards or tokens can reduce unauthorized access, since the person who logs in must physically possess and use the smart card or token. The authentication of the user is called two-factor authentication because it is based on something the user has, the token, and something the user knows, the password. A hacker located several hundred miles away from the organization would not have access to the smart card or token. The remaining weakness is the user: a fraudulent website that asks for the password and the current token code, and relays both to the real system before the code expires, still gets in. Users should therefore be trained to confirm that they are entering a code into the organization's own log-in page, and the organization should watch its logs for log-ins from unfamiliar locations.

Biometric devices can also be used to authenticate users and limit unauthorized access. Biometric devices use some unique physical characteristic of the user to identify the user and allow the appropriate level of access to that user. Examples of physical characteristics used in biometric devices are fingerprint matching, retina or iris scans, voice verification, and face verification. Of these methods, fingerprint recognition is the most widely used technology. For example, it is possible to buy a mouse with a small window for your thumb or finger that scans the fingerprint to authenticate the user. Biometric devices are intended to allow only the authorized user to log in, according to his or her unique fingerprint, iris, voice, or facial features. Biometric devices are becoming more popular as their prices decrease and their reliability increases. Two cautions apply: every biometric device trades off false rejections of valid users against false acceptances of impostors, and unlike a password, a fingerprint or face cannot be reissued if a copy of it leaks, so stored biometric templates must be protected at least as carefully as passwords.

All of the methods described here are intended to limit log-ins exclusively to authorized users. However, none of these methods is foolproof, and it is important to have additional controls. First, all accesses should be logged. The organization should maintain a computer log of all log-ins. This log serves two purposes. First, the log is a complete record of the dates, times, and uses for each user ID. Any abnormality in log-in or use can be examined in more detail to determine weaknesses in the log-in procedures. Second, the log-in procedures and logs support nonrepudiation. Nonrepudiation means that a user cannot deny a particular act that he or she performed on the IT system. That is, if a user logged in and changed data fraudulently, the log-in procedures and logs help establish which user ID took the action. The log is only as trustworthy as its protection: it should be written to a system that the logged users, including administrators, cannot alter, its clocks should be synchronized, and user IDs should never be shared, or the record shows a user ID but not a person. Where a transaction must be provable to an outside party, for example a customer order that is later disputed, a log entry is weaker evidence than a digital signature made with a key that only the customer holds, since the organization controls its own log. Still, requiring customers to log in before ordering, and keeping the resulting log, gives the organization a record with which to answer a customer who denies initiating a transaction.

The log-in procedure should also be designed so that the session is terminated, and the account temporarily locked, after three unsuccessful attempts, and these terminated sessions should be logged like any other. The lock should expire after a short interval or be cleared by a help desk that verifies the caller's identity, because a permanent lock would allow an attacker who knows only user IDs to lock every legitimate user out. The purpose of the log is to allow proper follow-up when there are patterns of abnormal or terminated log-ins, including patterns a per-account count alone does not reveal, such as one source address failing once each against many different user IDs.
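The follow-up the text calls for starts with reading the log. The Python below is an added example, not part of the book or of any real product; the log format and every line in it are constructed for illustration. It applies the per-account rule from the text (three failures within a short window) and also the source-address check mentioned above, which catches an attacker who spreads single attempts across many accounts and never trips the per-account lockout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not from any real system):
#   <ISO timestamp> <OK|FAIL|LOCKOUT> user=<user id> src=<source address>
SAMPLE_LOG = """\
2024-03-04T08:00:01 FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:09 FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:15 FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:20 LOCKOUT user=jsmith src=203.0.113.5
2024-03-04T08:01:00 FAIL user=alee src=203.0.113.5
2024-03-04T08:01:02 FAIL user=bwong src=203.0.113.5
2024-03-04T08:01:05 FAIL user=cdiaz src=203.0.113.5
2024-03-04T08:01:07 FAIL user=dkim src=203.0.113.5
2024-03-04T08:05:00 OK user=alee src=198.51.100.7
2024-03-04T13:30:00 FAIL user=mroy src=198.51.100.9
2024-03-04T13:45:00 OK user=mroy src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL|LOCKOUT) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, source) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def _burst(times, threshold, window):
    """True if `threshold` timestamps fall within any `window`-long interval."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False


def find_suspicious(events, threshold=3, window=timedelta(minutes=5)):
    """Return (locked_users, spraying_sources).

    locked_users: user IDs with `threshold` or more FAILs inside `window` (the lockout rule).
    spraying_sources: source addresses that failed against `threshold` or more *different*
    user IDs inside `window`, the pattern a per-user count never sees."""
    per_user = defaultdict(list)
    per_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":          # LOCKOUT and OK are not counted as attempts
            per_user[user].append(ts)
            per_src[src].append((ts, user))

    locked_users = {u for u, times in per_user.items() if _burst(times, threshold, window)}

    spraying_sources = set()
    for src, items in per_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users_hit = {u for t, u in items[i:] if t - t0 <= window}
            if len(users_hit) >= threshold:
                spraying_sources.add(src)
                break
    return locked_users, spraying_sources


if __name__ == "__main__":
    users, sources = find_suspicious(parse(SAMPLE_LOG))
    print("accounts meeting the lockout rule:", sorted(users))
    print("sources spreading attempts across accounts:", sorted(sources))
```

On the constructed log, jsmith's three failures in fourteen seconds trip the lockout rule, and 203.0.113.5 is flagged as well because it failed against five different accounts within five minutes, even though four of those accounts saw only one failure each.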

After a user logs in with valid authentication, the access granted in the IT system should be limited by the user profile. The user profile, which should be established for every authorized user, determines each user's access to hardware, software, and data according to the individual's job responsibilities; the principle of granting only the access a job requires is called least privilege. For example, an employee who enters payroll data does not need access to sales data, so this user's access to sales data should be restricted. The level of access is recorded in authority tables. An authority table contains a list of valid, authorized users and the access level granted to each one for each resource. For instance, one user within the payroll area may need to both read and write data, while another may need only read access. Authority tables are an integral part of the computer system: when a user logs in, the system looks up the nature and type of access to which that user is entitled and denies anything not explicitly granted. Because job responsibilities change, the table itself should be reviewed periodically so that access accumulated in former positions is removed. A sample authority table is illustrated in Exhibit 4-4.


Exhibit 4-4 Authority Table

The IT system also has configuration tables for hardware, software, and application programs that contain the appropriate set-up and security settings. It is important to limit user access to these configuration tables so that security settings are not changed by unauthorized users. The hardware and operating system configuration table contains security and operating settings for hardware and the operating system. The application software configuration table contains security and operating settings for the application software. In a large-scale IT system, access to configuration tables is limited by the user profile and by control of physical access to the tables. The user ID and password for a particular user should not allow access to the configuration tables unless that user is authorized to change configuration settings, and every change to a configuration table should itself be logged and reviewed, since a person who can alter security settings can switch off every other control described in this section.
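To make the authority-table lookup, and the separate protection of configuration tables, concrete, the following Python is an added example; it is not from the text or any real system, and the user IDs, resource names, and table contents are constructed for illustration (Exhibit 4-4 is not reproduced). It goes one step beyond the text by including the periodic review just mentioned, here checking for a profile that can both change a configuration table and write operational data.

```python
from enum import Flag, auto


class Access(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


RW = Access.READ | Access.WRITE

# Constructed authority table: user ID -> {resource: access granted}.
# Any (user, resource) pair that is not listed is denied (default deny).
AUTHORITY_TABLE = {
    "payclerk1": {"payroll_data": RW},
    "payaudit1": {"payroll_data": Access.READ},
    "salesrep1": {"sales_data": RW},
    "sysadmin1": {"os_config": RW, "app_config": RW},
    "devops1":   {"app_config": RW, "payroll_data": RW},   # deliberately over-privileged
}

CONFIG_TABLES = {"os_config", "app_config"}       # the configuration tables of the text
OPERATIONAL_DATA = {"payroll_data", "sales_data"}


def lookup(user_id, resource):
    """Access granted to `user_id` on `resource`; NONE when either is unknown."""
    return AUTHORITY_TABLE.get(user_id, {}).get(resource, Access.NONE)


def is_permitted(user_id, resource, wanted):
    """True only if every right in `wanted` is present in the table entry."""
    return (lookup(user_id, resource) & wanted) == wanted


def authorize(user_id, resource, wanted, audit_log):
    """Enforce the table and record every decision, allowed or not, in the audit log."""
    decision = is_permitted(user_id, resource, wanted)
    audit_log.append({"user": user_id, "resource": resource,
                      "wanted": wanted.value, "allowed": decision})
    return decision


def review_table(table=AUTHORITY_TABLE):
    """Periodic review: return users who can change a configuration table AND write
    operational data, a combination that lets one person alter the security settings
    and then alter the data those settings protect."""
    findings = []
    for user, grants in table.items():
        can_change_config = any(Access.WRITE in a for r, a in grants.items() if r in CONFIG_TABLES)
        can_write_data = any(Access.WRITE in a for r, a in grants.items() if r in OPERATIONAL_DATA)
        if can_change_config and can_write_data:
            findings.append(user)
    return sorted(findings)


if __name__ == "__main__":
    log = []
    print("payclerk1 may write payroll:", authorize("payclerk1", "payroll_data", Access.WRITE, log))
    print("payaudit1 may write payroll:", authorize("payaudit1", "payroll_data", Access.WRITE, log))
    print("payclerk1 may read app_config:", authorize("payclerk1", "app_config", Access.READ, log))
    print("profiles needing review:", review_table())
```

The check asks for the exact combination of rights needed and compares against what the table grants, so a user with read-only access cannot obtain write access by asking for both, and an unknown user or resource falls through to NONE rather than to an error that an application might ignore.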

HACKING AND OTHER NETWORK BREAK-INS

When an IT system is networked to either internal networks or the Internet, those networks are open to opportunities for unauthorized access. The more extensive the series of network connections, the greater the chance of unauthorized access by hackers, others outside the organization, and unauthorized employees. When an IT system has network connections, the organization should employ one or more firewalls in the network. A firewall is hardware, software, or a combination of both that is designed to block unauthorized access. All data traveling between the internal network and the Internet should pass through the firewall first. The firewall examines all data passing through it and, if it detects an unauthorized attempt to pass data, prevents the flow of such data. The firewall can prevent the unauthorized flow of data in both directions, blocking access to data on the network server by refusing unauthorized requests to log in or read data. Ideally, a firewall would be like a brick wall and allow nothing to pass through it. However, this would stop legitimate as well as illegitimate network traffic. Thus, the firewall has to examine the data flow and block only the traffic that is not permitted. A way to think of the firewall is to compare it to the building security system at a large company. The security system lets employees with the proper badges enter and exit the building, but visitors without ID badges are stopped at the door. Similarly, information passes through a firewall in individual packets, and the firewall checks each packet against an ordered list of rules based on its source and destination addresses, the protocol and port number (which identify the service, such as web or e-mail), the direction of travel, and, in a stateful firewall, whether the packet belongs to a connection that was legitimately opened. A packet that matches no rule permitting it is dropped. This default-deny posture is what makes the rule list a control rather than a wish list, and the order of the rules matters because the first rule that matches decides.
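An added example, not from the text, of how a packet-filtering firewall applies an ordered rule list with default deny. The addresses, servers, and rules are constructed for illustration; the matching logic (direction, source and destination network, protocol, destination port, first match wins) is the general one, simplified by leaving out connection state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" (Internet -> internal network) or "out"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in", "out", or "any"
    src: str         # network in CIDR form
    dst: str         # network in CIDR form
    proto: str       # "tcp", "udp", or "any"
    dports: tuple    # destination ports; () means any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (not self.dports or p.dport in self.dports))


# Constructed rule set. Internal network 10.0.0.0/8, public web server 10.0.5.10,
# database server 10.0.6.20. Rules are evaluated top to bottom; the first match wins.
RULES = [
    Rule("allow", "in",  "0.0.0.0/0",  "10.0.5.10/32", "tcp", (80, 443)),  # web from anywhere
    Rule("deny",  "in",  "0.0.0.0/0",  "10.0.6.20/32", "any", ()),         # database never from outside
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",    "tcp", (80, 443)),  # staff web browsing
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",    "udp", (53,)),      # DNS lookups
]


def filter_packet(p: Packet, rules=RULES):
    """Return (decision, index of the rule that decided); (\"deny\", None) when nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None          # default deny: no rule permitted it


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.9", "10.0.5.10", "tcp", 443, "in"),    # customer reaching the web site
        Packet("203.0.113.9", "10.0.6.20", "tcp", 3306, "in"),   # outsider probing the database
        Packet("203.0.113.9", "10.0.5.10", "tcp", 22, "in"),     # remote login to the web server
        Packet("10.0.7.3", "198.51.100.4", "tcp", 25, "out"),    # internal host sending mail directly
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```

The last two sample packets match no rule at all and are dropped by the default; the database probe is dropped by an explicit rule. Reordering the list so that a broad allow precedes the database deny would let the probe through, which is why firewall rule changes should be reviewed with the same care as a change to an authority table.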

Since these authorization and access controls cannot be completely effective, there is still a possibility that unauthorized access will occur. To limit the potential damage of unauthorized access, sensitive data should be encrypted. Encryption is the process of converting readable data, the plaintext, into an unreadable form referred to as ciphertext. Encrypted data can be decoded only by those who possess the correct key. Encryption renders the data useless to those who do not possess the key, which is why the keys themselves must be stored apart from the data and protected at least as carefully as the data.

There are two types of encryption: symmetric encryption and public key encryption. Symmetric encryption uses a single key both to encrypt data and to decode the encrypted data. The sender and the receiver must therefore share the same key, and the difficulty is getting the key from one to the other without exposing it to anyone else. Public key encryption uses a pair of keys. The public key, which can be known by everyone, is used to encrypt the data, and a mathematically related private key, which only the receiver holds and which cannot practically be derived from the public key, is used to decode it. Knowing the receiver's public key enables any sender to encrypt data for that receiver, and only the receiver can decode the data with her private key. Because public key operations are slow compared with symmetric ciphers, the two are normally combined: the sender generates a fresh symmetric key for the message, encrypts the message with it, and uses the receiver's public key to encrypt only that symmetric key. The sender must also be sure that the public key really belongs to the intended receiver and not to an impostor, which is the role of digital certificates.

The strength of the encryption refers to how difficult it would be to break the code. Much the same as with passwords, the longer a symmetric key is in bits, the stronger the encryption and the harder it is to break. Many Internet encryption schemes use 128-bit keys, and 256-bit keys (as in AES-256) are now also in routine use. Examining the number of possible keys shows the difficulty of guessing one. A 128-bit key has 340 undecillion possible values, that is, 340 followed by 36 zeros. A 256-bit key has about 11 followed by 76 zeros. Someone who wished to guess the key would potentially have to try all of these possibilities, and even a computer trying billions of keys per second cannot finish, because of the sheer number of combinations. Note that bit lengths are comparable only within one type of encryption: public key methods such as RSA need far longer keys, with 2048 bits the usual minimum today, to offer strength in the same range as a 128-bit symmetric key, and a long key is of no help if the key is stored carelessly or the software that uses it is flawed.
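The following Python is an added example, not from the text, that carries the two paragraphs above through to working code: a symmetric cipher where both sides need the same key, a public key pair where only the receiver can decode, and the combination of the two (hybrid encryption) in which the public key protects only the symmetric key. Textbook RSA without padding and a keystream built from HMAC-SHA256 are used so that it runs with the Python standard library alone; neither construction should be used in a real system, where RSA-OAEP (or a key agreement such as ECDH) and an authenticated cipher such as AES-GCM take their places.

```python
import hashlib
import hmac
import secrets


# ---- Symmetric part: the same key encrypts and decrypts.
def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream derived from (key, nonce) in counter mode.
    Illustration only: it has no integrity check, unlike AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = nonce + (offset // 32).to_bytes(8, "big")
        keystream = hmac.new(key, counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


# ---- Public key part: textbook RSA (no padding; real systems use RSA-OAEP).
def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 1024):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message too large for this key")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


# ---- Hybrid scheme: the public key carries the session key, the symmetric cipher carries the data.
def hybrid_encrypt(receiver_public_key, plaintext: bytes):
    session_key = secrets.token_bytes(32)          # fresh 256-bit symmetric key per message
    nonce = secrets.token_bytes(16)
    wrapped_key = rsa_encrypt(receiver_public_key, int.from_bytes(session_key, "big"))
    return wrapped_key, nonce, symmetric_crypt(session_key, nonce, plaintext)


def hybrid_decrypt(receiver_private_key, wrapped_key: int, nonce: bytes, ciphertext: bytes) -> bytes:
    k = rsa_decrypt(receiver_private_key, wrapped_key)
    if k.bit_length() > 256:
        raise ValueError("wrapped key does not decrypt under this private key")
    return symmetric_crypt(k.to_bytes(32, "big"), nonce, ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keygen(1024)
    wrapped, nonce, ct = hybrid_encrypt(pub, b"payroll batch 2024-03: total 1,204,553.10 USD")
    print("ciphertext:", ct.hex())
    print("recovered :", hybrid_decrypt(priv, wrapped, nonce, ct))
```

Only the receiver's private key unwraps the session key, so the sender never has to deliver a secret over a separate channel; what the sender does have to know is that `pub` really belongs to the receiver, which the example does not address and certificates do.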

Encryption is especially important for wireless networks, which send network data as high frequency radio signals through the air. As with radio transmissions, anyone who has the right receiver can intercept network data in a wireless network. Since anyone within range of these radio signals can receive the data, protecting data through encryption is extremely important. A wireless network must have an access point, or transmitter, that sends the network signals, and the computer connected to the wireless network must have a wireless network card to receive them. Early wireless equipment used an encryption method called wired equivalent privacy, or WEP. WEP keys are 40 or 104 bits long (marketed as 64- or 128-bit WEP because the 24-bit initialization value transmitted in the clear with each frame is counted in), and the encryption is symmetric in that every node on the network shares the same key. WEP has proven to be thoroughly breakable: the 24-bit initialization value is too short, so the same keystream is reused after a few thousand frames, and weaknesses in the way the key is fed to the RC4 cipher allow the shared key itself to be recovered from captured traffic in minutes. The industry replaced it with Wi-Fi Protected Access, or WPA, followed by WPA2 and WPA3, which use improved encryption, derive a fresh per-session key for each connected device rather than encrypting everything under the one shared key, and add an integrity check that detects tampered frames. WEP-era networks often relied on filtering by the computer's hardware (MAC) address, which an intruder can observe in the air and copy. In the enterprise form of WPA, on the other hand, a client requests connection via an access point, the access point requests the user's identity and passes it to an authentication server, and only an authenticated user is issued session keys. Thus, WPA authenticates the computer and the user. The original WPA, with the TKIP cipher, is now also deprecated; new deployments should use WPA2 or WPA3.
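Why WEP's short initialization value matters is easiest to see by running it. The Python below is an added example, not from the text or any real driver: it implements RC4 and the WEP way of keying it (initialization value followed by the shared key), encrypts two constructed frames under a constructed 104-bit key with the same initialization value, and shows that the keystream cancels out, so knowing one frame's plaintext decrypts the other. The CRC-32 integrity value that a real WEP frame also carries is omitted.

```python
import secrets


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4, the stream cipher WEP uses: key scheduling, then `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, frame: bytes) -> bytes:
    """WEP per-frame encryption: RC4 keyed with IV || shared key. The 3-byte IV is sent in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP initialization value is 24 bits")
    return iv + xor_bytes(frame, rc4_keystream(iv + shared_key, len(frame)))


def wep_decrypt(shared_key: bytes, packet: bytes) -> bytes:
    iv, body = packet[:3], packet[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_with_known_plaintext(packet_known: bytes, known_plaintext: bytes, packet_target: bytes) -> bytes:
    """Attacker's view: one captured frame whose contents are known (say, a predictable request),
    and a second frame captured under the same IV. No key is needed."""
    if packet_known[:3] != packet_target[:3]:
        raise ValueError("different IVs, different keystreams; this attack needs a repeat")
    keystream = xor_bytes(packet_known[3:], known_plaintext)   # C1 xor P1 = keystream
    return xor_bytes(packet_target[3:], keystream)              # C2 xor keystream = P2


def frames_until_iv_repeat() -> int:
    """Simulate a card choosing random 24-bit IVs; count frames until one repeats."""
    seen = set()
    count = 0
    while True:
        count += 1
        iv = secrets.randbits(24)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")      # constructed 104-bit shared key
    iv = b"\x01\x02\x03"
    p1 = b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"
    p2 = b"POST /payroll HTTP/1.0\r\nAuth: s3cr3t-pass\r\n"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("recovered without the key:", recover_with_known_plaintext(c1, p1, c2))
    print("frames until an IV repeated:", frames_until_iv_repeat())
```

With only 16,777,216 possible initialization values, a busy access point repeats one after a few thousand frames (the birthday bound), and every repeat hands an eavesdropper the relation shown above. WPA2 and WPA3 avoid this by using a different cipher with per-device session keys and much larger counters.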

Another setting that must be chosen with care in wireless networks is the service set identifier, or SSID. The SSID is the name of the wireless network; it is not a password. Every client must present the SSID of the network it wants to join, and access points normally broadcast their SSID so that clients can find them. Wireless equipment often ships with a default SSID, and many client cards accept a special value, “any,” which joins whatever network is in range. For example, a laptop with built-in wireless equipment set to “any” may connect to whichever nearby network answers first, which could be an outsider's access point set up to capture traffic. Choosing a unique SSID and configuring clients to join only that network prevents accidental connections to the wrong network. It does not keep an outsider out: the SSID travels in the clear, and even an access point configured not to broadcast it reveals it whenever a client connects. Access control for a wireless network comes from WPA2 or WPA3 encryption and authentication, not from the SSID.

In many organizations, authorized employees may need to access the IT system from locations outside the organization. There are at least two examples of the need for such legitimate outside access. One is employees who telecommute and are permitted to work from home, using a computer connected to the IT system. A second example is sales staff who may be traveling to other cities but must have access there to the IT system in order to service customers. In these cases, the authorized employees should connect to the IT system by using a virtual private network (VPN). A virtual private network uses tunnels, authentication, and encryption over the Internet to isolate the organization's communications so that unauthorized users cannot read or alter them. A VPN is employed when the employee connects to the IT system through a public network such as the Internet. A VPN uses the Internet; it is therefore not truly private, but virtually private. The traffic is made private by technology: each packet between the employee's computer and the organization's VPN gateway is encrypted and then wrapped inside an ordinary Internet packet addressed to the gateway, and the gateway removes the wrapper and decrypts the packet before passing it to the internal network. This encapsulation is the tunnel, and the VPN traffic can be thought of as traveling through a separate tunnel within the Internet network of public lines. Both ends authenticate each other before the tunnel is established, so the same second factor required for office log-ins should be required for VPN connections, and the gateway should grant a remote user no more access than that user's profile allows inside the building.

In addition, network traffic between the organization and all authorized users that is sent via the Internet should be protected by the Web-based technology called secure sockets layer, or SSL, now standardized as transport layer security, or TLS. SSL/TLS is a communication protocol built into Web server and browser software that encrypts data transferred to and from a website and lets the browser verify, through the server's digital certificate, that it is talking to the site it intended. If you have ever ordered products on a website, you were probably using this technology to encrypt personal data such as your credit card number. You can determine whether a site uses it by examining the URL address: most website addresses begin with http://, but SSL/TLS addresses begin with https://. The https:// prefix and the browser's padlock show only that the connection is encrypted and that the certificate matches the address in the browser; they say nothing about whether the site itself is honest. The original SSL versions and the early TLS 1.0 and 1.1 have known weaknesses and should be disabled on servers in favor of TLS 1.2 or 1.3.

IT system operations are also threatened by the many network break-in attempts that are undertaken to insert viruses or worms into a system. A virus is a self-replicating piece of program code that attaches itself to other programs or files and spreads when those files are copied or run, performing malicious actions such as deleting files or shutting down the computer. A worm is a self-contained malicious program that needs no host file; it spreads on its own across a network, typically by exploiting an unpatched weakness in a network service, and its copies can consume memory, disk space, and bandwidth until systems become overloaded and fail. To avoid destruction of data and programs and to maintain operation of the IT system, an organization must employ antivirus software, which continually scans the system for viruses and worms and either deletes or quarantines them. Antivirus software recognizes known malicious code by signatures and suspicious behavior, so it must be updated constantly and cannot be relied on to catch every new specimen; keeping software patched, which removes the weaknesses worms exploit, is as important as the antivirus product.

All of the authentication and network controls mentioned in this section should assist in limiting unauthorized access. However, people who attempt to access an organization's systems in an unauthorized manner are continually finding new ways to gain access. Therefore, an organization must maintain a plan to continually monitor and test the vulnerability of its IT system to unauthorized access. To monitor its exposure over time, the organization should engage in vulnerability assessment, intrusion detection, and penetration testing. Vulnerability assessment is the process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees. By conducting vulnerability assessment with manual testing or automated scanning tools, an organization can identify weaknesses, such as missing patches and insecure settings, and fix them before they are exploited. Intrusion detection systems are software tools that monitor data flow within a network, or activity on individual computers, and alert the IT staff to hacking attempts or other unauthorized access. An intrusion detection system can be thought of as the burglar alarm for the IT system in that it alerts the appropriate staff to break-ins; like a burglar alarm, it is useful only if someone is assigned to respond to its alerts and to tune out false alarms. Penetration testing is the process of legitimately attempting to break into an IT system to find out whether its weaknesses can actually be exploited. It must be authorized in writing, with an agreed scope and schedule, before it begins. Penetration testing is sometimes done by the IT staff within an organization, but more often an outside consultant with experience in penetration testing is hired to complete the tests.

ORGANIZATIONAL STRUCTURE

Organizations with extensive IT systems should govern the overall development and operation of those systems through an IT governance committee, usually made up of top executives. The committee, which would include officers such as the chief executive officer (CEO), chief financial officer (CFO), chief information officer (CIO), and the heads of business units such as the vice president of marketing, has several important responsibilities, including the following:

  1. Align IT investments to business strategy. Investing funds and resources in the most beneficial IT systems should enhance the long-range goal of achieving the business strategy.
  2. Budget funds and personnel for the most effective use of the IT systems.
  3. Oversee and prioritize changes to IT systems. Within organizations, many user groups will concurrently request improvements or changes to their subsystem within the IT system. The IT governance committee will appoint a steering committee to prioritize these requests according to the best match to the business strategy and the feasibility of designing, developing, and implementing the necessary changes.
  4. Develop, monitor, and review all IT operational policies. The organization should maintain policies and descriptions of procedures for operating and developing its IT systems.
  5. Develop, monitor, and review security policies. The organization should maintain policies and descriptions of procedures related to security. For example, the organization should have established procedures to monitor and follow up on security breaches to the IT system.

While there are many types of IT policies that must be in place, the description of policies in this section will focus only on those that are related to general controls over IT systems. It is important to understand that the IT governance committee delegates many of its duties by the policies that it develops. Because the IT governance committee consists of top management, its role is to develop policies and to delegate duties such that those policies are properly implemented. Perhaps the most important factor in controlling IT systems is the competence of the personnel. Thus, it is important that the IT governance committee ensure that the organization maintains hiring and promotion procedures which screen candidates and verify the background and references of applicants. The IT governance committee should also see that the organization maintains written job descriptions and requirements for IT positions.

The manner in which an organization establishes, delegates, and monitors IT system functions is part of the general control over IT systems. The division of duties and the policies of the organization in relation to those duties must be designed so that they strengthen control over IT systems. The functional responsibilities within an IT system must include proper segregation of duties. This segregation is different from the accounting-related segregation described in Chapter 3. In an IT system, the duties to be segregated are those of systems analysts, programmers, operators, and the database administrator. Systems analysts analyze and design IT systems, while programmers actually write the software, using a programming language. Operations personnel are employees who are responsible for processing operating data. The database administrator develops and maintains the database and ensures adequate controls over data within the database. In a properly segregated IT system, no single person or department should both develop computer programs and have the access to live production data that operations personnel have. Similarly, the database administrator should not develop or write application programs. The point of the segregation is that a change to a program, which could divert or alter data, always passes through someone other than its author before it reaches live data.

The IT governance committee should ensure that policies are in place which require the listing of all software used in the organization, and that this list include important information such as the level and version of the software and any patches that have been applied. Patches are bug fixes, or security enhancements, to existing software. An accurate inventory is what allows the organization to tell, when a new vulnerability is announced, which of its systems are affected and whether the fix has been applied.

In addition, the IT governance committee should develop policies and assign responsibilities to ensure that hardware and software systems are tested annually and that the test results are used to continually improve the security and effectiveness of IT systems. The committee should be established prior to major changes in any IT systems and should meet monthly to review items such as investment decisions, change requests, and security policies. When changes to IT systems are proposed, the IT governance committee should already have in place a system development process that controls the initiation, approval, development, and maintenance of those changes. This process, called the system development life cycle, or SDLC, is described in detail in Chapter 6. The system development life cycle can be generally described as the systematic steps undertaken to plan, prioritize, authorize, oversee, test, and implement large-scale changes to the IT system.

PHYSICAL ENVIRONMENT AND SECURITY

The general controls for an IT system should include controls over the physical environment of the system and physical access controls to limit who is in contact with the system. The physical environment includes the location, operating environment, and backup systems of the IT system. Physical security is intended to limit physical access to computer hardware and software so that malicious acts or vandalism do not disrupt the system, and so that data are protected.

Especially for large IT systems, the security of the environment in which they reside and operate is crucial. A large IT system should be physically located in an area and building that are least at risk of natural disasters such as flood, earthquake, hurricane, and fire. Natural disasters can easily destroy or disrupt IT system operations. To the extent possible, IT systems should be installed in locations that are unlikely to be affected by natural disasters.

Computer systems can also be affected by environmental extremes of temperature and humidity. Therefore, a large-scale IT system must be located in a building that properly controls dust, temperature, and humidity. The building should also have a fire suppression system that does not rely on water sprinklers, since water can ruin the hardware and data. Computer rooms have traditionally used a gaseous agent instead. Halon was the classic choice because it interrupts the chemical chain reaction of combustion without leaving residue, but its production has been banned under the Montreal Protocol because it destroys ozone, and new installations use replacement clean agents that either work the same way (such as FM-200) or flood the room with an inert gas mixture that lowers the oxygen concentration below what a fire needs while remaining breathable for long enough to evacuate.

The computer system should also have both an uninterruptible power supply (UPS) and an emergency power supply (EPS). An uninterruptible power supply includes a battery to maintain power in the event of a power outage in order to keep the computer running for several minutes after a power outage. An emergency power supply is an alternative power supply that provides electrical power in the event that a main source is lost. An example of an EPS is a gasoline-powered generator.

As you may have found with your personal computer, loss of electrical power can result in lost or corrupted data. In the case of an electrical power failure, backup power supplies such as UPS and EPS can keep the IT system operating at least until the individual applications and data can be saved and gradually shut down.

THE REAL WORLD

On August 14, 2003, the largest power blackout in North American history affected eight U.S. states and the Canadian province of Ontario, leaving up to 50 million people with no electricity. Some of the major cities hit included New York City, Cleveland, Toledo, Detroit, Toronto, and Ottawa. Although all electric power from utility systems was out, some telecommunications and wireless networks continued to operate. An Associated Press story explains how they continued to operate:3

Several large telecommunications providers, including the company that supports the vast majority of Internet traffic worldwide, said they immediately switched to backup generators on the East Coast and could continue doing so for several days.

“We lost all utility power out there, but we immediately went to battery power for a few seconds, at which point all of our major generators kicked in,” said Margie Backaus, chief business officer of Equinix, based in Foster City, California, which operates Internet Business Exchange centers that serve more than 90 percent of the world's Internet routes.

Battery power (UPS) and generators (EPS) served as the uninterruptible power supply and emergency power supply systems that enabled these networks to continue operations during the blackout.

The hardware and data in an IT system are also vulnerable to damage, destruction, disruption, or theft if an unauthorized person can physically access them. Large-scale IT systems should be protected by physical access controls. Such controls include the following:

  1. Limited access to computer rooms through employee ID badges or card keys
  2. Video surveillance equipment
  3. Logs of persons entering and exiting the computer rooms
  4. Locked storage of backup data and offsite backup data

BUSINESS CONTINUITY

Business continuity planning (BCP) is a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks. Since such a large number of organizations rely on IT systems to operate, the continuation of IT systems is an integral part of business continuity. BCP is a broad type of planning that focuses on key personnel, resources, and activities critical to business continuation.

THE REAL WORLD

In some organizations, loss of a key CEO could spell disaster. For example, Martha Stewart founded and became the CEO of Martha Stewart Living Omnimedia Inc. In June 2003, she was indicted for possible legal violations related to insider trading, and she stepped down as CEO. Some in the financial community wondered if the firm could continue or thrive without Martha Stewart. Part of the business continuity plan for her company should have been a strategy to operate if some event would prevent Martha Stewart from serving as CEO. Martha was convicted, served time in prison, and successfully returned to work.

BCP is a broad concept, but because of the importance of IT systems as a critical business resource, a large part of BCP includes IT continuation. Two parts of business continuity are related to IT systems:

  1. A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and off-site storage of daily and weekly backups
  2. A disaster recovery plan

If IT systems are to continue without interruption, it is important to have backups for both the hardware and software systems, as well as the data. One approach to a backup processing system is called redundant servers: two or more computer network or data servers that can run identical processes or maintain the same data. If one of the servers fails, a redundant server functions in its place. In many IT systems, redundant data storage is accomplished by the use of redundant arrays of independent disks (RAIDs), often set up such that two or more disks are exact mirror images. If one disk drive fails, the mirror image on a second drive can serve in its place. A RAID protects against disk failure only: a file that is deleted, corrupted, or encrypted by ransomware is faithfully mirrored to the other disk, so a RAID is not a substitute for backups. In addition to the data on a RAID, the organization should maintain daily and weekly incremental backups, and should periodically practice restoring from them, since a backup that has never been restored is of unknown value. This backup protection is improved by off-site backup, an additional copy of the backup files stored in an off-site location. In some cases, on-site backups may be destroyed and the off-site backup files would be necessary. For the same reason, at least one copy should be kept offline or otherwise out of reach of the network, so that an intruder who gains control of the production systems cannot also destroy the backups.

The plan for the continuance of IT systems after a disaster is called a disaster recovery plan (DRP). Whereas BCP is proactive planning, DRP is a more reactive plan to restore business operations to normal after a disaster occurs. Disaster recovery plans should include all plans necessary to continue IT operation after a disaster. Although disaster recovery planning has been an important concept in IT systems for many years, there was much more activity regarding disaster recovery planning after the New York City terrorist attacks in September 2001. Those events reminded companies that catastrophes happen very unexpectedly and can cause IT systems to be damaged or destroyed.

Since disasters can destroy systems and data, it is important that organizations maintain backup systems and backup data. Organizations must have regular processes to back up data and to store at least one copy of the backup off site. The off-site backup is necessary in case all data are destroyed at the on-site location.
