Information System Controls for Systems Reliability Suggested

Encryption is the final layer of preventative controls in that encrypting data provides a barrier against an intruder who has obtained access to company data. Encryption employing a digital signature and a public key infrastructure (PKI) can also strengthen authentication procedures and helps to ensure and verify the validity of e-business transactions.

The digital signature is some sort of identifying information about the signer that is encrypted with the signer’s private key. This identifying information can only be decrypted using the corresponding public key. Since a private key is known only to its owner, only the owner can hold both the public and the private key and therefore be the creator of the digital signature. Thus, digital signatures can be used to authenticate a particular party involved in a transaction as being the creator of a document.

This provides for non-repudiation: the creator of the digital signature cannot deny having signed a document. A digital certificate is an electronic document that is digitally signed by a trusted third party that certifies the identity of the owner of a pair of public and private keys. The PKI is a system that is used to process and manage the public and private keys used in digital signatures and digital certificates. An organization that handles digital certificates is called a certificate authority.
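The two paragraphs above describe signing with a private key, verifying with the public key, and a certificate authority vouching for the owner of a key pair. The following added example (not from the essay) shows all three steps with textbook RSA and a toy certificate; the key sizes, the `issue_certificate` and `verify_transaction` helpers, and the purchase-order message are all constructed for illustration and are far too small for real use.

```python
# Added example (not from the essay): textbook RSA signatures and a toy
# certificate illustrating digital signatures, non-repudiation and a
# certificate authority (CA). Key sizes are deliberately tiny; a real
# system would use a vetted cryptographic library.
import hashlib

E = 65537  # conventional public exponent

def make_keypair(p, q):
    """Return ((e, n), (d, n)) from two primes p and q (textbook RSA)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent (Python 3.8+ modular inverse)
    return (E, n), (d, n)

def digest(data: bytes, n: int) -> int:
    # Hash the message and reduce it into the range of the RSA modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, private_key) -> int:
    # "Encrypt" the identifying information (the hash) with the private key.
    d, n = private_key
    return pow(digest(data, n), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    # "Decrypt" with the public key and compare against a fresh hash.
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)

# Constructed keys built from Mersenne primes: 2^127-1 and 2^89-1 for the
# signer, 2^107-1 and 2^61-1 for the certificate authority.
SIGNER_PUB, SIGNER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def issue_certificate(owner: str, owner_pub) -> dict:
    """Toy digital certificate: the CA signs the owner's name and public key."""
    body = f"{owner}|{owner_pub[0]}|{owner_pub[1]}".encode()
    return {"owner": owner, "public_key": owner_pub, "ca_signature": sign(body, CA_PRIV)}

def verify_transaction(cert: dict, data: bytes, signature: int) -> bool:
    """Check the certificate against the CA, then the signature against the cert."""
    body = f"{cert['owner']}|{cert['public_key'][0]}|{cert['public_key'][1]}".encode()
    if not verify(body, cert["ca_signature"], CA_PUB):
        return False  # certificate was not issued by the trusted third party
    return verify(data, signature, cert["public_key"])

if __name__ == "__main__":
    cert = issue_certificate("Alice", SIGNER_PUB)
    order = b"PO-1001: 40 units at $12.50"  # constructed transaction
    sig = sign(order, SIGNER_PRIV)
    print(verify_transaction(cert, order, sig))         # True
    print(verify_transaction(cert, order + b"0", sig))  # False: altered
```

Because only the holder of `SIGNER_PRIV` can produce a value that `SIGNER_PUB` maps back to the message hash, a valid signature ties the document to that key's owner, which is the non-repudiation property the essay describes.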

The effectiveness of control procedures depends on how well employees understand and follow the organization’s security policies. If all employees are taught proper security measures and taught to follow safe computing practices, such as never opening unsolicited email attachments, using only approved software, not sharing or revealing passwords, and taking steps to physically protect laptops, company-wide security will increase. Firewalls use hardware and software to block unauthorized access to the company’s system.

An intrusion detection system (IDS) creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions. This provides a means to monitor the number of attempted intrusions successfully blocked by the firewall, and can provide early warning signals that the organization is being targeted. A virtual private network (VPN) is a network that controls access to a company’s extranet by using encryption, identification, and authentication tools and techniques. (Definition from the text’s glossary, p. 794, 10th ed.)

A virtual private network (VPN) increases system reliability by encrypting data prior to sending it over the Internet. The data is then decrypted once it arrives at its intended destination. Thus, a private network is created using the Internet as the network connection and encryption as the method to make it private and secure the data from public disclosure.

Having the person responsible for information security report directly to the Chief Information Officer (CIO) raises the visibility, and therefore the importance, of information security to all levels of management and to the company at large. Security must be recognized as a top management issue; having the information security officer report to a member of the executive committee, such as the CIO, formalizes information security as a top management issue.

One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Thus, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations.

The most effective auditor is a person who has training and experience as an auditor and training and experience as an information systems or computer specialist. However, few people have such an extensive background, and personnel training and development are both expensive and time consuming. So, many organizations may find it necessary to accept some tradeoffs in staffing the Information Systems audit function. Since auditors generally work in teams, one common solution is to include members who have computer training and experience. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience.

However, in today’s technological age, all internal and external auditors on an audit engagement team must have a sound understanding of basic information security concepts so that during the course of an audit, they would be able to identify, report, and communicate security risks and exposures to the security specialists on the audit team for further assessment and investigation.

To provide absolute information security, an organization must follow Jeff Richards’ “Laws of Data Security”: don’t buy a computer, and if you buy a computer, don’t turn it on. As this humorous solution indicates, there is no way to make a system absolutely secure. However, as discussed in the text, there are numerous methods to make a system more secure.

Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security by attempting to break into the organization’s information system. Internal audit and external security consulting teams perform penetration tests in which they try to compromise a company’s system. Some outside consultants claim that they can get into 90 percent or more of the companies they attack.

This is not surprising, given that it is impossible to achieve 100% security. Thus, one limitation of penetration testing is that it almost always shows that there are ways to break into the system. The more important analysis, however, is evaluating how difficult it was to break in and the cost-effectiveness of alternative methods for increasing that level of difficulty. Another limitation is that failure to break in may be due to lack of skill by the tester. Finally, penetration testing typically focuses on unauthorized access by outsiders; thus, it does not test for security breaches from internal sources.

Top management support is always essential for the success of any program an entity undertakes. Thus, top management support and participation in security awareness training is essential to maximize its impact on the employees and managers of the firm. Effective instruction and hands-on active learning techniques will also help to maximize training.

Many employees have extensive experience and/or expertise in security, and these employees should be involved in the design and execution of the security training. “Real-life” examples should be used throughout the training so that employees can view, or at least visualize, the exposures and threats they face as well as the controls in place to address them. Role-playing has been shown to be an effective method to maximize security awareness training, especially with regard to social engineering attack training.

The total quality movement focuses on continuous improvement and the elimination of errors. Security, like quality, is a moving target which can always be improved. Another similarity is the need for active top management support. The focus on quality only began to achieve momentum when top management supported the up-front investment costs to improve quality and refused to accept the argument that the benefits of further improvements in quality did not justify the costs required to attain them. Similarly, top management needs to actively support the goal of ever-improving levels of security and the investment necessary to achieve that result.

What are the advantages and disadvantages of biometric security devices, such as fingerprint readers, in comparison with other security measures such as passwords and locked doors? The advantages of biometric security devices include:

  • Providing security advantages over traditional methods because physical traits are almost impossible to duplicate.
  • Ease of use.
  • Cannot be forgotten like passwords and user id’s.
  • Cannot be left at home, in a rental car, or in a taxi.
  • Cannot be inadvertently lost or stolen.

Nonbiometric access methods such as passwords and keys can be stolen and used by others, lost, or forgotten. It is easier for someone else to get access to tokens, smart cards, or passwords and use them to gain entry to the system.

Source: Information System Controls for Systems Reliability Suggested. (2016, Dec 09). Retrieved from https://graduateway.com/ais-solution-chapter-7/
