INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
1. Encryption is the final layer of preventive controls in that encrypting data provides a barrier against an intruder who has obtained access to company data. Encryption employing a digital signature and a public key infrastructure (PKI) can also strengthen authentication procedures and help to ensure and verify the validity of e-business transactions. The digital signature is identifying information about the signer that is encrypted with the signer’s private key. This identifying information can only be decrypted using the corresponding public key. Since a private key is known only to its owner, only the owner can hold both the public and the private key and be the creator of the digital signature. Thus, digital signatures can be used to authenticate a particular party involved in a transaction as being the creator of a document. This provides for non-repudiation: the creator of the digital signature cannot deny having signed a document. A digital certificate is an electronic document that is digitally signed by a trusted third party that certifies the identity of the owner of a pair of public and private keys. The PKI is a system that is used to process and manage the public and private keys used in digital signatures and digital certificates. An organization that handles digital certificates is called a certificate authority.
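The sign, verify and certify steps described in answer 1, as an added example that is not part of the textbook material. It uses Go's standard-library Ed25519 signatures; the Certificate type, NewKeyPair helper, owner name and purchase-order text are assumed sample constructs (a minimal stand-in, not an X.509 certificate).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is an assumed minimal stand-in for an X.509 certificate: the CA
// signs the binding "owner -> public key" so others can trust that public key.
type Certificate struct {
	Owner  string
	PubKey ed25519.PublicKey
	CASig  []byte
}
// NewKeyPair generates a fresh public/private key pair for one party.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// certBody is the exact byte string the CA signs and a verifier re-checks.
func certBody(owner string, pub ed25519.PublicKey) []byte { return append([]byte(owner+"|"), pub...) }
// IssueCertificate: the trusted third party vouches for the owner's public key.
func IssueCertificate(caPriv ed25519.PrivateKey, owner string, pub ed25519.PublicKey) Certificate {
	return Certificate{Owner: owner, PubKey: pub, CASig: ed25519.Sign(caPriv, certBody(owner, pub))}
}
// VerifyCertificate succeeds only if the CA's private key produced CASig.
func VerifyCertificate(caPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(caPub, certBody(c.Owner, c.PubKey), c.CASig)
}
// SignDocument signs with the private key (Ed25519 hashes the message itself).
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte { return ed25519.Sign(priv, doc) }
// VerifyDocument checks with the public key: a changed document, a changed
// signature, or another party's key all fail, which is what gives non-repudiation.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool { return ed25519.Verify(pub, doc, sig) }

func main() {
	caPub, caPriv := NewKeyPair()                              // the certificate authority
	pub, priv := NewKeyPair()                                  // the signer, e.g. a buyer
	cert := IssueCertificate(caPriv, "buyer@example.com", pub) // constructed sample owner
	order := []byte("PO-1001: 50 units at $20")                // constructed sample transaction
	sig := SignDocument(priv, order)
	fmt.Println(VerifyCertificate(caPub, cert), VerifyDocument(cert.PubKey, order, sig)) // true true
	fmt.Println(VerifyDocument(cert.PubKey, []byte("PO-1001: 500 units at $20"), sig))   // false
}
```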
2. The effectiveness of control procedures depends on how well employees understand and follow the organization’s security policies. If all employees are taught proper security measures and taught to follow safe computing practices, such as never opening unsolicited email attachments, using only approved software, not sharing or revealing passwords, and taking steps to physically protect laptops, company-wide security will increase.
3. Firewalls use hardware and software to block unauthorized access to the company’s system.
4. An intrusion detection system (IDS) creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions. This provides a means to monitor the number of attempted intrusions successfully blocked by the firewall, and can provide early warning signals that the organization is being targeted.
5. A virtual private network (VPN) is a network that controls access to a company’s extranet by using encryption, identification, and authentication tools and techniques. (Definition from the text’s glossary, p.794, 10th ed.)
Additional facts: A virtual private network (VPN) increases system reliability by encrypting data prior to sending it over the Internet. The data is then decrypted once it arrives at its intended destination. Thus, a private network is created using the Internet as the network connection and encryption as the method to make it private and secure the data from public disclosure.
Having the person responsible for information security report directly to the Chief Information Officer (CIO) raises the visibility and therefore the importance of information security to all levels of management and to the company at large. Security must be recognized as a top management issue; having the information security officer report to a member of the executive committee, such as the CIO, formalizes information security as a top management issue. One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Thus, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more...