Access Control
- Identification: login
- Authentication: password; secret key, biometrics (know; have; are)
- Authorization: read-write-execute; Role-based Access Control (RBAC)
Access Control: read-write execute rights
- Confidentiality: who may read?
- Integrity: who may write, or execute?
Organizing access control
- Access control based on groups (e.g. in Unix)
- Access control based on individuals
Access control based on groups
- Groups of people have similar access rights based on their function
- But: no individual accountability
- But: individuals can be in more groups, leading to access violation
Acces control based on individuals
- Individuals are held accountable (traceability )
* But: hard to develop, implement and test access control policies
DAC: discretionary access control
leave protection to system operator
MAC: mandatory access control
under control of vendor: protect OS against malware from within
•e.g. Trusted platform modules (TPM): at each stage of booting, hash of previous stage is needed, to retrieve key for next stage; used in Windows Vista from 2006
Role-based Access Control (RBAC)
- RBAC: separate subjects and permissions by an abstraction, called a role
- Dynamic Segregation of Duties: some roles or permissions may not be combined for one object or session, but may be combined in general (Botha and Eloff 2001).
- e.g. roles of bank employee and client of a bank may be combined, but not for the same mortgage!
Confidentiality and thee security properties:
- The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up).
- The ★-property - a subject at a given security level must not write to any object at a lower security level (no write-down).
- The Discretionary Security Property - use of an access control matrix
Integrity of Information
- Internal consistency: meets integrity constraints
- External consistency: corresponds to ‘reality’
- An integrity verification procedure (IVP) verifies whether a data set is valid, i.e. meets applicable integrity constraints.
- A transformation procedure (TP) verifies (1) whether newly entered input data is valid, and (2) guarantees that for all authorized transformations data will remain valid.
- Requires IT general controls, incl. testing and change management!
Availability
- Build redundancy into infrastructure : avoid single point of failure.
- Can be expressed in ‘up-time’ or service windows.
- “uptime 99% 24/7, except Saturdays between 20.00 and 23.00”
- Continuity management: a process of intelligence gathering about needs, risks and response, to reduce downtime.
- Capacity management: monitoring and predicting how much capacity is used and how much will be needed.
- Back-up and retrieval: must be tested (under emergency conditions)
- Now: mostly in the cloud (virtualization)
- Data storage
- Processing power
What is audit?
“Auditing is the systematic process of objectively obtaining and evaluating evidence regarding assertions about economic activities and events to ascertain the degree of correspondence between the assertions and established criteria, and communicate the results to interested users” (American Accounting Association, 1972).
“Audit is testing to a norm”
Audit (regulatory supervision): based on a paradox
- Accountability: management must provide reliable evidence of financial results (compliance) to stakeholder (regulator)
- Paradox: evidence is generated by procedures and information systems, which are controlled by the party being regulated•Internal controls: precautions built into the processes, information systems and governance structure to ensure reliability
- Audit: provide assurance over reliability (accuracy and completeness) of the evidence, and hence over reliability of internal controls
What is internal control?
“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations’’ (COSO 1992)
5 pillars of COSO
- Control environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Designing Control Measures
Control measures: measures implemented to prevent, or else to detect and correct a control risk, i.e. an event that might result in not meeting objectives.
- Preventative measures: make risk (nearly) impossible to occur
- E.g. pay before deliver
- E.g. purchase orders authorized up to € 6000, or additional approval
- Detective measures: make sure no risks go unnoticed
- E.g. all purchase orders are recorded, and verified against inventory needs, and list of known suppliers before being approved.
- E.g. payment is verified against invoice, purchase order and delivery
- E.g. monthly totals are compared to yearly averages
- Corrective measures: when detected, react appropriately (respond and recover)
- E.g. CFO will cancel purchase orders to unknown suppliers
- E.g. in case of incident, Twitter team is ready to counter negative image
Segregation of Duties
- Authorize | Execute | Record
- Authorize | Store | Record
- Two consecutive steps in a business process
- IT systems:
- manager HR (authorize) | system admin (execute) | system logs (record)
- Development, Testing | Acceptance | Production
Three kinds of IT audits:
- Design: system is adequate for its purpose
- Implementation: design is effectively implemented and operational; procedures are known and used
- Operating effectiveness: system is effectively operational, for full duration of period •sample; for each item a walk through or test of controls
Three lines of Defense
1st line of Defense: Management Controls & Internal Control Measures
2nd line of Defense: Financial Control & Security & Risk Management & Quality & Inspection & Compliance
3rd line of Defense: Internal Audit
1-3 have line to Senior Management
3 also has line to Governing Body / Board / Audit Committee
Three feedback loops
- Monitoring of incidents and follow up – learning (e.g. weekly)
- Risk assessment and re-evaluation of adequacy of controls (e.g. yearly)
- External reasons for adjustment (when required, or e.g. yearly)
Criticism on COSO ERM
- Since the COSO framework and the accounting scandals a huge `industry’ of risk management has developed, in particular in the financial industry. Michael Power is critical of the way risk management has taken shape: “The security provided by ERM is at best limited to certain states of the world and at worst it is illusory: the risk management of nothing”.
- In particular, he observes that risk management did little to prevent or slow down the financial crisis.
- Nothing about systemic risks
- Nothing about comparability of risk across departments
- Tends to be based on risks that are easy to measure and record
- Real risks are about human decision: E.g. Lehmann brothers. (Report of Valukas)
Conclusions
- Security architecture: thinking in layers (assume-guarantee)
- Internal Control: coherent system of controls measures, to ensure the organization meets objectives
- Reliability of evidence (accuracy and completeness)
- Continuity: effectiveness of processes, profitability,
- Compliance: demonstrate adherence to laws and regulations (evidence)
- Risk management: systematic means to make trade-offs
- However: Power (2009) has criticism on COSO ERM (bias; no systemic risk)
