Introduction
As technology advances in leaps and bounds, companies, and IT organizations in particular, pay much attention to safeguarding security. In spite of that advancement, security continues to be a weak area in most organizations. This paper covers the main aspects of internal controls, testing security controls, identifying penetration points, assessing security awareness, and the attributes of an effective security control.
Internal Control
Interest in internal control has been heightened by publicized security penetrations and by the increased significance of information systems and the data they contain. The passage of the Sarbanes-Oxley Act in particular highlighted interest in internal control. The Sarbanes-Oxley Act, often referred to as SOX, was passed in response to accounting scandals such as Enron and WorldCom. While much of the act relates to financial controls, a major section relates to internal controls. Because a misleading attestation statement is a criminal offense, top corporate executives treat internal control as a very important topic. Many of those controls are incorporated into information systems, hence the need to test those controls.
The following four key terms are used extensively in internal control and security:
o Risk - The probability that an undesirable event will occur.
o Exposure - The amount of loss that might occur if an undesirable event occurs.
o Threat - A specific event that might cause an undesirable event to occur.
o Control - Anything that will reduce the impact of risk.
Let's look at an example of these terms using a homeowner's insurance policy. For that policy we will look at one risk, the risk of fire. The exposure associated with the risk of fire would be the value of your home. A threat that might turn that risk into a loss might be faulty electrical wiring or children playing with matches. Controls that would minimize the loss associated with the risk would include fire extinguishers, sprinkler systems, fire alarms and non-combustible construction materials. Looking at the same situation in IT, we might consider the risk of someone penetrating a banking system and improperly transferring funds to the perpetrator's personal account. The risk is the loss of funds from the account that was penetrated. The exposure is the amount of money in the account, or the amount of money that the bank allows to be transferred electronically. The threat is an inadequate security system that allows the perpetrator to penetrate the banking system. Controls can include passwords limiting access, a limit on the amount that can be transferred at any one time, review of unusual transactions such as a transfer to an overseas account, and a control that limits who can transfer money from the account.
Testing Security Controls
Security is too important to organizations for testing it to be ignored. The following tasks add value to security control testing:
1. Understand the points where security is most frequently penetrated, and understand the difference between accidental and intentional loss.
2. Build a penetration point matrix to identify software system vulnerabilities, then investigate the adequacy of the security controls at the points of greatest potential penetration.
3. Assess the security awareness training program to ensure that security stakeholders are aware of their security responsibilities.
4. Understand the attributes of an effective security control.
5. Understand the process for selecting techniques to test security.
Task 1 - Where Security is Vulnerable to Penetration
Data and report preparation areas and computer operations facilities, which have the highest concentration of manual functions, are the areas most vulnerable to security penetration. Nine primary IT locations are listed below, ranked by vulnerability:
Rank  Vulnerable Area
1     Data and report preparation facilities
2     Computer operations
3     Non-IT areas
4     Online systems
5     Programming offices
6     Online data and report preparation
7     Digital media storage facilities
8     Online operations
9     Central processors
1. Data and Report Preparation Facilities
Vulnerable areas include key entry, computer job setup, output control and distribution, data collection, and data transportation.
2. Computer Operations
All locations with computers in the immediate vicinity and rooms housing central computer systems are included in this category. Detached areas that contain peripheral equipment connected to computers by cable, and computer hardware maintenance areas or offices, are also included.
3. Non-IT Areas
Security risks also arise from business decisions in such non-IT areas as management, marketing, sales, and business offices, and serious abusive acts may originate from these areas.
4. Online Systems
The vulnerable functional areas are within online systems, where acts occur through the execution of programmed instructions initiated by terminal commands.
5. Programming Offices
This area includes office areas in which programmers produce and store program listings and documentation.
6. Online Data and Report Preparation
This category includes the functions for preparing online scripts.
7. Digital Media Storage Facilities
This area includes data libraries and any storage location containing usable data.
8. Online Operations
This category is the equivalent of the computer operations discussed previously, but involves the online terminal areas.
9. Central Processors
These IT areas are within the computer systems themselves, and abusive acts may originate from within the computer operating system (not from terminals).
Task 2 - Building a Penetration Point Matrix
There is a dilemma in the question of where to test security. Security is needed to protect the resources of the organization. People are the security problem, and therefore security should be placed over people. Computer security is best achieved by controlling activities; the activities in turn control people. For example, we want to stop people from removing computer media from the media library unless they are authorized to do so. This is best accomplished by placing controls over the computer media in the form of a librarian; we can then exercise our security procedures through the computer media library and the librarian. This task identifies the activities that need control, as well as the data flow points where penetration is most likely to occur. Creating the penetration point matrix itself is outside the scope of this paper.
Interface Activities
o Users of application data and programs
Users are the operational activities for which the applications have been developed and for which the processing results are needed. The primary users of computer resources are the operational areas responsible for the application being processed. Secondary users include various staff units in the organization.
o Technical interface to the computer environment
The computer environment includes many system software packages, for example operating systems, database management systems and scheduling systems. These individual packages need to be generated and installed; then the interfaces between the packages need to be established. Many of the technical interfaces are performed by systems programmers and other specialists such as database administrators.
o Development and maintenance of application systems
Application systems are the software packages that process user data to produce the results needed by the users. These application systems can be developed from internally generated specifications, acquired as commercially available software, or developed under contract by vendors who develop applications on a fee basis. The activity includes testing to ensure that the application functions correctly, and then making any changes necessary to ensure the operational correctness of the application. These applications can be developed by the professional data processing staff or by the users themselves.
o Privileged users
Each organization has a group of users who, by their stature in the organization, are privileged. This means that they may not be subject to the same level of control as non-privileged users. The two primary categories of privileged users are senior management and auditors. Other privileged users may be specialists within the data processing area or senior data processing management.
o Vendor interfaces
Organizations contract with a variety of vendors for additional services. These include the vendors of hardware, software, and other support services such as contract maintenance, contract cleaning, and contract consulting services. In the performance of their duties, it may be necessary for vendor personnel to interact with computer operations during normal operating periods.
Development Activities
o Policies, procedures, and standards
The data processing organization develops policies on how the function is to be performed. These policies are implemented through procedures, such as the system development methods by which data processing work is performed. These standards can apply both to the professional data processing area and to other users of data processing resources, such as microcomputer users.
o Training
Training is one of the key attributes of a quality data processing organization. Dr. W. Edwards Deming, the individual credited with the turnaround of the Japanese economy after the Second World War, states that training is one of the keys to quality data processing. Dr. Deming's doctrine states that individuals should be fully trained in how to perform their job and then evaluated by management to ensure that they have mastered those skills. Once fully trained, the individual can then operate with minimal supervision and be expected to produce high-quality work.
o Database administration
Databases are groupings of data that are managed independently of the application programs that use the data. The creation of databases requires a new organizational structure to manage and administer the use of this technology. In many organizations, database administration also includes the definition of data and the use of the data dictionary software documentation tool.
o Communications
This activity encompasses the electronic movement of data between one computer facility and another. In most organizations, the communication facilities involve the use of common carrier lines. When common carrier facilities are used, the organization loses control over the security of information from the time it passes into the hands of the common carrier until it is returned to the organization.
o Documentation
Documentation includes all of the recorded information developed and maintained about data processing activities. In application development, it includes record definitions, system specifications, program listings, test conditions and results, operator manuals, user manuals, control documentation, flow charts, and other pictorial representations. Note that the documentation may be in hard copy format, or may be maintained on electronic media.
o Program change control
The maintenance activity has the responsibility to define, implement and test changes to application systems. Nevertheless, the control of those changes should be independent of the activity that actually performs the program maintenance. The program change control activity involves logging changes, monitoring their implementation, and verifying that all changes to programs are appropriately authorized and that all authorized changes are made.
o Records retention program
This activity is designed both to retain needed computer-related documents and to appropriately destroy unneeded computer documents. While the computer media physically stores the data, the records retention program determines the length of time the information will be retained. The records retention program covers both manual and computer media. The time and method by which data will be destroyed is an important part of the records retention program. Many organizations either shred or burn key hard-copy computer documentation. In addition, some organizations have custodians to retain and control important records.
Operations Activities
o Computer processing
This is the activity of processing data to produce desired results. Processing is used in this context to indicate the totality of steps performed between the initiation of a transaction and its final termination. Processing includes both manual and automated functions that manipulate data.
o Media libraries
Media libraries are repositories for computer media. The most common media are disks and diskettes. Media libraries may be on-site or off-site. Off-site libraries are used to protect data in the event of a disaster at the on-site media library.
o Error handling
This activity begins when data is rejected from normal processing and continues until the problem has been resolved and the transaction has been correctly processed. Error handling ordinarily involves logging errors and then monitoring the correction and reentry process. It is a particularly vulnerable point in many application systems because the reentry may be subject to only minimal control.
o Production library control
The production library is the repository for computer programs and program-related parameters. For example, job control language statements are necessary to support programs, but are retained in libraries other than the production library. There are many libraries, but the emphasis in this activity is on control over those libraries that affect the integrity of computer processing.
o Computer operations
These are the steps involved in ensuring that the desired results are achieved through computer processing. Operations involve terminal usage, support operations such as off-line printers and office systems, and the central computer facility. Operations can also occur at off-site service centers.
o Disaster planning
Disaster planning encompasses the retention of data for purposes other than normal operations, and all of the procedures and methods needed to restore the integrity of operations in the event that it is lost. Since disasters can occur at any point of activity - for example, at a terminal - there may be many separate activities included within the disaster plan. It is generally advisable to involve users in the development of the plan affecting their operations.
o Privileged utilities and commands
Various aids are employed to assist technicians, operators, and developers in the performance of their job responsibilities. Many of these utilities and aids are designed to circumvent the normal operating controls in order to resolve a problem.
Task 3 - Assess Security Awareness Training
The best approach to assessing the adequacy of an organization's security awareness program is to evaluate that program against a world-class security awareness program. This task describes a world-class security awareness program. The evaluation will identify activities in the world-class program that are not included in your organization's security awareness program. Based on the results of this assessment, IT management can determine the merits of enhancing their security awareness program.
IT organizations cannot protect the confidentiality, integrity, and availability of information in today's highly networked systems environment without ensuring that all the people involved in using and managing IT:
o Understand their roles and responsibilities related to the organizational mission.
o Understand the organization's IT security policy, procedures, and practices.
o Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.
Step 1 - Create a Security Awareness Policy
The CIO and/or the IT Director need to develop a security awareness policy. The policy needs to state management's intention regarding security awareness. Once the policy has been established, management makes security awareness happen by supporting the development of a strategy and tactics for security awareness, appropriately funding those activities, and then becoming personally involved in ensuring that the staff knows of management's support for security awareness. A security awareness policy can be as simple as ensuring that all stakeholders involved in the use of information technology, and of the information controlled by that technology, are made aware of their role and responsibility in assuring the security of that technology and information.
Generally that policy would be clarified and expanded with a statement such as:
Step 2 - Develop a Security Awareness Strategy
A successful IT security program consists of: 1) developing an IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in the security policy and procedures; and 3) establishing processes for monitoring and reviewing the program. Security awareness and training should be focused on the organization's entire user population. Management should set the example for proper IT security behavior within an organization. An awareness program should begin with an effort that can be deployed and implemented in various ways and is aimed at all levels of the organization, including senior and executive managers. The effectiveness of this effort will usually determine the effectiveness of the awareness and training program. This is also true for a successful IT security program.
An effective IT security awareness and training program explains the proper rules of behavior for the use of an organization's IT systems and information. The program communicates the IT security policies and procedures that need to be followed. This must precede and lay the basis for any sanctions imposed due to noncompliance. Users should first be informed of the expectations. Accountability must be derived from a fully informed, well-trained, and aware workforce.
Step 3 - Assign the Roles for Security Awareness
While it is important to have a policy that requires the development and implementation of security awareness and training, it is crucial that IT organizations understand who has responsibility for IT security awareness and training. This step identifies and describes those within an organization who have responsibility for IT security awareness and training. Some organizations have a mature IT security program, while others may be struggling to achieve basic staffing, funding, and support. The form that an awareness and training program takes can vary greatly from organization to organization. This is due, in part, to the maturity of that program. One way to help ensure that a program matures is to develop and document IT security awareness and training responsibilities for those key positions upon which the success of the program depends.
Task 4 - Understand the Attributes of an Effective Security Control
When a security control is evaluated, we need to understand what makes a security control effective. The following attributes are designed to help determine whether or not a security control is effective:
o Simplicity - The control is small and easy to understand, so it can be verified and is less likely to contain flaws.
o Fail Safe - When the control fails or receives unexpected input, the default is to deny access rather than grant it.
o Open Design - The control's effectiveness does not depend on keeping its mechanism secret; only keys and passwords are secret.
o Separation of Privilege - Sensitive actions require more than one condition to be satisfied, for example two authorized people rather than one.
o Psychological Acceptability - The control is easy enough to use that people apply it correctly instead of working around it.
o Layered Defense - Several independent controls protect the same resource, so a single failure does not expose it.
o Compromise Recording - Where a penetration cannot be prevented, the control at least records that it occurred, so that it can be detected and investigated.
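The following Python block is an added example, not code from this paper or from any bank. It implements the funds-transfer controls sketched in the Internal Control section (authorized users, a limit per transfer, a daily limit, review of unusual destination countries) and shows how the attributes above shape the code: a fail-safe default, two-person approval as separation of privilege, every check evaluated as layered defense, and a hash-chained audit log as compromise recording. The account, users, limits and countries are constructed sample data, and the `Policy`, `Transfer`, `AuditLog` and `authorize_transfer` names are this example's own.

```python
"""Funds-transfer controls: fail-safe default, separation of privilege,
layered checks and tamper-evident compromise recording.
Added example; accounts, users, limits and countries below are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from decimal import Decimal

GENESIS = "0" * 64


@dataclass(frozen=True)
class Policy:
    """Controls that bound an account's exposure (Simplicity: one plain record)."""
    per_transfer_limit: Decimal        # most that one electronic transfer may move
    daily_limit: Decimal               # most that may leave the account in a day
    allowed_countries: frozenset       # destinations that are not "unusual"
    authorized_users: frozenset        # who may move money from this account
    dual_approval_above: Decimal       # Separation of privilege threshold


@dataclass
class Transfer:
    account: str
    initiator: str
    amount: Decimal
    dest_country: str
    approver: str | None = None        # second person for large transfers


@dataclass
class AuditLog:
    """Compromise recording: append-only entries, each hashed together with the
    previous entry's hash, so a deleted or edited entry breaks the chain."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _hash(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, event: dict) -> None:
        body = {"prev": self.entries[-1]["hash"] if self.entries else GENESIS, **event}
        self.entries.append({**body, "hash": self._hash(body)})

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize_transfer(t: Transfer, policies: dict, spent_today: dict,
                       log: AuditLog) -> tuple:
    """Return (allowed, reasons). Every check runs and every failure is reported
    (Layered defense); an unknown account or malformed request is denied rather
    than guessed at (Fail safe); the outcome is always logged."""
    reasons = []
    try:
        policy = policies[t.account]              # KeyError -> fail-safe deny
        if t.initiator not in policy.authorized_users:
            reasons.append("initiator not authorized for account")
        if t.amount <= 0:
            reasons.append("amount must be positive")
        if t.amount > policy.per_transfer_limit:
            reasons.append("exceeds per-transfer limit")
        if spent_today.get(t.account, Decimal(0)) + t.amount > policy.daily_limit:
            reasons.append("exceeds daily limit")
        if t.dest_country not in policy.allowed_countries:
            reasons.append("unusual destination country")
        if t.amount > policy.dual_approval_above:  # Separation of privilege
            if t.approver is None or t.approver == t.initiator:
                reasons.append("second approver required")
            elif t.approver not in policy.authorized_users:
                reasons.append("approver not authorized for account")
    except Exception as exc:
        reasons.append(f"fail-safe deny: {exc!r}")
    allowed = not reasons
    if allowed:
        spent_today[t.account] = spent_today.get(t.account, Decimal(0)) + t.amount
    log.record({"account": t.account, "initiator": t.initiator, "amount": str(t.amount),
                "dest": t.dest_country, "approver": t.approver,
                "allowed": allowed, "reasons": reasons})
    return allowed, reasons


# Constructed sample policy: one account, two authorized users.
SAMPLE_POLICIES = {
    "ACC-1001": Policy(Decimal("5000"), Decimal("10000"), frozenset({"US", "CA"}),
                       frozenset({"alice", "bob"}), Decimal("2500")),
}


def demo() -> tuple:
    """Run five constructed requests through the controls; return (results, log)."""
    log, spent, p = AuditLog(), {}, SAMPLE_POLICIES
    results = [
        authorize_transfer(Transfer("ACC-1001", "alice", Decimal("1000"), "US"), p, spent, log),
        authorize_transfer(Transfer("ACC-1001", "alice", Decimal("3000"), "US", "bob"), p, spent, log),
        authorize_transfer(Transfer("ACC-1001", "alice", Decimal("3000"), "US", "alice"), p, spent, log),
        authorize_transfer(Transfer("ACC-1001", "mallory", Decimal("4000"), "KY", "bob"), p, spent, log),
        authorize_transfer(Transfer("ACC-9999", "alice", Decimal("10"), "US"), p, spent, log),
    ]
    return results, log


if __name__ == "__main__":
    for allowed, reasons in demo()[0]:
        print("ALLOW" if allowed else "DENY ", reasons)
```

Two caveats a practitioner would add. The first request passes, the second passes because a different authorized person approved it, and the third, fourth and fifth are denied with the reasons recorded; the denials are exactly what compromise recording exists to capture, so the log must be reviewed, not just written. The hash chain makes in-place edits and deletions detectable, but only if the verifier holds the last hash somewhere the attacker cannot reach (shipped off-host or to a write-once store); an attacker who can rewrite the whole log can recompute the whole chain.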
Task 5 - Selecting Techniques to Test Security
Some security testing techniques are predominantly manual, requiring an individual to initiate and conduct the test. Other tests are highly automated and need less human involvement. The following security testing techniques are recommended:
o Network scanning
o Vulnerability scanning
o Password cracking
o Log review
o Integrity checkers
o Virus detection
o Penetration testing
Often, several of these techniques are used together to gain a more comprehensive evaluation of the overall network security posture. For example, penetration testing ordinarily includes network scanning and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. Some vulnerability scanners incorporate password cracking. None of these tests by itself will provide a complete picture of the network or its security posture.
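As an added example of the integrity checker technique listed above (written for this page, not taken from the paper or its references), the following Python program records a baseline of SHA-256 digests, sizes and permission bits for a directory of production programs, then compares the tree against that baseline and reports what was added, removed or modified. The directory, file names and contents in `demo()` are constructed for the demonstration.

```python
"""File integrity checker: record a baseline of SHA-256 digests for a
directory tree, then compare the tree against it and report files that
were added, removed or modified.
Added example for this page; the demo tree is constructed, not a real system."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest,
    size and permission bits, so a permission change shows up even when the
    content is unchanged. Symlinks are skipped rather than followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; any change in digest, size or mode counts as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small 'production library', tamper with
    it, and run the comparison. Returns the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "prod"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "transfer.sh").write_text("#!/bin/sh\necho transfer\n")
        (root / "config.ini").write_text("limit=5000\n")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorized changes to the production library.
        (root / "config.ini").write_text("limit=500000\n")        # modified
        (root / "bin" / "backdoor.sh").write_text("#!/bin/sh\n")  # added
        (root / "bin" / "transfer.sh").unlink()                   # removed

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline must be kept where the monitored system cannot write to it (off-host, on read-only media, or signed), because an attacker with write access to the production library can just as easily rewrite a baseline stored beside it. The checker reports that a file changed, not who changed it or whether the change was authorized; that question is answered by reconciling the report against the program change control log described under Development Activities.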
Conclusion
The individual selecting the security testing techniques should be knowledgeable in both security and the available security testing techniques. Testing information security is a specialized competency. The testing objective should be fixed before the security testing begins. The selection of a technique should be based on its strengths and weaknesses, which determine its applicability to the testing objective. Based on the category and sensitivity of the system, the frequency of testing should also be determined appropriately.