Risks, Controls, and Security: Concepts and Applications



About the Book

An accountant's guide to managing control risks.

In today's networked world, security and risk control are no longer just the province of the IT department. Accountants and other business managers who are responsible for corporate risk management must fully understand the control and security risks that can affect the financial health of the entire organization. Risks, Controls and Security: Concepts and Applications introduces you to today's control risks and how to manage them. Beginning with basic systems controls and security awareness, the book provides you with a clear comprehension of the concepts, issues, and techniques of information security in a networked environment. Moving from theory to application, you'll cover all the key security principles that are applicable to all businesses, including e-businesses:
  • Enterprise risk management
  • Control and security frameworks
  • Basic cryptography and public key infrastructure
  • Security for operating systems, applications, database management systems, and telecommunications
  • Network and web security
  • Policy, regulation, and ethics

Real-world problem scenarios and a wealth of pedagogical features (discussion questions, short exercises, example cases, and "concept maps" that help you visualize the material) ensure your confident grasp of the material and enable you to put "security into practice." Designed for practicing professionals as well as for students in accounting, business management, and computer science, Risks, Controls and Security will prepare you well for meeting the challenge of protecting information assets.

Table of Contents:
Preface xiii

CHAPTER 1 Enterprise Risk Management 1
  • Security in practice 1.1 1
  • Learning objectives 1
  • Concept maps 2
  • Introduction 2
  • Enterprise risk management 4
  • Business environment risk 6
  • Business strategy risk 7
  • Business process risk 8
  • Business outcomes risk 9
  • Business and information systems 9
  • Organization structure 9
  • Business processes 11
  • Information systems 11
  • Business processes and information systems 12
  • Information systems assurance 14
  • Assurance and risk management 15
  • An information systems assurance approach 16
  • Management's role in information systems assurance 16
  • Summary 18
  • Key words 19
  • Multiple-choice questions 19
  • Discussion questions 19
  • Exercises 20

CHAPTER 2 Information Systems Concerns and Risks 23
  • Security in practice 2.1 23
  • Learning objectives 23
  • Introduction 24
  • Target system 25
  • Target system boundary (perimeter) 27
  • Target system communication 27
  • Target system location and spread 27
  • Target system control and security 28
  • Risk 29
  • Risk exposures 29
  • Factors causing changes in risk 30
  • Risk management 32
  • Security, functionality, and usability 34
  • Risk management and change 35
  • Control systems 35
  • Components of control systems 36
  • Designing effective control systems 38
  • Logical constructs of control systems 39
  • Security in practice 2.2 43
  • Common criteria 43
  • Implications for assurance 44
  • Summary 45
  • Key words 46
  • Multiple-choice questions 46
  • Discussion questions 46
  • Exercises 47

CHAPTER 3 Control and Security Frameworks 48
  • Security in practice 3.1 48
  • Learning objectives 48
  • Introduction 49
  • Protecting information assets 50
  • Need for protecting information assets 50
  • Vulnerabilities and threats 51
  • Internal control and information security 54
  • Definition of internal control 54
  • Classification of internal controls 54
  • Definition of information security 55
  • Classification of information security measures 55
  • Relationship between internal control and information security 56
  • Internal control and information security objectives 56
  • Internal control objectives 56
  • Information security objectives 58
  • Comparison of internal control and security objectives 61
  • Relationship between internal control and security objectives 62
  • Frameworks for control and security 63
  • COBIT 64
  • ISO 17799 66
  • COSO 67
  • A comparison of frameworks 70
  • Implementing a framework 71
  • Assurance considerations 74
  • Summary 74
  • Key words 75
  • Multiple-choice questions 76
  • Discussion questions 76
  • Exercises 77
  • APPENDIX 3.1 A Summary of Section 404, Sarbanes-Oxley Act 81
  • APPENDIX 3.2 Aksarben Furniture Mart (AFM) 82

CHAPTER 4 Systems Availability and Business Continuity 94
  • Security in practice 4.1 94
  • Learning objectives 94
  • Introduction 95
  • Systems availability and business continuity 96
  • Systems availability 97
  • Incident response 98
  • Incidents 98
  • Incident response team 99
  • Nature of response 100
  • Preventive measures 100
  • Disaster recovery 101
  • Postdisaster phases 101
  • Disaster recovery planning 103
  • Components of planning 104
  • Assessing potential losses: disaster impact analysis 105
  • Value-based recovery planning 106
  • Finding criticality 107
  • Disaster recovery strategies 107
  • Recovery locations 108
  • Disaster recovery teams 110
  • Disaster readiness 110
  • Business continuity planning 111
  • Business impact analysis 111
  • Business recovery 112
  • Assurance considerations 112
  • Method 112
  • Content 113
  • Live testing 114
  • Summary 114
  • Key words 115
  • Multiple-choice questions 115
  • Discussion questions 116
  • Exercises 116

CHAPTER 5 Basic Cryptography 120
  • Security in practice 5.1 120
  • Learning objectives 120
  • Introduction 121
  • Basic concepts 122
  • Meaning of cryptography 122
  • Purposes of cryptography 123
  • Terms and definitions 124
  • Process components 124
  • Method and key 125
  • Using cryptography 126
  • Secret key cryptography 126
  • Basic approaches 126
  • Method and key in secret key cryptography 129
  • Cryptographic algorithms 129
  • Advantages and limitations of secret key cryptography 133
  • Cryptanalysis of secret key cryptography 134
  • Current secret key algorithms 134
  • Message digests 135
  • Message digest methods 137
  • Role in cryptography 137
  • Public key cryptography 138
  • Basic approach 138
  • Method and key in PKC 138
  • Current public key algorithms 138
  • Advantages and limitations of public key cryptography 140
  • Cryptanalysis of PKC 140
  • Implications for assurance 141
  • Summary 143
  • Key words 143
  • Multiple-choice questions 144
  • Discussion questions 144
  • Exercises 145

CHAPTER 6 Public Key Cryptography: Concepts and Applications 146
  • Security in practice 6.1 146
  • Learning objectives 147
  • Introduction 147
  • Distribution of secret keys 148
  • Key distribution 148
  • Key agreement 149
  • Digital signature 150
  • Trust in public keys 153
  • Need for trust 154
  • Trust compared to security 154
  • Sources and levels of trust 155
  • Meeting requirements of trust 155
  • Digital (public key) certificate 155
  • Certification authority 156
  • Trust levels in digital certificates 158
  • Web trust models 158
  • Public key infrastructure 159
  • Infrastructure 159
  • Nature and characteristics 160
  • X.509 162
  • PKI applications 164
  • Assurance considerations 164
  • Summary 167
  • Key words 168
  • Multiple-choice questions 168
  • Discussion questions 169
  • Exercises 170

CHAPTER 7 Operating Systems Security 171
  • Security in practice 7.1 171
  • Learning objectives 172
  • Introduction 172
  • Operating systems primer 174
  • Goals of operating systems 175
  • Management concerns 176
  • Common operating systems 177
  • Common risks and controls 178
  • Authentication 178
  • Authorization 183
  • Trust relationships 185
  • Job scheduling 187
  • File systems 189
  • Software updates 194
  • Assurance considerations 197
  • Summary 198
  • Key words 199
  • Multiple-choice questions 199
  • Discussion questions 200
  • Exercises 200

CHAPTER 8 Application Security 202
  • Security in practice 8.1 202
  • Learning objectives 202
  • Introduction 203
  • Applications primer 204
  • Application architecture 205
  • Advantages of application tiers 206
  • Management concerns 207
  • Common risks and controls 208
  • Boundary checking 208
  • Input manipulation 210
  • Application authentication 216
  • Session management 218
  • Change control and change management 222
  • Application infrastructure 225
  • Assurance considerations 226
  • Summary 227
  • Key words 228
  • Multiple-choice questions 228
  • Discussion questions 229
  • Exercises 230

CHAPTER 9 Database Management Systems Security 231
  • Security in practice 9.1 231
  • Learning objectives 231
  • Introduction 233
  • Database management systems primer 233
  • Need for databases 233
  • Types of databases 234
  • Management concerns 237
  • Common risks and controls 237
  • Authentication 238
  • Trust relationships 242
  • Networking within databases and with operating systems 245
  • Insecure design of database applications 248
  • Assurance considerations 254
  • Summary 255
  • Key words 256
  • Multiple-choice questions 256
  • Discussion questions 257
  • Exercises 257

CHAPTER 10 Telecommunications Security 259
  • Security in practice 10.1 259
  • Learning objectives 259
  • Introduction 261
  • Telecommunications primer 261
  • Public switched telephone network (PSTN) 262
  • A closer look at PSTN 263
  • Voice over IP networks 267
  • The promise of VoIP networks 269
  • Management concerns 269
  • Common risks and controls 270
  • Direct inward system access 270
  • Maintenance ports 271
  • Silent monitoring 272
  • Telecom scams 272
  • Voice mail and conferencing systems 274
  • VoIP security 275
  • Assurance considerations 277
  • Summary 278
  • Key words 279
  • Multiple-choice questions 279
  • Discussion questions 280
  • Exercises 280

CHAPTER 11 Network Security 282
  • Security in practice 11.1 282
  • Learning objectives 282
  • Introduction 283
  • Network primer 284
  • OSI network model 284
  • TCP/IP model 286
  • TCP/IP protocols 286
  • IP addresses 288
  • Ports 289
  • Protocols, IP addresses, ports: how does it all fit? 290
  • Goals of networks 291
  • Management concerns 292
  • Common risks and controls 292
  • Clear-text transmissions 292
  • Modems 293
  • Virtual private networks 296
  • Firewalls 299
  • Wireless networks 306
  • Denial of service attacks 308
  • Simple network management protocol 315
  • Assurance considerations 316
  • Summary 318
  • Key words 318
  • Multiple-choice questions 319
  • Discussion questions 320
  • Exercises 320

CHAPTER 12 Web Security 322
  • Security in practice 12.1 322
  • Learning objectives 322
  • Introduction 323
  • Web primer 324
  • Web client 325
  • Transport mechanisms 325
  • Web server 326
  • Static and dynamic content 326
  • Databases 327
  • Management concerns 327
  • Common risks and controls 328
  • Web browsers 329
  • Web servers 333
  • Web applications 337
  • Assurance considerations 343
  • Summary 344
  • Key words 344
  • Multiple-choice questions 345
  • Discussion questions 346
  • Exercises 346

CHAPTER 13 Policy, Regulation, and Ethics 348
  • Security in practice 13.1 348
  • Learning objectives 348
  • Introduction 349
  • Policy, regulation, and ethics 349
  • Organization and accountability 350
  • Security policies 352
  • Characteristics of a policy 353
  • Classification of policies 355
  • Policy development process 356
  • Regulatory requirements 357
  • Information assets protection 358
  • Ethical behavior in organizations 362
  • Frameworks for ethical behavior 362
  • Business ethics 364
  • Ethics and information technology 364
  • Social engineering 366
  • Threats 366
  • Countermeasures 367
  • Assurance considerations 368
  • Security policy development, implementation, and enforcement 368
  • Compliance with regulations 368
  • Ethical behavior 369
  • Summary 369
  • Key words 370
  • Multiple-choice questions 370
  • Discussion questions 371
  • Exercises 371

Glossary 375
Index 395

Product Details
  • ISBN-13: 9780471485797
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Depth: 29
  • Language: English
  • Returnable: N
  • Spine Width: 21 mm
  • Weight: 816 gr
  • ISBN-10: 0471485799
  • Publisher Date: 09 Feb 2007
  • Binding: Hardback
  • Height: 242 mm
  • No of Pages: 432
  • Series Title: English
  • Sub Title: Concepts and Applications
  • Width: 198 mm
