Friday, April 24, 2009

In-House Controls in an Organization

Introduction

As technology advances in leaps and bounds today, companies, and IT organizations in particular, pay much attention to safeguarding security. In spite of these advances, security continues to be a vulnerable area in most organizations. This paper sheds light on the important aspects of in-house controls, testing security controls, identifying penetration points, assessing security, and the attributes of an effective security control.

In-House Control

Interest in in-house control has been heightened by publicized penetrations of security and by the increased importance of information systems and the data contained in those systems. The passage of the Sarbanes-Oxley Act, in particular, highlighted interest in in-house control.

The Sarbanes-Oxley Act, sometimes referred to as SOX, was passed in response to numerous accounting scandals such as Enron and WorldCom. While much of the act relates to financial controls, there is a major section relating to in-house controls. Because making misleading attestation statements is a criminal offense, top corporate executives treat in-house control as a very important topic. Many of those controls are incorporated into information systems, hence the need for testing those controls.

The following four key terms are used extensively in in-house control and security: risk, exposure, threat, controls.

Let's look at an example of these terms using a homeowner's insurance policy. Within that policy we will look at one risk, the risk of fire. The exposure associated with the risk of fire would be the value of your home. A threat that might cause that risk to turn into a loss might be an improper electrical connection or children playing with matches. Controls that would minimize the loss associated with the risk would include such things as fire extinguishers, sprinkler systems, fire alarms and non-combustible material used in construction.

Looking at the same situation in IT, we might consider the risk of someone penetrating a banking system and improperly transferring funds to the perpetrator's personal account. The risk is the loss of funds from the account that was penetrated. The exposure is the amount of money in the account, or the amount of money that the bank allows to be transferred electronically. The threat is an inadequate security system that allows the perpetrator to penetrate the banking system. Controls can include passwords limiting access, limits on the amount that can be transferred at any one time, controls over unusual transactions such as transferring money to an overseas account, and limits on who can transfer money from the account.
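
The banking controls just described, written out as a transfer policy check. This is an added example, not code from the original post; the user names, the per-transfer limit, the home-country value and the sample transfers are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class TransferPolicy:
    authorized_users: frozenset[str]   # control: who may transfer from the account
    per_transfer_limit: int            # control: most that may move at any one time
    home_country: str = "US"           # transfers elsewhere count as "unusual" (assumed)

@dataclass(frozen=True)
class Transfer:
    user: str
    authenticated: bool   # did the password/credential check pass?
    amount: int
    dest_country: str

def residual_exposure(balance: int, policy: TransferPolicy) -> int:
    """Exposure per the text: the money in the account, capped by what the
    bank lets a single electronic transfer move."""
    return min(balance, policy.per_transfer_limit)

def evaluate_transfer(t: Transfer, policy: TransferPolicy) -> tuple[str, list[str]]:
    """Apply the controls in order. Returns (decision, reasons) where decision
    is 'deny' (hard control failed), 'review' (unusual, hold for a person) or 'allow'."""
    if not t.authenticated:                       # password control
        return "deny", ["credentials not verified"]
    if t.user not in policy.authorized_users:     # who-can-transfer control
        return "deny", [f"user {t.user!r} is not authorized to transfer"]
    if t.amount > policy.per_transfer_limit:      # per-transfer amount control
        return "deny", [f"amount {t.amount} exceeds limit {policy.per_transfer_limit}"]
    if t.dest_country != policy.home_country:     # unusual-transaction control
        return "review", [f"overseas destination {t.dest_country!r}; hold for review"]
    return "allow", []

if __name__ == "__main__":
    # Constructed sample: one authorized user, a 10,000 single-transfer cap.
    policy = TransferPolicy(frozenset({"alice"}), per_transfer_limit=10_000)
    samples = [
        Transfer("alice", True, 500, "US"),      # allow
        Transfer("mallory", True, 500, "US"),    # deny: not an authorized user
        Transfer("alice", False, 500, "US"),     # deny: not authenticated
        Transfer("alice", True, 50_000, "US"),   # deny: over the per-transfer limit
        Transfer("alice", True, 500, "KY"),      # review: overseas account
    ]
    for s in samples:
        print(s.user, s.amount, s.dest_country, "->", evaluate_transfer(s, policy))
    print("residual exposure on a 250,000 balance:", residual_exposure(250_000, policy))
```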

Testing Security Controls

Security is too important to organizations for the testing of security controls to be ignored. The following tasks can add value to security control testing:

Task 1 -- Where Security is Vulnerable to Penetration

Data and report preparation areas and computer operations facilities, which have the highest concentration of manual functions, are the areas most vulnerable to having security penetrated. The nine primary IT locations are ranked below, from most to least vulnerable:

Vulnerable Areas, by Rank

1. Data and Report Preparation Facilities
2. Computer Operations
3. Non-IT Areas
4. Online Systems
5. Programming Offices
6. Online Data and Report Preparation
7. Digital Media Storage Facilities
8. Online Operations
9. Central Processors

Task 2 -- Building a Penetration Point Matrix

Interface Activities

  • Technical interface to the computer environment
  • Development and maintenance of application systems
  • Privileged users
  • Vendor interfaces

Development Activities

  • Training
  • Database administration
  • Communications
  • Documentation
  • Program change control
  • Records retention program

Operations Activities

  • Media libraries
  • Error handling
  • Production library control
  • Computer operations
  • Disaster planning
  • Privileged utilities and commands

Task 3 -- Assess Security Awareness Training

Staff should understand their roles and responsibilities related to the organizational mission.

Step 1 -- Create a Security Awareness Policy

Step 2 -- Develop a Security Awareness Strategy

Step 3 -- Assign the Roles for Security Awareness

Task 4 -- Understand the Attributes of an Effective Security Control

When a security control is evaluated, we need to understand what makes a security control effective. The following attributes of an effective security control are designed to help determine whether or not a given security control is effective.

Task 5 -- Selecting Techniques to Test Security

Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall network security posture. For example, penetration testing usually includes network scanning and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. Some vulnerability scanners incorporate password cracking. None of these tests by itself will provide a complete picture of the network or its security posture.

Conclusion

G.R.Brindha Shivak
