EECS4482 2015

Session 10 - Management Considerations of Outsourcing

Management Considerations of Outsourcing
• Risk and accountability are not outsourced with services.
• In most cases, risk increases because the organization receiving the service has less direct control.
• Control risk increases further if the service provider in turn outsources.
• Many controls are impractical to duplicate or compensate for with in-house procedures.

20 Questions
• Has management clearly defined its operational, technical and financial objectives?
• Has management considered how the organization will be affected by the loss of skills or intellectual capital?
• Does management monitor the service provider’s expertise, size, financial health, culture, operational capability and experience?
• Does the user organization have the core competency, capacity, tools and policies to evaluate and manage the quality of service?
• Is management confident in the effectiveness of the service provider’s internal controls?
• Is management satisfied with the effectiveness of the risk mitigation mechanisms related to information protection, business continuity, change control and regulatory compliance?
• If the outsourced services are provided by a supplier that is located in or subject to foreign law, has management mitigated the risks related to the economic, cultural and political backdrop, the technical sophistication, and the legal profile of the foreign jurisdiction?
• The U.S. Patriot Act requires U.S. companies to turn over information to the U.S. Government upon a legal request.
• Are actual and attempted security violations, operations problems and control breakdowns promptly recorded and reported by the service provider?
• Does the service provider maintain adequate business continuity and disaster recovery plans?
• Do contingency plans exist that can be activated when the service provider fails to continue providing service?
• Does the contract describe the significant terms of the arrangement, including the level of service to be provided and the legal obligations?
• Are the roles and responsibilities defined and understood by both parties?
• Does the organization have the right to audit?
• Can management impose control requirements in the event the service provider offers services to a competitor, changes key personnel, or engages third parties to help deliver the services?
• Do effective accountabilities and processes exist to monitor and manage the relationship with the service provider?
• Has management considered the issues and disputes that remain unresolved with the service provider and the impediments to their resolution?
• Are objective and reliable performance measures defined?
• Has the service provider been able to consistently meet expectations?
• Is management able to respond to situations where the service provider fails to meet service delivery expectations?
• Does management ensure the correctness of billings under the agreement?

Conclusion
• Information systems auditing is increasingly important in light of Sarbanes-Oxley and the Investor’s Confidence Rule.
• Outsourcing is on the rise and it increases audit risk.
Outsourcing Options
• Big selling point for offshore outsourcing: “inexpensive good work”.

Offshore Outsourcing
• Three categories of outsourcing countries: leaders, up-and-comers, rookies.

The Leaders
• Canada
• India
• Ireland
• Israel
• Philippines

The Up-and-Comers
• Brazil
• China
• Malaysia
• Mexico
• Russia
• South Africa

Operating System
• A large program, written in a low-level language, that bridges applications, database management systems and the central processing unit.
• It directly controls the allocation of hardware resources such as memory.
• Common commercial OS include Windows, variants of Unix, OS X for Apple Macs and z/OS for IBM mainframes.

OS Configuration
• Controlled by a system administrator. A system administrator has full control of a computer and must therefore be closely monitored by management (think of Snowden).
• Organizations should have a standard blueprint for each OS to ensure consistency.
• The standard blueprint should minimize the number of enabled ports and services: every listening port or running service that the role does not need is attack surface.
• A port is a numbered endpoint (0 to 65535) on a host at which a network service accepts Internet or intranet traffic, e.g., TCP port 80 for web browsing.
• A service is a utility program of an OS that supports common applications.

System Administrator Control
• Careful screening before hiring, e.g., criminal record check, psychological test.
• Rotation of duties among servers.
• Segregation of duties, e.g., an SA must not also be a DBA.
• Use vendor-supplied tools to generate reports on SA activities for frequent management review.

User Control
• General users should not be given root access to the operating system.
• General users should not be given administrative privilege on their computers, so that they cannot change OS settings and cannot install programs.
• This helps to prevent virus spreading, copyright infringement and hacking.

Patching
• Computers should be set to check for patches and download them automatically. For example, my home computer is set to check Microsoft for patches every time it is shut down. If a patch is available, it will be installed before the shutdown.
• Organizations should procure patching tools to check for updates from OS vendors, test the updates and then automatically distribute them to servers, workstations and laptops.
• Patching should also apply to organization-owned smart phones.
• Devices should be checked by the organization's network for up-to-date patches before they are allowed to connect.
• A patch is a fix from an operating system vendor that closes a security hole used by hackers.
• A security hole is also called a vulnerability: a flaw in a service, in the OS itself, or in the way services can be combined, that lets an attacker gain access or privileges they should not have. Exposed ports and services are the attack surface through which such a flaw is reached, which is why the blueprint minimizes them.

Access Control
• Access control lists (ACLs) can be set up in an OS to restrict access by applications and by those users who have direct access to the OS.
• An ACL entry defines the subject (user or application), the object (data, OS services, etc.) and the type of access (read, write, delete).
• Most business users don’t need direct access to the OS.

Operating System Access Controls
Differences between operating systems in terms of access controls mainly have to do with authentication, authorization and logging.
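The OS Configuration slides above call for a standard blueprint that minimizes enabled ports and services. The script below is an added example (not from the lecture, and not a vendor tool) of how an auditor can check a Linux host against such a blueprint: it parses the output of `ss -Hlntp` (listening TCP sockets with owning process), embedded here as a constructed sample so it runs offline, and reports every listener that the hypothetical WEB_SERVER_BLUEPRINT does not allow or that is owned by a different process than expected.

```python
"""Compare a host's listening TCP ports with an OS blueprint (added example).

Assumptions (not from the lecture): the blueprint is a dict mapping
port -> expected process name for the host's role, and the host state is
the text of `ss -Hlntp` on Linux, embedded below as a constructed sample.
"""
import re

# Constructed sample of `ss -Hlntp` output for a web server (not captured
# from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128    0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80     0.0.0.0:*  users:(("nginx",pid=1300,fd=6))
LISTEN 0      511    0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=1300,fd=7))
LISTEN 0      100    0.0.0.0:25     0.0.0.0:*  users:(("master",pid=990,fd=13))
LISTEN 0      50     0.0.0.0:3306   0.0.0.0:*  users:(("mysqld",pid=1411,fd=21))
LISTEN 0      128    127.0.0.1:6379 0.0.0.0:*  users:(("redis-server",pid=1502,fd=6))
"""

# Hypothetical blueprint for the "web server" role: port -> process that
# may own it.  Anything else listening is a deviation to investigate.
WEB_SERVER_BLUEPRINT = {22: "sshd", 80: "nginx", 443: "nginx"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Return a list of (bind_address, port, process) from ss -Hlntp text."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"]))
    return listeners


def check_against_blueprint(listeners, blueprint):
    """Classify each listener as 'ok', 'wrong-process' or 'unexpected'.

    Loopback-only listeners are still reported: the blueprint should say
    explicitly what may run, even if it is not reachable from the network.
    """
    findings = []
    for addr, port, proc in listeners:
        if port not in blueprint:
            findings.append(("unexpected", addr, port, proc))
        elif blueprint[port] != proc:
            findings.append(("wrong-process", addr, port, proc))
        else:
            findings.append(("ok", addr, port, proc))
    return findings


def deviations(ss_output, blueprint):
    """Listeners that must be disabled (or re-owned) to match the blueprint."""
    return [f for f in check_against_blueprint(parse_listeners(ss_output), blueprint)
            if f[0] != "ok"]


if __name__ == "__main__":
    for status, addr, port, proc in check_against_blueprint(
            parse_listeners(SAMPLE_SS_OUTPUT), WEB_SERVER_BLUEPRINT):
        print(f"{status:14} {addr}:{port} ({proc})")
```

On the sample input the mail, MySQL and Redis listeners are flagged. A loopback-bound Redis is less exposed than the others, but it is still flagged on purpose: the point of a blueprint is that the approved list is explicit, and an unlisted service is a deviation until someone approves it.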
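The ACL model just described (subject, object, type of access) is what Unix file permissions implement with the owner/group/world triplets used on the File Permissions on Critical Files slide later in this session. The code below is an added example, not from the lecture: it parses the 10-character mode string that `ls -l` prints, such as -rwxr-x--x, converts it to octal, and applies the Unix rule that exactly one class (owner, else group, else world) is consulted for a given subject. The user and group names are hypothetical sample input.

```python
"""Evaluate Unix owner/group/world file permissions (added example).

Takes the 10-character mode string that `ls -l` prints, e.g. "-rwxr-x--x",
and decides whether a subject (user name plus group memberships) may read,
write or execute the object.  User/group names below are hypothetical.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode):
    """Return (owner, group, world) permission sets from an ls -l mode string.

    The first character (file type) is ignored.  's'/'t' (setuid, setgid,
    sticky with execute) count as execute; 'S'/'T' mean the special bit is
    set but execute is not.
    """
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode such as -rwxr-x--x")
    result = []
    for trip in (mode[1:4], mode[4:7], mode[7:10]):
        perms = set()
        for ch, want in zip(trip, "rwx"):
            if ch == "-":
                continue
            if ch == want:
                perms.add(want)
            elif want == "x" and ch in "sStT":
                if ch in "st":
                    perms.add("x")
            else:
                raise ValueError(f"unexpected character {ch!r} in {mode!r}")
        result.append(frozenset(perms))
    return tuple(result)


def to_octal(mode):
    """'-rwxr-x--x' -> '751' (the rwx bits only, special bits dropped)."""
    return "".join(str(sum(PERM_BITS[p] for p in perms)) for perms in parse_mode(mode))


def can_access(mode, file_owner, file_group, user, user_groups, access, is_root=False):
    """Apply the Unix rule: exactly one class applies, chosen in the order
    owner -> group -> world.  The file's owner is judged by the owner bits
    only, even if the group or world bits are more permissive.  root
    bypasses read/write checks; execute still needs some x bit set.
    """
    owner, group, world = parse_mode(mode)
    if is_root:
        return access != "x" or any("x" in s for s in (owner, group, world))
    if user == file_owner:
        return access in owner
    if file_group in user_groups:
        return access in group
    return access in world


if __name__ == "__main__":
    # Constructed sample: a payroll binary owned by app:payroll, mode -rwxr-x--x
    for who, groups in [("app", {"app"}), ("alice", {"payroll"}), ("bob", {"users"})]:
        allowed = [a for a in "rwx"
                   if can_access("-rwxr-x--x", "app", "payroll", who, groups, a)]
        print(f"{who}: {''.join(allowed) or '-'}")
```

The owner-first rule is the edge case auditors most often miss when reading a listing: a file with mode ----rwxrwx is unreadable by its own owner even though everybody else can read it, because the owner class is selected and never falls through to the others.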
Browser Security
• Ordinary users without local administration privilege can still change browser security and privacy settings. This means more monitoring and education are required. The web usage policy should indicate which options must not be turned on.

Modern OS Security Features
• Anti-virus software, a firewall and full hard drive encryption now come standard with commercial PC operating systems.

Windows Action Center
• It allows the user to schedule Windows updates so that updates are downloaded and installed automatically. Organizations usually disable this function on the client and instead let a central server (the domain controller) oversee updating.

Other Windows Security Features
• Locking down users to prevent them from installing programs.
• Defining user access rights as guest, folder owner, administrator (full access), and specific user (requiring a logon account).
• Defining access control lists for folders and files.
• Data Execution Prevention (DEP), which defeats many buffer-overflow exploits by marking memory pages intended for data as non-executable, so injected code on the stack or heap cannot run. It was introduced in Windows XP SP2 and is on by default for core Windows programs and services; it can be extended to all programs. DEP does not stop attacks that reuse code already in executable pages, which is why later Windows versions combine it with address space layout randomization.
• Protected Media Path (Windows Vista and later) protects digital rights management by denying unauthorized applications access to DRM-protected media content while it is being decoded and played, so the content cannot be copied at that point.

Active Directory
This hierarchical authentication and authorization structure (Windows 2000 and later) replaced the Windows NT primary domain controller and backup domain controllers for authentication and authorization.
It has the following features:
• Central location for network administration and security
• Information security and single sign-on for user access to networked resources
• The ability to scale up or down easily
• Standardized access to application data
• Synchronization of directory updates across servers

Password Salting
• Most operating systems add a random bit string (the salt) to the raw password before hashing, so that two accounts with the same password store different hashes and a precomputed table of hashes cannot be reused across accounts.
• Traditional Unix crypt(3) uses a 12-bit random salt chosen each time a password is created or changed; modern Unix password schemes in /etc/shadow (e.g., SHA-512 crypt) use much longer salts.
• Windows does not salt the NT password hashes stored in the SAM or in Active Directory. Only the cached domain credentials, which let a domain user log on while no domain controller is reachable (offline access), are salted, using the user name.

File Permissions on Critical Files
• Unix controls access to files, programs, and all other resources via file permissions.
• Unix permissions are controlled by three categories: Owner, Group, and World (everyone else).
• Each category can be granted READ, WRITE and/or EXECUTE on a Unix file or resource.
• Ex. -rwxr-x--x: the owner can read, write and execute, the group can read and execute, and everyone else can only execute.

Syslog
• The syslog utility allows system administrators to log various events occurring on a Unix system.
• If syslog is configured correctly, Unix can log many security events without a third-party plug-in.

Mainframe Operating System
z/OS on its own has weaker access control than Windows and Unix because its predecessors, MVS (Multiple Virtual Storage) and OS/390, were developed well before the Internet and were not designed to mitigate the risk of hacking. RACF (or an equivalent external security manager) should be installed to provide commercial-grade security for z Series servers.

Resource Access Control Facility (RACF)
• RACF provides user authentication, resource access control, security logging and audit reporting. It is much more granular than the base operating system security. For example, it makes available 254 security levels (labels) that can be assigned to each resource object. A label indicates which users or objects can access a resource and how.
• A resource object may be a data table (file), a program, a workstation, an ATM or another network device. The type of access may be read, write or delete.
• Each user has a profile that controls the access allowed to that user and binds the user to security policies such as password change frequency and password length. A user may also be restricted by day of week and time of day.
• An administrator has full access. An “auditor” in RACF has full read access, including the ability to generate reports on access.

Conclusion
• PC and PC-based server security continues to be improved by their vendors. Recently added features include full hard disk encryption, an application firewall and integrated anti-malware features including anti-virus.
• In security, the weakest link is people, including people’s commitment to defining strong policies and complying with them.
• Organizations should have tight operating system images for desktops and servers across the enterprise to comply with their policies.
• User access rights should be limited to their job functions, and users should not be given administrator privilege on their desktops and laptops.
• System administrators should be controlled with thorough reference checks and criminal record checks before hiring and periodically thereafter, rotation of duties among servers, limiting the servers they support, limiting their other duties, and regular management review of system logs using software products that turn system logs into meaningful management reports.
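The Password Salting slide above states the rule; the code below is an added example (not from the lecture, and not the hashing scheme of any particular OS) that shows the effect. Two users choose the same password: unsalted, their stored hashes are identical, so one lookup table or one cracked hash breaks both accounts; with a per-user random salt the hashes differ. The hash function used here is PBKDF2-HMAC-SHA256 from Python's hashlib, chosen for the example; the 12-bit salt space of classic crypt(3) is contrasted with a 16-byte salt.

```python
"""Why password hashes are salted (added example, not from the slides).

Two users pick the same password.  Without a salt their stored hashes are
identical; with a per-user random salt they differ and any precomputed
table must be rebuilt per salt.  PBKDF2-HMAC-SHA256 is this example's
choice of hash, not what any particular OS uses.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def unsalted_hash(password):
    """What an unsalted scheme stores: identical passwords -> identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 over the password with the given salt (raw bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password, salt_bytes=16):
    """Create a stored credential (salt, hash).  The salt is random per user
    and kept in the clear beside the hash, as /etc/shadow does."""
    salt = os.urandom(salt_bytes)
    return salt, salted_hash(password, salt)


def verify(password, record):
    """Recompute with the stored salt; constant-time compare so the check
    itself does not leak how many bytes matched."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(password, salt), stored)


def salt_space(bits):
    """Distinct salts, i.e. how many times a rainbow table must be rebuilt
    to cover every user: 2**12 for classic crypt(3), 2**128 for 16 bytes."""
    return 2 ** bits


if __name__ == "__main__":
    pw = "Winter2015!"   # constructed sample; both users chose it
    print("unsalted, alice:", unsalted_hash(pw))
    print("unsalted, bob:  ", unsalted_hash(pw))   # identical
    alice, bob = make_record(pw), make_record(pw)
    print("salted, alice:  ", alice[1].hex())
    print("salted, bob:    ", bob[1].hex())        # different
    print("crypt(3) 12-bit salt space:", salt_space(12))
    print("16-byte salt space:        ", salt_space(128))
```

A 12-bit salt only forces an attacker to build 4096 tables, which was a real obstacle in the 1970s and is not one today; that is why modern schemes use salts of 16 bytes or more together with a deliberately slow hash.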
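The Syslog slide above says a correctly configured syslog records security events; what the auditor or operations team then does with those records is the interesting part. The following is an added example, not from the lecture: detection logic over a few constructed syslog lines in the traditional OpenSSH format, counting failed logins per source address, flagging sources over a threshold (an arbitrary choice here), and flagging a success that follows failures from the same source, which is the case worth a closer look.

```python
"""Detection over syslog lines: SSH brute force (added example).

The log lines are constructed samples in the traditional syslog/OpenSSH
format, not captured from a real host; the threshold is an arbitrary choice.
"""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Mar  3 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar  3 09:12:05 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 09:12:09 web01 sshd[2218]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar  3 09:12:14 web01 sshd[2220]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2
Mar  3 09:12:20 web01 sshd[2224]: Failed password for alice from 203.0.113.9 port 40110 ssh2
Mar  3 09:12:31 web01 sshd[2224]: Accepted password for alice from 203.0.113.9 port 40110 ssh2
Mar  3 09:13:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

FAILED_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)
ACCEPTED_RE = re.compile(
    r'sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)'
)


def parse_ssh_events(log_text):
    """Yield (outcome, user, ip) for sshd authentication lines; other lines
    (here the sudo line) are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield ("failed", m["user"], m["ip"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("accepted", m["user"], m["ip"])


def failed_logins_by_source(log_text):
    counts = defaultdict(int)
    for outcome, _user, ip in parse_ssh_events(log_text):
        if outcome == "failed":
            counts[ip] += 1
    return dict(counts)


def brute_force_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` failed logins."""
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items()
                  if n >= threshold)


def success_after_failures(log_text):
    """(user, ip) pairs that logged in successfully after failing from the
    same address.  One typo is benign; after a burst it needs follow-up."""
    failed = set()
    hits = []
    for outcome, user, ip in parse_ssh_events(log_text):
        key = (user, ip)
        if outcome == "failed":
            failed.add(key)
        elif key in failed:
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("failed logins per source:", failed_logins_by_source(SAMPLE_SYSLOG))
    print("brute-force sources:", brute_force_sources(SAMPLE_SYSLOG))
    print("success after failure:", success_after_failures(SAMPLE_SYSLOG))
```

The same structure (parse each line into an event, aggregate per subject, compare against a policy) is what the management-report tools mentioned in the Conclusion do at scale; the value is in choosing the aggregation and threshold, not in the parsing.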