IT Security and Control


  • 8/3/2019 IT Security and Control

    1/28

    1

IT SECURITY AND CONTROL AND COMPUTER FRAUD:
PREVENTION AND CONTROL

By:
O. K. Ibedu (CGEIT, CISA)
Deputy Director, CBN

WAIFEM
Regional Course On Computer Applications In Accounting, Auditing and Financial Management, Lagos, Nigeria.
(July 13th - 20th, 2009)


OUTLINE

a) Components of a Security Policy
b) Logical Access Issues and Exposures
c) Computer Crime Exposures
d) Access Control Software
e) Auditing Logical Access
f) Network Infrastructure Security
g) Auditing Environmental Controls
h) Auditing Physical Access

a) Components of a Security Policy

The framework and intent of security must be clearly established and communicated to all appropriate parties for security to be successfully implemented and maintained. The key to the framework is a written security policy that serves to heighten security awareness throughout the organization.

Key components of a security policy include the following:

i) Management Support and Commitment: Management must demonstrate a commitment to security by clearly approving and supporting formal security awareness and training. This may require special management-level training, since security is not necessarily a part of management expertise.


ii) Access Philosophy: Access to computerized information should be based on a documented need-to-know, need-to-do basis.

iii) Compliance with Relevant Legislation and Regulations: The policy should state that compliance is required with all relevant legislation, such as that requiring the confidentiality of personal information, or specific regulations relating to particular industries, e.g. banking and financial institutions.

iv) Access Authorization: The data owner or manager who is responsible for the accurate use and reporting of the information should provide written authorization for users to gain access to computerized information. The manager should give this documentation directly to the security administrator so that mishandling or alteration of the authorization does not occur.

v) Review of Access Authorization: Access controls should be evaluated regularly to ensure they are still effective. Personnel and departmental changes, malicious efforts and just plain carelessness can impact the effectiveness of access controls. For this reason, the security administration, with the assistance of the managers who provide access authorization, should review access controls. Any access exceeding the need-to-know, need-to-do philosophy should be changed accordingly.

vi) Security Awareness: All employees, including management, need to be made aware on a regular basis of the importance of security. A number of different mechanisms are available for raising security awareness, including:

- Distribution of a written security policy.
- Training on a regular basis of new employees, users and support staff.
- Non-disclosure statements signed by the employee.
- Use of different media in promulgating security (e.g. company newsletter, web page, videos, etc.).
- Visible enforcement of security rules.
- Simulated security incidents for improving security procedures.
- Rewards for employees who report suspicious events.
- Periodic audits.

vii) Responsibilities of Employees: Employees have the following responsibilities for security:

- Reading the security policy.
- Keeping logon-IDs and passwords secret.
- Reporting suspected violations of security to the security administrator.
- Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people.
- Conforming to local laws and regulations.
- Adhering to privacy regulations with regard to confidential information (e.g. health, legal, etc.).

Non-employees with access to company systems should also be held accountable for security policies and responsibilities. This includes contract employees, vendors, programmers/analysts, maintenance personnel and clients. Security awareness should not disclose sensitive information. Security policies provided to employees should not identify such sensitive security features as password file names, technical security configuration, methods to bypass electronic security or system software files.

viii) Role of the Security Administrator: The security administrator, typically a member of the Information Systems department, is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. For proper segregation of duties, the security administrator should not be responsible for updating application data, nor be an end user, application programmer, computer operator or data entry clerk. In large organizations, the security administrator is usually a full-time function; in small organizations, someone may perform this function along with other non-conflicting responsibilities.

ix) Security Committee: Security policies, procedures and guidelines affect the entire organization and, as such, should have the support and suggestions of end users, executive management, security administration, IS personnel and legal counsel. Therefore, individuals representing various management levels should meet as a committee to discuss and establish security practices. The committee should be formally established with appropriate terms of reference and regular meetings with action items, which are followed up on at each meeting.

b) Logical Access Issues and Exposures

Inadequate logical access controls increase an organization's potential for losses resulting from exposures. These exposures can result in minor inconveniences or total shutdown of computer functions. Exposures that exist from accidental or intentional exploitation of logical access control weaknesses include technical exposures and computer crime.

i) Technical Exposures: Unauthorized intentional or unintentional implementation or modification of data and software may result in any of the following:

Data Diddling: Involves changing data before or as they are entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data.

Trojan Horses: Involves hiding malicious, fraudulent code in an authorized computer program. This hidden code will be executed whenever the authorized program is executed. A classic example is the Trojan horse in the payroll calculating program that shaves a barely noticeable amount off each paycheque and credits it to the perpetrator's payroll account.

Rounding Down: Involves drawing off small amounts of money from a computerized transaction or account and rerouting them to the perpetrator's account. The term rounding down refers to rounding small fractions of a denomination down and transferring these small fractions into the unauthorized account. Since the amounts are so small, they are rarely noticed.

Salami Techniques: Involve the slicing of small amounts of money from a computerized transaction or account and are similar to the rounding down technique.

The difference between the rounding down technique and the salami technique is that in rounding down the program rounds off by a fraction such as a penny, kobo or cent. For example, if a transaction amount in U.S. dollars were $1,500,500.39, the rounding down technique may round the transaction to $1,500,500.35. The salami technique truncates the last few digits from the transaction amount, so $1,500,500.39 becomes $1,500,000.30 or $1,500,500.00 depending on the calculation built into the program.
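As an added illustration that is not part of the original paper: the Python below recomputes the page's $1,500,500.39 figure under rounding down (to the nearest five cents) and under truncation, then runs the detective control an auditor would want against such schemes, reconciling every posting against the amount the customer authorised, flagging any difference however small, and totalling the differences by the account that received them. The ledger entries, the account names and the five-cent unit are constructed for the demonstration.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN


def round_down_to(amount: str, unit: str) -> Decimal:
    """Round an amount down to a multiple of `unit` (e.g. "0.05" = five cents)."""
    amt, step = Decimal(amount), Decimal(unit)
    return (amt / step).to_integral_value(rounding=ROUND_DOWN) * step


def truncate_to(amount: str, places: int) -> Decimal:
    """Drop every digit beyond `places` decimal places without rounding (salami)."""
    return Decimal(amount).quantize(Decimal(1).scaleb(-places), rounding=ROUND_DOWN)


# Constructed ledger for the demonstration: what the customer authorised, what the
# program actually posted, and the account credited with any difference.
LEDGER = [
    {"id": "T1", "authorised": "1500500.39", "posted": "1500500.35", "credited": "ACC-9"},
    {"id": "T2", "authorised": "220.18", "posted": "220.15", "credited": "ACC-9"},
    {"id": "T3", "authorised": "75.00", "posted": "75.00", "credited": None},
    {"id": "T4", "authorised": "9999.99", "posted": "9999.00", "credited": "ACC-9"},
    {"id": "T5", "authorised": "50.07", "posted": "50.05", "credited": "ACC-9"},
]


def reconcile(ledger):
    """Flag every posting that differs from the authorised amount, however small,
    and total the differences by receiving account. Many tiny credits landing in
    one account is the signature a rounding down or salami scheme leaves behind."""
    flagged = []
    by_account = defaultdict(lambda: {"count": 0, "total": Decimal("0")})
    for entry in ledger:
        diff = Decimal(entry["authorised"]) - Decimal(entry["posted"])
        if diff == 0:
            continue
        flagged.append(entry["id"])
        acct = by_account[entry["credited"] or "UNATTRIBUTED"]
        acct["count"] += 1
        acct["total"] += diff
    return flagged, dict(by_account)


if __name__ == "__main__":
    print("rounded down:", round_down_to("1500500.39", "0.05"))   # 1500500.35
    print("truncated   :", truncate_to("1500500.39", 1))          # 1500500.3
    flagged, by_account = reconcile(LEDGER)
    print("flagged postings:", flagged)
    for account, summary in by_account.items():
        print(f"{account}: {summary['count']} postings, {summary['total']} diverted")
```

A zero tolerance is deliberate: the whole point of these schemes is that each individual difference is below any threshold a reviewer would set, so the control must compare exact amounts and aggregate rather than filter.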

Viruses: Viruses are malicious program code inserted into other executable code that can self-replicate and spread from computer to computer, via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine/code. A virus can harmlessly display cute messages on computer terminals, dangerously erase or alter computer files or simply fill computer memory with junk to a point where the computer can no longer function. An added danger is that a virus may be dormant for some time until triggered by a certain event or occurrence, such as a date (26 December, Boxing Day) or being copied a pre-specified number of times. During this time, the virus has silently been spreading.


Worms: Worms are destructive programs that may destroy data or utilize tremendous computer and communication resources but do not replicate like viruses. Such programs do not change other programs, but can run independently and travel from machine to machine across network connections. Worms may also have portions of themselves running on many different machines.

Logic Bombs: Logic bombs are similar to computer viruses except that they do not self-replicate. The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future. However, unlike viruses or worms, logic bombs are very difficult to detect before they blow up; thus, they have the greatest potential for damage. Detonation can be timed to cause maximum damage long after the departure of the perpetrator. It may also be used as a tool of extortion, with a ransom being demanded in exchange for disclosure of the location of the bomb.

Trap Doors: Trap doors are exits out of an authorized program that allow insertion of specific logic, such as program interrupts, to permit a review of data during processing. These holes also permit insertion of unauthorized logic.

Asynchronous Attacks: These occur in multiprocessing environments where data move asynchronously (one character at a time with a start and stop signal) across telecommunications lines. As a result, numerous data transmissions must wait for the line to be free (and flowing in the proper direction) before being transmitted. Data that are waiting are susceptible to unauthorized accesses called asynchronous attacks. These attacks, which are usually very small pin-like insertions into cable, may be committed via hardware and are extremely hard to detect. There are many forms of asynchronous attacks, and the IS Auditor will require the assistance of a network manager and/or a system software analyst to evaluate this very complex and technical exposure.

Data Leakage: Involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.

Wire-Tapping: Involves eavesdropping on information being transmitted over telecommunications lines.

Piggybacking: This is the act of following an authorized person through a secured door, or electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions.

Shut-Down of the Computer: This can be initiated through terminals or microcomputers connected directly (on-line) or indirectly (dial-up lines) to the computer. Only individuals knowing a high-level systems logon-ID can usually initiate the shutdown process. This security measure is effective only if proper security access controls are in place for the high-level logon-ID and the telecommunications connections into the computer. Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.


Denial of Service: This is an attack that disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of any such attack is usually malicious in nature, and it often takes little skill because the requisite tools are readily available.

c) Computer Crime Exposures

Computer systems can be used to steal money, goods, software or corporate information. Crimes can also be committed when the computer application process or data are manipulated to accept false or unauthorized transactions. There is also the simple, non-technical method of stealing computer equipment.

Computer crime can be performed with absolutely nothing physically being taken or stolen. Simply viewing computerized data can provide an offender with enough intelligence to steal ideas or confidential information (intellectual property). Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and very existence of an organization. Loss of customers, embarrassment to management and legal actions against the organization can result.

Threats to business include the following:

Financial Loss: Can be direct, through loss of electronic funds, or indirect, through the costs of correcting the exposure.

Legal Repercussions: There are numerous privacy and human rights laws an organization should consider when developing security policies and procedures. These laws can protect the organization but can also protect the perpetrator from prosecution. In addition, not having proper security measures could expose the organization to lawsuits from investors and insurers if a significant loss occurs from a security violation. Banks must comply with industry-specific regulatory agencies. The IS Auditor should obtain legal assistance when reviewing the legal issues associated with computer security.

Loss of Credibility or Competitive Edge: Banks, savings and loans and investment firms need credibility and public trust to maintain a competitive edge. A security violation can severely damage this credibility, resulting in a loss of business and prestige.

Blackmail/Industrial Espionage: By gaining access to confidential information or the means to adversely impact computer operations, a perpetrator can extort payments or services from an organization by threatening to exploit the security breach.

Disclosure of Confidential, Sensitive or Embarrassing Information: Events of this nature can damage an organization's credibility and its means of conducting business. Legal or regulatory actions against the bank may also result from disclosure.

Sabotage: Some perpetrators are not looking for financial gain. They merely want to cause damage due to dislike of the organization or for self-gratification.

Logical access violators are often the same people who exploit physical exposures, although the skills needed to exploit logical exposures are more technical and complex.


Hackers: Hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. They usually do not access a computer with the intent of destruction; however, this is quite often the result.

Employees: May be authorized or unauthorized, but can exploit logical exposures.

IS Personnel: These individuals have the easiest access to computerized information since they are the custodians of this information. In addition to logical access controls, good segregation of duties and supervision help reduce logical violations by these individuals.

End Users

Former Employees: Former employees who have left on unfavourable terms could exploit logical exposures.

Interested or Educated Outsiders
- Competitors
- Foreigners
- Organized criminals
- Crackers (paid hackers working for a third party)
- Phreakers (hackers attempting access into the telephone/communication system)

Part-time and Temporary Personnel: Office cleaners often have a great deal of physical access and may well be competent in computing.

Vendors and Consultants

Accidental/Ignorant: Someone could perpetrate a violation unknowingly.

d) Access Control Software

Access control software is designed to prevent unauthorized access to data, use of system functions and programs, and unauthorized updates/changes to data, and to detect or prevent unauthorized attempts to access computer resources. Access control software interfaces with the operating system and acts as a central control for all security decisions. The access control software functions under the operating system software and provides the capability of restricting access to data processing resources either on-line or in batch processing.

To be effective, access control software should be used at the system software level in protecting all computer resources, applications and data. At this level, access control is either an inherent feature of the operating system or an add-on product that interfaces with the operating system. For example, the Microsoft Windows NT operating system includes access control software as an inherent feature. Also, the Novell NetWare operating system includes access control software as an inherent feature.

Access control software generally performs the following tasks:

- Verification of the user.
- Authorization of access to defined resources.
- Restriction of users to specific terminals.
- Reports on unauthorized attempts to access computer resources, data or programs.

Access control software may provide the following functions:

- Verify user authorization to sign on at the network and sub-system levels.
- Verify user authorization at the application and transaction level.
- Verify user authorization within the application.
- Verify user authorization at the field level for changes within a database.
- Verify sub-system authorization for the user at the file level.

Authorization is the most important component of access control software. Some authorization functions include the following:

- Logon-IDs and user authentication.
- Limitation of specific terminals for specific logon-IDs.
- Limiting access based on predetermined times.
- Limiting specific tasks to be initiated from a predefined authorized library.
- Establishment of rules of access.
- Creation of individual accountability and auditability.
- Installation-defined options.
- User profiles.
- Data file and database profiles.
- Logging events.
- Logging user activities.
- Logging database/data communications access activities for monitoring access violations.
- Reporting capabilities.

Access control software generally processes an access request in the following way:

- Identification: Users must identify themselves to the access control software, e.g. by name and account number.
- Authentication: Users must prove that they are who they claim to be. Authentication is a two-way process where the software must first verify the validity of the user and then proceed to verify prior-knowledge information. For example, a user may provide the following information:
  - Remembered information such as name, account number and password.
  - Possessed objects such as a badge, plastic card or key.
  - Personal characteristics such as fingerprint, voice and signature.
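The identification, authentication, terminal and time restrictions, rules of access and violation reporting described above, worked as a small Python model added here (not code from the paper or from any product it names). The logon-ID, terminal names, time window, resource rules and password are constructed for the demonstration, and the password hash is a plain SHA-256 for brevity where a real product would store a salted, slow password hash.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


def password_hash(password: str) -> str:
    # Demonstration only: a real system stores a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class UserProfile:
    """Constructed user profile: what an access control product keeps per logon-ID."""
    logon_id: str
    password_hash: str
    terminals: Set[str]             # limitation of specific terminals for this logon-ID
    window: Tuple[time, time]       # predetermined times during which logon is allowed
    rules: Dict[str, Set[str]]      # rules of access: resource -> permitted actions


@dataclass
class AccessControl:
    profiles: Dict[str, UserProfile]
    events: List[dict] = field(default_factory=list)   # log of every decision taken

    def _record(self, outcome: str, **detail) -> bool:
        self.events.append({"outcome": outcome, **detail})
        return outcome == "granted"

    def logon(self, logon_id: str, password: str, terminal: str, when: datetime) -> bool:
        """Identification, authentication, terminal and time checks, in that order."""
        base = {"stage": "logon", "logon_id": logon_id, "terminal": terminal, "at": when.isoformat()}
        profile = self.profiles.get(logon_id)
        if profile is None:
            return self._record("denied", reason="unknown logon-ID", **base)
        if profile.password_hash != password_hash(password):
            return self._record("denied", reason="authentication failed", **base)
        if terminal not in profile.terminals:
            return self._record("denied", reason="terminal not permitted", **base)
        start, end = profile.window
        if not start <= when.time() <= end:
            return self._record("denied", reason="outside permitted hours", **base)
        return self._record("granted", **base)

    def authorise(self, logon_id: str, resource: str, action: str) -> bool:
        """Check the request against the rules of access defined for the resource."""
        base = {"stage": "authorise", "logon_id": logon_id, "resource": resource, "action": action}
        profile = self.profiles.get(logon_id)
        if profile is None or action not in profile.rules.get(resource, set()):
            return self._record("denied", reason="no rule permits this action", **base)
        return self._record("granted", **base)

    def violation_report(self) -> List[dict]:
        """The report on unauthorized attempts that the security administrator reviews."""
        return [e for e in self.events if e["outcome"] == "denied"]


def clock(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamps on one fixed day so the demonstration is repeatable."""
    return datetime(2009, 7, 13, hour, minute)


def build_demo_system() -> AccessControl:
    """One constructed profile: office-hours access from a single terminal."""
    profile = UserProfile(
        logon_id="clerk01",
        password_hash=password_hash("Tr@ining-2009"),
        terminals={"TERM-07"},
        window=(time(8, 0), time(18, 0)),
        rules={"PAYROLL": {"read"}, "GL": {"read", "post"}},
    )
    return AccessControl(profiles={profile.logon_id: profile})


if __name__ == "__main__":
    ac = build_demo_system()
    ac.logon("clerk01", "Tr@ining-2009", "TERM-07", clock(10))   # granted
    ac.logon("clerk01", "Tr@ining-2009", "TERM-99", clock(10))   # denied: terminal
    ac.logon("clerk01", "Tr@ining-2009", "TERM-07", clock(23))   # denied: hours
    ac.authorise("clerk01", "PAYROLL", "post")                   # denied: no rule
    for event in ac.violation_report():
        print(event)
```

Note that every decision, granted or denied, is logged with the logon-ID, terminal and time, which is what gives the individual accountability and auditability the list above calls for.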

e) Auditing Logical Access

When evaluating logical access controls the IS Auditor should:

i) Obtain a general understanding of the security risks facing information processing through a review of relevant documentation, inquiry, observation, risk assessment and evaluation techniques.

ii) Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness by reviewing appropriate hardware and software security features and identifying any deficiencies or redundancies.

Note that paths of logical access include:
- Operator console
- On-line terminals
- Batch job processing
- Dial-up ports
- Telecommunication network

iii) Test controls over access paths to determine that they are functioning and effective by applying appropriate audit techniques.

iv) Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence.

v) Evaluate the security environment to assess its adequacy by reviewing written policies, observing practices and procedures and comparing them with appropriate security standards or practices and procedures used by other organizations.

f) Network Infrastructure Security

Communication networks (wide area or local area networks) generally include devices connected to the network, and programs and files supporting the network operations. Control is accomplished through a network control terminal and specialized communications software.

The following are controls over the communication network:

- Network control functions should be performed by technically qualified operators.
- Network control functions should be separated and duties rotated on a regular basis where possible.
- Network control software must restrict operator access from performing certain functions (such as the ability to amend/delete operator activity logs).
- Network control software should maintain an audit trail of all operator activities.
- Audit trails should be reviewed periodically by operations management to detect any unauthorized network operations activities.
- Network operations standards and protocols should be documented and made available to the operators and should be reviewed periodically to ensure compliance.
- Network access by the system engineers should be closely monitored and reviewed to detect unauthorized access to the network.
- Analysis should be performed to ensure workload balance, fast response time and system efficiency.
- A terminal identification file should be maintained by the communications software to check the authentication of a terminal when it tries to send or receive messages.
- Data encryption should be used when appropriate to protect messages from disclosure during transmission.


Some common network management/control software packages are:

* 3Com
* AT&T STARLAN
* Novell NetWare
* NCP/VTAM
* NetView
* Netpass
* EREP
* Windows NT
* UNIX
* Unicenter TNG

LAN RISKS AND ISSUES

Local Area Networks (LANs) facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programmes and data. Unfortunately, most LAN software provides a low level of security, as the emphasis has been on providing capability and functionality rather than security.

Software vendors and network users have recognized the need to provide diagnostic capabilities to identify the cause of problems when the network goes down or functions in an unusual manner. The use of logon-IDs and passwords with associated administration facilities is now standard. LANs can represent a form of decentralized computing. Decentralized local processing provides the potential for a more responsive computing environment; however, organizations do not always take the opportunity to efficiently develop staff to address the technical, operational and control issues that the complex LAN technology represents. As a result, local LAN administrators frequently lack the experience, expertise and time to effectively manage the computing environment. The various alternatives of media, protocol, hardware, transmission techniques, topology and network software ensure that each LAN is unique. This mix of vendors and unique environments makes it difficult to implement standard management, operating and auditing practices. As a result, the costs of resolving problems, when they occur, can be substantial.

Normal LAN users recognize only one attribute of the LAN: it works. In a well-structured LAN the unsophisticated user is not able to judge whether the technology is appropriate, whether the software is installed and documented properly or whether the necessary control and security measures are taken. Audit trails are considered only after a problem occurs.

Client/Server Security

Client/server technology enables business units to develop and deliver products and services to market much more quickly than traditional legacy methods. Client/server systems utilize distributed techniques, creating increased risk of access to data and processing. To effectively secure the client/server environment, all access points should be identified. In mainframe-based applications, centralized processing techniques require the user to go through one pre-defined route to access all resources. In a client/server environment, several access routes exist, as application data may exist on the server or on the client. Each of these routes must therefore be examined individually and in relation to each other to determine that no exposures are left unchecked.

In order to increase the security in a client/server environment, an IS Auditor may want to see that the following control techniques are in place:

- Securing access to the data or application on the client/server may be performed by disabling the disk drive, much like a diskless workstation that has access to a mainframe. Diskless workstations prevent access control software from being by-passed and the workstation being rendered vulnerable to unauthorized access. By securing the automatic boot or start-up batch files, unauthorized users may be prevented from overriding login scripts and access.
- Network monitoring devices may be used to inspect activity from known or unknown users. These devices may identify client addresses, allowing proactive session termination as well as finding evidence of unauthorized access for subsequent investigation. However, the method of securing the client/server environment may only be as good as the administrator who monitors it. Since this is a detective control, if the network administrator does not monitor or maintain these devices, the tool becomes useless against unauthorized intruders.
- Data encryption techniques (symmetric or asymmetric encryption) can help protect sensitive or proprietary data from unauthorized access.
- Authentication systems may provide environment-wide, logical facilities that can differentiate among users. Another method, smart card systems, uses intelligent hand-held devices and encryption techniques to decipher random codes provided by client/server systems. A smart card displays a temporary password that is provided by an algorithm on the system and must be re-entered by the user during the login session for access into the client/server system.


- The use of application-level access control programs and the organization of end-users into functional groups is a management control that restricts access by limiting users to only those functions needed to perform their duties.

Encryption

Encryption is the process of converting a plain text message into a secure coded form of text called cipher text that cannot be understood without converting it back via decryption (the reverse process) to plain text again. This is done via a mathematical function and a special encryption/decryption password called the key. In many countries encryption is subject to governmental law and regulations.

Encryption is generally used to:

- Protect data in transit over networks from unauthorized interception and manipulation.
- Protect information stored on computers from unauthorized viewing and manipulation.
- Deter and detect accidental or intentional alterations of data.
- Verify the authenticity of a transaction or document.

Key Elements of Encryption Systems

Encryption Algorithm: A mathematically based function or calculation which encrypts/decrypts data.

Encryption Keys: A piece of information that is used within an encryption algorithm (calculation) to make the encryption or decryption process unique. Similar to passwords, a user needs to use the correct key to access or decipher a message. The wrong key will decipher the message into an unreadable form.

Key Length: A predetermined length for the key. The longer the key, the more difficult it is to compromise in a brute-force attack where all possible key combinations are tried.

Most encrypted transactions over the Internet use a combination of private keys, public keys, secret keys, hash functions (fixed values derived mathematically from a text message) and digital certificates to achieve confidentiality, message integrity and non-repudiation by either sender or recipient (i.e. what is also known as a public-key infrastructure). This hybrid public/private key encryption process allows data to be stored and transported with reduced exposure, so that a company's corporate data are secure as they move across the Internet or other networks.

    There are two common encryption or cryptographic systems:

    Symmetric Cryptosystem

    Symmetric encryption algorithms use a secret key to encrypt the plain text into cipher text, and the same key to decrypt the cipher text back into the corresponding plain text. The key is called symmetric because the encryption key is the same as the decryption key. The most common private key cryptography system is the Data Encryption Standard (DES).

    Asymmetric Cryptosystem

    Asymmetric encryption systems use two keys which work together as a pair. One key is used to encrypt data, the other is used to decrypt data. Either key can be used to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can be used to decrypt the data (even the key that was used to encrypt the data cannot be used to decrypt it). Generally, with asymmetric encryption, one key is known only to one person (the secret or private key) and the other key is known by many people (the public key).

    Asymmetric encryption algorithms are generally less efficient (they take more computer resources) to compute than private key systems. A common form of asymmetric encryption is RSA (named after its inventors Rivest, Shamir and Adleman).
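    As an added illustration (not part of the original course material), the Python below ties together the pieces described above: a symmetric cipher for the bulk data, a toy RSA key pair whose two halves only undo each other, a hash-based tag for message integrity, and a private-key signature for non-repudiation. The two primes, the SHA-256 keystream cipher and the sample messages are constructed for illustration only and are far too weak for real use.

```python
# Added toy example: textbook RSA on two fixed, publicly known Mersenne primes
# plus a SHA-256 keystream cipher. For illustration only; not a secure design.
import hashlib
import hmac
import secrets

P, Q = (1 << 31) - 1, (1 << 61) - 1       # constructed primes (~92-bit modulus)
N, E = P * Q, 65537                       # public key: (N, E), known to many
D = pow(E, -1, (P - 1) * (Q - 1))         # private key: D, known to one party
KEY_BYTES = 10                            # 80-bit symmetric (secret) key, < N


def rsa(value: int, exponent: int) -> int:
    """Apply one half of the pair (public E or private D) to an int < N."""
    return pow(value, exponent, N)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(plaintext: bytes) -> tuple:
    """Sender: fresh secret key, wrapped with the recipient's public key E."""
    secret_key = secrets.token_bytes(KEY_BYTES)
    wrapped = rsa(int.from_bytes(secret_key, "big"), E)        # only D unwraps
    ciphertext = keystream_xor(secret_key, plaintext)
    tag = hmac.new(secret_key, ciphertext, "sha256").digest()  # integrity tag
    return wrapped, ciphertext, tag

def open_sealed(wrapped: int, ciphertext: bytes, tag: bytes, exp: int = D) -> bytes:
    """Recipient: unwrap the key (normally with D), verify the tag, decrypt."""
    key_int = rsa(wrapped, exp)
    if key_int >> (8 * KEY_BYTES):        # garbage: wrong half of the pair used
        raise ValueError("wrapped key did not unwrap with this key")
    secret_key = key_int.to_bytes(KEY_BYTES, "big")
    expected = hmac.new(secret_key, ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message altered in transit")
    return keystream_xor(secret_key, ciphertext)

def sign(message: bytes) -> int:
    """Non-repudiation: hash the message, then apply the private key D."""
    return rsa(int.from_bytes(hashlib.sha256(message).digest(), "big") % N, D)

def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key E can check the signature."""
    return rsa(signature, E) == int.from_bytes(hashlib.sha256(message).digest(), "big") % N
```

    Passing the public exponent E to open_sealed shows the point made in the text: the key that wrapped the secret key cannot unwrap it, and a flipped ciphertext bit is caught by the integrity tag before any decryption is trusted.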

    g) Auditing Environmental Controls: Environmental exposures are primarily due to naturally occurring events; however, with proper controls, exposures to these elements can be reduced. Common exposures and their controls are as follows:

    Water and Smoke Detectors: Verify the presence of water and smoke detectors in the computer room. Determine if the power supply to these detectors is sufficient, especially in the case of battery-operated devices. Also, visually verify that the locations of the devices are clearly marked and visible.

    Hand-Held Fire Extinguishers: Verify that hand-held fire extinguishers are in strategic locations throughout the facility, are highly visible and have all been inspected within the last year.


    Fire Suppression Systems: Fire suppression systems are expensive to test, which limits the IS Auditor's ability to determine operability. IS Auditors may need to limit their tests to reviewing documentation to ensure the system has been inspected and tested within the last year. The exact testing interval should comply with industry and insurance standards and guidelines.

    Regular Inspection by Fire Department: Confirm whether a local fire department inspector or insurance evaluator has been invited to tour and inspect the facilities recently. If so, obtain a copy of the report and determine how the deficiencies noted are being addressed.

    Fireproof Walls, Floors and Ceilings Surrounding the Computer Room: Locate, with the assistance of building management, the documentation that identifies the fire rating of the walls surrounding the information processing facility. The walls should have at least a two-hour fire resistance rating.

    Electrical Surge Protectors: Observe the presence of electrical surge protectors for sensitive and expensive computer equipment.

    Power Leads from Two Substations: Locate, with the assistance of building management, documentation concerning the use and placement of redundant power lines into the information processing facility.


    Fully Documented and Tested Business Continuity Plan: Ensure that the business continuity plan is tested at least once a year and review the report of the test.

    Wiring Placed in Electrical Panels and Conduit: Verify that wiring in the information processing facility is placed in fire-resistant panels and conduit.

    UPS/Generator: Determine when they were last tested and review the test reports.

    Documented and Tested Emergency Evacuation Plans: Obtain a copy of the emergency evacuation plan. Determine if it prescribes how to leave the information processing facilities in an organized manner that does not leave the facilities physically unsecured. Interview a sample of IS employees and determine if they are familiar with the documented plan. Verify whether the emergency evacuation plans are posted throughout the facilities.

    Humidity/Temperature Control: Determine if temperature and humidity are adequate.

    The testing procedures noted above should also be applied to any off-site storage and processing facilities.

    h) Auditing Physical Access: Touring the information processing facility (IPF) is useful to gain an overall understanding and perception of the installation being reviewed. This tour provides the opportunity to begin reviewing physical access restrictions (control over employees, visitors, intruders and vendors).


    The tour should include the information processing facility (computer room, programmers' area, tape library, printer status and management offices) and any off-site storage facilities.

    Verification of physical safeguards can be achieved by observing the safeguards noted previously. Documents to assist with this effort include emergency evacuation procedures, inspection tags (recent inspection?), fire suppression system test results (successful? recently tested?) and key lock logs (all keys accounted for and not outstanding to former employees or consultants?).

    Testing should extend beyond the IPF to include the following related facilities:

    Location of all operator consoles

    Printer rooms

    Computer storage rooms (this includes equipment, paper and supply rooms)

    UPS/Generator

    Location of all communications equipment identified on the network diagram

    Tape library

    Off-site back-up storage facility

    The IS Auditor should look above the ceiling panels and below the raised floor in the computer operations centre, observing smoke and water detectors, general cleanliness and walls that extend all the way to the real ceiling (not just the suspended ceiling).

    The following paths of physical entry should be evaluated for proper security:

    All entry doors

    Glass windows and walls

    Movable walls and modular cubicles

    Above suspended ceilings and beneath raised floors

    Verification systems

    Over a curtain or fake wall

    Examples of some of the more common access controls are:

    Bolting door locks

    Combination door locks (cipher lock)

    Electronic door locks

    Biometric door locks

    Manual logging

    Electronic logging

    Identification badges (photo IDs)

    Video cameras

    Security guards

    Controlled visitor access

    Bonded personnel

    Deadman doors

    Not advertising the location of sensitive facilities


    Computer terminal locks

    Controlled single entry point

    Alarm system

    Secured report/document distribution cart