05 Fraud Prevention and Risk Management

Page 1: 5-1. 5-2 05 Fraud Prevention and Risk Management McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Page 2:

05 Fraud Prevention and Risk Management

Page 3:

Fraud Prevention and Risk Management Overview

Fraud prevention requires information security and good internal control. Information security cannot be obtained simply by studying and applying lists of security measures. Rather, security must be studied and applied as a management system in the context of enterprise risk management.

This chapter focuses primarily on the information security management system (ISMS), which is an organizational internal control process that ensures the following three objectives for data and information within the organization: integrity, confidentiality, and availability.

Information systems security is, in this view, the application of standard internal control principles to information resources.

Page 4:

ISMS Security Objectives:

Integrity: Involves accuracy and completeness. Accuracy means inputting the correct data into the system and then processing it as intended, without errors. Completeness ensures that no unauthorized additions, removals, or modifications are made to data that has been inputted into the system.

Confidentiality: Ensuring that data and information are made available only to authorized persons.

Availability: Ensuring that data and information are available when and where they are needed.

Page 5:

Key Concepts in ISMS

Organizational Embedding, Risk Management, and Internal Control
Prevention, Detection, and Response
The ISMS Life Cycle and PDCA (Plan, Do, Check, Act)
Risk Management and Threat and Vulnerability Analysis

Page 6:

ISO 27001: Implementing ISMSs, Plan Phase

Initiating the project
Defining the scope of the ISMS
Establishing an ISMS policy
Performing a risk assessment
Selecting risk treatments
Selecting control objectives
Producing a statement of applicability (SOA)

Page 7:

Assets and Risk Assessment

General categories of assets at risk: human resources, information, documents, software, physical equipment, services, and company image and reputation.

Each asset should also be classified according to its desired access security level: Unclassified, Shared, Company only, Confidential.
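The Plan-phase steps (risk assessment, selecting risk treatments, selecting controls, producing a statement of applicability) and the asset categories and classification levels above are easier to see as one procedure when carried through in code. The following is an added worked example, not material from the textbook or its slides. Everything numeric is an assumption made for illustration: the 1 to 5 likelihood and impact scales, the "raise impact one level for Confidential assets" rule, the score thresholds that pick a treatment, and the control identifiers C1 to C5, which are hypothetical and not taken from any standard. The two assets and four threats are constructed sample input.

```python
"""Plan-phase worked example: asset register, qualitative risk assessment,
risk treatment selection and a statement of applicability (SoA).
Added illustration, not from the textbook. Assumed: the 1-5 likelihood and
impact scales, the treatment thresholds, the classification bump and the
hypothetical control identifiers C1-C5."""
from dataclasses import dataclass

# Access classification levels from the slide, least to most sensitive.
CLASSIFICATION = ("Unclassified", "Shared", "Company only", "Confidential")

# Hypothetical control catalogue (identifiers are not from any standard).
CONTROLS = {
    "C1": "Input validation and reconciliation totals",
    "C2": "Segregation of duties for data entry and approval",
    "C3": "File integrity monitoring of application data files",
    "C4": "Operating-system access control on data files",
    "C5": "Background checks for staff with privileged access",
}

@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # one of the slide's general asset categories
    classification: str  # one of CLASSIFICATION

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed scale
    controls: tuple = ()  # catalogue controls that would mitigate this threat

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    score: int
    treatment: str
    controls: tuple

def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = likelihood x impact. Assumed rule: a Confidential asset has its
    impact raised one level (capped at 5) because disclosure costs more."""
    impact = threat.impact
    if asset.classification == "Confidential":
        impact = min(5, impact + 1)
    return threat.likelihood * impact

def select_treatment(score: int, threat: Threat) -> str:
    """Assumed decision rule mapping a score to one of the four treatments:
    mitigate, avoid, transfer, accept."""
    if score >= 15:
        return "mitigate" if threat.controls else "avoid"
    if score >= 6:
        return "mitigate" if threat.controls else "transfer"
    return "accept"

def assess(assets, threats):
    """Build the risk register: every asset assessed against every threat."""
    register = []
    for asset in assets:
        if asset.classification not in CLASSIFICATION:
            raise ValueError(f"unknown classification: {asset.classification}")
        for threat in threats:
            score = risk_score(asset, threat)
            treatment = select_treatment(score, threat)
            chosen = threat.controls if treatment == "mitigate" else ()
            register.append(RiskEntry(asset.name, threat.name, score, treatment, chosen))
    return register

def statement_of_applicability(register):
    """SoA: every catalogue control, whether it is applied, and the justification.
    Controls no assessed risk needs are recorded as not applicable, with a reason."""
    soa = {}
    for control in CONTROLS:
        risks = sorted({f"{e.asset}/{e.threat}" for e in register if control in e.controls})
        soa[control] = {
            "applicable": bool(risks),
            "justification": ("selected to treat: " + ", ".join(risks)) if risks
                             else "no assessed risk requires this control",
        }
    return soa

# Constructed sample input: two assets and four of the deck's active threats.
ASSETS = [
    Asset("Payroll master file", "Information", "Confidential"),
    Asset("Public web site", "Services", "Unclassified"),
]
THREATS = [
    Threat("Input manipulation", 4, 4, ("C1", "C2")),
    Threat("Direct file alteration", 2, 5, ("C3", "C4")),
    Threat("Sabotage", 1, 3, ("C5",)),
    Threat("Misappropriation of information system resources", 3, 2),
]

if __name__ == "__main__":
    reg = assess(ASSETS, THREATS)
    for e in reg:
        print(f"{e.asset:20} {e.threat:50} score={e.score:2} -> {e.treatment} {e.controls}")
    for cid, row in statement_of_applicability(reg).items():
        print(cid, "applicable" if row["applicable"] else "n/a", "-", row["justification"])
```

Two points a practitioner should take from the output: a threat with no mapped control never disappears from the register, it is forced into transfer or avoid, which is what surfaces gaps in the control catalogue; and the SoA lists every catalogue control, including the ones excluded, with the reason, because an ISO 27001 auditor reads the exclusions as closely as the inclusions.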

Page 8:

Active Threats

Input manipulation (most common source of fraud)
Direct file alteration (bypasses the normal application software)
Program alteration (requires sophistication)
Data theft (hard to detect and prove)
Sabotage (typically disgruntled employees)
Misappropriation of information system resources
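Direct file alteration, the second threat above, is the one that defeats ordinary application-level validation: the attacker edits the data file with an editor or OS tool, so the application's input controls never run. It is also the concrete form of the completeness half of the integrity objective (no unauthorized additions, removals, or modifications to data already inputted). The example below is an added illustration, not code from the textbook or the slides: the application writes each record with an HMAC tag chained to the previous record, and a verification pass detects modification, removal, insertion and, with a separately kept record count, truncation. Assumptions: the HMAC key lives with the application (in production a KMS or HSM) and is not readable by whoever can write the file; the JSON record layout, the key bytes and the three payroll records are constructed for the demo.

```python
"""Integrity control worked example (added; not from the textbook): an
application-side, HMAC-chained transaction file. Edits made by bypassing the
application (direct file alteration) are detected by verify(). Assumed: the
HMAC key is held by the application and is not readable by whoever can write
the file; the record layout and sample records are constructed."""
import hashlib
import hmac
import json

KEY = b"demo-key-held-by-the-application"  # constructed; never embed a real key

def _tag(prev_tag: str, payload: str) -> str:
    # Each tag binds the record to everything before it, so removing or
    # reordering an earlier record invalidates every later tag.
    return hmac.new(KEY, (prev_tag + "\n" + payload).encode(), hashlib.sha256).hexdigest()

def append_record(lines: list, record: dict) -> list:
    """Application path: the only authorized way to add data to the file."""
    prev_tag = json.loads(lines[-1])["tag"] if lines else "genesis"
    payload = json.dumps(record, sort_keys=True)
    lines.append(json.dumps({"payload": payload, "tag": _tag(prev_tag, payload)}))
    return lines

def verify(lines: list, expected_count=None):
    """Return (ok, reason). expected_count is a control total kept outside the
    file; without it, deleting records from the tail leaves a valid chain."""
    prev_tag = "genesis"
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            payload, tag = entry["payload"], entry["tag"]
        except (ValueError, KeyError, TypeError):
            return False, f"record {i}: malformed"
        if not hmac.compare_digest(tag, _tag(prev_tag, payload)):
            return False, f"record {i}: tag mismatch (modified, inserted, or a preceding record removed)"
        prev_tag = tag
    if expected_count is not None and len(lines) != expected_count:
        return False, f"count mismatch: {len(lines)} records, expected {expected_count}"
    return True, "chain intact"

def run_scenarios() -> dict:
    """Constructed demonstration: three authorized records, then four tampering
    cases applied by editing the stored lines directly (bypassing append_record)."""
    ledger = []
    for rec in ({"employee": "E101", "amount": 1200},
                {"employee": "E102", "amount": 1500},
                {"employee": "E103", "amount": 1100}):
        append_record(ledger, rec)
    n = len(ledger)  # control total kept outside the file

    # 1. Modification: change a field in the stored line, keep the old tag.
    modified = list(ledger)
    entry = json.loads(modified[1])
    entry["payload"] = entry["payload"].replace("1500", "9500")
    modified[1] = json.dumps(entry)

    # 2. Removal: drop the middle record.
    removed = ledger[:1] + ledger[2:]

    # 3. Addition: append a record with a forged tag (the attacker lacks KEY).
    forged = json.dumps({"employee": "E999", "amount": 5000}, sort_keys=True)
    added = ledger + [json.dumps({"payload": forged, "tag": "00" * 32})]

    # 4. Truncation: drop the last record; the chain alone cannot see this.
    truncated = ledger[:-1]

    return {
        "clean": verify(ledger, n)[0],
        "modified": verify(modified, n)[0],
        "removed": verify(removed, n)[0],
        "added": verify(added, n)[0],
        "truncated": verify(truncated, n)[0],
        "truncated_without_count": verify(truncated)[0],
    }

if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:24} {'passes' if ok else 'DETECTED'}")
```

The last scenario is the caveat worth remembering: a hash chain proves that what remains is in the order the application wrote it, not that nothing was cut off the end, so the record count (or the latest tag) has to be stored somewhere the file-level attacker cannot reach. The same applies to the key: if the person who can alter the file can also read the key, they can simply re-tag the chain, which is why this control complements, rather than replaces, OS-level access control on the data files.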

Page 9:

ISO 27001: Implementing ISMSs, Do Phase

Applying the controls defined in the SOA
Operating the ISMS
Ensuring that all employees are properly trained and competent to perform their security duties
Mechanisms for compliance monitoring
Mechanisms for incident detection and response

Page 10:

ISO 27001: Implementing ISMSs, Check and Act Phases

The check phase ensures that all the control objectives are being met and that all controls are in place and working. Check activities identified in ISO 27001 include intrusion detection, incident handling, learning from outside sources, internal and external audits, self-policing procedures, and management reviews.

The act phase involves continually improving the entire ISMS based on analysis of incident reports and the overall efficiency and effectiveness of the ISMS processes.

Page 11:

IT Security Assurance Defined

Information security assurance (ISA) refers to some type of evidence-based assertion that increases the certainty that a security-related deliverable can withstand specified security threats.

Information security assurance is achieved for a target of evaluation (TOE) by performing assurance activities that satisfy a predefined security target or security protection profile (in Common Criteria terminology, a Security Target, ST, or a Protection Profile, PP).

Page 12:

Key Definitions Relating to Assurance

Target of evaluation (TOE): The information security deliverable, the object for which assurances are made.

Assurance activities: These depend on the method of assessment. Various methods of assessment are discussed later.

Security target (ST): The set of security specifications and requirements used to evaluate the target of evaluation.

Security protection profile (SPP): Similar to a security target, but much broader in scope. Unlike an ST, an SPP does not apply to any one particular deliverable but represents the security needs of a given individual or group of individuals.

Page 13:

Forms of Assurance

Informal or semiformal: An internal project development leader could simply write a letter to management indicating that the product meets company security standards.

Formal certification by an accredited certification body: Some ISO standards, such as ISO/IEC 27001, are designed so that organizations can be certified against them. (ISO/IEC 27002 is the companion code of practice that catalogues controls; organizations are certified against 27001, not 27002.)

Self-certification: Some organizations perform their own internal certification process as part of their internal quality assurance process. Self-certification can be against internally developed standards or widely recognized standards.

Page 14:

Assurance Methods and Approaches

An assurance method is a recognized specification for assurance activities that yields reproducible assurance results. Assurance results are reproducible when different evaluators working independently of each other are likely to obtain similar assurance results.

Assurance approaches are categories of assurance methods.

ISO 15443 classifies assurance approaches according to the methods used to develop the deliverable and the environment in which the deliverable is deployed:

Methods that assess the deliverable itself
Methods that assess the deliverable's development process
Methods that assess the deliverable's development environment

Life cycle phases: design, integration, transition, operation

Page 15:

Some Well-known Assurance Methods/Approaches

ISO 21827: Systems Security Engineering Capability Maturity Model (SSE-CMM®) and Security Engineering
Baseline Protection Manual
Trusted Product Evaluation Program (TPEP) and the Trust Technology Assessment Program (TTAP)
IEC 15408: Evaluation Criteria for IT Security (the Common Criteria)
Information Technology Security Evaluation Criteria (ITSEC)
ISO/IEC 27000 Series
The Trusted Capability Maturity Model (TCMM)
ISO/IEC 13335: Management of Information and Communications Technology Security (MICTS)
Certified Information Systems Security Professional (CISSP)
Federal Information Processing Standard 140 (FIPS 140)
Control Objectives for Information and Related Technology (COBIT)

Page 16:

ISO/IEC 27002 Areas Applied to ISMSs

Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance