Testing Software Controls and the Adequacy of Security Procedures - PowerPoint PPT Presentation

About This Presentation
Title:

Testing Software Controls and the Adequacy of Security Procedures

Description:

In the 1990s, five major accounting organizations developed a framework for ... The policy needs to state management's intention regarding security awareness. ... – PowerPoint PPT presentation

Slides: 33
Provided by: a15355

Transcript and Presenter's Notes

1
Testing Software Controls and the Adequacy
of Security Procedures
  • By Abel Almeida

2
COSO 9.1
  • In the 1990s, five major accounting organizations
    developed a framework for internal control.
  • The five members of the group known as the
    Committee of Sponsoring Organizations, frequently
    referred to as COSO, include Financial
    Executives International, American Institute of
    Certified Public Accountants, American Accounting
    Association, The Institute of Internal Auditors,
    and the Institute of Management Accountants.

3
Principles and Concepts of Internal Control 9.1
  • COSO defines internal control as:
  • "A process, effected by an organization's Board
    of Directors, management and other personnel,
    designed to provide reasonable assurance
    regarding the achievement of objectives in the
    following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations."

4
Key terms related to internal control and
security 9.1
  • Risk: The probability that an undesirable event
    will occur.
  • Exposure: The amount of loss that might occur
    if an undesirable event occurs.
  • Threat: A specific event that might cause an
    undesirable event to occur.
  • Control: Anything that will reduce the impact of
    risk.

5
Internal Control Responsibilities 9.1.1
  • While everyone in an organization, particularly
    management, has some responsibility for internal
    control, it is the chief executive officer who
    holds ultimate responsibility for the
    organization's internal control system.

6
Software Testers' Internal Control
Responsibilities 9.1.2
  • Since the software system incorporates controls,
    software testers should test that those controls
    exist and perform as specified.

7
Internal Auditors' Internal Control
Responsibilities 9.1.3
  • The Institute of Internal Auditors defines
    internal auditing as:
  • "an independent, objective assurance and
    consulting activity designed to add value and
    improve an organization's operations. It helps an
    organization accomplish its objectives by
    bringing a systematic, disciplined approach to
    evaluate and improve the effectiveness of risk
    management, control, and governance processes."

8
Risk versus Control 9.1.4
  • Formula for risk: Risk = Frequency × Probable
    Loss
  • To calculate the loss due to risk, one must first
    determine
  • The frequency with which an unfavorable event
    will occur
  • The probable loss associated with that
    unfavorable occurrence

9
Environmental versus Transaction Processing
Controls 9.1.5
  • Two components of controls
  • 1. environmental (sometimes called general
    controls)
  • 2. transaction processing controls within an
    individual business application.

10
Environmental or General Controls 9.1.5.1
  • Organizational policies
  • Organizational structure in place to perform
    work
  • Method of hiring, training, supervising and
    evaluating personnel
  • Processes provided to personnel to perform
    their day-to-day work activities, such as a
    system development methodology for building and
    testing software systems.

11
Transaction Processing Controls 9.1.6
  • The object of a system of internal control in a
    business application is to minimize business
    risks. There are two systems in every business
    application.
  • The system that processes business transactions.
  • The system that controls the processing of
    business transactions.
  • From the perspective of the system designer,
    these two are designed and implemented as one
    system.

12
The Two Systems in Every Business Application Fig
9-1
13
Preventive, Detective and Corrective Controls
9.1.7
  • Preventive Controls - act as a guide to help
    things happen as they should. This type of
    control is most desirable because it stops
    problems from occurring.
  • Detective Controls - Detective controls alert
    individuals involved in a process so that they
    are aware of a problem. Detective controls should
    bring potential problems to the attention of
    individuals so that action can be taken.
  • Corrective Controls - Corrective controls assist
    individuals in the investigation and correction
    of causes of risk exposures that have been
    detected. These controls primarily collect
    evidence that can be utilized in determining why
    a particular problem has occurred.

14
Internal Control Models 9.2
  • The ERM Process - The framework defines risk and
    enterprise risk management, and provides a
    foundational definition, conceptualizations,
    objectives categories, components, principles and
    other elements of a comprehensive risk management
    framework.

15
Components of ERM Fig 9-2
ERM consists of eight interrelated components.
These are derived from the way management runs a
business, and are integrated with the management
process.
16
COSO Internal Control Framework Model 9.2.2
  • In the COSO internal control framework, those
    developing the framework chose to use control
    objectives as opposed to defining risk.
  • COSO's internal control framework consists of
    five interrelated components:
  • 1. Control Environment
  • 2. Risk Assessment
  • 3. Control Activities
  • 4. Information and Communication
  • 5. Monitoring

17
COSO Internal Control Framework Components Fig 9-3
  • The model depicts the dynamics of internal
    control systems. Internal control is not a serial
    process, where one component affects only the
    next. It is a multidirectional interactive
    process in which almost any component can and
    will influence another.

18
Cause and Effect Diagram Fig 9-4
  • In viewing this cause/effect diagram from an
    internal control perspective the effect is the
    achievement of a control objective.

19
CobiT Model 9.2.3
  • The components of the four parts of the CobiT
    cycle can be shown by listing the tasks within
    each component:
  • Part 1: Plan and Organize
  • Includes: defining a strategic IT plan.
  • Part 2: Acquire and Implement
  • Includes: identifying automated solutions.
  • Part 3: Deliver and Support
  • Includes: defining and managing service
    levels, performance, problems and incidents.
  • Part 4: Monitor
  • Includes: managing the processes and
    internal control practices.

20
Testing Internal Controls 9.3
  • Internal control models emphasize the importance
    of environmental controls. However, these
    controls are specified by management and assessed
    by auditors. Software testers need to focus on
    testing to determine whether or not the control
    requirements are effectively implemented.
  • Testing the controls in a software system
    involves accomplishing these objectives
  • The requirements for the controls have
    been defined. These are normally the risks that
    need to be minimized or eliminated.
  • The defined controls are in place and
    working, which is traditional testing.
  • Test that the enterprise controls are
    included in the software system and are working.
    Enterprise controls are those controls specified
    by the enterprise for all software systems.
    Examples of enterprise controls include security
    controls and control documentation.

21
Perform Risk Assessment 9.3.1
  • Building controls starts with risk assessment
    because reduction in risk is the requirement for
    a control. Risk assessment allows an organization
    to consider the extent to which potential events
    might have an impact on achievement of
    objectives.
  • The risk assessment component of Enterprise Risk
    Management (ERM) comprises these
    sub-components:
  • Inherent and Residual Risk
  • Estimating Likelihood and Impact
  • Qualitative and Quantitative Methodology and
    Techniques
  • Correlation of Events

22
Test Transaction Processing Controls 9.3.2
  • System controls for computer applications involve
    automated and manual procedures. Automated
    procedures may include data entry performed in
    user areas, as well as the control of the data
    flow within a computer system. Manual procedures
    in user areas are developed to ensure that the
    transactions processed by IT are correctly
    prepared, authorized, and submitted to IT.

23
Model for Testing Transaction Processing Controls
Fig 9-5
Here are six steps of a transaction flow through
a computer application system. Transaction flow
is used as a basis for classifying transaction
processing controls, because it provides a
framework for testing the controls for
transaction processing.
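The harness below is an added example, not part of the original slides or the book they summarize. It builds a miniature application in which the processing system and the controlling system are one system (slide 11), with a preventive control at data entry, a processing control against replayed transactions, a detective reconciliation control, and an evidence trail for corrective follow-up (slide 13). The tester's functions then check that each control both exists and performs as specified, including the negative cases. The field rules, the eight-digit account format and the batch reconciliation are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: Decimal


class TransactionApp:
    """The system that processes transactions and the system that controls
    that processing, built as one system.  Field rules and the batch
    reconciliation are assumptions made for this example."""

    def __init__(self):
        self.ledger = {}      # transaction storage: txn_id -> Transaction
        self.evidence = []    # corrective control: evidence for investigation

    def enter(self, raw):
        """Preventive control at the data-entry point: malformed input is
        rejected before it can reach processing.  Returns None on rejection."""
        errors = []
        txn_id = str(raw.get("txn_id", "")).strip()
        account = str(raw.get("account", "")).strip()
        if not txn_id:
            errors.append("missing txn_id")
        if not (account.isdigit() and len(account) == 8):
            errors.append("account must be 8 digits")
        try:
            amount = Decimal(str(raw.get("amount", "")))
        except InvalidOperation:
            amount = None
        if amount is None or not amount.is_finite():
            errors.append("amount not a finite number")
        elif amount <= 0 or -amount.as_tuple().exponent > 2:
            errors.append("amount must be positive with at most 2 decimals")
        if errors:
            self.evidence.append(("rejected", txn_id, errors))
            return None
        return Transaction(txn_id, account, amount)

    def post(self, txn):
        """Processing/storage control: a replayed transaction id is refused,
        so the same transaction cannot be posted twice."""
        if txn.txn_id in self.ledger:
            self.evidence.append(("duplicate", txn.txn_id, []))
            return False
        self.ledger[txn.txn_id] = txn
        return True

    def reconcile(self, submitted):
        """Detective control: compare the batch the user area submitted with
        what actually reached storage, by count and by value."""
        stored = [self.ledger[t.txn_id] for t in submitted if t.txn_id in self.ledger]
        expected = sum((t.amount for t in submitted), Decimal("0"))
        actual = sum((t.amount for t in stored), Decimal("0"))
        return {
            "count_ok": len(stored) == len(submitted),
            "total_ok": expected == actual,
            "missing": sorted(t.txn_id for t in submitted if t.txn_id not in self.ledger),
        }


# --- The tester's side: each control must exist AND perform as specified ---

def test_data_entry_control():
    """The happy path alone proves nothing; the negative cases show the
    control actually blocks what it is specified to block."""
    app = TransactionApp()
    good = app.enter({"txn_id": "T1", "account": "12345678", "amount": "10.50"})
    bad = [
        app.enter({"txn_id": "T2", "account": "1234", "amount": "10.50"}),      # short account
        app.enter({"txn_id": "T3", "account": "12345678", "amount": "-5"}),     # negative
        app.enter({"txn_id": "T4", "account": "12345678", "amount": "ten"}),    # non-numeric
        app.enter({"txn_id": "T5", "account": "12345678", "amount": "1.005"}),  # sub-cent
        app.enter({"txn_id": "T6", "account": "12345678", "amount": "NaN"}),    # not finite
    ]
    return good is not None and all(b is None for b in bad) and len(app.evidence) == 5


def test_duplicate_control():
    app = TransactionApp()
    t = app.enter({"txn_id": "T1", "account": "12345678", "amount": "1.00"})
    return app.post(t) and not app.post(t) and len(app.ledger) == 1


def test_reconciliation_detects_loss():
    """Simulate a transaction lost between entry and storage; the detective
    control must surface the gap rather than report a clean run."""
    app = TransactionApp()
    batch = [app.enter({"txn_id": f"T{i}", "account": "12345678", "amount": "2.00"})
             for i in range(3)]
    for t in batch[:2]:
        app.post(t)
    report = app.reconcile(batch)
    return report["missing"] == ["T2"] and not report["count_ok"] and not report["total_ok"]
```

Each test function returns True only when the control behaves as its specification says, so the same functions can be run from a test runner or called directly; the point of the three negative scenarios is that a control which merely exists, but lets the bad case through, fails the test.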
24
Testing Security Controls 9.4
  • Testers are not security experts. However,
    security is too important to organizations for
    testers to ignore. These test tasks can add value
    to the testers' activities:
  • 1. Understand the points where security is most
    frequently penetrated and understand the
    difference between accidental and intentional
    loss.
  • 2. Build a penetration point matrix to identify
    software system vulnerabilities and then
    investigate the adequacy of the security controls
    at the point of greatest potential penetration.
  • 3. Assess the security awareness training program
    to assure the stakeholders in security are aware
    of their security responsibilities.
  • 4. Understand the attributes of an effective
    security control.
  • 5. Understand the process for selecting
    techniques to test security.

25
Task 1 - Where Security is Vulnerable to
Penetration 9.4.1
  • Data and report preparation areas and computer
    operations facilities with the highest
    concentration of manual functions are areas most
    vulnerable to having security penetrated.
  • Vulnerable areas, ranked from most to least
    vulnerable:
  • 1. Data and report preparation facilities
  • 2. Computer operations
  • 3. Non-IT areas
  • 4. Online storage
  • 5. Programming offices
  • 6. Online data and report preparation
  • 7. Digital media storage facilities
  • 8. Online operations
  • 9. Central processors

26
Task 2 - Building a Penetration Point Matrix 9.4.2
  • Controlling People by Controlling Activities
  • Selecting Computer Security Activities:
      • Interface Activities
      • Development Activities
      • Operations Activities
  • Controlling Business Transactions (the points in
    the transaction flow):
      • Transaction origination
      • Transaction authorization
      • Data entry
      • Transaction communication
      • Transaction storage
      • Transaction processing
      • Transaction retrieval
      • Transaction preparation (output)
      • Transaction usage
      • Transaction destruction

27
Task 3 Assess Security Awareness Training 9.4.3
  • Step 1: Create a Security Awareness Policy - The
    CIO and/or the IT Director need to establish a
    security awareness policy. The policy needs to
    state management's intention regarding security
    awareness.
  • Step 2 Develop a Security Awareness Strategy
  • 1. developing an IT security policy that reflects
    business needs tempered by known risks
  • 2. informing users of their IT security
    responsibilities, as documented in the security
    policy and procedures
  • 3. establishing processes for monitoring and
    reviewing the program.
  • Step 3 Assign the Roles for Security Awareness
  • While it is important to have a policy that
    requires the development and implementation of
    security and training, it is crucial that IT
    organizations understand who has responsibility
    for IT security awareness and training.

28
The IT Security Learning Continuum Fig 9-7
29
Task 4 Understand the Attributes of an
Effective Security Control 9.4.4
  • The following attributes of an effective
    security control help testers determine whether
    or not a given security control is effective.
  • Simplicity: the control is small enough to be
    understood and verified.
  • Fail Safe: when the control fails or cannot
    decide, access is denied rather than granted.
  • Complete Mediation: every access is checked
    against current authority, not a cached decision.
  • Open Design: protection does not depend on
    keeping the mechanism secret.
  • Separation of Privilege: sensitive actions
    require more than one independent condition or
    person.
  • Psychological Acceptability: the control is easy
    enough to use that people do not work around it.
  • Layered Defense: no single control is relied on
    alone.
  • Compromise Recording: attempted and successful
    violations are recorded for investigation.
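To make the attributes concrete, the following added example (not code from the slides) writes the same payment-release authorization twice: a weak version that caches its decision, fails open when the directory is unreachable, lets any single role release any amount and records nothing, and a hardened version that denies by default, re-checks authority on every call, requires a second distinct approver above a threshold and records every denial. The role store, the user names, the 10,000 dual-approval limit and the in-memory audit list are assumptions for the demonstration.

```python
from decimal import Decimal

# Constructed role store standing in for the directory / IAM backend.
ROLE_STORE = {"alice": {"clerk"}, "bob": {"clerk", "approver"}, "carol": {"approver"}}
DUAL_APPROVAL_LIMIT = Decimal("10000")     # assumed threshold for dual control


def lookup_roles(user):
    """Stand-in for a directory call; a special name simulates an outage."""
    if user == "__backend_down__":
        raise ConnectionError("directory unavailable")
    return set(ROLE_STORE.get(user, ()))


# ---- 1. A control that violates the attributes -------------------------------
_decision_cache = {}

def weak_release_payment(user, amount, approver=None):
    if user in _decision_cache:            # breaks complete mediation: a revoked
        return _decision_cache[user]       # role keeps working from the cache
    try:
        roles = lookup_roles(user)
    except Exception:
        return True                        # not fail safe: directory down => allow
    allowed = bool(roles)                  # no separation of privilege: any role,
    _decision_cache[user] = allowed        # any amount, single person
    return allowed                         # no compromise recording of denials


# ---- 2. The same control honouring the attributes ----------------------------
class PaymentControl:
    def __init__(self, lookup=lookup_roles, limit=DUAL_APPROVAL_LIMIT):
        self.lookup = lookup
        self.limit = limit
        self.audit = []        # compromise recording (append-only store in production)

    def _record(self, outcome, user, amount, approver, reason):
        self.audit.append({"outcome": outcome, "user": user, "amount": str(amount),
                           "approver": approver, "reason": reason})
        return outcome == "released"

    def release_payment(self, user, amount, approver=None):
        # Complete mediation: authority is looked up on every call, never cached.
        try:
            roles = self.lookup(user)
            approver_roles = self.lookup(approver) if approver else set()
        except Exception as exc:
            # Fail safe: if authority cannot be established, deny and record why.
            return self._record("denied", user, amount, approver, f"authority unavailable: {exc}")
        if "clerk" not in roles:
            return self._record("denied", user, amount, approver, "requester lacks clerk role")
        if amount > self.limit:
            # Separation of privilege: a second, different principal holding a
            # different role must concur before a large payment is released.
            if approver is None or approver == user or "approver" not in approver_roles:
                return self._record("denied", user, amount, approver, "dual approval required")
        return self._record("released", user, amount, approver, "policy satisfied")


def demonstrate():
    """Drive both versions through the same scenarios and return the outcomes
    so they can be compared and asserted on rather than only printed."""
    ctl = PaymentControl()
    small, large = Decimal("500"), Decimal("25000")
    results = {
        "weak_unknown": weak_release_payment("mallory", small),
        "hard_unknown": ctl.release_payment("mallory", small),
        "weak_down": weak_release_payment("__backend_down__", small),
        "hard_down": ctl.release_payment("__backend_down__", small),
        "weak_large_solo": weak_release_payment("alice", large),
        "hard_large_solo": ctl.release_payment("alice", large),
        "hard_large_self_approved": ctl.release_payment("bob", large, approver="bob"),
        "hard_large_dual": ctl.release_payment("alice", large, approver="carol"),
    }
    # Revoke alice's role: the cached weak decision survives, the hardened one does not.
    ROLE_STORE["alice"] = set()
    results["weak_after_revoke"] = weak_release_payment("alice", small)
    results["hard_after_revoke"] = ctl.release_payment("alice", small)
    ROLE_STORE["alice"] = {"clerk"}          # restore so the demo is repeatable
    results["denials_recorded"] = sum(1 for e in ctl.audit if e["outcome"] == "denied")
    return results
```

A tester checking this control against the attributes would run exactly these scenarios: outage, revocation, oversized single-person release and self-approval. The weak version passes a happy-path test and fails all four; the hardened version denies all four and leaves a record of each denial that an investigator can read.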

30
Task 5 Selecting Techniques to Test Security
9.4.5
  • Recommended techniques for testing
    security:
  • Network scanning
  • Vulnerability scanning
  • Password cracking
  • Log review
  • Integrity checkers
  • Virus detection
  • War dialing
  • War driving (wireless LAN testing)
  • Penetration testing
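Of the techniques listed, an integrity checker is the simplest to show in working code. The added example below is not from the slides: it records a SHA-256 baseline of every regular file under a directory and later reports files that were modified, added or removed. The sample tree and the tampering are constructed in a temporary directory so it runs offline; two of the edits keep the file size unchanged, which is the case a size-or-timestamp comparison would miss and a hash comparison catches.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, POSIX form) to its digest
    and size.  Symlinks are skipped so a link pointing outside the tree is
    never followed and hashed as if it were local content."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": p.stat().st_size,
        }
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k]["sha256"] != current[k]["sha256"]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Create a small tree, baseline it, tamper with it, re-scan.  Returns the
    report so the outcome can be asserted on.  All content is constructed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug = false\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF" + b"\x00" * 60)
        # Round-trip through JSON, as a baseline kept off-host would be.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Constructed tampering: two same-size edits, one dropped file, one deletion.
        (root / "etc" / "app.conf").write_text("debug = true \n")
        (root / "bin" / "server").write_bytes(b"\x7fELF" + b"\x00" * 59 + b"\x90")
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n")
        (root / "etc" / "hosts").unlink()

        current = build_baseline(root)
        report = compare(baseline, current)
        report["same_size_modified"] = [k for k in report["modified"]
                                        if baseline[k]["size"] == current[k]["size"]]
        return report
```

In use, the baseline must be stored somewhere the monitored host cannot rewrite (otherwise an intruder who can change a binary can also change its recorded hash), and the scan should run from a known-good tool rather than from the possibly compromised system's own copy.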

31
Selecting Techniques to Test Security 9.4.5
  • Step 1 Understand Security Testing Techniques
  • The individual selecting the security testing
    techniques should be knowledgeable in both
    security and the available testing techniques for
    security.
  • Step 2 Select Security Testing Techniques Based
    on the Strengths and Weaknesses of Those
    Techniques
  • Security testers should have identified a testing
    objective prior to selecting the security testing
    techniques.

32
Selecting Techniques to Test Security (Cont) 9.4.5
  • Step 3 Determine the Frequency of Use of
    Security Testing Techniques Based on the System
    Category
  • Category 1 systems are those sensitive systems
    that provide security for the organization or
    provide other critical functions.
  • These systems often include
  • Firewalls, routers, and perimeter defense
    systems such as for intrusion detection,
  • Public access systems such as web and e-mail
    servers,
  • DNS and directory servers and other internal
    systems that would likely be intruder targets.
  • Category 2 systems are generally all other
    systems, such as those systems that are protected
    by firewalls, etc., but still must be tested
    periodically.