General Computer & Application Controls, A Primer

Posted by Michael Paulie

The following guide is meant to be a primer on the subject of general computer controls and general application controls, it is by no means a complete guide to these controls but rather aims to provide a foundation by which to build upon.

Businesses rely on technology to operate and achieve their goals, and with all technology come risks. To mitigate the risks every IT system and environment requires controls to be in place to keep the system and data within it secure, maintain continuous operations, and reduce the chance of errors in data processing and transactions.  These types of controls are commonly called general computer controls and general application controls, and ensure IT systems are functioning reliably and as management intended.

In Information Security and Information Technology audits most things boil down to the CIA triad… Confidentiality, Integrity, and Availability.  The blend of general and applications controls in every system are the measures put in place to support the CIA triad and ensure IT systems can be relied on to sustain business operations.  We also test to ensure the controls are functional, effective, and comply with policies and procedures.

Compliance is also a reason why general computer controls and application controls are important, regulations such as HIPAA, SOX, GLBA as well as PCI-DSS compliance require the attestation of the effectiveness of certain general computer and application controls.

General Computer Controls

General controls are the controls applied over the IT infrastructure of a system, without them it is possible unauthorized changes may occur, users with privileged access may go unknown, measures would not be taken to ensure systems are available, and data may be accessible to unauthorized users.  General controls form the control environment to ensure these risks are appropriately mitigated.  The following list is a high level description of the controls you should expect to see in just about every IT system.

Along with best practices, all of the following general computer controls should be tested against documented company policies, procedures, and standards.

Physical security

Controls should be in place to ensure physical access is limited and controlled (ID badges, locks, man-traps, guards), fire suppression systems are in place, and power systems are adequate.  I'm not going to go into more detail here because most of the time when reviewing general controls for systems, they are located in a data center which should have it's own review performed.

Change and patch management

Generally speaking changes to a system, including installing patches, should be performed in accordance to change management policies and procedures with proper approvals and separation of duties. System owners should ensure they are made aware of patches, specifically security patches, timely and evaluate them based on criticality and risk to the organization.

Performance monitoring and capacity management

Key performance indicators (KPIs) should be monitored based on the function of a system and its criticality with automated alerting for the timely response to any problems.  Monitoring should also be performed for capacity management of resources such as disk, processor, memory, bandwidth, and license usage.  This should be done periodically to ensure the capacity of the system supports its current and projected usage.

Backup & recovery and high availability

IT systems should have data and configuration backed up appropriately to support the recovery of the system in the event of a disaster or loss of data.  If the system has an associated Recovery Point Objective (RPO), which is a specified maximum amount of time the business can afford to lose data, backup jobs should be scheduled accordingly.  For example if a system has an RPO of 1 hour, data must be backed up at a minimum, every hour.  For high availability, based on risk, systems and infrastructure should be configured to be highly available in support of business continuity.  Examples included clustered or fail-over system configurations, redundant network connections, disk arrays, etc.

Security configuration, administration, and access review

Security configuration within IT systems is made up of the configuration for how users are authenticated (centrally or local),  secure communications of the authentication traffic (e.g. Secure LDAP, Kerberos, SSH, SSL/TLS),  password policies, audit logging, etc. Systems should comply with documented security standards and analyzed based on risk.

Security administration concerns the granting and removal of access to systems, access should be based on least privileged with the use of groups or roles where applicable. There should be a separation of duties between the grantors of access and the users with privileged access.

Security access reviews should be performed periodically to verify the access of users within the system is appropriate and access has been granted or removed timely.  There should be a separation of duties here as well between the reviewers of access and the grantors of access.

General Application Controls

Application controls center around the accuracy and validity of data as it is processed through a system.  The objective is to ensure that data is accurate and approved when sent to a system, processed, and output.  It's very important to walk-through and understand the process flow and flow of data when it comes to reviewing general application controls.  To properly test them you should have a full understanding of the flows and know where and when specific controls should apply.

Controls for input data include validity and approval of the input, its accuracy, as well as it's completeness and management overrides. In many cases there should be segregation of duties between initiation and approval of transactions.  For the processing of transactions there should be controls in place which record every transaction as well as check for completeness, and accuracy.  There are many ways to test transactions and calculation including re-performance through the use of computer aided auditing techniques (CAATs).

The same controls apply for the output data, they should ensure completeness and accuracy of the data.  A couple additional controls which apply to output data are error reporting and the security over the new data wherever it has been output.  No matter on where the data is stored or its location in a database, controls should be in place to ensure only authorized uses should have access.

Final Thoughts

General computer and application controls can quickly become a very involved topic and noticeably I have not covered everything in this guide, including controls over operations and systems development, acquisition, and maintenance. Nor have I covered approaches to testing the controls such as compliance or attribute and substantive testing, however the purpose was to provide solid overview and foundation which could easily be built on and translated to multiple environments.  Feel free to leave your comments below, happy auditing!

Photo by Faramarz Hashemi   / CC BY
[Read more]

Cybersecurity: Why every employee is a target, and what you can do about it

Posted by Michael Paulie
Photo Credit: Gianni Dominici

As of late you've probably been hearing about various types of cyber attacks and the methods used to execute them relating to the ever mounting number of security and data breaches at large organizations.  Advanced Persistent Threats (APTs), spear phishing, and whaling are just some of the more sophisticated ways threat agents are launching attacks by specifically targeting employees and vendors to gain access to corporate and government networks.

Social media sites like Facebook and LinkedIn offer a wealth of information which is used to select and target individuals for social engineering, phishing, and malware attacks.  From information in your profile such as your job title, department, and company, attackers can extrapolate the type and extent of your access to data and systems within their target organization, and begin launching attacks against YOU.  Examples include emailing or in-app messaging of a job with a description attachment, that you might be interested in, which executes malware or the message might contain links to articles in your field which direct you to a website attempting to execute malware. .

Zero-day vulnerabilities, which are as yet unknown and do not have a patch, have always been a risk, however the attacks have become increasingly more sophisticated. You may have noticed web browsers on your home computers complaining about Adobe Flash needing to be updated frequently over the past couple of months. This was due to recent zero-day vulnerabilities in the Adobe software.  In an effort to compromise government and U.S. financial services employees, attackers compromised advertising servers used by to serve up malicious advertisements.  The malicious advertisements were then displayed on which exploited Adobe Flash and Internet Explorer of visitors to the site1.  The end result of this targeted attack was malware installed on home, work, and government workstations which sent data back to the attackers.

Threat agents are not only attacking the front door but targeting those who have the keys and stealing them.

What you can do about it.

1. Limit public information on social media and be cautious of who you let in your social media network.  Use privacy settings to limit the information for people you don’t know but wish to network with.  If settings are unavailable, limit the information provided on your job and responsibilities.

2. Think before you click. Links and attachments in email, on social media, and advertising are often the way computers become compromised. If it looks suspicious, even if you know the source, it’s best to delete it.

3. Passwords, we're stuck with them until there's a better and more secure method of authentication.  I’m sure you’ve heard this before, make passwords long, complex, and change them regularly.  Use two-factor authentication if available.   Also, use different passwords, especially between work and personal accounts in the event one is compromised.

4. Keep software updated.  Having the latest updates to your anti-virus software, operating system, and web browser is one of the best defenses against viruses and malware.  Use the option to have these automatically update.

5. Using public Wi-Fi is like talking on the phone in the middle of a crowd, assume everyone can hear your conversation.  Limit the type of usage and if you must use it, be sure to use secure VPN.

6. BYOD, a convenience and security risk. Using your personal device for work means what you do at home or on other networks can put your corporate network at risk.  The best thing to do is keep your work and personal devices separate.

These measures will not only protect your organization but also yourself from identity theft and fraud.

Photo by Gianni Dominici  / CC BY
[Read more]