CHAPTER 8 INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
Part 1: Information Security

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 Explain why an organization would want to use all of the following information security controls: firewalls, intrusion prevention systems, intrusion detection systems, and a CIRT.

Using this combination of controls provides defense-in-depth. Firewalls and intrusion prevention systems are preventive controls. Intrusion detection systems are used to identify problems and incidents. The purpose of a Computer Incident Response Team (CIRT) is to respond to and remediate problems and incidents. According to the time-based model of security, information security is adequate if the firewalls and intrusion prevention systems can delay attacks from succeeding longer than the time it takes the intrusion detection system to identify that an attack is in progress and for the CIRT to respond.
8.2 What are the advantages and disadvantages of having the person responsible for information security report directly to the chief information officer (CIO), who has overall responsibility for all aspects of the organization’s information systems?

It is important for the person responsible for security (the CISO) to report to senior management. Having the person responsible for information security report to a member of the executive committee, such as the CIO, formalizes information security as a top management issue.
One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Therefore, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations.
8.3 Reliability is often included in service level agreements (SLAs) when outsourcing. The toughest thing is to decide how much reliability is enough. Consider an application like e-mail. If an organization outsources its e-mail to a cloud provider, what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?

The differences in promised reliability levels over the course of a year, in terms of days when the e-mail system may not work, are:
95% reliability = 18.25 days
99% reliability = 3.65 days
99.99% reliability = .0365 days or approximately 52.56 minutes
99.9999% reliability = .000365 days or less than one minute
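The downtime figures above follow from one calculation. The following added example (not part of the textbook's answer key) turns it into a small SLA checker: it computes the annual downtime budget for any promised reliability level, expresses it in the most readable unit as the table does, and tests a constructed outage log against each tier. The outage timestamps are invented sample data, and a 365-day year is assumed, matching the figures above.

```python
from datetime import datetime

DAYS_PER_YEAR = 365  # assumption: non-leap year, as in the answer key's figures
MINUTES_PER_YEAR = DAYS_PER_YEAR * 24 * 60


def downtime_budget_days(reliability_pct: float) -> float:
    """Days per year the service may be unavailable under an SLA of reliability_pct."""
    return (100.0 - reliability_pct) / 100.0 * DAYS_PER_YEAR


def downtime_budget_minutes(reliability_pct: float) -> float:
    """Same budget expressed in minutes, which is easier to compare with outage logs."""
    return downtime_budget_days(reliability_pct) * 24 * 60


def describe_budget(reliability_pct: float) -> str:
    """Render the budget in the largest unit that still gives a value >= 1."""
    days = downtime_budget_days(reliability_pct)
    for value, unit in ((days, "days"), (days * 24, "hours"),
                        (days * 24 * 60, "minutes"), (days * 24 * 3600, "seconds")):
        if value >= 1:
            return f"{value:.2f} {unit}"
    return f"{days * 24 * 3600:.2f} seconds"


# Constructed outage log for one year: (start, end) of each e-mail outage.
OUTAGES = [
    (datetime(2023, 2, 3, 9, 0), datetime(2023, 2, 3, 9, 40)),      # 40 min
    (datetime(2023, 6, 17, 22, 15), datetime(2023, 6, 18, 0, 5)),   # 110 min
    (datetime(2023, 11, 30, 14, 0), datetime(2023, 11, 30, 14, 12)),  # 12 min
]


def total_downtime_minutes(outages) -> float:
    """Sum the duration of every logged outage, in minutes."""
    return sum((end - start).total_seconds() / 60 for start, end in outages)


def achieved_reliability_pct(outages) -> float:
    """Actual availability delivered over the year, as a percentage."""
    return 100.0 * (1 - total_downtime_minutes(outages) / MINUTES_PER_YEAR)


def sla_met(reliability_pct: float, outages) -> bool:
    """True if logged downtime stayed within the budget for the promised level."""
    return total_downtime_minutes(outages) <= downtime_budget_minutes(reliability_pct)


if __name__ == "__main__":
    for tier in (95, 99, 99.99, 99.9999):
        print(f"{tier}% -> budget {describe_budget(tier)}, met: {sla_met(tier, OUTAGES)}")
    print(f"achieved: {achieved_reliability_pct(OUTAGES):.4f}%")
```

With the sample log (162 minutes of outages) the provider meets 95% and 99% but misses 99.99%, whose budget is only 52.56 minutes.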