Central Bank of Libya


29 Nov 2013

Information Technology (IT)
Internal Controls Presentation for the

Central Bank of Libya

Royce Walker

Financial Services Volunteer Corps

March 23-25, 2009

IT Internal Controls


Topics of Discussion:

Definition of Internal Control

Overview of Internal Control/Risk Management

Information Technology Internal Controls


Definition of Internal Control

Internal Control is a process, effected by an entity’s board
of directors, management and other personnel. This
process is designed to provide reasonable assurance
regarding the achievement of objectives in effectiveness
and efficiency of operations, reliability of financial
reporting, and compliance with applicable laws and

Source: The Committee on Sponsoring Organizations of the Treadway Commission.



Internal Control/Risk Management Frameworks

wide Frameworks

The Cadbury Committee (United Kingdom)

The Canadian Criteria of Control Committee (CoCo) (Canada)

The Committee on Sponsoring Organizations (COSO) (United

IT Frameworks

The Information Systems Audit and Control Association

Objectives for Information Technology (COBIT)

Information Technology Infrastructure Library (ITIL)

The International Organization for Standardization (ISO)


Information Technology Internal Controls


Who is in charge of IT?

Governance is one of the most important controls. If
someone or some group is not actively overseeing the IT
function, the result will be chaos.


Governance (continued)

Achieved through management structure, assignment of
responsibilities and authority, establishment of policies,
standards and procedures, allocation of resources,
monitoring, and accountability.

Required to ensure tasks are completed appropriately,
accountability is maintained, and risk is managed for the
entire enterprise.

Responsibility of the board of directors and executive

Fundamentally concerned with two issues: 1) IT delivers
value, 2) IT risks are mitigated.

Source: Federal Financial Institutions Examination Council, Information Security, IT Examination Handbook, and Information Systems Audit and Control Association CISA Review Manual 2006, Chapter 2, IT Governance


Governance (continued)

Management Structure

IT should be governed/supported by:

Board of Directors.

IT officers and supervisory personnel.

IT employees.

IT users.


Service providers and contractors.


IT Risk Assessment

An IT risk assessment includes three parts:

Gathering technical and non-technical information about
the IT function.

Analyzing the information to

classify and rank sensitive data, systems, and

assess threats and vulnerabilities.

evaluate control effectiveness.

Setting priorities for responses.


IT Risk Assessment (continued)

Necessary Information

Examples of technical information include:

Data and systems to be protected (electronic and paper).

Network diagrams of internal and external connectivity.

Hardware, software, database file inventories.

Examples of non-technical information include:

Policies, standards, and procedures for security.

Vendor contracts, including insurance coverage

Reports of security monitoring, self-assessments, metrics,
and independent tests.


IT Risk Assessment (continued)

Classify/Rank Sensitive Data, Systems, and Applications

Assess/classify relative importance of information systems,
classify data to identify and rank data, systems, and
applications in order of importance.

Assess Threats and Vulnerabilities

Determine which threats and vulnerabilities deserve priority
attention relative to value of the information or information
systems being protected.


IT Risk Assessment (continued)

Evaluate Control Effectiveness

Identify controls that will mitigate the impact of each threat/vulnerability.

Preventive Control

Keeps something from occurring.

Detective Control

Finds something after it occurred.

Corrective Control

Corrects problems that occurred.

Assign Risk Ratings

Risk ratings should be assigned to information systems and
data to establish importance and criticality.


Information Security Strategy

Typical steps to building an information security strategy

Defining control objectives.

Identifying and assessing approaches to security.

Establishing of benchmarks and metrics.

Preparing and implementing testing plans.


Information Security Strategy (continued)

Control Framework Considerations

Using a widely recognized technology standard, such as:

COBIT, ITIL, ISO 17799, etc.

Policies and Procedures

Primary component of strategy; guides decisions made by
users, administrators, and managers.

Inform individuals of their responsibilities, specify ways of
meeting responsibilities.

Provide guidance in acquiring, configuring, and auditing
information systems.


Information Security Strategy (continued)

Technology Design

Provides effective network-level monitoring, limits an
intruder's ability to traverse the network, offers minimum
level of services required by business needs.

If updated in a timely manner, mitigates newly discovered
threats and vulnerabilities.


Information Security Strategy (continued)

Outsourced Security Services

Security services may be outsourced to obtain greater
expertise, greater range of services, and lower costs.

Institution retains same responsibilities for security as if
those services were performed in

Sufficient expertise is needed to oversee and manage
outsourced security service relationship properly.

Detailed contract is needed for scope and nature of services
as well as for expected and required service levels.


Information Security Internal Controls

Internal controls should be established to minimize IT Risk.

Access Control

Physical and Environmental Protections


Malicious Code Prevention

Systems Development, Acquisition, and Maintenance

Personnel Security

Data Security

Service Provider Oversight

Business Continuity Considerations




Access Control

Goal of access control is to allow access by authorized
individuals and devices and to disallow access by all others.

Limit to specifically authorized persons.

Authorize only individuals whose identity is established.

Limit activities to those required for business purposes.

Approve device installation in accordance with policy.

Use change controls for devices and software used inside
the external perimeter, configure institution devices to
accept authorized connections from outside the perimeter.


Access Rights Administration

Implement an effective process to administer access rights.

Assign users and devices only the access required to
perform their required functions (business need).

Update access rights based on personnel and system

Review users’ access rights at periodic intervals.

Design acceptable-use policies and require users to agree
to them in writing.

Review exception reports.
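The access-rights administration bullets above (business-need rights, updates on personnel change, periodic review, signed acceptable-use policies, exception reports) can be turned into a mechanical review. The script below is an added example, not material from the presentation or the FFIEC handbook; the role names, rights strings, 90-day review interval and user records are constructed for illustration.

```python
from datetime import date, timedelta

# Role baselines: the rights each job function needs (constructed for this example).
ROLE_BASELINE = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "it_admin": {"server:login", "server:sudo", "backup:restore"},
    "auditor": {"core_banking:read", "logs:read"},
}
REVIEW_INTERVAL = timedelta(days=90)   # how often each user's rights must be re-certified (assumed)


def review_access(users, today):
    """Compare granted rights with the role baseline and return exception-report
    entries as (user, finding, detail) tuples."""
    findings = []
    for u in users:
        granted = set(u["rights"])
        if u["status"] != "active":
            # Leavers and transfers: any remaining right is an exception.
            findings.append((u["user"], "inactive_account_with_rights", sorted(granted)))
            continue
        excess = granted - ROLE_BASELINE.get(u["role"], set())
        if excess:
            findings.append((u["user"], "rights_exceed_role", sorted(excess)))
        if today - u["last_review"] > REVIEW_INTERVAL:
            findings.append((u["user"], "review_overdue", u["last_review"].isoformat()))
        if not u["aup_signed"]:
            findings.append((u["user"], "acceptable_use_not_signed", ""))
    return findings


# Constructed sample of an access-rights register.
SAMPLE_USERS = [
    {"user": "ahmed", "role": "teller", "status": "active", "aup_signed": True,
     "rights": ["core_banking:read", "core_banking:post_txn"], "last_review": date(2009, 2, 23)},
    {"user": "fatima", "role": "teller", "status": "active", "aup_signed": True,
     "rights": ["core_banking:read", "core_banking:post_txn", "server:sudo"],
     "last_review": date(2008, 11, 25)},
    {"user": "omar", "role": "it_admin", "status": "terminated", "aup_signed": True,
     "rights": ["server:login"], "last_review": date(2009, 1, 10)},
    {"user": "layla", "role": "auditor", "status": "active", "aup_signed": False,
     "rights": ["core_banking:read", "logs:read"], "last_review": date(2009, 3, 15)},
]


def sample_report():
    """Run the review over the constructed register as of 25 March 2009."""
    return review_access(SAMPLE_USERS, date(2009, 3, 25))


if __name__ == "__main__":
    for user, finding, detail in sample_report():
        print(f"{user:8} {finding:30} {detail}")
```

The report is the exception report the slide refers to: a teller holding `server:sudo`, a terminated administrator whose login survives, an overdue certification and an unsigned acceptable-use agreement each come out as a separate line for a reviewer to act on.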


Authentication

Use effective authentication methods.

Select authentication mechanisms based on risk associated
with application or services.

Consider when multi-factor authentication is appropriate.

Encrypt transmission and storage of authenticators (e.g.,
passwords, personal identification numbers (PINs), digital
certificates, biometric templates).


Authentication (continued)

Shared Secret Systems

Uniquely identify user by matching
knowledge on system to knowledge only system and user are
expected to share.

Passwords, pass phrases, current transaction knowledge.

Password string


Pass phrase

My favorite candy is peppermint.

Current transaction knowledge

Account balance on the last statement mailed to the user/customer.

Controls should prevent user from re-using shared secrets
that were compromised, or recently used by user.


Authentication (continued)

Shared Secret Systems (continued)

Passwords and pass phrases should be difficult to guess.

Strength is lack of disclosure of and about the secret,
difficulty in guessing it, length of time before it is changed.

User should select passwords and pass phrases without
assistance from other users. (Exception

password to create new account).


Authentication (continued)

Shared Secret Systems (continued)

Automated tools can assist enforcement of shared secret
system policies.



Periodic changes (e.g., every 30, 60, 90 days)

Lock out after unsuccessful password attempts

Disallow re-use of password
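The three shared-secret slides above (encrypted storage of authenticators, no re-use of compromised or recent secrets, periodic change, lockout after failed attempts) describe a policy that an automated tool enforces. The code below is an added example and not from the presentation; the 90-day age, five-attempt lockout, five-entry history and user name are assumed values, and the stored form is a salted PBKDF2 hash (a standard-library choice made here, not one the slides prescribe).

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy parameters (constructed for this example; an institution sets its own values).
MAX_SECRET_AGE = timedelta(days=90)   # periodic change
MAX_FAILED_ATTEMPTS = 5               # lock out after unsuccessful attempts
HISTORY_SIZE = 5                      # current secret plus predecessors that may not be re-used
PBKDF2_ITERATIONS = 100_000           # work factor for the stored hash


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Only a salted, iterated hash is stored; the secret itself is never written down.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class SharedSecretStore:
    """One record per user: current hash and salt, change time, failure counter,
    lock flag and a bounded history of earlier (salt, hash) pairs."""

    def __init__(self):
        self.users = {}

    def set_secret(self, user: str, secret: str, now: datetime) -> str:
        rec = self.users.get(user)
        if rec is not None:
            # Disallow re-use: compare the candidate against every retained hash.
            for salt, digest in rec["history"]:
                if hmac.compare_digest(hash_secret(secret, salt), digest):
                    return "rejected: secret used recently"
        salt = os.urandom(16)
        digest = hash_secret(secret, salt)
        history = (rec["history"] if rec is not None else []) + [(salt, digest)]
        self.users[user] = {
            "salt": salt, "digest": digest, "changed": now,
            "failed": 0, "locked": False,
            "history": history[-HISTORY_SIZE:],
        }
        return "ok"

    def authenticate(self, user: str, secret: str, now: datetime) -> str:
        rec = self.users.get(user)
        if rec is None:
            return "denied: unknown user"
        if rec["locked"]:
            return "denied: account locked"
        if not hmac.compare_digest(hash_secret(secret, rec["salt"]), rec["digest"]):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True        # release goes through the reissuance procedure
                return "denied: account locked"
            return "denied: bad secret"
        rec["failed"] = 0                   # a good login resets the counter
        if now - rec["changed"] > MAX_SECRET_AGE:
            return "expired: change required"
        return "ok"


def demo() -> list:
    """Walk one constructed user through the policy; returns each step's outcome."""
    store = SharedSecretStore()
    t0 = datetime(2009, 3, 23)
    phrase = "My favorite candy is peppermint."   # the pass-phrase example from the slides
    steps = [
        store.set_secret("teller01", phrase, t0),
        store.authenticate("teller01", phrase, t0 + timedelta(days=1)),
        store.set_secret("teller01", phrase, t0 + timedelta(days=1)),      # re-use attempt
        store.authenticate("teller01", phrase, t0 + timedelta(days=91)),    # past 90 days
    ]
    steps += [store.authenticate("teller01", "wrong", t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    steps.append(store.authenticate("teller01", phrase, t0))                 # correct, but locked
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two details matter for the "lack of disclosure" point on the next slide: comparisons use `hmac.compare_digest` so timing does not leak how much of a guess was right, and the history keeps only hashes, so a compromised store does not hand over the old secrets themselves.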


Authentication (continued)

Other Authentication Systems

Token Systems

Two-factor authentication combining something the
user has and something the user knows.

Public Key Infrastructure (PKI)

Combines hardware
components, system software, policies, practices, standards
for authentication, data integrity, defense against customer
repudiation, and confidentiality.

Biometrics

Verifies user by reference to unique physical or
behavioral characteristics (e.g., thumbprint, iris pattern). May
or may not require use of a token.


Authentication (continued)

Other Authentication Systems (continued)

Authenticator Reissuance

Needed when user forgets
shared secret, loses token, biometric identifier changes.

Behavioral Authentication

Assurance gained from comparing connection-related or
activity-related information with expectations.

Device Authentication

Supplements authentication of
individuals or when assurance is needed that the device is
authorized to be on the network.


Network Access

Secure access to computer networks through multiple layers
of access controls to protect against unauthorized access.

Group servers, applications, data, users into security
domains (e.g., untrusted external networks, external
service providers, various internal user systems).

Establish access requirements within/between domains.

Implement technological controls to meet access
requirements consistently.

Monitor cross-domain access for security policy violations
and anomalous activity.


Network Access (continued)

Firewalls

Devices (computers, routers, and software) that
mediate access between different security domains. All
traffic between security domains must pass through the
firewall, regardless of the direction of the flow.

Malicious Code Filtering

Devices that act as a control point to enforce the
institution's security policy over incoming communications
(e.g., anti-virus, anti-spyware, and spam filtering, blocking
of downloading of executable files, and other actions).


Network Access (continued)

Outbound Filtering

Devices that inspect outbound
communications for compliance with the institution’s security
policy (e.g., forbid origination of outbound communications
from certain computers).

Network Intrusion Prevention System (IPS)

Devices that
allow or disallow access based on an analysis of packet
headers and packet payloads (similar to firewalls).

Intrusion Detection System (IDS)

Software and/or devices designed to detect unwanted
attempts to access, manipulate, or disable computer systems
or information.


Network Access (continued)

Vulnerability Assessment Systems

Systems to identify,
quantify, prioritize vulnerabilities in networked systems.

Data Loss Prevention

System to identify, monitor, and
protect data while it is being used, stored, transmitted;
designed to detect and prevent the unauthorized use and
transmission of confidential information.

Security Information Management System (SIMS)

Consolidates reports from firewalls, IPS, IDS, and system
and event logs into a central repository for trend analysis.


Operating System Access

Secure access to operating systems of all system components.

Secure access to system utilities.

Restrict and monitor privileged access.

Log and monitor user/program access to sensitive
resources and alert on security events.

Update operating systems with security patches.

Secure devices that can access the operating system
through physical and logical means.


Application Access

Control access to applications.

Use authentication and authorization controls appropriately
robust for the risk of the application.

Monitor access rights to ensure they are the minimum
required for user’s current business needs.

Use time-of-day limitations on access as appropriate.

Log access and security events.

Use software that enables rapid analysis of user activities.


Remote Access

Secure remote access to and from systems.

Disable remote communications if no business need exists.

Control access via management approval and review.

Implement robust controls over configurations at both ends
of the remote connection to prevent malicious use.

Log and monitor all remote access communications.

Secure remote access devices.

Use strong authentication and encryption to secure


Physical and Environmental Protection

Define physical security zones and implement preventive and
detective controls in each zone to protect against:

Physical access by malicious or unauthorized people.

Damage from environmental contaminants.

Electronic access through active or passive electronic


Physical and Environmental Protection (continued)

Data Center Security

Major objective is to limit risk of exposure from internal and
external sources.

Choose an area relatively safe from exposure to fire, flood,
explosion, or similar environmental hazards.

Deter intruders with guards, fences, barriers, surveillance
equipment, etc.

Ensure air conditioning equipment maintains temperature
for optimal equipment operation.


Physical and Environmental Protection (continued)

Data Center Security (continued)

Record access by vendors and other persons not assigned
to data center.

Secure doors and windows with switches that activate
alarm systems.

Do not identify location by signage or other indicators.

Use detection devices (e.g., security cameras) to prevent
theft and safeguard equipment.


Physical and Environmental Protection (continued)

Data Center Security (continued)

Minimize risk from environmental threats with fire
suppression systems, smoke alarms, raised flooring, and
heat sensors.

Use maintenance logs to determine whether devices are
appropriately maintained.

Periodically test the devices to determine they are
operating correctly.


Physical and Environmental Protection (continued)

Data Center Security (continued)

Require visitors to sign in and wear proper IDs so that they
can be monitored and identified easily.

Install power supply conditioning equipment (e.g., surge

Install uninterruptible power supply equipment that will
activate immediately in the event of power loss from the
main power supply.


Physical and Environmental Protection (continued)

Cabinet and Vault Security

Install protective containers designed to meet fire- and
theft-resistant standards.

Physical Security In Distributed Environments

Protect personal computers in unrestricted areas such as
lobbies by securing them to workstations, locking or
removing disk drives and unnecessary physical ports, and
activating screensaver passwords or automatic timeouts.


Encryption

Implement encryption to mitigate the risk of disclosure or
alteration of sensitive information in storage and in transit.

Encryption strength sufficient to protect information from
disclosure until disclosure poses no material risk.

Effective key management practices.

Robust reliability.

Appropriate protection of the encrypted communication’s


Malicious Code Prevention

Implement appropriate controls to prevent and detect
malicious code, and engage in user education.

Malicious code is any program that acts in unexpected and
potentially damaging ways.

Common types of malicious code are viruses, worms,
Trojan horses, monitoring programs such as spyware, and
site scripts, keystroke loggers, and screen


Malicious Code Prevention (continued)

Controls To Protect Against Malicious Code

Controls use technology, policies and procedures, and
training, all applied in a layered manner from perimeters
inward to hosts and data. Controls are applied at the host,
network, and user levels.

Host Level

Host hardening, including patch application and security-
minded configurations of the operating system (OS),
browsers, and other network-aware software.


Malicious Code Prevention (continued)

Controls To Protect Against Malicious Code (continued)

Network Level

Limit transfer of executable files through the perimeter,
and use IDS and IPS to monitor incoming and outgoing
network traffic.
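"Limit transfer of executable files through the perimeter" is only effective if the filter looks at content rather than trusting the file name. The following is an added example, not code from the presentation: a content-first classifier for files crossing the perimeter. The magic numbers are the real signatures of the PE, ELF and Mach-O formats; the blocked-extension list, the policy decisions and the sample transfers are constructed for this illustration.

```python
import os

# Well-known magic numbers of native executable formats (real signatures).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O executable",
    b"\xce\xfa\xed\xfe": "Mach-O executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}
# Extensions the constructed policy refuses outright, whatever the content.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".vbs", ".js"}


def executable_type(content: bytes):
    """Return the format name if the leading bytes match a known executable signature."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            return name
    return None


def classify_transfer(filename: str, content: bytes):
    """Decide ('block' | 'allow', reason) for one file crossing the perimeter.
    Content is inspected before the name, so renaming setup.exe to invoice.pdf
    does not get it through."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = executable_type(content)
    if fmt is not None:
        if ext in BLOCKED_EXTENSIONS:
            return "block", fmt
        shown = ext or "(none)"
        return "block", f"{fmt} disguised with extension '{shown}'"
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension '{ext}'"   # scripts carry no magic number
    return "allow", "no executable content detected"


# Constructed sample transfers (content reduced to the leading bytes that matter).
SAMPLE_TRANSFERS = [
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("statement.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),     # executable renamed to look like a PDF
    ("update.bat", b"@echo off\r\n"),
    ("tool", b"\x7fELF\x02\x01\x01\x00"),              # no extension at all
    ("notes.txt", b"Meeting notes 23 March"),
]


def sample_decisions():
    """Classify every constructed transfer; returns (name, action, reason) tuples."""
    return [(name,) + classify_transfer(name, data) for name, data in SAMPLE_TRANSFERS]


if __name__ == "__main__":
    for name, action, reason in sample_decisions():
        print(f"{action:5} {name:15} {reason}")
```

A real perimeter filter would also open archives and inspect their members the same way, which this example leaves out; the point it shows is that the decision keys on the bytes, and the extension list is only a second, weaker net for script formats that have no signature.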

User Level

User education in awareness, safe computing practices,
indicators of malicious code, and response actions.


Systems Development, Acquisition, and Maintenance

Ensure that systems are developed, acquired, and maintained
with appropriate security controls.

Ensure systems are developed and implemented with
appropriate security features enabled.

Ensure software is trustworthy by implementing
appropriate controls in the development process, reviewing
source code, reviewing the history and reputation of
vendors and third party developers, and implementing
appropriate controls outside of the software to mitigate
unacceptable risks from any deficiencies.


Systems Development, Acquisition, and Maintenance (continued)

Maintain appropriately robust configuration management
and change control processes.

Establish an effective patch management process.

Use a separate system to test software changes/patches
before moving into the production environment.


Personnel Security

Mitigate risks posed by employees and other internal users.

Perform background checks/screening of new employees.

Obtain agreements covering confidentiality, nondisclosure,
and authorized use.

Use job descriptions, employment agreements, and training
to increase accountability for security.

Provide training to support awareness/policy compliance.


Data Security

Control and protect access to paper, film, and computer
media to avoid loss or damage.

Develop a data classification policy.

Establish/ensure compliance with policies for handling and
storing information,

Ensure safe and secure disposal of sensitive media.

Secure information in transit or transmission to third


Service Provider Oversight

Exercise security responsibilities for outsourced operations.

Conduct due diligence in service provider research and

Obtain contractual assurances regarding security
responsibilities, controls, and reporting.

Get nondisclosure agreements regarding systems and data.

Require independent review of service provider's security
through appropriate audits and tests.

Coordinate incident response policies and contractual
notification requirements.


Business Continuity Considerations

Implement an effective business continuity plan.

Identify personnel with key security roles during
continuity plan implementation, and train personnel in
those roles.

Identify security needs for back-up sites and alternate
communication networks.

Periodically test the business continuity plan.

Update the plan when business processes change or new
technologies are implemented.



Evaluate the extent and availability of insurance coverage in
relation to the specific risks being mitigated.

Insurance can be an effective method to transfer risks from
the institution to insurance carriers.

Insurance not a substitute for an effective security

Insurance companies typically require companies to certify
that certain security practices are in place.


Security Monitoring

Assure adequacy of risk mitigation strategy/implementation.

Monitor to identify policy violations, anomalous behavior.

Monitor to identify unauthorized configuration, conditions
that increase risk of intrusion, or other security events.

Analyze results to accurately and quickly identify, classify,
escalate, report, and guide responses to security events.

Respond to intrusions, other security events.

Continuously gather and analyze information regarding
new threats, vulnerabilities, actual attacks, effectiveness of
existing security controls.
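The Security Monitoring slide, the SIMS slide (consolidating firewall, IPS/IDS and system logs in one repository) and the Network Access slide (security domains with defined access requirements, cross-domain monitoring) describe one pipeline: normalise events from several sources, then check them against policy and against expectations. The code below is an added example, not from the presentation: the domain ranges, the allowed-flow matrix, the log formats and every log line are constructed, and the three-account failure threshold is an assumed value.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Security domains (constructed address ranges for this example).
DOMAIN_RANGES = [
    (ip_network("10.10.0.0/16"), "user_lan"),
    (ip_network("10.20.0.0/24"), "core_banking"),
    (ip_network("10.30.0.0/24"), "dmz"),
    (ip_network("172.16.5.0/24"), "service_provider"),
]
# Access requirements between domains: (source, destination) pairs allowed to talk.
ALLOWED_FLOWS = {
    ("user_lan", "core_banking"), ("user_lan", "dmz"),
    ("dmz", "core_banking"), ("service_provider", "dmz"),
}
AUTH_FAILURE_THRESHOLD = 3   # distinct accounts failing from one address (assumed)


def domain_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, name in DOMAIN_RANGES:
        if addr in net:
            return name
    return "internet"   # anything unassigned is treated as untrusted


def parse(line: str) -> dict:
    """Normalise one 'TIMESTAMP SOURCE key=value ...' line into an event dict."""
    ts, source, rest = line.split(" ", 2)
    event = dict(re.findall(r"(\w+)=(\S+)", rest))
    event.update(ts=ts, source=source)
    return event


def analyse(lines):
    """Return (kind, detail) findings: firewall permits that violate the domain
    policy, IDS alerts to escalate, and addresses failing logins across accounts."""
    findings = []
    failures = defaultdict(set)   # src address -> accounts with failed logins
    for event in map(parse, lines):
        if event["source"] == "FW" and event["action"] == "ALLOW":
            s, d = domain_of(event["src"]), domain_of(event["dst"])
            if s != d and (s, d) not in ALLOWED_FLOWS:
                findings.append(("policy_violation",
                                 f"{event['src']} -> {event['dst']} ({s} -> {d}) permitted by firewall"))
        elif event["source"] == "IDS":
            findings.append(("ids_alert", f"{event['signature']} {event['src']} -> {event['dst']}"))
        elif event["source"] == "AUTH" and event["result"] == "FAIL":
            failures[event["src"]].add(event["user"])
    for src, accounts in failures.items():
        if len(accounts) >= AUTH_FAILURE_THRESHOLD:
            findings.append(("auth_failures",
                             f"{src} ({domain_of(src)}): failed logins for {len(accounts)} accounts"))
    return findings


# Constructed log lines from three sources, already in one repository.
SAMPLE_LOG = [
    "2009-03-24T08:01:12 FW src=10.10.4.7 dst=10.20.0.5 action=ALLOW",      # permitted flow
    "2009-03-24T08:01:15 FW src=172.16.5.9 dst=10.20.0.5 action=ALLOW",     # provider straight into core
    "2009-03-24T08:02:40 FW src=203.0.113.8 dst=10.30.0.2 action=DENY",     # blocked as expected
    "2009-03-24T08:03:01 FW src=203.0.113.8 dst=10.20.0.5 action=ALLOW",    # internet into core
    "2009-03-24T08:05:10 AUTH user=admin result=FAIL src=10.10.9.9",
    "2009-03-24T08:05:12 AUTH user=root result=FAIL src=10.10.9.9",
    "2009-03-24T08:05:14 AUTH user=teller01 result=FAIL src=10.10.9.9",
    "2009-03-24T08:05:16 AUTH user=operator result=FAIL src=10.10.9.9",
    "2009-03-24T08:07:30 AUTH user=teller02 result=FAIL src=10.10.4.7",      # one typo, below threshold
    "2009-03-24T08:09:00 IDS signature=port-scan src=10.30.0.2 dst=10.20.0.5",
]


def sample_findings():
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, detail in sample_findings():
        print(f"{kind:17} {detail}")
```

The two firewall findings are the "unauthorized configuration" case from the slide: the firewall did what it was told, but what it was told contradicts the domain policy, and only a check that knows the policy catches that. The login finding is the "anomalous behavior" case, visible only once events from many lines are aggregated by source address.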



I hope this presentation has given you a better understanding
of internal controls that can be implemented for information
technology to protect the institution and its customers.

Thank you for your interest and attention today!!!



1. The Committee on Sponsoring Organizations of the Treadway Commission.

2. Federal Financial Institutions Examination Council, IT Examination Handbook, 2006.

3. Information Systems Audit and Control Association, CISA Review Manual, 2006.