Department of Accounting & Law
Acc 661 Auditing of Advanced Accounting Information Systems
Spring, 2004
______________________________________________________________________________________
Welcome to the world of Auditing of Advanced Accounting Information Systems. The emphasis in the course will be on gaining an in-depth understanding of the information security technologies necessary for auditing complex accounting information systems, and of the auditing process itself.

The course will involve a healthy mixture of theory, applications, technologies, and constant exposure to late-breaking developments in the field. It is important that you get familiar with the workings of Unix as well as Windows environments, since I will not be spending much time on those topics. The knowledge you have gained in Acc 681 and Acc 682 should be adequate, and if new concepts are introduced, I will be discussing them in class.

The course is rather fast paced, and rather formal in rigour in terms of security modeling and its applications. It is therefore important that you keep up with the class at all times and not be left behind. Should you need help, seek it immediately.

Use the wonderful facilities in the Graduate Laboratory for Accounting Information Systems.

Enjoy!
Semester: Spring, 2004
Time: T 4:15 — 7:05 PM
Room: BA 223 (PriceWaterhouseCoopers Classroom)
Instructor: Jagdish S. Gangolly
Graduate assistants: Sergey Romanov and Juri Kondratev
Office: BA 365C
Phone: (518) 442-4949
Fax: (707) 897-0601 / (518) 442-3944
Office Hours: T 3:15 – 4:15 PM, or by appointment
Instructor Homepage: http://www.albany.edu/acc/gangolly
Course Homepage: http://www.albany.edu/acc/courses/acc661
Newsgroup: sunya.class.acc661
______________________________________________________________________________
Class Conduct:
The course consists of lectures, discussion of homework and book assignments, your presentation of assigned topics, some programming, and security lab tutorials. You are expected to have done the readings well ahead of the class. Class time is to be used for the clarification of any doubts that you may have. Do not expect to merely listen to the instructor and gain knowledge. A sound understanding of the theory and its use in practice is essential to excel in the field. You are required to demonstrate competence in the topics covered in order to receive an acceptable grade. I may give occasional homework assignments. I also shall be calling upon some of you to come to the board and discuss problems either in the textbooks, other sources, or homework assigned. Each Thursday, you may be presenting before the class research that you have conducted on the important developments in the information security and auditing field during the previous week. I shall be linking the list of issues to be researched to this page.
Software:
You are strongly urged NOT to use any security related software on any of the machines on campus except in the CyberSecurity Lab. Such use may be a violation of the University policy on computing.

Newsgroup/e-mail:
I shall be using the class newsgroup (sunya.class.acc661) extensively for making announcements regarding tests, homework, quizzes (if any), added links to this course homepage, etc. In fact, the newsgroup will be the primary means of communication between us outside of the class. You should post to the newsgroup all your questions and doubts for clarification. You are strongly encouraged to answer queries posted by others, and such responses will count towards class participation points for grading. You should communicate with me via e-mail only for individual problems and questions.
Access to the Graduate Laboratory for Accounting Information Systems:
As a graduate student in the Department, you have access to the Graduate Laboratory for Accounting Information Systems. You will need to get from Ms. Lisa Scholz the password to enter the lab. Contact her in BA 365 as soon as possible. Should you have special requirements for software (DBMS servers) or hardware (Windows 2000 Servers) for your projects, let me know, and arrangements will be made for your access. You may use there only software that is announced in the class. Use of any security related software without permission is not allowed.

You also will need logins to the University unix cluster and the Department's Windows 2000 server. You will need to apply on-line for an account on the unix cluster, and contact the Graduate Assistants regarding a login for the Windows 2000 server. You cannot use any machine in the lab without these logins.
Academic Dishonesty:
I take academic dishonesty very seriously, and will not hesitate to impose the severest penalty that the University Policies allow an instructor. You are expected to familiarize yourselves with the policies set out in http://www.albany.edu/judicial_affairs/standardsofconduct.html

“Conduct including, but not limited to, plagiarism, cheating, multiple submission, forgery, sabotage, unauthorized collaboration, falsification, bribery or use of purchased research service reports without appropriate notation; and theft, damage or misuse of library or computer resources. Attempts to commit such acts shall also constitute academic dishonesty. Students assume full responsibility for honesty in academic exercises.”

I will not accept any submissions in the course unless they are accompanied by a statement, signed by you, to the effect that you have read and understood what constitutes academic dishonesty.
Course Objectives:

Catalog Description:
Auditing of modern complex accounting information systems. General & application controls and the design & development of generalized audit software. Auditing of operating systems and database management systems. Privacy & security of data in accounting systems. Audit of on-line systems, management systems. Prerequisite: Acc 681 and Acc 512 or equivalent.

An Honest Description:
Modeling security. Cryptography. Watermarking & Steganography. Operating Systems security. Trust Modeling. Intrusion Detection & Signature Analysis. Privacy & Security. Database Security. Legal & Ethical aspects of security.
Textbooks and Readings:
· Recommended:
  o Incident Response: Computer Forensics Toolkit, by Douglas Schweitzer. ISBN: 0764526367. Publisher: Prentice Hall Professional Technical Reference. (DS in the schedule)

In addition to the above textbooks, I expect to rely considerably on the following for my lectures. You will be expected to read them carefully as I assign them:

An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.

Generally Accepted Principles and Practices for Securing Information Technology Systems, by Marianne Swanson and Barbara Guttman, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce (September 1996).

Generally Accepted System Security Principles, International Information Security Foundation (1999).

Information Security Guideline for NSW Government – Part 1: Information Security Risk Management, Office of Information & Communications Technology, Department of Commerce, NSW Government, Australia (1997).

Information Security Guideline for NSW Government – Part 2: Examples of Threats and Vulnerabilities, Office of Information & Communications Technology, Department of Commerce, NSW Government, Australia (1997).

Information Security Guideline for NSW Government – Part 3: Information Security Baseline Controls, Office of Information & Communications Technology, Department of Commerce, NSW Government, Australia (1997).
During the semester, I shall be referring off and on to some of the following readings in Information Security. I also may assign specific items for you to review individually.

Guide to Information Technology Security Services: Recommendations of the National Institute of Standards and Technology, by Tim Grance, Joan Hash, Marc Stevens, Kristofor O’Neal, and Nadya Bartol, Special Publication 800-35, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930 (October, 2003).

Guide to Selecting Information Technology Security Products: Recommendations of the National Institute of Standards and Technology, by Timothy Grance, Marc Stevens, and Marissa Myers, Special Publication 800-36, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930 (October, 2003).

Guideline on Network Security Testing: Recommendations of the National Institute of Standards and Technology, by John Wack, Miles Tracy, and Murugiah Souppaya, NIST Special Publication 800-42, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930 (October, 2003).

Security Considerations in the Information System Development Life Cycle: Recommendations of the National Institute of Standards and Technology, by Tim Grance, Joan Hash, and Marc Stevens, Special Publication 800-64, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930 (October, 2003).

Guide for Developing Security Plans for Information Technology Systems, by Marianne Swanson, Federal Computer Security Program Managers’ Forum Working Group, National Institute of Standards and Technology, NIST Special Publication 800-18 (December 1998).

Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, by Gary Stoneburner, Alice Goguen, and Alexis Feringa, NIST Special Publication 800-30 (2001).

Intrusion Detection Systems, by Rebecca Bace and Peter Mell, NIST Special Publication on Intrusion Detection Systems.

Wireless Network Security: 802.11, Bluetooth and Handheld Devices, by Tom Karygiannis and Les Owens, Special Publication 800-48, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930 (November, 2002).

Introduction to Public Key Technology and the Federal PKI Infrastructure, by D. Richard Kuhn, Vincent C. Hu, W. Timothy Polk, and Shu-Jen Chang, National Institute of Standards and Technology (February 2001).

Underlying Technical Models for Information Technology Security: Recommendations of the National Institute of Standards and Technology, by Gary Stoneburner, NIST Special Publication 800-33, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930 (2001).

Contingency Planning Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, by Marianne Swanson, Amy Wohl, Lucinda Pope, Tim Grance, Joan Hash, and Ray Thomas, NIST Special Publication 800-34 (2002).
The classes will consist of lectures, solution of problems, discussion of papers and occasional programming exercises. There will be weekly student research presentations, an in-class test, and a term paper requirement to complete the course.

The final course grade is dependent on the following factors:
· 100 points: Test (in class, open book/notes, or take home. Details will be announced in the class and updated here)
· 100 points: Individual class presentations throughout the semester
· 200 points: Individual term paper (50-100 pages, based on the individual presentations above)
· 0 - 50 points: Homework, if and when given
· 25 points: Class participation
· 425 - 475 points: Total points (max)

The final course grade is strictly relative, based on the total points scored.

The grades, once assigned, cannot be changed except in case of errors in grading. Under no circumstances is it possible to do extra credit work to improve the grade.
Tentative Schedule (J. Gangolly)
January 27, 2004
Theme: Introduction to Information Assurance
Topics: Threats, vulnerabilities, information characteristics, overview of Information Assurance.
[c.a. INFOSEC Overview: c.a.1 threats; c.a.2 vulnerabilities; c.a.3 critical information characteristics (c.a.3.i confidentiality; c.a.3.ii integrity; c.a.3.iii availability); c.a.4 information states (c.a.4.i transmission; c.a.4.ii storage; c.a.4.iii processing); c.a.5 security countermeasures (c.a.5.i technology; c.a.5.ii policy, procedures and practices; c.a.5.iii education, training and awareness)
c.b. Operations Security (OPSEC) (c.b.1 OPSEC process; c.b.2 INFOSEC and OPSEC interdependency; c.b.3 unclassified indicators; c.b.4 OPSEC surveys/OPSEC planning)
d.a. National Policy and Guidance (d.a.1. AIS security; d.a.2. communications security; d.a.3. protection of information; d.a.4. employee accountability for agency information)
d.b. Threats to and Vulnerabilities of Systems (d.b.1. definition of terms (e.g., threats, vulnerabilities, risk); d.b.2. major categories of threats (e.g., fraud, Hostile Intelligence Service (HOIS), malicious logic, hackers, environmental and technological hazards, disgruntled employees, careless employees, HUMINT, and monitoring); d.b.3. threat impact areas)
d.c. Legal Elements (d.c.1. fraud, waste and abuse)]
Readings: PP: Ch.1. FB: Ch.4 (pp.93-100). ES: Ch.1.
An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce (You will continue to read this during the semester)
Generally Accepted System Security Principles, International Information Security Foundation (1999)
February 3, 2004
Theme: Cryptography & Communications Security I
Topics: Encryption algorithms (substitution ciphers, transpositions), secure encryption algorithms, stream & block ciphers, Data Encryption Standard (DES), Advanced Encryption Standard (AES), symmetric and asymmetric (public key) encryption: RSA and El-Gamal encryption, key management, digital signatures, digital certificates: X.509 certificates, certificate management, establishment of trust in e-commerce.
[c.d. INFOSEC: c.d.1 cryptography (c.d.1.i strength (e.g., complexity, secrecy, characteristics of the key); c.d.1.ii encryption (e.g., point-to-point, network, link); c.d.1.iii key management (to include electronic key))
d.g. Concepts of Trust (d.g.1. policy; d.g.2. mechanism; d.g.3. assurance)
g.g. Cryptosecurity (g.g.1. encryption/decryption method, procedure, algorithm; g.g.2. cryptovariable or key; g.g.3. electronic key management system)
g.h. Key Management (g.h.1. identify and inventory COMSEC material; g.h.2. access, control and storage of COMSEC material; g.h.3. report COMSEC incidents; g.h.4. destruction procedures for COMSEC material; g.h.5. key management protocols (bundling, electronic key, over-the-air rekeying))]
Readings: PP: Ch.2.

Theme: Cryptography & Communications Security II
Topics: Continuation of previous week.
Readings: PP: Ch.2.

Theme: Program/Application Security
Readings: PP: Ch. 3. ES: Ch.7,8,9.
March 2, 2004
Topics: Memory & address protection, access controls and user authentication. Security policies, lattice models of access security: Bell-La Padula Model, Biba Integrity Model, Graham-Denning Model, Harrison-Ruzzo-Ullman results, security features of ordinary operating systems, Orange Book evaluation, Information Technology Security Evaluation Criteria (ITSEC).
Readings: PP: Ch.4, 5

March 9, 2004
Topics: Database integrity, confidentiality, availability, auditability, security vs. precision, direct & indirect attacks, controls for statistical inference attacks, multilevel databases & security, distributed databases & security.
Readings: PP: Ch.6.

March 16, 2004
Theme: Network Security
Topics: Threats, protocol flaws: impersonation, spoofing, session hijacking, message confidentiality tests, message integrity tests, web site defacement, denial of service, threats to active or mobile code, network security controls, firewalls, intrusion detection systems, secure e-mail.
Readings: PP: Ch.7.
March 23, 2004
Theme: Information Technology Risk Management & Protection/Security Measures
Topics: [d.e. Concepts of Risk Management (d.e.1. threat and vulnerability assessment; d.e.2. cost/benefit analysis of controls; d.e.3. implementation of cost-effective controls; d.e.4. consequences (e.g., corrective action, risk assessment); d.e.5. monitoring the efficiency and effectiveness of controls (e.g., unauthorized or inadvertent disclosure of information))
f.b. Risk Management (f.b.1. information identification; f.b.2. roles and responsibilities of all the players in the risk analysis process; f.b.3. risk analysis and/or vulnerability assessment components; f.b.4. risk analysis results evaluation; f.b.5. corrective actions; f.b.6. acceptance of risk (accreditation))
c.d. INFOSEC (c.d.2 transmission security; c.d.3 emanations security; c.d.4 physical, personnel and administrative security; c.d.5 computer security (c.d.5.i identification and authentication; c.d.5.ii access control; c.d.5.iii audit; c.d.5.iv object reuse))
d.h. Modes of Operation (d.h.1. dedicated; d.h.2. system-high; d.h.3. compartmented/partitioned; d.h.4. multilevel)
d.j. Facets of NSTISS (d.j.1. protection of areas; d.j.2. protection of equipment; d.j.3. protection of passwords; d.j.4. protection of files and data; d.j.5. protection against malicious logic; d.j.6. backup of data and files; d.j.7. protection of magnetic storage media; d.j.8. protection of voice communications; d.j.9. protection of data communications; d.j.10. protection of keying material)
g.a. Physical Security Measures (g.a.1. building construction; g.a.2. alarms; g.a.3. information systems centers; g.a.4. communications centers; g.a.5. shielding; g.a.6. cabling; g.a.7. filtered power; g.a.8. physical access control systems (key cards, locks and alarms); g.a.9. stand-alone systems and peripherals; g.a.10. environmental controls (humidity and air conditioning); g.a.11. fire safety controls; g.a.12. storage area controls; g.a.13. power controls (regulator, uninterruptible power supply (UPS), and emergency power-off switch); g.a.14. protected distributed systems)]
Readings: Generally Accepted Principles and Practices for Securing Information Technology Systems, by Marianne Swanson and Barbara Guttman, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce (September 1996)

March 30, 2004
Readings: ES: Ch.5,6.
Generally Accepted Principles and Practices for Securing Information Technology Systems, by Marianne Swanson and Barbara Guttman, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce (September 1996)
April 6, 2004
April 13, 2004
Theme: No Class (Spring Break)
April 20, 2004
Theme: Security planning, disaster planning
Topics: [f.a. Security Planning (f.a.1. directives and procedures for NSTISS policy; f.a.2. NSTISS program budget; f.a.3. NSTISS program evaluation; f.a.4. NSTISS training (content and audience definition))
f.d. Contingency Planning/Disaster Recovery (f.d.1. contingency plan components; f.d.2. agency response procedures and continuity of operations; f.d.3. team member responsibilities in responding to an emergency situation; f.d.4. guidelines for determining critical and essential workload; f.d.5. determination of backup requirements; f.d.6. development of procedures for off-site processing; f.d.7. development of plans for recovery actions after a disruptive event; f.d.8. emergency destruction procedures)]
April 27, 2004
Theme: FLOAT
Theme: Security planning, disaster planning
Topics: [g.f. Auditing and Monitoring (g.f.1. effectiveness of security programs; g.f.2. conducting security reviews; g.f.3. verification, validation, testing, and evaluation processes; g.f.4. monitoring systems for accuracy and abnormalities; g.f.5. investigation of security breaches; g.f.6. review of audit trails and logs; g.f.7. review of software design standards; g.f.8. review of accountability controls; g.f.9. privacy)]
Readings: Generally Accepted Principles and Practices for Securing Information Technology Systems, by Marianne Swanson and Barbara Guttman, National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce (September 1996)

May 11, 2004
Test & Term Paper Presentations