Risk Management Training-UCC
ISACA KAMPALA CHAPTER
30TH MAY 2012
AGUMA MPAIRWE
B.A. (HONS), CISA, CIA, FCCA
DEFINITIONS
KEY CONCEPTS
APPLICATIONS
KEY CONSIDERATIONS
POINTS TO NOTE
QUESTIONS
THIS PRESENTATION HAS BEEN PREPARED FOR
EDUCATIONAL PURPOSES.
ATTRIBUTION IS MADE TO PARTICULAR
SOURCES OF INFORMATION WHICH SHOULD
BE RE-CHECKED FOR COMPLETENESS AS
CONTENT MAY HAVE BEEN REDUCED FOR THE
SAKE OF BREVITY.
BIOMETRICS – AUTOMATED METHODS OF
DISCOVERING AN INDIVIDUAL BASED ON
MEASURABLE BIOLOGICAL AND BEHAVIOURAL
CHARACTERISTICS (SOURCE – BIOMETRICS.GOV)
BIOMETRIC CHARACTERISTIC – A
MEASURABLE PHYSIOLOGICAL OR
BEHAVIOURAL TRAIT OF A LIVING PERSON,
ESPECIALLY ONE THAT CAN BE USED TO
DETERMINE OR VERIFY THE IDENTITY OF A
PERSON IN ACCESS CONTROL OR CRIMINAL
FORENSICS. (SOURCE-GARTNER GLOSSARY)
“BIOMETRICS FOR IDENTIFICATION AND SCREENING TO
ENHANCE NATIONAL SECURITY,”
SIGNED BY PRESIDENT BUSH ON JUNE 5, 2008.
ESTABLISHES A FRAMEWORK TO ENSURE FEDERAL
DEPARTMENTS AND AGENCIES USE COMPATIBLE
METHODS AND PROCEDURES IN THE COLLECTION,
STORAGE, USE, ANALYSIS, AND SHARING OF BIOMETRIC
AND ASSOCIATED BIOGRAPHIC AND CONTEXTUAL
INFORMATION OF INDIVIDUALS IN A LAWFUL AND
APPROPRIATE MANNER, WHILE RESPECTING PRIVACY
AND OTHER LEGAL RIGHTS UNDER UNITED STATES LAW.
(SOURCE – BIOMETRICS.GOV)
GENERAL PHYSICAL ACCESS CONTROL –
OFFICES, FINGER,THUMB.
INTERNAL AFFAIRS – IMMIGRATION, AIRPORT –
IDENTIFICATION OF PASSPORTHOLDER –
FINGER/PALM/FACE BIOMETRIC RECOGNITION.
ELECTORAL COMMISSION – VOTER
REGISTRATION.
DRIVING PERMIT – DRIVER RECOGNITION.
VISA APPLICATION – UK VISA.
FINANCIAL SERVICES
CREDIT REFERENCE BUREAU – COMPUSCAN
MICROFINANCE
ATM – IN ADDITION TO ATM CARD/PIN
POINT OF SALES TERMINALS
MOBILE MONEY SERVICES - ENROLLMENT
AND IDENTIFICATION AT CASHOUT
CLAIM OF IDENTITY – STATEMENT THAT A
PERSON IS OR IS NOT THE SOURCE OF A
REFERENCE IN A DATABASE, CAN BE POSITIVE
(IN THE DATABASE), NEGATIVE (NOT IN THE
DATABASE) OR SPECIFIC (I AM USER 123).
COMPARISON – PROCESS OF COMPARING A
BIOMETRIC REFERENCE WITH A PREVIOUSLY
STORED REFERENCE TO MAKE AN
IDENTIFICATION OR VERIFICATION DECISION.
(SOURCE – BIOMETRICS.GOV)
ENROLLMENT – PROCESS OF COLLECTING A
BIOMETRIC SAMPLE FROM AN END USER,
CONVERTING IT INTO A BIOMETRIC
REFERENCE AND STORING IT IN THE
DATABASE FOR LATER COMPARISON.
EQUAL ERROR RATE (EER) – A STATISTIC USED
TO SHOW BIOMETRIC PERFORMANCE. THE
LOWER THE EER, THE HIGHER THE
ACCURACY OF THE SYSTEM.
(SOURCE – BIOMETRICS.GOV)
FAILURE TO ACQUIRE – FAILURE OF A
BIOMETRIC SYSTEM TO CAPTURE AND OR
EXTRACT USABLE INFORMATION FROM A
BIOMETRIC SAMPLE
FAILURE TO ENROL – FAILURE OF A
BIOMETRIC SYSTEM TO FORM A PROPER
ENROLLMENT REFERENCE FOR AN END USER
(TRAINING, SENSOR QUALITY).
(SOURCE – BIOMETRICS.GOV)
FALSE ACCEPTANCE RATE – THE PERCENTAGE
OF TIMES A SYSTEM PRODUCES A FALSE
ACCEPT – AN INDIVIDUAL IS INCORRECTLY
MATCHED TO ANOTHER INDIVIDUAL’S
EXISTING BIOMETRIC (TYPE II ERROR).
FALSE ALARM RATE – THE PERCENTAGE OF
TIMES AN ALARM IS INCORRECTLY SOUNDED
ON AN INDIVIDUAL WHO IS NOT IN THE
BIOMETRIC SYSTEM’S DATABASE
(SOURCE – BIOMETRICS.GOV)
FALSE REJECTION RATE – THE PERCENTAGE OF
TIMES THE SYSTEM PRODUCES A FALSE
REJECT. THIS OCCURS WHEN AN INDIVIDUAL
IS NOT MATCHED TO HIS/HER OWN EXISTING
BIOMETRIC TEMPLATE (TYPE I ERROR).
ALGORITHM – A LIMITED SEQUENCE OF
INSTRUCTIONS OR STEPS THAT TELLS A
COMPUTER HOW TO SOLVE A PARTICULAR
PROBLEM – IMAGE PROCESSING, TEMPLATE
GENERATION, COMPARISONS, ETC.
(SOURCE – BIOMETRICS.GOV)
VERIFICATION – A TASK WHERE BIOMETRIC SYSTEM
ATTEMPTS TO CONFIRM AN INDIVIDUAL’S IDENTITY
BY COMPARING A SUBMITTED SAMPLE TO ONE OR
MORE PREVIOUSLY ENROLLED TEMPLATES – USED
TO CONFIRM THAT THE INDIVIDUAL IS ENROLLED AND
HAS THE CLAIMED AUTHORISATIONS
AM I WHO I CLAIM I AM? – SYS ADMIN
IDENTIFICATION – A TASK WHERE A BIOMETRIC
SYSTEM ATTEMPTS TO DETERMINE THE IDENTITY
OF AN INDIVIDUAL, A BIOMETRIC IS COLLECTED
AND COMPARED TO ALL TEMPLATES IN THE
DATABASE – WHO AM I?
(SOURCES – MICHIGAN STATE UNIVERSITY ARTICLE, BIOMETRICS.GOV)
IDENTIFICATION: CAN BE
‘OPEN SET’ – PERSON NOT GUARANTEED TO
EXIST IN THE DATABASE
‘CLOSED SET’ – PERSON IS KNOWN TO EXIST
IN THE DATABASE
(SOURCE – BIOMETRICS.GOV)
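The distinction between a specific claim of identity checked 1:1 (verification) and a 1:N search of the whole database (identification), and between open-set and closed-set identification, is easiest to see in code. The following is an added example, not material from the presentation or from any of its sources. The template store, the feature vectors, the similarity measure (one minus the mean absolute feature difference) and the threshold values are all constructed for illustration; a real system extracts far richer features and uses a vendor-specific matcher.

```python
"""1:1 verification versus 1:N identification over a toy template store.

Added example, not from the presentation. Templates and samples are constructed
four-element feature vectors standing in for a real biometric template.
"""
from typing import Dict, List, Optional

# Constructed enrolled templates: user id -> stored biometric reference.
TEMPLATES: Dict[str, List[float]] = {
    "user123": [0.10, 0.80, 0.30, 0.55],
    "user456": [0.70, 0.20, 0.90, 0.10],
    "user789": [0.40, 0.40, 0.60, 0.85],
}

# Constructed probes: one genuine capture of user123 and one from a person
# who was never enrolled.
SAMPLE_USER123 = [0.12, 0.78, 0.32, 0.50]
SAMPLE_STRANGER = [0.50, 0.50, 0.10, 0.30]


def similarity(a: List[float], b: List[float]) -> float:
    """Similarity in [0, 1]: 1 minus the mean absolute feature difference (constructed matcher)."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def verify(claimed_id: str, sample: List[float],
           templates: Dict[str, List[float]], threshold: float) -> bool:
    """Verification answers 'am I who I claim I am?'.

    A specific claim of identity ("I am user123") is compared 1:1 against that
    user's stored template only; the rest of the database is never consulted.
    """
    reference = templates.get(claimed_id)
    if reference is None:
        return False  # unknown claimed identity: nothing to compare against
    return similarity(sample, reference) >= threshold


def identify(sample: List[float], templates: Dict[str, List[float]],
             threshold: Optional[float] = None) -> Optional[str]:
    """Identification answers 'who am I?' by comparing 1:N against every template.

    Closed set (threshold is None): the person is known to be enrolled, so the
    best match is returned unconditionally.
    Open set (threshold given): the person may not be in the database, so the
    best match is returned only if it clears the threshold, otherwise None.
    """
    best_id: Optional[str] = None
    best_score = -1.0
    for user_id, reference in templates.items():
        score = similarity(sample, reference)
        if score > best_score:
            best_id, best_score = user_id, score
    if threshold is not None and best_score < threshold:
        return None
    return best_id


if __name__ == "__main__":
    print("verify user123 :", verify("user123", SAMPLE_USER123, TEMPLATES, 0.9))
    print("verify user456 :", verify("user456", SAMPLE_USER123, TEMPLATES, 0.9))
    print("closed-set id  :", identify(SAMPLE_USER123, TEMPLATES))
    print("stranger closed:", identify(SAMPLE_STRANGER, TEMPLATES))
    print("stranger open  :", identify(SAMPLE_STRANGER, TEMPLATES, threshold=0.9))
```

The stranger case is the point of the open-set/closed-set split: a closed-set search always returns somebody (here the nearest enrolled user), so a closed-set matcher used on a population that is not guaranteed to be enrolled silently turns every stranger into a false match. Open-set identification adds the threshold that lets the system answer "nobody".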
FAILURE TO ENROLL RATE (FTER) = NUMBER
OF UNSUCCESSFUL ENROLLMENTS/TOTAL
NUMBER OF USERS ATTEMPTING TO ENROLL.
CROSS-OVER ERROR RATE (CER) – A MEASURE
REPRESENTING THE PERCENT AT WHICH FRR
EQUALS FAR. THIS IS THE POINT ON THE GRAPH
WHERE THE FAR AND FRR INTERSECT.
THE CROSS-OVER RATE INDICATES A SYSTEM WITH
GOOD BALANCE OVER SENSITIVITY AND
PERFORMANCE.
(SOURCE ISACA)
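The error rates defined above (FAR, FRR, EER/CER and FTER) are all functions of the decision threshold, and the trade-off is easiest to see by computing them. The following is an added example, not code from the presentation or its sources. The genuine and impostor score lists are constructed for illustration (higher score means the submitted sample looks more like the stored template); with a finite set of scores the FAR and FRR curves rarely meet at exactly one value, so the cross-over is reported as the threshold where they are closest and the EER as their mean there.

```python
"""FAR, FRR, EER/CER and FTER computed over constructed comparison scores.

Added example, not from the presentation. Scores are constructed.
"""
from typing import List, Tuple

# Constructed sample data. A genuine score compares a user's sample with that
# user's own template; an impostor score compares it with someone else's.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.70, 0.62, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.25, 0.31, 0.38, 0.42, 0.47, 0.53, 0.58, 0.66]


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """FAR (Type II error): share of impostor comparisons accepted at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """FRR (Type I error): share of genuine comparisons rejected at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: List[float], impostor: List[float],
                     steps: int = 1000) -> Tuple[float, float]:
    """Sweep the threshold from 0 to 1 and return (threshold, EER) at the
    cross-over point where FAR and FRR are closest. Raising the threshold
    lowers FAR and raises FRR; the cross-over summarises that trade-off."""
    best_t, best_gap, best_eer = 0.0, float("inf"), 1.0
    for i in range(steps + 1):
        t = i / steps
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_eer = t, gap, (far + frr) / 2
    return best_t, best_eer


def failure_to_enrol_rate(unsuccessful: int, attempting: int) -> float:
    """FTER = unsuccessful enrollments / total users attempting to enroll."""
    if attempting <= 0:
        raise ValueError("FTER is undefined without enrollment attempts")
    return unsuccessful / attempting


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.75):
        print(f"threshold {t:.2f}: FAR={false_accept_rate(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={false_reject_rate(GENUINE_SCORES, t):.2f}")
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"cross-over at threshold {t:.3f}, EER={eer:.2f}")
    print(f"FTER for 3 failures in 150 attempts: {failure_to_enrol_rate(3, 150):.3f}")
```

A system is tuned by choosing the operating threshold, not by the EER alone: an access control for a server room would sit to the right of the cross-over (low FAR, higher FRR, more retries for legitimate staff), while a convenience application would sit to the left. The EER is useful for comparing vendors because it removes the threshold from the comparison.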
AS A PHYSICAL ACCESS CONTROL
AS A MECHANISM FOR LOGICAL ACCESS
CONTROL
IN LOGICAL ACCESS CONTROL PART OF
IDENTIFICATION AND AUTHENTICATION
PROCESS
AUTHENTICATION, IN LOGICAL ACCESS CONTROL
SOFTWARE, IS ‘THE PROCESS OF PROVING ONE’S IDENTITY’
IDENTIFICATION – MEANS BY WHICH USER
PROVIDES CLAIMED IDENTITY
HELPS ESTABLISH USER ACCOUNTABILITY
FIRST LINE OF DEFENSE
SOURCE – CISA REVIEW MANUAL 2003
I & A IS A TECHNICAL MEASURE THAT PREVENTS
UNAUTHORISED PEOPLE (OR UNAUTHORISED
PROCESSES) FROM ENTERING A COMPUTER
SYSTEM
I & A TECHNIQUES:
SOMETHING YOU KNOW – PASSWORD, STATIC
PIN
SOMETHING YOU HAVE – TOKEN CARD, PIN
GENERATOR
SOMETHING YOU ARE – BIOMETRIC
CHARACTERISTIC
SOURCE –CISA REVIEW MANUAL 2003
PHYSIOLOGICAL & BEHAVIOURAL
FINGERPRINT
FINGERVEIN
PALM PRINT
HAND GEOMETRY
IRIS RECOGNITION
RETINA RECOGNITION
VOICE RECOGNITION
SIGNATURE RECOGNITION
FACE RECOGNITION
KEYSTROKE DYNAMICS
DNA? – DEBATED, AS NOT PERFORMED BY AN
‘AUTOMATED’ METHOD (SOURCE – BIOMETRICS.GOV)
GAIT? – IN DEVELOPMENT / PRACTICAL??
FINGERPRINT – ADVANTAGES
MULTIPLE FINGERS!
EASY TO USE
LOW STORAGE SPACE
LARGE EXISTING DATABASES GLOBALLY FOR
WATCHLIST CHECKS
PROVEN EFFECTIVE OVER TIME
DISADVANTAGES
PUBLIC PERCEPTIONS – CRIMINAL
CONNOTATIONS
HEALTH CONCERNS – EBOLA, BIRD FLU
AGE, OCCUPATION, WEIGHT GAIN, CUTS
(SOURCE – BIOMETRICS.GOV)
IRIS – ADVANTAGES
NO CONTACT REQUIRED
HIGHLY STABLE OVER TIME
DISADVANTAGES
DIFFICULT TO CAPTURE FOR SOME – TRAINING
NEEDED
EASILY OBSCURED – REFLECTIONS FROM
CORNEA, EYELIDS, EYELASHES
PUBLIC FEARS OF ‘SCANNING’ THE EYE WITH
LIGHT SOURCE – INFRARED LIGHT USED TO
ILLUMINATE IRIS (SOURCE – FINDBIOMETRICS.COM)
LIMITED EXISTING DATA FOR WATCHLIST
CHECKS
(SOURCE – BIOMETRICS.GOV)
FACE – ADVANTAGES
NO CONTACT
COMMONLY AVAILABLE SENSORS – CAMERA
LARGE AMOUNTS OF EXISTING DATA
EASY FOR HUMANS TO VERIFY RESULTS
DISADVANTAGES
OBSTRUCTION OF IMAGE BY HAIR, GLASSES,
HATS.
CHANGE OVER TIME
(SOURCE – BIOMETRICS.GOV)
VOICE – ADVANTAGES
PUBLIC ACCEPTANCE
NO CONTACT REQUIRED
SENSORS COMMON – TELEPHONES,
MICROPHONES
DISADVANTAGES
NOT SUFFICIENTLY DISTINCTIVE OVER LARGE
DATABASES
(SOURCE – BIOMETRICS.GOV)
UNIQUENESS
THE TWINS CHALLENGE
PERMANENCE
ITERATIVE AVERAGING PROCESS.
ACQUIRE BIOMETRIC SAMPLE (PHYSICAL
/BEHAVIOURAL).
EXTRACT UNIQUE FEATURES FROM SAMPLE
FEATURES CONVERTED INTO MATHEMATICAL
CODE
CREATION OF INITIAL ‘TEMPLATE’ – (DIGITAL
REPRESENTATION OF THE BIOMETRIC)
COMPARISON OF NEW SAMPLES WITH WHAT
HAS BEEN STORED
DEVELOPING FINAL TEMPLATE
ENCRYPTION
USED TO IDENTIFY USER
(e.g. FINGERPRINT LATENT V CONVENTIONAL – SOURCE NIST,
BIOMETRICS.GOV)
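The enrollment steps listed above (acquire samples, extract features into a mathematical code, create an initial template, compare new samples against it, develop the final template) are an iterative averaging process, and the following added example shows that process on constructed data. It is not code from the presentation or from NIST or biometrics.gov. Feature extraction is assumed to have already happened (each sample is a short feature vector), the distance measure and the drift limit for rejecting a bad capture are constructed, and the encryption step that follows template creation is outside the scope of the example.

```python
"""Enrollment by iterative averaging of feature vectors into a biometric template.

Added example, not from the presentation. Feature vectors are constructed.
"""
from typing import List, Optional

# Constructed enrollment captures: four reads of the same finger, each carrying a
# little sensor noise, already reduced to four-element feature vectors.
ENROLLMENT_SAMPLES = [
    [0.52, 0.31, 0.78, 0.44],
    [0.48, 0.35, 0.74, 0.40],
    [0.50, 0.29, 0.80, 0.46],
    [0.54, 0.33, 0.76, 0.42],
]
# A constructed bad capture (smudged or partial read) that should not be averaged in.
OUTLIER_SAMPLE = [0.90, 0.10, 0.20, 0.90]
# A constructed later capture used to check the finished template.
PROBE_SAMPLE = [0.50, 0.34, 0.75, 0.41]


def distance(a: List[float], b: List[float]) -> float:
    """Mean absolute feature difference (constructed comparison measure)."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def build_template(samples: List[List[float]],
                   max_drift: float = 0.1) -> Optional[List[float]]:
    """Iterative averaging: the first usable sample becomes the initial template,
    each further sample is compared with the current template and, if close
    enough, folded in with a running mean. Returns None on failure to enrol
    (no usable sample at all)."""
    if not samples:
        return None
    template = list(samples[0])  # initial template
    count = 1
    for sample in samples[1:]:
        if distance(sample, template) > max_drift:
            continue  # failure to acquire on this capture: skip it, do not average it in
        count += 1
        template = [t + (s - t) / count for t, s in zip(template, sample)]
    return template  # final template, ready to be encrypted and stored


if __name__ == "__main__":
    template = build_template(ENROLLMENT_SAMPLES + [OUTLIER_SAMPLE])
    print("final template      :", [round(v, 3) for v in template])
    print("probe vs template   :", round(distance(PROBE_SAMPLE, template), 4))
    print("probe vs 1st sample :", round(distance(PROBE_SAMPLE, ENROLLMENT_SAMPLES[0]), 4))
```

The averaged template sits closer to a fresh capture than any single enrollment read does, which is why enrollment takes several samples rather than one; the drift check is what keeps one bad capture from pulling the template away from the user it is meant to represent.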
SECURE ?
CONVENIENT ?
CANNOT BE STOLEN ?
CANNOT BE FORGOTTEN
DIFFICULT TO FORGE
(SOURCE SMARTCARDALLIANCE)
TEMPLATE SKIMMING
NOT ALWAYS ACCURATE – FARs / FRRs –
10% OF POPULATION HAVE
WORN/CUT/UNRECOGNISABLE
FINGERPRINTS!! – SOURCE BIOMETRIC NEWS PORTAL
BIOMETRIC FEATURES MAY ALTER OR DEGRADE
WITH AGE, DISEASE, WEIGHT GAIN
SECURITY RISKS - CAR THEFT!!
VOICE BIOMETRICS – BACKGROUND NOISE
STORAGE AND TRANSMISSION QUALITY LOSS
MULTIMODAL BIOMETRICS – USE OF MORE
THAN ONE BIOMETRIC IDENTIFIER FOR
INCREASED ACCURACY
COMBINATION OF BIOMETRICS WITH PINS
AND TOKENS
SMARTCARDS – ICC, MEMORY, STORAGE OF
BIOMETRIC TEMPLATES TO AVOID
VERIFICATION AT LONG DISTANCE HOST
(SOURCE – VARIOUS)
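Multimodal biometrics improve accuracy because two modalities rarely fail on the same comparison. The following added example (not code from the presentation or its sources) shows one common way of combining them, score-level fusion by weighted sum, on constructed fingerprint and face similarity scores. The scores, the equal weighting and the operating threshold are all assumptions chosen so that each modality alone makes errors at the threshold while the fused score does not; the same weighted-sum approach also applies to combining a biometric score with a PIN or token check, although those are usually treated as hard pass/fail gates rather than scores.

```python
"""Score-level fusion of two biometric modalities (multimodal biometrics).

Added example, not from the presentation. Scores are constructed and assumed
to be already normalised to a common 0..1 scale.
"""
from typing import Callable, Dict, List, Tuple

Score = Tuple[float, float]  # (fingerprint similarity, face similarity)

# Constructed comparisons: genuine = same person, impostor = different people.
GENUINE: List[Score] = [(0.85, 0.62), (0.55, 0.90), (0.80, 0.75),
                        (0.64, 0.66), (0.90, 0.50), (0.58, 0.85)]
IMPOSTOR: List[Score] = [(0.65, 0.30), (0.30, 0.62), (0.50, 0.45),
                         (0.61, 0.35), (0.35, 0.61), (0.45, 0.40)]


def fuse(scores: Score, w_finger: float = 0.5) -> float:
    """Weighted-sum fusion of the two modality scores (weights are an assumption)."""
    return w_finger * scores[0] + (1.0 - w_finger) * scores[1]


def error_counts(genuine: List[Score], impostor: List[Score], threshold: float,
                 pick: Callable[[Score], float]) -> Tuple[int, int]:
    """Return (false accepts, false rejects) at a threshold; pick() selects which
    score is used for the decision: one modality, or the fused score."""
    false_accepts = sum(1 for s in impostor if pick(s) >= threshold)
    false_rejects = sum(1 for s in genuine if pick(s) < threshold)
    return false_accepts, false_rejects


def compare_modalities(threshold: float = 0.6) -> Dict[str, Tuple[int, int]]:
    """Error counts for fingerprint alone, face alone, and the fused score."""
    return {
        "fingerprint": error_counts(GENUINE, IMPOSTOR, threshold, lambda s: s[0]),
        "face": error_counts(GENUINE, IMPOSTOR, threshold, lambda s: s[1]),
        "fused": error_counts(GENUINE, IMPOSTOR, threshold, fuse),
    }


if __name__ == "__main__":
    for name, (fa, fr) in compare_modalities().items():
        print(f"{name:12s} false accepts={fa} false rejects={fr}")
```

In practice the per-modality scores come from different matchers on different scales, so a normalisation step (min-max or z-score over a calibration set) precedes the weighted sum, and the weights are tuned from each modality's measured EER rather than set to 0.5 by hand.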
AUDIT CONTROLS IN MATCHING TEMPLATES
GENERATED TO OTHER DATA – CRIMINAL
RECORDS, FINANCIAL DEFAULT HISTORIES
IS AUDIT GUIDELINE ISACA G36
PRIVACY CONCERNS
INTRUSIVENESS OF DATA COLLECTION
HEALTH CONCERNS
SKILL OF SYSTEM USE BY STAFF
ROBUSTNESS OF TECHNOLOGY – RELIABLE
COST OF DEPLOYMENT
LEGISLATIVE AND REGULATORY COMPLIANCE
RESISTANCE TO CHANGE/USE
COST –BENEFIT CONSIDERATIONS
PRACTICALITY AND EFFICIENCY – AIRPORT
QUEUES, VOTING PROCESSES.
ACCURACY – FAR, FRR, EER
CULTURE – GLOBAL COMPANIES!
NON-CO-OPERATION, HEALTH CONCERNS
(SOURCE NIST, BIOMETRICS.GOV)
WILL IMAGES BE COMPACT ENOUGH FOR
EFFECTIVE TRANSMISSION ACROSS
NETWORKS WITHOUT DEGRADATION?
WILL IMAGES/TEMPLATES BE COMPACT
ENOUGH FOR STORAGE ON SMART CARD?
INTEROPERABILITY AND STANDARDISATION –
IMMIGRATION FACE CAMERA AND FINGER
PRINT CAPTURE TO SINGLE
APPLICATION/DEVICE
(SOURCE NIST)
INTEROPERABILITY – ACROSS GOVERNMENT
AGENCIES
PRIVACY CONCERNS
DATA SHARING - ACROSS JURISDICTIONS ?
LEGAL IMPLICATIONS ?
DATA STORAGE REQUIREMENTS
QUESTIONS?
CIO MAGAZINE – http://www.cio.com/article/573113/Using_Biometric_Access_Systems_Dos_and_Don_ts?page=3&taxonomyId=3092
BIOMETRICS.GOV – http://www.biometrics.gov/
CISA REVIEW MANUAL (2003). INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION.
GARTNER IT GLOSSARY – http://www.gartner.com/it-glossary/biometrics/
MULTIMODAL BIOMETRICS – BIOMETRIC NEWS PORTAL – http://www.biometricnewsportal.com/multimodal-biometrics.asp
NEW NIST BIOMETRIC DATA STANDARD ADDS DNA, FOOTMARKS AND ENHANCED FINGERPRINT DESCRIPTIONS – http://www.nist.gov/itl/iad/biometric-120611.cfm
SMART CARDS AND BIOMETRICS – SMART CARD ALLIANCE – http://www.smartcardalliance.org/pages/publications-smart-cards-andbiometrics
IRIS SCANNERS AND RECOGNITION – http://www.findbiometrics.com/irisrecognition/
AN OVERVIEW OF BIOMETRIC RECOGNITION – http://biometrics.cse.msu.edu/info.html
ISACA AUDIT GUIDELINE 36 – BIOMETRICS – http://www.isaca.org/KnowledgeCenter/Standards/Pages/IS-Auditing-Guideline-G36-BiometricControls.aspx