Page 252 - COSO Guidance Book

2. Two-factor authentication. This requires a user to provide two different authentication factors in order to protect the user’s credentials and the resources the user can access. For example, the user might be required both to insert a bank card into an ATM and to enter a password in order to withdraw cash or to conduct other banking transactions. (This is a type of multifactor authentication that requires “something you have” in addition to “something you know” to access protected resources.)
3. RFID chips. This control requires a transponder chip containing identifying information to be implanted into a human. This chip is read by a radio-frequency identification (RFID) scanner and allows the person to access protected resources. RFID chips that have been inserted into Mexican prosecutors’ arms give them access to sensitive areas of their headquarters. This access control was implemented nearly two decades ago.²¹
   The use of RFID chips varies: at one company, employees purchase items from a vending machine by swiping a hand implanted with an RFID chip near a scanner attached to the vending machine. (RFID chips do not require the line of sight that barcode scanners do.)
4. Biometrics. This method of access uses a person’s unique physical attributes to permit access to protected resources. Laptops have long had the option to scan a fingerprint in order to log onto the operating system. More recently, users of laptops can implement facial recognition software to accomplish similar tasks. Some smartphones have the option of using fingerprint or thumbprint recognition to gain access to the smartphone’s features and data.
5. Security tokens. There are different types of tokens, all with the objective of authenticating users. One type of token is a physical device which displays a number generated by an algorithm. The number changes every 30 to 45 seconds. (An RSA token displays six digits.) The token is provided to the user by whomever the user wishes to connect with online (such as the user’s online bank). The user is required to provide an account number, password, and the number generated by the token to access the bank account.
   Assume a perpetrator has been able to infect a user’s computer with keylogging software. The user-entered account number, password, and token number are recorded by the keylogging software and transmitted to the perpetrator. By the time the perpetrator has obtained the user’s account number, password, and token number and attempts to access the user’s bank account, the token number will have changed and the perpetrator’s scheme will be foiled.
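The keylogger scenario above, and the “something you have” factor from item 2, worked through in code. This is an added example and not part of the guidance book: it uses the open time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) rather than the proprietary algorithm inside an RSA token, and the shared secret, clock skew allowance and timestamps are constructed for the demonstration. The bank-side verifier also refuses to accept a time step it has already accepted, which is the RFC 6238 recommendation and is what defeats a replay that arrives inside the same 30-second window.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the token and the bank's verifier (not a real key).
DEMO_SECRET = b"constructed-demo-secret-0123456789"
STEP_SECONDS = 30   # code lifetime, at the low end of the 30-45 second window described in the text
DIGITS = 6          # six-digit display, as the text describes for an RSA token


def counter_for(unix_time, step=STEP_SECONDS):
    """RFC 6238 time step: T = floor(unix_time / step)."""
    return int(unix_time // step)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """What the physical token displays at a given moment."""
    return hotp(secret, counter_for(unix_time, step), digits)


class Verifier:
    """Bank-side check. Accepts the current step plus `skew_steps` either side for clock drift,
    and never accepts a step at or before the last one it accepted, so a captured code cannot be
    replayed even inside its own window."""

    def __init__(self, secret, skew_steps=1):
        self.secret = secret
        self.skew = skew_steps
        self.last_accepted = -1   # highest time-step counter already used

    def verify(self, code, unix_time):
        now = counter_for(unix_time)
        for c in range(now - self.skew, now + self.skew + 1):
            if c <= self.last_accepted:
                continue   # this step was already consumed: reject replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_accepted = c
                return True
        return False


def keylogger_replay_scenario():
    """The scenario from the text with constructed timestamps.
    Returns (legitimate login accepted, replay five minutes later accepted,
             replay seconds later inside the same window accepted)."""
    verifier = Verifier(DEMO_SECRET)
    t_login = 1_700_000_000                     # constructed moment the user logs in
    captured = totp(DEMO_SECRET, t_login)       # the code the keylogger records and exfiltrates
    legitimate = verifier.verify(captured, t_login)
    replayed_later = verifier.verify(captured, t_login + 300)   # code has rolled over
    replayed_now = verifier.verify(captured, t_login + 5)       # same window, already consumed
    return legitimate, replayed_later, replayed_now


if __name__ == "__main__":
    print(keylogger_replay_scenario())   # (True, False, False)
```

The protection the text describes therefore rests on two verifier-side properties: the code expires with its time step, and an already-used step is not honoured a second time. The first alone leaves a window of up to 30 seconds (plus any skew allowance) in which a stolen code is still live, which is why the second check is part of the standard.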

6. Encryption. Sensitive data files, emails, text messages, and other electronic information (voicemail, etc.) should be encrypted as a safeguard to prevent perpetrators and others from obtaining confidential information.
7. Connectivity. Consider connecting to the internet only when needed to prevent unauthorized access to an IT device.
8. Backup. Files should be routinely backed up and not stored on the live operational system. The backup should be tested periodically to provide assurance that the entity’s backup policies are followed.
9. Security software. Security software should be installed on the IT system and IT devices. Security software can perform functions such as scanning email and files for viruses before they are downloaded.
10. Penetration tests. Some entities employ third parties to conduct penetration tests. A third party analyzes the IT system from the perspective of a hacker, with the goal of identifying weaknesses in the system that could be exploited and recommending controls to mitigate any identified exposures.






²¹ http://www.nbcnews.com/id/5439055/ns/technology_and_science-tech_and_gadgets/t/microchips-implanted-mexican-officials/#.XZKyDEZKg2w


© 2020 Association of International Certified Professional Accountants. All rights reserved. 5-18