Page 23 - CITP Review

such elements as the length of a password; how long it remains active before the user must change it;
and factors to strengthen the password.


Admin rights

The broadest access is reserved for admins (administrators), who can view and access any file or folder
contained in the O/S for the purposes of managing the O/S and correcting mistakes, flaws, and other minor
problems in files or folders. The admin role is usually also the one that assigns logical access credentials
to the O/S for all other personnel.

It is risky if too many users have admin rights, because each additional admin is another opportunity for
someone to make a mistake while using that access. In addition, a person who commits a fraud and has O/S
admin rights can delete files, access and change raw data, or perform other activities to hide the fraud or
destroy evidence.


Network level

The network level generally resides above the O/S and the applications and thus needs to provide adequate
access control over users. As with the operating system, access rights and administrative rights to the
network are critical aspects to control and are usually assessed at a relatively high IR. There is also a
concern for the risk of external unauthorized access.


Firewalls

Firewall controls address the three major points of the information security triangle: availability,
confidentiality, and integrity.

An effective firewall will provide for adequate

  availability of its services and functionality,
  confidentiality of the data it stores and processes, and
  integrity over the results produced as information.

Integrity and confidentiality are at risk from external hackers and, internally, from the entity's own
employees. Some hacker tools are aimed at bringing systems down (for example, denial of service), so
availability is also at risk from external or internal malicious attacks.

Firewall technology provides tools that can effectively reduce the risk of external unauthorized access
and other external risks. Firewalls usually have configurations that allow various settings to filter traffic
and establish connectivity rules. Thus, the CITP would be interested in examining the settings of the
firewall, whether it is implemented in hardware or software.

The types of firewalls include packet filtering firewalls, inspection firewalls, and proxy firewalls, the
last of which operate at the application layer. Wireless networks present additional risks because their
communications are easier to intercept than wired ones if not encrypted or otherwise protected.
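As an added illustration that is not part of the CITP Review text, the following Python models a packet filtering firewall with first-match rules and runs the kind of checks a reviewer would apply to its settings (a rule open to any source on an administrative port, a rule that can never fire because an earlier rule shadows it). The ruleset and addresses are constructed for the example.

```python
"""Packet filtering ruleset: first-match evaluation plus review checks (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # IPv4 CIDR or "any"
    dst: str              # IPv4 CIDR or "any"
    dport: Optional[int]  # destination port, None = any port

def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)
def matches(r, proto, src, dst, dport):
    return (r.proto in ("any", proto) and ip_address(src) in _net(r.src)
            and ip_address(dst) in _net(r.dst)
            and (r.dport is None or r.dport == dport))
def decide(rules, proto, src, dst, dport):
    """First matching rule wins; unmatched traffic falls to an implicit deny."""
    for r in rules:
        if matches(r, proto, src, dst, dport):
            return r.action
    return "deny"
def covers(a, b):
    """True if every packet rule b could match is already caught by rule a."""
    return (a.proto in ("any", b.proto) and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.dport is None or a.dport == b.dport))

ADMIN_PORTS = {22, 23, 3389}  # SSH, Telnet, RDP
def review(rules):
    """Settings a reviewer examining the firewall configuration would question."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.dst == "any" and r.dport is None:
            findings.append(f"rule {i}: allows any source to any destination on all ports")
        elif r.action == "allow" and r.src == "any" and r.dport in ADMIN_PORTS:
            findings.append(f"rule {i}: remote administration port {r.dport} open to any source")
        shadow = next((j for j, e in enumerate(rules[:i]) if covers(e, r)), None)
        if shadow is not None:  # the rule can never fire, so its intent is not enforced
            findings.append(f"rule {i}: never matches, fully shadowed by rule {shadow}")
    return findings

# Constructed ruleset: a public web service, an accidental world-open SSH rule, a catch-all
# deny for the DMZ, and an internal-only admin rule that the earlier rules make unreachable.
RULES = [Rule("allow", "tcp", "any", "10.0.0.0/24", 443),
         Rule("allow", "tcp", "any", "any", 22),
         Rule("deny", "any", "any", "10.0.0.0/24", None),
         Rule("allow", "tcp", "10.0.1.0/24", "10.0.0.0/24", 22)]
```

Running `review(RULES)` reports the world-open SSH rule and the shadowed admin rule, while `decide` shows that SSH from an outside address is in fact allowed despite the intent of the last rule.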

One problem with firewalls and threats or risks is that most malicious activity is actually perpetrated by
insiders, such as employees, contractors, and so on. After all, anyone inside the entity is generally treated


© 2019 Association of International Certified Professional Accountants. All rights reserved.    1-15