In this chapter, you studied in detail the various frameworks and standards for information assets, different access control parameters, and biometrics-related risks and controls. You learned the skills needed to conduct an audit in accordance with the IS audit standards and a risk-based IS audit strategy, and to evaluate the potential opportunities and threats associated with emerging technologies, regulations, and industry practices. The following are some important topics you covered in this chapter:

• Logical access controls are the most effective way to safeguard critical data within information processing facilities. Logical access controls are technical controls, such as authentication, encryption, firewalls, and IDSs, which are very difficult for a layperson to bypass.

• It is the responsibility of the appointed owner to ensure that their data and systems have appropriate security arrangements. System owners may delegate routine security responsibilities to a security administrator. However, it is the owners who remain accountable for the maintenance of appropriate security measures.

• It is the accountability and responsibility of the data owner to approve the access rights for the user. Once the user is approved, system administrators should then implement or update the user authorization tables.

• It is very important to ensure that the applicable data privacy laws are adhered to. For example, one of the privacy principles requires organizations to use client data only for the purpose for which it was collected. The IS auditor should ensure that consent has been obtained from clients before their data is used for promotional activities.

• A power line conditioner is a device intended to improve the quality of the power that is delivered to electrical equipment. It compensates for the peaks and valleys in the power supply. When the electrical supply is low, it provides its own power and maintains a constant voltage. Surge and spike devices help to protect against high-voltage power bursts. An alternative power supply medium (such as a power generator) is most effective when there is long-term power unavailability.

• The false acceptance rate (FAR) is the rate of acceptance of a false person (that is, an unauthorized person). If a biometric system allows access to an unauthorized person, this is referred to as false acceptance.

• The false rejection rate (FRR) is the rate of rejection of the correct person (that is, an authorized person). If a biometric system does not allow access to an authorized person, this is referred to as false rejection.

• The crossover error rate (CER) or equal error rate (EER) is the rate at which the FAR and FRR are equal. The biometric system with the lowest CER or EER is the most effective; the system with the highest CER or EER is the least effective.

In the next chapter, you will explore network-related aspects.