TRANSCRIPT
Part 2- An IT Auditing Framework
Foundations of System Controls
- Why does how our systems work matter? Why does how we manage our systems matter?
- How can systems harm a unit's ability to accomplish its goals?
- What are you hoping to obtain from these courses?
System Control's Foundation Blocks
- IT Dependent Manual Controls
- Application Controls (Automated)
- Job Scheduling and Management
- Application Security
- Network Security
- Change Management
- Data Security - Database
- Data Security - Operating System
- Physical Security
System Control Pyramid
Proposed Foundation Strategy (bottom of the pyramid to the top):
- Physical Security
- Data Security - Operating System
- Data Security - Database
- Change Management
- Network Security
- Application Security
- Job Scheduling and Management
- Application Controls (Automated)
- IT Dependent Manual Controls
High Level Control Framework
Pyramid layers (top to bottom):
- IT Dependent Manual Controls
- Application Controls (Automated)
- Application Security
- Change Management
- Data Security - Operating System
- Data Security - Database
- Network Security
IT General Controls (supporting base): Staffing, Workstation Configuration, Disaster Recovery, Equipment Management, Job Scheduling and Management, Physical Security
IT General Control Definition
- IT General Controls (ITGCs) provide assurance that IT-Dependent and Application Controls can be relied upon.
- They include controls over the IT environment, computer operations, access to applications and data (security), and program changes.
Strong ITGC Determination
Strong ITGCs combine Prevention and Detection Controls.
- Prevention controls stop inappropriate items from occurring: new user approval process, strong password controls, access termination process.
- Detection controls identify inappropriate items so that they can then be corrected: periodic access review.
- Not all textbook controls must be designed and operating effectively to address significant risks and provide a strong ITGC environment.
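As an added illustration of the detection side of that slide (not part of the original deck), the following Python script performs a periodic access review over constructed sample data: it compares an application's account export against an HR roster and an assumed list of approved roles, and flags the items a reviewer would want corrected, including accounts of terminated staff, logins after a termination date, roles not approved for the person's job, a segregation-of-duties conflict, and stale accounts. The data, role names and the conflict pair are all assumptions made up for the example.

```python
from datetime import date

# Constructed sample: HR roster, the authoritative list of who is employed and in which job.
HR_ROSTER = {
    "alice": {"status": "active", "role": "accounts_payable"},
    "bob": {"status": "terminated", "role": "accounts_payable", "term_date": date(2024, 1, 15)},
    "carol": {"status": "active", "role": "help_desk"},
}

# Constructed sample: accounts and entitlements exported from a finance application.
APP_ACCOUNTS = [
    {"user": "alice", "roles": {"ap_clerk"}, "last_login": date(2024, 3, 1)},
    {"user": "bob", "roles": {"ap_clerk"}, "last_login": date(2024, 2, 10)},
    {"user": "carol", "roles": {"ap_clerk", "ap_approver"}, "last_login": date(2024, 3, 2)},
    {"user": "svc_batch", "roles": {"admin"}, "last_login": date(2023, 6, 1)},
]

# Assumed approval matrix: application roles each HR job is allowed to hold.
APPROVED_ROLES = {"accounts_payable": {"ap_clerk"}, "help_desk": set()}
# Assumed segregation-of-duties rule: one person must not both enter and approve payments.
SOD_CONFLICTS = [{"ap_clerk", "ap_approver"}]


def review_access(accounts, roster, approved, sod_conflicts, as_of, stale_days=90):
    """Return (user, issue) findings for the reviewer; an empty list means the review is clean."""
    findings = []
    for acct in accounts:
        user, roles = acct["user"], acct["roles"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no HR record (orphaned or unregistered service account)"))
        elif person["status"] == "terminated":
            findings.append((user, "terminated user still has an account"))
            if acct["last_login"] > person["term_date"]:
                findings.append((user, "login after termination date"))
        else:
            extra = roles - approved.get(person["role"], set())
            if extra:
                findings.append((user, "roles not approved for job: " + ", ".join(sorted(extra))))
        for conflict in sod_conflicts:
            if conflict <= roles:
                findings.append((user, "segregation-of-duties conflict: " + ", ".join(sorted(conflict))))
        if (as_of - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login in {stale_days} days"))
    return findings


def run_sample_review():
    """Run the review over the constructed sample as of 2024-03-31."""
    return review_access(APP_ACCOUNTS, HR_ROSTER, APPROVED_ROLES, SOD_CONFLICTS, date(2024, 3, 31))


if __name__ == "__main__":
    for user, issue in run_sample_review():
        print(f"{user}: {issue}")
```

Each finding is evidence for the corresponding preventive control having failed (user approval, access termination), which is exactly what the detective control is there to surface.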
Business Process Controls
- Automated (Application) Controls
- IT Dependent Manual Controls
- (Purely) Manual Controls
Sufficient controls must act in concert.

ITGC Controls and the Application's House
Consider securing an application like a house.
ITGC Controls and the Application's House
- How does a front door protect your house?
- What are the key components?
How (My) Front Door Failed
- Burglar smashed the window on the door and accessed the dead bolt lever.
- Subsequently battered the door handle lock until the frame caved in.
How (Application's) Front Door Could Fail
- Internal hacker exploits a vulnerability in the Operating System.
- Vulnerability used to disable application controls.
- Hacker later uses a "brute force" attack to gain access via the network and embezzle from the University.
Compensating Control - Detection
- For my house: a camera.
- For a server: an intrusion monitor that watches OS activity.
Where Should an Audit Start
- Where do you believe an audit should start? What initial items should be confirmed?
IT in the Control Universe Summary
- Strong ITGCs provide assurance that effective system related controls may be relied upon.
- ITGCs build upon each other.
- Not all textbook controls are always required.
- ITGCs include both Preventative and Detective controls.
- System related controls include application (automated) and IT-dependent (system supported) controls.
- (Purely) Manual Controls do not require system review.
Future discussion items
1. Evaluating Code Change Management Processes
2. Evaluating Disaster Recovery Preparations
3. Evaluating Server Configurations/Security
4. Evaluating Network Concerns and Intrusion Risks
5. Evaluating Workstation Management
6. Evaluating Application Design, Controls, and Integration with the Business Processes
7. Evaluating IT strategies - Strategic vs. Tactical issues
8. Strategies used to build the overall IT audit plan for the department
9. Looking at IT governance frameworks - COBIT