ERM framework: management
sets strategies and objectives
structures business activities
identifies, assesses, and responds to risk
An event is an incident or occurrence, internal or external, that affects the implementation of strategy or the achievement of objectives.
Risk responses: reduce, accept, share, avoid
Control activities: design effective controls and monitor the operation and application of those controls.
Risk assessment and response: estimate likelihood and impact, identify controls, estimate costs and benefits.
Monitoring:
perform ERM evaluations
implement effective supervision
use responsibility accounting systems (budgets, schedules, etc.)
monitor system activities
track purchased software and mobile devices
conduct periodic audits
conduct analytical reviews
4/19/12
SOX requires the CEO and CFO to certify that the financial statements fairly present the company's results. The accuracy of an organization's financial statements depends on the reliability of its information systems, and information systems security is the foundation for that reliability.
COBIT groups the processes needed to properly manage and control IT resources into four basic management activities, or domains:
Plan and Organize (PO): properly designing and managing information systems
Acquire and Implement (AI): obtaining and installing technology solutions
Deliver and Support (DS): operating the systems effectively and efficiently and providing the information management requires
Monitor and Evaluate (ME): the processes essential for assessing the operation of an IT system
Plan and Organize processes:
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technology direction
PO4 define the IT processes, organization, and relationships
PO5 manage the IT investment
PO6 communicate management aims and direction
PO7 manage IT human resources
PO8 manage quality
PO9 assess and manage IT risks
PO10 manage projects
Holcim Example
Acquire and Implement processes:
AI1 identify automated solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology infrastructure
AI4 enable operations and use
AI5 procure IT resources
AI6 manage changes
AI7 install and accredit solutions and changes
Deliver and Support processes:
DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 manage service desk and incidents
DS9 manage the configuration
DS10 manage problems
Monitor and Evaluate processes:
ME1 monitor and evaluate IT performance
ME2 monitor and evaluate internal control
ME3 ensure compliance with external requirements
ME4 provide IT governance
COBIT information criteria (what the information produced by IT must satisfy):
Effectiveness: information must be relevant and timely
Efficiency: information must be produced cost-effectively
Confidentiality: sensitive information must be protected from unauthorized disclosure
Integrity: information must be accurate, complete, and valid
Availability: information must be available when needed
Compliance: controls must ensure compliance with external requirements
Three categories of controls:
Preventive controls
Detective controls: log analysis, intrusion detection software, security testing and audits, management reports
Corrective controls: computer incident response team (CIRT), chief information security officer (CISO), patch management
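Added example, not from the slides: what the "log analysis" detective control above looks like in practice. The script scans constructed sshd-style auth log lines for repeated failed logins from one source address inside a short window, the pattern of a password-guessing attack, and reports the sources that cross a threshold so someone can follow up. The sample log, the threshold and the window length are assumptions for illustration.

```python
"""Added example, not from the slides: a small log-analysis detective
control. It scans constructed sshd-style auth log lines for repeated
failed logins from one source address inside a short window and reports
the sources that cross a threshold. The sample log, the threshold and the
window length are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Linux auth.log format; not a real capture.
SAMPLE_LOG = """\
Apr 19 08:00:01 fin-app sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Apr 19 08:00:12 fin-app sshd[2107]: Failed password for root from 203.0.113.9 port 40011 ssh2
Apr 19 08:00:13 fin-app sshd[2107]: Failed password for root from 203.0.113.9 port 40012 ssh2
Apr 19 08:00:15 fin-app sshd[2108]: Failed password for admin from 203.0.113.9 port 40013 ssh2
Apr 19 08:00:16 fin-app sshd[2109]: Failed password for invalid user oracle from 203.0.113.9 port 40014 ssh2
Apr 19 08:00:18 fin-app sshd[2110]: Failed password for root from 203.0.113.9 port 40015 ssh2
Apr 19 08:03:40 fin-app sshd[2130]: Failed password for bob from 10.0.0.7 port 51100 ssh2
Apr 19 08:03:55 fin-app sshd[2131]: Accepted password for bob from 10.0.0.7 port 51101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(log_text, year=2012):
    """Return (timestamp, result, user, source) tuples for matching lines.
    Syslog timestamps carry no year, so one is supplied (assumed 2012 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # lines from other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source address.
    Returns {source: (failures_in_window, sorted distinct usernames tried)}
    for every source that reaches the threshold inside the window."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start until the window fits in window_seconds
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in fails[start:end + 1]})
                alerts[src] = (count, users)
    return alerts


if __name__ == "__main__":
    for src, (count, users) in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} failed logins, usernames tried: {users}")
```

The one source that fails five times in six seconds against three different accounts is flagged; the single failure from 10.0.0.7 followed by a success is normal user behaviour and stays quiet. A real deployment would feed the same logic from a SIEM and pair it with a corrective control (the CIRT, or automatic blocking), and would also watch for slow, distributed guessing that a per-source threshold like this one misses.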
Chapter 9 Encryption
Encryption is a preventive control that protects both confidentiality and privacy. Encryption transforms readable content, called plaintext, into unreadable ciphertext; decryption reverses the process.
Three factors determine the strength of an encryption system:
Key length: longer keys provide stronger encryption because the number of possible keys grows exponentially with every added bit, which makes brute-force guessing infeasible (repeated ciphertext blocks are avoided by the cipher's mode of operation, not by key length).
Encryption algorithm: the algorithm must be a well-vetted design that resists brute-force guessing and other attacks; home-grown or secret algorithms should not be trusted.
Key management policies: the keys are the most vulnerable part of the system, so they must be stored and handled very securely.
Cryptographic keys must be stored securely and protected with strong access controls. Best practices:
Do not store keys in a browser or in any other file that other users of the system can readily access.
Protect stored keys with a strong, long passphrase.
Organizations must also be able to decrypt data after the employee who encrypted it has left the organization. Two approaches:
Use software with a built-in master key that can decrypt anything encrypted under it.
Use key escrow: make copies of all encryption keys used by employees and store those copies securely; access to the escrow itself must be tightly restricted and logged.
Symmetric encryption: the same key is used to encrypt and decrypt (DES and AES are examples; DES's 56-bit key is now brute-forceable, so AES is the current choice).
Asymmetric encryption: different keys are used to encrypt and decrypt, a public key and a private key (RSA is an example; PGP is a program built on asymmetric and symmetric encryption together).
Symmetric encryption is faster, but every party must hold the same secret key, so distributing and protecting that key is its weak point.
Hashing: takes plaintext of any length and produces a short, fixed-length code called a hash. Hashing is one-way: the original document cannot be recreated from the hash. Good for verifying that the contents of a message have not been altered (recompute the hash and compare); use a current algorithm such as SHA-256 rather than MD5 or SHA-1.
Digital signatures
Nonrepudiation: how to create legally binding agreements that cannot be unilaterally repudiated by either party.
A digital signature uses hashing and asymmetric encryption together: the signer hashes the document and encrypts the hash with their private key. It provides proof that the document has not been altered and proof of who created it, since only the holder of the private key could have produced the signature.
Digital Certificates
An electronic document that contains an entity's public key and certifies the identity of the owner of that public key.
Issuing pairs of public and private keys and the corresponding digital certificates is the role of a public key infrastructure (PKI); the certificates are issued by a certificate authority.
Concurrent audit techniques continually monitor the system using embedded audit modules. Two of these techniques:
Integrated test facility (ITF): a fictitious division or entity is set up in the live system and test transactions are processed against it; these transactions are excluded from the corporate results.
Snapshot technique: selected transactions are tagged with a special code, and the system records them as they are processed so that internal audit can review them.
SDLC phases:
Systems Analysis: feasibility study and assessment of information needs
Conceptual Design: evaluate design alternatives and deliver conceptual design requirements
Physical Design: develop inputs, outputs, database, programs, procedures, and controls, and deliver the system
Implementation and Conversion: develop an implementation and conversion plan; install, train, test, convert, and deliver an operational system
Operations and Maintenance: post-implementation review, operate, modify, ongoing maintenance, and improve
The Players
Behavioral problems with new systems:
Aggression: behaviour that destroys, cripples, or weakens system effectiveness, such as increased error rates, disruptions, or sabotage.
Projection: blaming the new system for everything that goes wrong. These criticisms must be controlled and answered, or the system's integrity can be damaged or destroyed.
Preventing behavioral problems:
obtain management support
meet user needs
involve users: users who participate are more knowledgeable, better trained, and more committed
avoid emotionalism
re-examine performance evaluations to ensure they are congruent with the new system
keep communication lines open
test the system
control user expectations by being realistic when describing the merits of the system
Physical Design
The conceptual design is translated into detailed specifications that are used to code and test the computer programs. Hardware implementation and upgrades are part of this phase.
Systems Implementation
The implementation plan consists of the implementation tasks, expected completion dates, cost estimates, and who is responsible for each task. People must be hired or transferred to meet the business requirements.
Prepare systems development documentation, operations documentation, and user documentation.