
Chapter 16 IT Controls, Asset Protection, and Security.


1 Chapter 16 IT Controls, Asset Protection, and Security

2 Introduction
- Managers who own or use IT assets are responsible for securing them
- With interconnected enterprises (B2B), an intrusion at a partner may result in a business compromise locally
- Security is an integrated, continuous process that takes place at all levels

3 The Meaning and Importance of Control
- Control is a primary management responsibility
- Managers must have routine methods for comparing actual and planned performance
- “Planning and control are inseparable”
- IT controls are critical because other parts of the organization use computer-generated reports as the basis of their control activities

4 Why Controls Are Important to Managers
1. Control is a primary management responsibility
2. Uncontrolled events can be very damaging
3. The firm relies on IT for many control processes
4. U.S. law requires certain control measures in public corporations
5. Controls assist organizations in protecting assets
6. Technology introduction requires controlled processes

5 Business Control Principles
- The primary job of all managers is to take charge of the assets entrusted to them, capitalize on these assets to advance their part of the business, and grow, develop, or add value to them
- Managers entrusted with information assets must control and protect them
- Implementing business controls is an ethical responsibility

6 Asset Identification and Classification
- Managers must know what assets they own or control, and their value
- Tangible: physical assets such as routers, PCs, servers, and telephones
- Intangible: intellectual assets such as operating systems, databases, and applications
- Managers must inventory and value these items

7 Separation of Duties
- Several individuals are involved in transaction processing
- For fraud to occur, several individuals must work together (collude)
- Control can be made even more effective by routinely rotating the job duties for these transaction tasks
- Output must be validated against input
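As an added example that is not part of the chapter, the following check applies the two ideas on this slide to constructed transaction records: no single person may hold more than one processing stage of a transaction, and the amounts actually paid out (the output) are reconciled against what was entered (the input). The stage names, record layout and sample values are assumptions made for the illustration.

```python
# Added example (not from the chapter): separation-of-duties and
# input/output reconciliation checks over constructed transaction records.
from collections import Counter

# Constructed sample: each payment passes three stages (initiate, approve,
# release) that the separation-of-duties principle assigns to different people.
TRANSACTIONS = [
    {"id": "T1", "amount": 1200, "initiated_by": "alice", "approved_by": "bob",  "released_by": "carol"},
    {"id": "T2", "amount": 800,  "initiated_by": "dave",  "approved_by": "dave", "released_by": "erin"},
    {"id": "T3", "amount": 450,  "initiated_by": "frank", "approved_by": "gina", "released_by": "frank"},
]

# Constructed output register: what the downstream payment system actually paid.
OUTPUT_REGISTER = {"T1": 1200, "T2": 800, "T3": 540, "T4": 300}

STAGES = ("initiated_by", "approved_by", "released_by")


def sod_violations(transactions):
    """Return ids of transactions where one person performed more than one stage."""
    flagged = []
    for t in transactions:
        people = Counter(t[stage] for stage in STAGES)
        if any(count > 1 for count in people.values()):
            flagged.append(t["id"])
    return flagged


def reconcile(transactions, output_register):
    """Validate output against input.

    Returns {id: (input_amount, output_amount)} for every transaction whose
    paid amount differs from the entered amount, and for every output record
    that has no corresponding input (input_amount is None in that case).
    """
    mismatches = {}
    input_ids = {t["id"] for t in transactions}
    for t in transactions:
        paid = output_register.get(t["id"])
        if paid != t["amount"]:
            mismatches[t["id"]] = (t["amount"], paid)
    for tid, paid in output_register.items():
        if tid not in input_ids:
            mismatches[tid] = (None, paid)
    return mismatches


if __name__ == "__main__":
    print("SoD violations:", sod_violations(TRANSACTIONS))      # ['T2', 'T3']
    print("Reconciliation:", reconcile(TRANSACTIONS, OUTPUT_REGISTER))
```

T2 is flagged because one person both initiated and approved it, T3 because the initiator also released it; the reconciliation catches a changed amount (T3) and a payment with no originating transaction (T4).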

8 Efficiency and Effectiveness of Controls
- Controls are best when they are simple and easily understood
- They are most effective when they are part of the routine and produce action in a timely manner
- Control cost and overhead must be balanced against the risk and magnitude of loss
- Managers must analyze the application and use good judgment

9 Control Responsibilities
1. The application program owner (almost always a manager)
2. Application users (some applications have many)
3. The application’s programming manager
4. The individual providing the computing environment
5. The IT manager (in either the line or staff role)

10 Owner and User Responsibilities
- Owners are responsible for providing business direction for their applications; the owner:
  - authorizes the program’s use
  - classifies the associated data
  - stipulates program and data access controls
- Users are individuals or groups authorized by owners to use applications according to the owners’ specifications
- They are required to protect the data in accordance with the owners’ classification

11 IT Managers’ Responsibilities
- All IT managers have control responsibilities in conjunction with their operating responsibilities
- The responsibility for organizing and managing application development, maintenance, or enhancement resides with IT programming managers
- The supplier of computing services is responsible for providing the computing environment within which the application is processed

12 Application Controls
- Necessary to ensure that applications function properly on a regular basis
- These controls are most effective when they are built into the applications and generate documentation validating proper operation
- Automated and manual control mechanisms should be classified as confidential information
- The separation-of-duties principle applies to an application and its associated data handling

13 Application Processing Controls
- Application control and protection consist of two duties:
  - Ensuring that application programs perform according to management-established specifications
  - Maintaining program and data integrity
- To support these requirements, applications must have auditability features and control points built in

14 System Control Points
- Control points are locations in program or process flow where control exposures exist and where control actions and auditing activities can be performed
- Transaction origination is one of the most critical points
- It is a manual activity and can be subject to human error or fraud
- Online operations make the system more complex and require even greater controls

15 System Control Points

16 Control Actions at Transaction Origination

17 Input Data Controls

18 Processing, Storage, and Output Controls
- Operating systems and the applications themselves enhance the validation of program processing
- Program execution is accompanied by subroutines that validate that processing is complete and that program execution occurred correctly
- Application program source code and executables must be treated as classified information

19 Program Processing Controls

20 Data Output Handling

21 Application Program Audits
- An application system is auditable if the application owner can establish easily and with high confidence that the system continually performs its specified functions
- Auditable systems contain functions and features that let owners determine whether applications are processing data correctly
- Program testing that ensures auditability is vital
- Test data should be archived

22 Controls in Production Operations
- Well-disciplined production operations maintain sound control over performance objectives
- They ensure sufficient system capacity for application operations
- They allow batch and online processing to function as designed
- Accurate scheduling and rigorous online management provide controlled environments for application processing

23 Controls in Client/Server Operations
- Organizations that move applications from secured centralized systems to distributed systems must understand the different exposures and vulnerabilities
- Client/server systems and e-business systems have more points of vulnerability, so control and asset protection are more difficult
- Special effort must be taken to design in controls and to continuously assess the system’s vulnerabilities over time

24 Network Controls and Security
- Networks face passive threats and active threats
- Passive threats are attempts to monitor network data transmission in order to read messages or obtain information about network traffic
- Active threats are attempts to alter, destroy, or divert message data, or to pose as network nodes

25 Network Controls and Security
- Network managers must control system and data access and must secure data in transit
- The first step in controlling system access is physical security
- Rooms containing controllers, routers, or servers must be tightly secured

26 Network Controls and Security
- Managers must establish user identification and verification processes
- This usually means that users sign on to the system with a name followed by a password
- Some firms require “two-factor identification”
- The two factors are usually something you have (a token or smartcard) or something you are (a fingerprint), combined with something you know (a PIN)
- A two-factor system only erects higher barriers to entry; it does not remove the need for the other controls

27 Data Encryption
- It is often necessary to protect critical data in transit
- Before transmission, encryption programs use an algorithm and a key to change the message character stream into a different character stream
- When received, the algorithm and key decode or decipher the message
- Encryption changes the risk of data loss into the risk of key loss

28 Firewalls and Other Security Considerations
- A firewall is a specialized computer inserted between internal and external networks, through which all incoming and outgoing traffic must pass
- It is intended to screen incoming and outgoing messages and to prohibit any traffic deemed illegitimate
- Firewalls are only the first line of defense against external intrusion

29 Network Security Measures

30 Additional Control and Protection Measures
1. Only people who work in the data center should be allowed routine access to the facility
2. Data center workers must wear special badges that identify them on sight
3. Physical access should be controlled by electronic code locks rather than mechanical key locks; this simplifies key management and hastens key changes

31 Additional Control and Protection Measures
4. The identity and authorization of all visitors to the center must be validated, and they must sign in and out
5. Duties within the center should be separated so that operators who initiate or control programs cannot access data stores

32 Managing Sensitive Programs
- IT managers must, with help from other department managers, identify and maintain an inventory of these applications
- The owner must prescribe protection and security conditions covering storage, operation, and maintenance
- Program source code, load modules, and test data must be classified as sensitive information and protected accordingly
- Datasets must be protected as well

33 Controls for E-Business Applications
- Due to the integrated nature of e-business, security is a shared concern
- All the partners must have documented security policies, secure application development practices, and satisfactory access control and user authorization procedures
- Partners must establish encryption standards, develop responses to security breaches, and schedule compliance audits

34 Keys to Effective Control
- Managers must understand their control responsibilities and know:
  - The assets for which they are responsible
  - The value of those assets, and protect the assets accordingly
- Managers must be involved in the control processes
- Involvement must be timely and responsive
- Managers must follow through to ensure effectiveness

35 Summary
- No organization is safe from computer crime
- Business controls, asset protection, and security are fundamental to business operations
- Managers must know what their assets are and each asset’s estimated value
- Assets must be classified and protected in accordance with their relative worth
