EECS David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance
David Chan EECS David C. Chan2
3 What We Will Cover Nature, types and use of information System assurance criteria System assurance responsibilities System components Types of systems
Enterprise Systems and ERPs Enterprise systems: Integrate business processes and information from all of an organization’s functional areas. Helps coordinate the operation of business functions and provide a central information resource for the organization. Enterprise Resource Planning (ERP) Systems: Software packages that can be used for the core systems necessary to support enterprise systems. EECS David C. Chan4
Integrate Business Process Functionality When purchasing office equipment an enterprise system might: Provide an electronic order form. Apply business rules. Route the order for approvals. Send the order to a buyer. Connect to the vendor. Use data to receive goods, project funding requirements, compare to budget, and analyze vendor performance. EECS David C. Chan5
6 Processing Modes Batch, periodic update, easier to control but less efficient. Online input but batch update Online input and update, usually requires a database.
EECS David C. Chan7 Information Ownership and Classification Each information system and the information should be assigned to a senior manager to own Owner accountable for information reliability including classifying information based on risk and affording the respective protection
EECS David C. Chan8 Information Assurance “Information assurance is the bedrock upon which enterprise decision-making is built. Without assurance, enterprises cannot feel certain that the information upon which they base their mission-critical decisions is reliable, confidential, secure and available when needed.” - Information Systems Audit and Control Association (ISACA)
EECS David C. Chan9 System Assurance Criteria Completeness Authorization Accuracy Timeliness Occurrence
EECS David C. Chan10 Completeness All transactions are recorded. Accounting reports are complete. Customer statements are complete. Management information is complete. Statutory reports are complete. Applies to input, processing and output.
EECS David C. Chan11 Authorization Only authorized transactions are processed. Reports are produced only for authorized users. Proper authorization for access to information to ensure integrity and confidentiality.
EECS David C. Chan12 Accuracy Transactions are recorded accurately. Reports are accurate. Information in storage is maintained and checked regularly to ensure accuracy.
EECS David C. Chan13 Timeliness Transactions are recorded on a timely basis. Reports are current. Information in storage is regularly checked for currency.
EECS David C. Chan14 Occurrence Only real transactions are recorded. Accounting balances reflect real assets, liabilities and equity. Underlying assumptions can realistically occur, e.g., valuation.
EECS David C. Chan15 Components of System Infrastructure Software People Procedures Information
EECS David C. Chan16 IT Infrastructure Network Hardware Real estate
EECS David C. Chan17 Software System software e.g., operating system, database management system. Application software.
EECS David C. Chan18 People Management Systems developers (analysts and programmers) Systems administrators who control servers and workstations. Systems operations staff. Users
EECS David C. Chan19 IT Organization Chief Information Officer Systems development and maintenance System operations Quality assurance – may be part of systems development in a small organization Security- may be part of operation in a small organization.
Information System Roles and Responsibilities Chief information officer (CIO) – Oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives Chief knowledge officer (CKO) - Responsible for collecting, maintaining, and distributing the organization’s knowledge Chief privacy officer (CPO) – Responsible for ensuring the ethical and legal use of information EECS David C. Chan20
Information Systems Roles and Responsibilities Chief security officer (CSO) – Responsible for ensuring the safety of IT resources including data, hardware, software, and people Chief technology officer (CTO) – Responsible for ensuring the throughput, speed, accuracy, availability, and reliability of IT 1-2 Learning Outcomes EECS David C. Chan21
Management Responsibilities Management includes executives and managers in business functions and corporate functions (like CFO). Define information requirement Assess significance of information Take ownership of business and functional systems like enterprise resource planning system. EECS David C. Chan22
Management Responsibilities Design and implement internal controls (using staff who are control experts). Review system information for reliability. Define system reliability criteria in relation to business requirements. Provide information assurance to senior executives. EECS David C. Chan23
User Responsibilities Control information under their custody in accordance with corporate policy and procedures. Inform management of irregularities and exceptions. Use information systems only for corporate purposes. EECS David C. Chan24
EECS David C. Chan25 Procedures System operations procedures User procedures
EECS David C. Chan26 Information Ownership and Classification Each information system and the information should be assigned to a senior manager to own Owner accountable for information reliability including classifying information based on risk and affording the respective protection
Management Checklist Assign business executives to own information systems and infrastructure. Establish corporate policies and standards for information risk assessment. Establish a process for periodic risk assessment, internal control formulation and internal control reporting to senior management and the board of directors. EECS David C. Chan27
Management Checklist Involve the board of directors in IT governance and ensure this is addressed at least twice a year in board meetings. Establish a policy on the use of I & IT in the organization with respect to how to use IT as a business enabler and the approval process for IT investment. EECS David C. Chan28
Management Checklist Develop an IT strategy to be congruent with the business strategy. The IT strategy should consider the applicability of new technology. Develop a process to continuously assess the cost effectiveness of IT applications. Ensure that the job description and performance contract of each executive includes the appropriate I & IT assurance accountability. EECS David C. Chan29
Management Checklist Establish an IT steering committee consisting of a cross section of senior executives including the CIO to carry out IT governance. EECS David C. Chan30
MC Question Who is responsible for ensuring system reliability? A. Management B. Auditors C. CIO D. Chief risk officer EECS David C. Chan31
MC Question Which system component is most critical to ensure system availability? A. Information B. Infrastructure C. People D. Software E. Procedures EECS David C. Chan32
MC Question Which reliability concern is increased in cloud computing? Completeness Accuracy Timeliness Authorization EECS David C. Chan33
MC Question What affects an IT strategy the most? A. Annual doubling of computing power B.Regulatory requirement C.Business strategy D. Systems development plan EECS David C. Chan34
MC Question Which is the most relevant pair? A. Quantum computing and big data B. CIO and CFO C. Privacy and accuracy D. Peyton Manning and Novak Djokovic EECS David C. Chan35