EECS 4482 (2015), David C. Chan. Computer Security Management, Session 1: How IT Affects Risks and Assurance.


What We Will Cover
• Nature, types and use of information
• System assurance criteria
• System assurance responsibilities
• System components
• Types of systems

Enterprise Systems and ERPs
• Enterprise systems integrate business processes and information from all of an organization's functional areas. They help coordinate the operation of business functions and provide a central information resource for the organization.
• Enterprise Resource Planning (ERP) systems are software packages that can be used for the core systems necessary to support enterprise systems.

Integrate Business Process Functionality
When purchasing office equipment, an enterprise system might:
• Provide an electronic order form.
• Apply business rules.
• Route the order for approvals.
• Send the order to a buyer.
• Connect to the vendor.
• Use the order data to receive goods, project funding requirements, compare against budget, and analyze vendor performance.

Processing Modes
• Batch: input is accumulated and the master files are updated periodically. Easier to control (each batch can be reconciled against control totals before and after the run) but less efficient, and stored data is stale between runs.
• Online input with batch update: transactions are captured and validated interactively but posted in a later batch run.
• Online input and update: each transaction is posted as it is entered. This usually requires a database management system with concurrency control, and the controls must operate on each transaction rather than on a batch.

Information Ownership and Classification
• Each information system, and the information it holds, should be assigned to a senior manager as its owner.
• The owner is accountable for the information's reliability, including classifying the information based on risk and affording it the corresponding protection.

Information Assurance
"Information assurance is the bedrock upon which enterprise decision-making is built. Without assurance, enterprises cannot feel certain that the information upon which they base their mission-critical decisions is reliable, confidential, secure and available when needed." - Information Systems Audit and Control Association (ISACA)

System Assurance Criteria
• Completeness
• Authorization
• Accuracy
• Timeliness
• Occurrence

Completeness
• All transactions are recorded.
• Accounting reports are complete.
• Customer statements are complete.
• Management information is complete.
• Statutory reports are complete.
• Applies to input, processing and output.

Authorization
• Only authorized transactions are processed.
• Reports are produced only for authorized users.
• Access to information is properly authorized, to ensure integrity and confidentiality.

Accuracy
• Transactions are recorded accurately.
• Reports are accurate.
• Information in storage is maintained and checked regularly to ensure accuracy.

Timeliness
• Transactions are recorded on a timely basis.
• Reports are current.
• Information in storage is regularly checked for currency.

Occurrence
• Only real transactions are recorded.
• Accounting balances reflect real assets, liabilities and equity.
• Underlying assumptions can realistically occur, e.g., valuation.
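As an added example (not from the slides), the five assurance criteria expressed as automated control checks run over a constructed batch of purchase-order records. The record fields, the approver list, the vendor master file, the control total and the 24-hour timeliness threshold are all assumptions made for illustration; the defects in the sample batch are planted deliberately so that each check finds something.

```python
"""Added example: control checks for the five system assurance criteria.

Not part of the original slides. Field names, the approver list, the vendor
master and the thresholds are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data: one day's purchase-order transactions as an
# application might export them for control review.
NOW = datetime(2015, 9, 14, 18, 0, tzinfo=timezone.utc)

APPROVERS = {"alice", "bob"}      # users authorized to approve orders (assumed)
VENDORS = {"V100", "V200"}        # vendor master file (assumed)
MAX_AGE = timedelta(hours=24)     # timeliness threshold for recording (assumed)

TRANSACTIONS = [
    {"seq": 1, "vendor": "V100", "qty": 3, "unit_price": 100.0, "total": 300.0,
     "approver": "alice", "recorded": NOW - timedelta(hours=2)},
    {"seq": 2, "vendor": "V200", "qty": 2, "unit_price": 50.0, "total": 100.0,
     "approver": "mallory", "recorded": NOW - timedelta(hours=3)},  # not an approver
    # seq 3 is missing from the export: a completeness gap
    {"seq": 4, "vendor": "V100", "qty": 5, "unit_price": 20.0, "total": 120.0,
     "approver": "bob", "recorded": NOW - timedelta(hours=1)},      # 5 * 20 != 120
    {"seq": 5, "vendor": "V999", "qty": 1, "unit_price": 10.0, "total": 10.0,
     "approver": "bob", "recorded": NOW - timedelta(days=3)},       # unknown vendor, stale
]
# Batch total reported by the sending system; it included the missing seq 3 (50.00).
CONTROL_TOTAL = 580.0


def check_completeness(txns, control_total):
    """All transactions recorded: no sequence gaps and batch total agrees."""
    seqs = sorted(t["seq"] for t in txns)
    present = set(seqs)
    findings = [f"missing sequence number {n}"
                for n in range(seqs[0], seqs[-1] + 1) if n not in present]
    batch_total = round(sum(t["total"] for t in txns), 2)
    if batch_total != control_total:
        findings.append(f"batch total {batch_total} != control total {control_total}")
    return findings


def check_authorization(txns, approvers):
    """Only transactions approved by an authorized user are processed."""
    return [f"seq {t['seq']}: approver {t['approver']!r} not authorized"
            for t in txns if t["approver"] not in approvers]


def check_accuracy(txns):
    """Recorded total must equal quantity times unit price."""
    return [f"seq {t['seq']}: qty*price {t['qty'] * t['unit_price']} != total {t['total']}"
            for t in txns if round(t["qty"] * t["unit_price"], 2) != t["total"]]


def check_timeliness(txns, now, max_age):
    """Transactions must be recorded within the allowed window."""
    return [f"seq {t['seq']}: recorded {now - t['recorded']} ago, exceeds {max_age}"
            for t in txns if now - t["recorded"] > max_age]


def check_occurrence(txns, vendors):
    """Only real transactions: the vendor must exist in the vendor master."""
    return [f"seq {t['seq']}: vendor {t['vendor']} not in vendor master"
            for t in txns if t["vendor"] not in vendors]


def run_controls(txns=TRANSACTIONS, control_total=CONTROL_TOTAL, now=NOW):
    """Run every check and return a mapping of criterion -> list of findings."""
    return {
        "completeness": check_completeness(txns, control_total),
        "authorization": check_authorization(txns, APPROVERS),
        "accuracy": check_accuracy(txns),
        "timeliness": check_timeliness(txns, now, MAX_AGE),
        "occurrence": check_occurrence(txns, VENDORS),
    }


if __name__ == "__main__":
    for criterion, findings in run_controls().items():
        print(f"{criterion}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Two points the slide lists do not make explicit: a control total alone would not reveal which record is missing, so the sequence-gap check and the total reconciliation complement each other; and a single record (seq 5) can fail several criteria at once, so findings are reported per criterion rather than per record.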

Components of a System
• Infrastructure
• Software
• People
• Procedures
• Information

IT Infrastructure
• Network
• Hardware
• Real estate (data centres and other facilities)

Software
• System software, e.g., operating system, database management system.
• Application software.

People
• Management
• Systems developers (analysts and programmers)
• Systems administrators, who control servers and workstations
• Systems operations staff
• Users

IT Organization
• Chief Information Officer
• Systems development and maintenance
• Systems operations
• Quality assurance (may be part of systems development in a small organization)
• Security (may be part of operations in a small organization)

Information System Roles and Responsibilities
• Chief information officer (CIO): oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives.
• Chief knowledge officer (CKO): responsible for collecting, maintaining, and distributing the organization's knowledge.
• Chief privacy officer (CPO): responsible for ensuring the ethical and legal use of information.

Information System Roles and Responsibilities (continued)
• Chief security officer (CSO): responsible for ensuring the safety of IT resources, including data, hardware, software, and people.
• Chief technology officer (CTO): responsible for ensuring the throughput, speed, accuracy, availability, and reliability of IT.

Management Responsibilities
Management includes executives and managers in business functions and corporate functions (such as the CFO).
• Define information requirements.
• Assess the significance of information.
• Take ownership of business and functional systems, such as the enterprise resource planning system.

Management Responsibilities (continued)
• Design and implement internal controls (using staff who are control experts).
• Review system information for reliability.
• Define system reliability criteria in relation to business requirements.
• Provide information assurance to senior executives.

User Responsibilities
• Control information under their custody in accordance with corporate policy and procedures.
• Inform management of irregularities and exceptions.
• Use information systems only for corporate purposes.

Procedures
• Systems operations procedures
• User procedures

Information
• See Information Ownership and Classification above: each system and its information is assigned to a senior manager as owner, who is accountable for its reliability and for classifying it based on risk.

Management Checklist
• Assign business executives to own information systems and infrastructure.
• Establish corporate policies and standards for information risk assessment.
• Establish a process for periodic risk assessment, internal control formulation, and internal control reporting to senior management and the board of directors.
• Involve the board of directors in IT governance and ensure it is addressed at least twice a year in board meetings.
• Establish a policy on the use of information and IT (I&IT) in the organization, covering how IT is to be used as a business enabler and the approval process for IT investment.
• Develop an IT strategy congruent with the business strategy. The IT strategy should consider the applicability of new technology.
• Develop a process to continuously assess the cost effectiveness of IT applications.
• Ensure that the job description and performance contract of each executive include the appropriate I&IT assurance accountability.
• Establish an IT steering committee, consisting of a cross section of senior executives including the CIO, to carry out IT governance.

MC Question
Who is responsible for ensuring system reliability?
A. Management
B. Auditors
C. CIO
D. Chief risk officer

MC Question
Which system component is most critical to ensure system availability?
A. Information
B. Infrastructure
C. People
D. Software
E. Procedures

MC Question
Which reliability concern is increased in cloud computing?
A. Completeness
B. Accuracy
C. Timeliness
D. Authorization

MC Question
What affects an IT strategy the most?
A. Annual doubling of computing power
B. Regulatory requirement
C. Business strategy
D. Systems development plan

MC Question
Which is the most relevant pair?
A. Quantum computing and big data
B. CIO and CFO
C. Privacy and accuracy
D. Peyton Manning and Novak Djokovic