The World of Access Controls


The World of Access Controls
Kevin Savoy, MBA, CPA, CISA, CISSP, Director of Information Technology Audits

Risk
Business Risk: “The potential that a given threat will exploit vulnerabilities of an asset to cause a loss or damage to an asset.”

Controls
Controls: “The policies, practices and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”

Layers Where IT Controls Exist
Application (this is where YOU come in)
Database (Oracle admin level)
Operating System (Unix, Windows)
Network (routers, firewalls, switches)

Application Controls
Program Integrity (change control)
Edit Checks
Data Reconciliations
ACCESS CONTROLS

Most Intrusions
Statistics continue to show that most unauthorized access to data comes from within an organization. You would not know this fact from the press that hackers receive. Therefore your responsibility for ACCESS CONTROLS within applications (Finance, Student System, HR and other supporting systems) is critical.

Access Controls
Consist of two parts:
Authentication (is a user who they say they are?)
Authorization (what can they do once they “are in”?)

Authorization
YOU are the gatekeeper to UVA data.
Access should be based on the “least amount of access needed to perform a job function”.
A user should not be allowed to hold conflicting access. For instance, a user should not be allowed to both record and approve payments without oversight.
The person granting access should be knowledgeable of the individual’s need for data access (this can be personal knowledge at the lowest levels and trust of supervisors at the higher levels of approval).

Authorization
Users should not be able to accumulate access as they move to different departments; all access should be terminated and reapplied for.
User access should be reviewed periodically to determine whether it is still needed.
A standard approach should be taken AND documented.
Access should be removed immediately upon termination or change of position, except within the same department.
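The authorization rules on the two slides above, expressed as a small entitlement registry. This is an added example, not code from the presentation or from UVA's systems; the entitlement names, the "record vs. approve payment" conflicting pair and the 90-day review interval are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed segregation-of-duties rule: a user may record payments or
# approve them, never both (the example given on the slide).
CONFLICTING = {frozenset({"record_payment", "approve_payment"})}


class AccessRegistry:
    """Tracks who holds which entitlement, in which department, since when."""

    def __init__(self):
        self._grants = {}  # user -> {entitlement: (approver, date granted)}
        self._dept = {}    # user -> current department

    def grant(self, user, entitlement, department, approver, when=None):
        """Grant one entitlement; refuse it if it would create conflicting access."""
        when = when or date.today()
        held = self._grants.setdefault(user, {})
        self._dept.setdefault(user, department)
        if self._dept[user] != department:
            return False  # cross-department access: the user must transfer first
        for pair in CONFLICTING:
            if entitlement in pair and (pair - {entitlement}) & set(held):
                return False  # would let one person both record and approve
        held[entitlement] = (approver, when)  # who approved is part of the record
        return True

    def transfer(self, user, new_department):
        """Changing department terminates all access; it must be reapplied for."""
        self._dept[user] = new_department
        self._grants[user] = {}

    def terminate(self, user):
        """Leaving the organization removes every grant immediately."""
        self._grants.pop(user, None)
        self._dept.pop(user, None)

    def is_authorized(self, user, entitlement):
        # Least privilege: deny by default, no record means no access.
        return entitlement in self._grants.get(user, {})

    def due_for_review(self, today, max_age_days=90):
        """(user, entitlement) pairs older than the periodic review interval."""
        cutoff = today - timedelta(days=max_age_days)
        return sorted(
            (u, e) for u, held in self._grants.items()
            for e, (_, granted) in held.items() if granted <= cutoff
        )
```

The periodic review the slide calls for is the `due_for_review` list handed to the data owner, who either re-approves or revokes each entry.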

ESHARP… Audit was involved and believes automating access requests should make your job easier and more secure. Audit will continue to spot check Access Control procedures, validity of access granted, and approvals during regular audits.

Questions??? Kevin Savoy - savoy@virginia.edu