Information Systems Audit Program (cont.)

PHYSICAL SECURITY CONTROLS

Step 5 Assess the adequacy of physical security over the computer system hardware and storage media.

Step 6 Determine whether an adequately trained backup system security administrator has been designated.

Step 7 Assess the adequacy and effectiveness of the written business resumption plan, including the results of mock disaster tests that have been performed.
a. Assess the adequacy of backup procedures for system software and data. The procedures should include periodic backups as necessary (daily, weekly, monthly), off-site storage at a secure location, and rotation of backup media.
b. Verify that at least one alternative set of processes exists for each key assumption (transportation, communications, staffing, processing facilities, etc.).

Step 8 Assess the adequacy of insurance coverage over the hardware, operating system, application software, and data. Hardware should be covered at replacement cost. The costs of re-creating any lost software and data should be covered. Optimally, coverage should include lost revenues directly resulting from hardware failure and loss of the operating system, application software, and data during covered events.

LOGICAL SECURITY CONTROLS

Step 9 Determine whether the vendor-supplied default ("maiden") password for the system has been changed, and whether controls exist to change privileged passwords on a periodic basis in conformity with the computing system security policy, standards, or guidelines identified in Step 1.

Step 10 Observe the system security administrator sign on and print a list of current system users and their access capabilities. Alternatively, if you can obtain appropriate system access, you can obtain the list of users independently.

a. Assess the reasonableness of the access capabilities assigned to each user.
b. Confirm that user IDs of terminated employees are suspended in a timely manner.
c. Confirm that system access capabilities of transferred employees are adjusted accordingly.
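The reconciliation in Step 10 can be scripted once the user printout and the HR roster are in hand. The following is an added example, not code from the original audit program: it flags terminated employees whose IDs are still enabled (10b), transferred employees whose capabilities no longer fit their current department (10c), accounts with no HR record, and capability combinations that one person should not hold (10a, and the same test serves the segregation-of-duties question in Step 17). The user list, roster, allowed-capability map, conflict pairs, review date and 30-day suspension limit are all constructed assumptions.

```python
"""Reconcile the system's user list against the HR roster (audit Step 10).

Added example; it is not part of the original audit program. Both inputs
are constructed: SYSTEM_USERS stands in for the printout of current users
and capabilities, HR_ROSTER for the personnel file. ALLOWED (capabilities
each department may hold), CONFLICTS (capabilities one person must never
hold together), AS_OF and MAX_SUSPEND_DAYS are assumed values.
"""
from datetime import date

# Constructed printout: user ID -> enabled flag and assigned capabilities
SYSTEM_USERS = {
    "jdoe":   {"enabled": True,  "caps": {"ap.enter", "ap.approve"}},
    "asmith": {"enabled": True,  "caps": {"gl.post"}},
    "bjones": {"enabled": True,  "caps": {"dev.compile", "prod.execute"}},
    "clee":   {"enabled": False, "caps": {"gl.post"}},
    "svc01":  {"enabled": True,  "caps": {"prod.execute"}},
}

# Constructed HR roster: status, current department, date of the last
# change to the record (hire, transfer or termination)
HR_ROSTER = {
    "jdoe":   {"status": "active",     "dept": "AP",  "changed": date(2020, 1, 6)},
    "asmith": {"status": "terminated", "dept": "GL",  "changed": date(2023, 3, 1)},
    "bjones": {"status": "active",     "dept": "DEV", "changed": date(2021, 7, 1)},
    "clee":   {"status": "terminated", "dept": "GL",  "changed": date(2023, 4, 1)},
}

# Assumed policy: capabilities a department's staff may hold
ALLOWED = {"AP": {"ap.enter", "ap.approve"}, "GL": {"gl.post"}, "DEV": {"dev.compile"}}
# Assumed policy: capability pairs that one person must never hold together
CONFLICTS = [{"ap.enter", "ap.approve"}, {"dev.compile", "prod.execute"}]
MAX_SUSPEND_DAYS = 30          # assumed limit for suspending a terminated user's ID
AS_OF = date(2023, 5, 1)       # constructed date of the review


def reconcile(users, roster, as_of, allowed=ALLOWED, conflicts=CONFLICTS,
              max_days=MAX_SUSPEND_DAYS):
    """Return (user_id, finding) pairs, in user ID order."""
    findings = []
    for uid, rec in sorted(users.items()):
        hr = roster.get(uid)
        if hr is None:
            findings.append((uid, "no HR record: service or orphaned account, needs an owner"))
            continue
        if hr["status"] == "terminated":
            if rec["enabled"]:
                days = (as_of - hr["changed"]).days
                late = "exceeds" if days > max_days else "within"
                findings.append((uid, f"terminated {days} days ago, still enabled "
                                      f"({late} the {max_days}-day limit)"))
            continue  # a suspended terminated user is the expected state
        # Step 10a/10c: capabilities must fit the user's *current* department
        excess = rec["caps"] - allowed.get(hr["dept"], set())
        if excess:
            findings.append((uid, f"capabilities outside {hr['dept']} role: {sorted(excess)}"))
        # Step 10a: capabilities that must not be combined in one person
        for pair in conflicts:
            if pair <= rec["caps"]:
                findings.append((uid, f"conflicting capabilities held together: {sorted(pair)}"))
    return findings


if __name__ == "__main__":
    for uid, finding in reconcile(SYSTEM_USERS, HR_ROSTER, AS_OF):
        print(f"{uid:8} {finding}")
```

Note that `jdoe` passes the department check (accounts payable staff may hold either capability) and is still reported, because holding both entry and approval is the combination the conflict list forbids; the two checks answer different questions and both belong in the working papers.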

Step 11 Document and assess the reasonableness of the default system security parameter settings. The settings should conform to the organization’s computing system security policy, standards, or guidelines tested in Step 1. (Be alert to the fact that in some systems, individual user parameter settings override the default system security parameter settings.)
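The override caveat in Step 11 is the part most easily missed on paper, so here is an added example (not from the original audit program) that computes the settings actually in effect for each user by applying that user's overrides to the system defaults, then compares each against the policy thresholds. Parameter names, defaults, overrides and thresholds are all constructed.

```python
"""Effective security parameter settings per user (audit Step 11).

Added example; not part of the original audit program. The parameter
names, POLICY thresholds, system DEFAULTS and USER_OVERRIDES are all
constructed. It illustrates the caveat in Step 11: where a user record can
override the system-wide default, the auditor must judge the setting that
is actually in effect for each user, not the default alone.
"""

# Assumed policy: parameter -> (rule, required value).
# "min": effective value must be >= required; "max": must be <= required,
# and 0 (conventionally "never" / "disabled") never satisfies a "max" rule.
POLICY = {
    "min_password_length":   ("min", 12),
    "password_max_age_days": ("max", 90),
    "lockout_threshold":     ("max", 5),
    "session_timeout_min":   ("max", 15),
}

# Constructed system-wide defaults; these happen to meet POLICY
DEFAULTS = {
    "min_password_length": 12,
    "password_max_age_days": 90,
    "lockout_threshold": 5,
    "session_timeout_min": 15,
}

# Constructed per-user overrides as found in the user records
USER_OVERRIDES = {
    "jdoe":   {},
    "ops01":  {"session_timeout_min": 480},                          # operator console
    "oldadm": {"password_max_age_days": 0, "lockout_threshold": 0},  # 0 = never
}


def effective_settings(defaults, overrides):
    """Settings in force for one user: the defaults with the user's overrides applied."""
    merged = dict(defaults)
    merged.update(overrides)
    return merged


def violates(param, value, policy):
    """True when `value` is weaker than the policy requires for `param`."""
    rule, required = policy[param]
    if rule == "min":
        return value < required
    return value == 0 or value > required


def audit_parameters(defaults, user_overrides, policy):
    """Map each non-compliant user to {param: (effective value, required value)}.
    A user with no entry is compliant on every parameter in `policy`."""
    report = {}
    for uid, overrides in user_overrides.items():
        eff = effective_settings(defaults, overrides)
        bad = {p: (eff[p], policy[p][1]) for p in policy if violates(p, eff[p], policy)}
        if bad:
            report[uid] = bad
    return report


if __name__ == "__main__":
    for uid, bad in audit_parameters(DEFAULTS, USER_OVERRIDES, POLICY).items():
        for param, (have, need) in bad.items():
            print(f"{uid}: {param} = {have}, policy requires {need}")
```

Running it over a user list with an empty override for every user audits the defaults themselves; the same function therefore documents both halves of Step 11.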

Step 12 Test the functionality of the logical security controls of the system (e.g., password masking, minimum password length, password expiration, user ID suspended after successive invalid sign-on attempts, log-on times allowed, and session time-outs).

Step 13 Determine whether stored user passwords are kept as salted one-way hashes produced by a password hashing function, never in clear text or under reversible encryption, so that no one, including the system security administrator, can recover a user's password from the file. Confirm that the file itself is readable only by the authentication subsystem and not by ordinary users.
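Added example, not from the original audit program, of what a password store looks like when Step 13 is satisfied: each entry is a salted, iterated one-way hash, so an administrator who can read the file still cannot recover anyone's password, and the verification routine re-derives the hash rather than decrypting anything. The scheme uses the Python standard library's PBKDF2-HMAC-SHA256; the iteration count, salt size and record layout are this example's assumptions, the sample passwords are constructed, and the last function is the kind of per-entry check an auditor could run over an exported store.

```python
"""Password storage as audit Step 13 should require: salted one-way hashes.

Added example; not code from the original audit program. It uses the
standard library's PBKDF2-HMAC-SHA256. ITERATIONS and SALT_BYTES are
assumed values, the record layout is this example's own, and the sample
passwords are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumed; raise as far as the sign-on latency budget allows
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the value to store: scheme$iterations$salt$hash (hex fields).
    The password itself is never stored, so nothing in the file yields it back."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, non-hex, non-numeric
        return False


def record_is_acceptable(record: str, min_iterations: int = 100_000) -> bool:
    """Audit check for one stored entry: it must be in the one-way scheme above
    with an adequate work factor and a full-size salt. Clear text, or an opaque
    ciphertext that the administrator could decrypt, fails this check."""
    parts = record.split("$")
    try:
        return (len(parts) == 4 and parts[0] == SCHEME
                and int(parts[1]) >= min_iterations
                and len(bytes.fromhex(parts[2])) >= SALT_BYTES
                and len(bytes.fromhex(parts[3])) == 32)
    except ValueError:
        return False


if __name__ == "__main__":
    r1, r2 = make_record("correct horse"), make_record("correct horse")
    print(r1 != r2, verify("correct horse", r1), verify("Correct horse", r1))
```

Two records for the same password differ because each carries its own random salt, which is what defeats precomputed tables; the constant-time comparison in `verify` avoids leaking how many leading bytes of a guess matched.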

Step 14 Determine whether sensitive data, including passwords, are adequately encrypted throughout their life cycles, including during storage, transmission through any internal or external network or telecommunications devices, and duplication on any backup media.

Step 15 Assess the adequacy of procedures to review the log of system security-related events (e.g., successive invalid sign-on attempts, system restarts, changes to user access capabilities and user parameter settings).
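The following added example (not part of the original audit program) covers the log review of Step 15 and, at the same time, the lockout test of Step 12: it walks a constructed security event log, counts successive invalid sign-on attempts per user, checks that a lockout event follows once the threshold is reached, and lists access and parameter changes and restarts for the reviewer. The log layout and the threshold of five attempts are assumptions.

```python
"""Review of the security event log (audit Step 15), which also yields the
evidence for the lockout control tested under Step 12.

Added example; not part of the original audit program. LOG is constructed
in an assumed "timestamp user EVENT detail" layout; a real system's log
format differs and only parse() would change. LOCKOUT_THRESHOLD is an
assumed policy value.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # assumed: the ID must be suspended on the 5th invalid attempt

# Constructed sample log: one user recovers after two failures, one is locked
# out at the threshold, one exceeds the threshold and is never locked out.
LOG = """\
2024-03-04T08:01:12 jdoe LOGIN_FAIL bad password
2024-03-04T08:01:20 jdoe LOGIN_FAIL bad password
2024-03-04T08:01:31 jdoe LOGIN_OK -
2024-03-04T09:15:02 asmith LOGIN_FAIL bad password
2024-03-04T09:15:09 asmith LOGIN_FAIL bad password
2024-03-04T09:15:15 asmith LOGIN_FAIL bad password
2024-03-04T09:15:22 asmith LOGIN_FAIL bad password
2024-03-04T09:15:30 asmith LOGIN_FAIL bad password
2024-03-04T09:15:31 asmith LOCKOUT threshold reached
2024-03-04T10:00:00 secadm ACCESS_CHANGE bjones +prod.execute
2024-03-04T10:02:00 secadm PARAM_CHANGE ops01 session_timeout_min=480
2024-03-04T11:40:00 system RESTART operator requested
2024-03-04T12:00:01 mallory LOGIN_FAIL bad password
2024-03-04T12:00:04 mallory LOGIN_FAIL bad password
2024-03-04T12:00:07 mallory LOGIN_FAIL bad password
2024-03-04T12:00:10 mallory LOGIN_FAIL bad password
2024-03-04T12:00:13 mallory LOGIN_FAIL bad password
2024-03-04T12:00:16 mallory LOGIN_FAIL bad password
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>[A-Z_]+) (?P<detail>.*)$")


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]


def review(events, threshold=LOCKOUT_THRESHOLD):
    """Walk the events once and collect what the reviewer needs to see."""
    run = defaultdict(int)      # user -> consecutive invalid sign-ons so far
    unlocked = {}               # user -> failures reached with no LOCKOUT following
    locked, changes, restarts = [], [], []
    for ev in events:
        user, kind = ev["user"], ev["event"]
        if kind == "LOGIN_FAIL":
            run[user] += 1
            if run[user] >= threshold:   # the control should have fired by now
                unlocked[user] = run[user]
        elif kind == "LOGIN_OK":
            run[user] = 0                # a success resets the counter
        elif kind == "LOCKOUT":
            locked.append((ev["ts"], user, run[user]))  # run length shows if it fired late
            unlocked.pop(user, None)
            run[user] = 0
        elif kind in ("ACCESS_CHANGE", "PARAM_CHANGE"):
            changes.append((ev["ts"], user, kind, ev["detail"]))
        elif kind == "RESTART":
            restarts.append(ev["ts"])
    return {"locked_out": locked, "threshold_without_lockout": unlocked,
            "changes": changes, "restarts": restarts}


if __name__ == "__main__":
    for key, value in review(parse(LOG)).items():
        print(key, value)
```

The `threshold_without_lockout` entry is the Step 12 finding: a user reached the threshold and the system did not suspend the ID. The `changes` list is what Step 15 asks the reviewer to tie back to approved change requests, and the run length recorded with each lockout shows whether the control fired on the configured attempt or later.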

Step 16 Assess the adequacy of remote access controls (e.g., virtual private networks [VPNs], token devices [CRYPTOCard, SecurID, etc.] or other forms of multi-factor authentication, automatic dial-back for any remaining dial-up access, and transport layer security [TLS], which has replaced the deprecated secure sockets layer [SSL]).

INFORMATION SYSTEMS OPERATING CONTROLS

Step 17 Determine whether duties are adequately segregated in the operating areas supporting the information system (e.g., transactions should be authorized only by the originating department, programmers should not have the capability to execute production programs, procedures should be adequately documented, etc.).

Step 18 Determine whether there have been any significant software problems with the system. Assess the adequacy, timeliness, and documentation of resolution efforts.

Step 19 Assess the adequacy of controls that help ensure that IS operations are functioning in an efficient and effective manner to support the strategic objectives and business operations of the organization (e.g., system operators should be monitoring CPU processing and storage capacity utilization throughout each day to ensure that adequate reserve capacities exist at all times).