Presentation is loading. Please wait.

Presentation is loading. Please wait.

EECS 4482 2015 David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance.

Published byTamsyn Whitehead Modified over 7 years ago

Similar presentations

Presentation on theme: "EECS 4482 2015 David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance."— Presentation transcript:

1 EECS 4482 2015 David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance

2 David Chan David.c.chan@ontario.ca EECS 4482 2015 David C. Chan2

3 3 What We Will Cover  Nature, types and use of information  System assurance criteria  System assurance responsibilities  System components  Types of systems

4 Enterprise Systems and ERPs  Enterprise systems: Integrate business processes and information from all of an organization’s functional areas. Helps coordinate the operation of business functions and provide a central information resource for the organization.  Enterprise Resource Planning (ERP) Systems: Software packages that can be used for the core systems necessary to support enterprise systems. EECS 4482 2015 David C. Chan4

5 Integrate Business Process Functionality When purchasing office equipment an enterprise system might:  Provide an electronic order form.  Apply business rules.  Route the order for approvals.  Send the order to a buyer.  Connect to the vendor.  Use data to receive goods, project funding requirements, compare to budget, and analyze vendor performance. EECS 4482 2015 David C. Chan5

6 6 Processing Modes  Batch, periodic update, easier to control but less efficient.  Online input but batch update  Online input and update, usually requires a database.

7 EECS 4482 2015 David C. Chan7 Information Ownership and Classification  Each information system and the information should be assigned to a senior manager to own  Owner accountable for information reliability including classifying information based on risk and affording the respective protection

8 EECS 4482 2015 David C. Chan8 Information Assurance  “Information assurance is the bedrock upon which enterprise decision-making is built. Without assurance, enterprises cannot feel certain that the information upon which they base their mission-critical decisions is reliable, confidential, secure and available when needed.” - Information Systems Audit and Control Association (ISACA)

9 EECS 4482 2015 David C. Chan9 System Assurance Criteria  Completeness  Authorization  Accuracy  Timeliness  Occurrence

10 EECS 4482 2015 David C. Chan10 Completeness  All transactions are recorded.  Accounting reports are complete.  Customer statements are complete.  Management information is complete.  Statutory reports are complete.  Applies to input, processing and output.

11 EECS 4482 2015 David C. Chan11 Authorization  Only authorized transactions are processed.  Reports are produced only for authorized users.  Proper authorization for access to information to ensure integrity and confidentiality.

12 EECS 4482 2015 David C. Chan12 Accuracy  Transactions are recorded accurately.  Reports are accurate.  Information in storage is maintained and checked regularly to ensure accuracy.

13 EECS 4482 2015 David C. Chan13 Timeliness  Transactions are recorded on a timely basis.  Reports are current.  Information in storage is regularly checked for currency.

14 EECS 4482 2015 David C. Chan14 Occurrence  Only real transactions are recorded.  Accounting balances reflect real assets, liabilities and equity.  Underlying assumptions can realistically occur, e.g., valuation.

15 EECS 4482 2015 David C. Chan15 Components of System  Infrastructure  Software  People  Procedures  Information

16 EECS 4482 2015 David C. Chan16 IT Infrastructure  Network  Hardware  Real estate

17 EECS 4482 2015 David C. Chan17 Software  System software e.g., operating system, database management system.  Application software.

18 EECS 4482 2015 David C. Chan18 People  Management  Systems developers (analysts and programmers)  Systems administrators who control servers and workstations.  Systems operations staff.  Users

19 EECS 4482 2015 David C. Chan19 IT Organization  Chief Information Officer  Systems development and maintenance  System operations  Quality assurance – may be part of systems development in a small organization  Security- may be part of operation in a small organization.

20 Information System Roles and Responsibilities  Chief information officer (CIO) – Oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives  Chief knowledge officer (CKO) - Responsible for collecting, maintaining, and distributing the organization’s knowledge  Chief privacy officer (CPO) – Responsible for ensuring the ethical and legal use of information EECS 4482 2015 David C. Chan20

21 Information Systems Roles and Responsibilities  Chief security officer (CSO) – Responsible for ensuring the safety of IT resources including data, hardware, software, and people  Chief technology officer (CTO) – Responsible for ensuring the throughput, speed, accuracy, availability, and reliability of IT 1-2 Learning Outcomes EECS 4482 2015 David C. Chan21

22 Management Responsibilities  Management includes executives and managers in business functions and corporate functions (like CFO).  Define information requirement  Assess significance of information  Take ownership of business and functional systems like enterprise resource planning system. EECS 4482 2015 David C. Chan22

23 Management Responsibilities  Design and implement internal controls (using staff who are control experts).  Review system information for reliability.  Define system reliability criteria in relation to business requirements.  Provide information assurance to senior executives. EECS 4482 2015 David C. Chan23

24 User Responsibilities  Control information under their custody in accordance with corporate policy and procedures.  Inform management of irregularities and exceptions.  Use information systems only for corporate purposes. EECS 4482 2015 David C. Chan24

25 EECS 4482 2015 David C. Chan25 Procedures  System operations procedures  User procedures

26 EECS 4482 2015 David C. Chan26 Information Ownership and Classification  Each information system and the information should be assigned to a senior manager to own  Owner accountable for information reliability including classifying information based on risk and affording the respective protection

27 Management Checklist  Assign business executives to own information systems and infrastructure.  Establish corporate policies and standards for information risk assessment.  Establish a process for periodic risk assessment, internal control formulation and internal control reporting to senior management and the board of directors. EECS 4482 2015 David C. Chan27

28 Management Checklist  Involve the board of directors in IT governance and ensure this is addressed at least twice a year in board meetings.  Establish a policy on the use of I & IT in the organization with respect to how to use IT as a business enabler and the approval process for IT investment. EECS 4482 2015 David C. Chan28

29 Management Checklist  Develop an IT strategy to be congruent with the business strategy. The IT strategy should consider the applicability of new technology.  Develop a process to continuously assess the cost effectiveness of IT applications.  Ensure that the job description and performance contract of each executive includes the appropriate I & IT assurance accountability. EECS 4482 2015 David C. Chan29

30 Management Checklist  Establish an IT steering committee consisting of a cross section of senior executives including the CIO to carry out IT governance. EECS 4482 2015 David C. Chan30

31 MC Question  Who is responsible for ensuring system reliability?  A. Management  B. Auditors  C. CIO  D. Chief risk officer EECS 4482 2015 David C. Chan31

32 MC Question  Which system component is most critical to ensure system availability?  A. Information  B. Infrastructure  C. People  D. Software  E. Procedures EECS 4482 2015 David C. Chan32

33 MC Question  Which reliability concern is increased in cloud computing? Completeness Accuracy Timeliness Authorization EECS 4482 2015 David C. Chan33

34 MC Question  What affects an IT strategy the most? A. Annual doubling of computing power B.Regulatory requirement C.Business strategy D. Systems development plan EECS 4482 2015 David C. Chan34

35 MC Question  Which is the most relevant pair? A. Quantum computing and big data B. CIO and CFO C. Privacy and accuracy D. Peyton Manning and Novak Djokovic EECS 4482 2015 David C. Chan35

Download ppt "EECS 4482 2015 David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance."

Similar presentations

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.

OPERATING EFFECTIVELY AT WESD. What is Internal Control? A process designed to provide reasonable assurance the organizations objectives are achieved.
Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,

Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
© Prentice Hall 2002 15.1 CHAPTER 15 Managing the IS Function.

© Prentice Hall CHAPTER 15 Managing the IS Function.
© Pearson Prentice Hall 2009

© Pearson Prentice Hall 2009
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
The Islamic University of Gaza

The Islamic University of Gaza
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
IT Governance and Management

IT Governance and Management
Principles of Information Systems, Seventh Edition2 An organization’s TPS must support the routine, day-to- day activities that occur in the normal course.

Principles of Information Systems, Seventh Edition2 An organization’s TPS must support the routine, day-to- day activities that occur in the normal course.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.

Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.
Chapter 10 Managing the Delivery of Information Services.

Chapter 10 Managing the Delivery of Information Services.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
1 Introduction Introduction to database systems Database Management Systems (DBMS) Type of Databases Database Design Database Design Considerations.

1 Introduction Introduction to database systems Database Management Systems (DBMS) Type of Databases Database Design Database Design Considerations.
Examine Quality Assurance/Quality Control Documentation

Examine Quality Assurance/Quality Control Documentation

Similar presentations

Ads by Google