Information Systems Controls for System Reliability -Information Security-
Accounting Information System Control
COSO’s Enterprise Risk Management – Integrated Framework
COBIT
Information for management
Effectiveness: Information must be relevant and timely.
Efficiency: Information must be produced in a cost-effective manner.
Confidentiality: Sensitive information must be protected from unauthorized disclosure.
Integrity: Information must be accurate, complete, and valid.
Availability: Information must be available whenever needed.
Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
Components of COSO’s ERM
Internal Environment: Encompasses the tone of an organization. Includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting: Objectives must exist before management can identify potential events affecting their achievement.
Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
Risk Response: Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication: Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Monitoring: Enterprise risk management is monitored and modifications are made as necessary.
Plan & Organise: Management develops plans to organize information resources to provide the information it needs.
Acquire & Implement: Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
Deliver & Support: Management ensures that the resulting system actually delivers the desired information.
Monitor & Evaluate: Management monitors and evaluates system performance against the established criteria.
The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.
Trust Service Framework
Security: Access to the system and its data is controlled and restricted to legitimate users.
Confidentiality: Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
Privacy: Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
Processing Integrity: Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability: The system and its information are available to meet operational and contractual obligations.
Security – Systems Reliability
Security is the foundation of the Trust Service Framework.
Security is a management issue, not a technology issue.
SOX Section 302: CEOs and CFOs must certify quarterly and annual financial statements.
Defense-in-depth and the time-based model of information security: have multiple layers of control.
Management’s Role
Create a security-aware culture.
Inventory and value company information resources.
Assess risk and select a risk response.
Develop and communicate security plans, policies, and procedures.
Acquire and deploy IT security resources.
Monitor and evaluate effectiveness.
Control Plans
Preventive Controls: stop problems from occurring. Ex. Programmed edits reject incorrect data as it is entered.
Detective Controls: discover that problems have occurred. Ex. Review and compare totals to determine if processing was carried out correctly.
Corrective Controls: rectify problems that have occurred. Ex. Erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data.
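The three control types above are easier to see when the three examples on the slide are wired together over one batch of transactions: programmed edits reject bad records at entry (preventive), control totals for the batch are compared against what was actually processed (detective), and an error and summary report drives the clerk's re-entry, which goes back through the same edits (corrective). The Python below is an added illustration, not code from the slides; the chart-of-accounts subset, the amount limit, the sample batch and its header totals are all constructed for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed chart-of-accounts subset and limit used by the edit checks.
VALID_ACCOUNTS = {"1000", "2000", "4000"}
MAX_AMOUNT = Decimal("100000.00")
REQUIRED_FIELDS = ("txn_id", "account", "amount", "txn_date")


def edit_check(rec):
    """Preventive control: programmed edits applied to one record at entry.
    Returns the list of reasons for rejection; an empty list means accepted."""
    errors = [f"missing field: {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if errors:
        return errors  # no point running the remaining edits on an incomplete record
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append(f"account {rec['account']} not in chart of accounts")
    try:
        amount = Decimal(rec["amount"])
        if not Decimal("0") < amount <= MAX_AMOUNT:
            errors.append(f"amount {amount} outside limit (0, {MAX_AMOUNT}]")
    except InvalidOperation:
        errors.append(f"amount {rec['amount']!r} is not numeric")
    try:
        date.fromisoformat(rec["txn_date"])
    except ValueError:
        errors.append(f"txn_date {rec['txn_date']!r} is not a valid date")
    return errors


def enter_batch(records):
    """Run the edit checks over a batch and split it into accepted and rejected."""
    accepted, rejected = [], []
    for rec in records:
        errors = edit_check(rec)
        (rejected.append((rec, errors)) if errors else accepted.append(rec))
    return accepted, rejected


def control_totals(records):
    """Record count and amount total, the figures prepared for a batch before entry."""
    return {
        "count": len(records),
        "amount_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
    }


def detective_check(accepted, expected):
    """Detective control: compare processed totals with the batch header totals."""
    actual = control_totals(accepted)
    return [f"{k}: expected {expected[k]}, processed {actual[k]}"
            for k in expected if actual[k] != expected[k]]


def error_and_summary_report(rejected, discrepancies):
    """The report a clerk works from: rejected records with reasons, plus discrepancies."""
    lines = [f"REJECTED {rec.get('txn_id', '?')}: {'; '.join(errs)}" for rec, errs in rejected]
    lines += [f"DISCREPANCY {d}" for d in discrepancies]
    return "\n".join(lines) if lines else "no exceptions"


def reenter(rejected, corrections):
    """Corrective control: corrected fields are re-entered and re-edited, never bypassed."""
    fixed = [{**rec, **corrections.get(rec.get("txn_id"), {})} for rec, _ in rejected]
    return enter_batch(fixed)


# Constructed batch: two clean records, one non-numeric amount, one unknown account.
SAMPLE_BATCH = [
    {"txn_id": "T1", "account": "1000", "amount": "500.00", "txn_date": "2024-03-01"},
    {"txn_id": "T2", "account": "2000", "amount": "250.00", "txn_date": "2024-03-01"},
    {"txn_id": "T3", "account": "4000", "amount": "abc", "txn_date": "2024-03-02"},
    {"txn_id": "T4", "account": "9999", "amount": "500.00", "txn_date": "2024-03-02"},
]
# Constructed batch header totals, prepared from the source documents before entry.
BATCH_HEADER = {"count": 4, "amount_total": Decimal("1550.00")}


def run_cycle(batch=SAMPLE_BATCH, header=BATCH_HEADER, corrections=None):
    """Preventive -> detective -> corrective pass over one batch.
    Returns (first report, accepted after re-entry, still rejected, final discrepancies)."""
    accepted, rejected = enter_batch(batch)
    report = error_and_summary_report(rejected, detective_check(accepted, header))
    if corrections:
        fixed, rejected = reenter(rejected, corrections)
        accepted = accepted + fixed
    return report, accepted, rejected, detective_check(accepted, header)


if __name__ == "__main__":
    fixes = {"T3": {"amount": "300.00"}, "T4": {"account": "4000"}}
    report, accepted, rejected, final = run_cycle(corrections=fixes)
    print(report)
    print("accepted after re-entry:", [r["txn_id"] for r in accepted])
    print("final discrepancies:", final or "none")
```

The detective check only works because the header totals are prepared independently of the entry process; if the totals were computed from the accepted records themselves they would always agree. Likewise, re-entered records pass through `edit_check` again, so the corrective step cannot become a bypass of the preventive one.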
Other Control Plans
Pervasive control plans relate to a multitude of goals and processes. They are broad in scope and apply equally to all business processes.
General controls (also known as IT general controls) are applied to all IT service activities.
Business process control plans are applied to a particular business process, such as billing or cash receipts.
Application controls are automated business process controls contained within IT application systems (i.e., computer programs).