Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Controls for System Reliability -Information Security-

Similar presentations

Presentation on theme: "Information Systems Controls for System Reliability -Information Security-"— Presentation transcript:

1 Information Systems Controls for System Reliability -Information Security-

2 Accounting Information System Control  COSO’s Enterprise Risk Management – Integrated Framework  COBIT

3 Information for management  Effectiveness  Information must be relevant and timely.  Efficiency  Information must be produced in a cost- effective manner.  Confidentiality  Sensitive information must be protected from unauthorized disclosure.  Integrity  Information must be accurate, complete, and valid.  Availability  Information must be available whenever needed.  Compliance  Controls must ensure compliance with internal policies and with external legal and regulatory requirements.  Reliability  Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

4 COSO’s Enterprise Risk Management – Integrated Framework

5 Components of COSO’s ERM Internal Environment Encompasses the tone of an organization. Includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objective Setting Objectives must exist before management can identify potential events affecting their achievement. Event Identification Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Risk Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.

6 Components of COSO’s ERM Risk Response Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite. Control Activities Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity. Monitoring Enterprise risk management is monitored and modifications are made as necessary.

7 COBIT Framework – Control Objectives

8 Plan & Organise Acquire & implement Deliver & Support Monitor & Evaluate Management develops plans to organize information resources to provide the information it needs. Management authorizes and oversees efforts to acquire (or build internally) the desired functionality. Management ensures that the resulting system actually delivers the desired information. Management monitors and evaluates system performance against the established criteria. Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

9 Trust Service Framework Security Access to the system and its data is controlled and restricted to legitimate users. Confidentiality Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure. Privacy Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. Processing Integrity Data are processed accurately, completely, in a timely manner, and only with proper authorization. Availability The system and its information are available to meet operational and contractual obligations.

10 Trust Service Framework

11 Security – Systems Reliability Foundation of the Trust Service Framework :  Management Issue, not a technology issue  SOX Section 302—CEOs and CFOs must certify quarterly and annual financial statements.  Defense-in-depth and the time-based model of information security  Have multiple layers of control

12 Management’s Role  Create security aware culture  Inventory and value company information resources  Assess risk, select risk response  Develop and communicate security:  Plans, policies, and procedures  Acquire and deploy IT security resources  Monitor and evaluate effectiveness

13 Control Plans Preventive Controls: stop problems from occurring. Ex. Programmed edits reject incorrect data as it is entered. Detective Controls: discover that problems have occurred. Ex. Review and compare totals to determine if processing was carried out correctly. Corrective Controls: rectify problems that have occurred. Ex. Erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data.

14 Other Control Plans Pervasive control plans relate to a multitude of goals and processes, They are broad in scope and apply equally to all business processes. General controls (also known as IT general controls) applied to all IT service activities. Business process control plans applied to a particular business process, such as billing or cash receipts. Application controls automated business process controls contained within IT application systems (i.e., computer programs).

15  Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall  Copyright © 2011 Cengage Learning. All Rights Reserved.

Download ppt "Information Systems Controls for System Reliability -Information Security-"

Similar presentations

Ads by Google