Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part 2- An IT Auditing Framework

Published byKory Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "Part 2- An IT Auditing Framework"— Presentation transcript:

1 Part 2- An IT Auditing Framework
* 07/16/96 Part 2- An IT Auditing Framework Why do how our systems work matter? Why do how we manage our systems matter? How can systems harm a unit’s ability to accomplish its goals? *

2 What are you hoping to obtain from these courses?
Intro questions What skills are you seeking for completing audits? What skills are you seeking to further your understanding and/or help your career? Example: Familiarize all auditors with general IT Audit concepts and audit steps Enable general auditors to feel more comfortable with IT and IT Audit terminology to provide future audit and career opportunities Show correlation between IT audit steps and the use of IT Template bridge

3 Foundations of System Controls
Lego Blocks Introduction Groups build what they believe is the proper structural sound foundation for controls

4 System Control’s Foundation Blocks
IT Dependent Manual Controls Application Controls (Automated) Job Scheduling and Management Application Security Network Security Change Management Data Security - Database Operating System Physical Security Lego Blocks Introduction Blocks are jumbled with labels. Groups build what they believe is the proper structural sound foundation for controls

5 Proposed Foundation Strategy
IT Dependent Manual Controls Application Controls (Automated) Job Scheduling and Management Application Security Network Security Change Management Data Security - Database Operating System Physical Security Note Physical Security and Network Security argument may be inverted. There is not a single “correct” answer -With movement to cloud technology Network Security may be shifting to the key stone position in our infrastructure -Each block ties to a component of the IT Bridge

6 System Control Pyramid
Network Security Data Security - Database Operating System Change Management Application Security IT Dependent Manual Controls Application Controls (Automated) Staffing Workstation Configuration Disaster Recovery Equipment Management IT General Controls Job Scheduling and Management Physical Security See each foundational control as stacking. Creates Control Dependency Difficulty exists on how to breakdown IT Environment controls (yellow) as they touch/support all ITGCs but are not exactly part of the control foundation

7 High Level Control Framework
Framework provides higher level view of the relationship between business process and IT controls Note that the blue section ties to the area below the line on the above pyramid Note the green section ties to application controls and IT Dependent controls above the ITGC line in the above pyramid

8 IT General Control Definition
* 07/16/96 IT General Control Definition IT General Controls (ITGCs) - Provide assurance that IT-Dependent and Application Controls can be relied upon Include controls over the IT environment, computer operations, access to applications and data (security), and program changes Note most of IT bridge is to cover system ITGCs *

9 Strong ITGC -Prevention and Detection Controls
* Strong ITGC -Prevention and Detection Controls 07/16/96 Prevention controls stop inappropriate items from occurring New user approval process Strong password controls Access termination process Detection controls identify inappropriate items that can then be corrected Periodic Access Review *

10 Strong ITGC Determination
Not all textbook controls must be designed and operating effectively to address significant risks and provide a strong ITGC environment In previous slide if a weak termination process existed this could be compensated for by a frequent strong periodic review. However strong new user, password, and other preventative ITGCs would still be required or require other compensating controls if applicable

11 Business Process Controls
Automated (Application) Controls IT Dependent Manual Controls (Purely) Manual Control Ask for Automated control , IT Dependent Controls then Purely Manual Control examples. Draw Conclusions on the controls Note determination of strong business process controls same as ITGCs – not all required and sometimes overlap can occur

12 ITGC Controls and the Application's House
* ITGC Controls and the Application's House 07/16/96 Sufficient Controls must act in concert Consider securing an application like a house *

13 ITGC Controls and the Application’s House
* ITGC Controls and the Application’s House 07/16/96 How does a front door protect your house? What are the Key Components? Door Frame Door Door Hinges Door Handle Dead Bolt Door Handle Lock *

14 ITGC Controls and the Application's House
House = Application with business processes Door Frame = Physical - Network Door = Data Security - Operating Systems and Database Door Hinges = Job Scheduling Management Door Handle/Metal Casing = Application Security Dead Bolt = Application Controls Door Handle Lock = IT Dependent Manual Controls Tool Box = Code Change Management

15 How (My) Front Door Failed
* 07/16/96 How (My) Front Door Failed Burglar smashed the window on the door and accessed the dead bolt lever Subsequently battered the door handle lock until the frame caved in *

16 How (Application’s) Front Door Could Fail
* 07/16/96 How (Application’s) Front Door Could Fail Internal hacker exploits a vulnerability in the Operating System Vulnerability used to disable application controls Hacker later uses a “brute force” attack to gain access via the network and embezzle from the University *

17 Compensating Control - Detection
For my house’s – A camera For a server –Intrusion monitor that monitors OS activity OS activity monitoring = intrusion monitoring Neither of these controls prevent a breach. They only detect the breech so that the issue can be resolved. Monitoring Camera was added to my living room with inappropriate activity alerts Similar monitoring of Operating System activity could be implemented and reviewed by management

18 Where Should an Audit Start
Where do you believe an audit should start? What initial items should be confirmed? Application or IT Dependent controls must first be identified to confirm further review of IT general controls should occur.

19 IT in the Control Universe Summary
* 07/16/96 IT in the Control Universe Summary Strong ITGCs provide assurance that effective system related controls may be relied upon ITGCs build upon each other Not all textbook controls are always required ITGCs include both Preventative and Detective controls System related controls include application (automated) and IT-dependent (system supported) controls (Purely) Manual Controls do not require system review *

20 Future discussion items
* 07/16/96 Future discussion items Evaluating Code Change Management Processes Evaluating Disaster Recovery Preparations Evaluating Server Configurations/Security Evaluating Network Concerns and Intrusion Risks Evaluating Workstation Management How should we modify our plans for future discussion items? *

21 Future discussion items
* 07/16/96 Future discussion items Evaluating Application Design, Controls, and Integration with the Business Processes Evaluating IT strategies – Strategic vs. Tactical issues Strategies used to build the overall IT audit plan for the department Looking at IT governance frameworks -Cobit *

Download ppt "Part 2- An IT Auditing Framework"

Similar presentations

Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
The World of Access Controls

The World of Access Controls
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Information Security Policies and Standards

Information Security Policies and Standards
Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment.

Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.

Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Similar presentations

Ads by Google