THE IIA'S CIA LEARNING SYSTEM™
Part 3, Section E (V3.0)
www.LearnCia.com

Section Topics
1. Control frameworks
2. Data and network communications/connections
3. Electronic funds transfer (EFT)
4. E-commerce
5. Electronic data interchange (EDI)
6. Functional areas of IT operations
7. Encryption
8. Information protection
9. Evaluate investment in IT
10. Enterprise-wide resource planning (ERP) software
11. Operating systems
12. Application development
13. Voice communications
14. Contingency planning
15. Systems security
16. Databases
17. Software licensing
18. Web infrastructure
Risks Specific to the IT Environment (Introduction)
• Physical audit trail replaced by a data trail
• Hardware/software failure
• Systematic errors
• Fewer human inputs
• Less segregation of duties
• Access authorization
• Automated transaction authorization
• Deliberate harmful acts
Pervasive and Specific Risks (Introduction)
Pervasive risks
• Affect the whole enterprise
• More costly effects
Specific risks
• May be attributed to specific processes
Challenges of IT Auditing (Introduction)
• Appreciating the importance of IT controls
• Assigning roles and responsibilities
• Determining risk
• Controlling and monitoring
• Assessing effectiveness
• Understanding IT controls
CAE Role (Introduction)
Identify:
• The organization's IT control environment
• Legal and regulatory compliance requirements
• Roles and responsibilities throughout the organization
• The risk assessment process
• The monitoring process
• Appropriate information and communication processes
Goals of IT Controls and Control Frameworks (Topic 1)
Provide:
• Compliance with laws and regulations
• Consistency with business objectives
• Continuity with governance policies and risk appetite
Specific IT Control Objectives (Topic 1)
• Protect assets/owners' equity.
• Data is available, reliable, and restricted.
• Users are accountable.
• Protect privacy and identity.
• Protect employees' jobs.
• Ensure system integrity.
• Control automated processes.
• An audit trail exists for all transactions.
Discussion Question (Topic 1)
What is an example of an organizational activity that would indicate that effective IT controls are in place?
Answers:
• Projects come in on time and within budget.
• The organization can plan and execute new work to support activities.
• Resources can be allocated predictably.
• Consistent information and service are available across the organization.
• Management knows when and what IT controls are in place.
• The organization can protect itself from attacks and recover quickly.
• Customer support and help desks are used efficiently.
• The entire organization is aware of security issues.
Control Classification (Topic 1)
The GTAG 1 diagram groups controls three ways:
• Governance controls, management controls, technical controls
• General controls and application controls
• Preventive controls, detective controls, corrective controls
Source: Global Technology Audit Guide 1: Information Technology Controls.
IT Control Frameworks (Topic 1)
• An IT control framework sets IT control objectives and logically groups IT processes.
• It identifies the need for controls but doesn't show how to apply them.
• Overall control frameworks and business processes + the IT control framework together align organizational structures.
• Business strategy drives IT strategy; objectives lead to requirements, which are compared with actual performance.
• Performance goals and metrics + continuous assurance close the loop.
COSO Model for Internal Control Frameworks (Topic 1)
COSO component                  Example IT control
Control environment             Corporate Technology Governance Committee
Risk assessment                 IT internal audit assessment
Control activities              Technology standards compliance enforcement
Information and communication   IT and security training
Monitoring                      Monthly metrics for technology performance
Source: Global Technology Audit Guide 1: Information Technology Controls.
COBIT®: Control Objectives for Information and related Technology (Topic 1)
COBIT is business-oriented, process-driven, control-driven, and measurement-driven.
Business orientation is the primary driver:
• Business requirements drive IT needs.
• Management must understand IT.
• It defines primary and secondary governance elements:
  – Alignment to strategy
  – Delivery of value
  – Management of resources
  – Management of risk
  – Performance measures
Slide analogy for the control loop: a standard (350°), a measurement system (the oven temperature), a control acting on the process, and the process itself (baking the cake).
COBIT: Process-Driven (Topic 1)
• Focus less on execution, more on controls
• Standard terminology
• Standard methods
34 processes in four domains:
• Plan and organize
• Acquire and implement
• Deliver and support
• Monitor and evaluate
COBIT: Process-Driven (continued) (Topic 1)
Each process has:
• A high-level control objective
• Detailed control objectives
• Management guidelines
  – RACI chart
  – Goals and metrics
Goals and their metrics are paired:
Box 1: Activity goals        Box 2: Activity goal metrics
Box 3: Primary activities    Box 4: Primary activity metrics
Box 5: IT goals              Box 6: IT goal metrics
Discussion Question (Topic 1)
A new organization decides to use the COBIT® control framework. Which of the following is true of this decision? The framework
A. is a best practice and should be used as is.
B. includes detailed implementation guidelines.
C. should be modified to reflect risk appetite and risk tolerance.
D. includes overall organizational controls in its guidance.
Answer: C. Frameworks should be adapted to suit the needs of the organization.
Computers, Servers, Client/Server Architecture (Topic 2)
• Mainframes are used primarily for large amounts of data and many concurrent users; their clients are dumb terminals, or PCs running terminal emulation software.
• Servers fill specialized needs, e.g., a Web server; their clients are PCs.
• Controls: secure data center, HVAC, electrostatic protection, trained personnel.
Discussion Question (Topic 2)
Supply the proper term for each definition listed below.
Answers:
• Geographical isolation of IT centers with no communication among centers; harder to control: Decentralized processing
• Commonly uses a mainframe computer; provides the highest level of control: Centralized processing
• Each region has its own data center but all centers are networked together; provides some redundancy against catastrophic events: Distributed processing
Network Types (Topic 2)
• Peer-to-peer
• PAN (personal area network)
• LAN (local area network)
• MAN (metropolitan area network)
• WAN (wide area network)
• PDN (public data network)
• VAN (value-added network)
• Consortium networks
Discussion Question (Topic 2)
All of the following are true regarding the Open Systems Interconnection (OSI) reference model except
A. The first three layers are common to a network; the last four are specific to a computer.
B. The first two layers are the only ones to contain hardware; the rest are software.
C. Unrelated objects can communicate using OSI protocols.
D. The first layer is the closest one to the user.
Answer: D. The last layer (application) is closest to the user.
OSI Reference Model (Topic 2)
OSI layer               Description                                          Related controls
Layer 1: Physical       Electrical/mechanical                                Wiring; physical protection
Layer 2: Data link      Synchronizes; compresses                             Encryption
Layer 3: Network        Routes, forwards data                                Track IP addresses; firewalls
Layer 4: Transport      End-to-end control, error checking, e.g., TCP        Logical control layer; firewalls
Layer 5: Session        Starts, ends conversations
Layer 6: Presentation   O/S; applies syntax, format                          O/S controls
Layer 7: Application    Constraints on data, e.g., partner authentication    Configurable data constraints; intrusion detection/prevention
Network Hardware (Topic 2)
Device        From / to                                          Notes                            OSI layer
Port          Physical connection point                                                           1
Repeater      Regenerates the signal to extend a segment                                          1
Hub           Internal to internal (sent to all ports)           Slower, congested                1
Switch        Internal to internal (sent to the addressed port)  Fast, intelligent                2
Bridge        Similar network to similar network                                                  2
Router        Internal (LAN) to external, e.g., ISP                                               3
Gateway       Dissimilar network to dissimilar network           Often integrated into a router   3
Multiplexer   Combines channels by time division or frequency division
Network Hardware Example (Topic 2)
[Diagram: the Internet connects through a router/gateway and then a firewall/gateway; behind the firewall, one switch serves LAN #1 (servers and workstations) and a second switch serves LAN #2 (workstations and printers); a hub connects a printer; a wireless bridge links a wireless network; the phone system connects to the phone company.]
Purpose of Firewalls (Topic 2)
A firewall sits between internal users and outside intruders.
• Improve security by blocking access from certain servers or applications.
• Reduce vulnerability and ensure efficiency by limiting user access to certain sites.
• Support detection of internal sabotage and external intrusion.
• Provide encryption internally.
Firewalls (Topic 2)
• Hardware/software operating at OSI layers 3 (network), 4 (transport), and 7 (application)
• Packet filtering
  – Stateful inspection
  – Network address translation (NAT)
• Gateways
  – Application gateway/proxy server
• DMZs
• Intrusion detection/prevention systems (IDS/IPS)
[Diagram: an access router to the Internet; a firewall in front of a DMZ that holds the Web server (host or proxy server) and an IDS/IPS; a second firewall between the DMZ and the private network areas.]
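Stateful inspection and NAT, as an added example that is not part of the original slides: a small Python simulation of a stateful packet filter in front of an assumed private LAN (10.0.0.0/24 behind the public address 203.0.113.1, both chosen for illustration) with an egress policy that permits only web ports. It tracks the TCP handshake per connection and rewrites source addresses (NAT), and it is contrasted with a stateless filter that must admit any inbound ACK segment to let replies in, which is exactly what a forged ACK exploits. All packets are constructed inline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


INTERNAL_PREFIX = "10.0.0."   # assumed private LAN
PUBLIC_IP = "203.0.113.1"     # assumed outside address of the firewall (documentation range)
EGRESS_PORTS = {80, 443}      # policy: internal users may only reach web ports


def stateless_filter(p):
    """Packet filter with no connection memory. To let replies back in it has
    to accept any inbound packet carrying ACK, which is what an ACK scan or a
    forged segment sends."""
    if p.dst_ip == PUBLIC_IP or p.dst_ip.startswith(INTERNAL_PREFIX):
        return "ALLOW" if "ACK" in p.flags else "DENY"
    return "ALLOW" if p.dst_port in EGRESS_PORTS else "DENY"


class StatefulFirewall:
    def __init__(self):
        self.conns = {}       # (priv_ip, priv_port, dst_ip, dst_port) -> handshake state
        self.nat = {}         # (priv_ip, priv_port) -> public source port
        self.rnat = {}        # public source port -> (priv_ip, priv_port)
        self.next_port = 40000
        self.log = []

    def _deny(self, p, reason):
        self.log.append(f"DENY {p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port} ({reason})")
        return "DENY", None

    def outbound(self, p):
        """Packet leaving the LAN toward the Internet."""
        if not p.src_ip.startswith(INTERNAL_PREFIX):
            return self._deny(p, "spoofed source")
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        state = self.conns.get(key)
        if state is None:
            if p.flags != frozenset({"SYN"}):
                return self._deny(p, "non-SYN packet without connection")
            if p.dst_port not in EGRESS_PORTS:
                return self._deny(p, "destination port not permitted")
            self.conns[key] = "SYN_SENT"
        elif state == "SYN_RECEIVED" and "ACK" in p.flags:
            self.conns[key] = "ESTABLISHED"
        # NAT: rewrite the private source to the public address and a mapped port
        pub = self.nat.get((p.src_ip, p.src_port))
        if pub is None:
            pub = self.next_port
            self.next_port += 1
            self.nat[(p.src_ip, p.src_port)] = pub
            self.rnat[pub] = (p.src_ip, p.src_port)
        return "ALLOW", Packet(PUBLIC_IP, pub, p.dst_ip, p.dst_port, p.flags)

    def inbound(self, p):
        """Packet arriving from the Internet at the public address."""
        priv = self.rnat.get(p.dst_port)
        if p.dst_ip != PUBLIC_IP or priv is None:
            return self._deny(p, "unsolicited inbound")
        key = (priv[0], priv[1], p.src_ip, p.src_port)
        state = self.conns.get(key)
        if state is None:
            return self._deny(p, "no tracked connection from that peer")
        if state == "SYN_SENT":
            if p.flags != frozenset({"SYN", "ACK"}):
                return self._deny(p, "expected SYN/ACK")
            self.conns[key] = "SYN_RECEIVED"
        # SYN_RECEIVED / ESTABLISHED: traffic from the tracked peer is passed and de-NATed
        return "ALLOW", Packet(p.src_ip, p.src_port, priv[0], priv[1], p.flags)


def demo():
    fw = StatefulFirewall()
    results = {}
    # constructed traffic: a workstation opens an HTTPS connection
    syn = Packet("10.0.0.5", 51000, "198.51.100.7", 443, frozenset({"SYN"}))
    verdict, nat_syn = fw.outbound(syn)
    results["syn_out"] = verdict
    results["nat_src"] = (nat_syn.src_ip, nat_syn.src_port)
    synack = Packet("198.51.100.7", 443, PUBLIC_IP, nat_syn.src_port, frozenset({"SYN", "ACK"}))
    results["synack_in"] = fw.inbound(synack)[0]
    ack = Packet("10.0.0.5", 51000, "198.51.100.7", 443, frozenset({"ACK"}))
    results["ack_out"] = fw.outbound(ack)[0]
    results["state"] = fw.conns[("10.0.0.5", 51000, "198.51.100.7", 443)]
    # an attacker forges an ACK segment to the public address on an unmapped port
    forged = Packet("192.0.2.99", 4444, PUBLIC_IP, 22, frozenset({"ACK"}))
    results["forged_stateless"] = stateless_filter(forged)
    results["forged_stateful"] = fw.inbound(forged)[0]
    # an outbound SSH attempt is stopped by the egress policy
    ssh = Packet("10.0.0.5", 51001, "198.51.100.7", 22, frozenset({"SYN"}))
    results["ssh_out"] = fw.outbound(ssh)[0]
    return results, fw.log
```

The contrast is the point an auditor should look for: the stateless rule "allow inbound ACK" is a policy hole, while the stateful filter admits only packets that belong to a connection the inside opened, and its deny log is the detective record of what was refused.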
Electronic Funds Transfer (EFT) (Topic 3)
Bank-to-bank (only) transfer of value or financial data.
EFT risks and controls:
• FEDI (financial electronic data interchange) is used to initiate EFT.
  – Password and physical restriction of the FEDI terminal
  – Dual approval, credit checking
  – Test keys or codes for validation, error catching
  – Encryption
• Prior consent by the paying party, in writing if automatic.
EFT methods:
• Fedwire, TARGET, CHAPS.
• ACH for high-volume, low-value transfers.
Internal Auditing of EFT (Topic 3)
IA must assess:
• Logic controls to restrict access to the system.
• Change management controls to ensure that all program changes are approved.
• Physical controls to restrict access to transactions.
• System data backup and recovery controls to safeguard transaction history.
• Operation controls to ensure that system components operate as designed.
• Application controls to ensure transaction accuracy.
Discussion Question (Topic 4)
All of the following are true of e-commerce except
A. E-commerce risk analyses should be done frequently, especially if operations change.
B. Mobile e-commerce, if properly encrypted, has no other major control issues.
C. Evaluating middleware is a valid part of an e-commerce risk analysis.
D. E-commerce may be defined as "conducting commercial activities over the Internet."
Answer: B. Authentication of both parties is the second major control issue for mobile e-commerce.
Factors Promoting E-Commerce (Topic 4)
• Personalization: cookies, registration, behavior tracking
• Customization: tailored products
• Lower cost per transaction
• XML: new tags, interactive, interapplication communication
• ebXML: list services or needs in an automated directory, automated trading, collaboration
Factors Slowing Growth of E-Commerce (Topic 4)
Costs
• Hardware, software, training, skilled labor.
• Mail is still a common payment method (mail float).
Risks
• Competitors could access valuable information.
• Exchange auctions go to the lowest bidder; higher quality is ignored.
• Security is constantly threatened.
• The perception of security is even lower.
E-Commerce Security Policy Goals (Topic 4)
• Authenticity
• Integrity
• Nonrepudiation
• Confidentiality
• Privacy
• Availability
• Continuous auditing
Internal Auditing of E-Commerce (Topic 4)
IA must assess:
• Network security controls.
• User ID systems.
• Privacy and confidentiality controls.
• Listing of all e-commerce applications.
• Maintenance activities.
• Automated failure detection and repair.
• Application change management controls.
• Business continuity plans in the event of failure.
Discussion Question (Topic 5)
Match each EDI risk with the proper control.
EDI risks:
A. Unauthorized user access
B. Data integrity loss
C. Transactions incomplete
D. EDI system unavailable
E. Cannot transmit transactions
F. Lack of legal evidence
Internal controls:
1. Acknowledgment
2. Fault-tolerant systems
3. Access control
4. Authentication
5. Consensus on legal definitions, responsibilities, obligations
6. Standardized data format, use of ANSI/EDIFACT protocol
Answers: 1-C, 2-D, 3-A, 4-B, 5-F, 6-E
EDI Software (Topic 5)
1. Initiation: the sender's ERP system produces a document, for example an invoice.
2. File conversion: the sender's EDI software converts it into a standard transaction set (an 810 invoice) and transmits it, for example over a WAN.
3. Destination: the receiver's EDI software converts the 810 invoice for its own ERP system; the invoice is received and acknowledged.
IT Organizational Chart (Topic 6)
CEO
  CIO
    Security & Quality
    Apps & Systems
    Data
    Tech Support
    Ops
Discussion Question (Topic 6)
Which of the following is responsible for capacity planning and focuses on efficiency?
A. Technical support
B. Applications and systems
C. Operations
Answer: C. Operations supports all business units, with a focus on efficiency.
Discussion Question (Topic 6)
Which of the following is true of IT operational roles?
A. Programmers should be the primary pool for testing code, especially if they wrote it.
B. Data entry personnel minimize manual data entry by capturing data at the point of transaction.
C. Systems developers develop end-user applications.
D. The chief technology officer develops IT security policy, controls IT resources, and oversees IT security.
Answer: B. Data entry personnel format data for computer use.
Discussion Question (Topic 6)
Which of the following management roles has oversight of the compliance aspects of IT?
A. Board of Directors
B. Chief Executive Officer
C. Chief Legal Counsel
D. Chief Information Officer
Answer: A. The Board of Directors is responsible for governance, which includes compliance.
Private (Symmetric) Key Encryption (Topic 7)
One shared secret key is used both to encrypt and to decrypt.
[Diagram: Firm A sends the private key to Firm B; A encrypts the plaintext "1234" with the key via an algorithm into "#%*#", and B decrypts it with the same key back to "1234".]
Advantages
• Simplicity
• Requires less processing power
• Difficult to crack
Risks
• Interception of the private key while it is being shared
• Poor controls at the receiver's end
Public (Asymmetric) Key Encryption (Topic 7)
Each party holds a key pair; the public key is published and the private key never leaves its owner.
[Diagram: Firm A has A's public key and A's private key; Firm B has B's public key and B's private key. Firm A encrypts "1234" with B's public key into "#%*#"; Firm B decrypts it with B's private key back to "1234".]
Advantage
• High degree of security
Disadvantages
• Processing intensive
• Difficult to communicate changes to all users
Other Encryption Tools (Topic 7)
• Quantum cryptography
  – Uses uncertainty
  – Can detect eavesdropping
• Digital envelope
  – Layers both symmetric and asymmetric encryption: the data is encrypted with a one-time symmetric session key, and that session key is encrypted with the recipient's public key
• Cryptographic module/system
  – Packaged encryption application
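The digital envelope layering from the three encryption slides, as an added example that is not from the slides or the IIA: a stdlib-only Python sketch in which Firm A seals data for Firm B. The asymmetric part is textbook RSA with a short modulus and no padding, and the symmetric part is an HMAC-SHA256 counter-mode keystream plus an HMAC tag; both are constructed stand-ins for the real algorithms (RSA-OAEP, AES-GCM) and are not secure for production use. The firm names and the plaintext "1234" follow the slides; the key sizes are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from math import gcd


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (enough for a toy key pair)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Toy textbook RSA key pair: short modulus, no padding. Shows the structure only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)  # (public key, private key)


def keystream(key, nonce, length):
    """Symmetric keystream: HMAC-SHA256 in counter mode, a constructed stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, plaintext):
    nonce = os.urandom(12)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # integrity over nonce+ciphertext
    return nonce, ciphertext, tag


def sym_decrypt(key, nonce, ciphertext, tag):
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def seal(recipient_public_key, plaintext):
    """Digital envelope: bulk data under a fresh symmetric session key,
    the session key wrapped with the recipient's public key."""
    e, n = recipient_public_key
    session_key = secrets.token_bytes(16)  # 128-bit key, far below the modulus
    nonce, ciphertext, tag = sym_encrypt(session_key, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_envelope(recipient_private_key, envelope):
    """Only the holder of the private key can unwrap the session key."""
    d, n = recipient_private_key
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(16, "big")
    return sym_decrypt(session_key, envelope["nonce"], envelope["ciphertext"], envelope["tag"])


def demo():
    public_b, private_b = rsa_keygen()   # Firm B publishes public_b and keeps private_b
    envelope = seal(public_b, b"1234")   # Firm A seals "1234"; no key ever travels in the clear
    recovered = open_envelope(private_b, envelope)
    # Flip one ciphertext bit in transit: the tag check must reject it
    ct = envelope["ciphertext"]
    tampered = dict(envelope, ciphertext=bytes([ct[0] ^ 1]) + ct[1:])
    try:
        open_envelope(private_b, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return recovered, tamper_detected
```

This is why the envelope removes the symmetric scheme's key-interception risk while keeping its speed: the expensive public-key operation runs once on a 16-byte session key, and the bulk data is handled symmetrically. The tag covers the nonce and ciphertext, so a modified envelope is rejected before any plaintext is released.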
Internal Auditing of Encryption (Topic 7)
• Are physical controls over computers holding keys adequate?
• Are encryption policies being followed?
• Are logic controls implemented and effective?
• Are domain internal directories secure?
• Are keys sufficiently complex?
• Are creation rules applied to passwords used to create keys?
Information Protection (Topic 8)
Information security = confidentiality + integrity + availability, covering both data security and infrastructure security.
• IT general controls, e.g., segregation of duties
• IT application controls, e.g., security software that sets terminal-specific rights
Discussion Question (Topic 8)
Provide an example of a warning sign that information in an IT system may be vulnerable.
Answer (from GTAG 6: Managing and Auditing IT Vulnerabilities):
• Higher number of security incidents
• Inability to identify vulnerabilities systematically
• Inability to assess risks and prioritize mitigation efforts
• Poor working relations between IT management and IT security
• No asset management system
• No configuration management process
Managing IT Vulnerabilities (Topic 8)
1. Enlist management support.
2. Inventory assets/vulnerabilities.
3. Prioritize mitigation/remediation.
4. Remediate vulnerabilities.
5. Continually update processes.
6. Automate patch management and identification of vulnerabilities.
Source: Global Technology Audit Guide 6: Managing and Auditing IT Vulnerabilities.
Malware (Topic 8)
• Lucrative, organized crime
• VirWare
  – Viruses, e.g., macro viruses
  – Worms, e.g., IM worms
• Trojan horses
  – Social engineering
  – Require the user to initiate, but are therefore smaller and easier to transmit
  – Types include Trojan-clickers, banker programs, backdoors, rootkits, piggybacking, logic bombs
• Other malware
  – Botnets
  – Keyloggers
  – Adware
  – Spyware
• Hackers/crackers
  – Industrial espionage
  – Cyberterrorism
  – Phishing/pharming
  – Identity theft
  – Wardriving
Discussion Question (Topic 8)
Company executives are worried that data regarding their new product launch, currently on their intranet site, could be compromised by hackers or inadvertent errors. Assuming that the site has appropriate information security controls, which of the following would be the best course of action?
A. Make no changes and assure management that the data is safe.
B. Increase the level of intranet security through investments in security software upgrades.
C. Remove the data from the intranet site until after the launch goes public.
Answer: C. Taking sensitive data offline provides the best assurance of security.
Privacy (Topic 8)
The right to be left alone and free from surveillance by individuals, organizations, or the government.
• Personal information is data that links back to an individual.
• IT makes invasions of privacy easy and inexpensive.
• Monitoring of employees:
  – Control vs. morale.
  – Clearly communicate the privacy policy.
Privacy: Fair Information Practices (FIPs) (Topic 8)
• Individuals have a right to privacy but must prove identity.
• Organizations have responsibilities over the collection and use of data.
FIPs principles: Notice, Choice, Access, Security, Enforcement.
Discussion Question (Topic 9)
What is the longest-term estimate of ROI that can be made given the following details on a CRM system project?
Tangible benefits (for the next 3 years)
• Sales price increase from $5 to $6/unit
• Expected sales increase from 50,000 to 60,000 units
Tangible costs
• Software + installation = $200,000 in Y1
• Maintenance + ongoing training = $10,000/year for 5 years
Intangible benefits (for the next 4 years)
• Greater customer loyalty saves $50,000/year in customer acquisition
• Customer service time reduced, saving $40,000/year
Intangible costs
• Work disruption and learning curves = $100,000 in Y1
• Opportunity cost of investment = +10% of total cost per year
Answer: 3 years, because the tangible benefits are only estimated that far out.
Return = 3 × [($6/unit × 60,000) – ($5/unit × 50,000)] + 3 × ($50,000 + $40,000) = 3 × $110,000 + $270,000 = $600,000
Investment = [$200,000 + ($10,000 × 3) + $100,000] × 1.1 = $330,000 × 1.1 = $363,000
3-year ROI = $600,000 / $363,000 = 1.65
Efficiency and Usefulness of IT Systems (Topic 9)
• Use a defined IT portfolio selection process
  – Must provide service at a cost comparable to alternatives
• Feasibility study
  – Clear objectives linked to outcome measures
  – End-user interviews
  – Users of system outputs
  – Subdivisions: scheduling feasibility, operational feasibility, technical feasibility, economic feasibility
• Cost accounting
  – Compare final budget against actual costs
  – Measure and transfer costs to units
  – Performance measure
ERP Systems (Topic 10)
• Single-repository modular suites of business applications
• Batch processing vs. OLTP
• Core modules: transaction processing systems (TPS) for finance, HR, manufacturing, etc.
• Management information systems (MIS)
• Collaborative toolsets, e.g., customer relationship management (CRM)
Internal Auditing for ERP (Topic 10)
• Auditors should be involved in the systems development life cycle.
  – For example, review implementation team credentials.
  – Monitor conversion and implementation.
• Single point of entry for data, automated approvals.
  – Focus audits on logic controls and any overrides.
• Configure rather than customize.
  – Reengineer business processes and streamline first.
  – Show the cost of organizational resistance to change.
  – Preserve vital controls.
Web-based Enterprise Management (WBEM) (Topic 10)
[Diagram: supplier, manufacturer, and wholesaler each run a WBEM system and collaborate through them.]
• WBEM: browser-based formats, XML, Java, and Web services for universal compatibility with other WBEM systems.
• Audit the collaboration, e.g., could a partner plus an employee collude to commit fraud?
What does an O/S do? (Topic 11)
• User interface
• Hardware operation
• System recovery
• Access control
• Communication with apps
• Networking
• Resource scheduling
• Memory management
• File management
Discussion Question (Topic 11)
A company used internal O/S programmers to make some adjustments to their O/S. The system seemed to be working fine, but when some computers are multiprogramming, one or more applications sometimes fail. Auditing this issue should involve all of the following EXCEPT
A. Audit should determine if O/S programmers have sufficient training.
B. Audit should focus on memory management.
C. The auditor should be an IT specialist.
D. Audit should focus on job scheduling.
Answer: D. Job scheduling relates to batch processing, not multiprogramming/multitasking.
IT Controls in Application Development (Topic 12)
Source: GTAG 1: IT Controls.
• Documentation of user requirements and measurement of how well those requirements have been met
• Use of a formal process to ensure that user requirements and controls are reflected in design and development
• Testing with actual users
• Planned application maintenance
• Controlled change management
Systems Development Life Cycle (SDLC) (Topic 12)
A formal process that involves management and stakeholders.
1. Systems planning
2. Systems analysis
3. Systems design (build), or systems selection followed by customization/configuration (buy)
4. Programming
5. Testing
6. Conversion and implementation
7. Systems operation and refinement
Feedback from operation flows back into planning.
Feasibility Studies (Topic 12)
1. Identify the needs of all related parties and develop metrics for later use.
2. Analyze the proposed system against needs, resources, costs, technology trends, and strategic alignment.
3. Perform cost-benefit analysis.
4. Identify the best risk-based alternative.
Discussion Question (Topic 12)
Which of the following is the result of the systems analysis phase of the SDLC?
A. Long-term technology strategy
B. Detailed system blueprint
C. Written request for systems design
D. Unit testing and system testing
Answer: C. The result of systems analysis is a written request for systems design or selection.
Systems Design/Selection: IA Concerns (Topic 12)
• User approval
• Authorization procedures for program changes and new code
• Software testing and quality control
• Staff proficiency
• Controls on selection criteria
Overview of IT Application Controls (Topic 12)
Across the SDLC process:
• Input controls
• Processing controls
• Output controls
• Integrity controls
• Audit trail
IT Application Controls: Input Controls (Topic 12)
• Control data as it enters the system
• GIGO (garbage in, garbage out)
• Manual input controls, e.g., authorizations
• Electronic aids for manual inputs
  – Screen formats, entry fields, drop-down menus
  – Keystroke verification
  – Labeling conventions and completeness checks
• Batch controls for items that can be batched
• Visual verification for items that cannot be batched
IT Application Controls: Input Controls (continued) (Topic 12)
• Format checks
• Edit checks
  – Control totals
  – Range tests
  – Numerical checks
  – Sequence checks
  – Limit checks
  – Check digits
  – Record count
  – Historical comparison
  – Overflow checking
• Reconciliation and balancing
• Inquiry logs
• Automated inputs
  – OCR
  – MICR
  – Scanners
  – Bar codes
  – RFID
• Manual review
Discussion Question (Topic 12)
All of the following are true of processing controls except
A. Data center operators need to be able to override file names or device errors.
B. Auditors should verify that reconstructed files have accuracy checks.
C. Date and file total checks flag exact duplicate entries as errors.
D. Control totals are gathered when an application generates temporary files.
Answer: A. The opposite is true.
IT Application Controls: Processing Controls (Topic 12)
Automated controls
• Date and file total checks
• Completeness tests
• Control totals
Other processing controls
• Reasonableness checks
• Suspense file
• Activity logging
• Processing logic tests (e.g., cross-footing check)
• Run-to-run totals
• End-of-file procedures
• Primary and secondary key integrity check
• Access control list (ACL)
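The input and processing controls on the last few slides, as an added example that is not part of the original deck: a Python batch validator over a constructed batch of receipts. The batch header carries a record count, a control total (sum of amounts) and a hash total (sum of account numbers) that were keyed independently of the detail records; each record is put through format, check-digit, range, limit, sequence and period checks; exact duplicates are flagged; rejected records go to a suspense list rather than being dropped. The mod-10 (Luhn) scheme for the account check digit, the posting period and the $10,000 limit are assumptions made for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

AMOUNT_LIMIT = Decimal("10000.00")                 # assumed per-transaction limit
PERIOD = (date(2024, 3, 1), date(2024, 3, 31))     # assumed open posting period

# Constructed batch. The header totals were keyed by the submitting department;
# the detail records were keyed separately, so the totals can be reconciled.
HEADER = {"record_count": 6, "control_total": "14760.49", "hash_total": 185165159}
RECORDS = [
    {"seq": 1, "account": "12345674", "amount": "1200.00", "date": "2024-03-05"},
    {"seq": 2, "account": "24681355", "amount": "250.50", "date": "2024-03-07"},
    {"seq": 3, "account": "12345670", "amount": "99.99", "date": "2024-03-08"},     # bad check digit
    {"seq": 4, "account": "98765431", "amount": "12000.00", "date": "2024-03-09"},  # over the limit
    {"seq": 5, "account": "12345674", "amount": "1200.00", "date": "2024-03-05"},   # duplicate of seq 1
    {"seq": 7, "account": "24681355", "amount": "10.00", "date": "2024-04-02"},     # sequence gap, wrong period
]


def luhn_valid(digits):
    """Mod-10 (Luhn) check-digit test on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_amount(text):
    """Format check: a decimal number with at most two places, else None."""
    try:
        amount = Decimal(text)
    except InvalidOperation:
        return None
    return amount if amount == amount.quantize(Decimal("0.01")) else None


def edit_checks(rec, expected_seq):
    """Field-level edit checks on one record; returns the list of failed checks."""
    errors = []
    if rec["seq"] != expected_seq:
        errors.append("sequence")
    if not (rec["account"].isdigit() and len(rec["account"]) == 8):
        errors.append("format:account")
    elif not luhn_valid(rec["account"]):
        errors.append("check-digit")
    amount = parse_amount(rec["amount"])
    if amount is None:
        errors.append("format:amount")
    elif amount <= 0:
        errors.append("range")
    elif amount > AMOUNT_LIMIT:
        errors.append("limit")
    try:
        posted = date.fromisoformat(rec["date"])
        if not PERIOD[0] <= posted <= PERIOD[1]:
            errors.append("period")
    except ValueError:
        errors.append("format:date")
    return errors


def process_batch(header, records):
    """Batch-level controls (record count, control total, hash total) plus
    per-record edit checks and duplicate detection. Rejects are kept in a
    suspense list so nothing disappears silently."""
    accepted, suspense, seen = [], [], set()
    for expected_seq, rec in enumerate(records, start=1):
        errors = edit_checks(rec, expected_seq)
        key = (rec["date"], rec["account"], rec["amount"])
        if key in seen:
            errors.append("duplicate")
        seen.add(key)
        (suspense if errors else accepted).append((rec["seq"], errors))
    batch_errors = []
    if len(records) != header["record_count"]:
        batch_errors.append("record-count")
    control = sum((parse_amount(r["amount"]) or Decimal(0)) for r in records)
    if control != Decimal(header["control_total"]):
        batch_errors.append("control-total")
    hash_total = sum(int(r["account"]) for r in records if r["account"].isdigit())
    if hash_total != header["hash_total"]:
        batch_errors.append("hash-total")
    return {"accepted": accepted, "suspense": suspense, "batch_errors": batch_errors}
```

The three header totals catch different failures: the record count catches a dropped record, the control total catches a mis-keyed amount, and the hash total catches a mis-keyed account number that leaves the amounts unchanged. A batch that fails any of them should be held, not posted with the good records alone.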
IT Application Controls: Output Controls (Topic 12)
• Detective controls
• Require users to review work immediately
• Record retention
• Error listings
• Reference documents
• Spooling controls
• Working documents
• Reports
• Exception reporting
[Diagram: the auditor takes control total samples of system inputs and reconciles them against system outputs.]
Discussion Question (Topic 12)
Online programming is performed at workstations and has both advantages and risks. What are they?
Answer:
Advantages
• Programmers can use real code.
• Programming is faster.
• Multiple versions of programs can be created.
Risks
• Unauthorized access to the program may be allowed.
• Valid code may be overwritten.
Programming Languages (Topic 12)
Source code is compiled into object code; computers read only object code (binary). Access to source = ability to change the program.
Source code (C):
#include <stdio.h>

int main(void)
{
    int fib[24];
    int i;
    fib[0] = 0;
    fib[1] = 1;
    for (i = 2; i < 24; i++)
        fib[i] = fib[i - 1] + fib[i - 2];
    for (i = 0; i < 24; i++)
        printf("%3d %6d\n", i, fib[i]);
    return 0;
}
Object code: 110100101000111011010010 ...
Application Testing: fill in the blanks (Topic 12)
Type of test          Test description
Sociability testing   Testing the system in its intended environment (same users, hardware, concurrent applications)
Alpha test            Conducted by developers
Throughput testing    Validates the ability of the system to process a specified number of transactions within a specified time
Regression testing    Confirms revisions have corrected problems and not introduced new problems
Beta test             Conducted by users
Documentation (Topic 12)
• Document:
  – Software
  – Related business processes
  – Security features and backup procedures
• Clear and concise, structured methodology
• Early audit involvement and a designated reviewer can ensure that documentation duties are performed
Documentation dilemma: when project scope changes (e.g., from version 1.1 to the just-released 1.2), either the vast documentation must be updated, or specifications are frozen and the results are less useful.
Discussion Question (Topic 12)
Fill in the blanks:
• High-performing organizations perform ______ patches than low-performing ones. (Answer: fewer)
• __________________ includes code revisions, system upgrades, and infrastructure changes such as cabling. (Answer: Change management)
• The number of emergency or unauthorized changes allowed per year should be _____. (Answer: zero)
Reducing Change Risks (Topic 12)
• Adhere to a development methodology (e.g., SDLC)
• Objective audit tasks: routine changes that have a low risk of management override
• Subjective audit tasks: e.g., software controls that monitor whether controls are overridden
• Development should report to a high enough level to avoid pet projects
• Supervisory controls
  – Preventive (e.g., enforce change management policy)
  – Detective (e.g., measuring and correcting performance)
Change and Patch Management Metrics

Risk: Unauthorized changes
  Controls: Policy of 0 unplanned changes; proactive management; detective software
  Metrics: # of unplanned changes; # of unplanned outages; # of changes authorized; # of changes implemented

Risk: Changes fail to be implemented or are late
  Controls: Change management process
  Metrics: > 70% change success rate; new work created by change

Risk: Unplanned work displaces planned work
  Controls: Perform triage; bundle planned changes; treat patches as a process to expect
  Metrics: < 5% of work unplanned; % of time on unplanned work; % of projects late; % of patches as planned release
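As an added worked example, not taken from the IIA deck, the following Python derives the metrics above from a change log and checks them against the slide's three targets (0 unplanned changes, > 70% change success rate, < 5% unplanned work). The record fields, the sample changes and their effort hours are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One change that reached production. Field names are assumptions for this example."""
    change_id: str
    authorized: bool     # went through the change management process
    planned: bool        # scheduled in a planned release window
    succeeded: bool      # closed without rollback or incident
    caused_outage: bool  # an unplanned outage was attributed to it
    is_patch: bool       # vendor patch rather than a code or infrastructure change
    late: bool           # implemented after its committed date
    effort_hours: float  # labour spent implementing it


# Constructed sample change log for one period (not real data).
SAMPLE_CHANGES = [
    Change("CHG-001", True,  True,  True,  False, True,  False, 2),
    Change("CHG-002", True,  True,  True,  False, False, False, 8),
    Change("CHG-003", False, False, False, True,  False, False, 6),  # emergency fix, no ticket
    Change("CHG-004", True,  True,  False, False, False, True,  10),
    Change("CHG-005", True,  False, True,  False, True,  False, 3),  # out-of-band patch
    Change("CHG-006", True,  True,  True,  False, True,  False, 2),
    Change("CHG-007", True,  True,  True,  False, False, False, 5),
    Change("CHG-008", True,  True,  True,  False, False, False, 4),
]

# Targets as stated on the slide.
TARGETS = {
    "unplanned_changes": ("==", 0),
    "change_success_rate": (">", 0.70),
    "pct_unplanned_work": ("<", 5.0),
}


def unauthorized_ids(changes):
    """Detective check: changes implemented without authorization."""
    return [c.change_id for c in changes if not c.authorized]


def compute_metrics(changes):
    """Derive the slide's change and patch management metrics from the change log."""
    implemented = len(changes)
    unplanned = [c for c in changes if not c.planned]
    patches = [c for c in changes if c.is_patch]
    total_hours = sum(c.effort_hours for c in changes)
    unplanned_hours = sum(c.effort_hours for c in unplanned)
    return {
        "changes_implemented": implemented,
        "changes_authorized": sum(1 for c in changes if c.authorized),
        "unplanned_changes": len(unplanned),
        "unplanned_outages": sum(1 for c in changes if c.caused_outage),
        "change_success_rate": (sum(1 for c in changes if c.succeeded) / implemented) if implemented else 0.0,
        "pct_unplanned_work": round(100.0 * unplanned_hours / total_hours, 1) if total_hours else 0.0,
        "pct_late": round(100.0 * sum(1 for c in changes if c.late) / implemented, 1) if implemented else 0.0,
        "pct_patches_planned": round(100.0 * sum(1 for c in patches if c.planned) / len(patches), 1) if patches else 0.0,
    }


def check_targets(metrics):
    """Return the metrics that breach their target, formatted for a report."""
    breaches = []
    for name, (op, target) in TARGETS.items():
        value = metrics[name]
        ok = {"==": value == target, ">": value > target, "<": value < target}[op]
        if not ok:
            breaches.append(f"{name}={value} (target {op} {target})")
    return breaches


if __name__ == "__main__":
    metrics = compute_metrics(SAMPLE_CHANGES)
    for name, value in metrics.items():
        print(f"{name:22s} {value}")
    print("unauthorized:", unauthorized_ids(SAMPLE_CHANGES))
    print("breaches:", check_targets(metrics))
```

With the sample log the success rate (75%) meets its target, while the two unplanned changes and the 22.5% of effort spent on them are reported as breaches; the one unauthorized change is listed separately so it can be followed up as a policy violation rather than buried in the totals.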
Part 3, Section E, Topic 12
Rapid Application Development (RAD)

Methodologies and tools for fast development:
• PERT
• Module-by-module
• Reusable code
• RAD
  – Reduces documentation
  – User participation
  – Automated code generation
• JAD
• Agile development
• Object-oriented development
• End-user self-development

Auditing RAD projects:
• Emphasis on speed: lower quality?
• Does it fulfill business needs?
• Gold plating?
• Naming conventions?
• Scalability?
• Does the project push harder tasks toward the last phase?
Part 3, Section E, Topic 12
Application Development Terminology

• Thin client vs. fat client
• Legacy systems
• Data cleansing (Topic 16)
• Debugging
• Enterprise application integration (EAI)
  – Middleware
  – Web services (Topic 18)
  – Business process management (BPM)
Part 3, Section E, Topic 12
Discussion Question

Which of the following describes an advanced application that is capable of reviewing every receiving record, applying the same audit tests to each record, and highlighting records that warrant further scrutiny?
A. Decision support systems (DSS)
B. Expert systems
C. Cross-enterprise collaboration and optimization tools

Answer: B. Expert systems use a series of decision points.
Part 3, Section E, Topic 12
Voice Communications

• Auditors: callback procedures
• Standard telephone systems
  – Automated voice mail
  – Inoperability has a high opportunity cost
  – Should be part of the contingency plan
  – Problems include wiretapping and a third party fraudulently representing itself as someone else
• VoIP
  – Encryption vs. a backdoor for wiretapping
  – Exploiting VoIP opens access to the network overall
• Virtual private networks (VPNs)
Part 3, Section E, Topic 13
Business Continuity Management
“process by which an organization prepares for future incidents that could jeopardize the organization’s core mission and its long-term viability”
Part 3, Section E, Topic 14
Source: Global Technology Audit Guide 10—Business Continuity Management.
BCM Process
Gain management commitment.
Conduct risk assessment and mitigation analysis.
Conduct business impact analysis.
Define recovery and continuity strategies.
Deploy, verify, and maintain program.
Establish disaster recovery for IT.
Part 3, Section E, Topic 14
Source: Global Technology Audit Guide 10—Business Continuity Management.
Developing a Contingency Plan

• Planning team
  – Team leader
  – Delegate roles to those closest to each risk
• Can outsource forming and testing the plan, but not incident handling
• Integrate with the risk framework
• Educate management
Part 3, Section E, Topic 14
Risk-based Priorities and Making a Plan

Determine the order of restoration of services:
• Categorize by severity + likelihood + restoration priority (each has an appropriate response)
• Evacuation plans
• Business interruption and property insurance
• Recovery methods: off-site facilities
  – Hot
  – Cold
  – Warm
  – Reciprocal agreements

[Figure: system categories by restoration priority: critical systems (e.g., telecommunications, shipping), vital systems (e.g., HR, budgeting), sensitive systems, and noncritical systems; further examples shown are finance, customer service, payroll, and end-user data.]
Part 3, Section E, Topic 14
Critical Systems for IT BCM

IT systems:
• Data center
• Applications and data
• Servers and other hardware
• Communication devices
• Networks
• IT infrastructure
• Remote access services
• Manufacturing process control systems

Information management systems:
• File rooms
• Document management systems
Part 3, Section E, Topic 14
Source: Global Technology Audit Guide 10—Business Continuity Management.
Documenting and Testing the Plan

• Clear, simple introduction
• Team responsibilities, emergency contact information
• Backup schedules, location of facilities
• Escalation procedure
• Action plans with recovery time frames, strategy, and subplans
• Insurance documentation
• Best evidence of plan adequacy is testing the plan (e.g., fire drill)
• Current disaster recovery capacity
• Variance vs. internal benchmarks
Part 3, Section E, Topic 14
BCM Plan Testing: Fill in the blanks

Word bank: IT environment walkthrough, Tabletop exercise, Desk check or plan audit, End-to-end testing, Orientation or plan walkthrough

Type of Test – Description
IT environment walkthrough – Participants walk through an announced or unannounced simulation and execute system recovery procedures.
Orientation or plan walkthrough – BCM team members meet to review their roles.
Tabletop exercise – Team participates in a brief simulation of a scenario.
Desk check or plan audit – Written plan is reviewed and updated.
End-to-end testing – All stakeholders participate; demonstrates the ability to perform key processes at an agreed level.
Part 3, Section E, Topic 14
Discussion Question

An IT auditor discovers a weakness in the general controls that encompass more than just IT. The auditor should do which of the following? (Select all that apply.)
I. Communicate the issue to management.
II. Explain the risk exposure created by the deficiency.
III. Recommend the best system to address the issue.
IV. Set a deadline for implementation of controls.
V. Oversee implementation of controls.

Answer: I, II, and III.
Part 3, Section E, Topic 15
COBIT System Security Objectives
1. Manage IT security.
2. Implement IT security plan.
3. Implement identity management processes.
4. Manage user accounts.
5. Ensure security testing.
6. Ensure security incident definition.
7. Protect security technology.
8. Manage the cryptographic key.
9. Prevent, detect, and correct malware.
10. Implement network security to ensure authorized access.
11. Ensure transmission of sensitive data over trusted paths or secure media.
Part 3, Section E, Topic 15
IT General Controls—Logic Controls

• Software-based rules for error checking or access
• Password authentication
  – Digitally enforcing alphanumerics, regular changes, provisioning, etc.
• Least privilege: are roles too broad?
• Audit trails
  – Keep secure from as many users as possible
• Others
  – Automated log-off of inactive users
  – Monitoring computers with remote control privileges
  – Access logs
  – Contractor access codes that expire
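The following Python is an added illustration of these logic controls working together, not code from the IIA deck: a password policy that enforces alphanumerics and regular change, an idle-session timeout, contractor accounts that expire, a least-privilege role check, and an access log written for every decision. The policy values, account store, roles and actions are all constructed for the example.

```python
from datetime import datetime, timedelta

# Policy parameters; the values are assumptions for this example, not IIA figures.
PASSWORD_MIN_LENGTH = 12
PASSWORD_MAX_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed account store. 'expires' implements contractor access codes that expire;
# 'roles' is the set of roles provisioned to the identity.
ACCOUNTS = {
    "jdoe": {"enabled": True, "roles": {"ap_clerk"}, "expires": None,
             "password_changed": datetime(2024, 3, 1)},
    "contractor01": {"enabled": True, "roles": {"ap_clerk"}, "expires": datetime(2024, 3, 31),
                     "password_changed": datetime(2024, 3, 15)},
    "admin": {"enabled": True, "roles": {"ap_clerk", "ap_approve", "sysadmin"}, "expires": None,
              "password_changed": datetime(2023, 11, 1)},
}

# Roles that may perform each action (constructed).
ACTION_ROLES = {"enter_invoice": {"ap_clerk"}, "approve_payment": {"ap_approve"}}


def password_policy_violations(password, last_changed, now):
    """Digitally enforce alphanumerics, a minimum length, and regular change."""
    problems = []
    if len(password) < PASSWORD_MIN_LENGTH:
        problems.append("shorter than %d characters" % PASSWORD_MIN_LENGTH)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    if now - last_changed > PASSWORD_MAX_AGE:
        problems.append("older than %d days, change required" % PASSWORD_MAX_AGE.days)
    return problems


def should_auto_logoff(last_activity, now):
    """Automated log-off of inactive users."""
    return now - last_activity >= IDLE_TIMEOUT


def account_active(user, now):
    """Disabled accounts and expired contractor codes are both inactive."""
    acct = ACCOUNTS.get(user)
    if acct is None or not acct["enabled"]:
        return False
    return acct["expires"] is None or now < acct["expires"]


def authorize(user, action, now, audit_trail):
    """Least-privilege decision that always appends an access-log entry (the audit trail)."""
    if not account_active(user, now):
        decision, reason = False, "account inactive or expired"
    elif not ACCOUNTS[user]["roles"] & ACTION_ROLES.get(action, set()):
        decision, reason = False, "role not granted for action"
    else:
        decision, reason = True, "ok"
    audit_trail.append({"time": now.isoformat(), "user": user, "action": action,
                        "allowed": decision, "reason": reason})
    return decision


def overly_broad_roles(max_roles=2):
    """'Are roles too broad?': identities holding more roles than the threshold."""
    return sorted(u for u, a in ACCOUNTS.items() if len(a["roles"]) > max_roles)


if __name__ == "__main__":
    now = datetime(2024, 4, 1, 9, 0)
    log = []
    print(authorize("jdoe", "enter_invoice", now, log))          # True
    print(authorize("jdoe", "approve_payment", now, log))        # False: role not granted
    print(authorize("contractor01", "enter_invoice", now, log))  # False: code expired 31 Mar
    print(password_policy_violations("password", ACCOUNTS["admin"]["password_changed"], now))
    print(should_auto_logoff(now - timedelta(minutes=20), now))  # True
    print(overly_broad_roles())                                  # ['admin']
    for entry in log:
        print(entry)
```

The audit trail is passed in rather than kept in a global so the caller controls where it is stored and who can read it, which is the point of keeping it "secure from as many users as possible"; the decision function writes an entry for denials as well as grants, since a log of refused access attempts is what reviewers of the access logs need.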
Part 3, Section E, Topic 15
IAM Process

Provisioning: Creating, changing, or terminating an identity that grants access to a system
Identity management: Strategies, policies, and processes for monitoring, auditing, and reporting
Enforcement of policies: Automatic processes or mechanisms
Part 3, Section E, Topic 15
IT General Controls—Physical Controls

• Physical access controls
  – Key card with security computer database
  – Role-based subdivisions within a building
  – Biometrics
  – Data centers: not on an exterior wall; slab-to-slab construction
• Environmental hazard controls
  – Surge suppression, grounding, UPSs
  – HVAC, air cleaning
  – Regular maintenance logs
• Fire and flood protection
  – Fire alarms, moisture detectors
Part 3, Section E, Topic 15
General Controls—Hardware Controls

Detect and report hardware errors, but a process needs to be in place to fix the errors:
• Redundant character check
• Equipment check
• Duplicate process check
• TEMPEST
• Echo check
• Fault-tolerant components
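An added example, not from the IIA deck, of two of the controls listed: a redundant character check implemented as an even-parity bit on each transmitted character, and an echo check in which the sender compares what the receiver sends back. The framing, the fault simulation and the sample text are constructed for the example; it also shows the limit of parity alone, which misses an even number of flipped bits in one character.

```python
def parity_bit(data7):
    """Even-parity bit for a 7-bit value: 1 when the data has an odd number of ones."""
    return bin(data7 & 0x7F).count("1") % 2


def encode(text):
    """Frame ASCII text as bytes whose top bit is the redundant parity character."""
    out = bytearray()
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError("7-bit ASCII only")
        out.append(code | (parity_bit(code) << 7))
    return bytes(out)


def parity_failures(frame):
    """Positions whose byte no longer has an even number of ones (a detected error)."""
    return [i for i, b in enumerate(frame) if bin(b).count("1") % 2 != 0]


def decode(frame):
    """Strip the parity bits; run parity_failures first and handle any hits (detection only)."""
    return bytes(b & 0x7F for b in frame).decode("ascii")


def corrupt(frame, byte_index, bit_positions):
    """Simulate a hardware fault by flipping the given bits of one byte (constructed)."""
    out = bytearray(frame)
    for bit in bit_positions:
        out[byte_index] ^= 1 << bit
    return bytes(out)


def echo_check(sent, echoed):
    """Echo check: the receiver returns what it got and the sender compares it."""
    return sent == echoed


if __name__ == "__main__":
    frame = encode("AUDIT")
    one_bit = corrupt(frame, 2, [0])      # single bit flipped in 'D'
    two_bits = corrupt(frame, 2, [0, 3])  # two bits flipped in the same byte
    print(parity_failures(one_bit))       # [2]: detected
    print(parity_failures(two_bits))      # []: parity alone misses an even number of flips
    print(echo_check(frame, two_bits))    # False: the echo check still catches it
```

Both checks only detect: neither function repairs the frame, which is why the slide insists that a process must exist to act on the reported error (retransmit, fail over to a fault-tolerant component, or raise an incident).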
Part 3, Section E, Topic 15
Data Storage and Security

• Consistent data structure standards
• Data security controls
  – While on site, in transmission, or stored in third-party systems
  – End-user training
  – Physical and logical controls over data
• Backing up data
  – Grandfather-father-son
  – Off-site vaulting + electronic journaling = electronic vaulting
  – Storage methodology and labeling
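As an added example of the grandfather-father-son rotation and the labeling point (not code from the IIA deck), the following Python classifies each backup date into a generation, labels the medium, and decides which media are still inside their retention window and which are free for reuse. The generation rules (month-end = grandfather, Friday = father, other days = son), the retention periods and the backup history are assumptions for this example.

```python
import calendar
from datetime import date, timedelta

# Retention per generation; the figures are assumptions for this example.
RETENTION = {
    "son": timedelta(days=7),            # daily backups kept one week
    "father": timedelta(weeks=5),        # weekly full backups kept five weeks
    "grandfather": timedelta(days=366),  # month-end backups kept a year
}


def generation(d):
    """Classify a backup date: month-end = grandfather, Friday = father, otherwise son."""
    if d.day == calendar.monthrange(d.year, d.month)[1]:
        return "grandfather"
    if d.weekday() == 4:  # Friday
        return "father"
    return "son"


def media_label(d, set_name="PROD"):
    """Label identifying generation and date so the right medium is pulled for a restore."""
    return f"{set_name}-{generation(d).upper()}-{d.isoformat()}"


def retained(backup_dates, today):
    """Backups still inside their generation's retention window, oldest first."""
    return sorted(d for d in backup_dates if today - d <= RETENTION[generation(d)])


def rotation_plan(backup_dates, today):
    """Split a backup set into media to keep (by generation) and media free to reuse."""
    keep = retained(backup_dates, today)
    reuse = sorted(set(backup_dates) - set(keep))
    by_gen = {g: [d for d in keep if generation(d) == g] for g in RETENTION}
    return by_gen, reuse


def daily_dates(start, end):
    """Every calendar day from start to end inclusive (constructed backup history)."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    today = date(2024, 4, 15)
    history = daily_dates(date(2024, 1, 1), date(2024, 4, 14))
    by_gen, reuse = rotation_plan(history, today)
    for gen, dates in by_gen.items():
        print(gen, [media_label(d) for d in dates])
    print(len(reuse), "media free for reuse")
```

Because month-end is tested before Friday, a Friday that falls on the last day of a month is promoted to a grandfather rather than being recycled after five weeks; an auditor checking the vault inventory can recompute the expected set from the rotation rules alone and compare it with the labels actually on the shelf.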
Part 3, Section E, Topic 15
Backup Data Storage Media

• Hard drive
• RAID
• Storage area network (SAN)
• Tape/tape libraries
• Magnetic disk
• Network-attached storage (NAS)
• Online (FTP) storage
• CD-ROM
• DVD
• USB storage (small amount of data only)
Part 3, Section E, Topic 15
General Controls—IT Operational Controls

• Planning controls
• Policies, standards, and procedures
  – IT segregation: access only if there is a job necessity
• Data security
  – Minimize users with administrative privileges
  – End-user training to reduce password risks, etc.
• Insurance and continuity planning
• External provider controls
Part 3, Section E, Topic 15
Security Levels

Cost of security should be commensurate with the level of risk mitigation required.

Security Level – Impact – Example
Low – Moderate impact on reputation or productivity; still must be safeguarded – Data on public servers such as Web sites
Moderate – Serious impact on the firm's mission; potential market losses – ERP data; data needed for government agency reporting; medical records
High – If compromised, could destroy reputation, productivity, market share – Contingency plan with off-site storage locations; evidence for trial
Part 3, Section E, Topic 15
Reinforcing Activity 3-11: Information Technology
Part 3, Section E, Topics 8, 12, and 15
Discussion Question

Which of the following is true of a centrally located, multiple-application, relational database and database management system (DBMS)?
A. Standards must be set up in several ways to accommodate all attached applications.
B. The database is more expensive and complex and could cause overall system failure.
C. File redundancies cannot be completely eliminated.
D. Applications are more difficult to program but function better once made.

Answer: B. The answer lists some of the drawbacks/risks involved with a centralized DBMS.
Part 3, Section E, Topic 16
Database Terminology

• Data definition language
• Schema and subschema
• Data dictionary
• Data manipulation language
• Data query language, e.g., SQL

Data hierarchy (smallest to largest):
Bit – 0 or 1
Character – A
Field – 14 W. Addison St.
Record – Address
File – SUPPLIER_TABLE
Database – ERP system
Part 3, Section E, Topic 16
Relational Databases

CUSTOMER_TABLE
CUSTOMER_NO  CUST_NAME        ADDRESS           ZIP
23423        Al’s Outfitters  14 Wallaby Way    33432
56456        Journeyman       42 Driftwood Rd.  39323

SALES_TABLE
SALES_NO  CUSTOMER_NO  PART_NO  DESC        QTY  DATE
234       23423        A239-3   Piton       900  2/14/Y1
235       56456        B567-9   Carabineer  500  2/14/Y1

PARTS_TABLE
PART_NO  DESC        PRICE     TERMS     SUPPLIER_NO  SUPPLIER
A239-3   Piton       US $1.25  2/10 n30  983892       Steel, Inc.
B567-9   Carabineer  US $2.15  2/10 n30  394003       Alumco.

Each row is an entity and each column is an attribute. CUSTOMER_NO links CUSTOMER_TABLE to SALES_TABLE, PART_NO links SALES_TABLE to PARTS_TABLE, and SUPPLIER_NO links PARTS_TABLE to the SUPPLIER table; these linking columns are the key fields.
Part 3, Section E, Topic 16
Database Controls

• Enforcing attribute standards and ensuring the accuracy of data elements and relationships
• Managing concurrent access without sacrificing data integrity or availability
• Protecting against data loss during processing and restarts
• Protecting against loss of stored data
• Optimizing database size and efficiency
• Managing access
• Monitoring and reporting on performance
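The following Python is an added example for the Relational Databases slide and the first and "Managing access" items of these database controls; it is not code from the IIA deck. It loads the slide's three tables (plus the SUPPLIER table they link to) into an in-memory SQLite database with the key-field links declared as foreign keys, joins them through those keys, shows a constraint rejecting a sale for a customer that does not exist, and exposes a restricted view as a column-level access control. Column names DESCRIPTION and SALE_DATE replace the slide's DESC and DATE, which are SQL keywords, and the clerk view is an assumption for the example.

```python
import sqlite3

# Schema for the three tables on the slide plus the SUPPLIER table they link to.
# DESC and DATE are SQL keywords, so the columns are named DESCRIPTION and SALE_DATE here;
# the sales row's description is derived from PARTS_TABLE rather than stored twice.
SCHEMA = """
CREATE TABLE CUSTOMER_TABLE (
    CUSTOMER_NO INTEGER PRIMARY KEY,
    CUST_NAME   TEXT NOT NULL,
    ADDRESS     TEXT,
    ZIP         TEXT
);
CREATE TABLE SUPPLIER_TABLE (
    SUPPLIER_NO INTEGER PRIMARY KEY,
    SUPPLIER    TEXT NOT NULL
);
CREATE TABLE PARTS_TABLE (
    PART_NO     TEXT PRIMARY KEY,
    DESCRIPTION TEXT NOT NULL,
    PRICE       REAL NOT NULL CHECK (PRICE >= 0),
    TERMS       TEXT,
    SUPPLIER_NO INTEGER NOT NULL REFERENCES SUPPLIER_TABLE (SUPPLIER_NO)
);
CREATE TABLE SALES_TABLE (
    SALES_NO    INTEGER PRIMARY KEY,
    CUSTOMER_NO INTEGER NOT NULL REFERENCES CUSTOMER_TABLE (CUSTOMER_NO),
    PART_NO     TEXT    NOT NULL REFERENCES PARTS_TABLE (PART_NO),
    QTY         INTEGER NOT NULL CHECK (QTY > 0),
    SALE_DATE   TEXT    NOT NULL
);
-- Column-level access control (constructed): a clerk view that hides prices and terms.
CREATE VIEW CLERK_SALES AS
    SELECT SALES_NO, CUSTOMER_NO, PART_NO, QTY, SALE_DATE FROM SALES_TABLE;
"""

# Rows copied from the slide; parents are loaded before the tables that reference them.
ROWS = {
    "CUSTOMER_TABLE": [(23423, "Al's Outfitters", "14 Wallaby Way", "33432"),
                       (56456, "Journeyman", "42 Driftwood Rd.", "39323")],
    "SUPPLIER_TABLE": [(983892, "Steel, Inc."), (394003, "Alumco.")],
    "PARTS_TABLE": [("A239-3", "Piton", 1.25, "2/10 n30", 983892),
                    ("B567-9", "Carabineer", 2.15, "2/10 n30", 394003)],
    "SALES_TABLE": [(234, 23423, "A239-3", 900, "2/14/Y1"),
                    (235, 56456, "B567-9", 500, "2/14/Y1")],
}


def open_db():
    """In-memory database with referential integrity switched on and the slide's data loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces REFERENCES when this is on
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        placeholders = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def sales_report(conn):
    """Join the tables through their key fields, as the slide's 'Link' arrows show."""
    return conn.execute("""
        SELECT s.SALES_NO, c.CUST_NAME, p.DESCRIPTION, s.QTY,
               ROUND(s.QTY * p.PRICE, 2) AS EXTENDED, sup.SUPPLIER
        FROM SALES_TABLE s
        JOIN CUSTOMER_TABLE c   ON c.CUSTOMER_NO = s.CUSTOMER_NO
        JOIN PARTS_TABLE p      ON p.PART_NO = s.PART_NO
        JOIN SUPPLIER_TABLE sup ON sup.SUPPLIER_NO = p.SUPPLIER_NO
        ORDER BY s.SALES_NO
    """).fetchall()


def insert_sale(conn, sales_no, customer_no, part_no, qty, sale_date):
    """Parameterised insert; returns False when a constraint rejects the row."""
    try:
        with conn:
            conn.execute("INSERT INTO SALES_TABLE VALUES (?, ?, ?, ?, ?)",
                         (sales_no, customer_no, part_no, qty, sale_date))
        return True
    except sqlite3.IntegrityError:
        return False


def clerk_columns(conn):
    """Column names visible through the restricted view."""
    return [d[0] for d in conn.execute("SELECT * FROM CLERK_SALES LIMIT 1").description]


if __name__ == "__main__":
    db = open_db()
    for row in sales_report(db):
        print(row)
    print(insert_sale(db, 236, 99999, "A239-3", 10, "2/15/Y1"))  # False: no such customer
    print(insert_sale(db, 237, 23423, "B567-9", 0, "2/15/Y1"))   # False: QTY must be > 0
    print(insert_sale(db, 238, 23423, "B567-9", 25, "2/15/Y1"))  # True
    print(clerk_columns(db))
```

The foreign keys and CHECK constraints are the "accuracy of data elements and relationships" control enforced by the DBMS itself rather than by each application; the parameterised insert keeps user-supplied values out of the SQL text, and the view is the simplest form of restricting what a role can see without copying the data.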
Part 3, Section E, Topic 16
Discussion Question

A database manager suggests to an auditor that to improve the security of the payroll area of the database, it should have checkpoints and fine-grained access control. The former restricts _____, while the latter restricts _____.
A. access by job role; the data itself.
B. the data itself; access by job role.
C. access by key card; by unique ID.
D. by unique ID; access by key card.

Answer: A. Database areas can be segregated by checkpoints based on job role; fine-grained access control restricts the data itself.
Part 3, Section E, Topic 16
Data Cleansing

• Concatenation
• Standardization
• Taxonomy
• Normalization
• Deduping
• Categorization
• Enhancement
Part 3, Section E, Topic 16
Data Warehouses, OLAP, Data Mining

[Figure: transactional, real-time databases feed a data warehouse (not real time); from the warehouse, OLAP manipulates results without making a new query (rotate; drill up, drill down; illustrated by a cube of sales items by sales regions, actual vs. planned), and data mining finds hidden patterns.]
Part 3, Section E, Topic 16
Software Copyright

• Software license agreement
  – By server, computer, site, concurrent users, etc.
• Rights of the organization
  – Source code license
  – Right to make backup copies?
• Software piracy
  – Illegal copies
  – Installation of more copies than agreed to
• Clearly communicate the copyright policy
  – Personal consequences
  – Consequences to the organization
Part 3, Section E, Topic 17
Software Licensing Controls

• Implement copyright protection/piracy policies.
• Review all software contracts and secure site/concurrent user contracts if possible.
• Compile a list of all approved and licensed applications (and the allowable number of copies).
• Prevent downloading of illegal copies.
• Prevent installation from the PC.
• Centralize software purchasing and installation.
Part 3, Section E, Topic 17
Discussion Question

Which of the following is true of purchased software as opposed to internally developed software? (Select all that apply.)
I. The application is usually better documented.
II. A “patch deck” allows customization to migrate between versions.
III. Purchased software often costs more than internally developed software.
IV. Application testing is not as robust.

Answer: I and II.
Part 3, Section E, Topic 17
Software Purchasing Steps

• Make-or-buy decision.
• Simple off-the-shelf applications use internal evaluation.
• Complex systems involve an RFQ or RFP:
  – Get nondisclosure agreements before submitting.
  – Review responses; invite some vendors to make a presentation.
  – Should see a functioning model, preferably using the organization's data and volume levels.
  – Primary factor: Does it meet requirements?
Part 3, Section E, Topic 17
Web Terminology

• Internet: network of networks
• WWW: largest subset
• Intranet
• Extranet
• HTTP/HTTPS
• Internet protocol (IP) address
• Domain name system (DNS)
• FTP
• Uniform Resource Locator (URL)

Anatomy of a URL: http://www.theiia.org/itaudit/index.cfm?catid=29&iid=509
  Protocol: http
  Domain name: www.theiia.org
  Directory path: /itaudit/
  Document name: index.cfm (followed by the query string catid=29&iid=509)
Part 3, Section E, Topic 18
Internet Structure

• Internet backbone: physical infrastructure owned by network service providers (e.g., telecom companies, governments)
• Network access points (NAPs)
• Metropolitan access points (MAPs)
• Data on the Internet is neither owned nor managed
• World Wide Web Consortium (W3C) sets protocols
• ISP or VPN
• TCP/IP
• Broadband/narrowband
Part 3, Section E, Topic 18
Discussion Question

Which of the following would be the best policy for safeguarding a confidential e-mail once the user has downloaded the message to their computer?
A. Permanently maintain copies on the server.
B. Maintain copies on the server for three years.
C. Automatically delete the message once downloaded.

Answer: C. Prompt deletion of confidential e-mail after downloading reduces the risk of compromise.
Part 3, Section E, Topic 18
Browser Security

• Disable unnecessary features.
  – Plain HTML is best.
• ActiveX or Java could conceal malicious code.
  – Java's sandbox environment could be compromised.
• Treat plug-ins with suspicion.
• Disallow most cookies; allow them only for trusted sites.
• Pop-up blocker.
• Browser security: set to "high."
  – Define "trusted" sites (HTTPS, SSL, or other verifiable sites).
  – Cross-site scripting: third-party trusted sites compromised.
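The following Python is an added example covering the URL anatomy on the Web Terminology slide and the "trusted sites" and cookie points above; it is not code from the IIA deck. It splits a URL into the four labelled parts, then applies a trusted-site rule of the kind the slide describes: HTTPS only, and an exact match against an allowlist. The allowlist, which uses the slide's own example host, and the lookalike host in the demonstration are constructed.

```python
from urllib.parse import urlsplit, parse_qs
import posixpath

# Constructed allowlist of trusted sites for this example (the slide's example host).
TRUSTED_HOSTS = {"www.theiia.org"}


def url_anatomy(url):
    """Split a URL into the parts labelled on the Web Terminology slide."""
    parts = urlsplit(url)
    directory, document = posixpath.split(parts.path)
    return {
        "protocol": parts.scheme.lower(),
        "domain_name": (parts.hostname or "").lower(),
        "directory_path": directory,
        "document_name": document,
        "query": parse_qs(parts.query),
    }


def is_trusted(url):
    """A site is trusted only over HTTPS and only on an exact host match.

    Exact matching matters: a suffix or substring test would also accept a
    lookalike host such as www.theiia.org.example.net (constructed)."""
    a = url_anatomy(url)
    return a["protocol"] == "https" and a["domain_name"] in TRUSTED_HOSTS


def cookie_decision(url):
    """'Disallow most cookies; allow them only for trusted sites.'"""
    return "allow" if is_trusted(url) else "block"


if __name__ == "__main__":
    slide_url = "http://www.theiia.org/itaudit/index.cfm?catid=29&iid=509"
    for name, value in url_anatomy(slide_url).items():
        print(f"{name:15s} {value}")
    for u in (slide_url,
              "https://www.theiia.org/itaudit/index.cfm",
              "https://www.theiia.org.example.net/login"):
        print(cookie_decision(u), u)
```

Note that the slide's own URL is classified as untrusted because it uses plain HTTP: the rule "HTTPS, SSL, or other verifiable sites" means the scheme is checked before the host name is even consulted.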
Part 3, Section E, Topic 18
Web Services, Service-Oriented Architecture

Loose coupling:
• Includes real dependencies, omits artificial dependencies.
• Separates data from the application.
• A service request says what it needs done, not how to do it.

[Figure: SOA diagram with message content inside a SOAP wrapper; elements labeled: 1. Service consumer; 2. Service consumer and provider, or UDDI registry; 3. Service provider; 4. Service AB; Service A, Service B, Web service; queries "AB?" and "B?".]
Part 3, Section E, Topic 18
Audit Concerns with SOA

• All ERP modules such as finance or A/R can be Web services.
• SOA acts as a trunk line for services attached to the Web.
• Direct link, automated trading:
  – The customer's ERP system becomes a service consumer.
  – Omits some segregation of duties.
• Compensating controls:
  – Make other ERP systems, etc., users in their own right.
  – Actual persons logged in also need verifying as proper sub-users.
  – Avoid port 80.
  – Emphasize application-level controls.
  – Implement in stages, with nonfinancial modules first.
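An added example, not code from the IIA deck, of the SOAP wrapper from the previous slide combined with the first two compensating controls above: the consumer side wraps the message content in a SOAP 1.1 envelope whose header names both the calling ERP system and the person logged in to it, and the provider side accepts the request only if the system is a registered user in its own right, the person is a registered sub-user of that system, and the operation is one that system is permitted to call. The application namespace, the registry and the sample order are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:erp-orders"                        # constructed application namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("app", APP_NS)

# Constructed provider-side registry: each consumer system is a user in its own right,
# with the sub-users (actual persons) and operations it may use.
REGISTRY = {
    "customer-erp-01": {
        "sub_users": {"buyer.alice", "buyer.bob"},
        "operations": {"CreateOrder", "OrderStatus"},
    },
}


def q(ns, tag):
    """Clark-notation tag name for ElementTree."""
    return f"{{{ns}}}{tag}"


def build_request(system_id, sub_user, operation, fields):
    """Consumer side: wrap message content in a SOAP envelope with an identity header."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    header = ET.SubElement(env, q(SOAP_NS, "Header"))
    ident = ET.SubElement(header, q(APP_NS, "Identity"))
    ET.SubElement(ident, q(APP_NS, "SystemId")).text = system_id
    ET.SubElement(ident, q(APP_NS, "SubUser")).text = sub_user
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    op = ET.SubElement(body, q(APP_NS, operation))
    for name, value in fields.items():
        ET.SubElement(op, q(APP_NS, name)).text = str(value)
    return ET.tostring(env, encoding="unicode")


def handle_request(xml_text):
    """Provider side: verify the system, then the sub-user, then the operation, before acting."""
    # Production code should parse untrusted XML with a hardened parser; ET is used here for brevity.
    env = ET.fromstring(xml_text)
    identity = env.find(f"{q(SOAP_NS, 'Header')}/{q(APP_NS, 'Identity')}")
    body = env.find(q(SOAP_NS, "Body"))
    if identity is None or body is None or len(body) == 0:
        return ("reject", "malformed envelope")
    system_id = identity.findtext(q(APP_NS, "SystemId"))
    sub_user = identity.findtext(q(APP_NS, "SubUser"))
    operation = body[0].tag.split("}")[-1]
    entry = REGISTRY.get(system_id)
    if entry is None:
        return ("reject", "unknown consumer system")
    if sub_user not in entry["sub_users"]:
        return ("reject", "sub-user not registered for this system")
    if operation not in entry["operations"]:
        return ("reject", "operation not permitted for this system")
    fields = {child.tag.split("}")[-1]: child.text for child in body[0]}
    return ("accept", f"{operation} by {sub_user}@{system_id}: {fields}")


if __name__ == "__main__":
    msg = build_request("customer-erp-01", "buyer.alice", "CreateOrder",
                        {"PartNo": "A239-3", "Qty": 900})
    print(msg)
    print(handle_request(msg))
    print(handle_request(build_request("customer-erp-01", "jsmith", "CreateOrder", {})))
    print(handle_request(build_request("customer-erp-01", "buyer.bob", "ApprovePayment", {})))
```

The three checks are application-level controls in the sense of the slide: they run inside the service regardless of which port or transport carried the envelope, so a request that arrives over an unexpected path is still judged on who sent it and on whose behalf.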
Part 3, Section E, Topic 18
Questions?
End of Section E
Part 3, Section E