Upload
morgan-stokes
View
220
Download
3
Embed Size (px)
Citation preview
STRUCTURING THE IT FUNCTION
Centralized data processing (as opposed to DDP)
Database administrator Data processing manager/dept.
Data control Data preparation/conversion Computer operations Data library
2
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions Systems development & maintenance
ParticipantsEnd usersIS professionalsAuditorsOther stakeholders
3
STRUCTURING THE IT FUNCTION Segregation of incompatible IT functions
Objectives: Segregate transaction authorization
from transaction processing Segregate record keeping from asset
custody Divide transaction processing steps
among individuals to force collusion to perpetrate fraud
Separating systems development from computer operations
4
STRUCTURING THE IT FUNCTION
Segregation of incompatible IT functions Separating DBA from other functions
DBA is responsible for several critical tasks: Database security Creating database schema and
user views Assigning database access authority to users Monitoring database usage Planning for future changes
5
STRUCTURING THE IT FUNCTION Segregation of incompatible IT functions
Alternative 1: segregate systems analysis from programming
Two types of control problems from this approach:
Inadequate documentation Is a chronic problem. Why? Not interesting Lack of documentation provides job security Assistance: Use of CASE tools
Potential for fraud Example: Salami slicing, trap doors
6
STRUCTURING THE IT FUNCTION Segregation of incompatible IT functions
Segregate data library from operations Physical security of off-line data files Implications of modern systems on use of
data library: Real-time/online vs. batch processing Volume of tape files is insufficient to justify full-
time librarian Alternative: rotate on ad hoc basis
Custody of on site data backups Custody of original commercial software and
licenses
7
STRUCTURING THE IT FUNCTION Segregation of incompatible IT functions
Audit procedures: Obtain and review security policy Verify policy is communicated Review relevant documentation (org. chart,
mission statement, key job descriptions) Review systems documentation and
maintenance records (using a sample) Verify whether maintenance programmers are
also original design programmers Observe segregation policies in practice Review operations room access log Review user rights and privileges
8
Computing ModelsCentralized ProcessingClient Server Processing
thin or fat clients2 to n tiered
Distributed Computingusing idle processing time
Distributed Database Computingreplicated or divided
9
STRUCTURING THE IT FUNCTION The distributed model
Risks associated with DDP Inefficient use of resources
Mismanagement of resources by end users
Hardware and software incompatibility Redundant tasks
Destruction of audit trails Inadequate segregation of duties Hiring qualified professionals
Increased potential for errors Programming errors and system failures
Lack of standards
10
STRUCTURING THE IT FUNCTION The distributed model
Advantages of DDP Cost reduction
End user data entry vs. data control group Application complexity reduced Development and maintenance costs
reduced Improved cost control responsibility
IT critical to success then managers must control the technologies
Improved user satisfaction Increased morale and productivity
Backup flexibility Excess capacity for DRP
11
STRUCTURING THE IT FUNCTION Controlling the DDP
environment Audit objectives:
Conduct a risk assessment Verify the distributed IT units
employ entity-wide standards of performance that promotes compatibility among hardware, operating software, applications, and data
12
STRUCTURING THE IT FUNCTION Controlling the DDP environment
Audit procedures: Verify corporate policies and standards are
communicated Review current organization chart, mission
statement, key job descriptions to determine if any incompatible duties exist
Verify compensating controls are in place where incompatible duties do exist
Review systems documentation Verify access controls are properly
established
13
THE COMPUTER CENTER Computer center controls
Physical location Avoid human-made and natural hazards Example: Chicago Board of Trade
Construction Ideally: single-story, underground utilities,
windowless, use of filters If multi-storied building, use top floor (away
from traffic flows, and potential flooding in a basement)
Access Physical: Locked doors, cameras Manual: Access log of visitors
14
THE COMPUTER CENTER Computer center controls
15
Air conditioning Especially mainframes Amount of heat even from a group of PCs
Fire suppression Automatic: usually sprinklers
Gas, such as halon, that will smother fire by removing oxygen can also kill anybody trapped there
Sprinklers and certain chemicals can destroy the computers and equipment
Manual methods Power supply
Need for clean power, at a acceptable level Uninterrupted power supply
THE COMPUTER CENTER Computer center controls
Audit objectives Verify physical security controls are
reasonable Verify insurance coverage is adequate Verify operator documentation is adequate in
case of failure
Audit procedures Tests of physical construction Tests of fire detection Tests of access control Tests of backup power supply Tests for insurance coverage Tests of operator documentation controls
16
PC SYSTEMS Control environment for PCs
Controls Risk assessment Inherent weaknesses Weak access control Inadequate segregation of duties Multilevel password control – multifaceted
access control Risk of physical loss
Laptops, etc. can “walk off” Risk of data loss
Easy for multiple users to access data End user can steal, destroy, manipulate Inadequate backup procedures
Local backups on appropriate medium Dual hard drives on PC External/removable hard drive on PC
17
PC SYSTEMS Control environment for PCs
Risk associated with virus infection Policy of obtaining software Policy for use of anti-virus software Verify no unauthorized software on
PCs
Risk of improper SDLC procedures Use of commercial software Formal software selection
procedures
18
FIGURE 2.8 – Password Policy
Proper Dissemination – Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization.
Proper Length: Use at least 8 characters. The more characters, the more difficult to guess or crack. Eight characters is an effective length to prevent guessing, if combined with below.
Proper Strength: Use alphabet (letters), numbers (at least 1), and special characters (at least 1). The more non-alpha, the harder to guess or crack. Make them case sensitive and mix upper and lower case. A “Strong” password for any critical access or key user. Password CANNOT contain a real word in the content.
Proper Access Levels or Complexity: Use multiple levels of access requiring multiple passwords. Use a password matrix of data to grant read-only, read/write, or no access per data field per user. Use biometrics {such as fingerprints, voice prints}. Use supplemental access devices, such as smart cards, or beeper passwords in conjunction with remote logins. Use user-defined procedures.
Proper Timely Changes: At regular intervals, make employees change their passwords.
Proper Protection: Prohibit the sharing of passwords or “post-its” with passwords located near one’s computer.
Proper Deletion: Require the immediate deletion of accounts for terminated employees, to prevent an employee from being able to perpetrate adverse activities.
SYSTEM-WIDE CONTROLS E-mail risks
Spoofing Spamming Hoax virus warnings Flaming Malicious attachments (e.g., viruses) Phishing Pharming
20
SYSTEM-WIDE CONTROLS Malicious objects risk
Virus Worm Logic bomb Back door / trap door Trojan horse Potential control procedures Audit objective Audit procedures
21
Types of Computer CrimeHackingTheft of Intellectual PropertyTheft of PIIPhishing and PharmingIdentity TheftCyberstalkingViruses
Email Image Spams
Botnets infect up to 10% of all computers
Image spams allow emails to avoid filters
Popular spam – enticing readers to buy a cheap stock in a pump and dump
The Italian JobInfected more than 10,000 web pages on
popular websites including travel agents, hotels, charities and government departments.
Most are in Italy, but also Spain and US.Eastern European based using a $500 kit.Downloads keylogger to steal identities.
SYSTEM-WIDE CONTROLS Controlling electronic audit
trails Keystroke monitoring (keystroke log) Event monitoring (key events log) Audit trail objectives
Detecting unauthorized access Reconstructing events Personal accountability
Implementing an audit trail Transaction logs
25
26
Data Capture
KeyKatcher Records chat, e-mail, internet &
more Is easier to use than parental
control software Identifies internet addresses Uses no system resources Works on all PC operating
systems Undetectable by software
www.lakeshoretechnology.com
SYSTEM-WIDE CONTROLS Disaster recovery planning
Critical applications identified and ranked
Create a disaster recovery team with responsibilities
27
SYSTEM-WIDE CONTROLS Disaster recovery planning
Site backup “Hot site” – Recovery
Operations Center “Cold site” – empty shell Mutual aid pact Internally provided backup Other options
28
Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of same company swap availability when needed.
4. Hardware Backup – Some vendors provide computers with their site – known as a hot site or Recovery Operations Center. Some do not provide hardware – known as a cold site. When not available, make sure plan accommodates compatible hardware (e.g., ability to lease computers).
5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).
SYSTEM-WIDE CONTROLS Disaster recovery planning
Audit objectives Verify management’s DRP is adequate
Audit procedures Verify a second-site backup is adequate Review the critical application list for
completeness Verify backups of application software are
stored off-site Verify that critical data files are backed up and
readily accessible to DRP team Verify resources of supplies, documents, and
documentation are backed up and stored off-site
Verify that members listed on the team roster are current employees and that they are aware of their responsibilities
30
SYSTEM-WIDE CONTROLS Fault tolerance
Definition 44% of IS down-time attributable to system
failures! Controls
Redundant systems or parts RAID
UPS Multiprocessors
Audit objective To ensure the organization is employing an
appropriate level of fault tolerance Audit procedures
Verify proper level of RAID devices Review procedures for recovery from system
failure Verify boot disks are secured 31
32
Client Server Systems
33
Firewalls
34
Demilitarized Zone
35