Management is responsible for the accuracy of various internal reports and financial statements produced by the organization’s IS.
SOX Section 302 requires that the CEO and CFO certify the accuracy of the financial statements.
SOX Section 404 requires that the annual report include a report on the company’s internal controls. Within this report, management acknowledges their responsibility for designing and maintaining internal controls and assessing their effectiveness.
Security is a key component of the internal control and systems reliability to which management must attest.
As identified in the COSO model, management’s philosophy and operating style are critical to an effective control environment.
The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised.
Authorization restricts the access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform.
Authorization controls are implemented by creating an access control matrix, which specifies what part of the IS each user can access and what actions they are permitted to perform.
When an employee tries to access a particular resource, the system performs a compatibility test that matches the user’s authentication credentials against the matrix to determine if the action should be allowed.
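The access control matrix and compatibility test described above, as an added example that is not part of the original notes. Users, resources and permissions are constructed sample data; the matrix is default-deny, and every request (allowed or denied) is recorded so that repeated denials can feed the detective controls mentioned earlier.

```python
"""Added example: an access control matrix plus the compatibility test
that checks an authenticated user's request against it.
All users, resources and rights below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Rows of the matrix are authenticated users, columns are IS resources,
# and each cell is the set of actions that user may perform on that resource.
# Anything not listed is denied (default deny).
AccessControlMatrix = Dict[str, Dict[str, FrozenSet[str]]]

ACL: AccessControlMatrix = {
    "alice": {  # accounts payable clerk (constructed)
        "vendor_master": frozenset({"read"}),
        "invoices": frozenset({"read", "create"}),
    },
    "bob": {  # accounts payable supervisor (constructed)
        "vendor_master": frozenset({"read", "update"}),
        "invoices": frozenset({"read", "approve"}),
        "payments": frozenset({"read", "create"}),
    },
    "carol": {  # internal auditor (constructed): read-only everywhere
        "vendor_master": frozenset({"read"}),
        "invoices": frozenset({"read"}),
        "payments": frozenset({"read"}),
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuthorizationService:
    matrix: AccessControlMatrix
    # (user, resource, action, allowed) for every request seen
    audit_log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def compatibility_test(self, user: str, resource: str, action: str) -> Decision:
        """Match an already-authenticated user's request against the matrix.

        The user name is assumed to come from a completed authentication
        step; this function only decides authorization. Every outcome is
        logged and every denial carries a reason for the reviewer.
        """
        row = self.matrix.get(user)
        if row is None:
            decision = Decision(False, f"user '{user}' has no row in the matrix")
        elif resource not in row:
            decision = Decision(False, f"user '{user}' has no rights on '{resource}'")
        elif action not in row[resource]:
            decision = Decision(False, f"'{action}' on '{resource}' not permitted for '{user}'")
        else:
            decision = Decision(True, "permitted by matrix")
        self.audit_log.append((user, resource, action, decision.allowed))
        return decision

    def denied_attempts(self) -> List[Tuple[str, str, str]]:
        """Denied requests: the entries a security monitor would review."""
        return [(u, r, a) for (u, r, a, ok) in self.audit_log if not ok]


if __name__ == "__main__":
    svc = AuthorizationService(ACL)
    for user, resource, action in [
        ("alice", "invoices", "create"),   # allowed
        ("alice", "invoices", "approve"),  # denied: action not in cell
        ("alice", "payments", "read"),     # denied: no rights on resource
        ("mallory", "invoices", "read"),   # denied: unknown user
    ]:
        d = svc.compatibility_test(user, resource, action)
        print(f"{user:8} {action:8} {resource:14} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("denied attempts to review:", svc.denied_attempts())
```

The matrix is kept as plain data so that it can be reviewed and reconciled against job descriptions, which is how management would demonstrate that the control is designed and operating as intended.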
Routers and firewalls are designed to protect the network perimeter.
Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices (collectively referred to as hosts) that comprise the organization’s network.
The Information Systems Audit and Control Association (ISACA) and the IT Governance Institute have developed a comprehensive framework for information systems controls called Control Objectives for Information and Related Technology (COBIT).
COBIT specifies 34 IT-related control objectives.
For each objective it provides management guidelines that identify the critical success factors associated with that objective.
It also provides key performance indicators that can be used to assess the effectiveness of the controls.