In a recent survey of executives by the IT Governance Institute, half of those surveyed indicated that IT is very important to their organization, yet noted that IT issues were discussed only on an ad hoc basis at the senior management level.
There are six objectives that aim to align the goals of the business with the goals of IT. Which of the following is NOT one of these goals?
- Alignment of organizational and IT strategies
- Effective management and responsible use of IT resources
- Realization of non-IT related opportunities
Those of you who have been through a financial audit know the topic well. The IT function has its own segregation needs, but can also help with duty segregation in other, non-IT areas.
Rights management is what enforces segregation of duties within information systems. In an accounting system, what good are user credentials unless different users have different rights?
User administration is often turned over to the IT group, so it falls between HR and IT.
- Data owners need to take responsibility: IT doesn't know what department heads do.
- Network: network-level permissions can circumvent the application's rights interface, for example on interface and export locations!
- Applications: control and reporting of those who can create users; change parameters should mirror those of the network.
Problem with having the same person handle both: they could circumvent other segregation of duty controls. Controls should also include documentation between the HR, IT and application management groups: forms, email, other tracking mechanisms. The annual audit cannot be an IT-only exercise.
Compensating controls: require appropriate use of the items mentioned. If approvals can be overridden through loose rights assignments, then there is no value.
Reporting: only useful if reports are reviewed: system logs, 3rd party applications, approval and override reporting.
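As an added example (not from the original presentation), the following Python script shows what a segregation-of-duties review of rights assignments can look like when the network layer is folded in, as the notes above recommend: application rights are combined with the rights effectively granted by write access on export and interface shares, and the result is checked against a conflict matrix. The right names, conflict pairs, share paths and user list are all hypothetical sample data constructed for illustration.

```python
"""Segregation-of-duties review of application rights, with network share
permissions folded in. Added example; all names and paths are hypothetical."""

# Conflict pairs (hypothetical): holding both halves lets one person complete
# a transaction alone or bypass an approval or provisioning control.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"create_user", "assign_rights"}),            # provisioning
    frozenset({"submit_for_approval", "override_approval"}),  # approval override
    frozenset({"create_vendor", "modify_payment_file"}),      # via the share
}

# Network locations that expose application data outside the application's
# own rights interface, and the application-level right that write access
# there effectively grants (hypothetical paths and rights).
SHARE_IMPLIED_RIGHTS = {
    r"\\finsrv\ap_interface": "modify_payment_file",
    r"\\finsrv\gl_export": "modify_gl_export",
}


def effective_rights(app_rights, share_writes):
    """Union of rights granted in the application and rights implied by
    write access on the export/interface shares."""
    rights = set(app_rights)
    for share in share_writes:
        if share in SHARE_IMPLIED_RIGHTS:
            rights.add(SHARE_IMPLIED_RIGHTS[share])
    return rights


def sod_violations(users):
    """users: {name: {"app": [rights], "shares": [paths with write access]}}
    Returns {name: sorted list of (right, right) conflict tuples} for users
    who hold both halves of at least one conflict pair."""
    findings = {}
    for name, grants in users.items():
        held = effective_rights(grants.get("app", []), grants.get("shares", []))
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample data. "bob" has a clean application profile but can
# alter the payment file on the interface share, which the application's
# own rights report would never show.
SAMPLE_USERS = {
    "alice": {"app": ["enter_journal"], "shares": []},
    "bob":   {"app": ["create_vendor"], "shares": [r"\\finsrv\ap_interface"]},
    "carol": {"app": ["create_user", "assign_rights"], "shares": []},
    "dave":  {"app": ["submit_for_approval", "override_approval"],
              "shares": [r"\\finsrv\gl_export"]},
}

if __name__ == "__main__":
    for user, conflicts in sod_violations(SAMPLE_USERS).items():
        print(f"{user}: {conflicts}")
```

The share mapping is the part that has to come from the data owners, not from IT: only the people who know which files a share holds can say what application function write access there really amounts to.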
The management and auditing of rights to the network and applications should:
- Be handled solely by the IT group
- Involve the data owners and those responsible for implementing the systems
- Mainly focus on application security, which overrides network security
Software applications: same basic intentions as controlling O/S updates, with additional concerns over interfaces with other applications or modifications to the basic application.
Reporting systems: controls and approvals over changes to customized reports are as essential as application changes. A changed report could hide transactions, account groups, etc.
Also referred to within a system development lifecycle. Formalization is key!
Reporting red flags: the requestor is the same as the developer; changes made outside of the production system; changes at the same time of the period by the same developer.
Which statement is most accurate about companies that should implement change controls?
- Only companies that have internally developed applications need change controls
- Changes to reporting tools are not normally part of the change control process
- Change controls should cover system update procedures
Internal: monitoring and understanding of system plans and changes (same for both). Supervisory roles!
- Physical access to servers, backup media, laptops: data or equipment theft.
- Can be influenced by other departments, knowingly or unknowingly part of fraud.
Outsourced: remote access control (OFF UNLESS REQUESTED!) and access logging reports.
- Communication is harder: not part of the culture, planning meetings, etc. Details on activities are not always expressed or understood by the organization. Little dialog with data owners to help meet system needs.
- Consultant storage of credentials, sharing with other consultants, and changes in the consultant organization (fired employees) could lead to security problems.
These will potentially be people with access to all of the organization's IT assets, so treat them like those in finance or HR. Criminal background checks are a necessity.
- Credit checks are not enough.
- A state court system check is not always enough: candidates may have worked in other states.
- Google searches: message board postings, news stories, etc.
- Social media content: twitter posts, blogs, facebook wall items, etc.
- 3rd party hiring procedures as part of vendor selection: what are the procedures for consultants? Due diligence on consultants assigned to the account.
At the back end of the hiring process is the review process. Equally important for internal and outsourced IT resources. For the internal IT group, who handles the technical review? The review doesn't need to be highly technical: are projects getting done? Are the department heads satisfied with the project?
You don’t have to understand the systems to understand the log information.The key is information that is easy to access and easy to understand.
Remote access sessions: could indicate an attempt to hide activities. Look for patterns, always before and after reporting events.
Failed login attempts: trying to break other users' credentials.
Changes to system-level rights: temporarily granting access to items.
A standardized form helps track from period to period. It also helps to divide up the review process and opens communication channels with managers.
Communication at all levels, distributed to managers. One group or person is in control, but input and help from department heads is key to getting true integration.
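As an added example (not from the original presentation), the following Python script runs the three log-review patterns above over a constructed sample log: remote access sessions clustered around a reporting date, one source failing logins against several different accounts, and a right that is granted and revoked again within a day. The log format, field names, sample lines, reporting date and thresholds are all hypothetical; a real review would feed in the organization's own access logs and period-end dates.

```python
"""Access-log review for the three patterns in the notes. Added example;
the log format, field names, thresholds and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2024-03-29T22:10:00 remote_login user=jsmith src=203.0.113.7
2024-03-29T23:45:00 remote_logout user=jsmith src=203.0.113.7
2024-04-01T02:00:00 failed_login user=ajones src=198.51.100.9
2024-04-01T02:00:20 failed_login user=bkim src=198.51.100.9
2024-04-01T02:00:41 failed_login user=clee src=198.51.100.9
2024-04-01T02:01:03 failed_login user=admin src=198.51.100.9
2024-04-01T09:00:00 rights_change user=jsmith right=approve_journal action=grant by=itadmin
2024-04-01T17:30:00 rights_change user=jsmith right=approve_journal action=revoke by=itadmin
2024-04-02T21:05:00 remote_login user=jsmith src=203.0.113.7
2024-04-02T22:15:00 remote_logout user=jsmith src=203.0.113.7
2024-04-15T10:00:00 failed_login user=clee src=192.0.2.4
"""

REPORTING_DATES = [datetime(2024, 3, 31)]  # hypothetical period end


def parse(log_text):
    """Turn each log line into a dict with a parsed timestamp and its fields."""
    events = []
    for line in log_text.splitlines():
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **fields})
    return events


def failed_login_sweeps(events, min_targets=3, window=timedelta(minutes=10)):
    """Sources with failed logins against >= min_targets distinct accounts
    inside one window: one person trying other users' credentials."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "failed_login":
            by_src[e["src"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            targets = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


def temporary_grants(events, max_age=timedelta(days=1)):
    """Rights granted and revoked again within max_age: a one-off bypass
    that a point-in-time rights report would never show."""
    open_grants, hits = {}, []
    changes = sorted((e for e in events if e["event"] == "rights_change"),
                     key=lambda e: e["ts"])
    for e in changes:
        key = (e["user"], e["right"])
        if e["action"] == "grant":
            open_grants[key] = e
        elif e["action"] == "revoke" and key in open_grants:
            granted = open_grants.pop(key)
            if e["ts"] - granted["ts"] <= max_age:
                hits.append((e["user"], e["right"], granted["by"], e["ts"] - granted["ts"]))
    return hits


def remote_sessions_near_reporting(events, reporting_dates, days=3):
    """Remote logins within +/- days of a reporting date, grouped by user,
    so repeated before-and-after patterns stand out."""
    hits = defaultdict(list)
    for e in events:
        if e["event"] != "remote_login":
            continue
        if any(abs(e["ts"] - d) <= timedelta(days=days) for d in reporting_dates):
            hits[e["user"]].append(e["ts"].isoformat())
    return dict(hits)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("credential sweeps:", failed_login_sweeps(ev))
    print("temporary grants:", temporary_grants(ev))
    print("remote access near period end:", remote_sessions_near_reporting(ev, REPORTING_DATES))
```

Each function returns plain data rather than printing, which is what makes the output easy to drop into the standardized review form the notes call for and to compare from period to period.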