Controls in Audit.pptx

  1. SECURITY CONTROLS
     Controls are a security mechanism, policy, or procedure that can successfully counter attacks, reduce risk, resolve vulnerabilities and otherwise improve security within an organization. Whether an organization is considering a technical or operational control to mitigate risk, or an administrative solution such as training and new procedures or policies, the control needs to focus on the hardware, telecommunications, and software that protect sensitive information in one of the following three states:
     • Data at rest
     • Data in transit
     • Data in process
  2. GOAL-BASED SECURITY CONTROLS
  3. IMPLEMENTATION-BASED CONTROLS
  4. SECURITY CONTROL FORMULATION
     Any information resource with value to an organization requires some degree of security protection. This provides a starting point for the formulation and development of security controls. The wide variety of ICT system components within an organization's supply chain results in significantly different security requirements, with the potential for equally different corresponding protective mechanisms to satisfy those requirements.
     Security Categorization of ICT Systems: the first step in the formulation and development of security controls establishes the security categorization for the ICT system. In addition to categorizing each ICT component and the data stored and processed within it, the security team begins developing the system security plan by documenting the security categorization and the system description information.
  5. SECURITY CONTROL FORMULATION
     • Identifying Information Types: organizations may group information types into categories defined by guidelines such as FIPS 199 or CNSSI 1253. However, organizations have the flexibility to define or identify their own information types and to select their own impact levels.
     • Each information system categorization can be represented as SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
     • The resulting level is subsequently used to determine the overall system security categorization and serves as the basis for selecting a security control baseline.
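A worked version of the categorization formula on this slide, added here as an example and not taken from the deck. It goes one step further than the slide: it aggregates several information types into a system categorization with the FIPS 199 high-water-mark rule (highest impact per objective, never below LOW for a system, and NOT APPLICABLE only valid for confidentiality) and picks the baseline level as the highest objective, as FIPS 200 does. The impact names are the slide's; the HR system and its information types are constructed.

```python
from enum import IntEnum
from typing import Dict, Tuple

class Impact(IntEnum):
    # Potential-impact values from the slide; ordered so max() yields the high-water mark.
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

# (confidentiality, integrity, availability) as in SC information type = {...}
SecurityCategory = Tuple[Impact, Impact, Impact]

def validate(sc: SecurityCategory) -> SecurityCategory:
    """FIPS 199 permits NOT APPLICABLE only for the confidentiality objective."""
    _conf, integ, avail = sc
    if Impact.NOT_APPLICABLE in (integ, avail):
        raise ValueError("NOT APPLICABLE is only valid for confidentiality")
    return sc

def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """High-water mark across all information types, per objective (FIPS 199).
    A system's impact for any objective is at least LOW, so a NOT APPLICABLE
    confidentiality value is raised to LOW at system level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    cats = [validate(sc) for sc in info_types.values()]
    return tuple(max(max(sc[i] for sc in cats), Impact.LOW) for i in range(3))

def baseline(sc: SecurityCategory) -> Impact:
    """Overall system category = highest of the three objectives (FIPS 200);
    this level selects the LOW / MODERATE / HIGH control baseline."""
    return max(sc)

def describe(name: str, sc: SecurityCategory) -> str:
    c, i, a = sc
    return (f"SC {name} = {{(confidentiality, {c.name}), "
            f"(integrity, {i.name}), (availability, {a.name})}}")

# Constructed example: a hypothetical HR system holding two information types.
HR_SYSTEM: Dict[str, SecurityCategory] = {
    "public job postings": (Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "employee PII":        (Impact.HIGH,           Impact.MODERATE, Impact.LOW),
}

if __name__ == "__main__":
    sc = categorize_system(HR_SYSTEM)
    print(describe("hr_system", sc))
    print("control baseline:", baseline(sc).name)
```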
  6. Setting the Stage for Control Implementation
     • Coming out of the security control selection process, the security plan provides the criteria for which controls and control enhancements will be implemented for the ICT system.
     • Before engaging in control implementation, functional and technical members of the implementation project group decide how each control will be implemented and assign responsibility for the activities within the process to individuals with the appropriate skill level and knowledge of the system, including its hardware, software, and associated configurations.
     • Managers who assign responsibilities need to be mindful that the nature of the work required to implement a control varies considerably across management, operational, and technical controls.
  7. Setting the Stage for Control Implementation
     Control Implementation through Security Engineering:
     • Identify the organizational security risks
     • Define the security needs to counter the identified risks
     • Transform the security needs into activities
     • Establish confidence and trustworthiness in the correctness and effectiveness of a system
     • Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (acceptable risks)
     • Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system
  8. TYPES OF IT AUDITS
     • Technological Position Audit: This audit reviews the technologies that the business currently has and those it needs to add. Technologies are characterized as "base", "key", "pacing" or "emerging".
     • Systems and Applications Audit: An audit to verify that systems and applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity. System and process assurance audits form a subtype, focusing on business process-centric IT systems; such audits have the objective of assisting financial auditors.
     • Information Processing Audit: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
  9. TYPES OF IT AUDITS
     • Systems Development Audit: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
     • Management of IT and Enterprise Architecture Audit: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
     • Client/Server, Intranets, and Extranets Audit: An audit to verify that telecommunications controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.
  10. Implementing a Multi-tiered Governance
      Making Information Governance Tangible:
      • The mandate of information governance is to add value to the business as well as to help it achieve its goals.
      • Therefore, capable information governance links technology processes, resources, and information to the overall purposes of the enterprise.
      • Since information is an asset, all organizations have the obligation to assure its uninterrupted confidentiality, integrity, and availability for use.
      • Therefore, managers have the responsibility to establish a tangible internal control system that explicitly protects the everyday functioning of the information processing and retrieval processes of the particular business.
  11. Implementing a Multi-tiered Governance
      There are seven universally desirable characteristics that an information governance infrastructure should embody:
      • Effectiveness: the organization's information must be relevant and pertinent to the business process it serves, and delivered in a timely, correct, consistent, and usable manner.
      • Efficiency: in the simplest terms, information must be made readily available through the most optimal (productive and economical) means possible.
      • Confidentiality: sensitive information must be protected from unauthorized disclosure, access, and tampering.
      • Integrity: the accuracy and completeness of information, as well as its validity, must be assured in accordance with its purpose.
  12. Implementing a Multi-tiered Governance
      • Availability: information must be accessible when required by the business process.
      • Compliance: all information and information processing must comply with the laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria.
      • Reliability: relates to the provision of appropriate information for management to operate the entity and to exercise its financial and compliance reporting responsibilities.
      These generic qualities are operationalized through an explicit set of control behaviors that are executed in a practical, day-to-day, systematic fashion.
  13. Establish a Real, Working Control Framework
      • The process of implementing a set of controls entails the identification, prioritization, assurance, and sustainment of an effective response to every plausible threat.
      • This control deployment function is not a one-shot "front-end" to setting up a static security solution.
      • It is a constant and organized probing of the environment to sense the presence of, and respond appropriately to, any potential sources of harm to the organization's information assets.
  14. AUDIT PROCESS
      • One of the best practices for an audit function is to have an audit universe. The audit universe is an inventory of all the potential audit areas within an organization.
      • Basic functional audit areas within an organization include sales, marketing, customer service, operations, research and development, finance, human resources, information technology, and legal.
      • An audit universe includes the basic functional audit areas, organization objectives, key business processes that support those organization objectives, specific audit objectives, risks of not achieving those objectives, and controls that mitigate the risks.
  15. QUESTIONS ??
  16. THANK YOU !!
