Information Technology General Controls
August 24, 2018
Kaushal R. Trivedi
Director, Management Audit
Vadodara Audit Club
Are You a Victim of… FEAR?
Laptop Theft
Virus Attack
Data Theft
Data Corruption/ Loss!!
Threats Continue to Grow…
• Axis Bank and State Bank of India confirmed the loss of data of several million credit/ debit card users in the August 2016 data theft
• Verizon Enterprise Solutions, which also deals with enterprise security, was hit by a cyber-attack that led to the theft of details about 1.5 million customers
• 55M records of the Philippines Commission on Elections were taken from the COMELEC website by hackers from Anonymous; the entire database was stolen and posted online
• 49.6M Turkish citizenship records were stolen and posted online
• An employee of the Australian Immigration Department inadvertently sent the passport numbers, visa details and personal identifiers of all world leaders attending the G20 Brisbane Summit to the organizers of the Asian Cup football tournament: Barack Obama, Vladimir Putin, Angela Merkel, Xi Jinping, Narendra Modi, David Cameron and many others…
Technological Global Risks & Trends 2018
Adverse consequences of technological advances
• Intended or unintended adverse consequences of technological advances such
as artificial intelligence, geo-engineering and synthetic biology causing human,
environmental and economic damage
Critical information infrastructure breakdown
• Cyber dependency that increases vulnerability to outage of critical information
infrastructure (e.g. internet, satellites, etc.) and networks, causing widespread
disruption
Large-scale Cyberattacks
• Large-scale cyberattacks or malware causing large economic damages,
geopolitical tensions or widespread loss of trust in the internet
Massive incident of data fraud/ theft
• Wrongful exploitation of private or official data that takes place on an
unprecedented scale
Source: World Economic Forum – Global Risk Report 2018
Technological Global Risks & Trends (chart)
Source: World Economic Forum Global Risk 2016
Source: Executive Opinion Survey 2015, World Economic Forum.
Note: The darker the colour, the higher the concern.
IT Service Frameworks
What is ITGC?
• Information Technology General Controls (ITGCs) can be defined as internal controls
that assure the secure, stable, and reliable performance of computer hardware, software
and IT personnel connected to financial systems.
• ITGCs affect the ability to rely on application controls and IT dependent manual controls.
• Without effective ITGCs, reliance cannot be placed on any application controls or IT
dependent manual controls unless additional procedures are performed (e.g.,
benchmarking). Even these additional procedures limit the ability to rely upon more than
one application control at a time.
• ITGCs are an integral part of many different operational and regulatory (federal and state)
audits, including:
o IT operational reviews
o HIPAA assessments
o SSAE16 assessments/ SOC-2
o PCI-DSS reviews/audits
o SOX assessments
Auditing Standards (SA 315) - INDIA
EDP/ IT Controls
• General Controls
o Admin Controls: discipline in routine operations and admin functions
o Sys. Dev. Controls: usage of updated technology with adequate people support (SOD)
• Application Controls
o Procedural Controls (ensure timely processing)
o Manual Controls
o Automated Controls
*SA 315 - Identifying and Assessing The Risk of Material Misstatement
through Understanding the Entity and its Environment
IT Risk Assessment & Scoping
► Layers assessed: Significant accounts; Business processes; Business controls; Applications
STEP 1: validate understanding
STEP 2: perform risk assessment at each layer
STEP 3: Conclude: is it REASONABLY POSSIBLE that a failure in this IT Process area could impact application controls & result in a material misstatement?
Risk is not eliminated; it is reduced to a REASONABLE level.
IT Process Controls: Change Mgt, Operations, Security, applied at each of the following layers:
➢Application
➢Database
➢Operating System
➢Network
Test of Design vs. Test of Effectiveness
Test of Design
Determines whether the controls, if operating properly, can effectively prevent or
detect errors or fraud that could result in material misstatements in the financial
statements.
• Procedures the auditor performs to test and evaluate design effectiveness
include inquiry, observation, and inspection of relevant documentation. The
procedures the auditor performs to test and evaluate design effectiveness
might also provide evidence that can be used to test the effectiveness of
the control. Was the control designed appropriately?
Test of Effectiveness
Involves evaluating whether internal control is operating as designed.
• Procedures the auditor performs to test and evaluate operating effectiveness include inquiry, observation, and inspection of relevant documentation. Was the control consistently performed? Was the control performed by a person who had the necessary authority and qualifications to perform the control effectively?
Testing Methodology
Testing Method: Definition
Inquiry: The auditor inquires (in writing or verbally) of the responsible individual as to what procedures are in place to address the control being tested. This is typically the first step in each test.
Inspection: The auditor inspects the evidence provided to ensure that it is accurate.
Corroborative Inquiry: The auditor inquires with one individual and corroborates the inquiry separately with another individual.
System Query: The auditor tests that automated controls within an IT application are operating as expected. Examples of these kinds of controls may be:
• That a predefined exception will be identified appropriately by the system (this exception may be associated with completeness and/or accuracy of input, processing and output of the application)
• That logical access configuration within the application is set in a way that establishes segregation of duties and otherwise provides for the authorization of transactions.
ITGC Focus – Background Info.
IT Organization (Employees & Third Party):
• IT Steering Committee/ Business Management
• IT Management
• IT Operations
• Security Management
• Application Development
IT Organization (SOD Examples):
First Job / Second Job / Combined?
• Data Entry / Quality Assurance / Yes
• System Administrator / Database Administrator / No
• Security Administrator / Application programmer / No
• Systems Programmer / Security Administrator / No
• Help Desk / Network Administrator / No
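The SOD table above is the kind of rule set an auditor applies to an exported user-to-role listing. The following is an added example (not from the original slides) that encodes those five job pairs and flags users whose combined assignments violate them; the role spellings, user IDs and the sample listing are constructed for illustration.

```python
"""Segregation-of-duties (SOD) check over a constructed user/role listing.

Added example, not part of the original slides. It encodes the job-pair
rules from the SOD table and reports users holding an incompatible
combination. User IDs and the sample listing are constructed.
"""
from itertools import combinations

# Pairs the SOD table marks "Combined: No". Order does not matter, so each
# pair is stored as a frozenset and looked up both ways for free.
SOD_CONFLICTS = {
    frozenset({"System Administrator", "Database Administrator"}),
    frozenset({"Security Administrator", "Application Programmer"}),
    frozenset({"Systems Programmer", "Security Administrator"}),
    frozenset({"Help Desk", "Network Administrator"}),
}

# The one pair the table marks "Combined: Yes".
SOD_ALLOWED = {frozenset({"Data Entry", "Quality Assurance"})}


def pair_status(role_a, role_b):
    """'No' for a known conflict, 'Yes' for an explicitly allowed pair,
    'not rated' when the table says nothing about the combination."""
    pair = frozenset({role_a, role_b})
    if pair in SOD_CONFLICTS:
        return "No"
    if pair in SOD_ALLOWED:
        return "Yes"
    return "not rated"


def sod_violations(user_roles):
    """Return {user: [(role_a, role_b), ...]} for every user whose roles
    contain at least one conflicting pair. user_roles maps a user id to an
    iterable of role names; pairs are reported in sorted order."""
    findings = {}
    for user, roles in user_roles.items():
        conflicts = [
            (a, b)
            for a, b in combinations(sorted(set(roles)), 2)
            if pair_status(a, b) == "No"
        ]
        if conflicts:
            findings[user] = conflicts
    return findings


def review_report(user_roles):
    """One human-readable line per conflict, suitable for a review workpaper."""
    lines = []
    for user, conflicts in sorted(sod_violations(user_roles).items()):
        for a, b in conflicts:
            lines.append(f"{user}: '{a}' + '{b}' must not be combined")
    return lines


# Constructed sample: a small access listing as it might be exported for review.
SAMPLE_USER_ROLES = {
    "u101": ["Data Entry", "Quality Assurance"],                 # allowed pair
    "u102": ["System Administrator", "Database Administrator"],  # one conflict
    "u103": ["Help Desk"],                                       # single role
    "u104": ["Security Administrator", "Systems Programmer",
             "Application Programmer"],                          # two conflicts
}

if __name__ == "__main__":
    for line in review_report(SAMPLE_USER_ROLES):
        print(line)
```

Role names must be normalised (case, abbreviations) before the listing is fed in; the table on the slide is written by hand and a real export rarely matches it character for character.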
ITGC Focus – Background Info.
o Technology Overview – Software (by Key Application)
• Application (Name & Version)
• Owner/Support (Business & IT Contact Points)
• Description (Modules or Business Function)
• # Users
• Database (Name & Version)
• OS (Name & Version)
• Hardware (Type & Quantity)
• Location (Hardware)
o Review of Network Infra (Wired/ Wireless/ WAN)
o Remote access capabilities (Business purpose/ Authentication)
o Firewalls utilized – Firewall (Hardware/ Software/ Combi?), Analyzer.
o Products or Services offered via the Internet?
Network – Which is Better?
Solution: the application or usage will decide the placement and the number of equipment.
Network – Which is Better? (diagram: 2-tier vs. 3-tier)
Network – VPN
Coverage/ Application of ITGC
Source: ISACA.org
ITGC – Security Management
Security Administration – Application, Database, Platform, Network
1. Users are granted access (business need)
2. Approval process exists (authorize in a timely manner)
3. Access privileges are reviewed and confirmed (periodically)
4. Controls are in place to support appropriate and timely responses (job
changes)
Security Configuration – Application, Database, Platform, Network
1. Security standards exist for each system or application.
2. Application Configuration (view, add, change, or delete data)
3. Password parameter settings for App/DB/OS/Network
4. Procedures for effectiveness of authentication and access mechanisms.
5. DBMS is appropriately configured (stored procedures)
Security Monitoring – Application, Database, Platform, Network
1. Management logs and monitors security activity and security violations are
promptly analyzed, reported and/or escalated.
ITGC – Security Management
Access related Questions?
• Security Policy is Applicable to Employee or Third Party Or Both?
• Characteristics of an Ideal Password?
• Monitoring of Powerful User IDs (DB Admin/ Backup Admin/
Network Admin)
• Users Access Reviews (One Time/ Periodic - Why?)
• Physical Security (Guard/ Card Access/ Biometric/ ATM PIN)
• Security Monitoring (i.e. left employees, invalid logins, audit
trails)
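The Security Monitoring control above (security activity logged, violations analysed and escalated) and three of the questions just listed (left employees, invalid logins, powerful user IDs) can be made concrete with a small log check. The following is an added example, not from the original slides: it runs over a few constructed authentication log lines and reports successful logins by terminated users, bursts of failed logins, and any activity by powerful IDs. The log format, user names, terminated-user list and thresholds are all constructed assumptions.

```python
"""Security-monitoring checks over constructed authentication log lines.

Added example, not part of the original slides. Implements three of the
monitoring points the slides raise: logins by employees who have left,
bursts of invalid logins, and activity by powerful (admin) IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source ip>"
SAMPLE_LOG = """\
2018-08-20T09:01:10 alice LOGIN_OK 10.0.0.5
2018-08-20T09:02:30 bob LOGIN_FAIL 10.0.0.9
2018-08-20T09:02:41 bob LOGIN_FAIL 10.0.0.9
2018-08-20T09:02:52 bob LOGIN_FAIL 10.0.0.9
2018-08-20T09:03:05 bob LOGIN_FAIL 10.0.0.9
2018-08-20T09:03:20 bob LOGIN_FAIL 10.0.0.9
2018-08-20T10:15:00 carol LOGIN_OK 10.0.0.7
2018-08-20T22:40:00 dbadmin LOGIN_OK 10.0.0.3
2018-08-21T08:00:00 alice LOGIN_FAIL 10.0.0.5
"""

# Constructed reference data the reviewer obtains from HR and the access list.
TERMINATED_USERS = {"carol"}                       # left before the log period
POWERFUL_IDS = {"dbadmin", "backupadmin", "netadmin"}
FAIL_THRESHOLD = 5                                 # this many failures ...
FAIL_WINDOW = timedelta(minutes=5)                 # ... inside this window


def parse_log(text):
    """Parse the constructed format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "outcome": outcome, "src": src})
    return events


def terminated_user_logins(events):
    """Successful logins by accounts that should have been disabled."""
    return [e for e in events
            if e["outcome"] == "LOGIN_OK" and e["user"] in TERMINATED_USERS]


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """{user: count} for users with >= threshold failures in any sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e["outcome"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def powerful_id_activity(events):
    """Every event for a powerful ID; these are reviewed rather than thresholded."""
    return [e for e in events if e["user"] in POWERFUL_IDS]


def monitoring_report(text):
    """Combine the three checks into one dict for escalation or a workpaper."""
    events = parse_log(text)
    return {
        "terminated_user_logins": [(e["ts"].isoformat(), e["user"])
                                   for e in terminated_user_logins(events)],
        "failed_login_bursts": failed_login_bursts(events),
        "powerful_id_activity": [(e["ts"].isoformat(), e["user"], e["src"])
                                 for e in powerful_id_activity(events)],
    }


if __name__ == "__main__":
    for key, value in monitoring_report(SAMPLE_LOG).items():
        print(key, value)
```

The terminated-user check is the one that most often fails in practice, because it depends on HR feeding leaver dates to the access administrators promptly; the "appropriate and timely responses (job changes)" control on the previous slide is what this check tests.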
ITGC – Change Management
Application Development Lifecycle
1. Organization SDLC considers security, availability, and processing integrity
requirements
2. SDLC ensures Application controls that support complete, accurate,
authorized, and valid transaction processing.
Quality Assurance & Testing – Application, Database, Platform, Network
1. Testing strategy for changes
2. Testing is performed at the unit, system/integration, and user acceptance level
3. Load and stress testing is performed against test standards.
4. Integration test (for Interfaces with other systems/technology)
5. Conversion of data is tested - origin and its destination to confirm that it is
complete, accurate, and valid (FA Invoice and FAR)
Change Management Process – Application, Database, Platform, Network
1. Procedures for Installation and Maintenance
2. System maintenance, and supplier maintenance - Change Management
procedures.
ITGC – Change Management
Change Management Process – Application, Database, Platform, Network
3. Procedures for emergency changes exist and are followed.
4. Emergency changes are approved, tested, documented, and monitored.
5. Procedures exist to ensure applications/databases/OS-system software can
be returned to a previously known/stable state.
6. Systems are updated with updates/patches in a timely manner.
ITGC – Change Management
Change Management related Questions?
• Firewall Software has an Update available; should that be subject to the Change Management Process?
• Invoicing for FG has stopped and IT Support personnel on the Night shift suggest a system restart to correct the Problem?
• Management is launching a new Product tomorrow; however, the new Module has not been tested in the Test Environment?
ITGC – Data Management
Data Backup, Storage, and Recovery
1. A strategy is defined for data backup type and frequency (including definition
of data retention periods).
2. A media management strategy defines media rotation and destruction.
3. Procedures exist to periodically test the effectiveness of the restoration
process and quality of backup media.
4. Procedures are defined and implemented to prevent access to sensitive
information stored on off-line physical media.
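Points 1 and 3 above (a defined retention period, and periodic testing of the restoration process and backup media) are the ones that turn a backup from a hope into a control. The following is an added example, not from the original slides: it backs up a constructed source tree to an archive, restores it elsewhere, and proves the restore is complete and bit-identical by comparing per-file SHA-256 manifests, including a run where a restored file has been tampered with so the check is seen to fail; a second helper applies a retention period to dated backup file names. Paths, file contents, the archive naming scheme and the retention period are constructed assumptions.

```python
"""Restore test and retention check for a file backup.

Added example, not part of the original slides. The archive naming scheme
'backup-YYYY-MM-DD.zip', the sample files and the retention period are
constructed assumptions.
"""
import hashlib
import os
import tempfile
import zipfile
from datetime import date, datetime, timedelta


def manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def backup(src_dir, archive_path):
    """Write every file under src_dir into a zip archive (relative paths)."""
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                zf.write(full, os.path.relpath(full, src_dir))


def restore(archive_path, dest_dir):
    with zipfile.ZipFile(archive_path) as zf:
        zf.extractall(dest_dir)


def verify_restore(expected, restore_dir):
    """Compare the manifest taken before backup with the restored tree.
    Returns a dict an auditor can file as evidence of the restoration test."""
    actual = manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    extra = sorted(set(actual) - set(expected))
    return {"files": len(expected), "missing": missing, "corrupt": corrupt,
            "extra": extra, "ok": not (missing or corrupt or extra)}


def restore_test(tamper=False):
    """Run the full backup -> restore -> verify cycle on a constructed tree.
    With tamper=True one restored file is altered first, to show the check
    catching a bad restore or damaged media."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "gl.csv"), "w") as fh:
            fh.write("acct,amount\n1000,250.00\n")          # constructed sample data
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("constructed sample data\n")
        expected = manifest(src)                             # taken BEFORE the backup
        archive = os.path.join(work, "backup-2018-08-24.zip")
        backup(src, archive)
        restored = os.path.join(work, "restore")
        restore(archive, restored)
        if tamper:
            with open(os.path.join(restored, "ledger", "gl.csv"), "a") as fh:
                fh.write("9999,0.01\n")
        return verify_restore(expected, restored)


def expired_backups(names, retention_days, today):
    """Names of archives ('backup-YYYY-MM-DD.zip') older than the retention period."""
    cutoff = today - timedelta(days=retention_days)
    prefix = "backup-"
    expired = []
    for n in names:
        stamp = n[len(prefix):len(prefix) + 10]
        if datetime.strptime(stamp, "%Y-%m-%d").date() < cutoff:
            expired.append(n)
    return expired


if __name__ == "__main__":
    print("clean restore:", restore_test())
    print("tampered restore:", restore_test(tamper=True))
    print("expired:", expired_backups(["backup-2018-08-24.zip", "backup-2018-05-01.zip"],
                                      90, date(2018, 8, 24)))
```

The manifest must be taken from the live source before the backup runs; comparing the archive against itself, or trusting the "no errors" status of the tape library, proves only that the media wrote, not that the data can be brought back.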
ITGC – Data Management
Data Management related Questions?
• Backups are taken on Tape Drives but never tested? However, the IT Admin ensures the Tape Library does not give any error post Backup completion?
• Backups are taken and placed at the same location in a Dataline fire-proof safe which can withstand temperatures up to 1000 degree C for an hour and is earthquake-proof?
• Backups are stored at the Managing Director's house in Mumbai and the Disaster Recovery Server is at Surat?
ITGC – Computer & Data Centre Operations
Incident and Problem Management
1. Defined and implemented an incident management system so that events that
are not part of the standard operation are recorded, analyzed, escalated,
resolved, and reported in a timely manner.
2. Management has defined and implemented problem management procedures
to help ensure that the root cause of operational events that are not part of the
standard operation are resolved in a timely manner.
Production Monitoring
1. Management has established and documented standard procedures for IT
operations, including managing, monitoring, and responding to security,
availability, and processing integrity events.
2. Management has established appropriate metrics to effectively manage,
monitor, and report on day-to-day operations.
3. System event data are sufficiently retained to provide chronological
information and logs to enable the reconstruction, review, and examination of
the time sequences of processing.
ITGC – Computer & Data Centre Operations
Data Centre related Questions?
• Air Conditioning of the Server room is kept at 18 degree Centigrade?
• The Server is showing an Amber Light alert; however, it is functioning correctly.
• What if the above problem is accompanied by frequent Restarts?
• The Server room UPS system is out of Warranty?
• Dell, the Server Equipment Manufacturer, has declined to provide an AMC as the Server is on the End of Life support list?
• The Server room does not have Rodent Protection
ITGC – Computer & Data Centre Operations
Picture 1?
ITGC – Computer & Data Centre Operations
Picture 2?
ITGC – Computer & Data Centre Operations
Winner!
Questions?
Thank You.
Kaushal R. Trivedi
+91 9825154523
kaushal.trivedi@kcmehta.com

 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

IT General Controls Presentation at IIA Vadodara Audit Club

  • 5. Technological Global Risks & Trends
    (Heat map of technological risk concern by country; the darker the colour, the higher the concern.)
    Source: World Economic Forum, Global Risk Report 2016; Executive Opinion Survey 2015, World Economic Forum.
  • 7. What is ITGC?
    • Information Technology General Controls (ITGCs) can be defined as internal controls that assure the secure, stable, and reliable performance of computer hardware, software and IT personnel connected to financial systems.
    • ITGCs affect the ability to rely on application controls and IT-dependent manual controls.
    • Without effective ITGCs, reliance cannot be placed on any application controls or IT-dependent manual controls unless additional procedures are performed (e.g., benchmarking). Even these additional procedures limit the ability to rely upon more than one application control at a time.
    • ITGCs are an integral part of many different operational and regulatory (federal and state) audits, including:
      o IT operational reviews
      o HIPAA assessments
      o SSAE 16 / SOC 2 assessments
      o PCI DSS reviews/audits
      o SOX assessments
  • 8. Auditing Standards (SA 315) - INDIA
    EDP/ IT controls are classified as:
    • General Controls
      o Admin Controls: discipline in routine operations and admin functions
      o System Development Controls: use of updated technology with adequate people support (segregation of duties)
    • Application Controls
      o Procedural Controls (ensure timely processing)
      o Manual Controls
      o Automated Controls
    *SA 315 - Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment
  • 9. IT Risk Assessment & Scoping
    Scoping works down through the layers: significant accounts, the business processes behind them, the business controls in those processes, the applications that support the controls, and finally the IT process controls (change management, operations, security) at each technology layer:
      ➢ Application
      ➢ Database
      ➢ Operating System
      ➢ Network
    STEP 1: Validate understanding.
    STEP 2: Perform a risk assessment at each layer.
    STEP 3: Conclude: is it REASONABLY POSSIBLE that a failure in this IT process area could impact application controls and result in a material misstatement? Risk is not eliminated; it is reduced to a REASONABLE level.
  • 10. Test of Design vs. Test of Effectiveness
    Test of Design - Was the control designed appropriately?
    • Determines whether the controls, if operating properly, can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.
    • Procedures the auditor performs to test and evaluate design effectiveness include inquiry, observation, and inspection of relevant documentation. These procedures might also provide evidence that can be used to test the operating effectiveness of the control.
    Test of Effectiveness - Was the control consistently performed? Was it performed by a person who had the necessary authority and qualifications to perform it effectively?
    • Involves evaluating whether internal control is operating as designed.
    • Procedures the auditor performs to test and evaluate operating effectiveness include inquiry, observation, and inspection of relevant documentation.
  • 11. Testing Methodology
    Inquiry: The auditor inquires (in writing or verbally) of the responsible individual as to what procedures are in place to address the control being tested. This is typically the first step in each test.
    Inspection: The auditor inspects the evidence provided to ensure that it is accurate.
    Corroborative Inquiry: The auditor inquires with one individual and corroborates the inquiry separately with another individual.
    System Query: The auditor tests that automated controls within an IT application are operating as expected. Examples of such controls:
      o A predefined exception is identified appropriately by the system (the exception may relate to completeness and/or accuracy of input, processing and output of the application).
      o Logical access configuration within the application is set in a way that establishes segregation of duties and otherwise provides for the authorization of transactions.
  • 12. ITGC Focus – Background Info.
    IT Organization (Employees & Third Party):
    • IT Steering Committee/ Business Management
    • IT Management
    • IT Operations
    • Security Management
    • Application Development
    IT Organization (SOD Examples) - may one person hold both jobs?
    First Job | Second Job | Combined
    Data Entry | Quality Assurance | Yes
    System Administrator | Database Administrator | No
    Security Administrator | Application Programmer | No
    Systems Programmer | Security Administrator | No
    Help Desk | Network Administrator | No
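An added example, not from the presentation: the SOD table above applied as a check over an access export. The conflict pairs are the table's "No" rows; the user/role export, its CSV layout and the role names as they appear in the export are constructed assumptions.

```python
"""Segregation-of-duties check over a user/role export (added example)."""
from collections import defaultdict
from itertools import combinations

# Pairs of jobs one person must not hold together, taken from the SOD table.
# frozenset so the order of the pair does not matter when matching.
SOD_CONFLICTS = {
    frozenset({"System Administrator", "Database Administrator"}),
    frozenset({"Security Administrator", "Application Programmer"}),
    frozenset({"Systems Programmer", "Security Administrator"}),
    frozenset({"Help Desk", "Network Administrator"}),
}

# Constructed sample export in the "user,role" shape an IAM tool or ERP dumps.
SAMPLE_EXPORT = """\
user,role
alice,Data Entry
alice,Quality Assurance
bob,System Administrator
bob,Database Administrator
carol,Security Administrator
carol,Application Programmer
carol,Systems Programmer
dave,Help Desk
erin,Network Administrator
"""


def parse_export(text):
    """Return {user: set(roles)} from a user,role CSV; the header row is skipped."""
    roles = defaultdict(set)
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, role = (field.strip() for field in line.split(",", 1))
        roles[user].add(role)
    return roles


def find_conflicts(roles_by_user, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b) tuples for every toxic pair a user holds.

    Every pair of a user's roles is tested, so someone holding three mutually
    conflicting roles is reported once per conflicting pair, which is what the
    reviewer needs when deciding which role to remove.
    """
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in conflicts:
                findings.append((user, role_a, role_b))
    return findings


if __name__ == "__main__":
    for user, role_a, role_b in find_conflicts(parse_export(SAMPLE_EXPORT)):
        print(f"SOD conflict: {user} holds both '{role_a}' and '{role_b}'")
```

On the sample data alice passes (Data Entry with Quality Assurance is the one combination the table allows), bob is flagged once, and carol twice, because both of her other roles conflict with Security Administrator.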
  • 13. ITGC Focus – Background Info.
    o Technology Overview – Software (by Key Application)
      • Application (Name & Version)
      • Owner/Support (Business & IT Contact Points)
      • Description (Modules or Business Function)
      • # Users
      • Database (Name & Version)
      • OS (Name & Version)
      • Hardware (Type & Quantity)
      • Location (Hardware)
    o Review of Network Infrastructure (Wired/ Wireless/ WAN)
    o Remote access capabilities (Business purpose/ Authentication)
    o Firewalls utilized – Firewall (Hardware/ Software/ Combination?), Analyzer
    o Products or Services offered via the Internet?
  • 14. Network – Which is Better?
    Solution: the application or usage decides the placement and the number of devices.
  • 15. Network – Which is Better?
    (Diagram: 2-tier versus 3-tier network architecture.)
  • 17. Coverage/ Application of ITGC
    (Diagram. Source: ISACA.org)
  • 18. ITGC – Security Management
    Security Administration – Application, Database, Platform, Network
    1. Users are granted access on the basis of business need.
    2. An approval process exists and authorizes access in a timely manner.
    3. Access privileges are reviewed and confirmed periodically.
    4. Controls are in place to support appropriate and timely responses to job changes.
    Security Configuration – Application, Database, Platform, Network
    1. Security standards exist for each system or application.
    2. Application configuration restricts who can view, add, change, or delete data.
    3. Password parameter settings are defined for the application, database, OS and network layers.
    4. Procedures exist to assess the effectiveness of authentication and access mechanisms.
    5. The DBMS is appropriately configured (e.g. stored procedures).
    Security Monitoring – Application, Database, Platform, Network
    1. Management logs and monitors security activity, and security violations are promptly analyzed, reported and/or escalated.
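An added example, not from the presentation, of testing item 3 under Security Configuration at the OS layer: the password-ageing parameters in a Linux `/etc/login.defs` are parsed and compared with a baseline. The file format is the real shadow-utils one, but the two configurations and the baseline values are constructed; a real engagement would take the baseline from the client's security standard. On PAM-based systems password length and complexity are enforced by the PAM stack (pam_pwquality), so `PASS_MIN_LEN` here is only the legacy knob and the PAM configuration must be inspected as well.

```python
"""OS password-parameter check against a baseline (added example)."""

# Baseline (assumed policy): parameter -> (comparison, required value).
# "max": observed value must be <= required; "min": observed must be >= required.
BASELINE = {
    "PASS_MAX_DAYS": ("max", 90),   # password must be changed at least every 90 days
    "PASS_MIN_DAYS": ("min", 1),    # no same-day change straight back to the old one
    "PASS_MIN_LEN": ("min", 12),
    "PASS_WARN_AGE": ("min", 7),
}

# Constructed sample: the shadow-utils defaults found on many distributions.
WEAK_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample, before remediation)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
"""

# Constructed sample after remediation.
HARDENED_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample, after remediation)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14
UMASK           027
"""


def parse_login_defs(text):
    """Return {NAME: value} from login.defs text.

    Comments and blank lines are ignored and the last occurrence of a name
    wins, which is how shadow-utils reads the file.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_password_parameters(text, baseline=BASELINE):
    """Return sorted (parameter, observed, required) tuples for every failure.

    A parameter that is absent from the file is reported with observed=None
    rather than silently passing: an absent PASS_MIN_LEN means login.defs
    imposes no minimum at all, which is a finding, not a pass.
    """
    observed = parse_login_defs(text)
    findings = []
    for name, (mode, required) in sorted(baseline.items()):
        raw = observed.get(name)
        if raw is None:
            findings.append((name, None, required))
            continue
        value = int(raw)
        ok = value <= required if mode == "max" else value >= required
        if not ok:
            findings.append((name, value, required))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LOGIN_DEFS), ("hardened", HARDENED_LOGIN_DEFS)):
        print(label, check_password_parameters(cfg) or "no findings")
```

The same shape (parse the effective setting, compare against a baseline with an explicit direction, treat "not set" as a failure) carries over to the database and application layers; only the parser changes.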
  • 19. ITGC – Security Management
    Access related questions:
    • Is the security policy applicable to employees, to third parties, or to both?
    • What are the characteristics of an ideal password?
    • Monitoring of powerful user IDs (DB admin/ backup admin/ network admin)
    • User access reviews (one time/ periodic - why?)
    • Physical security (guard/ card access/ biometric/ ATM PIN)
    • Security monitoring (e.g. left employees, invalid logins, audit trails)
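An added example, not from the presentation, of what a periodic user access review actually computes for one application. It reconciles three constructed inputs an auditor would request, the HR leavers list, the application's user export and a sample of the authentication log, and returns the exception lists the questions above ask about: leavers whose accounts are still enabled, dormant accounts, powerful IDs to be confirmed by their owner, and IDs with repeated invalid logins. The review date, the 90-day dormancy threshold, the failed-login threshold and all three file formats are assumptions.

```python
"""Periodic user access review for one application (added example)."""
import re
from collections import Counter
from datetime import date

REVIEW_DATE = date(2018, 8, 24)     # "as of" date of the review (assumption)
DORMANT_DAYS = 90                   # inactivity threshold from policy (assumption)
FAILED_LOGIN_THRESHOLD = 5          # repeated invalid logins worth a look (assumption)

# Constructed HR leavers list.
HR_LEAVERS = """\
user,last_working_day
bob,2018-06-30
carol,2018-08-20
"""

# Constructed application user export.
APP_USERS = """\
user,status,privileged,last_login
alice,active,no,2018-08-23
bob,active,no,2018-07-02
carol,disabled,yes,2018-08-19
dba01,active,yes,2018-04-01
frank,active,no,2018-08-22
"""

# Constructed authentication log sample (syslog-like; the format is an assumption).
AUTH_LOG = """\
Aug 23 09:01:02 erp sshd[311]: Failed password for frank from 10.0.0.7
Aug 23 09:01:05 erp sshd[311]: Failed password for frank from 10.0.0.7
Aug 23 09:01:09 erp sshd[311]: Failed password for frank from 10.0.0.7
Aug 23 09:01:12 erp sshd[311]: Failed password for frank from 10.0.0.7
Aug 23 09:01:15 erp sshd[311]: Failed password for frank from 10.0.0.7
Aug 23 09:01:19 erp sshd[311]: Accepted password for frank from 10.0.0.7
Aug 23 10:15:00 erp sshd[402]: Failed password for alice from 10.0.0.9
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from")


def read_csv(text):
    """Parse a small header-first CSV into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, row.split(","))) for row in lines[1:]]


def review_access(app_csv=APP_USERS, hr_csv=HR_LEAVERS, auth_log=AUTH_LOG,
                  as_of=REVIEW_DATE):
    """Return a dict of exception lists; an empty list means no finding."""
    users = read_csv(app_csv)
    leavers = {row["user"]: date.fromisoformat(row["last_working_day"])
               for row in read_csv(hr_csv)}

    # 1. Leavers whose account is still enabled after their last working day.
    leaver_still_active = sorted(
        u["user"] for u in users
        if u["status"] == "active" and u["user"] in leavers
        and leavers[u["user"]] < as_of)

    # 2. Enabled accounts with no login for more than DORMANT_DAYS.
    dormant = sorted(
        u["user"] for u in users
        if u["status"] == "active"
        and (as_of - date.fromisoformat(u["last_login"])).days > DORMANT_DAYS)

    # 3. Every powerful ID, enabled or not, goes to its owner for confirmation.
    privileged = sorted(u["user"] for u in users if u["privileged"] == "yes")

    # 4. IDs with repeated invalid logins in the sampled log.
    failures = Counter(FAILED_RE.findall(auth_log))
    repeated_failures = sorted(
        user for user, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD)

    return {"leaver_still_active": leaver_still_active, "dormant": dormant,
            "privileged": privileged, "repeated_failures": repeated_failures}


if __name__ == "__main__":
    for finding, ids in review_access().items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```

The point of the join with HR is that the application owner's list alone cannot show a leaver; that is why the review is periodic rather than one time, and why it needs an input the IT function does not control.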
  • 20. ITGC – Change Management
    Application Development Lifecycle
    1. The organization's SDLC considers security, availability, and processing integrity requirements.
    2. The SDLC ensures application controls that support complete, accurate, authorized, and valid transaction processing.
    Quality Assurance & Testing – Application, Database, Platform, Network
    1. A testing strategy exists for changes.
    2. Testing is performed at the unit, system/integration, and user acceptance levels.
    3. Load and stress testing is performed against test standards.
    4. Integration testing covers interfaces with other systems/technology.
    5. Conversion of data is tested at its origin and its destination to confirm that it is complete, accurate, and valid (FA invoice and FAR).
    Change Management Process – Application, Database, Platform, Network
    1. Procedures exist for installation and maintenance.
    2. System maintenance and supplier maintenance follow the change management procedures.
  • 21. ITGC – Change Management
    Change Management Process – Application, Database, Platform, Network (continued)
    3. Procedures for emergency changes exist and are followed.
    4. Emergency changes are approved, tested, documented, and monitored.
    5. Procedures exist to ensure applications/databases/OS/system software can be returned to a previously known stable state.
    6. Systems are updated with updates/patches in a timely manner.
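An added example, not from the presentation, of how the change management process points on slides 20 and 21 turn into a test of operating effectiveness over a change register: every production change needs approval before implementation, test evidence, a rollback plan and a person other than the developer migrating it, while an emergency change may go in first but must be approved retrospectively within a window. The register below is constructed data; its field names and the 48-hour window are assumptions to agree with the auditee before testing.

```python
"""Change-management evidence check over a change register (added example)."""
from datetime import datetime, timedelta

EMERGENCY_APPROVAL_WINDOW = timedelta(hours=48)   # assumption

# Constructed change register: one record per production change.
CHANGES = [
    {"id": "CHG-101", "type": "standard", "developer": "dev1", "implementer": "ops1",
     "approved_at": "2018-08-01 10:00", "implemented_at": "2018-08-03 22:00",
     "tested": True, "rollback_plan": True},
    {"id": "CHG-102", "type": "standard", "developer": "dev2", "implementer": "dev2",
     "approved_at": "2018-08-05 09:00", "implemented_at": "2018-08-04 18:00",
     "tested": False, "rollback_plan": True},
    {"id": "CHG-103", "type": "emergency", "developer": "dev1", "implementer": "ops2",
     "approved_at": "2018-08-10 09:00", "implemented_at": "2018-08-09 23:30",
     "tested": True, "rollback_plan": True},
    {"id": "CHG-104", "type": "emergency", "developer": "dev3", "implementer": "ops1",
     "approved_at": None, "implemented_at": "2018-08-12 02:00",
     "tested": True, "rollback_plan": False},
]


def _ts(value):
    """Parse 'YYYY-MM-DD HH:MM' or return None for a missing timestamp."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M") if value else None


def check_change(change, window=EMERGENCY_APPROVAL_WINDOW):
    """Return the list of control exceptions for one change record."""
    exceptions = []
    approved = _ts(change["approved_at"])
    implemented = _ts(change["implemented_at"])

    if approved is None:
        exceptions.append("no approval on record")
    elif change["type"] == "emergency":
        # An emergency change may be implemented first, but approval must follow
        # promptly; a late retrospective approval is an exception, not a pass.
        if approved - implemented > window:
            exceptions.append("emergency approval outside window")
    elif approved > implemented:
        # Standard change approved after it went live is an unauthorized change.
        exceptions.append("implemented before approval")

    if not change["tested"]:
        exceptions.append("no test evidence")
    if change["developer"] == change["implementer"]:
        # Segregation of duties between development and migration to production.
        exceptions.append("developer migrated own change")
    if not change["rollback_plan"]:
        exceptions.append("no rollback plan")
    return exceptions


def check_register(changes=CHANGES):
    """Return {change_id: [exceptions]} for every change with at least one exception."""
    result = {}
    for change in changes:
        exceptions = check_change(change)
        if exceptions:
            result[change["id"]] = exceptions
    return result


if __name__ == "__main__":
    for change_id, exceptions in check_register().items():
        print(change_id, "->", "; ".join(exceptions))
```

Run over the sample register, CHG-101 and the emergency change CHG-103 pass; CHG-102 fails on three counts and CHG-104 on two. Whether a particular firewall update or an overnight restart belongs in this register is exactly the judgement the next slide asks for.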
  • 22. ITGC – Change Management
    Change management related questions:
    • The firewall software has an update available. Should that be subject to the change management process?
    • Invoicing for FG has stopped, and IT support personnel on the night shift suggest a system restart to correct the problem?
    • Management is launching a new product tomorrow; however, the new module has not been tested in the test environment?
  • 23. ITGC – Data Management
    Data Backup, Storage, and Recovery
    1. A strategy is defined for data backup type and frequency (including definition of data retention periods).
    2. A media management strategy defines media rotation and destruction.
    3. Procedures exist to periodically test the effectiveness of the restoration process and the quality of backup media.
    4. Procedures are defined and implemented to prevent access to sensitive information stored on off-line physical media.
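An added example, not from the presentation, of point 3: a restore test that proves the backup can be read back, as opposed to a backup job that merely finished without errors. It runs entirely in a temporary directory on constructed files: the "backup" is a tar archive plus a manifest of SHA-256 hashes taken at backup time, and the "restore" extracts to a fresh directory and re-hashes every file against that manifest. The file set is constructed; the archive format is a stand-in for whatever the tape software writes.

```python
"""Backup restore drill with integrity verification (added example)."""
import hashlib
import os
import tarfile
import tempfile

# Constructed data set to back up: relative path -> content.
SAMPLE_FILES = {
    "gl/journal_2018_08.csv": b"date,account,debit,credit\n2018-08-01,1000,500,0\n",
    "ar/invoices.csv": b"invoice,customer,amount\nINV-1,ACME,1200\n",
}


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(source_dir, archive_path):
    """Archive source_dir; return {relative_path: sha256} recorded at backup time.

    The manifest is the reference the restore is judged against, so it must be
    kept separately from the media it describes.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive into restore_dir, refusing unsafe paths where supported."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")   # Python 3.12+: blocks path traversal
        except TypeError:
            tar.extractall(restore_dir)                  # older Python: no filter argument


def verify_restore(manifest, restore_dir):
    """Return (relative_path, reason) for every manifest entry missing or altered."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        target = os.path.join(restore_dir, rel)
        if not os.path.exists(target):
            problems.append((rel, "missing"))
        elif sha256_file(target) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def restore_drill(corrupt=False):
    """Run backup -> restore -> verify on the sample files and return the problems.

    With corrupt=True one restored file is altered after extraction to show that
    verification catches damage that the restore tool itself never reported.
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        dst = os.path.join(work, "restore")
        for rel, data in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "wb") as handle:
                handle.write(data)
        archive = os.path.join(work, "backup.tar.gz")
        manifest = take_backup(src, archive)
        os.makedirs(dst)
        restore(archive, dst)
        if corrupt:
            with open(os.path.join(dst, "ar/invoices.csv"), "ab") as handle:
                handle.write(b"x")   # simulated media damage
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print("clean drill:", restore_drill() or "all files verified")
    print("damaged drill:", restore_drill(corrupt=True))
```

A tape library that reports no errors after the backup job answers a different question from this drill: it tells you the write completed, not that the data on the media still hashes to what was backed up, nor that the restore procedure and the people running it work under time pressure.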
  • 24. ITGC – Data Management
    Data management related questions:
    • Backups are taken on tape drives but never tested; however, the IT admin ensures the tape library does not report any error after backup completion?
    • Backups are taken and kept at the same location in a Dataline fireproof safe that can withstand temperatures up to 1000 °C for an hour and is earthquake-proof?
    • Backups are stored at the Managing Director's house in Mumbai and the disaster recovery server is at Surat?
  • 25. ITGC – Computer & Data Centre Operations
    Incident and Problem Management
    1. An incident management system is defined and implemented so that events that are not part of the standard operation are recorded, analyzed, escalated, resolved, and reported in a timely manner.
    2. Management has defined and implemented problem management procedures to help ensure that the root cause of operational events that are not part of the standard operation is resolved in a timely manner.
    Production Monitoring
    1. Management has established and documented standard procedures for IT operations, including managing, monitoring, and responding to security, availability, and processing integrity events.
    2. Management has established appropriate metrics to effectively manage, monitor, and report on day-to-day operations.
    3. System event data are retained long enough to provide chronological information and logs that enable the reconstruction, review, and examination of the time sequence of processing.
  • 26. ITGC – Computer & Data Centre Operations
    Data centre related questions:
    • The air conditioning of the server room is kept at 18 °C?
    • The server shows an amber light alert but is functioning correctly.
    • What if the above problem is accompanied by frequent restarts?
    • The server room UPS system is out of warranty?
    • Dell, the server equipment manufacturer, has declined to provide an AMC as the server is on the end-of-life support list?
    • The server room does not have rodent protection.
  • 27-29. ITGC – Computer & Data Centre Operations
    (Photographs: Picture 1 and Picture 2 of two server rooms for comparison, followed by the winner.)
  • 31. Thank You.
    Kaushal R. Trivedi, +91 9825154523, kaushal.trivedi@kcmehta.com