Auditing Information Systems
First Year Staff Training
February 18, 2015
Kenya Allmond
kallmond@allmondcpa.com
Course Objectives:
• Understand why IT is important to a financial
statement audit
• Learn the FISCAM control categories
• Understand the basics of IS control testing
As computer technology has advanced, federal agencies and other
government entities have become dependent on computerized information
systems to carry out their operations and to process, maintain, and report
essential information. Virtually all federal operations are supported by
automated systems and electronic data, and agencies would find it difficult,
if not impossible, to carry out their missions and account for their
resources without these information assets.
What is an information system?
● Information system: an integrated set of components for collecting,
storing, and processing data and for providing information, knowledge,
and digital products. – Britannica
Types of Information Systems
Sample Information System
● Purchasing
● Payables
● Inventory
● General Ledger
● Asset Management
● eProcurement
Components of an information system
● Computer Hardware
● Computer Software
● Telecommunications
● Databases and Data Warehouses
● People and Processes
Information Technology and Business Process
(diagram showing the relationship between the information technology layer
and the business process it supports)
Sample Information Technology
(diagram; contents not captured in the transcript)
Sample Business Process
● Purchasing: Enter a Requisition → Approve a Requisition → Create a
Contract → Generate Purchase Order → Approve the PO → Dispatch the PO →
Receive against PO → Put Away the Items
Protecting an Information System
Information System Audit
What is an information system audit?
● Examination of the management controls within an Information
technology (IT) infrastructure
● Information system audit and information technology audit are used
interchangeably.
Why audit information systems?
● Organizations employ IT systems in various ways, including using
discrete systems that support only particular business units or
complex, highly integrated systems that share data and support
all of an entity’s financial reporting, operations and compliance
objectives.
● An entity may use IT to initiate transactions, as well as to record,
process and report them.
● An organization’s procedures may have changed as a result of the
shift from using paper documents and records to using
automated procedures and records in electronic format.
● The internal controls in most IT systems are a combination of
both automated and manual. The manual controls may be
independent of the IT system, use information from it or only
monitor the system’s effective functioning.
AICPA Statement on Auditing Standards (SAS) No. 94, “The Effect
of Information Technology on the Auditor’s Consideration of
Internal Control in a Financial Statement Audit”
Risk of Ineffective Information System Controls
● Ineffective IS controls can result in significant risk to a
broad array of government operations and assets:
○ Resources, such as payments and collections, could be
lost or stolen.
○ Computer resources could be used for unauthorized
purposes, including the launching of attacks on others.
○ Sensitive information, such as taxpayer data, Social
Security records, medical records, other personally
identifiable information, and proprietary business
information, could be inappropriately added, deleted,
read, copied, disclosed, or modified for purposes such
as espionage, identity theft, or other types of crime.
Risk of Ineffective Information System Controls (cont’d)
○ Critical operations, such as those supporting national defense and
emergency services, could be disrupted.
○ Data could be modified or destroyed for purposes of fraud or
disruption.
○ Entity missions could be undermined by embarrassing incidents that
result in diminished confidence in an entity’s ability to conduct
operations and fulfill its responsibilities.
Relevant Laws and Regulations
● Federal Financial Management Improvement Act of 1996 (FFMIA)
● Federal Managers Financial Integrity Act of 1982 (FMFIA)
● Federal Information Security Modernization Act of 2014 (FISMA)
● Office of Management and Budget Circular A-130, Management of Federal
Information Resources, Appendix III, Security of Federal Automated
Information Resources
● Office of Management and Budget Circular A-123, Management's
Responsibility for Internal Control
● Office of Management and Budget Circular A-127, Financial
Management Systems
● Federal Information Processing Standards (FIPS)
● NIST Special Publications
● Department of Defense Directives and Instructions
Relevant Guidance from NIST
● NIST SP 800-53, Security and Privacy Controls for Federal
Information Systems and Organizations
● NIST SP 800-53A, Assessing Security and Privacy Controls in
Federal Information Systems and Organizations: Building
Effective Assessment Plans
● NIST SP 800-50, Building an Information Technology
Security Awareness Program
● NIST SP 800-30, Guide for Conducting Risk Assessments
● NIST SP 800-18, Guide for Developing Security Plans for
Federal Information Systems
● NIST SP 800-47, Security Guide for Interconnecting
Information Technology Systems
● and more
Relevant Guidance from DoD
● DoD Directive 8500.01E, Information Assurance
● DoD Manual 8570.01-M, Information Assurance
Workforce Improvement Program
● DoD Directive 8000.1, Management of DoD
Information Resources
● DoD Instruction 8500.2, Information Assurance
Implementation
● DoD Instruction 8510.01, DoD Information
Assurance Certification and Accreditation Process
(DIACAP)
● and more
OBSOLETE: the DoD issuances above were superseded in March 2014. DoDD
8500.01E and DoDI 8500.2 were replaced by DoDI 8500.01, Cybersecurity, and
DIACAP was replaced by the Risk Management Framework (RMF) for DoD
Information Technology in the reissued DoDI 8510.01.
Audit Methodology
● Government Accountability Office’s (GAO) Federal Information Systems
Controls Audit Manual (FISCAM)
○ Consistent with Federal Audit Manual (FAM)
● Divides controls into 2 types:
○ Information technology general controls (ITGC)
○ Application and business process controls
Phases
● Planning Phase
● Internal Control Phase
● Reporting Phase
Planning Phase
● Understand the overall audit objectives and related
scope of the information system controls audit
● Understand the entity’s operations and key business
processes.
● Obtain a general understanding of the structure of the
entity’s networks
● Identify key areas of audit interest
● Assess information system risk on a preliminary basis
● Identify critical control points
● Obtain a preliminary understanding of information
system controls
Planning Phase
● Perform Other Audit Planning Procedures
○ Relevant Laws and Regulations
○ Consideration of the Risk of Fraud
○ Previous Audits and Attestation Engagements
○ Audit Resources
○ Multiyear Testing Plans
○ Communication with Entity Management and Those
Charged with Governance
○ Service Organizations
○ Using the Work of Others
○ Audit Plan
Internal Control Phase
● Understand information systems relevant to the audit
objectives
● Determine which IS control techniques are relevant to the
audit objectives
● For each relevant IS control technique determine whether it
is suitably designed to achieve the critical activity and has
been implemented
● Perform tests to determine whether such control
techniques are operating effectively
● Identify potential weaknesses in IS controls and consider
compensating controls
● Perform testing of corrective actions taken to address
prior-year open recommendations.
Types of IT Controls
● Information Technology General Controls
○ Tested on Entity, Application, and System (Database and Operating
System) Levels.
● Application and Business Processing Controls
○ Tested at the Application Level.
○ Testing automated controls that enforce business process.
○ Includes interfaces to other applications.
Internal Controls: Test of Design and Implementation
● Interviews and walkthroughs.
● Examination of policies and procedures.
○ Are they adequate?
○ Are they approved by management?
● Determine if policies and procedures are implemented.
Internal Controls: Test of Operating Effectiveness
● Observation of controls
● Examination of configuration settings
● Examination of transaction logs or other system generated information.
● Sampling in line with FAM.
Reporting Phase
● Develop and deliver Notifications of Findings and Recommendations to
management as issues are identified and verified with management
and approved by the OIG.
● Report on results of IT testing as appropriate in the internal controls
report.
● Prepare management letter reports on the information systems'
general and application control environments.
Application and Business Process
Controls
Application & Business Process Controls
“The overall objectives of business process application
level controls are to provide reasonable assurance about
the completeness, accuracy, validity and confidentiality
of transactions and data during application processing.
Each specific business process control technique is
designed to achieve one or more of these objectives. The
effectiveness of business process controls depends on
whether all of these overall objectives are achieved.”
○ GAO FISCAM
Application & Business Process Controls
Completeness (C) controls should provide reasonable assurance that all
transactions that occurred are input into the system, accepted for
processing, processed once and only once by the system, and properly
included in output. Completeness controls include the following key
elements:
● transactions are completely input,
● valid transactions are accepted by the system,
● duplicate postings are rejected by the system,
● rejected transactions are identified, corrected and re-processed; and
● all transactions accepted by the system are processed completely. The
most common completeness controls in applications are batch totals,
sequence checking, matching, duplicate checking, reconciliations,
control totals and exception reporting.
Application & Business Process Controls
Accuracy (A) controls should provide reasonable assurance that
transactions are properly recorded, with the correct amount/data,
and on a timely basis (in the proper period); key data elements
input for transactions are accurate; and data elements are
processed accurately by applications that produce reliable results;
and output is accurate.
Accuracy control techniques include programmed edit checks (e.g.,
validations, reasonableness checks, dependency checks, existence
checks, format checks, mathematical accuracy, range checks, etc.),
batch totals and check digit verification.
Application & Business Process Controls
Validity (V) controls should provide reasonable assurance (1) that all
recorded transactions actually occurred (are real), relate to the
organization, and were properly approved in accordance with
management’s authorization; and (2) that output contains only valid
data. A transaction is valid when it has been authorized (for
example, buying from a particular supplier) and when the master
data relating to that transaction is reliable (for example, the name,
bank account and other details on that supplier). Validity includes
the concept of authenticity. Examples of validity controls are
one-for-one checking and matching.
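The completeness, accuracy and validity slides above list the control techniques an auditor tests (batch and control totals, sequence checking, duplicate checking, programmed edit checks, check-digit verification, one-for-one matching). The following is an added example, not code from the deck or from GAO: a Python re-performance of those controls over a constructed vendor-invoice batch. The vendor master, purchase orders, receipts, the 6-digit invoice number with a Luhn (mod-10) check digit, the amount range and the accounting period are all assumptions made for the example.

```python
"""Application-level control tests over a constructed vendor-invoice batch.

Completeness: batch/control totals, sequence check, duplicate check.
Accuracy:     edit checks (format, range, existence, period) and a check digit
              (Luhn mod-10 is ASSUMED for the example; not from the deck).
Validity:     authorization against the vendor master and a one-for-one
              three-way match of invoice to purchase order and goods receipt.
"""
from dataclasses import dataclass
from datetime import date

# Constructed master data: vendor_id -> (name, approved supplier?)
VENDOR_MASTER = {"V1001": ("Acme Supply", True), "V1002": ("Beta Services", True),
                 "V1003": ("Gamma Corp", False)}   # in the master but never approved
# Constructed purchase orders (po -> (vendor_id, amount)) and goods receipts
PURCHASE_ORDERS = {"PO-501": ("V1001", 1200.00), "PO-502": ("V1002", 800.00)}
RECEIPTS = {"PO-501": 1200.00}                      # PO-502 has no receipt yet
PERIOD_START, PERIOD_END = date(2015, 2, 1), date(2015, 2, 28)


@dataclass
class Invoice:
    seq: int            # batch sequence number assigned at input
    invoice_no: str     # 6 digits; rightmost digit is the check digit
    vendor_id: str
    po: str
    amount: float
    inv_date: date


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check-digit verification over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def completeness_checks(header_count, header_total, invoices):
    """Batch totals, sequence gaps and duplicate postings (completeness controls)."""
    findings = []
    if len(invoices) != header_count:
        findings.append(f"record count {len(invoices)} != batch header {header_count}")
    total = round(sum(i.amount for i in invoices), 2)
    if total != round(header_total, 2):
        findings.append(f"control total {total:.2f} != batch header {header_total:.2f}")
    seqs = sorted(i.seq for i in invoices)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    if missing:
        findings.append(f"sequence gap: missing {missing}")
    seen, dups = set(), []
    for i in invoices:                       # same vendor + number + amount = duplicate
        key = (i.vendor_id, i.invoice_no, round(i.amount, 2))
        if key in seen:
            dups.append(i.invoice_no)
        seen.add(key)
    if dups:
        findings.append(f"duplicate postings: {dups}")
    return findings


def accuracy_checks(inv):
    """Programmed edit checks and check-digit verification (accuracy controls)."""
    f = []
    if not (inv.invoice_no.isdigit() and len(inv.invoice_no) == 6):
        f.append("format: invoice number must be 6 digits")
    elif not luhn_ok(inv.invoice_no):
        f.append("check digit: invoice number fails mod-10 verification")
    if not 0 < inv.amount <= 100_000:
        f.append(f"range: amount {inv.amount:.2f} outside (0, 100000]")
    if inv.vendor_id not in VENDOR_MASTER:
        f.append(f"existence: vendor {inv.vendor_id} not in vendor master")
    if not PERIOD_START <= inv.inv_date <= PERIOD_END:
        f.append(f"period: {inv.inv_date} outside the accounting period")
    return f


def validity_checks(inv):
    """Authorization and one-for-one three-way match (validity controls)."""
    f = []
    vendor = VENDOR_MASTER.get(inv.vendor_id)
    if vendor and not vendor[1]:
        f.append(f"authorization: vendor {inv.vendor_id} is not an approved supplier")
    po = PURCHASE_ORDERS.get(inv.po)
    if po is None:
        f.append(f"match: no purchase order {inv.po}")
        return f
    if po[0] != inv.vendor_id:
        f.append(f"match: {inv.po} was issued to vendor {po[0]}, not {inv.vendor_id}")
    if abs(po[1] - inv.amount) > 0.005:
        f.append(f"match: amount {inv.amount:.2f} != PO amount {po[1]:.2f}")
    if inv.po not in RECEIPTS:
        f.append(f"match: no goods receipt for {inv.po}; block for payment")
    return f


def run_batch(header_count, header_total, invoices):
    """Run all three control families; findings keyed by batch and by sequence number."""
    return {"batch": completeness_checks(header_count, header_total, invoices),
            "invoices": {i.seq: {"accuracy": accuracy_checks(i), "validity": validity_checks(i)}
                         for i in invoices}}


# Constructed batch; its header claims 6 records totalling 4000.00
SAMPLE_BATCH = [
    Invoice(1, "100016", "V1001", "PO-501", 1200.00, date(2015, 2, 10)),  # clean
    Invoice(2, "100024", "V1002", "PO-502", 800.00, date(2015, 2, 12)),   # no receipt
    Invoice(3, "100024", "V1002", "PO-502", 800.00, date(2015, 2, 12)),   # duplicate
    Invoice(5, "100041", "V1003", "PO-999", 950.00, date(2015, 3, 2)),    # seq 4 missing
    Invoice(6, "100057", "V1001", "PO-501", -50.00, date(2015, 2, 20)),   # bad amount
]

if __name__ == "__main__":
    result = run_batch(6, 4000.00, SAMPLE_BATCH)
    for line in result["batch"]:
        print("BATCH:", line)
    for seq, v in result["invoices"].items():
        for line in v["accuracy"] + v["validity"]:
            print(f"seq {seq}:", line)
```

Each finding maps to one of the objectives on the slides: the batch-level findings are completeness exceptions (a record not input, a sequence gap, a duplicate posting), the per-invoice edit-check findings are accuracy exceptions, and the failed three-way match is the automated "block for payment" described later in the deck.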
Application & Business Process Controls
Confidentiality (CF) controls should provide reasonable assurance
that application data and reports and other output are protected
against unauthorized access. Examples of confidentiality controls
include restricted physical and logical access to sensitive business
process applications, data files, transactions, and output, and
adequate segregation of duties. Confidentiality also includes
restricted access to data reporting/extraction tools as well as copies
or extractions of data files.
Application & Business Process Controls
Availability controls should provide reasonable assurance that
application data and reports and other relevant business
information are readily available to users when needed. These
controls are principally addressed in application security controls
(especially contingency planning) and therefore, are not included as
specific business process controls.
Application & Business Process Controls
Application controls can be automated or manual (sometimes
referred to as user controls). The auditor will find that most
business processes will have a combination of automated and
manual controls that balance resource requirements and risk
mitigation. Also, management may use manual controls as effective
monitoring controls. It is important to understand how these types
of controls inter-relate when assessing application controls. The
auditor should evaluate the adequacy of controls, both automated
and manual, to determine whether or not management has
appropriately mitigated risks and achieved its control objectives.
Application & Business Process Controls
Example: A vendor invoice can be blocked for payment
automatically if the goods or services are not received or if the
payment exceeds a specific threshold and requires additional
review and approval. Manual controls, such as the review of reports
or payments over a certain amount, could effectively detect an
invoice payment without goods receipt, or a high-dollar payment,
but may not occur in time to stop the payment.
Application & Business Process Controls
The operating effectiveness of an automated application control
during the audit period also depends on the operating effectiveness
of related general controls (at the entitywide, system and
applications levels). For example, effective general controls are
necessary to prevent or detect management overrides or other
unauthorized changes to computer applications or data that could
preclude or impair the operation of the automated control.
Application & Business Process Controls
The auditor should perform the following procedures as part of
testing and evaluating the effectiveness of application level controls:
● Understand information systems relevant to the audit objectives,
building on identification of key areas of audit interest and
critical control points.
● Determine which IS control techniques are relevant to the audit
objectives. The control categories, critical elements, and control
activities in Chapters 3 and 4 of FISCAM are generally relevant to
all audits.
Application & Business Process Controls
The auditor considers the following in designing the tests of application
level controls:
• The nature of the control;
• The significance of the control in achieving the control objective(s);
• The risk of the control not being properly applied. [also see FAM 340];
• All of the key controls that management is relying on to address the risks
for a specific business process or a sub-process, which may include
automated and manual controls;
• The key controls outside the application under audit, as the business
process may involve other applications for a downstream or upstream
sub-process; and
• The strength or weakness of the entity-wide and system level controls.
The depth of the testing is based on the level of risk of the entity under
review and the audit objectives. In the absence of effective general controls,
the auditor may conclude that business process application level controls
are not likely to be effective.
Application & Business Process Controls
Specific types of business process controls are:
• Transaction Data Input relates to controls over data that enter the
application (e.g., data validation and edit checks).
• Transaction Data Processing relates to controls over data integrity
within the application (e.g., review of transaction processing logs).
• Transaction Data Output relates to controls over data output and
distribution (e.g., output reconciliation and review).
• Master Data Setup and Maintenance relates to controls over
master data, the key information that is relatively constant and
shared between multiple functions or applications (e.g., vendor file).
Sample Business Process (repeated from the earlier slide)
● Purchasing: Enter a Requisition → Approve a Requisition → Create a
Contract → Generate Purchase Order → Approve the PO → Dispatch the PO →
Receive against PO → Put Away the Items
Application & Business Process Controls
Every business process employs master data, or referential data
that provides the basis for ongoing business activities, e.g.,
customers, vendors, and employees. The data that are generated as
a result of these activities are called transaction data, and represent
the result of the activity in the form of documents or postings, such
as purchase orders and obligations. Examples of master data are:
• Organizational structure
• G/L Account Structure
• Vendor Master
• Employee Master
Application & Business Process Controls
Questions that may be used to collect information from the user include the
following.
● For what purpose do you use the transaction output?
○ initiate transaction, authorize changes to the system, maintain information
controls, or other?
● Can the transaction output be used without correction?
● Is the information accurate and reliable, available when needed, current and
up-to-date?
● Do you maintain manual records to supplement the transaction output?
● Do you check the information for quality (accuracy, completeness, and validity)
when you receive it?
● Is the transaction output ever rerun by the data center?
● Are you authorized to make changes to the information and if so, can you
override validation and edit checks incorporated into the business process
application?
Other Control Categories
● Interface Controls
● Data Management System Controls
○ Segregation of Duties
○ Strong Authentication
○ Restrictive access
Information Technology General Controls
Control Areas
● Security Management
● Access Controls
● Configuration Management
● Segregation of Duties
● Contingency Planning
Security Management (SM)
● Controls provide reasonable assurance that security management is
effective
SM Key Terms
● System Security Plan (SSP)
● Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP)
● Plan of Action & Milestones (POA&M)
SM Critical Elements
1. Security Management Program
2. Risk Assessments
3. Security Control Policies and Procedures
4. Security Awareness and Other Security-Related Personnel Policies
5. Monitor effectiveness of the security program
6. Remediation of information security weaknesses
7. Activities performed by external third parties are adequately secure
SM Critical Elements
1. Security Management Program
○ Documented, approved, up-to-date (SSP or DIACAP)
○ Security management structure (independence, authority, expertise, resources)
○ Information security responsibilities
○ Subordinate security plans
○ System Inventory
SM Critical Elements
2. Risk Assessments
○ Systems are categorized (low, moderate, high) according to the
impact that threats to confidentiality, integrity and availability
would have on organizational operations, organizational assets and
individuals; the category determines the type of controls that
should be in place
○ Risk is reassessed on a periodic basis
○ Changes to the system, facilities or other conditions require a
reassessment of risk
○ A federal system is certified and accredited before being placed
in operation and at least every 3 years or when major system
changes occur
Potential Impact (FIPS 199 categorization)

Confidentiality: preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and
proprietary information.
  Low: the unauthorized disclosure of information could be expected to
  have a limited adverse effect on organizational operations,
  organizational assets or individuals.
  Moderate: the unauthorized disclosure of information could be expected
  to have a serious adverse effect on organizational operations,
  organizational assets or individuals.
  High: the unauthorized disclosure of information could be expected to
  have a severe or catastrophic adverse effect on organizational
  operations, organizational assets or individuals.

Integrity: guarding against improper information modification or
destruction, including ensuring non-repudiation and authenticity.
  Low: the unauthorized modification or destruction of information could
  be expected to have a limited adverse effect on organizational
  operations, organizational assets or individuals.
  Moderate: the unauthorized modification or destruction of information
  could be expected to have a serious adverse effect on organizational
  operations, organizational assets or individuals.
  High: the unauthorized modification or destruction of information could
  be expected to have a severe or catastrophic adverse effect on
  organizational operations, organizational assets or individuals.

Availability: ensuring timely and reliable access to and use of
information.
  Low: the disruption of access to or use of information or an
  information system could be expected to have a limited adverse effect
  on organizational operations, organizational assets or individuals.
  Moderate: the disruption of access to or use of information or an
  information system could be expected to have a serious adverse effect
  on organizational operations, organizational assets or individuals.
  High: the disruption of access to or use of information or an
  information system could be expected to have a severe or catastrophic
  adverse effect on organizational operations, organizational assets or
  individuals.
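The categorization the risk-assessment slide and the impact table describe is mechanical once each information type on a system has been rated: the system takes the highest rating per objective across its information types (the FIPS 199 high-water mark), and the highest of the three objectives selects the control baseline. The block below is an added example, not code from the deck; the financial-system information types and their ratings are constructed for illustration.

```python
"""FIPS 199 security categorization by high-water mark (added example).

Each information type on a system carries a (confidentiality, integrity,
availability) impact rating. The system's security category is the highest
rating per objective across all types; the overall impact level, which
selects the control baseline, is the highest of the three objectives.
"""
LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _level(objective, value):
    v = str(value).strip().lower()
    if v not in LEVELS:
        raise ValueError(f"{objective}: unknown impact level {value!r}")
    if v == "n/a" and objective != "confidentiality":
        # FIPS 199 permits "not applicable" only for the confidentiality of an
        # information type (e.g. public information), never for I or A.
        raise ValueError(f"{objective}: 'n/a' is not a permitted impact level")
    return LEVELS[v]


def categorize(info_types):
    """info_types: {name: (C, I, A)} -> per-objective levels plus "system".

    System-level values are floored at low: an information system cannot be
    rated not-applicable even if every information type on it is.
    """
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    high_water = {obj: LEVELS["low"] for obj in OBJECTIVES}
    for name, ratings in info_types.items():
        if len(ratings) != 3:
            raise ValueError(f"{name}: need (C, I, A) ratings")
        for obj, value in zip(OBJECTIVES, ratings):
            high_water[obj] = max(high_water[obj], _level(obj, value))
    names = {v: k for k, v in LEVELS.items()}
    result = {obj: names[high_water[obj]] for obj in OBJECTIVES}
    result["system"] = names[max(high_water.values())]
    return result


def security_category(info_types):
    """Render the category in the notation used in a system security plan."""
    c = categorize(info_types)
    return "SC system = {" + ", ".join(f"({obj}, {c[obj].upper()})" for obj in OBJECTIVES) + "}"


# Constructed financial system with three information types (example data)
FINANCIAL_SYSTEM = {
    "public purchasing announcements": ("n/a", "low", "low"),
    "vendor bank account data":        ("moderate", "moderate", "low"),
    "general ledger postings":         ("moderate", "high", "moderate"),
}

if __name__ == "__main__":
    print(security_category(FINANCIAL_SYSTEM))
    print("overall impact level:", categorize(FINANCIAL_SYSTEM)["system"])
```

An auditor re-performing the categorization compares this result with the level recorded in the system security plan; a system whose plan says "moderate" but whose ledger data is rated high for integrity has been under-categorized, and the controls selected from the lower baseline are the finding.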
SM Critical Elements
3. Security Control Policies and Procedures
○ Documented, approved by management
○ Appropriately consider risk
○ Address purpose, scope, roles, responsibilities and compliance
○ Ensure that users can be held accountable for their actions
○ Appropriately consider general and application controls
○ Periodically reviewed and updated
SM Critical Elements
4. Security Awareness and Other Security-Related Personnel
Policies
○ Resource owners, system administrators and users are aware of
security policies
○ Hiring, transfer, termination and performance policies address
security
○ Employees have adequate training and expertise
SM Critical Elements
5. Monitor effectiveness of the security program
○ Appropriate monitoring and testing policies and
procedures are documented
○ Management routinely conducts vulnerability
assessments and promptly corrects identified control
weaknesses, tracked on POA&M
○ Frequency and scope of security control testing is
commensurate with risk
○ Independent evaluation of entity’s information security
control tests effectiveness of security policies, procedures
and practices, results submitted to appropriate oversight
bodies
SM Critical Elements
6. Remediation of Information Security Weaknesses
○ Management initiates prompt action to correct deficiencies, action
plans and milestones are documented
○ Deficiencies are analyzed in relation to the entire agency/entity,
appropriate corrective actions applied entity-wide
○ Corrective actions are tested and are monitored after they have
been implemented and monitored on a continuing basis
SM Critical Elements
7. Activities performed by external third parties are
adequately secure
○ Appropriate policies and procedures concerning activities of
external third parties (vendors, contractors, service bureau) are
documented, agreed to, implemented and monitored for
compliance.
○ Include provisions for clearances, background checks,
confidentiality agreements, monitoring, termination
procedures, etc.
Access Controls (AC)
● Controls provide reasonable assurance that access to computer
resources (data, equipment, and facilities) is reasonable and restricted
to authorized individuals
AC Key Terms
● Identification – Who you are (username)
● Authentication – How you prove who you are (passwords, PINs,
tokens, fingerprints, etc.)
● Authorization – What you are allowed to do once granted access
● Least privilege – Users only have those privileges which are
essential to that user's work
AC Critical Elements
1. Adequately protect information system boundaries
2. Implement effective identification and authentication mechanisms
3. Implement effective authorization controls
4. Adequately protect sensitive system resources
5. Implement an effective audit and monitoring capability
6. Establish adequate physical security controls
AC Critical Elements
1. Adequately protect information system boundaries
• Is Defense-in-Depth effectively implemented through
multiple security measures among hosts, local area
networks and wide area networks, and the Internet?
AC Critical Elements
1. Adequately protect information system boundaries
○ Information system identifies and authenticates specific network devices before
establishing a connection
○ Remote access is appropriately controlled and protected
○ Connectivity approved only to perform assigned official duties
○ Sessions are ended after a period of inactivity
○ Warning banners
AC Critical Elements
2. Implement effective identification and
authentication mechanisms
○ Unique user ID, each user has own and no user IDs
are shared
○ Authentication methods are based on risk:
passwords, token, biometric
○ Passwords
■ Not displayed when entered
■ Sufficiently complex (length, types of characters)
■ Automatically expire, prohibited from reuse for specific
period of time
○ Unsuccessful logon attempts are limited
AC Critical Elements
3. Implement effective authorization controls
○ Resource owners identify authorized users and the access
they are authorized to have
○ Security managers review access authorizations and discuss
questionable authorizations with resource owners
○ All changes to security access authorizations are
automatically logged and periodically reviewed by
management independent of the security function
○ Resource owners periodically review access for continuing
appropriateness
○ Access is limited to individuals with valid business purpose
(least privilege)
○ Inactive accounts and the accounts of terminated individuals
are disabled or removed in a timely manner
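The authorization tests above (unique user IDs, access limited to people with a valid business purpose, inactive and terminated accounts disabled promptly) are usually re-performed by joining the system's account listing to the HR roster. The block below is an added example, not from the deck: the account listing, the HR roster, the review date and the thresholds (90 days inactive, one day to disable a terminated user) are all constructed assumptions.

```python
"""Access authorization review over constructed account and HR data (added example).

Re-performs the AC tests: no shared or unowned IDs, every enabled account
traceable to a person with a business purpose, terminated individuals
disabled promptly, inactive accounts (privileged ones flagged) disabled.
"""
from datetime import date

INACTIVE_DAYS = 90      # assumed policy threshold, not from the deck
TERMINATION_GRACE = 1   # assumed: disable within 1 day of termination
AS_OF = date(2015, 2, 18)

# Constructed HR roster: user -> (employee id, termination date or None);
# a value of None marks a service account with no person behind it.
HR = {
    "jdoe":       ("E100", None),
    "asmith":     ("E101", date(2015, 1, 15)),   # terminated
    "bkumar":     ("E102", None),
    "svc_backup": None,
}

# Constructed account listing: (user, enabled, last logon, privileged, owner)
ACCOUNTS = [
    ("jdoe",       True, date(2015, 2, 17), False, "jdoe"),
    ("asmith",     True, date(2015, 1, 14), False, "asmith"),   # terminated, still enabled
    ("bkumar",     True, date(2014, 10, 1), True,  "bkumar"),   # inactive privileged account
    ("finance",    True, date(2015, 2, 18), False, None),       # shared ID, no owner
    ("svc_backup", True, date(2015, 2, 18), True,  "IT Ops"),   # service account, owner documented
    ("ghost",      True, date(2015, 2, 1),  False, "ghost"),    # not in the HR roster
]


def review_accounts(accounts, hr, as_of):
    """Return [(user, exception)] for every enabled account failing a test."""
    findings = []
    for user, enabled, last_logon, privileged, owner in accounts:
        if not enabled:
            continue                                     # disabled accounts are out of scope
        if owner is None:
            findings.append((user, "shared or unowned ID: no accountable individual"))
        hr_rec = hr.get(user, "missing")
        if hr_rec == "missing":
            findings.append((user, "no HR record: no valid business purpose established"))
        elif hr_rec is not None and hr_rec[1] is not None:
            overdue = (as_of - hr_rec[1]).days
            if overdue > TERMINATION_GRACE:
                findings.append((user, f"terminated {overdue} days ago, still enabled"))
        idle = (as_of - last_logon).days
        if idle > INACTIVE_DAYS:
            tag = "privileged " if privileged else ""
            findings.append((user, f"{tag}account inactive {idle} days"))
    return findings


def privileged_accounts(accounts):
    """Enabled privileged accounts, the population whose use must be monitored."""
    return sorted(u for u, enabled, _, priv, _ in accounts if enabled and priv)


if __name__ == "__main__":
    for user, issue in review_accounts(ACCOUNTS, HR, AS_OF):
        print(f"{user}: {issue}")
    print("privileged population:", privileged_accounts(ACCOUNTS))
```

Each exception is evidence against one authorization test; the privileged population is the sample for the separate test that use of sensitive accounts is monitored.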
AC Critical Elements
4. Adequately protect sensitive system resources
○ Access to sensitive/privileged accounts is restricted
to individuals having a legitimate business need
○ Use of sensitive/privileged accounts is adequately
monitored
○ Passwords/authentication services and directories
are appropriately controlled and encrypted
○ Information system partitions or separates user
functionality from information system management
functionality
○ Information system isolates security functions from
non-security functions
AC Critical Elements
5. Implement an effective audit and monitoring capability
○ An effective incident response program has been implemented
○ An effective intrusion detection program has been implemented
○ Events that will be audited have been identified based on risk
assessment
○ All auditable events, including access to and modifications of
sensitive or critical system resources, are logged.
○ Audit records contain sufficient information to establish what
events occurred, when they occurred, the source and outcome of
the events.
○ Audit logs are reviewed regularly
○ Audit logs are retained long enough to support after-the-fact
investigations
○ Security violations are reported and investigated, and the results are
reported to management
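Testing the audit and monitoring element means reading the logs themselves: does each record establish what happened, when, from where and with what outcome, and does the log show the controls (such as the logon-attempt limit) actually operating? The block below is an added example, not from the deck. The key=value log format, the sample lines, the lockout policy (5 failures in 10 minutes) and the list of security-relevant events are constructed assumptions.

```python
"""Audit log sufficiency and review over constructed log lines (added example).

Checks: every record carries what/who/where/when/outcome; failed logons are
limited (an ASSUMED lockout of 5 failures within 10 minutes); changes to
security-relevant resources are surfaced for management review.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED = ("ts", "user", "src", "event", "outcome")   # when/who/where/what/outcome
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=10)      # assumed lockout policy
SECURITY_EVENTS = {"ROLE_GRANT", "ACL_CHANGE", "POLICY_CHANGE", "LOG_CLEAR"}
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed log lines (key=value form assumed for the example)
SAMPLE_LOG = """\
ts=2015-02-18T08:59:10Z user=jdoe src=10.1.2.3 event=LOGON outcome=SUCCESS
ts=2015-02-18T09:00:01Z user=svc_etl src=10.1.9.9 event=LOGON outcome=FAIL
ts=2015-02-18T09:00:07Z user=svc_etl src=10.1.9.9 event=LOGON outcome=FAIL
ts=2015-02-18T09:00:12Z user=svc_etl src=10.1.9.9 event=LOGON outcome=FAIL
ts=2015-02-18T09:00:20Z user=svc_etl src=10.1.9.9 event=LOGON outcome=FAIL
ts=2015-02-18T09:00:31Z user=svc_etl src=10.1.9.9 event=LOGON outcome=FAIL
ts=2015-02-18T09:00:40Z user=svc_etl src=10.1.9.9 event=LOGON outcome=SUCCESS
ts=2015-02-18T09:15:00Z user=admin src=10.1.2.50 event=ROLE_GRANT target=jdoe outcome=SUCCESS
ts=2015-02-18T09:16:00Z user=admin event=LOG_CLEAR outcome=SUCCESS
"""


def parse(text):
    """One dict per non-empty line; fields are key=value tokens."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def review(records):
    findings = []
    fails = defaultdict(list)            # user -> timestamps of recent failed logons
    for n, r in enumerate(records, 1):
        missing = [k for k in REQUIRED if k not in r]
        if missing:
            findings.append(f"line {n}: record lacks {missing}; insufficient for investigation")
        if r.get("event") in SECURITY_EVENTS:
            who = " ".join(x for x in (r.get("user", "?"), r["event"], r.get("target")) if x)
            findings.append(f"line {n}: {who} needs management review")
        if "ts" not in r or r.get("event") != "LOGON":
            continue
        t = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = r.get("user", "?")
        if r.get("outcome") == "FAIL":
            window = [x for x in fails[user] if t - x <= FAIL_WINDOW] + [t]
            fails[user] = window
            if len(window) >= FAIL_LIMIT:
                findings.append(f"line {n}: {user} reached {len(window)} failed logons "
                                f"within {FAIL_WINDOW.seconds // 60} minutes")
        elif r.get("outcome") == "SUCCESS" and len(fails[user]) >= FAIL_LIMIT:
            findings.append(f"line {n}: {user} logged on after {len(fails[user])} failures; "
                            "lockout not enforced")
    return findings


if __name__ == "__main__":
    for line in review(parse(SAMPLE_LOG)):
        print(line)
```

The successful logon right after the fifth failure is the finding that matters: the policy says attempts are limited, the log shows they were not. The record without a source address shows why the "sufficient information" test is run before anything else; a log that cannot say where an event came from cannot support an after-the-fact investigation.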
AC Critical Elements
6. Establish adequate physical security controls
○ Risk management approach used to identify level of
physical security needed
○ Ongoing monitoring of physical security program and
independent assessments
○ Critical systems have emergency power
○ Employees are authorized and credentials are issued to
allow access, access limited to individuals that routinely
need access
○ Employee access reviewed regularly
○ Physical access logs reviewed regularly
○ Entry codes changed periodically
○ Visitors are prescreened, formally signed in, badged and
escorted
Configuration Management (CM)
● Controls provide reasonable assurance that
changes to information system resources are
authorized and systems are configured and
operated securely and as intended
CM Key Terms
● Change Control Board (CCB) – management body that reviews and
approves configuration changes before they are made
● Software Development Lifecycle
● Solutions Delivery Lifecycle
Software/System Development Life Cycle (SDLC)
CM Critical Elements
1. Develop and document CM policies, plans and
procedures
2. Maintain current configuration identification
information
3. Properly authorize, test, approve, track and control
all configuration changes
4. Routinely monitor the configuration
5. Update software on a timely basis to protect
against known vulnerability
6. Appropriately document and approve emergency
changes to the configuration
CM Critical Elements
1. Develop and document CM policies, plans and
procedures
○ An effective CM process is documented and implemented.
○ Includes:
■ A CM plan that identifies roles, responsibilities, procedures and
documentation requirements
■ Permitting only essential capabilities and restricting the use of
dangerous functions
■ Regular review and approval of changes by management (CCB)
■ Appropriate representation on CCB from across the entity
■ A formal SDLC methodology that includes system-level security
engineering principles to be considered in the design,
development and operation of an information system
■ Appropriate systems documentation
CM Critical Elements
2. Maintain current configuration identification information
○ A current and comprehensive baseline inventory of hardware,
software and firmware is documented, backed up and protected;
information system documentation describes security controls in
sufficient detail to permit analysis and testing of controls
○ Hardware, software and firmware are mapped to the application it
supports
CM Critical Elements
3. Properly authorize, test, approve, track and control all
configuration changes
○ Configuration changes are authorized by management
○ Detailed specifications are prepared by the programmer and
reviewed by a programming supervisor for system and application
software changes
○ Test plans are documented and approved that define responsibilities
for each party involved (users, system analysts, programmers,
auditors, quality assurance, library control), include appropriate
consideration of security
○ Program changes are moved into production only when approved by
management and by persons independent of programmer
○ CM tools produce audit trails of program changes, record and report
program changes, maintain copies of previous versions
○ Configuration changes to network devices (e.g., routers, switches,
firewalls) are properly controlled and documented
CM Critical Elements
4. Routinely monitor the configuration
○ Routinely validate that the current configuration information is up-to-date and working as
intended for networks, operating systems and infrastructure applications
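Critical elements 2 to 4 come together in one test: take the approved baseline inventory, take what is actually on the host, and trace every difference to a change the CCB approved. Anything not traceable is an unauthorized change. The block below is an added example, not code from the deck; the host, package versions, sshd settings and change ticket are constructed.

```python
"""Configuration baseline comparison for CM critical elements 2 to 4 (added example).

Compares the approved baseline (inventory plus security-relevant settings)
with what is observed on the host and classifies each difference as
authorized (traceable to an approved change record) or unauthorized.
All hosts, versions, settings and tickets below are constructed.
"""

# Approved baseline: host -> {item: value}
APPROVED_BASELINE = {"erp01": {
    "openssl": "1.0.1e-30", "httpd": "2.2.15-39", "kernel": "2.6.32-504",
    "sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"}}

# What the auditor observed on the host during fieldwork
OBSERVED = {"erp01": {
    "openssl": "1.0.1e-34",            # patched; covered by CHG-1042 below
    "httpd": "2.2.15-39",
    "kernel": "2.6.32-504",
    "sshd.PermitRootLogin": "yes",     # changed with no ticket
    "sshd.PasswordAuthentication": "no",
    "netcat": "1.84-24"}}              # new package with no ticket

# CCB-approved change records: (ticket, host, item, approved new value)
APPROVED_CHANGES = [("CHG-1042", "erp01", "openssl", "1.0.1e-34")]


def compare(baseline, observed, changes):
    """Return one finding dict per difference between baseline and observed state."""
    approved = {(host, item, value): ticket for ticket, host, item, value in changes}
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        base, cur = baseline.get(host, {}), observed.get(host, {})
        for item in sorted(set(base) | set(cur)):
            if base.get(item) == cur.get(item):
                continue                                  # matches the baseline
            kind = ("added" if item not in base else
                    "removed" if item not in cur else "changed")
            ticket = approved.get((host, item, cur.get(item)))
            findings.append({"host": host, "item": item, "kind": kind,
                             "baseline": base.get(item), "observed": cur.get(item),
                             "status": f"authorized ({ticket})" if ticket else "UNAUTHORIZED"})
    return findings


def unauthorized(findings):
    """The subset that becomes a CM finding in the report."""
    return [f for f in findings if f["status"] == "UNAUTHORIZED"]


if __name__ == "__main__":
    for f in compare(APPROVED_BASELINE, OBSERVED, APPROVED_CHANGES):
        print(f"{f['host']} {f['item']}: {f['kind']} {f['baseline']} -> {f['observed']} [{f['status']}]")
```

The re-enabled root login and the unexpected network tool are the findings; the openssl upgrade is evidence that the change process worked for that item. Once the approved change is applied, the baseline record itself must be updated, otherwise the next comparison reports the authorized change again.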
CM Critical Elements
5. Update software on a timely basis to protect against
known vulnerabilities
○ Information systems are scanned periodically to detect
known vulnerabilities
○ An effective patch management process is documented
and implemented, prioritization of patches by category
and risk, appropriate installation of patches on a timely
basis
○ Software is up-to-date
○ An effective virus, spam and spyware protection process
is documented and implemented
○ Noncurrent software releases are adequately secure
given the risk
CM Critical Elements
6. Appropriately document and approve emergency changes to the
configuration
○ Procedures for emergency changes are documented and implemented.
○ Emergency changes are appropriately documented and approved, and appropriate
personnel are notified for analysis and follow-up
Segregation of Duties (SD)
● Controls provide reasonable assurance that incompatible duties are
effectively segregated
SD Critical Elements
1. Segregate incompatible duties and establish related policies
2. Control personnel activities through formal operating procedures,
supervision and review
SD Critical Elements
1. Segregate incompatible duties and establish related policies
○ Policies and procedures for segregating duties exist and are
up-to-date
○ Distinct system support functions are performed by different
individuals (information security management, programming,
testing, change management, production control, data
security)
○ No individual has complete control over incompatible
transaction processing functions
○ Data processing personnel are not users of information
systems; they and security managers do not initiate, input or
correct transactions
○ Access controls enforce segregation of duties
○ Job descriptions accurately reflect assigned duties and
responsibilities and segregation of duties principles
SD Critical Elements
2. Control personnel activities through formal operating procedures,
supervision and review
○ Access authorizations are periodically reviewed for incompatible functions
○ Management reviews are performed to determine that control techniques for segregating
incompatible duties are in place and are maintaining risk within acceptable levels
○ Supervisors routinely review user activity logs for incompatible actions and investigate any
abnormalities
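"Access controls enforce segregation of duties" and "access authorizations are periodically reviewed for incompatible functions" are the same test run at two different times: once when a role is granted (preventive) and once over the whole population of assignments (detective). The script below is an added example, not from the deck. The role names and the incompatibility matrix are assumptions standing in for the entity's SoD policy, and the assignments are constructed to resemble an export from an ERP or directory.

```python
"""Added example: segregation-of-duties test over constructed role assignments.

INCOMPATIBLE is an assumed policy matrix; ASSIGNMENTS is a constructed
export of (user, role) rows. Neither comes from a real system.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed matrix of incompatible function pairs (order within a pair is irrelevant).
INCOMPATIBLE: Set[FrozenSet[str]] = {
    frozenset({"programmer", "production_deploy"}),
    frozenset({"programmer", "change_approver"}),
    frozenset({"security_admin", "transaction_entry"}),
    frozenset({"vendor_maintenance", "payment_approval"}),
    frozenset({"purchase_requisition", "purchase_approval"}),
}

# Constructed (user, role) assignments.
ASSIGNMENTS: List[Tuple[str, str]] = [
    ("alice", "programmer"),
    ("alice", "production_deploy"),     # can push her own code
    ("bob", "vendor_maintenance"),
    ("bob", "payment_approval"),        # can create a vendor and pay it
    ("carol", "purchase_requisition"),
    ("carol", "purchase_approval"),     # can approve her own requisitions
    ("dave", "security_admin"),
    ("erin", "transaction_entry"),
    ("erin", "purchase_requisition"),   # not incompatible under the matrix
]


def roles_by_user(assignments: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collapse (user, role) rows into {user: set(roles)}."""
    out: Dict[str, Set[str]] = {}
    for user, role in assignments:
        out.setdefault(user, set()).add(role)
    return out


def find_conflicts(assignments: List[Tuple[str, str]],
                   matrix: Set[FrozenSet[str]] = INCOMPATIBLE) -> List[Tuple[str, str, str]]:
    """Detective test: every (user, role_a, role_b) where one user holds both
    sides of an incompatible pair. Roles within a tuple are in sorted order."""
    conflicts = []
    for user, roles in roles_by_user(assignments).items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in matrix:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def would_conflict(user: str, new_role: str, assignments: List[Tuple[str, str]],
                   matrix: Set[FrozenSet[str]] = INCOMPATIBLE) -> List[str]:
    """Preventive check at grant time: the roles the user already holds that
    are incompatible with new_role (empty list = safe to grant)."""
    held = roles_by_user(assignments).get(user, set())
    return sorted(r for r in held if frozenset({r, new_role}) in matrix)


if __name__ == "__main__":
    for user, a, b in find_conflicts(ASSIGNMENTS):
        print(f"{user}: holds both {a} and {b}")
    print("grant transaction_entry to dave blocked by:", would_conflict("dave", "transaction_entry", ASSIGNMENTS))
```

The matrix is the part to get from management and document, because a pair that is incompatible in one entity (requisition and approval in a small office) may be acceptable with a compensating review in another. The detective pass over all assignments is what the periodic access review in element 2 produces; the preventive check is what the provisioning workflow should be enforcing.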
Contingency Planning (CP)
● Controls provide reasonable assurance that contingency
planning (1) protects information resources and minimizes
the risk of unplanned interruptions and (2) provides for
recovery of critical operations should interruptions occur
CP Key Terms
● Disaster Recovery Plan (DRP) – Provides detailed
procedures to facilitate recovery of capabilities at an
alternate site; often IT focused
● Business Continuity Plan (BCP) – Provides procedures for
sustaining essential business operations while recovering
from a significant disruption; addresses business
processes; IT is addressed based on its support for the business
process
● Continuity of Operations Plan (COOP) – Provides
procedures and capabilities to sustain an organization's
essential, strategic functions at an alternate site for up to
30 days; addresses the subset of an organization's missions
that are deemed most critical; usually written at the
headquarters level; not IT focused
CP Critical Elements
1. Assess the criticality and sensitivity of computerized operations and
identify supporting resources
2. Take steps to prevent and minimize potential damage and interruption
3. Develop and document a comprehensive contingency plan
4. Periodically test the contingency plan and adjust it as appropriate
CP Critical Elements
1. Assess the criticality and sensitivity of computerized
operations and identify supporting resources
○ Critical data and operations are identified and prioritized
○ Resources supporting critical operations are identified and analyzed
○ Emergency processing priorities are established
CP Critical Elements
2. Take steps to prevent and minimize potential damage and
interruption
○ Data and program backup procedures have been implemented
○ Adequate environmental controls have been implemented
○ Staff have been trained to respond to emergencies
○ Effective hardware maintenance, problem management and change management
help prevent unexpected interruptions
CP Critical Elements
3. Develop and document a comprehensive contingency plan
○ An up-to-date contingency plan is documented
○ Arrangements have been made for alternate data processing, storage and
telecommunications facilities
CP Critical Elements
4. Periodically test the contingency plan and adjust it as
appropriate
○ The plan is periodically tested
○ Test results are analyzed and the contingency plan is adjusted
accordingly
Questions

More Related Content

What's hot

Technical Paper: 5G Standalone Architecture
Technical Paper: 5G Standalone ArchitectureTechnical Paper: 5G Standalone Architecture
Technical Paper: 5G Standalone ArchitectureMassimo Talia
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS SecuritySohaib Altaf
 
5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation3G4G
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writingNeha Kothari
 
Third generation (3g)wireless technology
Third generation (3g)wireless technologyThird generation (3g)wireless technology
Third generation (3g)wireless technologySardar Kaukaz
 
Autonomous drone project part 1
Autonomous drone project part 1Autonomous drone project part 1
Autonomous drone project part 1ABIN VARGHESE
 
Revolution of Mobile Communication, from 1G to 5G Communication
Revolution of Mobile Communication, from  1G to 5G CommunicationRevolution of Mobile Communication, from  1G to 5G Communication
Revolution of Mobile Communication, from 1G to 5G CommunicationManash Kumar Mondal
 
Video Surveillance System
Video Surveillance SystemVideo Surveillance System
Video Surveillance SystemSheikh Faiyaz
 
Checklist internal audit
Checklist internal auditChecklist internal audit
Checklist internal auditAli Khardani
 
Non orthogonal multiple access
Non orthogonal multiple accessNon orthogonal multiple access
Non orthogonal multiple accessShalikramRajpoot
 
Motorola MotoTRBO Firmware Release 2.3 (November 2013)
Motorola MotoTRBO Firmware Release 2.3 (November 2013)Motorola MotoTRBO Firmware Release 2.3 (November 2013)
Motorola MotoTRBO Firmware Release 2.3 (November 2013)TwoWayDigitalRadio.com
 

What's hot (20)

Technical Paper: 5G Standalone Architecture
Technical Paper: 5G Standalone ArchitectureTechnical Paper: 5G Standalone Architecture
Technical Paper: 5G Standalone Architecture
 
Proof of Concept Guide for ManageEngine OpManager
Proof of Concept Guide for ManageEngine OpManagerProof of Concept Guide for ManageEngine OpManager
Proof of Concept Guide for ManageEngine OpManager
 
Wimax Technology
Wimax TechnologyWimax Technology
Wimax Technology
 
5G BASIC
5G BASIC5G BASIC
5G BASIC
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS Security
 
Cctv presentation
Cctv presentationCctv presentation
Cctv presentation
 
5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writing
 
ccna
ccnaccna
ccna
 
Wi fi / Wireless Fidelity
Wi fi / Wireless FidelityWi fi / Wireless Fidelity
Wi fi / Wireless Fidelity
 
Third generation (3g)wireless technology
Third generation (3g)wireless technologyThird generation (3g)wireless technology
Third generation (3g)wireless technology
 
5G Handover.pptx
5G Handover.pptx5G Handover.pptx
5G Handover.pptx
 
Autonomous drone project part 1
Autonomous drone project part 1Autonomous drone project part 1
Autonomous drone project part 1
 
Revolution of Mobile Communication, from 1G to 5G Communication
Revolution of Mobile Communication, from  1G to 5G CommunicationRevolution of Mobile Communication, from  1G to 5G Communication
Revolution of Mobile Communication, from 1G to 5G Communication
 
IT General Controls
IT General ControlsIT General Controls
IT General Controls
 
Video Surveillance System
Video Surveillance SystemVideo Surveillance System
Video Surveillance System
 
Checklist internal audit
Checklist internal auditChecklist internal audit
Checklist internal audit
 
GSM Presentation
GSM PresentationGSM Presentation
GSM Presentation
 
Non orthogonal multiple access
Non orthogonal multiple accessNon orthogonal multiple access
Non orthogonal multiple access
 
Motorola MotoTRBO Firmware Release 2.3 (November 2013)
Motorola MotoTRBO Firmware Release 2.3 (November 2013)Motorola MotoTRBO Firmware Release 2.3 (November 2013)
Motorola MotoTRBO Firmware Release 2.3 (November 2013)
 

Similar to Auditing information systems

Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxJoshJaro
 
Accounting System Design and Development-Internal Controls
Accounting System Design and Development-Internal ControlsAccounting System Design and Development-Internal Controls
Accounting System Design and Development-Internal ControlsHelpWithAssignment.com
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2 Jayant Dalvi
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Developmentessbaih
 
ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013
ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013
ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013Barun Kumar
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptxdotco
 
Auditing in Computerized Environment
Auditing in Computerized EnvironmentAuditing in Computerized Environment
Auditing in Computerized EnvironmentDr. Sushil Bansode
 
PPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.ppt
PPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.pptPPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.ppt
PPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.pptKumarNatarajan24
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptxdotco
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditingMarc Vael
 
Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lessonAnne ndolo
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Yasir Khan
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefVisal Thach
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDITRos Dina
 
IT-Audit-Manual-2017-1st-Edition.pdf
IT-Audit-Manual-2017-1st-Edition.pdfIT-Audit-Manual-2017-1st-Edition.pdf
IT-Audit-Manual-2017-1st-Edition.pdfJacobYeboa1
 

Similar to Auditing information systems (20)

Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
Accounting System Design and Development-Internal Controls
Accounting System Design and Development-Internal ControlsAccounting System Design and Development-Internal Controls
Accounting System Design and Development-Internal Controls
 
audit_it_250759.pdf
audit_it_250759.pdfaudit_it_250759.pdf
audit_it_250759.pdf
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Development
 
ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013
ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013
ICPAS Breakfast Talk Series - Maximising IT Audit 13 Mar 2013
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptx
 
Auditing in Computerized Environment
Auditing in Computerized EnvironmentAuditing in Computerized Environment
Auditing in Computerized Environment
 
PPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.ppt
PPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.pptPPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.ppt
PPT-UEU-Audit-Kendali-Sistem-Informasi-Pertemuan-4.ppt
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019 PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
PPT Latvia, SIGMA Workshop on Digital Auditing for SAIs, Skopje, November 2019
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lesson
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-brief
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDIT
 
IT-Audit-Manual-2017-1st-Edition.pdf
IT-Audit-Manual-2017-1st-Edition.pdfIT-Audit-Manual-2017-1st-Edition.pdf
IT-Audit-Manual-2017-1st-Edition.pdf
 
6 service operation
6 service operation6 service operation
6 service operation
 
6 service operation
6 service operation6 service operation
6 service operation
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Auditing information systems

  • 1. Auditing Information Systems First Year Staff Training February 18, 2015 Kenya Allmond kallmond@allmondcpa.com
  • 2. Course Objectives: • Understand why IT is important to a financial statement audit • Learn the FISCAM control categories • Understand the basics of IS control testing
  • 3. As computer technology has advanced, federal agencies and other government entities have become dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information. Virtually all federal operations are supported by automated systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets.
  • 4. What is an information system? ● Information system, an integrated set of components for collecting, storing, and processing data and for providing information, knowledge, and digital products. Information system, an integrated set of components for collecting, storing, and processing data and for providing information, knowledge, and digital products. – Britannica
  • 7. Components of an information system ● Computer Hardware ● Computer Software ● Telecommunications ● Databases and Data Warehouses ● People and Processes Information Technology Business Process
  • 9. Sample Business Process ● Purchasing Enter a Requisition Approve a Requisition Create a Contract Generate Purchase Order Approve the PO Dispatch the PO Receive against PO Put Away the Items
  • 12. What is an information system audit? ● Examination of the management controls within an Information technology (IT) infrastructure ● Information system audit and information technology audit are used interchangeably.
  • 13. Why audit information systems? ● Organizations employ IT systems in various ways, including using discrete systems that support only particular business units or complex, highly integrated systems that share data and support all of an entity’s financial reporting, operations and compliance objectives. ● An entity may use IT to initiate transactions, as well as to record, process and report them. ● An organization’s procedures may have changed as a result of the shift from using paper documents and records to using automated procedures and records in electronic format. ● The internal controls in most IT systems are a combination of both automated and manual. The manual controls may be independent of the IT system, use information from it or only monitor the system’s effective functioning. AICPA Statement on Auditing Standards (SAS) No. 94, “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”
  • 14. Risk of Ineffective Information System Controls ● Ineffective IS controls can result in significant risk to a broad array of government operations and assets: ○ Resources, such as payments and collections, could be lost or stolen. ○ Computer resources could be used for unauthorized purposes, including the launching of attacks on others. ○ Sensitive information, such as taxpayer data, Social Security records, medical records, other personally identifiable information, and proprietary business information, could be inappropriately added, deleted, read, copied, disclosed, or modified for purposes such as espionage, identity theft, or other types of crime.
  • 15. Risk of Ineffective Information System Controls (cont’d) ○ Critical operations, such as those supporting national defense and emergency services, could be disrupted. ○ Data could be modified or destroyed for purposes of fraud or disruption. ○ Entity missions could be undermined by embarrassing incidents that result in diminished confidence in an entity’s ability to conduct operations and fulfill its responsibilities.
  • 16. Relevant Laws and Regulations ● Federal Financial Management Improvement Act of 1996 (FFMIA) ● Federal Managers Financial Integrity Act of 1982 (FMFIA) ● Federal Information Security Modernization Act of 2014 (FISMA) ● Office of Management and Budget Circular A-130, Appendix III, Management of Federal Information Resources Security of Federal Automated Information Resources ● Office of Management and Budget Circular A-123, Management's Responsibility for Internal Control ● Office of Management and Budget Circular A-127, Financial Management Systems ● Federal Information Processing Standards (FIPS) ● NIST Special Publications ● Department of Defense Directives and Instructions
  • 17. Relevant Guidance from NIST ● NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations ● NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans ● NIST SP 800-50, Building an Information Technology Security Awareness Program ● NIST SP 800-30, Guide for Conducting Risk Assessments ● NIST SP 800-14, Guide for Developing Security Plans for Federal Information Systems ● NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems ● and more
  • 18. Relevant Guidance from DoD ● DoD Directive 8500.01E, Information Assurance ● DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program ● DoD Directive 8000.1, Management of DoD Information Resources ● DoD Instruction 8500.2, Information Assurance Implementation ● DoD Instruction 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP) ● and more OBSOLETE
  • 19. Audit Methodology ● General Accountability Office’s (GAO) Federal Information Systems Controls Audit Manual (FISCAM) ○ Consistent with Federal Audit Manual (FAM) ● Divides controls into 2 types: ○ Information technology general controls (ITGC) ○ Application and business process controls
  • 20. Phases ● Planning Phase ● Internal Control Phase ● Reporting Phase
  • 21. Planning Phase ● Understand the overall audit objectives and related scope of the information system controls audit ● Understand the entity’s operations and key business processes. ● Obtain a general understanding of the structure of the entity’s networks ● Identify key areas of audit interest ● Assess information system risk on a preliminary basis ● Identify critical control points ● Obtain a preliminary understanding of information system controls
  • 22. Planning Phase ● Perform Other Audit Planning Procedures ○ Relevant Laws and Regulations ○ Consideration of the Risk of Fraud ○ Previous Audits and Attestation Engagements ○ Audit Resources ○ Multiyear Testing Plans ○ Communication with Entity Management and Those Charged with Governance ○ Service Organizations ○ Using the Work of Others ○ Audit Plan
  • 23. Internal Control Phase ● Understand information systems relevant to the audit objectives ● Determine which IS control techniques are relevant to the audit objectives ● For each relevant IS control technique determine whether it is suitably designed to achieve the critical activity and has been implemented ● Perform tests to determine whether such control techniques are operating effectively ● Identify potential weaknesses in IS controls and consider compensating controls ● Perform testing of corrective actions taken to address prior-year open recommendations.
  • 24. Type of IT Controls ● Information Technology General Controls ○ Tested on Entity, Application, and System (Database and Operating System) Levels. ● Application and Business Processing Controls ○ Tested at the Application Level. ○ Testing automated controls that enforce business process. ○ Includes interfaces to other applications.
  • 25. Internal Controls: Test of Design and Implementation ● Interviews and walkthroughs. ● Examination of policies and procedures. ○ Are they adequate? ○ Are they approved by management? ● Determine if policies and procedures are implemented.
  • 26. Internal Controls: Test of Operating Effectiveness ● Observation of controls ● Examination of configuration settings ● Examination of transaction logs or other system generated information. ● Sampling in line with FAM.
  • 27. Reporting Phase ● Develop and deliver Notifications of Findings and Recommendations to management as issues are identified and verified with management and approved by the OIG. ● Report on results of IT testing as appropriate in the internal controls report. ● Prepare management letter reports on the information systems' general and application control environments.
  • 28. Application and Business Process Controls
  • 29. Application & Business Process Controls “The overall objectives of business process application level controls are to provide reasonable assurance about the completeness, accuracy, validity and confidentiality of transactions and data during application processing. Each specific business process control technique is designed to achieve one or more of these objectives. The effectiveness of business process controls depends on whether all of these overall objectives are achieved.” ○ GAO FISCAM
  • 30. Application & Business Process Controls Completeness (C) controls should provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output. Completeness controls include the following key elements: ● transactions are completely input, ● valid transactions are accepted by the system, ● duplicate postings are rejected by the system, ● rejected transactions are identified, corrected and re-processed; and ● all transactions accepted by the system are processed completely. The most common completeness controls in applications are batch totals, sequence checking, matching, duplicate checking, reconciliations, control totals and exception reporting.
  • 31. Application & Business Process Controls Accuracy (A) controls should provide reasonable assurance that transactions are properly recorded, with the correct amount/data, and on a timely basis (in the proper period); that key data elements input for transactions are accurate; that data elements are processed accurately by applications that produce reliable results; and that output is accurate. Accuracy control techniques include programmed edit checks (e.g., validations, reasonableness checks, dependency checks, existence checks, format checks, mathematical accuracy, range checks, etc.), batch totals and check digit verification.
  • 32. Application & Business Process Controls Validity (V) controls should provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the organization, and were properly approved in accordance with management’s authorization; and (2) that output contains only valid data. A transaction is valid when it has been authorized (for example, buying from a particular supplier) and when the master data relating to that transaction is reliable (for example, the name, bank account and other details on that supplier). Validity includes the concept of authenticity. Examples of validity controls are one-for-one checking and matching.
  • 33. Application & Business Process Controls Confidentiality (CF) controls should provide reasonable assurance that application data and reports and other output are protected against unauthorized access. Examples of confidentiality controls include restricted physical and logical access to sensitive business process applications, data files, transactions, and output, and adequate segregation of duties. Confidentiality also includes restricted access to data reporting/extraction tools as well as copies or extractions of data files.
  • 34. Application & Business Process Controls Availability controls should provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed. These controls are principally addressed in application security controls (especially contingency planning) and therefore, are not included as specific business process controls.
  • 35. Application & Business Process Controls Application controls can be automated or manual (sometimes referred to as user controls). The auditor will find that most business processes will have a combination of automated and manual controls that balance resource requirements and risk mitigation. Also, management may use manual controls as effective monitoring controls. It is important to understand how these types of controls inter-relate when assessing application controls. The auditor should evaluate the adequacy of controls, both automated and manual, to determine whether or not management has appropriately mitigated risks and achieved its control objectives.
  • 36. Application & Business Process Controls Example: A vendor invoice can be blocked for payment automatically if the goods or services are not received or if the payment exceeds a specific threshold and requires additional review and approval. Manual controls, such as the review of reports or payments over a certain amount, could effectively detect an invoice payment without goods receipt, or a high-dollar payment, but may not occur in time to stop the payment.
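A worked version of the completeness, accuracy and validity controls described above (batch totals, sequence and duplicate checking, check digits, edit checks, vendor-master and goods-receipt matching) together with the threshold hold from the invoice example. This is an added example written for this page, not code from the slides or from GAO FISCAM; the vendor and PO master data, the invoice batch, the 10,000 approval threshold and the mod-10 (Luhn) check digit scheme are all assumptions.

```python
"""Business process application controls over a constructed invoice batch:
completeness (count, control total, sequence gaps, duplicates), accuracy
(check digit, format, range, reasonableness, period) and validity (vendor
master, approved PO, goods receipt, approval threshold). Added example;
every value below is an assumption, not data from the slides."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

VENDOR_MASTER = {"10009": "Acme Supply", "20008": "Beta Services"}  # ids end in a mod-10 check digit
PO_MASTER = {"PO-4001": 5000.00, "PO-4002": 1200.00, "PO-4003": 25000.00}  # approved PO values
RECEIPTS = {"PO-4001": 5000.00, "PO-4002": 0.00, "PO-4003": 25000.00}  # value received to date
APPROVAL_THRESHOLD = 10000.00  # payments above this need a second approval (assumed policy)
CURRENT_PERIOD = "2015-02"
PO_FORMAT = re.compile(r"^PO-\d{4}$")


@dataclass(frozen=True)
class Invoice:
    seq: int          # position on the batch slip
    vendor_id: str
    invoice_no: str
    po_number: str
    amount: float
    period: str       # accounting period the invoice posts to, YYYY-MM


def luhn_ok(number: str) -> bool:
    """Mod-10 (Luhn) check digit verification over a digit string."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def batch_exceptions(header: Dict[str, float], batch: List[Invoice]) -> List[str]:
    """Batch-level completeness controls: record count, control total, sequence gaps."""
    ex = []
    if len(batch) != header["count"]:
        ex.append(f"count mismatch: header {header['count']} vs {len(batch)} details")
    detail_total = round(sum(i.amount for i in batch), 2)
    if detail_total != header["total"]:
        ex.append(f"control total mismatch: header {header['total']} vs {detail_total}")
    seqs = sorted(i.seq for i in batch)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    if missing:
        ex.append(f"sequence gap: missing {missing}")
    return ex


def invoice_disposition(inv: Invoice, seen: Set[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Item-level edits. REJECT = fails input edits, BLOCK = valid but not yet
    payable, HOLD = payable but needs additional approval, ACCEPT = clean."""
    reasons = []
    key = (inv.vendor_id, inv.invoice_no)
    if key in seen:                                  # completeness: duplicate checking
        reasons.append("duplicate invoice")
    seen.add(key)
    if not luhn_ok(inv.vendor_id):                   # accuracy: check digit
        reasons.append("vendor id fails check digit")
    elif inv.vendor_id not in VENDOR_MASTER:         # validity: master data
        reasons.append("vendor not in vendor master")
    if not PO_FORMAT.match(inv.po_number):           # accuracy: format check
        reasons.append("PO number format")
    elif inv.po_number not in PO_MASTER:             # validity: authorization
        reasons.append("no approved PO")
    elif inv.amount > PO_MASTER[inv.po_number]:      # accuracy: reasonableness vs PO
        reasons.append("invoice exceeds PO value")
    if inv.amount <= 0:                              # accuracy: range check
        reasons.append("non-positive amount")
    if inv.period != CURRENT_PERIOD:                 # accuracy: proper period
        reasons.append("wrong accounting period")
    if reasons:
        return "REJECT", reasons
    if RECEIPTS.get(inv.po_number, 0.0) < inv.amount:  # validity: goods-receipt match
        return "BLOCK", ["goods receipt not recorded"]
    if inv.amount > APPROVAL_THRESHOLD:              # manual review control from the example
        return "HOLD", ["exceeds approval threshold"]
    return "ACCEPT", []


def process_batch(header: Dict[str, float], batch: List[Invoice]) -> dict:
    seen: Set[Tuple[str, str]] = set()
    items = {f"{i.vendor_id}/{i.invoice_no}#{i.seq}": invoice_disposition(i, seen) for i in batch}
    return {"batch": batch_exceptions(header, batch), "items": items}


# Constructed batch: the slip says 6 invoices totalling 39,240.00; sequence 4 is missing.
BATCH_HEADER = {"count": 6, "total": 39240.00}
BATCH = [
    Invoice(1, "10009", "INV-77", "PO-4001", 5000.00, "2015-02"),   # clean
    Invoice(2, "20008", "INV-12", "PO-4002", 1200.00, "2015-02"),   # nothing received yet
    Invoice(3, "30007", "INV-90", "PO-4001", 3000.00, "2015-02"),   # vendor not authorized
    Invoice(5, "10009", "INV-77", "PO-4001", 5000.00, "2015-02"),   # duplicate of seq 1
    Invoice(6, "10001", "INV-08", "PO-40X1", 40.00, "2015-01"),     # bad check digit, PO format, period
    Invoice(7, "20008", "INV-13", "PO-4003", 25000.00, "2015-02"),  # over threshold, needs approval
]

if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH)
    print("batch exceptions:", result["batch"])
    for key, (disposition, reasons) in result["items"].items():
        print(f"{key:<20} {disposition:<7} {', '.join(reasons)}")
```

The ordering matters: input edits (REJECT) run before the goods-receipt match (BLOCK) and the threshold (HOLD), so an invoice is only blocked or held once it has passed the accuracy and authorization checks. An auditor testing this control would re-perform exactly these edits on a sample and then confirm that the rejected and blocked items appear on the exception report and are corrected and re-processed.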
  • 37. Application & Business Process Controls The operating effectiveness of an automated application control during the audit period also depends on the operating effectiveness of related general controls (at the entitywide, system and applications levels). For example, effective general controls are necessary to prevent or detect management overrides or other unauthorized changes to computer applications or data that could preclude or impair the operation of the automated control.
  • 38. Application & Business Process Controls The auditor should perform the following procedures as part of testing and evaluating the effectiveness of application level controls: ● Understand information systems relevant to the audit objectives, building on identification of key areas of audit interest and critical control points. ● Determine which IS control techniques are relevant to the audit objectives. The control categories, critical elements, and control activities in Chapters 3 and 4 of FISCAM are generally relevant to all audits.
  • 39. Application & Business Process Controls The auditor considers the following in designing the tests of application level controls: • The nature of the control; • The significance of the control in achieving the control objective(s); • The risk of the control not being properly applied. [also see FAM 340]; • All of the key controls that management is relying on to address the risks for a specific business process or a sub-process, which may include automated and manual controls; • The key controls outside the application under audit, as the business process may involve other applications for a downstream or upstream sub-process; and • The strength or weakness of the entity-wide and system level controls. The depth of the testing is based on the level of risk of the entity under review and the audit objectives. In the absence of effective general controls, the auditor may conclude that business process application level controls are not likely to be effective.
  • 40. Application & Business Process Controls Specific types of business process controls are: • Transaction Data Input relates to controls over data that enter the application (e.g., data validation and edit checks). • Transaction Data Processing relates to controls over data integrity within the application (e.g., review of transaction processing logs). • Transaction Data Output relates to controls over data output and distribution (e.g., output reconciliation and review). • Master Data Setup and Maintenance relates to controls over master data, the key information that is relatively constant and shared between multiple functions or applications (e.g., vendor file).
  • 41. Sample Business Process ● Purchasing Enter a Requisition Approve a Requisition Create a Contract Generate Purchase Order Approve the PO Dispatch the PO Receive against PO Put Away the Items
  • 42. Application & Business Process Controls Every business process employs master data, or referential data that provides the basis for ongoing business activities, e.g., customers, vendors, and employees. The data that are generated as a result of these activities are called transaction data, and represent the result of the activity in the form of documents or postings, such as purchase orders and obligations. Examples of master data are: • Organizational structure • G/L Account Structure • Vendor Master • Employee Master
  • 43. Application & Business Process Controls Questions that may be used to collect information from the user include the following. ● For what purpose do you use the transaction output? ○ initiate transactions, authorize changes to the system, maintain information controls, or other? ● Can the transaction output be used without correction? ● Is the information accurate and reliable, available when needed, current and up-to-date? ● Do you maintain manual records to supplement the transaction output? ● Do you check the information for quality (accuracy, completeness, and validity) when you receive it? ● Is the transaction output ever rerun by the data center? ● Are you authorized to make changes to the information and, if so, can you override validation and edit checks incorporated into the business process application?
  • 44. Other Control Categories ● Interface Controls ● Data Management System Controls ○ Segregation of Duties ○ Strong Authentication ○ Restrictive access
  • 47. Control Areas ● Security Management ● Access Controls ● Configuration Management ● Segregation of Duties ● Contingency Planning
  • 48. Security Management (SM) ● Controls provide reasonable assurance that security management is effective
  • 49. SM Key Terms ● System Security Plan (SSP) ● Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) ● Plan of Action & Milestones (POA&M)
  • 50. SM Critical Elements 1. Security Management Program 2. Risk Assessments 3. Security Control Policies and Procedures 4. Security Awareness and Other Security-Related Personnel Policies 5. Monitor effectiveness of the security program 6. Remediation of information security weaknesses 7. Activities performed by external third parties are adequately secure
  • 51. SM Critical Elements 1. Security Management Program ○ Documented, approved, up-to-date (SSP or DIACAP) ○ Security management structure (independence, authority, expertise, resources) ○ Information security responsibilities ○ Subordinate security plans ○ System Inventory
  • 52. SM Critical Elements 2. Risk Assessments ○ Systems are categorized (low, moderate, high) according to the impact that a loss of confidentiality, integrity or availability would have on organizational operations, organizational assets and individuals; the category determines the type of controls that should be in place ○ Risk is reassessed on a periodic basis ○ Changes to the system, facilities or other conditions require a reassessment of risk ○ Federal systems are certified and accredited before being placed in operation, and again at least every 3 years or when major system changes occur
  • 53. Potential Impact (the low/moderate/high definitions used in FIPS 199) ● Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information ○ Low: the unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals ○ Moderate: the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals ○ High: the unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals ● Integrity: guarding against improper information modification or destruction, including ensuring non-repudiation and authenticity ○ Low: the unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals ○ Moderate: the unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals ○ High: the unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals ● Availability: ensuring timely and reliable access to and use of information ○ Low: the disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals ○ Moderate: the disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals ○ High: the disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals
  • 54. SM Critical Elements 3. Security Control Policies and Procedures ○ Documented, approved by management ○ Appropriately consider risk ○ Address purpose, scope, roles, responsibilities and compliance ○ Ensure that users can be held accountable for their actions ○ Appropriately consider general and application controls ○ Periodically reviewed and updated
  • 55. SM Critical Elements 4. Security Awareness and Other Security-Related Personnel Policies ○ Resource owners, system administrators and users are aware of security policies ○ Hiring, transfer, termination and performance policies address security ○ Employees have adequate training and expertise
  • 56. SM Critical Elements 5. Monitor effectiveness of the security program ○ Appropriate monitoring and testing policies and procedures are documented ○ Management routinely conducts vulnerability assessments and promptly corrects identified control weaknesses, tracked on POA&M ○ Frequency and scope of security control testing is commensurate with risk ○ Independent evaluation of entity’s information security control tests effectiveness of security policies, procedures and practices, results submitted to appropriate oversight bodies
  • 57. SM Critical Elements 6. Remediation of Information Security Weaknesses ○ Management initiates prompt action to correct deficiencies; action plans and milestones are documented ○ Deficiencies are analyzed in relation to the entire agency/entity, and appropriate corrective actions are applied entity-wide ○ Corrective actions are tested after they have been implemented and monitored on a continuing basis
  • 58. SM Critical Elements 7. Activities performed by external third parties are adequately secure ○ Appropriate policies and procedures concerning activities of external third parties (vendors, contractors, service bureau) are documented, agreed to, implemented and monitored for compliance. ○ Include provisions for clearances, background checks, confidentiality agreements, monitoring, termination procedures, etc.
  • 59. Access Controls (AC) ● Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals
  • 60. AC Key Terms ● Identification – Who you are (username) ● Authentication – How you prove who you are (passwords, PINs, tokens, fingerprints, etc.) ● Authorization – What you are allowed to do once granted access ● Least privilege – Users only have those privileges which are essential to that user's work
  • 62. AC Critical Elements 1. Adequately protect information system boundaries 2. Implement effective identification and authentication mechanisms 3. Implement effective authorization controls 4. Adequately protect sensitive system resources 5. Implement an effective audit and monitoring capability 6. Establish adequate physical security controls
  • 63. AC Critical Elements 1. Adequately protect information system boundaries • Is Defense-in-Depth effectively implemented through multiple security measures among hosts, local area networks and wide area networks, and the Internet?
  • 64. AC Critical Elements 1. Adequately protect information system boundaries ○ Information system identifies and authenticates specific network devices before establishing a connection ○ Remote access is appropriately controlled and protected ○ Connectivity is approved only to perform assigned official duties ○ Sessions are ended after a period of inactivity ○ Warning banners are displayed
  • 65. AC Critical Elements 2. Implement effective identification and authentication mechanisms ○ Unique user ID, each user has own and no user IDs are shared ○ Authentication methods are based on risk: passwords, token, biometric ○ Passwords ■ Not displayed when entered ■ Sufficiently complex (length, types of characters) ■ Automatically expire, prohibited from reuse for specific period of time ○ Unsuccessful logon attempts are limited
  • 66. AC Critical Elements 3. Implement effective authorization controls ○ Resource owners identify authorized users and the access they are authorized to have ○ Security managers review access authorizations and discuss questionable authorizations with resource owners ○ All changes to security access authorizations are automatically logged and periodically reviewed by management independent of the security function ○ Resource owners periodically review access for continuing appropriateness ○ Access is limited to individuals with a valid business purpose (least privilege) ○ Inactive accounts and the accounts of terminated individuals are disabled or removed in a timely manner
  • 67. AC Critical Elements 4. Adequately protect sensitive system resources ○ Access to sensitive/privileged accounts is restricted to individuals having a legitimate business need ○ Use of sensitive/privileged accounts is adequately monitored ○ Passwords/authentication services and directories are appropriately controlled and encrypted ○ Information system partitions or separates user functionality from information system management functionality ○ Information system isolates security functions from non-security functions
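An added example (not from the slides) of how an auditor can test the identification, authorization and privileged-account criteria above by reconciling an account export against the HR roster and the resource owner's authorized access list: terminated users still enabled, inactive accounts, accounts that cannot be tied to an individual, and roles held beyond what was authorized. The user ids, roles, dates, the 90-day inactivity threshold and the set of privileged roles are constructed assumptions.

```python
"""Logical access review: account export reconciled to the HR roster and the
resource owner's authorized access list. Added example with constructed data;
user ids, roles, dates, the 90-day threshold and the privileged roles are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

AS_OF = date(2015, 2, 18)
INACTIVITY_DAYS = 90                    # assumed policy: disable after 90 days without logon
PRIVILEGED_ROLES = {"DBA", "SYSADMIN"}  # assumed


@dataclass(frozen=True)
class Account:
    user_id: str
    employee_id: Optional[str]  # None for accounts not tied to a person
    enabled: bool
    last_logon: date
    roles: Set[str]


# Constructed HR roster: employee id -> (status, separation date)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "E100": ("ACTIVE", None),
    "E101": ("TERMINATED", date(2015, 1, 5)),
    "E102": ("ACTIVE", None),
    "E103": ("ACTIVE", None),
}
# Constructed resource-owner authorizations: user id -> roles approved on the access form
AUTHORIZED: Dict[str, Set[str]] = {
    "aadams": {"AP_CLERK"},
    "bbaker": {"AP_CLERK"},
    "cclark": {"AP_CLERK", "DBA"},
    "ddiaz": {"AP_CLERK"},
}
# Constructed account export from the application's security tables
ACCOUNTS = [
    Account("aadams", "E100", True, date(2015, 2, 17), {"AP_CLERK"}),
    Account("bbaker", "E101", True, date(2015, 1, 4), {"AP_CLERK"}),              # left 5 Jan, still enabled
    Account("cclark", "E102", True, date(2014, 10, 1), {"AP_CLERK", "DBA"}),      # no logon since October
    Account("ddiaz", "E103", True, date(2015, 2, 10), {"AP_CLERK", "SYSADMIN"}),  # SYSADMIN never approved
    Account("batchops", None, True, date(2015, 2, 18), {"SYSADMIN"}),             # generic id, nobody owns it
    Account("eevans", "E999", False, date(2014, 1, 1), {"AP_CLERK"}),             # disabled, out of scope
]


def review_account(acct: Account, hr, authorized, as_of: date) -> List[str]:
    """Findings for one account; an empty list means no exception."""
    findings: List[str] = []
    if not acct.enabled:
        return findings
    if acct.employee_id is None:
        findings.append("not attributable to an individual (shared/generic id)")
    elif acct.employee_id not in hr:
        findings.append("no HR record for employee id")
    else:
        status, separated = hr[acct.employee_id]
        if status == "TERMINATED":
            findings.append(f"enabled {(as_of - separated).days} days after separation on {separated}")
    idle = (as_of - acct.last_logon).days
    if idle > INACTIVITY_DAYS:
        findings.append(f"inactive for {idle} days")
    extra = acct.roles - authorized.get(acct.user_id, set())
    if extra:
        tag = "privileged " if extra & PRIVILEGED_ROLES else ""
        findings.append(f"{tag}roles not authorized by resource owner: {', '.join(sorted(extra))}")
    return findings


def review_accounts(accounts=ACCOUNTS, hr=HR_ROSTER, authorized=AUTHORIZED, as_of=AS_OF) -> dict:
    """Exceptions per account, plus the enabled privileged accounts to sample for monitoring evidence."""
    findings = {a.user_id: review_account(a, hr, authorized, as_of) for a in accounts}
    privileged = sorted(a.user_id for a in accounts if a.enabled and a.roles & PRIVILEGED_ROLES)
    return {"findings": {u: f for u, f in findings.items() if f}, "privileged": privileged}


if __name__ == "__main__":
    result = review_accounts()
    for user, items in result["findings"].items():
        print(user, "->", "; ".join(items))
    print("privileged accounts to sample:", result["privileged"])
```

The privileged list is the population the auditor would then sample from when testing that use of privileged accounts is monitored (element 4); the findings list is what would be discussed with the resource owner before it becomes a Notification of Finding and Recommendation.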
  • 68. AC Critical Elements 5. Implement an effective audit and monitoring capability ○ An effective incident response program has been implemented ○ An effective intrusion detection program has been implemented ○ Events that will be audited have been identified based on the risk assessment ○ All auditable events, including access to and modifications of sensitive or critical system resources, are logged ○ Audit records contain sufficient information to establish what events occurred, when they occurred, and the source and outcome of the events ○ Audit logs are reviewed regularly ○ Audit logs are retained long enough to support after-the-fact investigations ○ Security violations are reported and investigated, and results are reported to management
  • 69. AC Critical Elements 6. Establish adequate physical security controls
  • 70. AC Critical Elements 6. Establish adequate physical security controls ○ Risk management approach used to identify level of physical security needed ○ Ongoing monitoring of physical security program and independent assessments ○ Critical systems have emergency power ○ Employees are authorized and credentials are issued to allow access, access limited to individuals that routinely need access ○ Employee access reviewed regularly ○ Physical access logs reviewed regularly ○ Entry codes changed periodically ○ Visitors are prescreened, formally signed in, badged and escorted
  • 71. Configuration Management (CM) ● Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended
  • 72. CM Key Terms ● Change Control Board (CCB) ● Software Development Lifecycle (SDLC) ● Solutions Delivery Lifecycle
  • 74. CM Critical Elements 1. Develop and document CM policies, plans and procedures 2. Maintain current configuration identification information 3. Properly authorize, test, approve, track and control all configuration changes 4. Routinely monitor the configuration 5. Update software on a timely basis to protect against known vulnerabilities 6. Appropriately document and approve emergency changes to the configuration
  • 75. CM Critical Elements 1. Develop and document CM policies, plans and procedures ○ An effective CM process is documented and implemented. ○ Includes: ■ A CM plan that identifies roles, responsibilities, procedures and documentation requirements ■ Permitting only essential capabilities and restricting the use of dangerous functions ■ Regular review and approval of changes by management (CCB) ■ Appropriate representation on CCB from across the entity ■ A formal SDLC methodology that includes system-level security engineering principles to be considered in the design, development and operation of an information system ■ Appropriate systems documentation
  • 76. CM Critical Elements 2. Maintain current configuration identification information ○ A current and comprehensive baseline inventory of hardware, software and firmware is documented, backed up and protected ○ Information system documentation describes security controls in sufficient detail to permit analysis and testing of controls ○ Hardware, software and firmware are mapped to the applications they support
  • 77. CM Critical Elements 3. Properly authorize, test, approve, track and control all configuration changes ○ Configuration changes are authorized by management ○ Detailed specifications are prepared by the programmer and reviewed by a programming supervisor for system and application software changes ○ Test plans are documented and approved, define responsibilities for each party involved (users, system analysts, programmers, auditors, quality assurance, library control), and include appropriate consideration of security ○ Program changes are moved into production only when approved by management and by persons independent of the programmer ○ CM tools produce audit trails of program changes, record and report program changes, and maintain copies of previous versions ○ Configuration changes to network devices (e.g., routers, switches, firewalls) are properly controlled and documented
  • 78. CM Critical Elements 4. Routinely monitor the configuration ○ Routinely validate that the current configuration information is up-to-date and working as intended for networks, operating systems and infrastructure applications
  • 79. CM Critical Elements 5. Update software on a timely basis to protect against known vulnerabilities ○ Information systems are scanned periodically to detect known vulnerabilities ○ An effective patch management process is documented and implemented, prioritization of patches by category and risk, appropriate installation of patches on a timely basis ○ Software is up-to-date ○ An effective virus, spam and spyware protection process is documented and implemented ○ Noncurrent software releases are adequately secure given the risk
  • 80. CM Critical Elements 6. Appropriately document and approve emergency changes to the configuration ○ Procedures for emergency changes are documented and implemented ○ Emergency changes are appropriately documented and approved, and appropriate personnel are notified for analysis and follow-up
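The change-control criteria in element 3 (test evidence, management approval, migration by someone independent of the programmer, approval before the move to production) and the emergency-change criteria in element 6 can be re-performed over a sample of change records. Added example, not the deck's own material; the change tickets, names, dates and the five-day grace period allowed for documenting after-the-fact approval of an emergency change are assumptions.

```python
"""Change management test over a constructed sample of change records: test
evidence, approval independent of the developer, migration independent of the
developer, approval before migration for normal changes, and timely documented
approval for emergency changes. Added example; all tickets, names, dates and
the grace period are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

EMERGENCY_APPROVAL_GRACE_DAYS = 5  # assumed policy for after-the-fact approval


@dataclass(frozen=True)
class Change:
    change_id: str
    emergency: bool
    developer: str
    tester: Optional[str]       # who signed the test evidence, None if there is none
    approver: Optional[str]     # management / CCB approver, None if not approved
    migrator: Optional[str]     # who moved the change into production
    approved_on: Optional[date]
    migrated_on: date


# Constructed sample pulled from the change tracking system
SAMPLE = [
    Change("CHG-1", False, "alice", "bob", "carol", "dave", date(2015, 2, 2), date(2015, 2, 5)),   # clean
    Change("CHG-2", False, "alice", "bob", "alice", "alice", date(2015, 2, 3), date(2015, 2, 3)),  # self-approved and migrated
    Change("CHG-3", False, "erin", None, "carol", "dave", date(2015, 2, 12), date(2015, 2, 10)),   # untested, approved late
    Change("CHG-4", True, "erin", "bob", "carol", "dave", date(2015, 2, 9), date(2015, 2, 7)),     # emergency, approved in 2 days
    Change("CHG-5", True, "alice", "bob", None, "dave", None, date(2015, 2, 1)),                   # emergency, never approved
    Change("CHG-6", True, "erin", "bob", "carol", "dave", date(2015, 2, 16), date(2015, 2, 6)),    # emergency, approved in 10 days
]


def change_exceptions(c: Change) -> List[str]:
    """Control attributes that fail for one change record."""
    ex: List[str] = []
    if c.tester is None:
        ex.append("no test evidence")
    if c.approver is None or c.approved_on is None:
        ex.append("no documented management approval")
    elif c.approver == c.developer:
        ex.append("approved by the developer")
    if c.migrator is None:
        ex.append("migrator not recorded")
    elif c.migrator == c.developer:
        ex.append("moved to production by the developer")
    if c.approved_on is not None:
        lag = (c.approved_on - c.migrated_on).days   # positive = approved after the move
        if not c.emergency and lag > 0:
            ex.append("moved to production before approval")
        if c.emergency and lag > EMERGENCY_APPROVAL_GRACE_DAYS:
            ex.append(f"emergency change approved {lag} days after migration")
    return ex


def evaluate_sample(sample: List[Change] = SAMPLE) -> dict:
    """Exceptions by change id and the sample exception rate."""
    exceptions = {c.change_id: change_exceptions(c) for c in sample}
    exceptions = {k: v for k, v in exceptions.items() if v}
    return {"exceptions": exceptions,
            "exception_rate": round(len(exceptions) / len(sample), 3)}


if __name__ == "__main__":
    result = evaluate_sample()
    for change_id, items in result["exceptions"].items():
        print(change_id, "->", "; ".join(items))
    print("exception rate:", result["exception_rate"])
```

Whether an exception rate like this one is tolerable is decided by the sampling plan, not by the script: the auditor sets the sample size and tolerable deviation rate up front (in line with FAM) and compares the observed rate to it.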
  • 81. Segregation of Duties (SD) ● Controls provide reasonable assurance that incompatible duties are effectively segregated
  • 82. SD Critical Elements 1. Segregate incompatible duties and establish related policies 2. Control personnel activities through formal operating procedures, supervision and review
  • 83. SD Critical Elements 1. Segregate incompatible duties and establish related policies ○ Policies and procedures for segregating duties exist and are up-to-date ○ Distinct system support functions are performed by different individuals (information security management, programming, testing, change management, production control, data security) ○ No individual has complete control over incompatible transaction processing functions ○ Data processing personnel are not users of information systems; they and security managers do not initiate, input or correct transactions ○ Access controls enforce segregation of duties ○ Job descriptions accurately reflect assigned duties and responsibilities and segregation of duties principles
  • 84. SD Critical Elements 2. Control personnel activities through formal operating procedures, supervision and review ○ Access authorizations are periodically reviewed for incompatible functions ○ Management reviews are performed to determine that control techniques for segregating incompatible duties are in place and are maintaining risk within acceptable levels ○ Supervisors routinely review user activity logs for incompatible actions and investigate any abnormalities
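An added example (not from the slides) of the activity-log review in element 2 above. It also applies the audit-record content criterion from the access-control section: a record that does not say what happened, when, by whom and with what outcome is reported as unusable evidence rather than silently skipped. The log lines and user ids are constructed; the incompatible-function pairs are assumptions drawn from the purchasing process used earlier in the deck, and only successful actions count as having exercised a function.

```python
"""Review of application activity logs for incompatible duties. Added example;
the log lines, user ids and the incompatible-function pairs are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Functions one individual should not perform alone (assumed SoD matrix)
INCOMPATIBLE = [
    ("REQ_ENTER", "REQ_APPROVE"),          # enter and approve a requisition
    ("PO_APPROVE", "GOODS_RECEIPT"),       # approve the PO and receive against it
    ("VENDOR_CREATE", "PAYMENT_APPROVE"),  # maintain vendor master and approve payments
]
# what / who / which document / outcome; "when" comes from the timestamp
REQUIRED = ("user", "action", "doc", "result")
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")

# Constructed application log (line 9 has no user and is therefore unusable as evidence)
LOG = """
2015-02-10T09:12:03Z user=aadams action=REQ_ENTER doc=REQ-1 result=SUCCESS
2015-02-10T09:40:11Z user=ddiaz action=REQ_APPROVE doc=REQ-1 result=SUCCESS
2015-02-11T14:02:55Z user=ddiaz action=REQ_ENTER doc=REQ-2 result=SUCCESS
2015-02-11T14:03:20Z user=ddiaz action=REQ_APPROVE doc=REQ-2 result=SUCCESS
2015-02-12T08:15:00Z user=cclark action=VENDOR_CREATE doc=V-500 result=SUCCESS
2015-02-13T16:45:09Z user=cclark action=PAYMENT_APPROVE doc=PAY-31 result=SUCCESS
2015-02-14T10:00:00Z user=aadams action=PO_APPROVE doc=PO-4001 result=FAILED
2015-02-14T10:01:00Z user=aadams action=GOODS_RECEIPT doc=PO-4001 result=SUCCESS
2015-02-15T11:11:11Z action=PAYMENT_APPROVE doc=PAY-32 result=SUCCESS
""".strip().splitlines()


def parse_record(line: str) -> Optional[dict]:
    """Return the record's fields, or None if it lacks what/when/who/outcome."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    if any(k not in fields for k in REQUIRED):
        return None
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_log(lines: List[str] = LOG) -> dict:
    """Users holding incompatible functions, the cases where one user did both
    sides of the same document, and the line numbers that could not be used."""
    malformed: List[int] = []
    by_user: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))  # user -> action -> docs
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        if rec is None:
            malformed.append(n)
            continue
        if rec["result"] != "SUCCESS":      # a failed attempt did not exercise the function
            continue
        by_user[rec["user"]][rec["action"]].add(rec["doc"])
    incompatible: Dict[str, List[Tuple[str, str]]] = {}
    same_document: List[Tuple[str, str, Tuple[str, str]]] = []
    for user, actions in by_user.items():
        for a, b in INCOMPATIBLE:
            if a in actions and b in actions:
                incompatible.setdefault(user, []).append((a, b))
                for doc in sorted(actions[a] & actions[b]):   # both sides of one transaction
                    same_document.append((user, doc, (a, b)))
    return {"malformed": malformed, "incompatible": incompatible, "same_document": same_document}


if __name__ == "__main__":
    result = review_log()
    print("unusable records:", result["malformed"])
    print("users with incompatible functions:", result["incompatible"])
    print("same document, both sides:", result["same_document"])
```

The two result lists are different findings: a user who merely holds both functions is an access-authorization issue for the resource owner to fix, while a user who entered and approved the same requisition is a transaction to trace through to the purchase order and payment.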
  • 85. Contingency Planning (CP) ● Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur
  • 86. CP Key Terms ● Disaster Recovery Plan (DRP) – Provides detailed procedures to facilitate recovery of capabilities at an alternate site; often IT focused ● Business Continuity Plan (BCP) – Provides procedures for sustaining essential business operations while recovering from a significant disruption; addresses business processes; IT is addressed based on its support for business processes ● Continuity of Operations Plan (COOP) – Provides procedures and capabilities to sustain an organization's essential, strategic functions at an alternate site for up to 30 days; addresses the subset of an organization's missions that are deemed most critical; usually written at the headquarters level; not IT focused
  • 87. CP Critical Elements 1. Assess the criticality and sensitivity of computerized operations and identify supporting resources 2. Take steps to prevent and minimize potential damage and interruption 3. Develop and document a comprehensive contingency plan 4. Periodically test the contingency plan and adjust it as appropriate
  • 88. CP Critical Elements 1. Assess the criticality and sensitivity of computerized operations and identify supporting resources ○ Critical data and operations are identified and prioritized ○ Resources supporting critical operations are identified and analyzed ○ Emergency processing priorities are established
  • 89. CP Critical Elements 2. Take steps to prevent and minimize potential damage and interruption ○ Data and program backup procedures have been implemented ○ Adequate environmental controls have been implemented ○ Staff have been trained to respond to emergencies ○ Effective hardware maintenance, problem management and change management help prevent unexpected interruptions
  • 90. CP Critical Elements 3. Develop and document a comprehensive contingency plan ○ An up-to-date contingency plan is documented ○ Arrangements have been made for alternate data processing, storage and telecommunications facilities
  • 91. CP Critical Elements 4. Periodically test the contingency plan and adjust it as appropriate ○ The plan is periodically tested ○ Test results are analyzed and the contingency plan is adjusted accordingly