Information Security & Assurance – An Overview
Introduction
• The decision-making process of a legacy organization is now computerized.
• The inputs to decisions are no longer readily at hand; the manager depends on certain computer-savvy employees to provide the desired information,
• now called DATA.
• Managers become apprehensive about taking decisions as doubts creep in, such as:
• Do I need to know the technology to justify my role?
• How do I know that I am not being misguided by people who sometimes take me for granted?
• Does power generally pass into the hands of those who have access to information? What will happen to the domain knowledge that I have painstakingly acquired?
• And finally, am I sitting on the fence because of these apprehensions?
• Picture a situation where you want to purchase a commodity from a website.
• It requires you to pay by credit card before you receive the goods.
• A host of apprehensions surface in your mind, such as:
– Are the goods authentic?
– Are they in working order?
– If I send the money, what recourse will I have if I never receive the goods, or if they are not of the standard or quality represented?
– Is it safe to disclose my credit card information on the website?
– Will my name, credit card information, and other particulars be passed on to telemarketing agencies?
• The first three reflect your apprehension about the organization;
• the last two reflect your concerns as a customer about the handling of your data.
• There are no concrete answers to these questions.
• What you really need is assurance!
Assurance services
• The AICPA (American Institute of Certified Public Accountants) Special Committee on Assurance Services defines assurance services as:
– Independent professional services that improve the quality of information, or its context, for decision makers.
– The word "independent" means unbiased: the assurance provider has no stake in the information it reports on.
Need for Assurance 
• In general, the need for assurance services arises because 
of: 
– Potential bias in providing information; that is the party 
providing the information may want to convey a better 
impression than real circumstances merit 
– Remoteness between a user and the organization or trading 
partner 
– Complexity of the transactions, information or processing 
system 
– Risk management 
– Voluminous data
Bias in Providing Information
• Take the example of lending activity:
– There is a considerable likelihood that a borrower will submit an inaccurate statement to increase the chances of obtaining a loan.
• Likewise, the seller of goods and services has a vested interest in convincing you that the product being sold is worth more than a similar product you could obtain elsewhere.
• The management of a company can also give misinformation about its financial position to attract investment.
• In all the above cases, assurance helps provide reliable information to decision makers.
Remoteness of User
• Thanks to the Internet, buying and selling now happen online, which brings certain concomitant disadvantages.
• For instance, there is no personal interaction with the seller.
• The buyer is unable to physically examine the product before purchase.
• This remoteness creates the need for assurance regarding:
– Trustworthiness of the individual seller
– Quality of the product
– Authenticity of the information received
Complexity of the system
• The complexity and dynamism of IT systems have changed dramatically during the last decade.
• Today, domain knowledge alone may not be sufficient to understand the various ways in which controls are implemented.
• One probably also needs knowledge of the technology that drives the process.
• In such a scenario, it is comforting for management to know that they can seek assurance services whenever needed.
Risk Management
• Consider a bank manager's decision to grant a loan to a business concern.
• If the bank decides to give the loan, it will charge a rate of interest determined primarily by three factors:
– Cost of the funds
– Business risk of the borrower
– Information risk to the lender, i.e. the risk that the information on which the lending decision is based is inaccurate
• Independent assurance on the borrower's statements reduces this information risk; it does nothing about the cost of funds or the business risk.
Voluminous Data
• As organizations grow and the volume of organizational information and data increases,
• the chances of misstating facts also rise.
• Sometimes there is a need for an independent third party to identify such misstatements and give an opinion on them.
Characteristics of Assurance Services 
• Assurance services have three critical components: 
– An assurance provider 
– Information or process on which the assurance is provided 
– A user or group of users/beneficiaries who derive value from 
the assurance service provided
Types of Assurance Services 
• Assurance services can be classified into 
– Attestation services 
• Involve the evaluation of an assertion made by one party to a third party. 
• Traditional statutory audit 
– Non-attestation services 
• Do not involve a third party 
• Internal and control self assessment audits are mainly self-imposed and do 
not involve any third party.
Types of Assurance Services (diagram)
• Attestation services
– Audit
– Compliance review
– IS audit
• Non-attestation services
– Internal audit
– Control self-assessment audit
– Management consulting
Evolution of Information System Audit
• IS auditing was formerly called Electronic Data Processing (EDP) auditing.
• It evolved as an extension of traditional auditing.
• The need for IS audit arose for several reasons, some of which are:
– Auditors realized that a lack of knowledge of computers had adversely affected their ability to perform attestation functions.
– Information processing management recognized that using computer systems was vital to compete effectively with other concerns in the business environment and that, like other valuable business resources within the organization, those systems had a critical need for control and auditability.
– With the growing digitization of information, it was felt that evidence collection, evaluation, and the entire process of traditional audit needed a paradigm shift.
– Professional associations, organizations, government bodies, and regulators recognized the need for IT control and audit.
The IS Lifecycle in the organization
• For any legacy organization, IS deployment follows three phases:
– Pervasion
• The initial phase, where the objective of the organization is the popularization of IT.
– Consolidation
• The second stage, where the organization, now with widespread use of IT, tries to consolidate its IS.
• This involves ascertaining who uses what, which technology is popular, any constraints in the use of resources, etc.
– Control
• The organization tries to put in place an appropriate mechanism of control and security.
The lifecycle of IT absorption in an organization (diagram)
• Pervasion: uncontrolled use, no restriction, popularization
• Consolidation: consolidation, standardization
• Control: restriction, control, information security framework, audit
The Knowledge Requirement of an IS Professional (Auditor)
• The auditor should understand the business better than the client does.
• The IS auditor should be more familiar with the information system than the IS manager in the organization.
• To understand the role of the IS auditor, it is important to first understand what IS audit is.
• Ron Weber defines it thus:
– Information systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.
• According to this definition, the job of the IS auditor is to give assurance to the company that the computer system helps achieve the following objectives:
– Safeguarding assets
– Maintaining data integrity
– Fulfilling the organizational goals effectively
– Consuming resources efficiently
• These objectives build on one another:
– Data integrity has no meaning in the organization if the assets are not safeguarded.
– Effectiveness has no meaning unless there is integrity of data.
– Efficiency (doing things right) is futile in the absence of effectiveness (doing the right things).
The Knowledge Requirement of an IS Auditor
• Asset safeguarding
– The IT Governance Institute (USA), in its governance framework COBIT (Control Objectives for Information and related Technology), defines IT resources as comprising:
• Data: objects in their widest sense, external and internal, structured and unstructured, graphics, sound, etc.
• Application software: the sum of manual and programmed procedures
• Technology: hardware, operating systems, database management systems, networks, multimedia, etc.
• Facilities: resources to house and support information systems
• People: staff skills, awareness and productivity in planning, organizing, acquiring, delivering, supporting and monitoring IS and services
• Data integrity
– Refers to the accuracy and completeness of data; very important from the assurance point of view.
• Effectiveness
– Doing the right things.
– From the IS point of view, it implies knowledge of user needs.
– The auditor must know the needs of the user and the nature of the decision-making environment.
• Efficiency
– From the auditor's perspective, doing a job effectively using minimum resources, or using minimal resources to achieve the desired objectives.
The knowledge requirement for an IS auditor (diagram)
• IS audit draws on four disciplines:
– Traditional auditing: internal control philosophy
– Computer science: the computer domain
– IS management: project management and documentation
– Behavioral science: organizational behavior
Benefits of IS Audit For an Organization 
• Some of the benefits organization receive are: 
– Mapping business control with IT application 
– Business Process Re-engineering 
– The IT Security Policy 
– Security awareness 
– Better return on Investment (ROI) 
– Risk Management
Changing Role of IS Auditors and the Relevance of COBIT
• Rapid technology change.
• Development of new business models.
• Outsourcing, downsizing, decentralization.
Traditional role → New role
Detection → Prevention
Policeman → Business partner
Focus on audit → Focus on business
Focus on cost → Focus on customer
Focus on function → Focus on process
Auditor → Risk manager
Hierarchical → Team
Quill pen → Technology

More Related Content

What's hot

insider threat research
insider threat researchinsider threat research
insider threat researchAsma Al-maskaria
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach CostResilient Systems
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefVisal Thach
 
Development of MIS: Information requirement, Designing of MIS, Implementation...
Development of MIS: Information requirement, Designing of MIS, Implementation...Development of MIS: Information requirement, Designing of MIS, Implementation...
Development of MIS: Information requirement, Designing of MIS, Implementation...Ashish Hande
 
Class 2003 05 22
Class 2003 05 22Class 2003 05 22
Class 2003 05 22FNian
 
The Hidden Economics of Business Content - A Revelation by Union Bank
The Hidden Economics of Business Content - A Revelation by Union BankThe Hidden Economics of Business Content - A Revelation by Union Bank
The Hidden Economics of Business Content - A Revelation by Union BankPyramid Solutions, Inc.
 
Automated Decision Making Comes to Age
Automated Decision Making Comes to AgeAutomated Decision Making Comes to Age
Automated Decision Making Comes to AgeComputer Aid, Inc
 
Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities Emily2014
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb esSonny Hashmi
 
Introduction to Machine Learning
Introduction to Machine Learning   Introduction to Machine Learning
Introduction to Machine Learning snehal_152
 
Knowladge management
Knowladge managementKnowladge management
Knowladge managementsnehal_152
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset SecurityKarthikeyan Dhayalan
 
Automated Decision Making Comes Of Age
Automated Decision Making Comes Of AgeAutomated Decision Making Comes Of Age
Automated Decision Making Comes Of AgeThakur Shashank
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
How Do You Create A Successful Information Security Program  Hire A Great Iso!!How Do You Create A Successful Information Security Program  Hire A Great Iso!!
How Do You Create A Successful Information Security Program Hire A Great Iso!!Tammy Clark
 
Information,Knowledge,Business intelligence
Information,Knowledge,Business intelligenceInformation,Knowledge,Business intelligence
Information,Knowledge,Business intelligenceHiren Selani
 
Information Management
Information ManagementInformation Management
Information ManagementNadeem Raza
 
Enterprise Information management
Enterprise Information managementEnterprise Information management
Enterprise Information managementThe Open Group SA
 

What's hot (19)

insider threat research
insider threat researchinsider threat research
insider threat research
 
Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
 
Mis 3
Mis 3Mis 3
Mis 3
 
It implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-briefIt implement-it-asset-management-executive-brief
It implement-it-asset-management-executive-brief
 
Development of MIS: Information requirement, Designing of MIS, Implementation...
Development of MIS: Information requirement, Designing of MIS, Implementation...Development of MIS: Information requirement, Designing of MIS, Implementation...
Development of MIS: Information requirement, Designing of MIS, Implementation...
 
Class 2003 05 22
Class 2003 05 22Class 2003 05 22
Class 2003 05 22
 
The Hidden Economics of Business Content - A Revelation by Union Bank
The Hidden Economics of Business Content - A Revelation by Union BankThe Hidden Economics of Business Content - A Revelation by Union Bank
The Hidden Economics of Business Content - A Revelation by Union Bank
 
Automated Decision Making Comes to Age
Automated Decision Making Comes to AgeAutomated Decision Making Comes to Age
Automated Decision Making Comes to Age
 
Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb es
 
Introduction to Machine Learning
Introduction to Machine Learning   Introduction to Machine Learning
Introduction to Machine Learning
 
Knowladge management
Knowladge managementKnowladge management
Knowladge management
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
 
Automated Decision Making Comes Of Age
Automated Decision Making Comes Of AgeAutomated Decision Making Comes Of Age
Automated Decision Making Comes Of Age
 
How Do You Create A Successful Information Security Program Hire A Great Iso!!
How Do You Create A Successful Information Security Program  Hire A Great Iso!!How Do You Create A Successful Information Security Program  Hire A Great Iso!!
How Do You Create A Successful Information Security Program Hire A Great Iso!!
 
2 Day MOSTI Workshop
2 Day MOSTI Workshop2 Day MOSTI Workshop
2 Day MOSTI Workshop
 
Information,Knowledge,Business intelligence
Information,Knowledge,Business intelligenceInformation,Knowledge,Business intelligence
Information,Knowledge,Business intelligence
 
Information Management
Information ManagementInformation Management
Information Management
 
Enterprise Information management
Enterprise Information managementEnterprise Information management
Enterprise Information management
 

Similar to Isa 2

Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit  Pci dss presentation   Bashir FancySask 3.0 Summit  Pci dss presentation   Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySaskSummit
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptxdotco
 
Internet security and privacy issues
Internet security and privacy issuesInternet security and privacy issues
Internet security and privacy issuesJagdeepSingh394
 
GDPR | Cyber security process resilience
GDPR | Cyber security process resilienceGDPR | Cyber security process resilience
GDPR | Cyber security process resilienceRishi Kant
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest riskEvan Francen
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseCGTI
 
The data quality challenge
The data quality challengeThe data quality challenge
The data quality challengeLenia Miltiadous
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptxdotco
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceEquiGov Institute
 
What to expect from your IT People
What to expect from your IT PeopleWhat to expect from your IT People
What to expect from your IT PeopleJason Caras
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems Jeffrey Paulette
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2TechSoup Canada
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance programSiddharth Janakiram
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxJoshJaro
 

Similar to Isa 2 (20)

Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit  Pci dss presentation   Bashir FancySask 3.0 Summit  Pci dss presentation   Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir Fancy
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 
Internet security and privacy issues
Internet security and privacy issuesInternet security and privacy issues
Internet security and privacy issues
 
GDPR | Cyber security process resilience
GDPR | Cyber security process resilienceGDPR | Cyber security process resilience
GDPR | Cyber security process resilience
 
People are the biggest risk
People are the biggest riskPeople are the biggest risk
People are the biggest risk
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
The data quality challenge
The data quality challengeThe data quality challenge
The data quality challenge
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptx
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure compliance
 
What to expect from your IT People
What to expect from your IT PeopleWhat to expect from your IT People
What to expect from your IT People
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The Ugly
 
Co3 rsc r5
Co3 rsc r5Co3 rsc r5
Co3 rsc r5
 
Ais section ch1
Ais section ch1Ais section ch1
Ais section ch1
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance program
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Isa 2

1. Information Security & Assurance
Information Security & Assurance – An Overview

2. Introduction
• Decision making process of a legacy organization, now computerized
• The inputs are no longer easily available
• Depends on certain computer-savvy employees to provide the desired information
• Now called DATA
• Apprehensive about taking decisions as doubts creep up, like:

3. Introduction
• Do I need to know the technology to justify my role?
• How do I know that I am not being misguided by people who sometimes take me for granted?

4. Introduction
• Is power generally in the hands of those who have access to information? What will happen to the domain knowledge that I have painstakingly acquired?
• And finally, am I sitting on the fence because of these apprehensions?

5. Introduction
• Picture a situation where you want to purchase a commodity from a website
• It requires you to pay by credit card before you receive the goods
• A host of apprehensions surface in your mind, like:
– Are the goods authentic?
– Are they in working order?
– If I send the money, what option will I have if I never receive the goods, or if they are not of the standard or quality represented?

6. Introduction
– Is it safe to disclose my credit card information on the website?
– Will my name, credit card information, and other particulars be passed on to telemarketing agencies?
• The first three reflect your apprehension about the organization
• The last two reflect your concerns as a customer
• There are no concrete answers to these questions
• What you really need is assurance!

7. Assurance services
• The AICPA's (American Institute of Certified Public Accountants) special committee on assurance services defines assurance as:
– Independent professional services that improve the quality of information, or its context, for decision makers
– The word independent means unbiased

8. Need for Assurance
• In general, the need for assurance services arises because of:
– Potential bias in providing information; that is, the party providing the information may want to convey a better impression than the real circumstances merit
– Remoteness between a user and the organization or trading partner
– Complexity of the transactions, information or processing system
– Risk management
– Voluminous data
9. Bias in Providing Information
• Let us take the example of lending activity
– There is a considerable likelihood that a borrower may submit an inaccurate statement to increase the chances of obtaining a loan
• Likewise, the seller of goods and services has a vested interest in convincing you that the product being sold is worth more than a similar product you could obtain elsewhere

10. Bias in Providing Information
• The management of a company can also give misinformation about its financial position to attract investment
• In all the above cases, assurance helps provide reliable information to decision makers

11. Remoteness of User
• Thanks to the Internet, online buying and selling has certain concomitant disadvantages
• For instance, there is an absence of personal interaction with the seller

12. Remoteness of User
• The buyer is unable to physically examine the product before purchase
• This remoteness creates the need for assurance regarding:
– Trustworthiness of the individual seller
– Quality of the product
– Authenticity of the information received

13. Complexity of the system
• The complexity and dynamism of IT systems have changed dramatically during the last decade
• Today, domain knowledge alone may not be sufficient to understand the various ways in which controls are implemented
• One probably also needs knowledge of the technology that drives the process
• In such a scenario, it is comforting for management to know that they can seek assurance services whenever needed

14. Risk Management
• Consider a bank manager's decision to grant a loan to a business concern
• If the bank decides to give the loan, it will charge a rate of interest determined primarily by three factors:
– Cost of the funds
– Business risk for the borrower
– Information risk to the lender

15. Voluminous Data
• As organizations grow and the volume of organizational information and data increases, the chances of misstating facts also rise
• Sometimes there may be a need for an independent third party to identify and give an opinion on such misstatements

16. Characteristics of Assurance Services
• Assurance services have three critical components:
– An assurance provider
– The information or process on which the assurance is provided
– A user or group of users/beneficiaries who derive value from the assurance service provided

17. Types of Assurance Services
• Assurance services can be classified into:
– Attestation services
• Involve the evaluation of an assertion made by one party to a third party
• Example: the traditional statutory audit
– Non-attestation services
• Do not involve a third party
• Internal audits and control self-assessment audits are mainly self-imposed and do not involve any third party
18. Types of Assurance Services
Figure: Types of Assurance Services
• Attestation services: Audit, Compliance Review, IS Audit
• Non-attestation services: Internal audit, Control self-assessment audit, Management consulting
19. Evolution of Information System Audit
• IS auditing was formerly called Electronic Data Processing (EDP) auditing
• It evolved as an extension of traditional auditing
• The need for IS audit arose for several reasons, some of which are:
– Auditors realized that a lack of knowledge of computers had adversely affected their ability to perform attestation functions

20. Evolution of Information System Audit
– Information processing management recognized that computer systems were vital to compete effectively with other concerns in the business environment and, like other valuable business resources within the organization, had a critical need for control and auditability
– With the growing digitization of information, it was felt that evidence collection, evaluation, and the entire process of traditional audit needed a paradigm shift

21. Evolution of Information System Audit
– Professional associations, organizations, government bodies, and regulators recognized the need for IT control and audit

22. The IS Lifecycle in the organization
• For any legacy organization, IS deployment follows three phases:
– Pervasion
• Initial phase, where the objective of the organization is the popularization of IT
– Consolidation
• Second stage, where the organization, after widespread use of IT, tries to consolidate the IS
• Involves ascertaining who uses what, which technology is popular, any constraints in the use of resources, etc.
– Control
• Tries to put in place an appropriate mechanism of control and security
23. The lifecycle of IT absorption in an organization
Figure: The lifecycle of IT absorption in an organization
• Pervasion: uncontrolled use, no restriction, popularization
• Consolidation: consolidation, standardization
• Control: restriction, control, information security framework, audit
24. The Knowledge Requirement of an IS professional (Auditor)
• The auditor should understand the business better than the client
• The IS auditor should be more familiar with the information system than the IS manager in the organization
• To understand the role of the IS auditor, it is important to first understand what IS audit is

25. The Knowledge Requirement of an IS Auditor
• Ron Weber defines it thus:
– Information systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.

26. The Knowledge Requirement of an IS Auditor
• According to the definition on the previous slide, the job of the IS auditor is to give assurance to the company that the computer system helps achieve the following objectives:
– Safeguarding assets
– Maintaining data integrity
– Fulfilling the organizational goals effectively
– Consuming resources efficiently

27. The Knowledge Requirement of an IS Auditor
• Data integrity has no meaning in the organization if the assets are not safeguarded
• Effectiveness has no meaning unless there is integrity of data
• Efficiency (doing things right) is futile in the absence of effectiveness (doing the right things)

28. The Knowledge Requirement of an IS Auditor
• Asset safeguarding
– The IT Governance Institute (USA), in its governance model COBIT (Control Objectives for Information and related Technology), has defined IT resources as comprising:
• Data: objects in their widest sense – external and internal, structured and unstructured, graphics, sound, etc.
• Application software: the sum of manual and programmed procedures
• Technology: hardware, operating systems, database management systems, networks, multimedia, etc.
• Facilities: resources to house and support information systems
• People: staff skills, awareness and productivity in planning, organizing, acquiring, delivering, supporting and monitoring IS and services

29. The Knowledge Requirement of an IS Auditor
• Data integrity
– Refers to the accuracy and completeness of data; very important from the assurance point of view
• Effectiveness
– Doing the right things
– From the IS point of view, it implies knowledge of user needs
– The auditor must know the needs of the user and the nature of the decision-making environment
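The slide defines data integrity as accuracy plus completeness. The script below is an added example (not code from the slides or from any named author) of how an auditor can collect evidence for both properties when a data extract is handed over for review: a per-record digest manifest taken from the system of record is compared against the received copy, and the check reports records that are missing or extra (completeness failures) separately from records whose content changed in transit (accuracy failures). The ledger records and their field names (id, account, amount) are constructed sample data, not from any real system.

```python
"""Added example: completeness and accuracy check over a data extract.

Completeness: every source record id is present in the extract, and the
extract contains no ids the source never had.
Accuracy: for ids present on both sides, the record content is unchanged,
judged by a SHA-256 digest over a canonical serialization.

Records and field names below are constructed sample data (assumed)."""
from __future__ import annotations

import hashlib
import json


def record_digest(record: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so that a
    reordering of fields is not mistaken for a change of content."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(records: list[dict]) -> dict[str, str]:
    """Map each record id to its digest. This is the evidence taken from
    (or recomputed independently against) the system of record."""
    manifest: dict[str, str] = {}
    for rec in records:
        rid = str(rec["id"])
        if rid in manifest:
            raise ValueError(f"duplicate id {rid} in source")
        manifest[rid] = record_digest(rec)
    return manifest


def check_integrity(source_manifest: dict[str, str], received: list[dict]) -> dict:
    """Compare a received extract against the source manifest.

    The report carries four sorted id lists:
      missing    - in source, absent from extract     (completeness)
      extra      - in extract, absent from source     (completeness)
      duplicates - id appears more than once in extract (completeness)
      altered    - on both sides, digest differs      (accuracy)
    and 'ok', which is True only when all four lists are empty."""
    received_manifest: dict[str, str] = {}
    duplicates: list[str] = []
    for rec in received:
        rid = str(rec["id"])
        if rid in received_manifest:
            duplicates.append(rid)
        received_manifest[rid] = record_digest(rec)

    src_ids = set(source_manifest)
    rcv_ids = set(received_manifest)
    missing = sorted(src_ids - rcv_ids)
    extra = sorted(rcv_ids - src_ids)
    altered = sorted(
        rid for rid in src_ids & rcv_ids
        if source_manifest[rid] != received_manifest[rid]
    )
    report = {
        "missing": missing,
        "extra": extra,
        "duplicates": sorted(duplicates),
        "altered": altered,
    }
    report["ok"] = not (missing or extra or duplicates or altered)
    return report


# Constructed sample: the system of record ...
SOURCE_LEDGER = [
    {"id": 1001, "account": "ACC-17", "amount": "250.00"},
    {"id": 1002, "account": "ACC-42", "amount": "1200.50"},
    {"id": 1003, "account": "ACC-17", "amount": "75.25"},
    {"id": 1004, "account": "ACC-99", "amount": "310.00"},
]

# ... and the extract that was handed over. It drops 1003, changes the
# amount on 1002, and contains a record (1005) the source never had.
# Record 1001 has its fields in a different order but identical content.
RECEIVED_EXTRACT = [
    {"amount": "250.00", "account": "ACC-17", "id": 1001},
    {"id": 1002, "account": "ACC-42", "amount": "1200.00"},
    {"id": 1004, "account": "ACC-99", "amount": "310.00"},
    {"id": 1005, "account": "ACC-03", "amount": "5.00"},
]


def sample_report() -> dict:
    """Run the check over the constructed sample."""
    return check_integrity(build_manifest(SOURCE_LEDGER), RECEIVED_EXTRACT)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Keeping the completeness findings (missing, extra, duplicates) separate from the accuracy finding (altered) matters in practice: a dropped record points at the extraction or transfer step, while an altered one points at whoever could write to the data between source and review, and the two call for different follow-up.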
30. The Knowledge Requirement of an IS Auditor
• Efficiency
– From the auditor's perspective, doing the job with the minimum of resources needed to achieve the desired objectives
31. The Knowledge requirement for an IS auditor
Figure: The knowledge requirement for an IS auditor. IS Audit sits at the centre and draws on four disciplines: Traditional Auditing, Computer Science, IS Management and Behavioral Science. The figure's labels also include internal control, project management, philosophy, documentation, the computer domain and organizational behavior.
32. Benefits of IS Audit for an Organization
• Some of the benefits an organization receives are:
– Mapping business controls to IT applications
– Business process re-engineering
– The IT security policy
– Security awareness
– Better return on investment (ROI)
– Risk management
33. Changing Role of IS Auditors and the Relevance of COBIT
• Rapid technology change
• Development of new business models
• Outsourcing, downsizing, decentralization

Traditional Role        New Role
Detection               Prevention
Policeman               Business partner
Focus on audit          Focus on business
Focus on cost           Focus on customer
Focus on function       Focus on process
Auditor                 Risk manager
Hierarchical            Team
Quill pen               Technology