Compliance
• Compliance measures the extent to which
defined policies, standards, and procedures
are being followed.
• Compliance includes auditing, monitoring, and
investigating at several different levels of the
organization.
First level
• Early detection of security violations limits the damage
done to the organization.
• The information owner or individual assigned
responsibility for the component must ensure that
appropriate preventative and detective controls are in
place and are being utilized effectively.
• Controls at this level include establishing and
maintaining access, implementing monitoring and alert
tools, administration of audit trail reports,
management review of log-in attempts, implementing
security parameters, and investigation of lockouts.
Second level
• Audit function.
• The audit function can be performed by the
internal audit department, external auditors, or a
combination of both according to industry
standards.
• Audit objectives include ensuring compliance
with corporate policies, standards, and
procedures as well as developing programs to
understand the control environment, perform
risk assessment, and establish control
procedures.
Third level
• Security Team or Committee level.
• This is investigative in nature and, instead of
focusing on a particular application or
component, the Security Team is responsible
for ensuring that security is implemented
organization wide.
LEVEL ONE COMPLIANCE: THE
COMPONENT OWNER
• To ensure appropriate access, a procedure
should be established under which component
owners, network and application
administrators produce a listing of access rights
by user on a quarterly basis, at a minimum.
• These reports are then submitted to the
security liaison of each business function to
review for appropriateness.
Additional responsibilities of the security coordinators/
liaisons are to:
• Ensure that application access forms are
initiated for existing and new users within the
respective departmental area
• Ensure that access is modified or deleted
when employees and nonemployees
(consultants, contractors, business partners)
operating within their business function or
site are transferred or terminated
• Conduct user security awareness within their
departmental function
• Ensure that the enterprise Confidentiality
Agreement and exit interview forms are
signed by all users operating within their
department or area of responsibility
• Actively participate as a member of the
Security Team
• Coordinate with the Security Officer on all
security-related matters
• Network and application administrators are
technically responsible for the operation of
the network or application.
• The administrators set security defaults on the
system and establish the baseline control
standards upon completion of a risk
assessment and identification of
vulnerabilities.
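One way to mechanize the quarterly access listing review and the access-removal-on-transfer-or-termination duty described above, as an added example in Python (not code from the original page): the access listing format, the role-to-entitlement policy, the segregation-of-duties pairs and the HR roster are all constructed assumptions. The script flags entitlements that exceed what the user's role permits, users holding conflicting entitlements, accounts whose role is not covered by policy, and accounts of people no longer on the active roster.

```python
"""Quarterly access review: compare an access listing by user against a
role-based entitlement policy and an HR roster.
Added example with constructed data; listing format, policy and roster
are assumptions, not artifacts from any real system."""
from dataclasses import dataclass

# Constructed access listing, as a component owner might export it:
# one line per user, "user,role,entitlement1;entitlement2;..."
ACCESS_LISTING = """\
alice,accounts_payable,AP_ENTRY;AP_VIEW
bob,accounts_payable,AP_ENTRY;AP_APPROVE;AP_VIEW
carol,treasury,AP_APPROVE;TREAS_WIRE
dave,consultant,DBA;AP_VIEW
erin,accounts_payable,AP_VIEW
"""

# Policy (assumption): maximum entitlements permitted for each role.
POLICY = {
    "accounts_payable": {"AP_ENTRY", "AP_VIEW"},
    "treasury": {"AP_APPROVE", "TREAS_WIRE"},
    "consultant": {"AP_VIEW"},
}

# Entitlement pairs that violate segregation of duties if one user holds both.
SOD_CONFLICTS = {frozenset({"AP_ENTRY", "AP_APPROVE"})}

# HR roster (assumption): users still active in this business function.
ACTIVE_USERS = {"alice", "bob", "carol", "erin"}


@dataclass
class Finding:
    user: str
    kind: str    # excess_privilege | sod_conflict | terminated | unknown_role
    detail: str


def parse_listing(text):
    """Turn the exported listing into (user, role, set_of_entitlements)."""
    entries = []
    for line in text.strip().splitlines():
        user, role, ents = line.split(",", 2)
        entries.append((user, role, set(filter(None, ents.split(";")))))
    return entries


def review_access(listing, policy, sod_conflicts, active_users):
    """Return the findings a security liaison would need to act on."""
    findings = []
    for user, role, ents in parse_listing(listing):
        if user not in active_users:
            # Transferred or terminated: the whole account must go, so one
            # finding is enough regardless of what it still holds.
            findings.append(Finding(user, "terminated",
                                    "account still holds " + ",".join(sorted(ents))))
            continue
        allowed = policy.get(role)
        if allowed is None:
            findings.append(Finding(user, "unknown_role", role))
            continue
        excess = ents - allowed
        if excess:
            findings.append(Finding(user, "excess_privilege", ",".join(sorted(excess))))
        for pair in sod_conflicts:
            if pair <= ents:
                findings.append(Finding(user, "sod_conflict", "+".join(sorted(pair))))
    return findings


def report(findings):
    """Plain-text report for the liaison's appropriateness review."""
    return "\n".join(f"{f.kind:16} {f.user:8} {f.detail}" for f in findings)


if __name__ == "__main__":
    print(report(review_access(ACCESS_LISTING, POLICY, SOD_CONFLICTS, ACTIVE_USERS)))
```

With the constructed data, bob is reported for holding AP_APPROVE beyond his role and for the entry/approve conflict, and dave's consultant account is reported because he is no longer on the roster; a real run would feed the exported listing and the HR feed in place of the embedded strings.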
LEVEL TWO COMPLIANCE: THE AUDIT
FUNCTION
• The audit function is concerned with obtaining
an understanding of and evaluating an
organization’s internal control.
• Internal control refers to the processes
established by an organization’s board of
directors, management, and technical staff to
provide effective and efficient operations,
reliable financial reporting, and compliance
with applicable laws and regulations.
The components of internal control
include:
• The control environment
• Risk assessment
• Control procedures
• Monitoring activities
• Information and communication
The control environment
• The integrity, ethical values, and fitness of the
people within the organization establish the
control environment.
• Audit seeks to ensure that the control
environment is effective by assessing the
stability and consistency of the factors
mentioned above.
Risk assessment
• Risk assessment provides identification and
analysis of realistic and associated risks in
achieving the organization’s business objectives.
• The audit function seeks to ensure that information
security controls are proportionate to the
value, sensitivity, and criticality of the systems
and information being protected.
• This includes the probability, frequency, and
severity of loss or damage that can occur.
Control procedures
• Control procedures ensure that management
directives are implemented.
• Control procedures include authorization,
verification, approval, reconciliation, analysis
of the efficiency of operations,
implementation of access controls, physical
security of assets, and segregation of duties.
Monitoring activities
• Monitoring activities include well-defined and
scheduled management and supervisory activities to
determine whether control procedures are performed
effectively and consistently.
• Auditors monitor the control processes and procedures
for indications of weakness in the control environment
that has been established, while security, network, and
application administrators monitor specific
implementations for errors, damage, or indications of
unauthorized access to systems and applications.
Information and communication
• Information and communication in the audit
environment includes the timely processing
and dissemination of operational, financial,
and compliance- related information to
manage the business effectively.
• Auditing is most often coupled with the
reliability of financial reporting.
• The second portion of a computer audit
encompasses understanding and evaluating
the general computer controls for an
operating environment.
• When testing general computer controls,
there are four areas of consideration:
– Information security
– System acquisition, development, and
maintenance
– Computer operations
– Information systems support
• Information security includes testing for
logical security of online and batch access
controls.
• System acquisition, development, and
maintenance include the quality of new
systems design and implementation, as well as
program change control.
• Computer operations entail media library
management, job scheduling, physical control
of devices, information and data, report
distribution, backup, and recovery.
• Information systems support includes all of
the peripherals that support an application
and processing environment such as controls
related to operating system software,
database administration, network operations,
and end-user computing.
Financial audit
• The auditors must determine what level of
reliance they place on key controls.
• When reliance is high — which means that
they trust the output data to be true and
correct — a test of the key controls must be
performed for completeness, accuracy,
validity, and restricted access.
• Controls are a combination of monitoring
controls, and both manual and automated
application controls.
• Application controls and related control
objectives are procedures designed to ensure
the integrity of the accounting records.
Control objectives include:
• Completeness : all transactions are recorded,
entered into the system, and accepted for
processing once and only once. All
transactions input are updated to the
appropriate files, and once updated remain
correct and current.
• Accuracy : data and information are recorded
and accurately input to the computer. Changes
made to data files are accurately input, and all
input transactions are accepted for processing
and updated to the appropriate data files.
• Validity: transactions are authorized and
represent true and valid transactions related
to the appropriate client. Changes to existing
data are not made without appropriate
authorization.
• Restricted access : only individuals authorized by
virtue of their job function can access data files
for changes or updates. Logical controls protect
the confidentiality of the data, and physical
controls protect cash and inventory.
• When testing the general computer controls,
the auditor is looking for potential errors in
completeness, accuracy, validity, and
restricted access.
• Tests of validity ensure that a process that is
taking place, whether it is a calculation or
the granting of a user's access to a system, is
a relevant and legitimate process.
• A risk-based approach to auditing determines
how often a particular application or
operating system is audited and will depend
on the assessed risk to the organization as
well as the strength of the control
environment for a particular application or
operating system.
LEVEL THREE COMPLIANCE: THE
SECURITY TEAM
• The Security Team or Committee is
responsible for ensuring that security is
implemented organization wide.
• An information security architecture (ISA) that has
been developed and implemented needs to be
continuously assessed for effectiveness, for
changes to the environment that will require
changes to the ISA, and for modifications that
improve the overall architecture.
• The Security Team is looking for something
different from what the system auditors look for.
• The Security Team is looking for implementation
of the policies, standards, and procedures that
have been developed under its direction.
• Auditors are looking for the effectiveness of
controls as they are implemented for critical
programs and applications.
• The network administrator is concerned with the
specific implementation details for a particular
component.
How does the Security Team assess
the effectiveness of the ISA?
• The Security Team should be involved in
reviewing the results of all audit, control, or
security reviews that occur within the
organization.
• The Security Team is tasked with
understanding why results fell short and
what the systemic reason for lax or
ineffective controls was.
• The Security Team also acts as the
investigative arm for security issues and
incidents.
LINE OF BUSINESS (LOB) SECURITY
PLAN
• The LOB Security Plan should provide an
overview of the operational environment,
identify key controls within the organization,
and provide the basis for measuring
compliance to the corporate security policies,
standards, and procedures.
• The LOB Security Plan is designed to provide a
baseline document for understanding the
processing environment, performing baseline
security assessments of that environment, and
seeking to make improvements to meet the
corporate goals and objectives for security.
ENTERPRISE MANAGEMENT TOOLS
• Account integrity : to identify and prevent users
from having security privileges that exceed the
security policy
• Backup integrity : to identify files that are not
being backed up
• File access : to examine files to verify security
settings that are established in the security policy
• File attributes : to identify files whose attributes
have changed from the baseline
• File find : to check files for viruses and other
corruption that could lead to data loss
• Log-in parameters : to scan for log-in
parameters that fall outside the security policy
• Object integrity : to identify changes in
ownership and permissions for software
objects
• Password strength : to check the password
parameters for validation against the security
policy
• Startup files : to examine startup files for
potential security breaches
• System auditing : to monitor audit trails and
system accounts
• System mail : to check known problem areas
for security lapses
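As an added example of the file attributes and object integrity checks in the list above (Python, not a tool from the original page), the following script takes a baseline of permission mode, owner, group and SHA-256 digest for every regular file under a directory and reports files that changed, appeared or vanished. It builds and tampers with its own temporary directory tree, so all paths and contents are constructed.

```python
"""Baseline-and-compare check for file attributes and object integrity.
Added example: records mode, uid, gid and SHA-256 for each regular file
under a root, then reports differences against a later snapshot.
The demo tree it populates is constructed, not taken from any system."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file (path relative to root) to its attributes."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes need their own handling
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "mode": oct(stat.S_IMODE(st.st_mode)),  # e.g. '0o644'
                "uid": st.st_uid,
                "gid": st.st_gid,
                "sha256": digest,
            }
    return baseline


def compare(baseline, current):
    """Return sorted (path, change) tuples for every deviation from baseline."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif new is None:
            findings.append((rel, "removed"))
        else:
            for attr in ("mode", "uid", "gid", "sha256"):
                if old[attr] != new[attr]:
                    findings.append((rel, f"{attr} changed: {old[attr]} -> {new[attr]}"))
    return findings


def demo():
    """Populate a temp tree, take a baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data, mode in (("bin/tool", b"#!/bin/sh\necho ok\n", 0o755),
                                ("etc/app.conf", b"debug=0\n", 0o644)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)  # explicit mode so umask does not matter
        base = snapshot(root)

        # Tampering a monitor should catch: edited config, loosened
        # permissions on a program, and a file that was not there before.
        with open(os.path.join(root, "etc", "app.conf"), "ab") as fh:
            fh.write(b"debug=1\n")
        os.chmod(os.path.join(root, "bin", "tool"), 0o777)
        with open(os.path.join(root, "bin", "backdoor"), "wb") as fh:
            fh.write(b"x")

        return compare(base, snapshot(root))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{path:16} {change}")
```

In production the baseline would be stored and signed somewhere the monitored host cannot write to, and a run that finds no differences is itself evidence worth keeping for the audit trail.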
Pitfalls to an Effective ISA Program
• Lack of project sponsorship and executive management
support
• Executive management’s lack of understanding of
realistic risk
• Lack of resources
• Impact of mergers and acquisitions on disparate
systems
• Independent operations throughout business units
• Discord between mainframe versus distributed
computing cultures
• Corporate cultures built on fostering trust
within the organization, which sit uneasily with
an environment requiring more stringent controls
• Fortune 500 enterprises that have grown from
mom-and-pop shop beginnings and do not
completely support the constraints conducive
to secure operations
• Third-party and remote network management
• The rate of change in technology
