Chapter Three Objectives

Chapter Three Objectives
- Understand the risks faced by information assets.
- Comprehend the relationship between risk and asset vulnerabilities, and the nature and types of threats faced by the asset.
- Understand the objectives of control and security of information assets and how these objectives are interrelated.
- Understand the building blocks of control and security frameworks for information systems.
- Apply a controls framework to a financial accounting system.

Protecting Information Assets
Information assets must be protected because:
- They can be compromised, whether by deliberate attack or by unintentional error (misconfiguration, operator mistakes, hardware failure).
- Attacks on information assets come from both outside and inside the organization.
- Many systems, financial accounting systems among them, are subject to regulatory protection requirements.

Vulnerabilities and Threats
- Vulnerability: A weakness in an information asset (or in the controls around it) that can be exploited; vulnerabilities are the source of risk.
- Threat: A potential event that could exploit a vulnerability and harm the asset. Risk combines the likelihood of the threat with the impact of the resulting loss.
- Attack: A series of steps taken by an attacker to achieve an unauthorized result.
- Threat agent: An entity, typically a person but also malware or an environmental event, that triggers a threat.
- Countermeasure: A control that reduces the likelihood that a known vulnerability is exploited, the impact if it is, or both. Residual risk is what remains after countermeasures are applied.
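To make the relationship between asset value, vulnerability, threat likelihood and countermeasures concrete, here is a small quantitative risk model. It is an added example, not part of the slides, and it assumes the common single-loss-expectancy / annualized-loss-expectancy formulation (SLE = asset value x exposure factor; ALE = SLE x annual rate of occurrence), which the slide does not state. All assets, threats, countermeasures and figures are constructed for illustration.

```python
"""Worked risk model for the vulnerability / threat / countermeasure vocabulary.

Assumed model (not from the slide):
  SLE = asset value x exposure factor        (loss per occurrence)
  ALE = SLE x ARO                            (expected loss per year)
A countermeasure lowers ARO and/or exposure; it pays for itself when the
ALE it removes exceeds its annual cost. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Dict


def _check_fraction(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # business / replacement value in currency units


@dataclass(frozen=True)
class Threat:
    """A threat event that exploits one vulnerability in one asset.

    aro:      expected occurrences per year (the threat's likelihood)
    exposure: fraction of the asset value lost per occurrence (the impact)
    """
    asset: Asset
    vulnerability: str
    agent: str
    aro: float
    exposure: float

    def __post_init__(self) -> None:
        if self.aro < 0:
            raise ValueError("aro cannot be negative")
        _check_fraction("exposure", self.exposure)


@dataclass(frozen=True)
class Countermeasure:
    """A control that reduces likelihood (aro_reduction) and/or impact (exposure_reduction)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0       # fraction by which ARO falls
    exposure_reduction: float = 0.0  # fraction by which exposure falls

    def __post_init__(self) -> None:
        _check_fraction("aro_reduction", self.aro_reduction)
        _check_fraction("exposure_reduction", self.exposure_reduction)


def sle(t: Threat, cm: Optional[Countermeasure] = None) -> float:
    """Loss per occurrence, after the countermeasure's impact reduction if one is given."""
    reduction = cm.exposure_reduction if cm else 0.0
    return t.asset.value * t.exposure * (1.0 - reduction)


def ale(t: Threat, cm: Optional[Countermeasure] = None) -> float:
    """Expected annual loss; with a countermeasure this is the residual risk."""
    reduction = cm.aro_reduction if cm else 0.0
    return sle(t, cm) * t.aro * (1.0 - reduction)


def net_benefit(t: Threat, cm: Countermeasure) -> float:
    """Annual risk removed minus the control's cost. Negative: the control costs more than it saves."""
    return (ale(t) - ale(t, cm)) - cm.annual_cost


def rank_risks(threats: List[Threat]) -> List[Threat]:
    """Highest inherent ALE first, i.e. what to treat first."""
    return sorted(threats, key=ale, reverse=True)


# --- constructed sample data: a small financial-accounting environment ---
GENERAL_LEDGER = Asset("general ledger database", 2_000_000)
FILE_SERVER = Asset("finance file server", 500_000)
KIOSK = Asset("lobby kiosk", 20_000)

T_LEDGER = Threat(GENERAL_LEDGER, "shared admin credential", "insider", aro=0.5, exposure=0.05)
T_RANSOM = Threat(FILE_SERVER, "no offline backups", "ransomware operator", aro=0.2, exposure=0.6)
T_KIOSK = Threat(KIOSK, "unlocked chassis", "walk-in visitor", aro=1.0, exposure=0.25)

CM_SOD = Countermeasure("per-user accounts + segregation of duties", 15_000, aro_reduction=0.8)
CM_BACKUP = Countermeasure("offline, tested backups", 20_000, exposure_reduction=0.9)
CM_BIOMETRIC = Countermeasure("biometric cabinet locks", 30_000, aro_reduction=0.9)

ASSESSMENT = [(T_LEDGER, CM_SOD), (T_RANSOM, CM_BACKUP), (T_KIOSK, CM_BIOMETRIC)]


def evaluate() -> List[Dict[str, float]]:
    """Inherent risk, residual risk and net benefit for each (threat, countermeasure) pair."""
    return [
        {
            "asset": t.asset.name,
            "inherent_ale": ale(t),
            "residual_ale": ale(t, cm),
            "net_benefit": net_benefit(t, cm),
        }
        for t, cm in ASSESSMENT
    ]


if __name__ == "__main__":
    for t in rank_risks([t for t, _ in ASSESSMENT]):
        print(f"{t.asset.name:28s} ALE {ale(t):>10,.0f}  ({t.vulnerability}, {t.agent})")
    for row in evaluate():
        print(row)
```

Ranking by inherent ALE puts the file server (60,000/yr) ahead of the ledger (50,000/yr) even though the ledger is the more valuable asset, and the kiosk control shows a negative net benefit: a countermeasure that costs more than the risk it removes is not justified on this basis alone, though a regulatory requirement can still make it mandatory.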

Framework for Control and Security: ISO 17799
- ISO/IEC 17799 is a standard focused on the protection of information assets. It is intended to apply across industries, so it is deliberately high-level: it describes what should be controlled, not how a particular technology must be configured.
- It descends from Part 1 of British Standard 7799 (BS 7799-1, the code of practice); BS 7799 Part 2, the certifiable specification, became ISO/IEC 27001. ISO/IEC 17799 itself was renumbered ISO/IEC 27002 in 2007.
- The standard is organized into ten categories (sections): security policy; organizational security; asset classification and control; personnel security; physical and environmental security; communications and operations management; access control; systems development and maintenance; business continuity management; and compliance.
- Each section is divided into subcategories, each of which states a control objective and a broad implementation approach (method) for meeting it.

Internal Control and Information Security Objectives
Internal control objectives:
- Efficiency of operations
- Effectiveness of operations
- Reliability of information
- Compliance with applicable laws and regulations
Information security objectives:
- Information integrity
- Message integrity
- Confidentiality
- User authentication
- Nonrepudiation
- Systems availability

A Comparison of Internal Control and Information Security Objectives
The slide is a matrix. Rows are the objectives of internal controls: effectiveness of operations, efficiency of operations, reliability of information, and compliance with regulations. Columns are the objectives of information security: information integrity, confidentiality, user authentication, non-repudiation, and availability. A cell is marked where meeting the internal control objective depends on the security objective. The transcript preserves only one of the marks, in the information integrity column; the row it belongs to is not recoverable from the text.

Implementing a Framework

Assurance Considerations
- Without a framework, no control or security objective can be achieved with a high degree of assurance, because there is no agreed reference against which to judge whether controls are complete.
- A first step toward assurance is to adopt a holistic framework.
- Elements of more than one framework can be combined into the framework an entity adopts, to provide the necessary granularity (for example, a high-level code of practice supplemented by detailed technical baselines).
- The framework allows a systematic approach to the design, implementation, and audit of control and security systems.
- The business may seek independent assurance, such as an audit or certification, that the chosen framework has been properly implemented.