IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

Welcome!

An IT audit is the process of collecting and evaluating evidence about an organization's information systems, practices, and operations. The evaluation of the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

A control is developed to mitigate a known risk to a level acceptable to Senior Management.

Security is the concept of attaining a secure computing environment (i.e., an ideal state free from risk or danger) by mitigating the vulnerabilities associated with computer use.

Risk Types

- Strategic
- Compliance
- Market
- Operational
- Environmental
- Reputational

Application Risks

- Unauthorized and/or erroneous transactions
- Processing inefficiencies due to incomplete data entry
- Access control violations
- Data entry errors that go undetected
- Breach of system integrity and loss of critical data
- Non-compliance with federal and state laws regarding computer and data communications use
- Destruction of critical information by unauthorized users
- Impairment of the Organization's reputation

Security Domains

- Access Control Systems and Methodology
- Telecommunications and Network Security
- Business Continuity Planning and Disaster Recovery Planning
- Security Management Practices
- Security Architecture and Models
- Law, Investigation, and Ethics
- Application and Systems Development Security
- Cryptography
- Computer Operations Security
- Physical Security

CoBIT Domains

- Plan and Organize
  - PO 8 - Manage Quality
- Acquire and Implement
  - AI 2 - Acquire and Maintain Application Software
  - AI 6 - Manage Changes
  - AI 7 - Install and Accredit Solutions and Changes
- Deliver and Support
  - DS 5 - Ensure Systems Security
- Monitor and Evaluate
  - ME 2 - Monitor and Evaluate Internal Control

Internal Controls 101

Primary Objectives of Internal Controls:

- Accurate Financial Information
- Compliance with Policies and Procedures
- Safeguarding Assets
- Efficient Use of Resources
- Accomplishment of Business Objectives and Goals

Point of View

Security Perspective:

- Security requirements are defined early in the SDLC process.
- Legal, regulatory, contractual, and internal compliance requirements are ensured.
- Industry best practices are followed.
- Testing takes place during development, QA, and pre- and post-production.

Audit Perspective:

- Compliance with legal, regulatory, contractual, and internal compliance requirements.
- Appropriate evidence is documented.
- Business objectives and goals are maintained.
- Each audit point is reached during the SDLC phases.