14. CONTROLLING INFORMATION SYSTEMS

14. CONTROLLING INFORMATION SYSTEMS (slide 14.1)

THREATS TO INFORMATION SYSTEMS (slide 14.2)
- HARDWARE FAILURE
- FIRE
- SOFTWARE FAILURE
- ELECTRICAL PROBLEMS
- PERSONNEL ACTIONS
- USER ERRORS
- ACCESS PENETRATION
- PROGRAM CHANGES
- THEFT OF DATA, SERVICES, EQUIPMENT
- TELECOMMUNICATIONS PROBLEMS

WHY SYSTEMS ARE VULNERABLE (slide 14.3)
- SYSTEM COMPLEXITY
- COMPUTERIZED PROCEDURES NOT ALWAYS READ OR AUDITED
- EXTENSIVE EFFECT OF DISASTER
- UNAUTHORIZED ACCESS POSSIBLE

VULNERABILITIES (slide 14.4)
- RADIATION: Allows Recorders, Bugs to Tap System
- CROSSTALK: Can Garble Data
- HARDWARE: Improper Connections, Failure of Protection Circuits
- SOFTWARE: Failure of Protection Features, Access Control, Bounds Control
- FILES: Subject to Theft, Copying, Unauthorized Access

VULNERABILITIES, continued (slide 14.5)
- USER: Identification, Authentication, Subtle Software Modification
- PROGRAMMER: Disables Protective Features; Reveals Protective Measures
- MAINTENANCE STAFF: Disables Hardware Devices; Uses Stand-alone Utilities
- OPERATOR: Doesn't Notify Supervisor, Reveals Protective Measures

HACKERS & COMPUTER VIRUSES (slide 14.6)
- HACKER: Person Gains Access to Computer for Profit, Criminal Mischief, Personal Pleasure
- COMPUTER VIRUS: Rogue Program; Difficult to Detect; Spreads Rapidly; Destroys Data; Disrupts Processing & Memory

ANTIVIRUS SOFTWARE (slide 14.7)
- SOFTWARE TO DETECT, ELIMINATE VIRUSES
- ADVANCED VERSIONS RUN IN MEMORY TO PROTECT PROCESSING, GUARD AGAINST VIRUSES ON DISKS, AND ON INCOMING NETWORK FILES

EFFECTS OF VIRUSES (slide 14.8)
[Bar chart: per cent affected, based on 600,000 multiple-effects reports. Source: Computerworld (1993). Effects charted: LOSS OF PRODUCTIVITY; INTERFERENCE, LOCKUP; CORRUPTED FILES; LOST DATA; UNRELIABLE APPLICATIONS; SYSTEM CRASH; LOSS OF CONFIDENCE; THREAT OF JOB LOSS. Percentages not recoverable from the transcript.]

CONCERNS FOR BUILDERS & USERS (slide 14.9)
- DISASTER
- BREACH OF SECURITY
- ERRORS

DISASTER (slide 14.10)
- LOSS OF HARDWARE, SOFTWARE, DATA BY FIRE, POWER FAILURE, FLOOD OR OTHER CALAMITY
- FAULT-TOLERANT COMPUTER SYSTEMS: BACKUP SYSTEMS TO PREVENT SYSTEM FAILURE (Particularly On-line Transaction Processing)

SECURITY (slide 14.11)
- POLICIES, PROCEDURES, TECHNICAL MEASURES TO PREVENT UNAUTHORIZED ACCESS, ALTERATION, THEFT, PHYSICAL DAMAGE TO INFORMATION SYSTEMS

WHERE ERRORS OCCUR (slide 14.12)
- DATA PREPARATION
- TRANSMISSION
- CONVERSION
- FORM COMPLETION
- ON-LINE DATA ENTRY
- KEYPUNCHING; SCANNING; OTHER INPUTS

WHERE ERRORS OCCUR, continued (slide 14.13)
- VALIDATION
- PROCESSING / FILE MAINTENANCE
- OUTPUT
- TRANSMISSION
- DISTRIBUTION

SYSTEM QUALITY PROBLEMS (slide 14.14)
- SOFTWARE & DATA
- BUGS: Program Code Defects or Errors
- MAINTENANCE: Modifying a System in Production Use; Can take up to 85% of Analysts' Time
- DATA QUALITY PROBLEMS: Finding, Correcting Errors; Costly; Tedious

COST OF ERRORS DURING SYSTEMS DEVELOPMENT CYCLE (slide 14.15)
[Chart: COSTS plotted against the development stages ANALYSIS & DESIGN, PROGRAMMING, CONVERSION, POSTIMPLEMENTATION. Values not recoverable from the transcript.]

CREATING A CONTROL ENVIRONMENT (slide 14.16)
- CONTROLS: Methods, Policies, Procedures to Protect Assets; Accuracy & Reliability of Records; Adherence to Management Standards
- GENERAL
- APPLICATION

GENERAL CONTROLS (slide 14.17)
- IMPLEMENTATION: Audit System Development to Assure Proper Control, Management
- SOFTWARE: Ensure Security, Reliability of Software
- PROGRAM SECURITY: Prevent Unauthorized Changes to Programs
- HARDWARE: Ensure Physical Security, Performance of Computer Hardware

GENERAL CONTROLS, continued (slide 14.18)
- COMPUTER OPERATIONS: Ensure Procedures Consistently, Correctly Applied to Data Storage, Processing
- DATA SECURITY: Ensure Data Disks, Tapes Protected from Wrongful Access, Change, Destruction
- ADMINISTRATIVE: Ensure Controls Properly Executed, Enforced
- SEGREGATION OF FUNCTIONS: Divide Tasks to Minimize Risks

APPLICATION CONTROLS (slide 14.19)
- INPUT
- PROCESSING
- OUTPUT

INPUT CONTROLS (slide 14.20)
- INPUT AUTHORIZATION: Record, Monitor Source Documents
- DATA CONVERSION: Transcribe Data Properly from one Form to Another
- BATCH CONTROL TOTALS: Count Transactions Prior to and After Processing
- EDIT CHECKS: Verify Input Data, Correct Errors

PROCESSING CONTROLS (slide 14.21)
- ESTABLISH THAT DATA IS COMPLETE, ACCURATE DURING PROCESSING
- RUN CONTROL TOTALS: Generate Control Totals Before & After Processing
- COMPUTER MATCHING: Match Input Data to Master Files

OUTPUT CONTROLS (slide 14.22)
- ESTABLISH THAT RESULTS ARE ACCURATE, COMPLETE, PROPERLY DISTRIBUTED
- BALANCE INPUT, PROCESSING, OUTPUT TOTALS
- REVIEW PROCESSING LOGS
- ENSURE ONLY AUTHORIZED RECIPIENTS GET RESULTS
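As an added example (not part of the slides), here is how the input, processing and output controls of slides 14.20 to 14.22 fit together: batch control totals checked against a batch header, edit checks and computer matching against a master file, run control totals recomputed after processing, and balancing of input totals against accepted-plus-rejected totals. The timesheet records, the master file, the id format and the hour limits are all constructed assumptions.

```python
import re
from typing import NamedTuple

class Totals(NamedTuple):
    records: int     # record count
    hash_total: int  # sum of numeric id parts; meaningless, but catches dropped or altered records
    hours: int       # amount total of the batch

# Constructed master file: employee id -> maximum hours allowed per period.
MASTER = {"E100": 60, "E200": 60, "E300": 40}
ID_PATTERN = re.compile(r"^E\d{3}$")

def totals(txs):
    """Control totals over (employee_id, hours) records; ids that fail the format check add 0."""
    ids = sum(int(e[1:]) for e, _ in txs if ID_PATTERN.match(e))
    return Totals(len(txs), ids, sum(h for _, h in txs))

def edit_check(emp, hours):
    """Input control: edit checks plus computer matching against the master file."""
    errors = []
    if not ID_PATTERN.match(emp):
        errors.append("id format")
    elif emp not in MASTER:
        errors.append("no master record")           # computer matching
    elif hours > MASTER[emp]:
        errors.append("hours above master limit")   # limit (reasonableness) check
    if hours < 0:
        errors.append("negative hours")             # sign check
    return errors

def process_batch(txs, submitted):
    """Apply the controls and return what an operator reviews on the processing log."""
    log = {"input_balanced": totals(txs) == submitted, "accepted": [], "rejected": []}
    for emp, hours in txs:
        errs = edit_check(emp, hours)
        (log["rejected"] if errs else log["accepted"]).append((emp, hours, errs))
    acc = totals([(e, h) for e, h, _ in log["accepted"]])
    rej = totals([(e, h) for e, h, _ in log["rejected"]])
    # Output control: input totals must equal accepted-plus-rejected totals, so
    # nothing was silently dropped or duplicated during processing.
    log["output_balanced"] = Totals(*(a + r for a, r in zip(acc, rej))) == totals(txs)
    return log

# Constructed batch: one id is malformed and one employee exceeds the master limit.
BATCH = [("E100", 40), ("E200", 45), ("E300", 48), ("X999", 10)]
SUBMITTED = Totals(records=4, hash_total=600, hours=143)  # claimed on the batch header

if __name__ == "__main__":
    print(process_batch(BATCH, SUBMITTED))
```

Dropping a record from BATCH before submission makes `input_balanced` false even though every remaining record passes its edit checks, which is the point of counting transactions before and after processing.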

DEVELOPING A CONTROL STRUCTURE (slide 14.23)
- COSTS: Can be Expensive to Build; Complicated to Use
- BENEFITS: Reduces Expensive Errors, Loss of Time, Resources, Good Will
- RISK ASSESSMENT: Determine Frequency of Occurrence of Problem, Cost, Damage if it Were to Occur

MIS AUDIT (slide 14.24)
- IDENTIFIES CONTROLS OF INFORMATION SYSTEMS, ASSESSES THEIR EFFECTIVENESS
- TRACE FLOW OF SAMPLE TRANSACTIONS; NOTE HOW CONTROLS WORK
- LIST, RANK WEAKNESSES
- ESTIMATE PROBABILITIES, IMPACT
- REPORT TO MANAGEMENT

SOFTWARE QUALITY ASSURANCE (slide 14.25)
- USE PROVEN DEVELOPMENT METHODOLOGIES
- RESOURCES ALLOCATION: How are Costs, Time, People Assigned During Development?
- SOFTWARE METRICS: Quantifiable System Measurements for Objective Software Assessment
- TESTING: Walkthrough of Design Documentation, Debugging to Discover, Eliminate Defects, Data Quality Audit to Sample, Measure Accuracy, Completeness of Data

MANAGEMENT CHALLENGES (slide 14.26)
- LARGE MULTI-USER NETWORKS DIFFICULT TO SECURE
- BALANCE DEGREE OF CONTROL, MAIN THREAT IS EXTERNAL
- APPLY QUALITY ASSURANCE STANDARDS