Controlling Computer-Based Information Systems, Part I


1 Controlling Computer-Based Information Systems, Part I
Chapter 15: Controlling Computer-Based Information Systems, Part I

2 Controls, CBIS & SAS 78
- Transaction authorization: may be embedded into the programs
- Segregation of duties:
  - Duties that must be separated in a manual system may be combined in a computerized setting.
  - The computer-based functions of programming, processing, and maintenance must be separated.

3 Segregation of Duties
[Figure: segregation-of-duties diagram for a TRANSACTION. Labels: Control Objective 1, Control Objective 3, Authorization, Processing, Custody, Recording, Task 1, Task 2, Task 3, Task 4.]

4 General Control Framework for CBIS Exposures
10 control components need to be addressed:
- operating system
- data management
- organizational structure
- systems development
- systems maintenance
- computer center security
- internet and Intranet
- EDI
- personal computer
- applications

5 General Control Framework for CBIS Exposures
[Figure: General Control Framework for CBIS Exposures. Labels: Organizational Structure, Internet & Intranet, Data Management, Operating System, Systems Development, Systems Maintenance, Personal Computers, EDI Trading Partners, Applications, Computer Center Security.]

6 Operating System Controls
The operating system performs three main tasks:
- translates high-level languages into the machine-level language
- allocates computer resources to user applications
- manages the tasks of job scheduling and multiprogramming

7 Operating System Security
- Log-On Procedure: first line of defense -- user IDs and passwords
- Access Token: contains key information about the user
- Access Control List: defines access privileges of users
- Discretionary Access Control: allows user to grant access to another user
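An added example (not part of the original presentation) that chains the four mechanisms on this slide: a log-on check issues an access token, the token is tested against a resource's access control list, and only the owner may grant access to another user. All class, user and resource names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
# Hypothetical model for illustration; not an operating system API.
def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash instead of the reusable password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class AccessToken:
    """Issued at log-on; carries key information about the user."""
    user_id: str
    groups: frozenset

@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of privileges

    def check(self, token: AccessToken, privilege: str) -> bool:
        # Default deny: access needs an explicit ACL entry for user or group.
        principals = {token.user_id, *token.groups}
        return any(privilege in self.acl.get(p, set()) for p in principals)

    def grant(self, token: AccessToken, grantee: str, privilege: str) -> None:
        # Discretionary access control: the owner may pass access on.
        if token.user_id != self.owner:
            raise PermissionError(f"{token.user_id} does not own {self.name}")
        self.acl.setdefault(grantee, set()).add(privilege)

class LogOn:
    def __init__(self):
        self._accounts = {}  # user_id -> (salt, derived key, groups)

    def enroll(self, user_id, password, groups=()):
        salt = os.urandom(16)
        self._accounts[user_id] = (salt, _derive(password, salt), frozenset(groups))

    def authenticate(self, user_id, password):
        account = self._accounts.get(user_id)
        if account is None:
            return None
        salt, stored, groups = account
        if hmac.compare_digest(stored, _derive(password, salt)):
            return AccessToken(user_id, groups)
        return None
```

A failed log-on returns no token at all, so every later ACL check has nothing to evaluate and access is denied by default.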

8 Operating System Control Techniques
- Access privilege controls: determine who can access what data in the system
- Password controls:
  - reusable passwords
  - one-time passwords
- Malicious and destructive programs controls: protection against virus, worms, logic bombs, etc.
- System audit trail controls:
  - keystroke monitoring
  - event monitoring

9 Operating System Control Dangers
- Browsing: looking through memory for sensitive information (e.g., in the printer queue)
- Masquerading: pretending to be an authorized user by getting IDs and passwords
- Viruses & Worms: foreign programs that spread through the system; a virus must attach to another program, worms are self-contained

10 Operating System Control Dangers
- Trojan Horse: foreign program that conceals itself with another legitimately imported program
- Logic Bomb: foreign programs triggered by a specific event
- Back Door: alternative entry into system

11 Anti-Virus Software
- can prevent the initial infection by write protecting the file
- can detect the infection of known viruses
- can sometimes remove the infection
- must stay current

12 Data Management Controls
Two crucial control issues:
- Access controls
- Backup controls

13 Subschema Restricting Access

14 Computer Resource Authority Table
[Table: access granted to User 1, User 2 and User 3 on four resources: Employee File, Line Printer, Cash Receipts Program, AR File. Entries: No Access; Read only; Use; Read data, Change, Add, Delete; Read code, Modify, Delete.]

15 Data Management Controls
Backup options:
- grandparent-parent-child backup - the number of generations to backup is a policy issue
- direct access file backup - back-up master-file at pre-determined intervals
- off-site storage - guard against disasters and/or physical destruction
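An added example (not from the original presentation) of grandparent-parent-child backup in a batch system: each run builds a new master file from the previous one plus a transaction file, the number of retained generations is a policy parameter, and a damaged current master is rebuilt from its parent. The class and function names and the account data are constructed for illustration.

```python
from collections import deque

def apply_batch(master, transactions):
    """Build a new master file; the old one is left untouched as backup."""
    new_master = dict(master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, 0) + amount
    return new_master

class GenerationStore:
    """Keeps the last `generations` master files (policy decision)."""

    def __init__(self, initial_master, generations=3):
        if generations < 2:
            raise ValueError("need at least a parent to rebuild the child")
        # Each entry: (master file, transaction file that produced it).
        self._chain = deque([(dict(initial_master), [])], maxlen=generations)

    @property
    def current(self):
        return self._chain[-1][0]  # the child

    def retained(self):
        return len(self._chain)

    def run_batch(self, transactions):
        # The current master becomes the parent; the oldest generation
        # falls off the end once the policy limit is reached.
        child = apply_batch(self.current, transactions)
        self._chain.append((child, list(transactions)))

    def recover_current(self):
        """Rebuild a lost or corrupted child from parent + transactions."""
        if len(self._chain) < 2:
            raise RuntimeError("no parent generation retained")
        parent, _ = self._chain[-2]
        _, transactions = self._chain[-1]
        rebuilt = apply_batch(parent, transactions)
        self._chain[-1] = (rebuilt, transactions)
        return rebuilt
```

Recovery only works if the transaction file is retained together with each generation, which is why both are stored as one entry.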

16 Organizational Structure Controls
The two main CBIS environments have different exposures and IC requirements:
- Centralized DP
- Distributed DP

17 [Figure: two organization charts.]
CENTRALIZED COMPUTER SERVICES FUNCTION: President; VP Marketing, VP Computer Services, VP Operations, VP Finance; Systems Development, Database Administration, Data Processing; New Systems Development, Data Control, Data Preparation, Data Library, Systems Maintenance, Computer Operations.
DISTRIBUTED ORGANIZATIONAL STRUCTURE: President; VP Marketing, VP Finance, VP Administration, VP Operations; Manager Plant X, Manager Plant Y; Treasurer, Controller; six IPUs.

18 Centralized DP Organizational Controls
In centralized IS, need to separate:
- systems development from computer operations
- database administrator and other computer service functions
  - especially database administrator (authorizing) and systems development (processing)
  - DBA authorizes access
- maintenance and new systems development
- data library and operations

19 Distributed DP Organizational Controls
Distributed Data Processing: despite many advantages of this approach, control implications are present:
- incompatible software among the various work centers
- data redundancy may result
- consolidation of incompatible tasks
- difficulty hiring qualified professionals
- lack of standards

20 Systems Development Life Cycle
Business Needs and Strategy; Legacy Situation; Business Requirements
1. Systems Strategy: Assessment; Develop Strategic Plan
   Feedback: User requests for New Systems
   System Interfaces, Architecture and User Requirements
   High Priority Proposals undergo Additional Study and Development
2. Project Initiation: Feasibility Study; Analysis; Conceptual Design; Cost/Benefit Analysis
   Feedback: User requests for System Improvements and Support
   Selected System Proposals go forward for Detailed Design
3. In-house Development: Construct; Deliver
4. Commercial Packages: Configure; Test; Roll-out
   New and Revised Systems Enter into Production
5. Maintenance & Support: User help desk; Configuration Management; Risk Management & Security
NOTE: This is used also as Figure 14-1.

21 Systems Development Controls
- New systems must be authorized.
- User needs and requests should be formally documented.
- Technical design activities should be documented.
- Internal auditors should participate in the development process.
- All program modules must be thoroughly tested before they are implemented.
- Individual modules must be tested by a team of users, internal audit staff, and systems professionals.

22 Computer Center Controls
Considerations:
- location away from human-made and natural hazards
- utility and communications lines underground
- windows closed and air filtration systems in place
- access limited to the operators and other necessary workers; others required to sign in and out
- fire suppression systems should be installed
- backup power supplies

23 Disaster Recovery Planning
- Disaster recovery plan (DRP): all actions to be taken before, during, and after a disaster
- Disaster Recovery Team (DRT) identified
- critical applications must be identified
  - restore these applications first
- Backups & off-site storage procedures:
  - databases and applications
  - documentation
  - supplies

24 Second-Site Disaster Backups
- The Empty Shell - involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
- The Recovery Operations Center - a completely equipped site; very costly and typically shared among many companies
- Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity

