Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose."— Presentation transcript:

1 IS Security Control & Management

2 Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose of control mechanisms n Types of controls: General & Application n Developing and managing control systems

3 Why Worry? n Computer Viruses –Rogue software programs that are difficult to detect that spread rapidly through computer systems, destroying data or disrupting processing and memory systems Example: ILOVEYOU virus n Hackers –People who gains unauthorized access

4 Why Worry? n Information System Outages –Studies show that: companies would sustain critical loss of business operations within 15 days of an information system outage At that point, firms would have less than a 25% chance of ever recovering

5 Need for Information System Audits n Continuous improvement in hardware performance and capabilities n Decreasing hardware costs n Availability of application and database software with more functionality n Advances in communication n Sophistication of users n Demand for greater control of information

6 Management’s Concerns Regarding Information Systems n Loss or misstatement of data n Unauthorized access to data n Loss of confidentiality of data n Fraud n Errors and omissions n Computer downtime/damage n Corruption of data

7 Threats to Systems n Natural disasters n Sabotage and theft n Operational errors n Upgrades & conversions (including fixes!)

8 Primary Concerns by Disaster Type

9 Natural Disasters n Broader impact than other types –business and employees both impacted –typically many systems fail at once –often others in the area have the same problems and are therefore seeking the same resources for recovery n Focus on reasonability of backup and recovery plans

10 Sabotage or Theft n Points of risk –Layoffs and firings –Mergers & reorganizations n In Fortune 500 companies with over 1,000 laptops, 14 lost per year n Often not covered by insurance n Data loss worse than equipment loss

11 Operational Errors n Hardware failures –Risks with outdated hardware –Impact for e-commerce activities –Reliance on network connections n User generated failures (32% of all data losses involving disks and tapes are caused by user errors) n Mistakes made in attempts to recover lost or damaged data

12 Upgrades and Conversions n The solution causes the problem! n Problem with suppliers and buyers n Time lost in conversions often not considered in cost of “upgrades”

13 Severity of Problems: The Firm n In 1997, Nations Bank, the 4th largest bank in the U.S. at the time, reviewed their vulnerability, they estimated that their exposure was: –$50 million in financial losses –for an interruption of more than 24 hours –where existing plans would take 2-5 days to restore operations

14 Severity of Problems: The Individual n A Fortune 500 CFO lost five years’ worth of accounting and stockholder data on a Friday afternoon; he needed it Monday for an annual stockholder’s meeting. n Twice daily backups didn’t help: the backup media had never been tested. When it was proven to be faulty, the CFO thought his career was over. n Data recovery specialists managed to rescue the information in time for the CFO’s Monday morning presentation

15 System Vulnerability n Complex IS cannot be easily replicated manually n Once an IS has been built, can be hard to decipher processes again n Probability of disasters is the same, but impact may be greater with IS failures n Security in a networked system is significantly more complicated

16 Quality Assurance vs. Control n Quality assurance as the prevention of errors n Quality control as the identification of errors after they occur n Data vs. system quality –Is the information stored and secured correctly? –Are things processed correctly?

17 Quality Assurance in IS n Use of appropriate methods & documentation n Test plans & testing n Complete the circle with customer & employee feedback n Communication, communication, communication

18 Cost to Fix Mistakes After Implementation versus Before

19 Testing Approaches n Test plans n Manual approaches –Usability tests (handout) –Testers vs. users as guinea pigs! n Automated testing –Main benefits simulation of large volumes of users can be run on many configurations of hardware –Requires tools & expertise

20 Testing and Quality n Types of testing: Unit, System, Acceptance n Inability to prove correctness n At design phase: test with walkthrough –Is it what they want? n During construction: debugging n Pre-implementation: verify goals met

21 Purpose of Control Mechanisms n Reduce risk of loss of business continuity and legal liability through controls n Methods, policies, and organizational procedures that assure: –Safety of organizational assets –Accuracy & reliability of records –Adherence to organizational standards

22 Types of Controls n General controls –Design, security & use of IS –Accomplished through system software and manual procedures n Application controls –Specific to given applications –Accomplished through application software

23 General Controls n Controls over system development processes n Software system level controls n Hardware controls (secure & accurate) n Computer operations controls n Data security controls n Administrative controls (segregation of functions, adherence to policies, etc.)

24 Application Controls n Based on I-P-O model n Input controls –Control totals, data validations, authorization n Processing controls –Run control totals and “Computer matching” of values (redundancy checks) n Output controls –Reconciliation and Appropriate distribution of information

25 Developing Control Systems n Risk analysis and assessment –Financial valuations of business interruptions –Non-financial valuations legal & regulatory compliance Other benefits n Need for upper management support

26 Risk Analysis Steps -Identifying and valuing assets; -Identifying threats (whether caused by people or natural disasters); -Identifying vulnerabilities (i.e., design, configurations, or procedures that make assets subject to threats); -Estimating risks (calculating probabilities); -Calculating statistically expected losses; and -Identifying potential protective measures.

27 Testing & Audits of Control Systems n Backups & recovery plans must be tested to be relied upon –5 - 25% of firms that do not have plans are not in business within a year of a major disaster n Major consulting firms such as Ernst & Young have thriving business sectors in IS auditing –Verify general & application controls –Similar to accounting audits but for information systems

Download ppt "IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose."

Similar presentations

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Overview of IS Controls, Auditing, and Security Fall 2005.

Overview of IS Controls, Auditing, and Security Fall 2005.
Auditing Concepts.

Auditing Concepts.
Information Technology Control Day IV Afternoon Sessions.

Information Technology Control Day IV Afternoon Sessions.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.
The Islamic University of Gaza

The Islamic University of Gaza
4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.

4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Auditing 81.3550 Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.

Auditing Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 11 - 1 The Impact of Information Technology on the Audit.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley The Impact of Information Technology on the Audit.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © 2015 Pearson Education, Inc. Processing Integrity and Availability Controls Chapter 10 10-1.

Copyright © 2015 Pearson Education, Inc. Processing Integrity and Availability Controls Chapter
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.
Chapter 17: Computer Audits ACCT620 Internal Accounting Otto Chang Professor of Accounting.

Chapter 17: Computer Audits ACCT620 Internal Accounting Otto Chang Professor of Accounting.

Similar presentations

Ads by Google