Week 9 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.


2 Learning Objectives
– Chapter 8 is Controls for System Reliability
  – COBIT's four domains – recall that COBIT is the control framework to ensure systems reliability
  – Preventive, Detective, Corrective Controls
– We are going to do lots of examples and work from several textbook problems
– Hand back and review the Midterm Exam if we have not done so already
– Assignment 3 status, questions?
– Microsoft Access
  – Forms
  – Advanced Queries

3 Chapter 8 – Controls for System Reliability
– Security is a Management Issue, not an IT Issue
  – SOX requires the CEO and CFO to certify that the financial statements fairly present the corporate results
  – The accuracy of an organization's financial statements depends on the reliability of the information systems
  – Information security is the foundation for systems reliability
  – Therefore security is a management responsibility

4 Chapter 8 – COBIT Framework
Information provided to management must satisfy seven key criteria:
– Effectiveness – information must be relevant and timely
– Efficiency – information must be produced cost effectively
– Confidentiality – sensitive information must be protected
– Integrity – information must be accurate, complete, and valid
– Availability – information must be available when needed
– Compliance – controls must ensure compliance with internal policies and with external legal and regulatory requirements
– Reliability – management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities
Tip: Know Three

5 Chapter 8 – Controls for System Reliability
– The COBIT Framework shows that achieving the organization's business and governance objectives requires adequate control over IT resources
– Just to recap and to emphasize the difference:
  – COSO-IC and COSO-ERM address general internal control
  – COBIT addresses information technology internal control

6 Chapter 8 – COBIT (Figure 8-1, pg 220)
COBIT addresses control from three vantage points:
– Business Objectives – to satisfy business objectives, information must conform to the seven key criteria
– Information Criteria – define for IT the information required by the business
– IT Processes – broken into four domains (management processes)

7 Chapter 8 – Holcim Example – Think about this as we go through this material
– Two companies – Holcim US and Holcim Canada
– From an international perspective they report through to the North American Regional Manager at the head office.
– Implement a shared service model for manufacturing services, financial shared services, and commercial services.
– The starting point is the following:
  – Two separate SAP systems with different general ledgers
  – Different manufacturing processes to produce the same material
  – Different sales processes to sell to similar customers
  – Different organizational structures to manage finance and manufacturing
  – Different financial close processes and timing
  – Identical reporting requirements and timelines (reporting standards are already in place)

8 Chapter 8 – Holcim Example – Think about this as we go through this material
– Implement a shared service model for manufacturing services, financial services, and commercial services.
– IT was already a shared service for North America
1. How does this affect the IT strategic plan?
2. What would be the time horizon over which the alignment would occur?
3. Reporting requirements are currently standardized. What would be aligned first: the organizational structure, the business processes, or the systems?
Work in four groups and prepare your answer (4 PowerPoint slides). Make your argument!

9 Chapter 8 – COBIT Framework
COBIT processes, to properly manage and control IT resources, are grouped into four basic management activities or domains:
– Plan and Organize (PO) – properly designing and managing information systems
– Acquire and Implement (AI) – obtaining and installing technology solutions
– Deliver and Support (DS) – effectively and efficiently operating the systems and providing the information management requires
– Monitor and Evaluate (ME) – essential processes for assessing the operation of an IT system

10 Chapter 8 – COBIT – Plan and Organize (PO)
– PO1 – define a strategic IT plan
– PO2 – define the information architecture
– PO3 – determine the technology direction
– PO4 – define the IT processes, organization, and relationships
– PO5 – manage the IT investment
– PO6 – communicate management aims and direction
– PO7 – manage IT human resources
– PO8 – manage quality
– PO9 – assess and manage IT risks
– PO10 – manage projects
Tip: Know Three
Holcim Example

11 Chapter 8 – COBIT – Acquire and Implement (AI)
– AI1 – identify automated solutions
– AI2 – acquire and maintain application software
– AI3 – acquire and maintain technology infrastructure
– AI4 – enable operations and use
– AI5 – procure IT resources
– AI6 – manage changes
– AI7 – install and accredit solutions and changes
Tip: Know Three

12 Chapter 8 – COBIT – Deliver and Support (DS)
– DS1 – define and manage service levels
– DS2 – manage third party services
– DS3 – manage performance and capacity
– DS4 – ensure continuous service
– DS5 – ensure systems security
– DS6 – identify and allocate costs
– DS7 – educate and train users
– DS8 – manage service desk and incidents
– DS9 – manage the configuration
– DS10 – manage problems
– DS11 – manage data
– DS12 – manage the physical environment
– DS13 – manage operations
Tip: Know Three

13 Chapter 8 – COBIT – Monitor and Evaluate (ME)
– ME1 – monitor and evaluate IT performance
– ME2 – monitor and evaluate internal control
– ME3 – ensure compliance with external requirements
– ME4 – provide IT governance
Tip: Know Three

14 Chapter 8 – Steps in an IT Attack
1. Conduct Reconnaissance
2. Attempt Social Engineering
3. Scan & Map Target
4. Research
5. Execute Attack
6. Cover Tracks

15 Chapter 8 – Information Security
To mitigate the risks of an attack, use Preventive, Detective, and Corrective Controls
– Preventive Controls
  – Training
  – User access controls such as authentication and authorization
  – Physical access controls
  – Network access controls
  – Patch management
– Detective Controls
  – Log analysis
  – Intrusion detection software
  – Security testing and audits
  – Management reports
– Corrective Controls
  – Computer incident response team (CIRT)
  – Chief Information Security Officer (CISO)
  – Patch management

16 Chapter 8 – Checkpoint
What is the difference between authentication and authorization?
– Authentication: the process for verifying the identity of a person accessing the system
  – Something they know
  – Something they have
  – A physical characteristic
– Authorization: the process used to restrict the access of authenticated users to specific parts of the system
  – Often implemented using an access control matrix
  – This can get very complicated
  – It can be simplified by using standard position groups for each job in your organization
– Used together – multifactor authentication

17 Chapter 8 – Checkpoint – Problem 8.3
Reliability is often included in service level agreements (SLAs) between the business and the IT group. How much reliability is enough? What is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?
The differences in promised reliability levels over the course of a year, in terms of days when the system may not work, are:
– 95% reliability = 18.25 days
– 99% reliability = 3.65 days
– 99.99% reliability = 0.0365 days, or approximately 52.56 minutes
– 99.9999% reliability = 0.000365 days, or less than one minute

18 Chapter 8 – Problem 8.4
What preventive, detective or corrective controls will best mitigate the following situations?
1. An employee's laptop was stolen at the airport. Sensitive employee data was stored on the hard drive.
Preventive:
– Policies against storing sensitive information on laptops
– Requiring that if any such information must exist on the laptop, it be encrypted
– Training on how to protect laptops while travelling to minimize the risk of theft
Corrective:
– Installation of “phone home” software might help the organization either recover the laptop or remotely erase the information it contains.

19 Chapter 8 – Problem 8.4
2. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
Preventive:
– Strong password requirements such as at least an 8-character length, use of multiple character types, random characters, and requiring that passwords be changed frequently.
Detective:
– Locking out accounts after 3-5 unsuccessful login attempts; since this was a “guessing” attack, it may have taken more than a few attempts to log in.

20 Chapter 8 – Problem 8.4
3. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
Preventive:
– Integrate physical and logical security. In this case, the system should reject any user's attempt to log into the system remotely if that same user is already logged in from a physical workstation.
Detective:
– Have the system notify appropriate security staff about such an incident.
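The controls from parts 2 and 3 above (lock an account after repeated failed logins; reject and report a remote login while the same user holds a workstation session) as one small login-event monitor. This is an added example, not code from the textbook or the slides; the event records, user names and the lockout threshold of 5 are constructed assumptions.

```python
"""Login-event monitor for Problem 8.4 parts 2 and 3 (added example, not from the
textbook): lock an account after repeated failed logins, and reject a remote login
when the same user already holds a session at a physical workstation."""
from collections import defaultdict

MAX_FAILURES = 5  # assumption: lock after 5 failures (the slide says 3-5)

# Constructed sample events as (user, origin, result); origin is "workstation"
# or "remote", result is whether the password check passed. Not real log data.
EVENTS = [
    ("psupervisor", "remote", "fail"),
    ("psupervisor", "remote", "fail"),
    ("psupervisor", "remote", "fail"),
    ("psupervisor", "remote", "fail"),
    ("psupervisor", "remote", "fail"),
    ("psupervisor", "remote", "ok"),     # password finally guessed, but the account is locked
    ("itmanager", "workstation", "ok"),  # legitimate session at headquarters
    ("itmanager", "remote", "ok"),       # same credentials used remotely: reject and alert
    ("jsmith", "workstation", "ok"),
]


def process_events(events, max_failures=MAX_FAILURES):
    """Replay events in order. Returns (alerts, sessions): alerts is a list of
    (user, reason) for security staff; sessions maps user -> active origins."""
    failures = defaultdict(int)
    locked = set()
    sessions = defaultdict(set)
    alerts = []
    for user, origin, result in events:
        if user in locked:
            # Detective control from part 2: nothing gets through a locked account
            alerts.append((user, "attempt on locked account"))
            continue
        if result == "fail":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
                alerts.append((user, "locked after %d failures" % failures[user]))
            continue
        # Password was correct: apply the physical/logical integration rule from part 3
        if origin == "remote" and "workstation" in sessions[user]:
            alerts.append((user, "remote login while workstation session active"))
            continue
        failures[user] = 0
        sessions[user].add(origin)
    return alerts, sessions
```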

21 Chapter 8 – Problem 8.4
4. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
Preventive:
– Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.
Detective and Corrective:
– Anti-spyware software that automatically checks for and cleans all detected spyware on an employee's computer as part of the logon process for accessing the company's information system.

22 Chapter 8 – Problem 8.4
5. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
Preventive:
– Teach programmers secure programming practices, including the need to carefully check all user input.
– Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.
Detective:
– Make sure programs are thoroughly tested before being put into use
– Have internal auditors routinely test in-house developed software.

23 Chapter 8 – Checkpoint
1. Which of the following is a preventive control?
  a. Training
  b. Log analysis
  c. CIRT
  d. Patch management
2. What is log analysis?
System logs record who accesses the system and what specific actions each user performed. It is an audit trail.
– Logs must be analysed
– Changes to logs must also be monitored – changes are not normal and may be made to hide unauthorized activities.
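One way to monitor for changes to a log, as question 2 above asks for: store each entry with a hash that also covers the previous entry, so an edited or deleted line breaks the chain. This is an added example, not code from the textbook or the slides; the sample audit records and the GENESIS value are constructed assumptions.

```python
"""Tamper-evident audit log (added example, not from the textbook). Each entry
stores a SHA-256 hash of its record together with the previous entry's hash, so
altering or removing any line is detectable when the chain is re-verified."""
import hashlib

GENESIS = "0" * 64  # assumption: fixed value the first entry chains from

def chain_hash(prev_hash, record):
    return hashlib.sha256((prev_hash + "|" + record).encode()).hexdigest()

def build_log(records):
    """Return a list of (record, hash) entries, each hash covering its predecessor."""
    entries, prev = [], GENESIS
    for record in records:
        prev = chain_hash(prev, record)
        entries.append((record, prev))
    return entries

def verify_log(entries):
    """Return the index of the first entry whose hash does not check out, or -1."""
    prev = GENESIS
    for i, (record, stored) in enumerate(entries):
        if chain_hash(prev, record) != stored:
            return i
        prev = stored
    return -1

# Constructed sample audit trail (time, who, what); not real system output.
RECORDS = [
    "09:01 psupervisor login workstation-12",
    "09:05 psupervisor view payroll_master",
    "09:07 salesrep1 login remote",
    "09:08 salesrep1 update payroll_master",
    "09:09 salesrep1 logout",
]

def edited_copy(entries, index, new_record):
    """A log copy in which one line was rewritten without recomputing the chain."""
    copy = list(entries)
    copy[index] = (new_record, entries[index][1])
    return copy

def deleted_copy(entries, index):
    """A log copy in which one line was removed to hide the activity it recorded."""
    return entries[:index] + entries[index + 1:]
```

The chain only shows that nobody edited the file without recomputing every later hash, so the newest hash (or periodic checkpoints) must be copied to a store the log writer cannot change; that is what makes a full rewrite detectable.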

24 Chapter 8 – Checkpoint
3. A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n):
  a. Exploit
  b. Patch
  c. Vulnerability
  d. Attack

25 Chapter 8 – Checkpoint
4. What is a transmission control protocol?
Information traverses the internet and internal local area networks in the form of packets. Documents are not sent in their complete state; they are divided into these packets, which are recreated at the end point.
– TCP – transmission control protocol – specifies the procedures for dividing the information into packets and how they are to be reassembled
– IP – internet protocol – defines the structure of the packets and how to route them to their proper destination
Is this a preventive, detective, or corrective control?

26 Chapter 8 – Checkpoint
5. What is deep packet inspection?
– Stateful packet filtering looks at the IP header, which is similar to inspecting the destination and the return address of mail. If the information contained there is not on a list of unacceptable sources, or the true nature of the source is disguised, undesirable information may not be appropriately filtered out.
– Deep packet inspection effectively opens up the packet to determine the content, allowing the firewall to better protect the organization.
Is this a preventive, detective, or corrective control?

27 Chapter 8 – Checkpoint
6. What is endpoint configuration?
– What is an endpoint? Workstations, servers, printers, and other devices
– Many operating systems turn on programs or services that are not really required. These can represent vulnerabilities to your system.
– At the system endpoints, turn off any services or programs that are not really required
– This is called hardening

28 Chapter 8 – TIPS for Final Exam
– Know why IT security is a management concern
– Information for management must satisfy 7 key criteria (know three)
– Know what COBIT is and why it is different from COSO IC and COSO ERM
– Know the three vantage points from which COBIT addresses control
– For COBIT processes, know three examples each of:
  – PO – Plan and Organize
  – AI – Acquire and Implement
  – DS – Deliver and Support
  – ME – Monitor and Evaluate
– Question 8-4 has more parts than we covered today
– Do not learn the steps in an IT attack
– Holcim example will not be on the final exam
