account management
4. Types of Attacks
5. Countermeasures -- Intrusion Detection Systems (IDS)
a. If an organization's computer system has external connections, an IDS is needed to
respond to security breaches
1) The IDS complements the computer system's firewalls. It responds to attacks on
a) The network infrastructure (protected by the network IDS component)
i) Routers
ii) Switches
iii) Bandwidth
b) Servers (protected by the host IDS component)
i) Operating systems
ii) Applications
6. Information Integrity and Reliability
a. The IIA provides guidance on this topic in Practice Advisory 2130.A1-1, Information
Reliability and Integrity:
1) Internal auditors determine whether senior management and the board have a
clear understanding that information reliability and integrity is a management
responsibility. This responsibility includes all critical information of the
organization regardless of how the information is stored. Information reliability
and integrity includes accuracy, completeness, and security (para. 1).
2) The chief audit executive (CAE) determines whether the internal audit activity
possesses, or has access to, competent audit resources to evaluate information
reliability and integrity and associated risk exposures. This includes both
internal and external risk exposures, and exposures relating to the
organization's relationships with outside entities (para. 2).
3) Internal auditors assess the effectiveness of preventive, detective, and
mitigation measures against past attacks, as appropriate, and future attempts
or incidents deemed likely to occur. Internal auditors determine whether the
board has been appropriately informed of threats, incidents, vulnerabilities
exploited, and corrective measures (para. 4).
4) Internal auditors periodically assess the organization's information reliability and
integrity practices and recommend, as appropriate, enhancements to, or
implementation of, new controls and safeguards. Such assessments can either
be conducted as separate stand-alone engagements or integrated into other
audits or engagements conducted as part of the internal audit plan (para. 5).
7. Privacy
a. Management is responsible for ensuring that an organization's privacy framework is in
place. Internal auditors' primary role is to ensure that relevant privacy laws and other
regulations are being properly communicated to the responsible parties.
b. The IIA provides guidance on this topic in Practice Advisory 2130.A1-2, Evaluating an
Organization's Privacy Framework:
1) Risks associated with the privacy of information encompass personal privacy
(physical and psychological); privacy of space (freedom from surveillance); privacy of
communication (freedom from monitoring); and privacy of information (collection, use,
and disclosure of personal information by others) (para. 2).
a) Personal information is information associated with a specific individual.
2) Effective control over the protection of personal information is an essential
component of the governance, risk management, and control processes of an
organization. The board is ultimately accountable for identifying the principal risks to the
3) The auditors should determine that EUC applications contain controls that allow users to
rely on the information produced.
a) The first concern is to discover their existence and their intended functions.
b) The next step is risk assessment
c) The third step is to review the controls included in the applications chosen in the
risk assessment
b. In a personal computer setting, the user is often the programmer and operator. Thus the
protections provided by segregation of duties are eliminated
c. The audit trail is diminished because of the lack of history files, incomplete printed output
d. In general, available security features for stand-alone machines are limited compared with
those in a network
2. Three Basic Architectures for Desktop Computing
Client-server model -- divides the processing of an application between a client machine on
a network and a server
Dummy terminal model -- terminals lack stand-alone processing power but have access to
remote computers in a network
Application server model -- a three-tiered or distributed network application. EX. the users
(front-end), a middle (application) server that performs load balancing, and the database
(back-end) server
11.5 PROGRAM CHANGE CONTROL
1. Program Change Control Process
a. Once a change to a system has been approved, the programmer should save a copy of the
production program in a test area of the computer
b. The programmer makes the necessary changes to this copy of the program (source code)
c. The programmer transforms the changed program into a form that the computer can
execute (executable code) using a compiler
d. Once the executable version of the changed program is ready, the programmer tests it to
see if it performs the new task as expected (using test data, not actual data)
e. The programmer demonstrates the new functionality for the user who made the request.
(The user either accepts it or asks for further changes.)
f. Once the program is in a form acceptable to the user, the programmer moves it to a
holding area. (Programmers (except in emergencies) should never be able to put programs
directly into production)
g. The programmer's supervisor reviews the new program, approves it, and authorizes its
move into production, generally carried out by operations personnel.
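As an added illustration (not code from these study notes or from any named tool), a small Python workflow that enforces steps a. through g.: each state transition is tied to the one role allowed to perform it, the production move requires the supervisor's approval and is carried out by operations (a programmer may do it only when the move is flagged as an emergency), and every step is written to an audit log. The change identifiers and actor names are constructed.

```python
from dataclasses import dataclass, field

# Ordered states a change passes through; each matches one step of the process above
STATES = ["approved", "test_copy", "modified", "compiled", "tested",
          "user_accepted", "holding", "production"]

# The only role allowed to move a change INTO each state (segregation of duties)
ALLOWED_ROLE = {
    "test_copy": "programmer", "modified": "programmer", "compiled": "programmer",
    "tested": "programmer", "user_accepted": "user", "holding": "programmer",
    "production": "operations",
}

@dataclass
class Change:
    change_id: str                 # constructed identifier, e.g. "CHG-0001"
    state: str = "approved"        # the change request has already been approved
    supervisor_approved: bool = False
    audit_log: list = field(default_factory=list)  # (actor, role, from, to, emergency)

def advance(change, actor, role, to_state, emergency=False):
    """Move a change one step forward, or raise PermissionError if the step
    is out of order, the actor's role is not allowed, or approval is missing."""
    if change.state == "production":
        raise PermissionError(f"{change.change_id} is already in production")
    expected = STATES[STATES.index(change.state) + 1]
    if to_state != expected:
        raise PermissionError(f"{change.change_id}: {change.state} -> {to_state} skips a step")
    if to_state == "production" and not change.supervisor_approved:
        raise PermissionError("supervisor approval is required before the production move")
    # Programmers may move code to production only in an emergency; that is logged as such
    if role != ALLOWED_ROLE[to_state] and not (emergency and role == "programmer"
                                               and to_state == "production"):
        raise PermissionError(f"role '{role}' may not perform step '{to_state}'")
    change.audit_log.append((actor, role, change.state, to_state, emergency))
    change.state = to_state
    return change

def supervisor_review(change, supervisor):
    """Supervisor reviews and approves the program; only possible from the holding area."""
    if change.state != "holding":
        raise PermissionError("review and approval happen only from the holding area")
    change.supervisor_approved = True
    change.audit_log.append((supervisor, "supervisor", "holding", "holding", False))
    return change
```

The audit log gives the reviewer the trail the notes describe as missing in a personal-computer setting: who performed each step, in which role, and whether the emergency path was used.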
11.6 APPLICATION DEVELOPMENT
1. Build or Buy
2. Systems Development Life Cycle (SDLC)
a. The feedback gathered during the maintenance of a system provides information for
developing the next generation of systems, hence the name life cycle.
b. The phases and component steps of the traditional SDLC:
Definition (systems analysts) -- the need for the application and the business function(s)
that it will affect
Design (systems analysts) -- data flow diagrams (DFDs) and structured flowcharts are
commonly used
Development (programmers) -- the actual program code and database structures that will be
used in the new system; each new program module of the system is tested with TEST DATA
Implementation -- converting to the new system so that it can be used
Maintenance
3. Prototyping
a. Prototyping is an alternative approach to application development