Information Systems
• Preventive controls
– Deter problems from occurring
• Detective controls
– Discover problems that are not prevented
• Corrective controls
– Identify and correct problems, then recover from them
Control Frameworks
• COBIT
– Framework for IT governance and control
• COSO
– Framework for enterprise internal controls (control-based approach)
• COSO-ERM
– Expands the COSO framework by taking a risk-based approach (enterprise risk management)
COBIT Framework
COSO-ERM
• COSO components (left column of the slide)
– Control activities
– Information and communication
– Monitoring
• COSO-ERM components (right column of the slide)
– Risk assessment
– Risk response
– Control activities
– Information and communication
– Monitoring
Internal Environment
• Management’s philosophy, operating style, and risk appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by the Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
Objective Setting
• Strategic objectives
– High-level goals
• Operations objectives
– Effectiveness and efficiency of operations
• Reporting objectives
– Improve decision making and monitor performance
• Compliance objectives
– Compliance with applicable laws and regulations
Event Identification
Types of risk
• Inherent
– Risk that exists before any plans are made to control it
• Residual
– Risk that remains after controls have been put in place
Risk Response
• Reduce
– Implement effective internal control
• Accept
– Do nothing; accept the likelihood and impact of the risk
• Share
– Buy insurance, outsource, or hedge
• Avoid
– Do not engage in the activity
Control Activities
Nurul Hidayah
1808700757
The Trust Services Framework
Two Fundamental Information Security Concepts
1. Security is a management issue, not just a technology issue
2. The time-based model of information security
– A combination of preventive, detective, and corrective controls protects information assets
– Formula: P > D + R, where P is the time an attacker needs to break through the preventive controls, D is the time needed to detect that an attack is in progress, and R is the time needed to respond to and stop the attack. The controls are effective only while P exceeds D + R.
– Strategy: defense-in-depth (multiple overlapping layers of controls, so that the failure of any single control does not compromise the system)
Understanding Targeted Attacks
1. Conduct Reconnaissance
2. Attempt social engineering
3. Scan and map the target
4. Research (identify vulnerabilities in the mapped systems)
5. Execute the attack
6. Cover tracks
Protecting Information Resources
People
• Security-conscious culture
– Lead by example (top management must model secure behavior)
• Training
Process: 1. User Access Controls
• Authentication controls
– Verify a person’s identity using:
1. Something the person knows (password, PIN)
2. Something the person has (smart card, ID badge)
3. Some physical or behavioral characteristic (biometric identifier)
– Multifactor authentication combines two or more of these categories; multimodal authentication combines two or more credentials of the same category
• Authorization controls
– Access control matrix: each row is a user (or role), each column is a resource, and each cell lists the actions that user may perform on that resource; anything not listed is denied
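An access control matrix as working code, added here as an example (not code from the slides or the textbook). The users, resources and permissions are constructed; a row of the matrix is a user’s capability list, a column is a resource’s access control list, and every lookup that finds no entry is denied.

```python
"""Access control matrix (authorization control), as an added example.

Not from the slides: the users, resources and permissions below are
constructed for illustration. Rows are subjects, columns are objects, and
each cell holds the actions the subject may perform on the object. Any
subject/object pair without an entry is denied (default deny).
"""
from typing import Dict, FrozenSet, List, Sequence, Tuple

Matrix = Dict[str, Dict[str, FrozenSet[str]]]

# Constructed matrix: user -> resource -> allowed actions.
ACCESS_MATRIX: Matrix = {
    "alice": {                       # payroll clerk
        "payroll_master": frozenset({"read", "update"}),
        "payroll_report": frozenset({"read"}),
    },
    "bob": {                         # sales; no payroll entry at all
        "sales_orders": frozenset({"read", "create"}),
    },
    "auditor": {                     # read-only wherever listed
        "payroll_master": frozenset({"read"}),
        "payroll_report": frozenset({"read"}),
        "sales_orders": frozenset({"read"}),
    },
}


def is_authorized(user: str, resource: str, action: str,
                  matrix: Matrix = ACCESS_MATRIX) -> bool:
    """Look up the cell (user, resource); unknown users, resources or actions are denied."""
    return action in matrix.get(user, {}).get(resource, frozenset())


def capability_list(user: str, matrix: Matrix = ACCESS_MATRIX) -> Dict[str, List[str]]:
    """One row of the matrix: everything this user may do, by resource."""
    return {res: sorted(acts) for res, acts in matrix.get(user, {}).items()}


def access_control_list(resource: str, matrix: Matrix = ACCESS_MATRIX) -> Dict[str, List[str]]:
    """One column of the matrix: every user who may touch this resource, with actions."""
    return {user: sorted(row[resource])
            for user, row in matrix.items() if resource in row}


def authorization_log(requests: Sequence[Tuple[str, str, str]],
                      matrix: Matrix = ACCESS_MATRIX) -> List[str]:
    """Evaluate (user, resource, action) requests; the DENY lines are what a
    detective control (log review) would look at afterwards."""
    return [f"{'ALLOW' if is_authorized(u, r, a, matrix) else 'DENY'} {u} {a} {r}"
            for u, r, a in requests]


if __name__ == "__main__":
    sample = [("alice", "payroll_master", "update"),
              ("bob", "payroll_master", "read"),
              ("auditor", "payroll_master", "update"),
              ("mallory", "sales_orders", "read")]
    print("\n".join(authorization_log(sample)))
```

The matrix is the authoritative object; `capability_list` and `access_control_list` are just the two ways of reading it, which is why a change to one cell is automatically visible from both the user’s and the resource’s side.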
Protecting Information Resources
• Process: 2. Penetration Testing
• Process: 3. Change controls and change management
1. Documentation of all change requests
2. Documented approval of all change requests
3. Testing of all changes in a separate system
4. Conversion controls
5. Updating of all documentation
6. Special process for timely review
7. Development and documentation of “backout” plans
8. Careful monitoring and review
Protecting Information Resources
• IT Solutions: 1. Antimalware Controls
1. Malicious software awareness education
2. Installation of antimalware protection tools
3. Centralized management of patches and
updates of antimalware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential
sources of malware
6. Training employees not to install unapproved
software
Protecting Information Resources
• IT Solutions: 2. Network Access Controls
1. Perimeter Defense : Routers, Firewalls, and
Intrusion Prevention Systems. (Fig 8-6)
2. Controlling Access by Filtering Packets
3. Using Defense-in-Depth to Restrict
Network Access
4. Securing Wireless Access
Protecting Information Resources
• IT Solutions: 3. Device and Software Hardening Controls
1. Endpoint Configuration
2. User account management
3. Software Design
• IT Solutions : 4. Encryption
• Physical Security : Access Controls
Detecting Attacks
Log Analysis
Continuous Monitoring
Responding to Attacks
Privacy Concerns
• Spam
• Identity theft
Processing Integrity: Data Entry Controls
• Field check
– Characters in a field are of the proper type
• Sign check
– Data in a field has the appropriate sign (positive/negative)
• Limit check
– Tests a numerical amount against a fixed value
• Range check
– Tests a numerical amount against lower and upper limits
• Size check
– Input data fits into the field
• Completeness check
– Verifies that all required data is entered
• Validity check
– Compares data from the transaction file to that of the master file to verify existence
• Reasonableness test
– Correctness of the logical relationship between two data items
• Check digit verification
– Recalculating the check digit to verify that a data entry error has not been made
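The data entry controls above applied to one sales-order record, added here as an example (not code from the slides or the textbook). The record layout, the customer master file, the field limits and the choice of the Luhn (mod-10) scheme for the check digit are constructed assumptions; each control is one small function and `validate_order` runs them all and returns the list of failures.

```python
"""Data entry controls applied to a sales-order record, as an added example.

Not from the slides: the record layout, the customer master file, the field
limits and the use of the Luhn (mod-10) scheme for the check digit are all
constructed assumptions for illustration.
"""
import re
from typing import Dict, List, Sequence, Set

CUSTOMER_MASTER: Set[str] = {"1001", "1002", "2045"}   # constructed master file keys
REQUIRED_FIELDS = ("customer_id", "account_no", "quantity", "unit_price", "total")
MAX_QUANTITY = 500                # constructed fixed value for the limit check
PRICE_RANGE = (0.01, 10_000.00)   # constructed lower/upper limits for the range check
MEMO_MAX_LEN = 40                 # constructed field width for the size check


def field_check(value: str, pattern: str) -> bool:
    """Characters in the field are of the proper type (type expressed as a regex)."""
    return re.fullmatch(pattern, value) is not None


def sign_check(value: float, positive: bool = True) -> bool:
    return value > 0 if positive else value < 0


def limit_check(value: float, fixed_limit: float) -> bool:
    return value <= fixed_limit


def range_check(value: float, low: float, high: float) -> bool:
    return low <= value <= high


def size_check(value: str, max_len: int) -> bool:
    return len(value) <= max_len


def completeness_check(record: Dict[str, str], required: Sequence[str]) -> List[str]:
    """Names of required fields that are missing or empty."""
    return [f for f in required if not record.get(f)]


def validity_check(key: str, master: Set[str]) -> bool:
    """The key entered on the transaction exists in the master file."""
    return key in master


def reasonableness_test(quantity: float, unit_price: float, total: float) -> bool:
    """Logical relationship between data items: total must equal quantity * unit price."""
    return abs(quantity * unit_price - total) < 0.005


def check_digit_valid(number: str) -> bool:
    """Recalculate the Luhn (mod-10) check digit; catches any single-digit typo
    and most adjacent transpositions (assumed scheme for account numbers)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_order(record: Dict[str, str]) -> List[str]:
    """Run every control over one record; an empty list means it passed."""
    errors: List[str] = []
    missing = completeness_check(record, REQUIRED_FIELDS)
    if missing:
        return ["completeness check: missing " + ", ".join(missing)]

    if not field_check(record["customer_id"], r"\d{4}"):
        errors.append("field check: customer_id must be 4 digits")
    elif not validity_check(record["customer_id"], CUSTOMER_MASTER):
        errors.append("validity check: customer_id not in master file")

    if not check_digit_valid(record["account_no"]):
        errors.append("check digit verification: account_no fails mod-10")

    numeric: Dict[str, float] = {}
    for name, pattern in (("quantity", r"-?\d+"),
                          ("unit_price", r"-?\d+(\.\d{1,2})?"),
                          ("total", r"-?\d+(\.\d{1,2})?")):
        if field_check(record[name], pattern):
            numeric[name] = float(record[name])
        else:
            errors.append(f"field check: {name} is not a valid number")

    if "quantity" in numeric:
        if not sign_check(numeric["quantity"]):
            errors.append("sign check: quantity must be positive")
        elif not limit_check(numeric["quantity"], MAX_QUANTITY):
            errors.append(f"limit check: quantity exceeds {MAX_QUANTITY}")
    if "unit_price" in numeric and not range_check(numeric["unit_price"], *PRICE_RANGE):
        errors.append("range check: unit_price outside allowed range")
    if len(numeric) == 3 and not reasonableness_test(
            numeric["quantity"], numeric["unit_price"], numeric["total"]):
        errors.append("reasonableness test: total does not equal quantity * unit_price")
    if not size_check(record.get("memo", ""), MEMO_MAX_LEN):
        errors.append(f"size check: memo longer than {MEMO_MAX_LEN} characters")
    return errors
```

The field checks run before the numeric checks on purpose: a value that fails the type test is never converted, so the later sign, limit, range and reasonableness tests only ever see numbers and cannot raise on garbage input.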
Additional Data Entry Controls
• Batch processing
– Sequence check
• Test of batch data in proper numerical or alphabetical sequence
– Error logs
– Batch totals
• Summarize numeric values for a batch of input records
– Financial total
– Hash total
– Record count
• Online
– Employee access controls
– Automatic data entry
– Prompting
• The system prompts you for input (online completeness check)
– Closed-loop verification
• Checks the accuracy of input data by using it to retrieve and display other related information (e.g., the customer account # retrieves the customer name)
– Transaction logs
– Error messages
Processing Controls
• Data matching
– Two or more items must be matched before an action takes place
• File labels
– Ensure the correct and most up-to-date file is used
• Recalculation of batch totals
• Cross-footing
– Verifies accuracy by comparing two alternative ways of calculating the same total
• Zero-balance tests
– For control accounts (e.g., payroll clearing)
• Write-protection mechanisms
– Protect against overwriting or erasing data
• Concurrent update controls
– Prevent the error of two or more users updating the same record at the same time
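The batch totals, sequence check and processing controls of the last two slides in working code, added here as an example (not code from the slides or the textbook). The transaction batch, account numbers and the version-stamp design of the concurrent update control are constructed assumptions; the batch totals are captured at data entry, recalculated after processing, and any total that moved names the kind of error that occurred.

```python
"""Batch totals, sequence check, cross-footing, zero-balance test and a
concurrent update control, as an added example.

Not from the slides; the transaction batch, the account numbers and the
version-stamp (optimistic locking) scheme are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Txn:
    seq: int        # transaction sequence number, expected to be ascending
    account: int    # non-financial field that goes into the hash total
    amount: float   # financial field that goes into the financial total


def batch_totals(batch: Sequence[Txn]) -> Dict[str, float]:
    """Record count, financial total and hash total for a batch of input records."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t.amount for t in batch), 2),
        "hash_total": sum(t.account for t in batch),
    }


def recalculate_batch_totals(batch: Sequence[Txn], control: Dict[str, float]) -> List[str]:
    """Processing control: recompute the totals after processing and name every
    control total that no longer matches the one captured at data entry."""
    actual = batch_totals(batch)
    return [name for name, value in control.items() if actual.get(name) != value]


def sequence_check(batch: Sequence[Txn]) -> List[int]:
    """Sequence numbers that are not strictly greater than the one before them
    (out of order or duplicated)."""
    return [b.seq for a, b in zip(batch, batch[1:]) if b.seq <= a.seq]


def cross_foot(rows: Sequence[Sequence[float]],
               row_totals: Sequence[float], col_totals: Sequence[float]) -> bool:
    """Cross-footing: the grand total reached by adding the reported row totals
    must equal the one reached by adding the reported column totals, and both
    must equal the sum of the individual cells."""
    cells = round(sum(sum(r) for r in rows), 2)
    return cells == round(sum(row_totals), 2) == round(sum(col_totals), 2)


def zero_balance(debits: Sequence[float], credits: Sequence[float]) -> bool:
    """Zero-balance test for a clearing (control) account: after posting,
    debits and credits must net to zero."""
    return round(sum(debits) - sum(credits), 2) == 0.0


class MasterFile:
    """Concurrent update control using version stamps: an update must quote the
    version it read; if another user updated the record in between, the
    versions differ and the stale update is rejected instead of silently
    overwriting the other user's change (the lost-update problem)."""

    def __init__(self, initial: Dict[str, float]):
        self._rows: Dict[str, Tuple[int, float]] = {k: (1, v) for k, v in initial.items()}

    def read(self, key: str) -> Tuple[int, float]:
        return self._rows[key]

    def update(self, key: str, expected_version: int, new_value: float) -> bool:
        version, _ = self._rows[key]
        if version != expected_version:
            return False            # stale read: caller must re-read and retry
        self._rows[key] = (version + 1, new_value)
        return True


def lost_update_demo() -> Tuple[bool, bool, float]:
    """Two users read the same balance and both try to post; only the first wins."""
    mf = MasterFile({"4021": 1000.00})
    v1, bal1 = mf.read("4021")                      # user 1 reads version 1
    v2, bal2 = mf.read("4021")                      # user 2 reads the same version
    first = mf.update("4021", v1, bal1 + 100.00)    # succeeds, version becomes 2
    second = mf.update("4021", v2, bal2 - 50.00)    # quotes version 1: rejected
    return first, second, mf.read("4021")[1]
```

Which totals move tells you what went wrong: a dropped record changes all three, while a mistyped account number on an otherwise correct record changes only the hash total, which is exactly why a non-financial field is summed at all.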
Output Controls
• User review of output
• Reconciliation
– Procedures to reconcile to control reports (e.g., the general ledger A/R account reconciled to the Accounts Receivable subsidiary ledger)
• External data reconciliation
• Data transmission controls
– Checksums
• A hash of the file is computed before transmission and compared with the hash computed after transmission; any difference means the file was altered in transit
– Parity checking
• A bit is added to each character transmitted so that the characters can be verified for accuracy
• Message acknowledgment techniques for data transmission (let the sender of an electronic message know that the message was received)
– Echo check
• When data are transmitted, the sending system calculates a summary statistic; the receiving unit performs the same calculation and sends the result back to the source. If the two agree, accuracy is assumed
– Trailer record
• The sending unit stores control totals in a trailer record
• The receiving unit uses that information to verify that the entire message was received
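The transmission controls of the last two slides (parity bit, checksum, echo check, trailer record) as a simulated send/receive, added here as an example (not code from the slides or the textbook). The detail/trailer record format, the constructed message and the use of bit 7 of each 7-bit ASCII byte as the parity bit are assumptions; the example also shows the case the slide does not mention, where two flipped bits in one byte cancel out and only the hash catches the corruption.

```python
"""Data transmission controls (parity bit, checksum, echo check, trailer
record), as an added example.

Not from the slides; the detail/trailer record format, the constructed
message and the 7-bit-ASCII parity framing are assumptions for illustration.
"""
import hashlib
from typing import List, Optional, Sequence, Tuple


def with_parity(payload: bytes) -> bytes:
    """Even parity: bit 7 of each byte is set so that the byte carries an even
    number of 1 bits (payload must be 7-bit ASCII so bit 7 is free)."""
    framed = bytearray()
    for b in payload:
        if b > 0x7F:
            raise ValueError("parity framing here assumes 7-bit ASCII")
        framed.append(b | ((bin(b).count("1") & 1) << 7))
    return bytes(framed)


def parity_errors(framed: bytes) -> List[int]:
    """Indexes of bytes whose 1-bit count is odd. A single flipped bit shows up;
    two flipped bits in the same byte cancel out and are missed."""
    return [i for i, b in enumerate(framed) if bin(b).count("1") & 1]


def strip_parity(framed: bytes) -> bytes:
    return bytes(b & 0x7F for b in framed)


def checksum(data: bytes) -> str:
    """Hash of the file; computed before and after transmission and compared."""
    return hashlib.sha256(data).hexdigest()


def build_message(records: Sequence[Tuple[str, float]]) -> bytes:
    """Detail records followed by a trailer record carrying the control totals
    (record count and financial total)."""
    body = "".join(f"DTL|{acct}|{amt:.2f}\n" for acct, amt in records)
    trailer = f"TRL|{len(records)}|{sum(a for _, a in records):.2f}\n"
    return (body + trailer).encode("ascii")


def verify_trailer(message: bytes) -> bool:
    """Receiver recomputes the control totals from the detail records it got
    and compares them with the trailer; a dropped record changes both."""
    lines = message.decode("ascii", errors="replace").splitlines()
    details = [ln for ln in lines if ln.startswith("DTL|")]
    trailers = [ln for ln in lines if ln.startswith("TRL|")]
    if len(trailers) != 1:
        return False
    try:
        _, count, total = trailers[0].split("|")
        got_total = round(sum(float(ln.split("|")[2]) for ln in details), 2)
        return int(count) == len(details) and float(total) == got_total
    except (ValueError, IndexError):
        return False


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate a transmission error in a single bit."""
    corrupted = bytearray(data)
    corrupted[index] ^= 1 << bit
    return bytes(corrupted)


def receive(framed: bytes) -> Tuple[bool, Optional[str]]:
    """Receiver side: check parity, strip it, verify the trailer, then echo the
    digest it computed itself so the sender can compare (echo check).
    Returns (accepted, echoed_digest)."""
    if parity_errors(framed):
        return False, None
    message = strip_parity(framed)
    if not verify_trailer(message):
        return False, None
    return True, checksum(message)


def transmit(records: Sequence[Tuple[str, float]]) -> Tuple[bool, bool]:
    """Sender side: frame, send, and compare the echoed digest with its own."""
    message = build_message(records)
    digest = checksum(message)
    accepted, echoed = receive(with_parity(message))
    return accepted, echoed == digest
```

The layering matters: the trailer record only proves that the right number of records and the right total arrived, so a corrupted account number on an otherwise intact record passes it; parity catches any odd number of flipped bits per byte; the hash is what finally catches the remaining cases, which is why the echo check compares a digest rather than a count.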
Processing Integrity Controls (Spreadsheets)
• Documentation
– The plan, responsibilities, and procedures to resume operations should be documented
• Testing
– Test to make sure it works as intended
– Revise as needed
– Test at least annually
Virtualization & Cloud Computing
• Virtualization
– Can reduce the time to recover from hardware problems
• Copy the virtual machine’s files to a new physical box
– Supports real-time mirroring
• Cloud Computing
– Uses redundant banks of servers in multiple locations
• Reduces the risk of system downtime and data loss
– Potential problem
• Data retrieval if the public cloud provider goes out of business
• A policy of making regular backups and storing them somewhere other than the cloud is necessary
– Assess the long-run financial viability of the cloud provider before committing to it
Thank you ☺