11/18 Class IT Control Flashcards
IT controls
IT controls prevent problems.
IT GCCs
information technology general computer controls
application controls
controls that the programmers must follow; they document every part of the system and stop bad things from happening
Good general computer controls start
at the top
good lines of authority will stop any fraud or error
segregation of duties
segregation of duties IT
keeping the programmers separate from the live environment and the development sphere so that they can't change live data; the four roles that should be separated in IT are developers, users, security people, and computer operators
Logical/access/authentication control
what you know - username and password
who you are - fingerprint, retinal scanner
what you have - token-based controls, magnetic cards, etc.
RSA Card
randomly generates a username and constantly changes it
authentication
for anything related to ecommerce, you need to see what is working behind the browser: look at how the browser is working and how it is secured. A public key and private key keep people accountable.
the administrators
you must monitor these people
project
if you are doing ecommerce you need to see what the controls are. We don't care so much about what they do but how they do it and whether they have good controls in place.
the appendix must include references and screenshots of you testing the controls
Change management
programs are out there that have version control.
Backup/Recovery/Continuity
making sure that we have our data backed up and can get the data back when we lose it
disaster recovery
how do we recover data? have the data somewhere else that is easily set up to get going
business continuity
making sure that my data pops up somewhere else in the event of a disaster
cold site - all we have is the data offsite
hot site - a site is already running alongside the other one, ready to work when one fails (business continuity)
warm site - data offsite, plus an arrangement with someone who has a lease on standby ready for a disaster
Network
firewall, IDS, etc.
completeness and accuracy
intrusion detection software (IDS)
lets you know that someone is trying to break into the system, works with the firewall
Encryption
encrypting your software so that people can't modify it
external source - internet
internal - onsite
database level - fields and tables of data
VPN virtual private network
an encrypted network where only you and the other side use it; it makes its own key
mainly for private networks
SSL secure socket layer
when there is a closed, secure connection with another site; uses a certificate authority to authenticate the communication
example: your site and American Express
public networks
Vulnerability
when we hire people to see where we are vulnerable
Penetration
when we allow people to get all the way into our system and show us where someone could defraud the company
Physical Security
data center - offsite location to hold data
co-location facility (secure location) - a separate location that holds the data as a fail-safe
lots of locks and verifications
elemental security
air conditioner is running (temperature control), humidity control, above ground against floods, spring to foundation, fire suppression
3 backup generators
network operation center
monitor your network
application control
input - what can go wrong with the input?
programmed edit checks
field check - checking the format of the input (words/numbers)
validity check - testing whether it is a valid input
limit check - tests whether the quantity is reasonable; nothing over this limit
range check - gives it a range; it can't be below or above this
reasonableness check - e.g. a credit check; checking whether someone is ordering too much or an abnormal amount
completeness check - making sure data is present in a field
sign check - positive or negative number
sequence check - the next invoice has to be the one that is entered
self-checking digit - checks whether the credit card is one of the ones we use
control totals and reconciliations
record counts - counts to see whether there were more or fewer records than there are supposed to be
batch total - adds the amounts in a batch to see whether the main total is right
hash total - a total of numbers that has no meaning by itself (e.g. account numbers), used only to check the batch
Other
automated authorization - when the system sends an authorization request to someone to authorize it
auto-forced SOD - only sends that authorization to someone who can't commit fraud
processing controls
run-to-run totals (internal reconciliation) - tests the transaction table vs. the output
checks for duplicate transactions - also checking for gaps
Logs - records who is getting in
Exception Reporting - see if something is abnormal and send it to someone to review
Checklists - the operator follows a process to ensure accuracy
output
testing for completeness and accuracy - test the data and its output; run transactions through
security overview - making sure only the right people can see it