Chapter 8-10 Flashcards
COSO
Used for general business process controls
COBIT
Used for general IT Controls
Operational v Financial controls
Control is the same, the impacted system is different
Operational systems
Systems used to support business objectives: Project Management system, CRM, email, etc.
Financial systems
Systems that produce financial data: AIS
IT v Business process controls
-IT controls are broad, over many cycles
-Business process controls are over specific cycle risks
Management of the AIS: IT v Acct dept.
-IT: records
-Acct: Authorizes
Specific IT control categories
-Information security
-Change Management
-Computer Operations
Controls against inappropriate users gaining access to the AIS
-Unique user IDs
-2FA
-delete terminated employees' (EEs') IDs
-update/review EE access
AIS user access structure
-Tasks: tasks a user is allowed to perform
-Roles: role determines privileges
-User ID
Reviewing AIS access
-Acct dept member should review financial-related tasks
-Reviewer only reviews people in their dept
-reviewers don’t review themselves
Physical access controls
-Key cards for access
-Security guards/cameras
-lock computer when away from keyboard (AFK)
Security awareness training
remind employees of reporting procedures for compromised appliances and train them to identify viruses
Controls against unauthorized disclosure of financial/private data
-Encryption
-shred important documents
-Network security/VPN
-Virus detection software
-penetration tests
Encryption process
- Public key is automatically used to encrypt the document
- Private key held by the company is used to decrypt the encrypted document.