Chapter 8-10 Flashcards
COSO
Used for general business process controls
COBIT
Used for general IT Controls
Operational v Financial controls
Control is the same, the impacted system is different
Operational systems
Systems used to support business objectives: Project Management system, CRM, email, etc.
Financial systems
Systems that produce financial data: AIS
IT v Business process controls
-IT controls are broad, over many cycles
-Business process controls are over specific cycle risks
Management of the AIS: IT v Acct dept.
-IT: records
-Acct: Authorizes
Specific IT control categories
-Information security
-Change Management
-Computer Operations
Controls against inappropriate users gaining access to the AIS
-Unique user IDs
-2FA
-Delete fired EEs' IDs
-Update/review EE access
AIS user access structure
-Tasks: tasks a user is allowed to perform
-Roles: role determines privileges
-User ID
Reviewing AIS access
-Acct dept member should review financial related tasks
-Reviewer only reviews people in their dept
-reviewers don’t review themselves
Physical access controls
-Key cards for access
-Security guards/cameras
-Lock computer when away from keyboard (AFK)
Security awareness training
Remind employees of the reporting procedures for compromised appliances and train them to identify viruses
Controls against unauthorized disclosure of financial/private data
-Encryption
-shred important documents
-Network security/VPN
-Virus detection software
-penetration tests
Encryption process
- Public key is automatically used to encrypt the document
- Private key held by the company is used to decrypt the document
Encryption types
- Digital certificates: built into E-docs to certify owners
- E-signatures
Encryption regulations
-PCI: Credit cards
-HIPAA
-Gramm Leach Bliley Act: bank customers
-EEOC: company employee information
Intrusion detection system
Looks for attempted intrusions into the network
Controls against the risk of changing AIS code
-Don’t work on the live version
-test changes
-restrict who can make changes
IT SOD (segregation of duties)
-Dev writes code
-Operations implements
-security does security stuff
IT methodologies
-Waterfall
-Agile
Waterfall methodology
- request
- coding
- dev test
- UAT (user acceptance) test
- approve/implement
Agile methodology
1. request
2. code part of it
3. test that part
4. repeat 2/3
5. approval/implementation
Controls against AIS data being unavailable
- Save critical data in more than one place
- Backups/data center controls
- Disaster recovery plans and business continuity plans
Data center controls
- natural disaster proof
- AC
- Uninterruptible power supply (UPS)
Incremental v Differential backup
-Differential: Backup everything each day since the last full backup
-Incremental: Backup that day's activity only
Which backup is best if?
-Need to recover info ASAP: Diff
-Want faster backups: Incremental
-Want low IT costs: Incremental
-Paranoid about losing info: Diff
Disaster recovery plan
How company will restore IT functions when the data center fails
Business recovery plan
How a company restores business process functions when company operations are affected by the disaster
Disaster recovery location types
-Cold site: cheap, empty, takes longest to set up
-Hot site: expensive, a duplicate data center, backed up 24/7
-Warm site: in between
ISACA
Information systems audit and control association
Who wrote the COBIT framework?
ISACA
Who’s responsible for implementing changes in the AIS?
Operations