Internal Controls & IT General Controls 3 & CDLC Flashcards
What Physical Controls should be considered with a “Computer Center”?
- Computer Center houses main servers and other sensitive IT
- Physical access to it is a high-risk area, so controlling that access is critical
- Purpose is to make it difficult to gain unauth entrance
- Check for physical controls:
(1) Locked doors
(2) Cameras
(3) Monitor incoming traffic - Electronically, manually, and/or by security guards
What Physical Controls should be considered with a “Server Room”?
- Main objective is to provide physical access controls at the same level as the risk and sensitivity, which is very high for servers
(1) Servers s/b in separate room w/ separate physical controls - 2nd set of controls
(2) Have glass walls around server room so auth personnel in the Computer Center could see an unauth person in server room
Name the 3 basic InfoSec “triangle” primary areas of concern:
CIA
(1) Confidentiality
- Data stored and also in transit
- Objective is to ensure confidentiality of systems, processes, and data created, transported and stored
(2) Integrity (data and processing)
- Focus on accuracy and reliability of data, systems and processes that generate it and info produced from data
(3) Availability
- Data avail when needed for business operations
What is Authorization vs. Authentication?
Authorization:
- Login credentials that restrict user access
- Authorization controls by themselves not adequate for higher risks
- Hacker can obtain or guess login credentials and, if successful, gain access to the network, but it is still unauthorized access
Authentication:
- Objective is to ensure the person using the credentials is who s/he claims to be
- Authentication controls ex: additional credentials, temporary PINs, security questions, and biometrics (ultimate control is the person him/herself, e.g. fingerprint)
What is Encryption and its 3 characteristics?
- Scrambles data using an algorithm to prevent translation if intercepted
- Encryption strength is a combo of these 3 aspects:
(1) Methods: public keys, private keys
(2) Engines: 128, 192, 256-bit (highest)
(3) Types of authentication: encrypting and decrypting methods
What are the 5 Phases in a Control Development Life Cycle (CDLC)?
DIOEM
(1) Design
(2) Implementation
(3) Operational
(4) Effectiveness
(5) Monitoring
Under the Control Development Life Cycle (CDLC), what is involved in the “Design” Phase?
Design Phase is 1 (of 5) phases
(1) Begins w/ formal, structured approach to Control Development by mgmt
- Mgmt must ensure expert input consistently applied to the development
- Ensure controls developed as needed and designed effectively
(2) ID controls needed
- ID key business processes associated w/ material items related to financial reporting or critical business processes
- Determine what controls s/b in place to prevent, detect and correct material misstatements
(3) Assess controls for design effectiveness
- Control’s ability to mitigate risk and/or prevent, detect and correct material misstatements, errors or failures related to Policies
(4) Document controls
- Include control objectives, how control operates, and location of entity’s systems and business processes
Under the Control Development Life Cycle (CDLC), what is involved in the “Effectiveness” Phase?
- Effectiveness is related to the control objective, likely the mitigation of business or financial reporting risk (RMM)
- Effectiveness also associated w/ consistent application of the control
- Ultimate assurance is a ToC; only perform ToCs if planning to rely on the control
- Cannot rely on control if ITGCs have a SD or MW
- ITGC need to be reliable as a whole before external CITP can rely upon an automated control