IT Control Frameworks And Basic Controls Flashcards
Purpose of IT control frameworks
Provide overall guidance to user organizations as a frame of reference for security, governance, and implementation of security-related controls.
Eleven major types of IT control frameworks
1) The Institute of Internal Auditors’ Electronic Systems Assurance and Control
2) The IT Governance Institute’s Control Objectives for Information and Related Technology
3) The Information Systems Audit and Control Foundation’s Control Objectives for Net Centric Technology
4) The SysTrust Principles and Criteria for Systems Reliability from the American Institute of Certified Public Accountants/Canadian Institute of Certified Accountants
5) The International Federation of Accountants’ Managing Security of Information
6) The Information Security Forum’s standard
7) U.S. Department of Homeland Security
8) The European Union’s security directives
9) The Organisation for Economic Co-operation and Development’s Guidelines for the Security of Information Systems
10) International Common Criteria
11) The International Organization for Standardization standards
The Institute of Internal Auditors’ Electronic Systems Assurance and Control.
- Framework for evaluating the e-business control environment.
- Within the context of an organization’s mission, values, objectives, and strategies, the different eSAC modules will assist in gaining an objective perspective on the organization’s IT culture. This knowledge will then aid in providing assurance to customers, regulators, management, and boards that IT risks are understood and managed.
- It examines and assesses risks that accompany each organizational component, including customers, competitors, regulators, the community at large, and owners and investors.
The Institute of Internal Auditors’ Electronic Systems Assurance and Control - Name the technology challenge components.
1) Open systems
2) Technology complexity
3) Information security
4) Privacy concerns
5) Development and distribution of processes
Institute of IA Elec. Sys Ass & Ctrl - Open Systems
- Internet-based distributed systems have very different characteristics from internally focused, closed, private computer systems.
- Open systems are exposed to more and different risks.
Institute of IA Elec. Sys Ass & Ctrl - Technology Complexity
- Dispersion of technology into every department, division, or business unit provides new challenges to control and assurance.
- Organisational system boundaries blur between allies, suppliers, partners, and end users.
Institute of IA Elec. Sys Ass & Ctrl - Information Security
- Access to a computer system is not an issue; rather the issue is how much access is enough.
- When access exists, there is the potential for inappropriate access, introduction of errors, possible disclosure, corruption, and destruction of information.
- Since security is a moving target, there must be a continual risk assessment and management process to examine changing vulnerabilities and consequences and to prioritize risks and probabilities.
Institute of IA Elec. Sys Ass & Ctrl - Privacy Concerns
- Countries treat privacy matters differently based on their cultures, treaties, and practices.
- Globalization of business due to the Internet has meant many new laws and regulations to address concerns over specific rights to control personal information.
- Privacy provisions range from confidentiality of communications to specific access rights.
Institute of IA Elec. Sys Ass & Ctrl - Development and distribution of processes
- Formerly, systems were developed to facilitate existing business operations, but today they are frequently seen as a new line of business.
- E-business and the need to get to market faster often mean expansion of the IT infrastructure outside the organization.
- Hardware and software, telecommunications, and web hosting are often outsourced to ISPs.