Lecture 24 - IT Governance and Controls, IT Security Flashcards
What questions must governance in general answer?
o How do we organize ourselves? (In order to ensure ownership, objectivity, efficient decision making and action at the appropriate “level”)
o How do we decide? (In order to ensure a common set of guiding principles and the Strategy is reflected in all key decisions)
o How do we operate? (In order to ensure participation, accountability, co-ordination, integration of initiatives, funding, resource allocation, sustainment, evolution, etc.)
Governance is about the… “Rules of the Game”
What are three key responsibilities of IT Governance?
- PLAN: IT’s alignment and use within all activities of the enterprise
- CONTROL: Management of technology related business risks
- MEASURE: Verification of the value delivered by the use of IT across the enterprise
What is IT Governance?
IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
What is COBIT?
And its domains:
COBIT (Control Objectives for Information and Related Technology)
• Measures, Indicators, Processes, Practices:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
What is SOX?
SOX (Sarbanes-Oxley Act in the USA)
Prevent and detect fraud
Relies on independent auditors
Relies on correct (IT-based) controls
Example of a Control: 3-Way Match
Check before further transactions are allowed: supplier-invoice, purchase order, packing slip
Example of an Audit: 3-Way Match
A check after transactions have concluded
Sales revenue, cash receipts, invoice
Information Security must protect:
o Data (wherever data is physically stored for later retrieval)
o Computer (physical access to computers / processors)
o Network (connection / authority on network)
Information Security must ensure:
o Confidentiality (no inappropriate disclosure)
o Authenticity (data indeed comes from claimed source)
o Integrity (no unauthorized modification)
o Availability (may degrade confidentiality, authenticity and integrity)
Who/What are the Threats?
Automated threats (having no real-time human director)
o Malware: Viruses, Bots, Spyware, Misleading E-mail, Denial-of-Service Attacks
Human-Directed threats: (having a real-time human director)
o Hackers, Crackers, social engineers
What are the threats' motivations? (2)
Financial Gain
Political Gain
Stages of Digital Forensics (4)
Collection
o Physical access is obtained
o Image copy is made
Authentication & Preservation
o Read contents
o Document chain of custody
Recovery
o Files
o Fragments of files
Analysis & Interpretation
o Build evidence
o Put information in context
o History of disk activity
o Live analysis
ANTI-Forensics
Anti-Forensics Industry: A new branch of digital forensics
Makes it difficult/impossible to track user activity or to access data
- Configuration Settings
- Third Party Tools
- Forensic Defeating Software