Flashcards in Internal Controls & IT General Controls 2(c) and 2(d) Deck (13):
Name 4 "Access Control" Levels/Layers:
(1) Data Level
(2) Application Level
(3) O/S Level
(4) Network Level
What are "Access Controls" at the "Data Level"?
- The most effective layer for logical access control is the Data layer
- The closer the access control is to the data, the more effective the access control
- Users can access data through:
(2) O/S admin rights
What are "Access Controls" at the "Application Level"?
- Controls at the Application Level are some of the most important controls in the IT environment
- Level where most automated controls operate
- Evaluate and Test the following:
(1) Application Controls
(2) Logical SoD
(3) Spreadsheet Controls (test access and accuracy)
What are "Access Controls" at the "O/S Level"?
- The O/S provides access to the files it houses
- Because access is to raw data, databases, data files, and application files, O/S access has a particularly high inherent risk
(1) Limited Access
(2) Admin Rights
What are "Access Controls" at the "Network Level"?
- Similar to O/S, access rights and admin rights to network are critical aspects to control
- Assessed at a high IR
- Concern for external unauthorized access risk
(1) Firewall controls (availability, confidentiality and integrity)
(2) Network Access Controls
Name examples of Firewall Controls at the "Network Level":
(1) Patch vulnerabilities with due diligence
(2) Encrypt data at rest or in transit if sensitive or if high risk of interception in communications
(3) Put a second firewall between network and back-end systems to filter access to critical systems like financial reporting systems
What are the 3 minimum Policy requirements for "Data Backup"?
(1) Regular backups of data
(2) Offsite storage of data
(3) Testing of recovery
What are some considerations to "Data Backup"?
(1) Backup manual or automatic (automatic is more reliable)
- At specific time
- With specific criteria
- Test or observe
- Operation (walk-through)
(2) Backup can be physical like tape or disk or remote server
(3) Backup procedures should minimize recovery risk by using multiple backups
- Traditional grandfather-father-son method illustrates risk minimizing process
(4) Store backup at a reasonable distance from entity
(5) Test recovery of data at least once a yr
What are some items included in a thorough BCP (Business Continuation Plan) or DRP (Disaster Recovery Plan)?
● Written plan
● Predefined ranked list of apps in order of optimal restoration
● Recovery team, w/ roles and responsibilities ID'd
● Backup facility, including building, power, desks
● Backup of:
- Computers and workstations
- Supplies (checks, invoices, paper)
- Technical and operational manuals
● Backup copy of all apps
● Reliable, relatively current backup of data
● Formal, structured test of the full plan
● Regular test of the plan (at least once a yr)
What is an "Incident Response Plan" and what is involved?
- Example of "Contingency Planning"
- Purpose is to minimize damages that could happen as a result of an incident
(1) Plans to respond to negative event thoroughly developed and tested in advance
(2) Written and part of entity's policies
(3) Include team responsible for carrying out actual response (like DRP)
(4) Describe investigation process of the incident (who or what dept in charge of incident response investigation, to whom team report)
What is involved in Testing a "Contingency Plan"?
(1) Test plans before they are needed, and test them thoroughly
(2) Test should include all relevant aspects of the plan
(3) Perform w/ realism in mind
(4) Test often enough to be highly reliable
- At least once a yr
What factors should be considered at the "Operating System" Level?
- Applications and data are housed in the O/S
- O/S controls who can obtain access to applications
- Data can be accessed directly through the O/S "back door"
- Admins w/ unrestricted access to the O/S have "keys to the kingdom" because they can access any data anywhere
- O/S admin access and unauthorized access to the O/S present a high IR of access to data