What is data integrity?
- Is the assurance that data is consistent and accurate.
- Spreadsheets with manual inputs carry a higher risk of errors than those produced from automated processes.
What are the roles and characteristics of IT Controls?
Categories of IT Controls
* General Controls
* Application Controls
Nature of IT Controls
* Manaual Controls
* Automated Controls (Accurate, timely, efficiency, secure)
* IT dependent Manual Controls
Effectiveness of IT Controls
Functions of IT Controls
* Preventive Controls
* Detective Controls
* Corrective Controls
When should controls be implemented into the IT System?
Control procedures should be designed and put into place as the controls themselves are being developed.
* General IT controls are designed to ensure that an organizationʹs control environment is stable and well-managed.
* Application controls are built into typical business processes that use computer applications.
* Prevent, detect, and correct transaction error and fraud and are application‑specific, providing reasonable assurance as to system accuracy, completeness, and validity.
What are the functions of IT Controls?
IT control functions can be preventative, detective, or corrective. Preventative controls are designed to stop problems from ever occurring whereas corrective controls address problems once they have occurred and have been identified. A detective control is the mechanism that reveals issues that are not averted by preventative controls.
Preventative Controls
- Hiring qualified and confident personell.
- Security awareness training.
- Segregation of duties is preventative in nature because it is designed to stop problems from ever occurring.
- Physical access controls such as locks and guards.
- Technical Controls:
-Firewalls are preventative because they stop external threats from infecting IT resources or commandeering control of user accounts. - Security configuration Management.
- Automated Patch Management and updating anti-virus software.
- Access control software
Detective Controls
- Bank or Account Reconciliation.
- Physical security such as surveillance cameras.
- Intrusion detective systems.
- anti-virus protection to identify viruses that made it onto the system or nework.
- Change Controls.
- System Monitoring and Log Management.
- Incident alert reporting is detective because it generates reports or alerts if there is a failed transaction or if other predefined criteria are met. This may show up in an audit log report.
- Echo checks
- Hash totals attempts to detect if numbers that are not normally added (such as account numbers) have been processed incorrectly. A batch total is used for numbers, such as dollars, that are normally added.
Corrective Controls
- Applying operating system upgrades and patches are corrective because they repair issues that have caused damage.
- Maintaining data system back-ups.
- Fixing data entry or transaction error.
- Contingency planning
What are the 3 systems access and segregation of duties?
- Logical Access Controls
- Physical Controls
- Segregation of Duties
What are Logical Access Controls?
1 of 3 Systems Access and Segregation of Duties (10 logical controls)
Logical Access Controls: use software and data to monitor and control access to information and computing systems.
- User Access Controls
- Authentication Controls
- Managing passwords
- Access Control List
- Personnel Changes
- Network Security
- Vulnerability controls
- Data Encryption
- Digital Certificates
- Digital Signatures vs. E-Signatures
What are authentication controls?
2 of 10 Logical Access Controls
- Passwords: Combination of characters known only to the user.
- Personal identification numbers (PIN): numeric or alpha act as an identifier.
- Biometric Devices: mitigate the risk of unauthorized access. Capture human biological data in order to ensure that only authorized individuals can access specific data and systems. Biological data includes retinal scans, facial recognition, fingerprint scans, etc.
- Smartcards or physical tokens: embedded chipped user cards or bar code that can be scanned for authentication.
- CAPTCHA: Completely Automated Public Turning test to tell Computers and humans apart.
- Push notification: Verification on a separate device owned by the user
- Multi-factor authentication: A technique that requires more than one form authentication.
What is access control lists?
4 of 10 Logical Access Controls
- Read Only: access allows users to read information, but they cannot add or edit content.
- Create (or Write): access allows users to add or edit content. Once the data has been sent to the corporate office for approval, it should not be changed by the division, therefore access should be changed to read only access for division staff accountant access after sent for approval.
- Update Access: Users can only update existing information.
- Delete: Users can remove information.
What is data encryption?
7 of 10 Logical Controls
- It involves using a password or a digital key to scramble a readable (plaintext) message into an unreadable (ciphertext) message.
- The intended recipient of the message then uses another digital key to decrypt or decipher the ciphertext message back into plaintext.
The two types of encryptions are:
- Symmetric Encryption: sender and recipient uses the same shared key.
- Asymmetric Encryption
- Two keys are used; one is public and the other is private.
- Asymmetric encryption is considered to be more secure.
What are digital certificates?
9 of 10 Logical Access Controls
Digital certificates is, another form of data security. They are electronic documents created and digitally signed by a trusted party that certify the identity of the owners of a particular public key.
What are digital signatures?
10 of 10 Logical Access Controls
- Hashing and asymmetric encryption provide a greater level of assurance than data masking and symmetric encryption used is digital signatures.
- Asymmetric encryption is more appropriate for securing data transfer, but hashing provides a comparable level of assurance for the enforceability of digitally signed transactions.
What are Physical Controls?
2 of 3 Systems Access and Segregtation of Duties (6 Physical controls)
- Any controls to protect the physical outside infrastructure and/or building.
- Protection for things before you even get to the system.
- An uninterrupted power supply is considered a physical control.
- Physical controls monitor and control the environment of the workplace and computing facilities.
- They also monitor and control access to and from such facilities.
Why are segregation of duties important in a computerized environment IT?
- It is important because controls can be overridden if duties are not appropriately segregated.
- It is important for application systems because the controls in the application systems may not provide a sufficient control environment.
- The skills of system programmers and application programmers are different, and it is highly unusual, but not impossible, for the same person to perform both functions, especially in small organizations.
POSITIONS TO SEPERATE
- System Analysts: design information systems.
- Computer Programmers or Operators: uses that design to write computer programs.
- Security Administrators: restrict access to the appropriate persons.
What are the 4 components in Business Resillency?
- Business Continuity
- Systems availability controls
- Crisis Management
- Disaster Recovery Plans
What is a business continuity plan?
1 of 4 Business Resiliency plan
The appropriate order for developing a business continuity plan for disaster recovery is as follows:
1. Assess the key risks ex. business impact analysis.
2. identify mission-critical applications and data ex.critical personell, emergency contact list.
3. develop a plan for handling these applications,
4. determine responsibilities for parties involved in disaster recovery,
5. and test the recovery plan.
What is system availability controls?
2 of 4 Business Resiliency
Availability Controls ensure data will be available in the middle of disaster or uncertainty.
- Physical controls: ensure data will be available in the middle of disaster or uncertainty.
- IT infrastructure controls
- Uninterrupted power supply
- Redundancy
- Backup files: in the cloud or on premise, would serve as a means by which financial records could be restored. In a cloud-based solution, an organization uses virtual computing power to store backup copies of data as opposed to a physical machine stored on a company’s property.
3 types of Back-Ups:
1. An incremental backup involves copying only the data items that have changed since the last backup each containing the results of one day’s transactions.
2. A differential backup copies all changes made since the last full back up each new back-up contains cumulative changes since the last full backup.
3. A full backup is an exact copy of the entire database
What is included in planning for risk management?
3 of 4 Business Resiliency
- The first step in risk assessment is to identify the risks.
- The value of the information.
- How those individuals could obtain the information.
- Planning for risk management includes risk assessment.
- Risk control includes everything that could go wrong throughout the project plan.
- here is a trade-off between risk and reward.
What is reporting risk?
Strategic risk
Includes the risk of choosing inappropriate
technology
Financial risk
Includes the risk of having financial resources lost,
wasted, or stolen.
Information risk
includes the risk of loss of data integrity and that of incomplete transactions.
What are Disaster Recovery plans?
4 of 4 Business Resiliency
- A hot site is a backup facility for a computer center that contains most of the equipment contained in the original computer center.
- A hot site will have hardware that can be configured to be used
for the processing needs of the client. - The client will normally provide its own application software but backup copies of the software and data may be maintained at or near the hot site to expedite the recovery process.
- The warm backup site is the compromise between the hot
backup site and the cold backup site. - This is not a term that is typically used in the area of backup
facilities. - A cold site usually requires one to three days to be made
operational. - Has electrical and telecommunication capabilities but no hardware.
- A client would need to first acquire and install hardware before processing capability would be restored.
What is the objective of data security controls?
- To ensure that storage media are subject to authorization prior to access, change, or destruction.
- The objective is to protect information.
What is a firewall?
User ID’s and uthentication that prevents unauthorized users from gaining access to network resources.
- Network servers are protected by the firewall.
- Uses a default-deny policy
