Learning Objectives
- Describe the framework for IS control: the COBIT framework
- Explain the factors that influence information systems (IS) reliability
- Apply control functions (preventive, detective, and corrective controls) to provide reasonable assurance for an AIS
Vũ Quốc Thông, 10/18/2014
HO CHI MINH CITY OPEN UNIVERSITY
ACCOUNTING – AUDITING FACULTY
ACCOUNTING INFORMATION SYSTEM
INFORMATION SYSTEM CONTROL FOR SYSTEM RELIABILITY
Lecturer: Vũ Quốc Thông

Risks in a CIS environment
Group work: identify the (potential) risks in a computerized information system (CIS) environment.
- Risk 1 ...
- Risk 2 ...
- Risk 3 ...

Risks in a CIS environment (cont.)
Information system model ...

Risks in a CIS environment (cont.)
Which risks can occur in each phase of the information system?

Phase: Data collection
- Data can be altered before it is entered into the system.
- Inaccurate or incomplete data undermines the quality of the resulting information (GIGO: garbage in, garbage out).

Phase: Data processing and storage
- Program fraud: modifying programs so that they permit unauthorized access to, or manipulation of, data; destruction of programs and the system by viruses.
- Operational fraud: using computing resources for improper purposes, e.g. using a computer that holds company data for personal purposes.
- Altering, deleting, destroying or stealing the data files stored in the system.

Phase: Information generation
- Stealing information, delivering information to the wrong recipient, or using information for an improper purpose.
- Searching for deleted information in the Trash / Recycle Bin of the computers used to produce output.

The framework for IS control: COBIT framework
- COSO: Committee of Sponsoring Organizations
- COBIT: Control Objectives for Information and Related Technology
Refer to the document COBIT_4.1.pdf.

The COBIT framework focuses on three main points:
- Business requirements
- IT resources
- IT processes

COBIT framework: IT processes
Refer to the document COBIT_4.1.pdf, pages 12 and 13. The processes are grouped into four domains:

Plan and Organise
- Establish a strategic vision for the application of IT.
- Develop tactics; plan, communicate and manage implementation in line with that strategic vision.

Acquire and Implement
- Identify feasible solutions.
- Develop and/or acquire IT solutions.
- Integrate IT solutions into business processes, customizing them where needed.
- Manage the IT processes already in place / already implemented.

Deliver and Support
- Deliver the required IT services.
- Ensure services are secure and continuous.
- Provide support services.

Monitor and Evaluate
- Monitor and evaluate the execution of the system's processes.

Factors that influence information systems reliability

Steps in an IS System Attack

Management's Role in IS Security
- Create a security-aware culture
- Assess risk and select a risk response
- Develop and communicate security plans, policies, and procedures
- Acquire and deploy IT security resources
- Monitor and evaluate effectiveness

Apply control functions
Mitigate the risk of an IS attack with three kinds of control:
- Preventive control
- Detective control
- Corrective control

Preventive Control
- Training
- User access controls (authentication and authorization)
- Physical access controls (locks, guards, etc.)
- Network access controls (firewalls, intrusion prevention systems, etc.)
- Device and software hardening controls (configuration options)

Authentication vs Authorization
Authentication verifies who a person is, using:
- Something the person knows (e.g. a password)
- Something the person has (e.g. a token or smart card)
- Some biometric characteristic
- A combination of all three
Authorization determines what an authenticated person is allowed to access.

Network Access Control
- Border router (defines the gateway): connects the organization's information system to the Internet.
- Firewall: software or hardware used to filter the traffic entering or leaving the network.
- Intrusion Prevention System (IPS): monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.

Device and Software Hardening (Internal Defense)
- End-point configuration: disable unnecessary features that may be vulnerable to attack on servers, printers, workstations, and USB ports.
- User account management.
- Software design: programmers must be trained to treat all input from external users as untrustworthy and to check it carefully before acting on it.

Detective Controls
- Log analysis: the process of examining logs to identify evidence of possible attacks.
- Intrusion detection: sensors and a central monitoring unit that log the network traffic permitted through the firewall and then analyze those logs for signs of attempted or successful intrusions.
- Managerial reports.
- Security testing.

Corrective Controls
- Computer Incident Response Team (CIRT).
- Chief Information Security Officer (CISO): independent responsibility for information security, assigned to someone at an appropriate senior level.
- Patch management: fix known vulnerabilities by installing the latest updates to security programs, operating systems, and application programs.

Computer Incident Response Team
1. Recognize that a problem exists
2. Contain the problem
3. Recover (backup / restore mechanism)
4. Follow up

New Considerations
- Virtualization: multiple systems are run on one computer.
- Cloud computing: remotely accessed resources.
Risks:
- Increased exposure if a breach occurs
- Reduced authentication standards
Opportunities:
- Software applications
- Data storage
- Hardware
Implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein.

More on reading and practice
Reading in the textbook:
- Chapter (p. 206 – 207)
- Chapter (p. 245 – 260)
Homework on paper:
- Discussion questions 8.4 and 8.6 (p. 264)
- Problem 8.4 (p. 265, 266)
- Chapter quiz (focus on the parts relevant to the lecture): quiz of the chapter (p. 262, 263)
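The preventive controls (authentication, authorization, and treating all external input as untrusted) and the detective control of log analysis described in the slides above, as an added Python example that is not part of the lecture or its textbook. It models a small AIS journal-posting service: every login, posting attempt and denied action is written to an audit log, and a separate analysis pass reads that log back to flag repeated login failures and unauthorized attempts. The user names, roles ("clerk", "controller"), passwords, the log line format and the failed-login threshold of 3 are all constructed for the example.

```python
"""Added example (not from the lecture or its textbook): a minimal AIS
journal-posting service that applies the chapter's control layers.
Preventive: authentication, role-based authorization, input validation.
Detective: log analysis over the audit trail the preventive layer writes.
Users, roles, passwords, log format and threshold are constructed."""
import hashlib
import hmac
import os
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a stolen user table does not reveal plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str  # "clerk" or "controller" (constructed roles)
    salt: bytes
    pw_hash: bytes

def make_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, hash_password(password, salt))

# Authorization table: role -> permitted actions. Separation of duties:
# clerks post entries; only controllers may also approve them.
PERMISSIONS = {"clerk": {"post_entry"}, "controller": {"post_entry", "approve_entry"}}

@dataclass
class AIS:
    users: dict
    audit_log: list = field(default_factory=list)

    def _log(self, user: str, action: str, result: str) -> None:
        # user and action never contain spaces; result may, so it comes last.
        self.audit_log.append(f"user={user} action={action} result={result}")

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication: something the user knows, compared in constant time."""
        user = self.users.get(name)
        # Unknown names still cost one hash so timing does not reveal valid names.
        salt = user.salt if user else bytes(16)
        expected = user.pw_hash if user else bytes(32)
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        self._log(name, "login", "ok" if ok else "fail")
        return ok

    def authorize(self, name: str, action: str) -> bool:
        """Authorization: may this (already authenticated) user perform the action?"""
        user = self.users.get(name)
        ok = user is not None and action in PERMISSIONS.get(user.role, set())
        if not ok:
            self._log(name, action, "denied")
        return ok

    @staticmethod
    def validate_entry(raw: dict) -> dict:
        """Input validation (the GIGO guard): accept only the expected shape."""
        account = str(raw.get("account", ""))
        if not (account.isdigit() and len(account) == 4):
            raise ValueError("account must be a 4-digit code")
        try:
            amount = Decimal(str(raw.get("amount", "")))
            if not amount.is_finite() or amount <= 0:
                raise ValueError("amount must be a positive number")
            if amount != amount.quantize(Decimal("0.01")):
                raise ValueError("amount must have at most 2 decimals")
        except InvalidOperation:
            raise ValueError("amount is not a valid monetary value")
        return {"account": account, "amount": amount}

    def post_entry(self, name: str, raw: dict) -> bool:
        if not self.authorize(name, "post_entry"):
            return False
        try:
            entry = self.validate_entry(raw)
        except ValueError as exc:
            self._log(name, "post_entry", f"rejected:{exc}")
            return False
        self._log(name, "post_entry", f"ok:{entry['account']}:{entry['amount']}")
        return True

def analyze_log(lines, fail_threshold: int = 3) -> dict:
    """Detective control: flag repeated login failures and any authorization denial."""
    failures = Counter()
    denials = defaultdict(list)
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split(" ", 2))
        if fields["action"] == "login" and fields["result"] == "fail":
            failures[fields["user"]] += 1
        elif fields["result"] == "denied":
            denials[fields["user"]].append(fields["action"])
    return {
        "brute_force_suspects": sorted(u for u, n in failures.items() if n >= fail_threshold),
        "unauthorized_attempts": dict(denials),
    }

def demo() -> dict:
    """Constructed activity: one good login, three guesses, postings, one overreach."""
    ais = AIS(users={"alice": make_user("alice", "clerk", "correct horse"),
                     "bob": make_user("bob", "controller", "battery staple")})
    ais.authenticate("alice", "correct horse")                        # ok
    for _ in range(3):
        ais.authenticate("mallory", "guess")                          # fail x3
    ais.post_entry("alice", {"account": "1010", "amount": "250.00"})  # posted
    ais.post_entry("alice", {"account": "1010", "amount": "-5"})      # rejected
    ais.post_entry("alice", {"account": "DROP", "amount": "1"})       # rejected
    ais.authorize("alice", "approve_entry")                           # denied
    return analyze_log(ais.audit_log)

if __name__ == "__main__":
    print(demo())
```

Running the module prints the analysis result: mallory is flagged for three failed logins and alice for attempting an action outside her role. The two rejected postings are preventive-control outcomes (the bad input never reached the ledger) and are still visible in the audit log, which is what makes a later log review possible.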