CAACM’s 7th Annual General Meeting & Conference David Hall President Institute of Internal Auditors, Jamaica July 29, 2013
“Demystifying IT Audit Issues and Jargon for More Effective Reporting and Issues Resolution.”
Agenda IT Jargon What is Information Technology Audit Categories of IT Audit Wireless Network Mobile network System Interface Data Management Segregation of Duties Administrative Access What is IT Governance What should IT Governance Deliver Questions for Executive Management & CEO Questions for the Board
IT What Is It ? Information Technology Jargon
APPLE – It is not a fruit. IT IS an American company famous for developing the Macintosh computer and the iPod MP3 player.
APPLICATION – It is not an application form. IT IS a program used to perform a specific task, e.g. a word-processor. Microsoft – Suite of products
BACKUP – IT IS NOT A CAR BACKING UP. IT IS a secondary copy of important documents and data kept as insurance against loss due to a hardware failure or accidental deletion.
ADSL – Asymmetric Digital Subscriber Line. Technology that allows rapid transmission of data over a telephone line. ADSL provides a convenient method of accessing the Internet at broadband speeds without the need for a cable connection. Unlike dial-up, ADSL allows you to make phone calls whilst online.
BIT – IT IS NOT SOMETHING IN A HORSE'S MOUTH. The smallest element of computer data. A bit is a number equal to 1 or 0. The number is represented in digital electronics by a switch that is either on or off. Larger numbers can be stored as groups of several bits. A group of eight bits is known as a byte.
BLUETOOTH – IT IS NOT A DECAYING TOOTH IT IS a short-range wireless technology used to transfer data between mobile phones, computers and other devices.
BUG – IT IS NOT A CREEPY INSECT. It is a mistake in the design of a computer program that prevents it from working correctly. The term originates from a malfunction in one of the earliest computers which was caused by a moth. Debugging – The process of finding and correcting bugs in a computer program.
COOKIE – IT IS NOT A CHOCOLATE CHIP. A small file created by a browser to store information about a web site. Cookies are typically used to identify previous visitors to the site, remember their user names and passwords, and customize the site to suit their preferences. It is usually safe to delete all the cookies on your computer.
THE “MAC” IS NOT A HAMBURGER IT IS A COMPUTER
FIREWALL – IT IS NOT A WALL ON FIRE. A program or device that limits access to a computer from an external network for security reasons. A computer connected to the Internet without a firewall is more vulnerable to hackers.
A MOUSE – IS NOT THAT ANNOYING RODENT • A device that controls a pointer on the screen and allows objects to be manipulated by clicking or dragging them.
PHISHING • A form of Internet fraud that involves tricking people into revealing confidential information (e.g. credit card details, user names, passwords etc.) by means of a fake e-mail that appears to come from a well-known, legitimate organisation (e.g. a bank).
PORT
WORM • A self-replicating program that spreads from one computer to another, usually causing damage and compromising security in the process. • They are purposefully written by vandals to cause as much disruption as possible, or by hackers to compromise the security of a computer. IIA Research Foundation
ZIP Compressed files • A type of compression commonly applied to text-based files. A file that has been compressed in Zip format must be extracted (i.e. decompressed) before it can be opened.
CLOUD
There's a good chance you've already used some form of cloud computing. If you have an e-mail account with a Web-based e-mail service like Hotmail, Yahoo! Mail or Gmail, then you've had some experience with cloud computing. Instead of running an e-mail program on your computer, you log in to a Web e-mail account remotely. The software and storage for your account don't exist on your computer; they're on the service's computer cloud.
Software as a service (SaaS) Cloud-based applications—or software as a service (SaaS)—run on distant computers “in the cloud” that are owned and operated by others and that connect to users’ computers via the Internet and, usually, a web browser Platform as a service (PaaS) Platform as a service provides a cloud-based environment with everything required to support the complete lifecycle of building and delivering web-based (cloud) applications—without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting
What is an Information Technology Audit? An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other forms.
Further Definition: An information technology audit is an examination of the checks and balances, or controls, within an information technology (IT) group. An IT audit collects and evaluates "evidence" of an organization's information systems, practices, and operations. The evaluation of this evidence determines if the information systems are safeguarding the information assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's business goals or objectives.
The IT audit aims to evaluate the following:
1. Availability – Will the organization's computer systems be available for the business at all times when required?
2. Security and Confidentiality – Will the information in the systems be disclosed only to authorized users?
3. Integrity – Will the information provided by the system always be accurate, reliable, and timely?
The audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
Five (5) Categories of IT Audits
(1) Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
(2) Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Five (5) Categories of IT Audits
(3) Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
(4) Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Five (5) Categories of IT Audits
(5) Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.
I. Wireless Networks Wireless networks are proliferating throughout organizations, because they are useful and can support business objectives directly. However, they are also easy to set up (as any person who has set up a home wireless network can likely attest to) and provide a potential entry point into the corporate network. CAEs should be concerned both with the security of wireless networks that are authorized by the organization as well as rogue wireless networks that users have established without authorization
2. Role of the Audit Committee
I. Wireless Network Risks • Intrusion – Wireless networks may allow unauthorized entry into the corporate network. • Eavesdropping – Wireless networks may allow unauthorized personnel to access confidential information that is transmitted across wireless networks. • Hijacking – An unauthorized user may hijack the session of an authorized user connected to a wireless network and use that session to access the corporate network.
I. Wireless Network Risks Radio Frequency (RF) Management – The wireless network may send transmissions into unwanted areas, which may have other impacts. For example, hospitals may have equipment that reacts poorly to radio wave transmissions and therefore should not be exposed to wireless networks.
I. Recommendations for Wireless Networks. Perform a thorough wireless network audit that includes the following two components: The IT function should assess the existence and location of all approved and non-approved networks across all locations. This will entail an IT auditor physically going through business unit locations with an antenna, trying to detect the presence of wireless devices.
I. At a minimum, the IT auditor should obtain and review a listing of all wireless networks approved by the organization. Corporate policies and procedures should be established for wireless networks and should provide guidelines for securing and controlling these networks, including the use of data encryption and authentication to the wireless network. The IT auditor should review the configuration of the known wireless networks to ensure compliance with developed policies and procedures.
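The two components of the wireless audit above (a physical survey for approved and non-approved networks, and a review of the known networks' configuration against policy) reduce to a reconciliation between what was observed and what the IT function has approved. The following script is an added example written for this page, not material from the presentation or from the IIA: it compares a constructed survey result against a constructed approved-network listing and an assumed policy baseline that requires WPA2 or WPA3, and reports rogue networks, configuration drift, weak encryption and approved networks that were never seen.

```python
"""Added example (not part of the presentation): reconcile a wireless site
survey against the approved network inventory and the encryption baseline.
All SSIDs, BSSIDs, locations and policy values below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str       # access point MAC address, the stable identifier
    security: str    # "OPEN", "WEP", "WPA", "WPA2" or "WPA3"
    location: str


# Policy baseline, as an assumption: only WPA2 or WPA3 meets the encryption requirement.
ALLOWED_SECURITY = {"WPA2", "WPA3"}

# Listing of approved networks maintained by the IT function (constructed), keyed by BSSID.
APPROVED = {
    "aa:bb:cc:00:00:01": Network("CORP-STAFF", "aa:bb:cc:00:00:01", "WPA2", "HQ-Floor1"),
    "aa:bb:cc:00:00:02": Network("CORP-GUEST", "aa:bb:cc:00:00:02", "WPA2", "HQ-Floor1"),
    "aa:bb:cc:00:00:03": Network("CORP-WAREHOUSE", "aa:bb:cc:00:00:03", "WPA2", "Warehouse"),
}

# What the auditor observed while walking the locations with a scanner (constructed).
SURVEY = [
    Network("CORP-STAFF", "aa:bb:cc:00:00:01", "WPA2", "HQ-Floor1"),
    Network("CORP-GUEST", "aa:bb:cc:00:00:02", "OPEN", "HQ-Floor1"),   # approved AP, setting drifted
    Network("Linksys", "de:ad:be:ef:00:01", "WEP", "HQ-Floor2"),       # unknown AP, weak encryption
    Network("CORP-STAFF", "de:ad:be:ef:00:02", "WPA2", "Warehouse"),   # unknown AP using an approved name
]


def audit_wireless(survey, approved, allowed=ALLOWED_SECURITY):
    """Return a list of (finding, bssid, detail) tuples for follow-up."""
    findings = []
    approved_ssids = {n.ssid for n in approved.values()}
    observed = set()

    for net in survey:
        observed.add(net.bssid)
        expected = approved.get(net.bssid)
        if expected is None:
            # Not in the inventory: a rogue network. Reuse of an approved SSID is
            # flagged separately because users may connect to it by mistake.
            kind = "rogue-approved-ssid" if net.ssid in approved_ssids else "rogue"
            findings.append((kind, net.bssid, f"{net.ssid} at {net.location}"))
        elif net.security != expected.security:
            # In the inventory, but the live configuration no longer matches it.
            findings.append(("config-drift", net.bssid,
                             f"expected {expected.security}, observed {net.security}"))
        if net.security not in allowed:
            findings.append(("weak-security", net.bssid, net.security))

    # Approved networks that were never seen: stale inventory or a downed access point.
    for bssid, net in approved.items():
        if bssid not in observed:
            findings.append(("not-observed", bssid, f"{net.ssid} at {net.location}"))
    return findings


def summarize(findings):
    """Count findings by category, the figure an audit report would cite."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, bssid, detail in audit_wireless(SURVEY, APPROVED):
        print(f"{kind:22} {bssid}  {detail}")
    print(summarize(audit_wireless(SURVEY, APPROVED)))
```

The reconciliation is keyed on BSSID rather than SSID because an SSID is just a name any access point can broadcast; the "rogue-approved-ssid" category exists precisely so that a non-approved device advertising the corporate network name is not mistaken for the corporate network.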
II. Mobile Devices Most organizations have recognized the value of wireless devices such as Blackberrys, Personal Digital Assistants (PDAs) or smart phones. However, not all organizations have grasped the risk of using these devices.
II. Mobile Device Risks If the device is not configured in a secure fashion, the confidentiality of this data may be impacted if the device is lost or stolen. The transmission of data to the device itself may not be secure, potentially compromising the confidentiality or integrity of that data.
II. Mobile Device Risks Furthermore, these devices may allow remote access into corporate networks. Consider, for example, a beverage distribution company that equips route drivers with wireless devices that are used to book inventory transactions as they deliver product to each customer.
II. Recommendations for Mobile Devices The IT auditor should review mobile device management. At a minimum, consideration should be given to: Provisioning – The process for a user to procure a device. Standardization – Are devices standardized? Security Configuration – What policies and procedures have been established for defining security baselines for devices?
II. Recommendations for Mobile Devices Data Transmission – How is data transmission controlled? Access Into Corporate Networks – Do devices provide access into the corporate network? If so, how is that controlled? Lost or Stolen Devices – How would the company identify lost or stolen devices and terminate service to them? Interface Software – If these devices initiate business transactions, how is that information interfaced into the corporate applications?
III. Interfaces Complex IT environments often require complex interfaces to integrate their critical business applications. These interfaces may be enabled with middleware technology, which acts as a central point of communication and coordination for interfaces. This may be because interfaces are difficult to classify. They are similar in function to an infrastructure, or supporting technology, yet they are software applications that may actually process transactions.
III. Interface Risks Interfaces, and middleware in particular, are a critical link in the end-to-end processing of transactions. At a minimum, they move data from one system to another. Interfaces may also pose a single point of failure to the organization. Consider Company XYZ, which is running an ERP system for financial consolidation. The distributed business units all maintain interfaces from a variety of disparate systems up to the central corporate system.
III. Interface Risks There are approximately 200 of these interfaces, all running through a single middleware server and application. That middleware server suddenly stops functioning. This would have a substantial impact on the operations of the company
III. Recommendations for Interfaces The CAE should ensure the IT risk assessment and audit universe considers interfaces and middleware. Specific items that should be considered are: Use of Software to Manage Interfaces – Does the software transform data or merely move it from place to place? Interface IDs – The interface software will probably need access into the systems to/from which it is moving data. How is this access managed? Are generic IDs used? What access are these IDs granted, and who has access to use these IDs?
III. Recommendations for Interfaces Interface Directories – Are all data moved through a single interface directory? Who has access to that directory? How is it secured and controlled? If so, does the directory also contain data used in wire transfers or outbound electronic payments? How is the clerk restricted from these data sets?
Interface Types – What types of interfaces are used? Are they real-time or batch-oriented? What transactions do they support? Do they initiate the processing of other transactions (e.g. interfaced sales orders initiating the shipment of goods)?
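Three of the questions above (who uses the interface IDs and what access they hold, whether a shared interface directory also carries outbound payment data, and whether one middleware server is a single point of failure as in the Company XYZ scenario) can be answered mechanically once the IT function supplies an interface inventory. The script below is an added example for this page, not code from the presentation or the IIA; the interface names, servers, account names, directories, grants and the two policy sets are all constructed assumptions.

```python
"""Added example (not from the presentation): turn the interface and middleware
review questions into checks over an interface inventory. Interface names,
servers, account names, directories and grants are all constructed sample data."""
from collections import Counter, defaultdict

# Assumptions standing in for corporate policy.
GENERIC_ACCOUNT_NAMES = {"interface", "admin", "batch"}   # shared, non-attributable IDs
PAYMENT_GRANTS = {"WIRE_OUT", "ACH_OUT"}                  # access that moves money out

# Constructed inventory: one record per interface, as the IT function might supply it.
INTERFACES = [
    {"name": "AP-to-GL",        "server": "mw01", "account": "svc_ap_gl",    "mode": "batch",
     "directory": "/data/interfaces/gl",     "grants": ["GL_POST"]},
    {"name": "Sales-to-ERP",    "server": "mw01", "account": "interface",    "mode": "real-time",
     "directory": "/data/interfaces/shared", "grants": ["SO_CREATE", "SHIP_CREATE"]},
    {"name": "Payroll-to-Bank", "server": "mw01", "account": "interface",    "mode": "batch",
     "directory": "/data/interfaces/shared", "grants": ["WIRE_OUT"]},
    {"name": "Unit-B-to-GL",    "server": "mw02", "account": "svc_unitb_gl", "mode": "batch",
     "directory": "/data/interfaces/unitb",  "grants": ["GL_POST"]},
]


def review_interfaces(interfaces, concentration_threshold=0.5):
    """Return (finding, subject, detail) tuples covering interface IDs,
    interface directories and single points of failure."""
    findings = []

    # Interface IDs: a generic name, or one ID used by several interfaces, cannot be
    # traced to a single owner and accumulates the union of all their grants.
    by_account = defaultdict(list)
    for iface in interfaces:
        by_account[iface["account"]].append(iface["name"])
    for account, names in by_account.items():
        if account in GENERIC_ACCOUNT_NAMES or len(names) > 1:
            grants = sorted({g for i in interfaces if i["account"] == account for g in i["grants"]})
            findings.append(("shared-or-generic-id", account, f"used by {names}, grants {grants}"))

    # Interface directories: a directory shared by several interfaces that also carries
    # outbound payment data exposes that data to everyone who can reach the directory.
    by_dir = defaultdict(list)
    for iface in interfaces:
        by_dir[iface["directory"]].append(iface)
    for directory, members in by_dir.items():
        carries_payments = any(set(i["grants"]) & PAYMENT_GRANTS for i in members)
        if len(members) > 1 and carries_payments:
            findings.append(("payment-data-in-shared-dir", directory,
                             f"shared by {[i['name'] for i in members]}"))

    # Single point of failure: the share of interfaces that stop if one middleware
    # server stops.
    per_server = Counter(i["server"] for i in interfaces)
    for server, count in per_server.items():
        share = count / len(interfaces)
        if share > concentration_threshold:
            findings.append(("single-point-of-failure", server,
                             f"{count} of {len(interfaces)} interfaces ({share:.0%})"))
    return findings


if __name__ == "__main__":
    for finding in review_interfaces(INTERFACES):
        print(*finding, sep=" | ")
```

The concentration threshold is the auditor's judgement call; the value 0.5 here is only an assumption, and the same inventory reviewed with a threshold of 1.0 drops the single-point-of-failure finding while keeping the two access findings.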
IV. Data Management Organizations are automating more and more business processes and functions. At the same time, the cost of data storage is becoming cheaper and cheaper. These issues have led to the proliferation of large corporate data storage solutions. As organizations begin to manage these large repositories of data, many issues emerge.