IT System Controls Presented By Steve Cornell and Nadine Kilcullen
Why We’re Here. • Roslyn School District • CPA Audits • Long-term IT Plan
Audit Objectives • Are IT controls appropriately designed (and placed in operation)? • Are IT controls operating effectively? • … to safeguard assets from loss or misuse
IT Assets • Data/Information • Software • Hardware • Facilities • Networks
Risk Factors • Organization • Remote Access • Processing/Complexity • Changes
Threats • Errors and Omissions • Fraud and Theft • Employee Sabotage • Loss of Physical/Infrastructure Support • Malicious Hackers • Malicious Code • Threats to Personal Privacy
Control Types • Management Controls • Operational Controls • Technical Controls
Risk Management • Risk is the possibility of an adverse result • Risk management is the process of: • Assessing risk • Taking steps to reduce risk to an acceptable level • Maintaining that level of risk.
Life Cycle • Many models exist for the IT system life cycle. Most contain 5 basic phases: • Initiation • Development/Acquisition • Implementation • Operation • Disposal
Certification & Accreditation • Certification and accreditation provides a form of assurance of the security of the system.
System Security Plan • System security plans provide an overview of the security requirements and describe the controls in place or planned for meeting those requirements. • The plan delineates responsibilities and expected behavior of all individuals who access the system.
System Security Plan • Formal Policy and Procedures • System Security Plan • Rules of Behavior • Security-related Activity Planning
Personnel Security • Many important issues in computer security involve human users, designers, implementers, and managers. • A broad range of security issues relate to how individuals interact with computers, and the access and authorities needed to do their jobs.
Personnel Security • Formal Policy and Procedures • Position Categorization • Personnel Screening • Personnel Termination
Personnel Security • Personnel Transfer • Access Agreements • Third-Party Personnel Security • Personnel Sanctions
Physical and Environmental Protection • Physical security and environmental security are the measures taken to protect systems, buildings, and supporting infrastructures against threats to their physical environment.
Physical & Environmental • Formal Policy and Procedures • Physical Access Authorizations • Physical Access Controls • Access Control for Transmission Medium
Physical & Environmental • Access Control for Display Medium • Monitoring Physical Access • Visitor Control • Access Logs
Physical & Environmental • Power Equipment and Cabling • Emergency Shutoff • Emergency Power & Lighting • Fire Protection
Physical & Environmental • Temperature and Humidity Controls • Water Damage Protection • Delivery and Removal • Alternate Work Site
Production, Input/Output Controls • Many aspects to supporting IT operations. • Topics range from a user help desk to procedures for storing, handling and destroying media.
Production, Input/Output Controls • Formal Policy and Procedures • Media Access • Media Labeling • Media Storage
Production, Input/Output Controls • Media Transport • Media Sanitization and Disposal
Contingency Planning • Contingency planning involves more than planning for a move offsite after disaster destroys a facility. • It also addresses how to keep an organization’s critical functions operating in the event of disruptions, large and small.
Contingency Planning • Formal Policy and Procedures • Contingency Plan • Contingency Training • Contingency Plan Testing
Contingency Planning • Contingency Plan Update • Alternate Storage Sites • Alternate Processing Sites • Telecommunication Services
Contingency Planning • IT System Backup • IT System Recovery and Reconstitution
Hardware/Software Maintenance • Controls to monitor the installation of, and updates to, hardware and software • Controls ensure that the system functions as expected and that a historical record is maintained of changes.
Hardware/Software Maint. • Formal Policy and Procedures • Periodic and Timely Maintenance • Maintenance Tools • Remote Maintenance • Maintenance Personnel
Data Integrity • Data integrity controls are used to protect data from accidental or malicious alteration or destruction • Controls provide assurance that the information meets users’ quality and integrity expectations.
Data Integrity • Formal Policy and Procedures • Flaw Remediation • Malicious Code Protection • IT System Monitoring Tools/Techniques
Data Integrity • Security Alerts and Advisories • Security Functionality Verification • Software and Information Integrity • Spam Protection
Data Integrity • Information Input Restrictions • Accuracy, Completeness, Validity, Authenticity • Error Handling • Information Output Handling, Retention
Security Awareness, Training and Education • People are a critical factor in ensuring the security of computer systems and information resources. • Training and education enhance security by improving awareness of the need to protect resources. • Training develops skills and knowledge so computer users can perform their jobs more securely.
Security Awareness, Training and Education • Formal Policy and Procedures • Security Awareness • Security Training (& Records) • Contacts with Security Groups/Associations
Incident Response Capability • Computer security incidents are adverse events in a computer system or network. • Incidents are becoming more common with far-reaching impact.
Incident Response Capability • Formal Policy and Procedures • Incident Response Training • Incident Response Testing • Incident Handling
Incident Response Capability • Incident Monitoring • Incident Reporting • Incident Response Assistance
Configuration Management • Process for controlling modifications to hardware, firmware, software, and documentation. • Controls ensure that IT systems are protected against improper modifications before, during and after implementation.
Configuration Management • Formal Policy and Procedures • Baseline Configuration and System Component Inventory • Configuration Change Control • Monitoring Configuration Changes
Configuration Management • Access Restrictions for Change • Configuration Settings • Least Functionality
Identification/Authentication • Identification and authentication prevents unauthorized people (or unauthorized processes) from entering an IT system. • Access control usually requires the system to identify and differentiate users.
Identification/Authentication • Formal Policy and Procedures • User Identification and Authentication • Device Identification and Authentication • Identifier & Authenticator Management
Logical Access Controls • Logical access controls are the system-based mechanisms used to designate: • Who (or what) can access a specific system resource • The type of transactions and functions that are permitted.
Logical Access Controls • Formal Policy And Procedures • Account Management • Access Enforcement • Information Flow Enforcement
Logical Access Controls • Separation of Duties • Least Privilege • Unsuccessful Login Attempts • Previous Login Notification
Logical Access Controls • Session Lock • Session Termination • Supervision and Review – Access Control • Permitted Actions without I & A
Logical Access Controls • Remote Access • Wireless Access Restrictions • Access Control - Portable/Mobile Devices • Personally Owned IT Systems
Audit Trails • Audit trails maintain a record of system activity by system processes and by user activity. • Using appropriate tools and procedures, audit trails can provide a means to establish individual accountability, reconstruct events, detect intrusions, and identify problems.
Audit Trails • Formal Policy and Procedures • Auditable Events • Content of Audit Records • Audit Storage Capacity & Retention
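As an added illustration that is not part of the presentation, the sketch below shows how the "Unsuccessful Login Attempts" control and the audit-trail requirements for "Auditable Events" and "Content of Audit Records" work together: every login outcome is written to an append-only trail that refuses incomplete records, and repeated failures inside a time window lock the account, which is itself an audited event. The thresholds, field names, and user names are assumptions chosen for the example, not values from the deck.

```python
from collections import defaultdict, deque

# Content every audit record must carry so that an event can be reconstructed
# and tied to an individual: when, who, what happened, the result, and from where.
REQUIRED_FIELDS = ("time", "user", "event", "outcome", "source")
MAX_FAILURES = 3     # failed attempts tolerated inside WINDOW (assumed value)
WINDOW = 15 * 60     # seconds; all times below are plain epoch seconds
LOCKOUT = 30 * 60    # seconds the account stays locked (assumed value)

class AuditTrail:
    """Append-only record store that rejects records missing required content."""

    def __init__(self):
        self.records = []

    def log(self, **record):
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"audit record missing fields: {missing}")
        self.records.append(dict(record))

class LoginGuard:
    """Counts failed logins per user and locks the account after MAX_FAILURES."""

    def __init__(self, trail):
        self.trail = trail
        self.failures = defaultdict(deque)   # user -> times of recent failures
        self.locked_until = {}

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def attempt(self, user, password_ok, source, now):
        if self.is_locked(user, now):
            outcome = "denied-locked"        # refused without checking the password
        elif password_ok:
            outcome = "success"
            self.failures.pop(user, None)    # a success resets the failure count
        else:
            outcome = "failure"
            q = self.failures[user]
            q.append(now)
            while now - q[0] > WINDOW:       # forget failures older than the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self.locked_until[user] = now + LOCKOUT
                self.trail.log(time=now, user=user, event="account-lock",
                               outcome="locked", source=source)
        self.trail.log(time=now, user=user, event="login", outcome=outcome, source=source)
        return outcome
```

Every outcome, including an attempt refused because the account is locked, lands in the trail, so a reviewer can reconstruct the sequence from the records alone.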