1 / 66

SysTrust Introduction

SysTrust Introduction. SYSTRUST COURSE. February 2001. SysTrust History. SYSTRUST COURSE. February 2001. Agenda. Vision Task Force Membership SysTrust Roll-out Activities Task Force’s Due Diligence Support Tools Successes to Date Feedback to Date Future Enhancements. Vision.

lancelot
Download Presentation

SysTrust Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SysTrust Introduction SYSTRUST COURSE February 2001

  2. SysTrust History SYSTRUST COURSE February 2001

  3. Agenda • Vision • Task Force Membership • SysTrust Roll-out Activities • Task Force’s Due Diligence • Support Tools • Successes to Date • Feedback to Date • Future Enhancements

  4. Vision

  5. Thomas E.Wallace, Chair J. Efrim Boritz Robert Parker Robert J. Reimer George H. Tucker III Miklos A. Vasarhelyi Sander Wexler Dan White CICA Staff Bryan Walker, Principal, Research Studies AICPA Staff Erin P. Mackler, Technical Manager Assurance Services Judith M. Sherinsky, Technical Manager Audit and Attest Standards Task Force Membership

  6. SysTrust Roll-out Activities 1 Issued Development Supporting Tools Exposure 9/99 11/99 7/99

  7. SysTrust Roll-out Activities 2 • SCAS/TFAS 1996 - 1997 • Version 1 - Jan/88 - Nov/89 • Development - Jan/88 - April/99 • Review - April/99 - June/99 • Exposure Draft - July/99 - September/99 • Final issuance - Fall 1999 • Training courses - Fall 1999 • Version 2 - Jan - July 2000 • Version 3 - Jan - ? 2001

  8. Task Force’s Due Diligence • Review of draft conducted by: • Associates - practitioners, academics • Institutes’ technical committees • Ev Johnson - Chair of eComm Committee • Selective members of Institutes’ ASB • Industry - Internal Audit, CFO, CIO • Considered: • market and need, completeness and relevance of principles & criteria, & other comments

  9. Support Tools 1 • Competency Model - • What skills are needed for SysTrust • Training Courses - • SysTrust Overview • How to Perform a SysTrust Engagement • In-Depth Training in SysTrust Principles & Criteria • Information Systems Audit & Control Association (ISACA) courses

  10. Support Tools 2 • Practitioners Aids - • Workplans • Engagement letters • Representation letters • Checklists • Practice guides • Marketing ideas

  11. Support Tools 3 • Marketing • Conceptual Marketing Plan by AICPA • articles/ads e.g. Journal of Accountancy, CA Magazine, ISACA • AICPA and CICA websites • pilot project testimonials by practitioners • conferences and training (UWCISA/JIS) • related organizations; e.g. ISACA • Alliances

  12. Successes to Date • Approx. 40 engagements • Typically $100 - 200,000 range • Many pre-implementation/readiness reviews • Industries: • Government, Banks, Utilities • .Coms: Loudcloud.com, Agillion.com • Adoption by Internal Audit departments

  13. Feedback to Date • Like framework: • Need flexibility in use: • ability to report on less than all principles • ability to issue a point in time report • Clarify privacy’s impact on reliability: • in - confidentiality of private information • out - accuracy of data, consent, individuals’ right to view, remediation, etc

  14. Future Enhancements • Versions 3.0 & 4.0? • enhancements to principles & criteria • enhancements to reporting • point in time, “seal” program, holistic • continuous auditing & reporting • Buy-in by industry • management, internal audit, developers • Buy-in by Practitioners

  15. SysTrust!

  16. SysTrust Overview SYSTRUST COURSE February 2001

  17. Agenda • Systems Reliability in Business • What is SysTrust? • Positioning SysTrust • SysTrust Framework • System • Reliability • Criteria • Controls

  18. IT Running the Business IT Differentiates in the Marketplace IT Demanding more Capital IT Permeating all areas of a Company More Reliance on IT of Partners Systems Reliability in Business GrowthProfitability Mkt Share SPEED, COST& QUALITY

  19. Drivers of Need Like a weak link in a chain, an unreliable system can fail the entire business

  20. Recent Headlines “Rail company’s unreliable system causes rail cars to stack up, shipping delays and shipments gone astray” “Security rated top on-line fear” “eBay waives $3-5 million listing fees after service outage” “Worm.Explore.Zip virus forces shutdown of companies’ systems” “Computer errors decimate managed care company’s stock” “Computer woes halt TSE trading”

  21. Reliability & the Market E*Trade Publicized Network Failures & Resulting Market Cap Decreases $ 2.5b $737m E*Trade Stock Price(EGRP) $767m

  22. Factors of Unreliability • Denial of Service • system failures, crashes, capacity issues • Unauthorized Access • Viruses, hackers, loss of confidentiality • Loss of Data Integrity • corrupted, incomplete, fictitious data • Maintenance problems • unintended impact of system changes • Failure to fulfill commitments

  23. Need for SysTrust What We Found: • No Common Definition of Reliability • e.g. is security in or out? • No Basis for Comparison • at what point is reliability achieved • Differing levels of Objectivity & Rigor • how much and how good is assessment

  24. What is “SysTrust” ? • SysTrust - A CA/CPA’s assurance report on a system’s reliability • US - SSAE #1 • Canada -section 5025 • Opinion on controls using framework of 4 principles & 58 criteria on reliability • To earn SysTrust opinion, a system must meet all criteria for principles reported on

  25. A “SysTrust” Opinion... “ We have audited the assertion by mgmt that... ABC company maintained effective controls...over system availability, security, processing integrity and maintainability...based on SysTrust principles & criteria…” “ In our opinion mgmt’s assertion…is fairly stated in all material respects...”

  26. SysTrust Criteria System Description Mgmt’s Assertions Auditor’s Report Components of “SysTrust”

  27. Continuous Auditing PeriodicAssurance Consulting Services Design ----Implement ---------------Operate Positioning “SysTrust” 1 SysTrust

  28. WebTrust SysTrust S- 5900 SAS/70 Positioning “SysTrust” 2 Non-Financial Financial InternalUsers ExternalUsers

  29. Definitions • “SYSTEM” • “RELIABILITY” • “CRITERIA” • “CONTROLS” (vs. internal control)

  30. Software Infrastructure Data People Procedures “SYSTEM” 1 A SYSTEM is an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information SYSTEM

  31. “SYSTEM” 2 • infrastructure (facilities, equipment and networks) • software (systems, applications, utilities) • people (developers, operators, users and managers) • procedures (automated and manual) • data (transaction streams, data bases and tables)

  32. “RELIABILITY” Reliable System defined as: “A system that operates without material error, fault or failure during a specified time in a specified environment.” Four Principles: - Availability - Security - Integrity - Maintainability

  33. RELIABILITY AVAILABILITY MAINTAINABILITY SECURITY INTEGRITY CRITERIA CRITERIA CRITERIA CRITERIA “Reliability” Framework

  34. “CRITERIA” • Each Principle has series of Criteria • Criteria categories: • policies exist and are appropriate • policies are implemented and operate • adherence to policy is monitored • Definition of Criteria:- measurable - relevant - objective - complete

  35. Structure of Criteria 1

  36. Structure of Criteria 2

  37. Example: Availability • Principle: The system is available for operation and use at times set forth in service level statements or agreements. • Criteria Categories: • The entity has defined and communicated performance objectives, policies, and standards for system availability. • The entity utilizes processes, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards. • The entity monitors the system and takes action to achieve compliance with system availability objectives, policies, and standards.

  38. Example: Availability (cont’d)

  39. “CONTROLS” • primary evidential basis for evaluating whether criteria, hence, reliability principles satisfied • assurance provider assesses controls deemed relevant to concluding whether Criteria met • may supplement with direct tests of Criteria • require judgment to determine nature and extent of evidence required to verify existence, effectiveness and continuity of controls

  40. CICA’s ITCG comprehensive coverage risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc. Illustrative Controls 1

  41. ISACF’s COBIT also comprehensive planning & organization, acquisition & implementation, delivery & support, monitoring, etc. Illustrative Controls 2

  42. Example: Availability (cont’d)

  43. Principles & Criteria SYSTRUST COURSE February 2001

  44. SysTrust Principles • The system is available for operation and use at times set forth in service level statements or agreements. • The system is protected against unauthorized physical and logical access. • System processing is complete, accurate, timely and authorized. • The system can be updated when required in a manner that continues to provide for system availability, security, and integrity.

  45. Security Principle • Category S1: • The entity has defined and communicated performance objectives, policies, and standards for system security.

  46. Security Principle • S1.1: The system security requirements of authorized users, and the system security objectives, policies and standards are identified and documented. • S1.2: The documented system security objectives, policies, and standards have been communicated to authorized users. • S1.3: Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service level agreements and applicable laws and regulations. • S1.4: Responsibility and accountability for system security have been assigned. • S1.5: Documented system security objectives, policies, and standards are communicated to entity personnel responsible for implementing them.

  47. Security Principle • Category S2: • The entity utilizes processes, people, software, data, and infrastructure to achieve system security objectives in accordance with established policies and standards.

  48. Security Principle • S2.1: Acquisition, implementation, configuration and management of system components related to system security are consistent with documented system security objectives, policies, and standards. • S2.2: There are procedures to identify and authenticate all users accessing the system. • S2.3: There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.

  49. Security Principle (cont.) • S2.4: There are procedures to restrict access to computer processing output to authorized users. • S2.5: There are procedures to restrict access to files on off-line storage media to authorized users. • S2.6: There are procedures to protect external access points against unauthorized electronic access. • S2.7: There are procedures to protect the system against infection by computer viruses, malicious codes, and unauthorized software. • S2.8: Threats of sabotage, terrorism, vandalism and other physical attacks have been considered when locating the system.

  50. Security Principle (cont.) • S2.9: There are procedures to segregate incompatible functions within the system through security authorizations. • S2.10: There are procedures to protect the system against unauthorized physical access. • S2.11: There are procedures to ensure that personnel responsible for the design, development, implementation and operation of system security are qualified to fulfil their responsibilities.

More Related