SysTrust Introduction SYSTRUST COURSE February 2001
SysTrust History SYSTRUST COURSE February 2001
Agenda
• Vision
• Task Force Membership
• SysTrust Roll-out Activities
• Task Force’s Due Diligence
• Support Tools
• Successes to Date
• Feedback to Date
• Future Enhancements
Task Force Membership
• Thomas E. Wallace, Chair
• J. Efrim Boritz
• Robert Parker
• Robert J. Reimer
• George H. Tucker III
• Miklos A. Vasarhelyi
• Sander Wexler
• Dan White
CICA Staff
• Bryan Walker, Principal, Research Studies
AICPA Staff
• Erin P. Mackler, Technical Manager, Assurance Services
• Judith M. Sherinsky, Technical Manager, Audit and Attest Standards
SysTrust Roll-out Activities 1 (timeline): Development; Exposure (7/99); Issued (9/99); Supporting Tools (11/99)
SysTrust Roll-out Activities 2
• SCAS/TFAS 1996 - 1997
• Version 1 - Jan/88 - Nov/89
  • Development - Jan/88 - April/99
  • Review - April/99 - June/99
  • Exposure Draft - July/99 - September/99
  • Final issuance - Fall 1999
  • Training courses - Fall 1999
• Version 2 - Jan - July 2000
• Version 3 - Jan - ? 2001
Task Force’s Due Diligence
• Review of draft conducted by:
  • Associates - practitioners, academics
  • Institutes’ technical committees
  • Ev Johnson - Chair of eComm Committee
  • Selective members of Institutes’ ASB
  • Industry - Internal Audit, CFO, CIO
• Considered:
  • market and need, completeness and relevance of principles & criteria, & other comments
Support Tools 1
• Competency Model
  • What skills are needed for SysTrust
• Training Courses
  • SysTrust Overview
  • How to Perform a SysTrust Engagement
  • In-Depth Training in SysTrust Principles & Criteria
  • Information Systems Audit & Control Association (ISACA) courses
Support Tools 2
• Practitioners’ Aids
  • Workplans
  • Engagement letters
  • Representation letters
  • Checklists
  • Practice guides
  • Marketing ideas
Support Tools 3
• Marketing
  • Conceptual Marketing Plan by AICPA
  • articles/ads, e.g. Journal of Accountancy, CA Magazine, ISACA
  • AICPA and CICA websites
  • pilot project testimonials by practitioners
  • conferences and training (UWCISA/JIS)
  • related organizations, e.g. ISACA
• Alliances
Successes to Date
• Approx. 40 engagements
• Typically $100 - 200,000 range
• Many pre-implementation/readiness reviews
• Industries:
  • Government, Banks, Utilities
  • .Coms: Loudcloud.com, Agillion.com
• Adoption by Internal Audit departments
Feedback to Date
• Like framework
• Need flexibility in use:
  • ability to report on less than all principles
  • ability to issue a point in time report
• Clarify privacy’s impact on reliability:
  • in - confidentiality of private information
  • out - accuracy of data, consent, individuals’ right to view, remediation, etc.
Future Enhancements
• Versions 3.0 & 4.0?
  • enhancements to principles & criteria
  • enhancements to reporting
    • point in time, “seal” program, holistic
  • continuous auditing & reporting
• Buy-in by industry
  • management, internal audit, developers
• Buy-in by Practitioners
SysTrust Overview SYSTRUST COURSE February 2001
Agenda
• Systems Reliability in Business
• What is SysTrust?
• Positioning SysTrust
• SysTrust Framework
  • System
  • Reliability
  • Criteria
  • Controls
Systems Reliability in Business (diagram)
• IT Running the Business
• IT Differentiates in the Marketplace
• IT Demanding more Capital
• IT Permeating all areas of a Company
• More Reliance on IT of Partners
Outcomes shown: Growth, Profitability, Market Share; drivers: Speed, Cost & Quality
Drivers of Need
Like a weak link in a chain, an unreliable system can fail the entire business.
Recent Headlines
• “Rail company’s unreliable system causes rail cars to stack up, shipping delays and shipments gone astray”
• “Security rated top on-line fear”
• “eBay waives $3-5 million listing fees after service outage”
• “Worm.Explore.Zip virus forces shutdown of companies’ systems”
• “Computer errors decimate managed care company’s stock”
• “Computer woes halt TSE trading”
Reliability & the Market (chart): E*Trade stock price (EGRP) with publicized network failures and resulting market cap decreases of $2.5b, $737m and $767m
Factors of Unreliability
• Denial of Service
  • system failures, crashes, capacity issues
• Unauthorized Access
  • viruses, hackers, loss of confidentiality
• Loss of Data Integrity
  • corrupted, incomplete, fictitious data
• Maintenance problems
  • unintended impact of system changes
• Failure to fulfill commitments
Need for SysTrust
What We Found:
• No Common Definition of Reliability
  • e.g. is security in or out?
• No Basis for Comparison
  • at what point is reliability achieved?
• Differing levels of Objectivity & Rigor
  • how much and how good is the assessment?
What is “SysTrust”?
• SysTrust - A CA/CPA’s assurance report on a system’s reliability
  • US - SSAE #1
  • Canada - section 5025
• Opinion on controls using a framework of 4 principles & 58 criteria on reliability
• To earn a SysTrust opinion, a system must meet all criteria for the principles reported on
A “SysTrust” Opinion...
“We have audited the assertion by mgmt that... ABC company maintained effective controls... over system availability, security, processing integrity and maintainability... based on SysTrust principles & criteria…”
“In our opinion mgmt’s assertion… is fairly stated in all material respects...”
Components of “SysTrust” (diagram)
• SysTrust Criteria
• System Description
• Mgmt’s Assertions
• Auditor’s Report
Positioning “SysTrust” 1 (diagram): across the system life cycle Design ---- Implement --------------- Operate, SysTrust is positioned alongside Consulting Services, Periodic Assurance and Continuous Auditing
Positioning “SysTrust” 2 (diagram): WebTrust, SysTrust, S-5900 and SAS/70 positioned on two axes, Non-Financial vs. Financial and Internal Users vs. External Users
Definitions
• “SYSTEM”
• “RELIABILITY”
• “CRITERIA”
• “CONTROLS” (vs. internal control)
“SYSTEM” 1 (diagram: Software, Infrastructure, Data, People, Procedures)
A SYSTEM is an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information.
“SYSTEM” 2
• infrastructure (facilities, equipment and networks)
• software (systems, applications, utilities)
• people (developers, operators, users and managers)
• procedures (automated and manual)
• data (transaction streams, data bases and tables)
“RELIABILITY”
Reliable System defined as: “A system that operates without material error, fault or failure during a specified time in a specified environment.”
Four Principles:
• Availability
• Security
• Integrity
• Maintainability
“Reliability” Framework (diagram): RELIABILITY rests on AVAILABILITY, SECURITY, INTEGRITY and MAINTAINABILITY, each supported by its own CRITERIA
“CRITERIA”
• Each Principle has a series of Criteria
• Criteria categories:
  • policies exist and are appropriate
  • policies are implemented and operate
  • adherence to policy is monitored
• Definition of Criteria:
  • measurable
  • relevant
  • objective
  • complete
Example: Availability
• Principle: The system is available for operation and use at times set forth in service level statements or agreements.
• Criteria Categories:
  • The entity has defined and communicated performance objectives, policies, and standards for system availability.
  • The entity utilizes processes, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards.
  • The entity monitors the system and takes action to achieve compliance with system availability objectives, policies, and standards.
“CONTROLS”
• primary evidential basis for evaluating whether criteria, and hence reliability principles, are satisfied
• assurance provider assesses controls deemed relevant to concluding whether Criteria are met
• may supplement with direct tests of Criteria
• require judgment to determine the nature and extent of evidence required to verify existence, effectiveness and continuity of controls
Illustrative Controls 1
CICA’s ITCG: comprehensive coverage of risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc.
Illustrative Controls 2
ISACF’s COBIT: also comprehensive, covering planning & organization, acquisition & implementation, delivery & support, monitoring, etc.
Principles & Criteria SYSTRUST COURSE February 2001
SysTrust Principles
• The system is available for operation and use at times set forth in service level statements or agreements.
• The system is protected against unauthorized physical and logical access.
• System processing is complete, accurate, timely and authorized.
• The system can be updated when required in a manner that continues to provide for system availability, security, and integrity.
Security Principle
• Category S1: The entity has defined and communicated performance objectives, policies, and standards for system security.
Security Principle
• S1.1: The system security requirements of authorized users, and the system security objectives, policies and standards are identified and documented.
• S1.2: The documented system security objectives, policies, and standards have been communicated to authorized users.
• S1.3: Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service level agreements and applicable laws and regulations.
• S1.4: Responsibility and accountability for system security have been assigned.
• S1.5: Documented system security objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
Security Principle
• Category S2: The entity utilizes processes, people, software, data, and infrastructure to achieve system security objectives in accordance with established policies and standards.
Security Principle
• S2.1: Acquisition, implementation, configuration and management of system components related to system security are consistent with documented system security objectives, policies, and standards.
• S2.2: There are procedures to identify and authenticate all users accessing the system.
• S2.3: There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.
Security Principle (cont.)
• S2.4: There are procedures to restrict access to computer processing output to authorized users.
• S2.5: There are procedures to restrict access to files on off-line storage media to authorized users.
• S2.6: There are procedures to protect external access points against unauthorized electronic access.
• S2.7: There are procedures to protect the system against infection by computer viruses, malicious code, and unauthorized software.
• S2.8: Threats of sabotage, terrorism, vandalism and other physical attacks have been considered when locating the system.
Security Principle (cont.)
• S2.9: There are procedures to segregate incompatible functions within the system through security authorizations.
• S2.10: There are procedures to protect the system against unauthorized physical access.
• S2.11: There are procedures to ensure that personnel responsible for the design, development, implementation and operation of system security are qualified to fulfil their responsibilities.
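Criteria S2.3 and S2.9 above are the kind an assurance provider evidences by reviewing actual entitlements against the entity's policy. The script below is an added illustration (not part of the SysTrust course material): it runs an entitlement review over a constructed access-list extract, flagging roles not permitted for a user's job (S2.3) and pairs of incompatible functions held by one user (S2.9). The job names, roles, policy table and incompatible-function matrix are all constructed for the example.

```python
"""Entitlement review illustrating evidence for SysTrust criteria S2.3 and S2.9.

Added example, not from the SysTrust course. All policy data and the sample
access extract below are constructed for illustration.
"""
from itertools import combinations

# Constructed policy (S2.3): the roles each job function may be granted.
ALLOWED_ROLES = {
    "ap_clerk": {"enter_invoice", "view_reports"},
    "ap_manager": {"approve_payment", "view_reports"},
    "developer": {"deploy_code", "view_reports"},
}

# Constructed incompatible-function matrix (S2.9): one person holding both
# roles in a pair could complete a sensitive transaction without a second party.
INCOMPATIBLE = {
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"deploy_code", "approve_payment"}),
}


def review_entitlements(grants):
    """grants: {user: {"job": str, "roles": set[str]}}.

    Returns a sorted list of (user, criterion, message) findings.
    """
    findings = []
    for user, rec in sorted(grants.items()):
        allowed = ALLOWED_ROLES.get(rec["job"], set())
        # S2.3: any role outside the policy for this job is a finding.
        for role in sorted(rec["roles"] - allowed):
            findings.append((user, "S2.3", f"role '{role}' not permitted for job '{rec['job']}'"))
        # S2.9: any pair of held roles that the matrix marks incompatible.
        for a, b in combinations(sorted(rec["roles"]), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((user, "S2.9", f"incompatible roles '{a}' and '{b}'"))
    return findings


# Constructed sample extract of an access-control list.
SAMPLE_GRANTS = {
    "alice": {"job": "ap_clerk", "roles": {"enter_invoice", "view_reports"}},
    "bob": {"job": "ap_clerk", "roles": {"enter_invoice", "approve_payment"}},
    "carol": {"job": "developer", "roles": {"deploy_code", "approve_payment"}},
}

if __name__ == "__main__":
    for user, criterion, message in review_entitlements(SAMPLE_GRANTS):
        print(f"{user}: {criterion}: {message}")
```

Only alice passes both checks; bob and carol each produce one S2.3 and one S2.9 finding.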