Chapter 16: Audit Method and Techniques for Operations
IS Security, Audit, and Control (Dr. Zhao)
MBAD 7090

Objectives
• Key IT operation areas:
  • Contingency and disaster-recovery planning
  • DBMS recovery
  • Telecommunications
  • End-user computing

Contingency and Disaster-Recovery Planning
• Definition:
  • Disaster recovery is the process, policies and procedures of restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (incoming, outgoing, toll-free, fax, etc.), workspace, and other business processes after a natural or human-induced disaster.
• Business recovery
  • Disaster recovery is a subset of business recovery

Disaster-Recovery Planning
• Management support
• Documented
  • Need a written plan
• Updated frequently
• Tested frequently
  • Phase 1: regular inspection and walk-through
  • Phase 2: planned disaster simulation
  • Phase 3: disaster simulation without warning
  • Varying degrees of “disaster”
• A video

DBMS Recovery
• Businesses have an increasing reliance on timely and reliable access to central database-management systems.
• The ability to recover and continue business operations is critical in today’s 7-day-a-week, 24-hour-a-day business environment.

Transaction properties
• Goal: ensure data integrity from transactions
• Atomicity: preclusion of partially completed transactions
• Permanence
• Serialization of transactions: do not use inconsistent data from partially completed transactions
• Prevention of cascading aborts: an incomplete transaction cannot reveal its results to other transactions
• Consistency
DBMS Risks
• Transaction failure
• System failure:
  • Bugs, errors, and anomalies from the operating system or hardware
• Communication failure:
• Media failure:
  • Disk crashes, controller failure, head crashes, or media degradation
• Malicious intent

DBMS Corrective Actions
• Restoring the system resources to a usable state
• Correcting damage or removing invalid data
• Restarting or continuing the interrupted process

Data Warehouse Application
• Data warehouse: a repository of an organization's electronically stored data.
• An application

Data Warehouse Conversion Control Issues
• How stable was the data when it was transferred?
• At what point in time should the data migrate to the data warehouse?
  • Too close to the transaction, and it’s still in flux and subject to change.
  • Too far away, and the detail is lost in an aggregation.
• What operational unit holds the keys to the data’s storage and definition?
• What is the state of the data value?

Data Communications Threats
• Criminal groups
• Foreign intelligence services
• Hackers
• Hacktivists
• Information warfare
• Insider threat
• Virus writers

Data Communications Controls
• Planning
• Testing
• Data communication controls
  • Prevention
  • Detection
  • Correction

LAN Audit and Security Issues
• Threats to the physical security of the network
  • Site control and management
  • Protect network wires
• Unauthorized access and eavesdropping
  • Firewalls
  • Encryption
  • LAN traffic analyzer
• Attacks from within the network’s (authorized) user community

Wireless LAN
• IEEE 802.11 Wired Equivalent Privacy (WEP) protocol
  • 64-bit key and RC4 encryption algorithm
  • Challenges:
    • No group-keyed access control
    • Interception of radio signals is hard to detect
• Virtual Private Network (VPN)
  • A VPN is a computer network in which some of the links between nodes are carried by open connections in some larger network (e.g., the Internet) instead of by physical wires.
  • Challenges: poor-quality reception, unstable and frequent reconnection

End-User Computing Controls
• Assignment of ownership of data
• User accountability
• Backup procedures
• Physical access controls
• Appropriate documentation of end-user-developed applications and related changes
• Segregation of duties

Discussions
• For your home PC:
  • What are the current controls?
  • What are the remaining risks?