Académique Documents
Professionnel Documents
Culture Documents
Cs
Agustinus.wijaya@staff.uksw.edu
Information Information
Information
System System Control
Security policy
Controls Techniques
Control over
data integrity, Logical access
User Control control
privacy and
security
Interconnectivity of systems;
Strategic Plans
Business Operations
Finances
Strategic Plans: Most organizations readily
acknowledge that strategic plans are crucial to the
success of a company. But most of the companies
fail to really make an effort to protect these plans.
Although it might have been impossible for the
company to completely prevent its intentions from
being discovered, this situation does illustrate the
real value of keeping strategic plans confidential.
Business Operations: Business operations consist
of an organization’s process and procedures, most
of which are deemed to be proprietary. As such,
they may provide a market advantage to the
organization. This is the case when one company
can provide a service profitably at a lower
price than the competition.
Finances: Financial information, such as salaries
and wages, are very sensitive and should not be
made public. While general salary ranges are known
within industry sectors, precise salary information
can provide a competitive edge. As salaries and
wage-related charges normally comprise the majority
of fixed costs, lower costs in this area contribute
directly to an organization’s profitability.
Definition
Issues to address
IT Operations management,
IT Communications,
Legal Compliances,
Operation Procedures
Segregation of duties
Authorization Procedures
Record Keeping
Categories of Controls
Organizational Controls
Management Controls
SDLC
Audit Trails
The basic purpose is to ensure that the business
objectives are achieved and undesired risk events
are prevented or detected and corrected.
This is achieved by designing and effective
information control framework, which comprise
policies, procedures, practices, and organization
structure that gives reasonable assurances that
the business objectives will be achieved.
The objective of controls is to reduce or
if possible eliminate the causes of the
exposure to potential loss. Exposures are
potential losses due to threats
materializing. All exposures have causes.
Some categories of exposures are:
• Errors or omissions in data, procedure,
processing, judgment and comparison.
• Improper authorizations and improper
accountability with regards to procedures,
processing, judgment and comparison.
Inefficient activity in procedures, processing
and comparison.
Some of the critical control considerations in
a computerized environment are:
Detective control
Corrective controls
Compensatory controls
Preventive controls are those inputs, which are
designed to prevent an error, omission or
malicious act occurring. An example of a
preventive control is the use of passwords
to gain access to a financial system.
The broad characteristics of preventive controls are:
• (i)A clear-cut understanding about the vulnerabilities
of the asset
• (ii) Understanding probable threats
• (iii) Provision of necessary controls for probable
threats from materializing
Examples of preventive control:
Segregation of duties
Access control
Documentation
Hash Totals
Check Points
Rerun procedures
Contingency planning
Backup procedure
Rerun procedures
Segregation of duties.
Each IS function must be clearly defined and
documented, including systems software, application
programming and systems development, database
administration, and operations. The senior manager,
of all these groups, and managers of the individual
groups make up the IS management team
responsible for the effective and efficient utilization of
IS resources.
Providing information to senior management on the IS resources, to
enable senior management to meet strategic objectives.
Authorization
Budgets
Cancellation of documents
Documentation
Dual control
Safekeeping
These controls are hardware and software
related and include procedures exercised in the
IS environmental areas. The environmental areas
include system software programming, on-line
programming, on-line transaction systems,
application program change control, the data center
and the media library.
These controls are personnel; hardware and
software related and include procedures
exercised on access by employees to IT
resources. The controls relate to establishing
appropriate physical security and access control
measures for IT facilities, including off-site use of
information devices in conformance with the
general security policy.
These Physical security and access controls should
address not only the area containing system
hardware, but also locations of wiring used to connect
elements of the system, supporting services, backup media
and any other elements required for the system’s operation.
These controls are software related and include procedures
exercised in the IS software through access controls
through system software and application software. Logical
access controls are implemented to ensure that access to
systems, data and programs is restricted to authorized users
so as to safeguard information against unauthorized use,
disclosure or modification, damage or loss.
These controls relate to having an operational
and tested IT continuity plan, which is in line with
the overall business continuity plan, and its related
business requirements so as to make sure IT
services are available as required and to ensure
a minimum business impact in the
event of a major disruption
The objective of application controls is to ensure
that data remains complete, accurate and valid
during its input, update and storage. The specific
controls could include form design, source
document controls, input, processing and output
controls, media identification, movement and library
management, data back-up and recovery etc.
Boundary controls
Input controls
Processing controls
Output controls
Database controls
The major controls of the boundary system
are the access control mechanisms. Access
controls are implemented with an access
control mechanism and links the authentic
users to the authorized resources they are
permitted to access.
Boundary control techniques are:
Cryptography
Passwords
Identification Cards
These are responsible for ensuring the accuracy
and completeness of data and instruction input
into an application system. Input controls are
important since substantial time is spent on input
of data, involve human intervention and
are therefore error and fraud prone.
Data processing controls perform validation checks
to identify errors during processing of data.
They are required to ensure both the completeness
and the accuracy of data being processed.
Normally the processing controls are enforced
through the database management system
that stores the data.
This ensure that the data delivered to
users will be presented, formatted and
delivered in a consistent and secured
manner. Output can be in any form, it
can either be a printed data report or a
database file in a removable media.
Protecting the integrity of a database when
application software acts as an interface to
interact between the user and the
database are called the update controls
and report controls.
Data Integrity
Data Security
The organization has to decide about various data
integrity controls to be implemented. The primary
objective of data integrity control techniques is to
prevent, detect, and correct errors in transactions
as they flow through the various stages of a specific
date processing program.
Virus signature updating
Software testing
Division of environments
Disaster recovery
Data security encompasses the protection of
data against accidental or intentional disclosure to
unauthorized persons as well as the prevention of
unauthorized modification and deletion of the data.
Many levels of data security are necessary
in an information systems environment; they
include database protection, data integrity etc.
Logical access controls are the system-based
mechanisms used to designate who or what is
to have access to a specific system resource
and the type of transactions and functions
that are permitted.
Logical Access Paths
Security Policies
Online Terminals
Dial-up ports
Telecommunication network
Controls that reduce the risk of misuse (intentional
or unintentional), theft, alteration or destruction
should be used to protect unauthorized and
unnecessary access to computer files. Restricting
and monitoring computer operator activities in a
batch-processing environment provide this control.
Technical exposures
Asynchronous attacks
Authorization
Perpetrations may be because of employees who are:
Discontented
Former employee
Logging on Utilities
Plastic cards
Cryptographic control
Manual logging
Electronic logging
Video Cameras
Security guards
Bonded Personnel
Documentation
Supplies
People
Environmental exposures are primarily due to elements of nature. However,
with proper controls, exposure to these rudiments can be reduced.
Fire
Power spike
Common Occurrences are:
Electrical shock
Equipment failure
Smoke Detectors
Network Scanning
Virus/Malicious code
Spam
Others
Financial Loss
Legal Repercussions
Sabotage
Hacking
Cracking
Data Diddling
Data Leakage
Internet Terrorism
Logic Time Bombs
Masquerading or Impersonation
Password Cracking
Piggybacking
Round Down
Super Zapping