Information System Audit: Essential of IS Audit for IT Engineer
UP-ITTC, October 2010
Summary
Information system audit (IS audit) requires long experience and a lot of skill and knowledge about both audit and information technology. Because of this, this training course and text book include a summary of the knowledge and skill that an IS auditor needs, and especially detailed skill and knowledge about IS audit processes and methods for IT engineers who want to become IS auditors or conduct audit tasks.
Acknowledgments
The content of this training and text book is based on the Certified Information Systems Auditor (CISA) and the Japan Information Technology Engineers Examination - System Auditor Examination. The content of this training and text book is copyrighted to JICA (Japan International Cooperation Agency) and UP-ITTC (UP Information Technology Training Center), and was developed by Go Ota, PADECO Co., Ltd. and UP-ITTC.
Expected Trainees
IS audit requires a wide area of IT skill and knowledge, so the training expects the trainees to have, at least, passed the FE exam or to have the same level of IT experience (at least 5 years, desirably more than 10 years) and knowledge.
What is Audit? What is IS Audit?
Audit: "An official examination of accounts to see that they are in order" – The Oxford Dictionary
An INDEPENDENT assessment of / opinion on how well (badly) the financial statements were prepared
IS audit:
• A review of the controls within an entity's technology infrastructure
• Official examination of IT related processes to see that they are in order
What is IS Audit Activity? Difference Between Audit and Evaluation
(Diagram) A company is shown in four layers: Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure. Management performs Evaluation of these layers; an Independent party performs Audit of them.
Evaluation vs. Audit:
• Evaluation is an activity of management; Audit is an independent activity
• Evaluation looks at process and result; Audit checks against a norm
• Evaluation asks "doing right?"; Audit asks "managing right?"
• Performance; effectiveness and efficiency
• Next action is improvement
• Evaluation is done at the end-of-phase; Audit is done any time
• Ex. Evaluation: checking progress and quality of a project. Ex. Audit: checking a regulation of PM and how it is applied, including the current situation.
Viewpoint of an IS Auditor
Scope of General System Development: SDLC (System Development Life Cycle)
P1: Feasibility Study
P2: Requirement Definition
Buy or Make?
• Make (Build): P3: System Design, P4: Development
• Buy: P3: System Selection, P4: Configuration
P5: Implementation
P6: Post implementation Review
P7: Disposal
R (marked at the phases in the diagram): Evaluate and Performance Review by an Audit
Why IS Audit is needed? Social Background
Information systems have become a main function for business.
• Supporting business activity
• Keeping business information
• Main interface to customers
Innovation of ICT gave information systems a major role in business.
Problems of business management:
• Inappropriate IT system for the business strategy
• Big investment in IT systems and unclear ROI
Problems of security / risk management:
• Computer virus / illegal access
• System trouble and backup against disaster
Effective and efficient internal management and operation of information systems is needed.
=> Independent Information System Audit
Why IS Audit is needed? Legal Background (1)
After major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act', commonly called Sarbanes-Oxley, Sarbox or SOX, was enacted as a United States federal law on July 30, 2002.
• Directs the SEC to enact rules protecting shareholders and the economy
• Honesty in financial reporting
• Responsibility at the top
• Demonstrate compliance by audits
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting.
Internal control now depends on information systems, so evaluating internal control requires an audit of the information system.
Why IS Audit is needed? Legal Background (2)
(Diagram) Before SOX: the Company Auditor performs a Financial Audit of the Financial Statement (which rests on Internal Control) and issues a Financial Audit Report.
Under SOX the Company Auditor performs an Integrated Audit:
• Financial Audit (Result): audit of the Financial Statement, producing the Financial Audit Report
• Operation Audit (Process) = Internal Control Audit: audit of the Internal Control Statement, producing the Internal Control Audit Report
The Operation Audit assures the clearance of the financial statement.
Objectives of internal control:
• Effectiveness and efficiency of operation
• Assurance of the financial statement
• Compliance with laws
What is Internal Control?
Internal Control Model by COSO (the COSO cube):
• Objectives (top face): Operation, Reporting, Compliance
• Components (front face): Control Environment, Risk Management, Control Activity, Information and Communication, Monitoring, IT Control
• Organization (side face): Enterprise-level, Division or subsidiary, and Business unit
Activities flow: Objective -> Risk -> Control -> Financial Statement
Activities of Internal Control
• Control Environment: the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
• Risk Management: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
• Control Activity: the policies and procedures that help ensure management directives are carried out. Consists of 2 aspects: policy of what should be, and procedures to accomplish the policy.
• Information and Communication: support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
• Monitoring: assess the quality of internal control performance over time.
• IT Control: procedure or policy that provides a reasonable assurance that the information technology (IT) used by an organization
IT Internal Control <= Target of IS Audit
IT control consists of:
ITGC: IT general controls (over the IT Infrastructure: network, server, PC ..., and its development and operation)
• Logical access controls
• System development life cycle controls
• Program change management controls
• Data center physical security controls
• System and data backup and recovery
• Computer operation controls
ITCLC: IT Company Level Control
• IT Governance / Policy
• IT Risk Management
• Training
• Quality Assurance
• IT Internal Audit
ITAC: IT Application Control (over the application systems such as the Accounting System, Sales System, ...), to keep data complete and accurate
• Input Data Control
• Process Control
• Output Control
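The three application controls (input, process, output) are usually implemented with control totals carried with each batch of records. The following is an added example, not code from the slides or from ISACA material: a Python script that checks a constructed batch of sales transactions against its batch header at input, after posting (a run-to-run check), and at output. The record layout, the batch contents, and the choice of the account number as the hash-total field are assumptions made for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: int       # customer account number (used as the hash-total field; assumed layout)
    amount: Decimal    # transaction amount


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # completeness: were all records received?
    amount_total: Decimal  # accuracy of the financial field
    hash_total: int        # sum of a non-financial field; detects altered or swapped account numbers


def compute_totals(txns):
    return ControlTotals(
        record_count=len(txns),
        amount_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(t.account for t in txns),
    )


def input_control(received, header):
    """Input data control: totals recomputed from the received records must equal the batch header."""
    actual = compute_totals(received)
    findings = []
    if actual.record_count != header.record_count:
        findings.append(f"input: record count {actual.record_count} != declared {header.record_count} (lost or duplicated records)")
    if actual.amount_total != header.amount_total:
        findings.append(f"input: amount total {actual.amount_total} != declared {header.amount_total} (altered amounts)")
    if actual.hash_total != header.hash_total:
        findings.append(f"input: hash total {actual.hash_total} != declared {header.hash_total} (altered account numbers)")
    return findings


def post_batch(received, ledger):
    """Process control: post to the ledger, then a run-to-run check confirms every record was applied once."""
    before = sum(ledger.values(), Decimal("0"))
    for t in received:
        ledger[t.account] = ledger.get(t.account, Decimal("0")) + t.amount
    moved = sum(ledger.values(), Decimal("0")) - before
    expected = compute_totals(received).amount_total
    return [] if moved == expected else [f"process: ledger moved by {moved}, batch total {expected}"]


def output_control(received, report_lines):
    """Output control: the posting report must reconcile to the input batch in count and amount."""
    reported = sum((amount for _, amount in report_lines), Decimal("0"))
    expected = compute_totals(received)
    if len(report_lines) == expected.record_count and reported == expected.amount_total:
        return []
    return [f"output: report {len(report_lines)} lines / {reported} does not reconcile to batch {expected.record_count} lines / {expected.amount_total}"]


def audit_batch(received, header):
    """Run the three application controls in order; a failed input control stops processing."""
    findings = input_control(received, header)
    if findings:
        return findings
    ledger = {}
    findings += post_batch(received, ledger)
    report_lines = [(t.account, t.amount) for t in received]  # the posting report, one line per record
    findings += output_control(received, report_lines)
    return findings


# Constructed sample data. HEADER is what the sending system declared for the batch.
GOOD_BATCH = [Txn(1001, Decimal("250.00")), Txn(1002, Decimal("75.50")), Txn(2005, Decimal("120.00"))]
HEADER = compute_totals(GOOD_BATCH)  # 3 records, 445.50, hash total 4008
# Same count and amount, but one account was keyed as 1010 instead of 1001: only the hash total catches it.
TRANSPOSED_BATCH = [Txn(1010, Decimal("250.00")), Txn(1002, Decimal("75.50")), Txn(2005, Decimal("120.00"))]
# Last record lost in transmission: count, amount and hash all disagree with the header.
DROPPED_BATCH = GOOD_BATCH[:2]

if __name__ == "__main__":
    for name, batch in [("good", GOOD_BATCH), ("transposed", TRANSPOSED_BATCH), ("dropped", DROPPED_BATCH)]:
        print(name, audit_batch(batch, HEADER) or "no findings")
```

The transposed batch is the case an auditor should look for when reviewing a control design: record counts and amount totals both pass, and only the hash total on a non-financial field reveals that a record was altered.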
What is IS Audit? (Again)
"The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently." - Ron Weber
The purpose of IS audit is to realize IT governance through independent and professional auditors who give appropriate assurance based on evaluation of the risk management and control of the information system. - "Information System Audit Standard", Japan Ministry of Economy, Trade and Industry
Case of ITGC: Project Management
(Diagram) Development phases in a V shape, each design phase paired with the test that verifies it:
• User Requirements <-> Acceptance Test
• System Requirements <-> System Test
• Global (Basic) Design <-> Integration Test
• Detail Design <-> Component Test
• Programming
Organization: the Division sets the Project Management Regulation; the Project Manager runs Project Management over the Project/Development and produces the Project Documents.
IS Audit questions:
• Is the development method appropriate?
• Does the selection of the system architecture have an appropriate reason?
• Was the cost estimated by the right procedure and method?
• Does the integration testing use appropriate data?
• Does the project follow the regulation?
Who becomes an Auditor?
(Account) Auditor, with experiences of:
• Accounting
• Audit
IT Specialist, with experiences of:
• IT Strategy
• Development
• Project Management
• IT Security
• Service Management
• ...
Both routes lead to Information System Audit.
Certification:
• CISA (Certified Information Systems Auditor) by ISACA (Information Systems Audit and Control Association), from 1978. More than 75,000 professionals in nearly 160 countries; for both (Account) Auditors and IT Specialists
• System Auditor by the Japan Information Technology Engineers Examination, from 1985; mainly for IT Specialists
If an (Account) Auditor wants to become an IS auditor, he/she should master at least the skill and knowledge of the FE exam level.
Target of IS Audit and IS Auditor's Skill and Knowledge
CISA examination domains (% of the number of questions in the CISA exam):
• Domain 1: IS Audit Process (10%) <= Skill and knowledge for conducting IT audit
• Domain 2: IT Governance (15%)
• Domain 3: Systems and Infrastructure Lifecycle Management (16%)
• Domain 4: IT Service Delivery and Support (14%)
• Domain 5: Protection of Information Assets (31%)
• Domain 6: Business Continuity and Disaster Recovery (14%)
Domains 2 to 6 <= Target of IS audit, and skill and knowledge for IT systems and points of audit
Map of IS Auditor's skill and knowledge
The map lays the six CISA domains out over four columns: IT Technical, IT Management, IT Governance, and Audit Process & Method. Grouped by domain, the topics are:
• D1: IS Audit Process (Audit Process & Method): Process; Method; Communication; Related standards
• D2: IT Governance (IT Governance): IT Strategy; Organization Mng.; Risk Management
• D3: Systems and Infrastructure Lifecycle Management: Development method; Software Testing; System/APP Architecture; E-commerce/AP knowledge; APP control; Project Management; SQM
• D4: IT Service Delivery and Support: H/W, OS, Middleware; Network & DB; Operation & Maintenance; Service Delivery; Service Support; Service Strategy
• D5: Protection of Information Assets: Network security; Security Technology; Logical Security; Physical Security; Security Policy & Strategy; IT Security Audit
• D6: Business Continuity and Disaster Recovery: Operation & Maintenance; Backup & Recovery; Business contingency Planning
How to become an IS Auditor (case of CISA)
1. Getting CISA certification
a) Pass the CISA examination: 500-600 hours of self learning or 150-200 hours of exam school.
b) Minimum of 5 years of Information Systems Audit, Control or Security experience, within 10 years of applying and within 5 years of passing the exam
c) Compliance with the Information Systems Audit and Control Association Code of Professional Ethics <= Excellent job
2. Keeping CISA certification: CISA Continuing Education Policy
a) Annually report a minimum of 20 hours of continuing professional education
b) Report a minimum of 120 contact hours of continuing education for each fixed three-year period
Certified Information Systems Auditor (CISA): http://www.isaca.org/
What is the meaning of "Keeping CISA certification"?
Professional Ethics (ISACA Code)
• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
Overview of D1: IS Audit Process, Task & Process
Summary of the Audit Process: Audit Planning -> Perform Test -> Reporting -> Follow-Up Activity
Example: small audit for Logical Access Control (control over users and programs accessing data, programs and applications)
• Audit Planning: the purpose is to evaluate the validity of the logical access control (password) in the targeted organization
• Perform Test: reviewing the regulation on policy, management and usage of passwords; inspecting and surveying the management of passwords
• Reporting: reporting whether the current regulation and management of passwords is appropriate or not
• Follow-Up Activity: how to modify and improve the logical access control for passwords
Topics of D1: audit mission and planning, laws and regulations, standards and guidelines for IS auditing, risk analysis, internal controls, performing an IS audit
Overview of D2: IT Governance
To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.
Examples of target:
• Planning the IT strategy with the IT Steering Committee
• Implementation of the IT strategy
• Business Process Reengineering
• Risk management for the IT strategy
• Organization and Personnel Management

Overview of D3: Systems and Infrastructure Lifecycle Management
To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization's objectives.
Examples of target:
• Application development process and regulation, including needs analysis and cost estimation
• Quality Management
• Validation of computer and system architecture for applications
• Application control
• Management of outsourcing and vendors

Overview of D4: IT Service Delivery and Support
To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.
Examples of target:
• Service Level Agreement
• Validation of hardware and software
• Validation of network infrastructure
• Monitoring of information systems / infrastructure
• Capacity and Configuration Management
• Configuration Management of software
• Regulation of operation and maintenance
• Help (Service) Desk and Incident/Problem management

Overview of D5: Protection of Information Assets
To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
Examples of target:
• Policy and regulation of IT security, including risk management
• Validation of logical access control such as passwords and authentication
• Validation of physical access control with security technology and devices
• Validation of security of the network infrastructure
• Validation of the encryption system
• Validation of environmental control against fire, power breakdown and …

Overview of D6: Business Continuity and Disaster Recovery
To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
Examples of target:
• Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
• Validation of backup and recovery against disasters
• Validation of means for continuity against disasters
Related important laws, regulations and guidelines
(Table: each row marks with X the CISA domains 1 2 3 4 5 6 to which the standard applies)
• Standards, Guidelines, and Tools and Techniques for Audit/Assurance and Control Professionals by ISACA: X X X X X X
• Public Company Accounting Reform and Investor Protection Act of 2002 (SOX): X X X X
• The Control Objectives for Information and related Technology (COBIT) by ISACA: X X X X X X
• ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security management: X X X X X X
• Information Technology Infrastructure Library (ITIL): X X X X X
• Val IT by IT Governance Institute (ITGI): X X
• Project Management Body of Knowledge (PMBOK): X X X
• COSO (The Committee of Sponsoring Organizations of the Treadway Commission) Control Framework: X X X
• CMMI (Capability Maturity Model® Integration): X X X
• ISO/IEC 9126 & 25000 Software engineering - Product quality, an international standard for the evaluation of software quality: X X X X X
Where does an IS auditor work?
(Diagram) The Company & Organization (Policy and Strategy; Organization and Regulation/Standard; Business Activities; Business Infrastructure) is audited from three positions:
• Internal Audit, inside the company: Assurance; Consulting
• Audit Company: External Audit (Accounting Audit; IS Audit)
• Consultant Company: IS Consultant
New movement of IS Audit: Security
On the same map of skill and knowledge (columns IT Technical, IT Management, IT Governance, Audit Process & Method; domains D1: IS Audit Process, D2: IT Governance, D3: Systems and Infrastructure Lifecycle Management, D4: IT Service Delivery and Support, D5: Protection of Information Assets, D6: Business Continuity and Disaster Recovery), two security certifications are positioned:
• CISM (Certified Information Security Manager) by ISACA
• Information Security Specialist by the Japan Information Technology Engineers Examination
Study style of this lecture
Each chapter or section follows this cycle:
• Quiz (about 20 questions) from the CISA exam, for the XX domain of CISA. Purpose: checking your current knowledge and skill about IT for IS audit; making an anchor to understand and memorize new knowledge and skill for IS audit; finding and understanding the viewpoint of an IS auditor. (Start of a new chapter or section)
• Explanation of related knowledge and skill: skill and knowledge for IS auditing; basic IT skill and knowledge for an IS auditor
• Explanation and reflection on the answers to the quiz
Overview of Tasks for Domain 3
3.1 Evaluate proposed system development/acquisition to ensure that it meets the business goals.
3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner.
3.3 Perform reviews to ensure that a project is progressing in accordance with project plans and project management regulation.
3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing.
3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
3.7 Perform post-implementation review and periodic reviews of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
3.8 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control.
3.9 Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures.
Overview of skill and knowledge for Domain 3
3.1 benefits management practices
3.2 project governance mechanisms (e.g., steering committee)
3.3 project management practices, tools, and control frameworks
3.4 risk management practices applied to projects
3.5 project success criteria and risks
3.6 configuration, change and release management in relation to development and maintenance of systems and/or infrastructure
3.7 control objectives and techniques that ensure the completeness, accuracy, validity, and authorization of transactions and data within IT systems applications
3.8 enterprise architecture related to data, applications, and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
3.9 requirements analysis and management practices
3.10 acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management, escrow)
3.11 system development methodologies and tools and an understanding of their strengths and weaknesses
3.12 quality assurance methods
3.13 the management of testing processes
3.14 data conversion tools, techniques, and procedures
3.15 system and/or infrastructure disposal procedures
3.16 software and hardware certification and accreditation practices
3.17 post-implementation review objectives and methods
3.18 system migration and infrastructure deployment practices
IS Audit Small Quiz No.1
Domain 3 (1): Systems and Infrastructure Lifecycle Management
Subject: Project Plan, Project Management, Architecture, method and APP
Quiz book
35
Overview : SLDC (System Development Lift Cycle) by ISACAU
P1: Feasibility Study
P2: Requirement Definition
P3: System Design
P4: Development
P3: System Selection
P4: Configuration
P5: Implementation
Review
P6: Post implementation
P7: Disposal
R
P3: Buy or Make
R
R
R R
R
R
BuyMake (Build)
Scope of General System
Development
36
Overview of Development Organization
(Org chart) Senior Management, the Steering Committee, the Project Sponsor and User Management sit above Project Management (with Quality Assurance), which leads:
• Project Development: Project Team (Application / system Analysis; Programmer; Tester)
• User Project Team
• Technical Infrastructure Team Leader (Software Support; Hardware Support; Network Support)
Overview of SDLC Phase 1 and 2
Phase 1: Feasibility Study. To determine the strategic benefit of the new information system and analyze possible resolutions to realize the needs.
• Define the business case
• Define the objectives with supporting evidence
• List up possible resolutions
• Perform a preliminary risk assessment
• Agree upon an initial budget and expected return on investment (ROI)
Phase 2: Requirement Definition. To create a detailed definition of the needs including inputs, outputs, current environment and proposed interaction.
• Collect specifications (requirements) and supporting evidence
• Identify which standard (technology) will be implemented for the specifications
• Create a quality control plan to ensure that the design complies with the specifications
Overview of SDLC Phase 3 and 4
Phase 3: Plan solution and system design / system selection. To plan the solution (strategy), whether to make (build) or buy, based on the objectives from Phase 1 and the specifications from Phase 2.
Case of Build:
• Make designs such as user requirements, basic design, detail design and operation design (start of the development process)
Case of Buy:
• Make an RFP (Request for Proposal) to select the best vendor and product based on the specification in Phase 2
• Conduct bidding to select the vendor and product
Phase 4: Development and configuration
Case of Build:
• Making programs and conducting testing
Case of Buy:
• Customization is typically limited to program configuration settings with a limited number of customized reports
Overview of SDLC Phase 5, 6 and 7
Phase 5: Implementation. To install the new system; the final user acceptance test (mainly function testing) begins. The system undergoes a process of final certification and approval.
Phase 6: Post implementation. After the system has been in production use, it is reviewed for effectiveness in fulfilling the original objectives.
• Compare performance metrics to the original objectives
• Re-review the specifications and requirements annually
• Implement requests for new requirements, update or disposal
Phase 7: Disposal. The final phase is the proper disposal of equipment and purging of data.
Overview of Development Models (1)
a. Water-fall model (drawn as a V: each design stage is verified by the corresponding test stage)
• User Requirements <-> Acceptance Test
• System Requirements <-> System Test
• Global (Basic) Design <-> Integration Test
• Detail Design <-> Component Test (= Debug)
• Programming -> Test
Overview of Development Models (2)
b. Agile Development: the system is built function by function, each in its own short cycle
• Function 1: Design -> coding -> Test
• Function 2: Design -> coding -> Test
• Function 3: Design -> coding -> Test
Overview of Development models (3)
Comparison of Water fall / Agile / Spiral (Prototyping):
• Document: Water fall: document based; Agile: minimum; Spiral: minimum
• Confirmation of requirement: Water fall: by document; Agile: by software; Spiral: by software
• Changing requirement: Water fall: difficult; Agile: easy; Spiral: easy
• Programmer: Water fall: a few - hundreds; Agile: a few - 20
• 1 cycle: Water fall: months - years; Agile: weeks - months; Spiral: a month - a year
• Management: Water fall: initial plan; Agile: in each cycle
• Collaboration: Water fall: defined by regulation; Agile: personal
Overview of Design and Development methods
• SD/SA: Structured Design / Structured Analysis. Structured Design (SD) is concerned with the development of modules and the synthesis of these modules in a so-called "module hierarchy".
• OOD: Object-oriented design. The process of planning a system of interacting objects for the purpose of solving a software problem.
Overview of Project Management
PMBOK Knowledge Areas:
1. Project Integration Management
2. Project Scope Management
3. Project Time Management
4. Project Cost Management
5. Project Quality Management
6. Project Human Resources Management
7. Project Communications Management
8. Project Risk Management
9. Project Procurement Management
Project Managing Triangle: Performance balanced against Time and Cost, and Performance balanced against Time and Resources (the slide shows the two triangles)
Overview of Cost estimation and Scheduling
Planning consists of cost estimation and scheduling.
Cost estimation techniques:
• Function point
• Lines of code
• WBS (Work Breakdown Structure)
• Bottom-up estimate
• Parametric modeling
• Analogous estimate
Scheduling techniques:
• PERT
• Gantt chart
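Of the scheduling techniques listed, PERT is the one that yields a project duration once all activities and their dependencies are known (the point made again in quiz answer 1-5), which is what an auditor checks when asking whether the schedule was produced by the right method. The following is an added example, not from the slides or from PMBOK: it computes PERT expected durations from three-point estimates, runs the forward and backward pass, and reports slack and the critical path for a constructed five-activity network. The activity names, estimates and dependencies are made up for the illustration.

```python
from collections import deque
from fractions import Fraction

# Constructed activity network: name -> (predecessors, (optimistic, most likely, pessimistic) in days).
ACTIVITIES = {
    "A": ((), (2, 4, 6)),
    "B": ((), (3, 5, 13)),
    "C": (("A",), (1, 2, 3)),
    "D": (("A", "B"), (4, 6, 8)),
    "E": (("C", "D"), (2, 3, 4)),
}


def expected_duration(o, m, p):
    """PERT three-point estimate (O + 4M + P) / 6, kept exact with Fraction."""
    return Fraction(o + 4 * m + p, 6)


def topological_order(activities):
    """Kahn's algorithm; raises if the network has a cycle (an activity waiting, via others, on itself)."""
    indegree = {name: len(preds) for name, (preds, _) in activities.items()}
    successors = {name: [] for name in activities}
    for name, (preds, _) in activities.items():
        for p in preds:
            successors[p].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(activities):
        raise ValueError("activity network contains a cycle")
    return order, successors


def pert_schedule(activities):
    """Forward pass (earliest start/finish), backward pass (latest start/finish), slack and critical path."""
    order, successors = topological_order(activities)
    dur = {n: expected_duration(*est) for n, (_, est) in activities.items()}
    es, ef = {}, {}
    for n in order:  # forward pass: an activity starts when its last predecessor finishes
        es[n] = max((ef[p] for p in activities[n][0]), default=Fraction(0))
        ef[n] = es[n] + dur[n]
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for n in reversed(order):  # backward pass: latest finish without delaying any successor
        lf[n] = min((ls[s] for s in successors[n]), default=project_duration)
        ls[n] = lf[n] - dur[n]
    schedule = {
        n: {"duration": dur[n], "es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n], "slack": ls[n] - es[n]}
        for n in order
    }
    critical_path = [n for n in order if schedule[n]["slack"] == 0]  # zero slack: any delay delays the project
    return project_duration, schedule, critical_path


if __name__ == "__main__":
    duration, schedule, critical = pert_schedule(ACTIVITIES)
    for n, s in schedule.items():
        print(n, {k: str(v) for k, v in s.items()})
    print("project duration:", duration, "days; critical path:", " -> ".join(critical))
```

For the constructed network the expected durations are A=4, B=6, C=2, D=6, E=3 days, the project takes 15 days, and B -> D -> E is the critical path; A has 2 days of slack and C has 6. A schedule that claims a shorter duration than the critical path allows is the kind of inconsistency an audit of the project plan should pick up.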
Overview of Procurement
Define Specification -> Make RFP (Request for Proposal) -> Bidding -> Vendor Evaluation (criteria; vendor long list; vendor short list) -> Select Vendor -> Make Contract -> Delivery -> Install -> Acceptance Test
Overview of RFP (Request for Proposal)
The slide groups the RFP content into a Commercial Part and a Technical Part.
Commercial Part:
• Qualification of Vendor: the vendor supplying and supporting the product should be reputable and should be able to provide evidence of financial stability
• Bidding document: specifies the bidding documents the vendors submit
• Contract Condition: conditions such as payment, delivery and warranty in the contract
• Bid opening and evaluation: criteria for selecting the vendor
• Requested document: client list and other evidence of the product and system
Technical Part:
• Product and system Requirement: the main content of the RFP. Defines the detailed specification of the requested product and system. It includes not only functional specifications but also non-functional specifications such as reliability and performance
• Installation schedule: when the product and system will be needed
• Test plan: installation test plan
• Client support: training, operation support, maintenance, warranty
Overview of Business APP
• E-commerce: the buying and selling of products or services over electronic systems such as the Internet and other computer networks.
• E-banking / Online banking: conducting financial transactions on a secure website operated by the customer's retail or virtual bank, credit union or building society.
• CIM: Computer-integrated manufacturing: both a method of manufacturing and the name of a computer-automated system in which the individual engineering, production, marketing, and support functions of a manufacturing enterprise are organized.
• DSS: Decision support system: DSSs serve the management, operations, and planning levels of an organization and help to make decisions, which may be rapidly changing and not easily specified in advance.
• SCMS: Supply chain management software: supply chain transactions, managing supplier relationships and controlling associated business processes. It commonly includes: customer requirement processing, purchase order processing, inventory management, goods receipt and warehouse management, supplier management / sourcing.
• CRM: Customer relationship management: sales force automation, marketing, and customer service and support.
Overview of Risk of Business APP
• E-commerce: clear business case; innovation is so rapid; certification; privacy of customers; high reliability and electronic signature
• E-banking / Online banking: innovation is so rapid; security of authentication; privacy of customers; high reliability and integration with other systems
• CIM: Computer-integrated manufacturing: a big system consisting of many systems and software; a clear feasibility study is needed
• DSS: Decision support system: difficulty of defining purpose and usage; ROI is not clear
• SCMS: Supply chain management software: changing workflow and business model
• CRM: Customer relationship management: innovation is so rapid; security of authentication; privacy of customers
Overview of Technology for Business APP
• EDI: Electronic data interchange: structured transmission of data between organizations by electronic means. It is used to transfer electronic documents or business data from one computer system to another computer system.
• Data warehouse: to retrieve and analyze data, to extract, transform and load data, and to manage the data dictionary.
• Cloud computing: Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. Ex. SaaS.
• Office suite: an office software suite or productivity suite is a collection of programs intended to be used by knowledge workers. Ex. Google Apps.
• ERP: Enterprise resource planning: an integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources.
• Smart phone: a mobile phone that offers more advanced computing ability and connectivity than a contemporary basic 'feature phone'.
• CTI: Computer telephony integration: technology that allows interactions on a telephone and a computer to be integrated or co-ordinated. As contact channels have expanded from voice to include email, web, and fax, the definition of CTI has expanded to include the integration of all customer contact channels (voice, email, web, fax, etc.) with computer systems.
Overview of Development tools (IDE)
• CASE: Computer-aided software engineering: a set of tools and methods for a software system which is meant to result in high-quality, defect-free, and maintainable software products.
• Visual Studio .NET: it can be used to develop console and graphical user interface applications along with Windows Forms applications, web sites, web applications, and web services in both native code and managed code for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.
• Eclipse: it is written primarily in Java and can be used to develop applications in Java and, by means of various plug-ins, other languages including C, C++, COBOL, Python, Perl, PHP, Scala, Scheme and Ruby (including the Ruby on Rails framework).
• Test Framework: JUnit
Overview of Actual (Practical) Tools
Example 1: OSS for Eclipse (Java). The slide maps the tools onto the test phases Programming, Component Test, Integration Test, System Test and Acceptance Test.
Static Analysis / Code Metrics:
• Eclipse Metrics Plugin: calculate code metrics such as complexity and dependency
• Checkstyle / PMD: check the style of code
• FindBugs: find bad coding that seems likely to produce bugs
• CAP / JDepend4Eclipse: show dependency
Test design / Test case / Executing:
• djUnit: make mock classes for testing; coverage
• JUnit Factory: automatically generating test cases
• TPTP: support making test code and executing test cases, including on a remote host
• Automated Continuous: executing test cases automatically
Test Executing for Web:
• Solex: record, replay and edit HTML sessions
• WSUnit: simulate XML web services
Performance Testing:
• Extensible Java Profiler / iMechanic / Eclipse profiler plug-in: measure the number of calls, time and usage of memory
Test Executing for Web / Performance Testing:
• Selenium: record, replay and edit browser actions
• JMeter: executing web access sessions automatically
IS Audit Small Quiz No.1 (Answer) (1)1-1 (A)The first concern of an IS Auditor should be to ensure that proposal meets the needs of business, and this should be established by a clear business case.1-2 (B)AS IS auditor should not recommend discontinuing or completing the project before reviewing and updated business case.1-3 (D)Lack of adequate user involvement, especially in the system requirement phase, will usually in a system that does not fully or adequately address the needs of the user.1-4 (A)It is important that the project be planned properly and that specific phase and deliverables be identified during the early stage of the project.1-5 (B)A PERT chart will help determine project duration once all the activities and work involved with those activities are known.1-6 (D)Old (legacy) system that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is rebuilding activity to incorporate new technology into existing system.1-7 (A)The waterfall model has been best suited to the stable condition like (A).
55
IS Audit Small Quiz No.1 (Answer) (2)
1-8 (A) If resource allocation is decreased, an increase in quality can still be achieved if a delay in delivery time is accepted.
1-9 (A) Cost performance of a project cannot be properly assessed in isolation from schedule performance.
1-10 (C) Projects often have a tendency to expand, and this expansion often grows to the point where the originally anticipated cost-benefits are diminished. When this occurs, the project should be stopped or frozen to allow a review of all the costs, benefits and the payback period.
1-11 (C) A project steering committee is responsible for reviewing project progress to ensure that the project will deliver the expected results.
1-12 (D) In the case of deviation from the predefined procedure, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with business objectives and has been approved by the appropriate authorities.
1-13 (B) A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan.
56
IS Audit Small Quiz No.1 (Answer) (3)
1-14 (C) Choices A, B and D are not risks but characteristics of a DDS.
1-15 (B) Once the data are in a warehouse, no modification should be made to them, and access controls should be in place to prevent data modification.
1-16 (C) Best resolution.
1-17 (C) When implementing an application software package, incorrect parameter settings would be the greatest risk.
1-18 (C) The project portfolio database contains project data such as organization, schedule, objectives, status and cost.
1-19 (D) CMMI criteria show that the development organization follows a stable and predictable software process; CMMI does not guarantee the quality of each project.
1-20 (B) A strength of an IDE is that it expands the programming resources and aids available.
57
IS Audit Small Quiz No.2
Domain 3 (2) Testing, Implementation/Migration and APP control
Quiz book
58
Definition of basic terms related to bug, error, failure and risk
• Bug = Defect = Fault: a flaw in a component or system that can cause it to fail to perform its required function
• Error: a human action that produces an incorrect result
• Other factors: malice; natural environment
• Failure: deviation of the component or system from its expected delivery, service or result
  - A failure can occur without any defect, through human error alone
  - A defect sometimes manifests as a failure (a defect that is never reached in operation produces no failure)
• Risk: a factor that could result in future negative consequences; usually expressed as impact and likelihood (the factor leads to one of the possible negative results; impact and likelihood are the attributes used to rate the risk)
59
Overview of Test Phase
a. Waterfall model (V-model): each development phase on the left side of the V has a corresponding test level on the right side, and preparation of that test level starts during the development phase.
• User Requirements ↔ Acceptance Test
• System Requirements ↔ System Test
• Global (Basic) Design ↔ Integration Test
• Detail Design ↔ Component Test
• Programming (bottom of the V)
[Figure: V-model with a "Preparation" arrow from each left-hand phase to its test level]
60
Cost of Fixing Bugs in Test Phases
[Figure: cost of fixing a bug against the process phase in which it is found: Requirement, Design, Programming, Test, Operation; the cost rises steeply the later in the process the bug is found]
Principle 3 – Early testing
61
Target of Testing
Functional Testing (functionality characteristics: suitability, accuracy, compliance, interoperability, security)
• Ordinary testing: functions of the system and/or software that are typically described (explicitly or implicitly) in a requirements specification, a functional specification, or in use cases.
Non-Functional Testing (reliability, usability, efficiency, maintainability)
• Performance testing, load testing, stress testing, security testing, usability testing, maintenance testing, reliability testing
Integration Test (in the test environment) / System Test (in the real environment)
62
Overview of Testing Techniques
Static (without running the program)
• Document check (review)
  - Informal review
  - Formal review: walk-through, technical review, inspection
• Code check
  - Style check
  - Flow check
  - Bug detection
  - Code metrics
Dynamic (running the program)
• Structure (code)-based = white box testing
  - Statement coverage, decision coverage, condition coverage, multiple condition coverage
• Specification-based = black box testing
  - Equivalence partitioning, boundary value analysis, decision table, state transition, use case testing
• Experience-based
  - Error guessing, exploratory testing
63
How to Conduct Component Test and Integration Test
• Component Test: the target module is tested in isolation. A dummy driver (standing in for the calling module) invokes it, and a dummy stub (standing in for a called module) answers its calls.
• Integration Test
  - Bottom-up method: the lowest modules (Target Module 3 and 4) are tested first, each with its own driver (Driver for 3, Driver for 4). Target Module 2 is then added and exercised with Driver for 2, and finally Target Module 1. No stubs are needed.
  - Top-down method: Target Module 1 is tested first with stubs standing in for the modules it calls (Stub for 2). Target Module 2 is then added, with stubs standing in for Modules 3 and 4, and so on down the tree. No drivers are needed.
[Figure: module trees for the bottom-up and top-down methods showing where drivers and stubs are placed]
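The stub/driver arrangement of this slide, as an added example in Python's unittest (this is not code from the training text). The upper module approve_order is tested through a driver while its lower module is replaced by a stub, and the lower module CreditLedger gets its own driver; the test cases are chosen by boundary value analysis around the credit limit. The module names, the credit rule and the test data are assumptions made for illustration.

```python
# Added example, not from the training text: a component test of an "upper"
# module using a stub for the "lower" module it calls (as in top-down
# integration), and drivers that call each module (as in bottom-up integration).
# The module names, the credit rule and the test data are assumptions.
import io
import unittest


class CreditLedger:
    """Real lower module: available credit is the limit minus the open balance."""

    def __init__(self, limits, balances):
        self.limits = limits
        self.balances = balances

    def available(self, customer_id):
        return self.limits[customer_id] - self.balances.get(customer_id, 0)


def approve_order(customer_id, amount, ledger):
    """Target (upper) module: approve when the amount is within available credit."""
    if amount <= 0:                       # invalid equivalence partition
        raise ValueError("amount must be positive")
    return amount <= ledger.available(customer_id)


class LedgerStub:
    """Stub: stands in for CreditLedger while approve_order is tested in isolation."""

    def __init__(self, canned):
        self.canned = canned
        self.calls = []                   # recorded so the driver can check the interface

    def available(self, customer_id):
        self.calls.append(customer_id)
        return self.canned[customer_id]


def boundary_cases(limit):
    """Boundary value analysis around the credit limit: just below, on, just above."""
    return [(limit - 1, True), (limit, True), (limit + 1, False)]


class ApproveOrderDriver(unittest.TestCase):
    """Driver for the upper module; the lower module is replaced by the stub."""

    def test_boundaries(self):
        stub = LedgerStub({"C1": 1000})
        for amount, expected in boundary_cases(1000):
            self.assertEqual(approve_order("C1", amount, stub), expected)
        self.assertEqual(stub.calls, ["C1"] * 3)

    def test_invalid_partition(self):
        with self.assertRaises(ValueError):
            approve_order("C1", 0, LedgerStub({"C1": 1000}))


class LedgerDriver(unittest.TestCase):
    """Driver for the lower module, tested on its own (bottom-up)."""

    def test_available_subtracts_open_balance(self):
        ledger = CreditLedger({"C1": 1000}, {"C1": 250})
        self.assertEqual(ledger.available("C1"), 750)


def run_drivers():
    """Run both drivers; return (tests run, failures + errors)."""
    loader = unittest.TestLoader()
    suite = unittest.TestSuite()
    suite.addTests(loader.loadTestsFromTestCase(ApproveOrderDriver))
    suite.addTests(loader.loadTestsFromTestCase(LedgerDriver))
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    unittest.main()
```

The stub records the calls it receives, so the driver can check the interface between the two modules as well as the result; that recorded call list is what the integration test later replaces with the real CreditLedger.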
64
Overview of Quality Management / Monitoring / Reporting
• Quality of testing: coverage, test case density, bug density
• Quality of the target software: number of bugs in each module, bug density in each module, bug history (number detected = open, number fixed = closed), software reliability growth curve
[Figure: number of bugs against days, with an "open" (detected) curve and a "close" (fixed) curve]
65
Example: Useful Metrics (what kind of metrics Microsoft is using)
Cost / Time / Features
• Project: cost, time
• Implementation: progress of implementation
• Program/system: LOC (lines of code), complexity of code, LOC for modification, time for build
• Testing: coverage, number of test items, number of test items carried out by automated tools
Quality
• Project: expected MTTF (mean time to failure), expected MTTF under stress
• Implementation: number of bugs per build, type of problem in each build
• Program/system: number of bugs in each module, bug density in each module, bug history, software reliability growth curve
66
Type of Test Organization (Independent Tester)
A. No independent tester: within the development group, programmer = tester.
B. Independent testers within the group: the development group contains programmers and separate testers.
C. Independent tester team within the group: a development team (programmers) and a test team (testers) both report to the project manager.
D. Independent testers at the user group: the development group has the programmers; the testers belong to the user group.
E. Independent test specialists for specific test targets, such as usability, security or certification testers: a test group of testers for the specific target works alongside the development group.
F. Independent testers outsourced or external: a test group of outsourced testers, or an SQM dev. (software quality management) organization.
[Figure: organization charts for A–F]
67
Activity of Implementation and Migration
• Implementation / migration planning
  - Preparation of planning: to-be support structure and functions
  - User/operator training plan
  - Data migration plan
  - Fallback (rollback) scenario
• Changeover (go-live or cutover) techniques
  1. Parallel changeover: the old system (Modules 1..m) and the new system (Modules 1..n) run side by side for part of the rollout schedule and their results are compared before the old system is retired.
  2. Abrupt changeover: at one point in the rollout schedule the old system is switched off and the new system switched on (direct cutover).
  3. Phased changeover: the modules of the new system replace the corresponding old modules one at a time across the rollout schedule.
[Figure: rollout timelines for the three techniques]
68
Risk of Operation of Information Systems
Even if the system of ABC Company doesn't have bugs, there are many risks and failures in operation:
• Mistakes in input (operator)
• Mistakes in updating master data
• Error transactions from customers
• Illegal access (criminal)
• Inappropriate procedure for handling error data
• Throwing out reports
• Automated transactions executed without checking
• Inconsistency of data between companies (ABC Company, 123 Company, XYZ Company)
[Figure: ABC Company's e-commerce system and e-commerce DB, with customers, operators, a criminal and partner companies as the sources of the risks above]
69
Definition of error, failure and risk in Test and Control
• Bug = Defect = Fault: a flaw in a component or system that can cause it to fail to perform its required function
• Human error: a human action that produces an incorrect result
• Failure: deviation of the component or system from its expected delivery, service or result
• Risk: a factor that could result in future negative consequences; usually expressed as impact and likelihood
• Factors: malice; change of environment (disaster, new standard)
[Figure: remaining bugs, operation errors, crime and system breaks are risks; when they appear and/or occur they become failures. Test removes bugs beforehand; risk management and control keep the remaining risks from turning into failures]
70
Test and ITAC (Control) and Audit in the Context of Risk Management
• Test: activity to get rid of the factors that create risks and failures, before cut-over
• ITAC (IT Application Control): activities, processes and means to prevent risks and failures and/or to reduce the effect of risks and failures, after cut-over
Role of auditors related to ITAC
• Propose and suggest activities, processes and means for control
• Audit (monitor and check) the controls
71
System Development and IT Control
[Figure: the life cycle Requirement Analysis → Design & Program → Testing → Migration → Cut-over → Operation, with Maintenance, Changing and Monitoring during operation. Project Management and Software Quality Assurance govern the phases before cut-over; Operation Management and IT Control (ITAC) govern operation. Each control is made up of control functions, manuals & procedures, activities, regulations and management.]
All items are targets of IS audit.
72
IT Control: three layers
• ITCLC: IT Company Level Control
  - IT governance/policy, IT risk management, training, quality assurance, IT internal audit
• ITGC: IT General Controls (over the IT infrastructure: network, servers, PCs, …, and over development and operation)
  - Logical access controls
  - System development life cycle controls
  - Program change management controls
  - Data center physical security controls
  - System and data backup and recovery
  - Computer operation controls
• ITAC: IT Application Control (complete and accurate processing in each application system, e.g. accounting system, sales system, …)
  - Input data control
  - Processing control
  - Output control
73
Control Items of ITAC
Major means of control
• Input Management (Control): data entry controls; input (transaction) authorization; batch control; segregation of duties; system edits; error reporting and handling
• Processing Management (Control): interface control; data file control; system edits; error reporting and handling
• Output Management (Control): reconciliation; distribution; access
• Access Management (Control), an ITGC that the application controls rely on: user IDs/passwords; data security; network security; security administration; access authorization
74
Overview of Means and Techniques
Internal control means, by who carries them out:
• Human: regulation of human operation; working records
• Computer: function for detecting errors; operation logs; system logs & transaction logs
• Computer & Human: regulation of the monitoring system
Information system audit techniques, correspondingly:
• Human: checking regulations; checking working records
• Computer: checking system logs; testing functions
• Computer & Human: testing & monitoring the system
75
Objectives of Control of Input Management (Control)
Objective / Sample of control / Sample of audit
• The organization makes a regulation for input management and complies with it
  - Control: regulation including procedure, method of verification and authorization for input activities
  - Audit: checking regulation documents; inspection of working records of input activity
• Input operations are carried out based on the regulation and assure no repeated nor missing input
  - Control: procedure to put a stamp on a form sheet after input; system function to check the serial numbers of input data
  - Audit: all form sheets have a stamp after input; checking that there is no repeated data in the database
• Sufficient means and functions prevent input errors and illegal operation
  - Control: system function that detects invalid data input; operators can use only specific PCs (terminals)
  - Audit: review and testing of the system function; access log of the PCs
• Storing and disposing of data is carried out based on the regulation
  - Control: regulation for disposing of report documents; only authorized persons can access (see) past data
  - Audit: checking the record of document disposal; checking the access log of the database
Controls exist both within the IT system and outside it.
76
Objectives of Control of Processing Management (Control)
Objective / Sample of control / Sample of audit
• The organization makes a regulation for data management and complies with it
  - Control: regulation including procedure, method of verification and authorization for data management
  - Audit: checking regulation documents; inspection of working records of backups
• Data access control and monitoring work effectively
  - Control: regulation of access control for updating master data
  - Audit: checking the access log of the database
• Integrity of data is guaranteed
  - Control: regulation for checking the data range of master data
  - Audit: checking the test record of data updates
• Data transfer complies with its regulation
  - Control: regulation of data transfer
  - Audit: checking the record of transferred data
• Data exchange uses appropriate means to prevent illegal access and maintain security
  - Control: function for error correction during data exchange
  - Audit: log data of exchange error correction
• Storing, copying and disposing of data prevents illegal access and maintains security
  - Control: regulation for disposing of report documents
  - Audit: checking the record of document disposal
77
Objectives of Control of Output Management (Control)
Objective / Sample of control / Sample of audit
• The organization makes a regulation for output management and complies with it
  - Control: regulation including procedure, method of verification and authorization for output activities
  - Audit: checking regulation documents; inspection of working records of output activity
• Output operations are carried out based on the regulation and assure no repeated nor missing output
  - Control: the regulation defines the person responsible for the output procedure
  - Audit: checking the access log for output data
• Sufficient means and functions prevent output errors and illegal operation
• Distribution of output is carried out based on its regulation
  - Control: regulation of output distribution
  - Audit: checking the distribution of output reports
• Storing and disposing of output is carried out based on the regulation
  - Control: regulation for disposing of report documents
  - Audit: checking the record of document disposal
78
Techniques and Means of Control of Input Management (Control)
Area / Description
• Data control preparation
  - Well-designed source documents or forms: grouping similar input fields; providing appropriate codes to reduce errors; containing appropriate serial numbers and cross-reference numbers; appropriate input field style to reduce errors; including an appropriate field for document authorization
• Input authorization
  - Signature on the form or source document
  - Online access control (only authorized individuals can access specific information)
  - Unique passwords (don't share passwords nor grant them to others)
  - Usage of specific terminals or specific areas
  - Segregation of duties
• Batch control
  - Appropriate batch header form including application name, transaction code, preprinted number and identification data
  - Total monetary amount (verification that the total monetary value of the items processed equals the total monetary value of the batch documents)
  - Total items (number of units ordered in the batch versus number of units processed)
  - Total number of documents
  - Hash totals (total of a numeric field that has no meaning as an amount, such as account or document numbers; it is recomputed after processing only to detect lost, duplicated or altered records)
  - Review of online batch input by a manager
79
Techniques and Means of Control of Input (Processing) Management
Area / Description
• Regulation and monitoring
  - Transaction log (input process and batch process)
  - Documented regulation
  - Transmittal log
  - Cancellation of source documents (by punching holes or marking, to avoid duplicate entry)
• Error reporting and handling
  - Appropriate error handling: rejecting only the transaction with the error; rejecting the whole batch of transactions; holding the batch in suspense; accepting the batch and flagging the error transactions
  - Appropriate error correction procedure: logging of errors; timely corrections; upstream resubmission; approval of corrections; suspense file; error file; validity of corrections
80
Techniques and Means of Control of Processing (Input) Management
Area / Description
• Data validation and editing procedures
  - Sequence check (to avoid duplicated and missing records)
  - Limit check (not only on input data, but also on updates of master data)
  - Range check
  - Validity check (checking whether the input value is one of a predefined set of values)
  - Reasonableness check (e.g. the requested number of items in an order)
  - Table lookup (validity by using a table)
  - Key verification (validity: no duplicated key)
  - Completeness check (null check on specific fields)
  - Duplication check (checking for duplicated transactions)
  - Logical relationship check (e.g. if he has a wife, he must be over xx years old)
• Process validation and verification
  - Manual recalculation
  - Run-to-run totals (checking values between processes, e.g. the sum after an intermediate process against the sum at the end)
  - Limit check on amounts
  - Reasonableness of amounts
  - Exception reports
  - Reconciliation (cross comparison) of file totals
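The batch control totals of the "Batch control" slide and the data validation edits of this slide, as an added example in Python (not code from the training text). It recomputes the document count, item total, monetary total and hash total from the records actually processed and compares them with the batch header, then runs sequence, duplication, completeness, validity (table lookup), reasonableness, limit and logical relationship checks over each record. The field names, the product table, the limits and the sample batch are assumptions constructed for illustration.

```python
# Added example, not from the training text: the batch-control totals of the
# "Batch control" slide and the data validation / editing checks of this slide,
# applied to a constructed batch of order transactions. Field names, the product
# table, the limits and the sample batch are assumptions made for illustration.
from dataclasses import dataclass
from decimal import Decimal

UNIT_PRICE = {"P100": Decimal("12.50"), "P200": Decimal("99.00")}  # table lookup
MAX_QTY_PER_LINE = 500                 # reasonableness limit
MAX_LINE_AMOUNT = Decimal("20000.00")  # limit check


@dataclass
class Txn:
    seq: int            # preprinted serial number on the source document
    customer_id: str    # "C" followed by digits
    product: str
    qty: int
    amount: Decimal     # amount keyed by the operator


@dataclass
class BatchHeader:
    doc_count: int           # total number of documents
    item_total: int          # total items (units)
    monetary_total: Decimal  # total monetary amount
    hash_total: int          # sum of the numeric part of customer IDs; meaningless as a value


def batch_totals(txns):
    """Recompute the control totals from the transactions actually processed."""
    return BatchHeader(
        doc_count=len(txns),
        item_total=sum(t.qty for t in txns),
        monetary_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(int(t.customer_id.lstrip("C") or 0) for t in txns),
    )


def check_batch(header, txns):
    """Compare the header prepared with the batch against the recomputed totals."""
    actual = batch_totals(txns)
    return [
        f"{name}: header {getattr(header, name)} != processed {getattr(actual, name)}"
        for name in ("doc_count", "item_total", "monetary_total", "hash_total")
        if getattr(header, name) != getattr(actual, name)
    ]


def edit_checks(txns):
    """Field- and record-level edits; returns [(seq, [reason, ...]), ...] for rejects."""
    rejects, seen, expected = [], set(), None
    for t in txns:
        errs = []
        if t.seq in seen:
            errs.append("duplication check: repeated serial number")
        elif expected is not None and t.seq != expected:
            errs.append(f"sequence check: expected {expected}, got {t.seq}")
        seen.add(t.seq)
        expected = t.seq + 1
        if not t.customer_id:
            errs.append("completeness check: customer_id is empty")
        if t.product not in UNIT_PRICE:
            errs.append("validity check: unknown product code")
        if not 1 <= t.qty <= MAX_QTY_PER_LINE:
            errs.append("reasonableness check: quantity out of range")
        if t.amount > MAX_LINE_AMOUNT:
            errs.append("limit check: amount above line limit")
        if t.product in UNIT_PRICE and t.amount != UNIT_PRICE[t.product] * t.qty:
            errs.append("logical relationship check: amount != qty * unit price")
        if errs:
            rejects.append((t.seq, errs))
    return rejects


# Constructed sample batch: two clean records and three that should be rejected.
SAMPLE_BATCH = [
    Txn(1001, "C0042", "P100", 10, Decimal("125.00")),
    Txn(1002, "C0017", "P200", 2, Decimal("198.00")),
    Txn(1004, "C0099", "P300", 1, Decimal("50.00")),      # gap in sequence, unknown product
    Txn(1004, "C0099", "P100", 600, Decimal("7500.00")),  # duplicate serial, quantity too high
    Txn(1005, "", "P200", 1, Decimal("99.00")),           # customer ID missing
]

if __name__ == "__main__":
    header = batch_totals(SAMPLE_BATCH)
    header.hash_total += 1   # simulate a record altered after the header was prepared
    print(check_batch(header, SAMPLE_BATCH))
    for seq, reasons in edit_checks(SAMPLE_BATCH):
        print(seq, reasons)
```

An auditor testing these controls would feed a batch like SAMPLE_BATCH through the system (test data) and compare the rejects and the batch discrepancy report with the expected ones; the hash total is what catches a record whose customer ID was changed after the header was prepared, because the monetary and item totals do not change.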
81
Techniques and Means of Control of Processing Management
Area / Description
• Data file control
  - Before-and-after image report (the difference proves that the transactions were applied correctly)
  - Maintenance error reporting and handling (errors checked and reviewed by personnel who did not perform the processing)
  - Source document retention (verification of file data against the source data)
  - Internal and external labeling (labels on physical removable storage such as tapes and disk cartridges)
  - Version management
  - Data file security
  - One-for-one checking (verification by comparison between the data and the source document)
  - Transaction log
  - File updating and maintenance authorization
  - Parity checking
• Types of data files
  - System control parameters (configuration parameters)
  - Master data (standing data): not changed by transactions
  - Master data (balancing data): changed by transactions
  - Transaction files
82
Techniques and Means of Control of Output Management
Area / Description
• Output validation procedure
  - Sequence check (to avoid duplicated and missing output)
  - Balancing and reconciling
  - Log of online distribution
• Output delivery and storage
  - Logging and storage of negotiable, sensitive and critical forms in a secure place
  - Computer generation of negotiable instruments, forms and signatures (including intellectual property)
  - Appropriate report printing and distribution, including electronic reporting: control of the print spool; authentication of printing; printing in a secure and safe room; delivery and recipient evidence such as a signature
  - Output report retention
  - Output error handling
83
Overview of Auditing ITAC (Application Controls)
Internal control and information system audit, for controls carried out by humans, by the computer, and by computer & human together.
• Observing and testing users performing procedures
• Preparation: checking development documents and regulations; analyzing transaction flow; modeling risk assessment
• Data integrity testing: to assure accuracy, completeness, consistency and authorization of the data held in a system
• Data integrity testing in online transaction processing systems: to assure tolerance to multiple parallel user accesses
• Test of the application system: to test the effectiveness of application controls
• Continuous online auditing: to collect evidence from the live information system
• CAAT (Computer Assisted Audit Techniques/Tools), GAS (Generalized Audit Software)
84
Preparation of Auditing for ITAC
Area / Description
• Checking documents and interviews
  - System methodology documents; functional design documents; user manual / operation manual and regulations; technical reference documents; records of program changes
• Analyzing transaction flow
  - To find the important controls
  - To find the weak points of transactions and controls
• Modeling risk assessment: factors of the risk model
  - Quality of internal controls
  - Economic condition / regulatory agency impact
  - Time in existence
  - Staff turnover
  - Time elapsed since last audit / prior audit results
  - Complexity of operations
  - Recent accounting system changes / recent changes in key positions
  - Transaction volume / monetary volume
  - Sensitivity of transactions
  - Impact of application failure
85
Methods and Targets of Observing and Testing Users Performing Procedures: Auditing ITAC
Area / Description
• Separation of duties: ensure that no individual has the capability to perform more than one of the following: input, authorization, verification and distribution, by reviewing job descriptions and authorization levels.
• Balancing: verify run-to-run control totals and other application totals.
• Error control and correction: error and correction reports provide evidence of appropriate review, timely correction and resubmission.
• Distribution of reports: critical output reports should be produced and maintained in a secure area and distributed in an authorized manner.
• Review and testing of access authorization and capability: access control tables provide information on each individual's access level; test that the access rules are as management intended. Activity reports or access (log-in) logs provide detailed information on actual access; the access violation log in particular should be reviewed.
86
Methods and Targets of Data Integrity Testing
• Data integrity testing is a set of substantive tests that examines the accuracy, completeness, consistency and authorization of data.
• A failure of data integrity is the result of a failure of input and/or processing. Because of this, data integrity testing uses methods and techniques similar to those for testing input controls.
• Two types of data integrity:
  - Relational integrity: the targets are each record and/or the items within a record. Relational integrity is enforced by the data validation routines of the input process and by the field constraints defined in the database tables.
  - Referential integrity: the targets are the existence relationships between entities in different tables of a database. References (by primary key and foreign key) must be kept consistent on insert, delete and update.
87
Methods and Targets of Data Integrity Testing in Online Transaction Processing Systems
The importance of data integrity is captured by the ACID principle.
• Atomicity: from the user's perspective, a transaction is either completed or not done at all. If an error or interruption occurs, all changes made up to that point are backed out.
• Consistency: all integrity conditions in the database are maintained.
• Isolation: under multi-user conditions, each transaction is isolated from the other transactions.
• Durability: if a transaction has been reported to the user as complete, the resulting changes to the database survive subsequent hardware or software failures.
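Atomicity, consistency and the referential integrity of the previous slide, as an added example on SQLite through Python's built-in sqlite3 module (not code from the training text). A transfer between accounts is three statements in one transaction; a CHECK constraint keeps balances non-negative (consistency), a foreign key keeps every transfer pointing at existing accounts (referential integrity), and a violation of either rolls back the statements already applied (atomicity). The schema and the balances are assumptions constructed for illustration.

```python
# Added example, not from the training text: the ACID properties and referential
# integrity demonstrated with Python's built-in sqlite3 module on an in-memory
# database. The schema (accounts and transfers) and the balances are assumptions.
import sqlite3


def new_db():
    """Create the constructed schema: balances may not go negative, and every
    transfer must reference existing accounts (foreign key enforcement has to
    be switched on per connection in SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE account (
            id      INTEGER PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)     -- consistency rule
        );
        CREATE TABLE transfer (
            id     INTEGER PRIMARY KEY,
            src    INTEGER NOT NULL REFERENCES account(id),   -- referential integrity
            dst    INTEGER NOT NULL REFERENCES account(id),
            amount INTEGER NOT NULL CHECK (amount > 0)
        );
        INSERT INTO account (id, balance) VALUES (1, 100), (2, 50);
    """)
    return con


def transfer(con, src, dst, amount):
    """Move `amount` from src to dst as one unit of work.

    The credit is applied first on purpose: if the later debit or the transfer
    record violates a constraint, the credit already written must be backed out.
    Returns True when the transaction committed, False when it was rolled back."""
    try:
        with con:   # commits on success; rolls back if an exception escapes
            con.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            con.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
            con.execute("INSERT INTO transfer (src, dst, amount) VALUES (?, ?, ?)",
                        (src, dst, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con):
    """Current balances as {account id: balance}."""
    return dict(con.execute("SELECT id, balance FROM account ORDER BY id"))


def transfer_count(con):
    """Number of committed transfer records."""
    return con.execute("SELECT COUNT(*) FROM transfer").fetchone()[0]


if __name__ == "__main__":
    con = new_db()
    print(transfer(con, 1, 2, 30), balances(con))    # committed
    print(transfer(con, 1, 2, 500), balances(con))   # debit would go negative: rolled back
    print(transfer(con, 1, 9, 10), balances(con))    # account 9 does not exist: rolled back
```

The third case is the one worth noting for an auditor: the UPDATE of a non-existent account 9 silently affects zero rows and the debit of account 1 succeeds, so without the foreign key on the transfer table the money would simply vanish. With the key enforced, the INSERT fails and the whole unit of work, including the debit, is backed out.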
88
Overview of Methods and Targets of Test of Application System and Continuous Online Auditing
[Figure: input → processing → output. In the testing and simulation environment, test data are run and checked by dump and tracing, and by simulated processing whose output is compared with the system's output. In the real environment (live system), test data or real data pass through the live system and the input and processing are checked by an audit module.]
89
Methods and Targets of Test of Application System and Continuous Online Auditing (1)
Method / Description / Comment
• Mapping: detects code that is not tested; similar to measuring test coverage. (Needs a function to measure coverage.)
• Tracing and tagging: traces specific transactions through the real or simulated system. (Needs tracing skill or development of a tracing function.)
• Test data / test deck: inputs test data to the real system; the result is known in advance. (Does not prove that all the code has been exercised.)
• Base case system evaluation: testing using the test cases of integration testing. (Needs a lot of time and effort to conduct.)
• Parallel operation: compares the old system and the new system on the same data.
• Parallel simulation: checks real (live) data using a simulation program that has the same processing logic as the real system. (Needs development of the simulation program.)
• Extended record: extracts specific data and transactions to audit files, manually or automatically with an audit module. (When using an audit module, needs development of a program.)
90
Methods and Targets of Test of Application System and Continuous Online Auditing (2)
Method / Description / Comment
• Embedded Audit Module / System Control Audit Review File (EAM/SCARF): adds audit functions that extract specific transactions into review files. (Needs development of specific selection and alert functions.)
• Integrated Test Facility (ITF): inputs test data/transactions to the live system; the result is known in advance. (Needs precise planning so as not to affect real processing.)
• Snapshot: adds dump modules to the system; the dump shows that specific points were passed and the internal data at those points. (Proves program logic; needs knowledge of IT development and programming.)
• Continuous and Intermittent Simulation (CIS): checks the processing of each transaction against a simulation function before real processing. (Needs development of specific alert functions.)
• Audit hooks: adds alert functions that detect the risk of an error or irregularity before a serious failure occurs. (Needs development of specific alert functions.)
91
Comparison among Methods of Continuous Online Auditing
Method / Complexity / Useful when
• SCARF/EAM (System Control Audit Review File and Embedded Audit Module): very high / regular processing cannot be interrupted
• Integrated Test Facility (ITF): high / it is not beneficial to use test data
• Snapshot: medium / an audit trail is required
• Continuous and Intermittent Simulation (CIS): medium / transactions meeting certain criteria need to be examined
• Audit hooks: low / only selected transactions or processes need to be examined
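The three continuous auditing methods of the previous two slides that can be shown in code, as an added example in Python (not code from the training text): a small embedded audit module that writes transactions meeting selection criteria to a SCARF review file, an audit hook that raises an alert when several sub-limit purchases look like a split transaction, and a CIS check that recomputes each transaction's posting with a simulation of the application logic and flags disagreements. The selection criteria, the approval limit, the discount rule that stands in for the application's processing, and the sample transaction stream are all assumptions constructed for illustration.

```python
# Added example, not from the training text: a small embedded audit module of the
# kind the SCARF/EAM, CIS and audit-hook rows describe, run over a constructed
# stream of purchase transactions. The selection criteria, the approval limit,
# the discount rule standing in for the application's processing logic, and the
# sample transactions are all assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

APPROVAL_LIMIT = 10_000          # amounts at/above this need a second approval
SPLIT_WINDOW_SECONDS = 3_600     # look-back window for split-transaction detection
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59


@dataclass
class Txn:
    id: str
    ts: datetime
    user: str        # who entered it
    approver: str    # who approved it
    vendor: str
    amount: int
    posted: int      # amount the application actually posted to the ledger


def simulate_posting(t):
    """CIS: a simulation of the application's processing logic, assumed here to be
    a 2% discount on purchases of 5,000 or more."""
    return t.amount - (t.amount * 2 // 100 if t.amount >= 5_000 else 0)


class EmbeddedAuditModule:
    def __init__(self):
        self.scarf = []                     # SCARF: review file of selected transactions
        self.alerts = []                    # audit hooks: alerts raised immediately
        self.cis_mismatches = []            # CIS: posted result differs from simulation
        self._recent = defaultdict(list)    # (user, vendor) -> transactions in window

    def selection_criteria(self, t):
        """SCARF selection: reasons a transaction is written to the review file."""
        reasons = []
        if t.amount >= APPROVAL_LIMIT:
            reasons.append("amount at or above approval limit")
        if t.user == t.approver:
            reasons.append("segregation of duties: entered and approved by same user")
        if t.ts.hour not in BUSINESS_HOURS:
            reasons.append("entered outside business hours")
        return reasons

    def audit_hook(self, t):
        """Audit hook: flag several sub-limit purchases from the same user to the
        same vendor within the window that together reach the approval limit."""
        key = (t.user, t.vendor)
        window = [u for u in self._recent[key]
                  if (t.ts - u.ts).total_seconds() <= SPLIT_WINDOW_SECONDS]
        window.append(t)
        self._recent[key] = window
        if (len(window) >= 2
                and all(u.amount < APPROVAL_LIMIT for u in window)
                and sum(u.amount for u in window) >= APPROVAL_LIMIT):
            self.alerts.append((t.id, "possible split transaction: "
                                + ", ".join(u.id for u in window)))

    def process(self, t):
        reasons = self.selection_criteria(t)
        if reasons:
            self.scarf.append((t.id, reasons))
        self.audit_hook(t)
        expected = simulate_posting(t)
        if expected != t.posted:
            self.cis_mismatches.append((t.id, expected, t.posted))


def run_audit(stream):
    """Feed every transaction of the (live) stream through the module."""
    eam = EmbeddedAuditModule()
    for t in stream:
        eam.process(t)
    return eam


# Constructed sample stream: the "live" transactions the module is embedded in.
SAMPLE_STREAM = [
    Txn("T1", datetime(2010, 10, 1, 9, 0),   "alice", "bob",   "ACME",     4_000,  4_000),
    Txn("T2", datetime(2010, 10, 1, 9, 30),  "alice", "bob",   "ACME",     4_500,  4_500),
    Txn("T3", datetime(2010, 10, 1, 9, 45),  "alice", "bob",   "ACME",     3_000,  3_000),
    Txn("T4", datetime(2010, 10, 1, 22, 10), "carol", "carol", "Globex",  12_000, 11_760),
    Txn("T5", datetime(2010, 10, 1, 14, 0),  "dave",  "erin",  "Initech",  6_000,  6_000),
]

if __name__ == "__main__":
    eam = run_audit(SAMPLE_STREAM)
    print("SCARF:", eam.scarf)
    print("alerts:", eam.alerts)
    print("CIS mismatches:", eam.cis_mismatches)
```

The three outputs map onto the comparison table: the SCARF file is reviewed later, so it suits processing that cannot be interrupted; the audit hook fires on the transaction itself, so it is the low-complexity choice when only selected patterns matter; and the CIS comparison needs a maintained copy of the processing logic, which is where its development cost lies.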
92
Methods and Targets of Observing and Testing System Development Life Cycle Controls: Auditing ITGC (1)
Phase/Task / Description
• Project management
  - Oversight by project committee/board
  - Risk management and problem management
  - Cost management
  - Planning process
  - Reporting process to senior management
  - Stakeholder management
  - Sign-off and authorization process
• Feasibility study
  - Identify and determine the criticality of the needs
  - Determine the reasonableness of the chosen solution
  - Determine the justification and benefit of all the costs
• Requirement definition
  - Identify key stakeholders and verify that they have appropriate representation in the project team
  - Verify the accuracy of the requirements document through interviews with relevant users
  - Determine whether an appropriate number of vendors can receive the requirements (some vendors can realize such a system)
  - Verify that project start and cost have been approved by the proper management positions/groups
  - Review the design to ensure that control specifications have been defined
  - Survey and decide whether the system needs embedded audit functions
93
Methods and Targets of Observing and Testing System Development Life Cycle Controls: Auditing ITGC (2)
Phase/Task / Description
• Software acquisition process (procurement)
  - Determine the reasonableness of acquiring a solution by reviewing the feasibility study
  - Review the RFP to ensure that it contains all the information an RFP needs
  - Ensure fairness in selecting a vendor based on the RFP
  - Review the vendor contract to ensure that it includes the items the RFP mentions
  - Ensure the contract is reviewed by legal counsel before it is signed
• Detail design and development
  - Review whether appropriate controls for input, processing and output are designed
  - Ensure the validity of the specifications for screen design, operation and output format through interviews with the main users
  - Review whether appropriate audit functions are designed
  - Review the quality assurance results of the design activities
  - Review whether the design activity follows the regulation appropriately, e.g. authorization and user review
• Testing
95
Overview of Tasks for Domain 1
• 1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
• 1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
• 1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
• 1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
• 1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.
96
Overview of Skill and Knowledge for Domain 1
• 1.1 ISACA IS Auditing Standards, Guidelines and Procedures and the Code of Professional Ethics
• 1.2 IS auditing practices and techniques
• 1.3 Techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATTs and electronic media)
• 1.4 The evidence life cycle (e.g., collection, protection, chain of custody)
• 1.5 Control objectives and controls related to IS (e.g., COBIT)
• 1.6 Risk assessment in an audit context
• 1.7 Audit planning and management techniques
• 1.8 Reporting and communication techniques (e.g., facilitation, negotiation and conflict resolution)
• 1.9 Control self-assessment (CSA)
• 1.10 Continuous audit techniques
97
IS Audit Small Quiz No.3
Domain 3 IS Audit Process
Subject: Audit Planning, Risk Management, Methods of Audit and Audit Reporting
Quiz book
98
Types of Audits
Type / Description
• Financial audits: the purpose is to assess the correctness of an organization's financial statements. IT auditors work under the financial auditors and test the integrity and reliability of financial information.
• Operational audits: the purpose is to evaluate the internal control structure in a specific process or area, such as application controls or a logical security system.
• Integrated audits: a combination of financial audits and operational audits.
• Administrative audits: the purpose is to evaluate and improve the efficiency of operational productivity within an organization.
• IS audits: the purpose is to evaluate the internal controls of information systems. The targets are ITCLC, ITGC and ITAC.
• Specialized audits: specialized reviews that examine areas such as services performed by third parties. SAS 70 (Statement on Auditing Standards No. 70), developed by the AICPA (American Institute of Certified Public Accountants), is widely known.
• Forensic audits: special audits for discovering, disclosing and following up on frauds and crimes.
99
Overview of IS Audit Process (what you will learn in this chapter)
• IS audit charter / guidelines
• Audit process: audit planning → risk assessment → perform tests (inspection & test methods and techniques) → evidence → findings → report & follow-up
100
Framework and Guidelines of IS Audit (1)
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals (330 pages) (http://www.isaca.org/)
IT Audit and Assurance Standards (Framework)
• S1 Audit Charter
• S2 Independence
• S3 Professional Ethics and Standards
• S4 Competence
• S5 Planning
• S6 Performance of Audit Work
• S7 Reporting
• S8 Follow-Up Activities
• S9 Irregularities and Illegal Acts
• S10 IT Governance
• S11 Use of Risk Assessment in Audit Planning
• S12 Audit Materiality
• S13 Using the Work of Other Experts
• S14 Audit Evidence
• S15 IT Controls
• S16 E-commerce
101
Framework and Guidelines of IS Audit (2)
Index of IT Audit and Assurance Guidelines (G1–G44), selected entries:
• G2 Audit Evidence Requirement
• G3 Use of Computer Assisted Audit Techniques (CAATs)
• G5 Audit Charter
• G6 Materiality Concepts for Auditing Information Systems
• G8 Audit Documentation
• G9 Audit Considerations for Irregularities and Illegal Acts
• G10 Audit Sampling
• G11 Effect of Pervasive IS Controls
• G12 Organisational Relationship and Independence
• G13 Use of Risk Assessment in Audit Planning
• G15 Audit Planning
• G18 IT Governance
• G20 Reporting
• G21 Enterprise Resource Planning (ERP) Systems
• G23 System Development Life Cycle (SDLC)
• G28 Computer Forensics
• G31 Privacy
• G33 General Considerations on the Use of the Internet
• G34 Responsibility, Authority and Accountability
• G35 Follow-up Activities
• G37 Configuration Management Process
• G38 Access Controls
• G39 IT Organisation
• G40 Review of Security Management Practices
• G42 Continuous Assurance
102
Framework and Guidelines of IS Audit (3)
Index of IT Audit and Assurance Tools and Techniques
• P1 IS Risk Assessment
• P2 Digital Signatures
• P3 Intrusion Detection
• P4 Viruses and other Malicious Code
• P5 Control Risk Self-assessment
• P6 Firewalls
• P7 Irregularities and Illegal Acts
• P8 Security Assessment—Penetration Testing and Vulnerability Analysis
• P9 Evaluation of Management Controls Over Encryption Methodologies
• P10 Business Application Change Control
• P11 Electronic Funds Transfer (EFT)
103
Audit Risk
Risk in the audit itself: the risk that a material error is not detected during the audit process. It has three components:
• Inherent risk: the risk that exists without any control, e.g. because the process is complex (example: a misstatement)
• Control risk: the control fails to prevent or detect the error, e.g. a human makes a mistake
• Detection risk: the audit fails to detect the error, e.g. inadequate testing
• Overall audit risk: the combination of the three (inherent risk × control risk × detection risk). Controls are checked and tested with compliance tests; the error that remains is sought with substantive tests.
[Figure: risk → control → audit chain, with each stage's failure labelled as the corresponding risk component]
104
Flow of Audit Process
1. Audit charter: scope with goals and objectives; authority of the audit; responsibilities and actions among stakeholders
2. Audit planning & gathering information: knowledge of the business; regulatory status; prior audit results; inherent risk assessment
3. Risk assessment & understanding internal control: survey control functions and procedures; results of controls; control risk and detection risk assessment
4. Perform compliance tests: identify the targeted controls; compliance tests on reliability, risk prevention, organization policy and procedure
5. Perform substantive tests: analytic procedures; detailed testing; other substantive testing
6. Reporting: audit report; creating recommendations
7. Follow-up activity
105
Types of Audit Plans
• Audit master plan (long- or mid-term audit plan)
  - Usually a 3- or 5-year plan
  - Defines scope and priorities based on the audit policy
  - Relates IT to the system development plan and schedule
• Annual audit plan
  - Defines the (separate) audits in each year, including a financial audit
  - Defines the management information needed to conduct the audits, such as cost, schedule and resources
• (Separate) audit plan
  - Detailed planning for each target of an audit
  - Defines the plan of testing methods and procedures, reporting and follow-up
Cases of (separate) audits
• Reviewing the security of a financial application for a large company with many branches
• Auditing IT general controls to enhance a company's development capability
• Supervising (auditing) the development and migration of a big ERP system
• Consulting on applying SOX internal control to a company in order for it to be listed on the stock market
106
Example: Summary of Audit Plan
Separate small Audit Plan for ITAC
No. Item: Description
1 Objective: The payment system is one of the important systems for the financial statements of ABC company. To evaluate the internal control of the system.
2 Scope:
•Validity and reliability of automated (embedded) controls in the system
•Validity and coverage of control functions realized by interaction between the system and human activities
3 Audit target: ABC payment system
4 Audit items:
•System specification documents & operation manual
•Input form & screen design (input and search/reference)
•Data & information stored in the system
5 Audit organization:
•Auditor group: xxxx, xxxx
•Auditee: Department of business management and Department of accounting
6 Audit procedure and schedule:
•Preliminary survey for risk assessment (17-30 Oct. 2009)
 [Method] Interview and questionnaire
 [Survey item] Summary of the payment system and overview of Dept. of business management and Dept. of accounting
 [Point] Current situation and preparation of controls
•Compliance testing (No. 1) (1-15 Nov. 2009)
 [Method] Check list, interview and checking the system specification
 [Audit item] Automated (embedded) controls in the system
 [Point] Validity and reliability of the design of the controls
•Compliance testing (No. n)
•Substantive testing (No. 1) (1-20 Jan. 2010)
 [Method] Comparison between database and printed quotation. Checking transaction log.
 [Point] Testing the results of control functions
107
General idea of Risk Assessment (Evaluation)
Basic elements of evaluating risks
•Impact, effect
•Probability, likelihood
Very Simple Risk Evaluation Table (weighting by Impact & Probability)
Probability \ Impact   Big       Medium    Small
Often                  Fatal     Serious   Serious
Sometimes              Serious   Serious   Minor
Rare                   Serious   Minor     Minor
Other (further) assessment methods
•Weighting by dividing into detailed factors
 Impact => sensitivity of the function to executive management, materiality
 Probability => extent of system or process change, complexity
•Ranking <- one reason why auditors use risk assessment
 Multiply by the weight of business impact to make a ranking score.
 Weight of business impact, for example: financial risk, strategic risk, operational risk and legal compliance
108
Example: Summary of Risk Assessment Document
Category                          Risk                     Description                                    Eva.  Control
Covering all payment transaction  Missing invoice by EDI   Invoice by EDI has trouble and is missing      1     Checking EDI's invoice by human
                                  Error transaction        Error transactions are not reported/detected   3     Module for listing out error transactions
Correctness of payment date       Input error              Mistake of input for invoice by FAX            4     Cross checking to order transaction
Not include inappropriate data    Cancel of invoice        Payment to cancelled invoice                   2     Procedure of cancellation of invoice
Security of operation             xxx                      xxxx                                                 xxxxx
Integrity of payment data         xxx                      xxxx                                                 xxxxx
No authorized DB modification     xxx                      xxxx                                                 xxxxx
Contents of risk assessment document
•A description of the risk assessment methodology used
•The identification of significant exposures and the corresponding risks
•The risks and exposures the audit is intended to address
•The audit evidence used to support the IS auditor's assessment of risk
109
General Idea: Type of Means to Risk and Control
Type of Means to Risk
Avoid: Stop the activity that causes the risk, because the impact of the risk is very serious
Reduce: Appropriate internal controls reduce the impact and probability of the risk
Transfer: Other external means, such as insurance, reduce the impact of the risk
Accept: The impact of the risk is accepted, because the impact is low or the cost of the means is too expensive
Type of Control (Type / Function / Example of Control)
Preventive Control
 Function:
 •Prevent errors from happening
 •Attempt to predict
 •Monitor both operation and inputs
 Examples:
 •Segregate duties
 •Programmed edit checks
 •Using access control software
 •Suitable procedure for authorization
Detective Control
 Function:
 •Find out errors and malicious acts
 Examples:
 •Hash total
 •Check points in production job
 •Internal audit function
 •Echo controls in telecommunications
 •Reviewing activity logs
Corrective Control
 Function:
 •Remedy problems
 •Identify cause
 •Enhance procedures
 •Minimize the impact of a threat
 Examples:
 •Backup procedure
 •Rerun procedure
110
Overview of Method and Technique for Survey and Testing
Audit phases covered: Audit Planning & Gathering information; Risk Assessment & Understanding Internal Control; Perform Compliance Tests; Perform Substantive Tests
Survey and Testing (evidence: fact)
•Review
•Interview & Observation
•Questionnaire
•Testing
•Method of Statistics
•CAAT (Computer Assisted Audit Techniques)
111
Review, Interview and observation for gathering Data (1)
Method: Description
Reviewing IS organization structures
•Adequate separation and segregation of duties is a key control.
•An IS auditor should be able to review the organization structure and assess the level of control it provides.
Reviewing IS policy and procedures
•An IT auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that policies and procedures are being followed.
•Periodic review of policies and procedures for appropriateness should be carried out.
Reviewing IS standards
•An IT auditor should understand the existing standards in place in the organization.
Reviewing Information System Documentation
•An IT auditor should understand the functions and controls of the system.
•Review whether development activities are following the procedures.
•Review whether enough documents have been developed and kept with integrity.
112
Review, Interview and observation for gathering Data (2)
Point: Description
Preparation of interview
•Preparation of checklist and interview form
•Selecting appropriate interviewees
Actual function
•Ensure by observation that an adequate person, who is assigned and authorized to perform a particular function, is actually doing the job.
Actual process and procedure
•Performing a walk-through of the process/procedure allows an IT auditor to gain evidence of compliance and observe deviations.
Reporting relationship
•Reporting relationships should be observed to ensure assigned responsibility and adequate segregation.
Security awareness
•Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures.
Related methods
•Re-performance
•Walkthroughs
113
Examples of measures that should be considered to assess materiality
•Criticality of the business processes supported by the system or operation
•Criticality of the information databases supported by the system or operation
•Number and type of applications developed
•Number of users who use the information systems
•Number of managers and directors who work with the information systems, classified by privileges
•Criticality of the network communications supported by the system or operation
•Cost of the system or operation (hardware, software, staff, third-party services, overheads or a combination of these)
•Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
•Cost of loss of critical and vital information in terms of money and time to reproduce
•Effectiveness of countermeasures
•Number of accesses/transactions/inquiries processed per period
•Nature, timing and extent of reports prepared and files maintained
•Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)
•Service level agreement requirements and cost of potential penalties
•Penalties for failure to comply with legal, regulatory and contractual requirements
•Penalties for failure to comply with public health and safety requirements
114
Statistics for IS Audit
If an auditor detected 2 input errors in order forms during substantive testing, could the auditor conclude that the internal control is almost good and working?
Sampling (Statistical) Test
•Population: all input forms
•Sample: some of the input forms
Are two errors acceptable?
115
Sampling
Even if the number of data items in the samples is the same, there are many possible ways to select a sample from the population.
Normal distribution is commonly encountered in practice, and is used throughout statistics, natural sciences, and social sciences as a simple model for complex phenomena. For example, the observational error in an experiment is usually assumed to follow a normal distribution, and the propagation of uncertainty is computed using this assumption.
116
Factor of Selecting Sample
Features of the population
•Size
•Distribution
•(Expected) error rate
Accuracy of the sample, defined by the auditor
•(Requested) similarity of features between population and sample = (requested) confidence coefficient
•Acceptable range (the OK / NG boundary) = precision
Need more sampling data when:
•Size is big (but the ratio of the sample is low)
•Error rate is low
•Confidence coefficient is high
•Precision is low (the acceptable range is narrow)
117
Type of Sampling (1)
Method of selection
•Statistical sampling: (see the previous slide) an objective method to determine sample size and selection criteria
•Non-statistical sampling: judgmental sampling. An auditor designs the sampling based on importance and risk
Target data
•Attribute sampling: deals with the presence or absence of an attribute; mainly applied in compliance testing
•Variable sampling: deals with population characteristics that vary, e.g. dollars and weights; provides conclusions related to the variable; mainly applied in substantive testing
118
Type of Sampling (2)
Target data: Attribute sampling
•Attribute sampling: provides conclusions expressed in rates of incidence (frequency-estimating sampling)
•Stop-or-go sampling: the auditor can change the size of the sample to get an appropriate result
•Discovery sampling: the model can be used when the expected occurrence is extremely low; the purpose is detection
Target data: Variable sampling
•Stratified mean per unit: sample means are calculated for each group as an estimated total
•Unstratified mean per unit: a sample mean is calculated as an estimated total
•Difference estimation: the model is used to estimate the total difference between audited value and unaudited value
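An added worked example for the question raised on the "Statistics for IS Audit" slide and the sampling factors on the slides that follow (it is not part of the course material): it computes the attribute-sampling figures from the binomial distribution instead of a printed sampling table, namely the sample size for a given confidence coefficient, expected error rate and precision (tolerable error rate), the upper error limit after finding k errors, and the stop-or-go step. The figures used (100 order forms sampled, 95% confidence, 5% tolerable rate) are assumptions.

```python
"""Attribute sampling helper for compliance testing (added example, not part of the
training text).  It uses the exact binomial distribution and assumes the population is
large relative to the sample, so that the items drawn can be treated as independent."""
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the probability of finding at most k errors in
    n sampled items when the true error rate of the population is p."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 0.0 if k < n else 1.0
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(n: int, k: int, confidence: float) -> float:
    """Computed upper error limit: the highest population error rate that is still
    consistent, at the requested confidence coefficient, with finding only k errors in
    a sample of n.  Found by bisection on p, because binom_cdf(k, n, p) falls as p rises."""
    if not 0 <= k <= n:
        raise ValueError("k must be between 0 and n")
    alpha = 1.0 - confidence          # risk the auditor accepts of being wrong
    lo, hi = 0.0, 1.0
    for _ in range(60):               # 60 halvings of [0, 1] is far finer than needed
        mid = (lo + hi) / 2.0
        if binom_cdf(k, n, mid) > alpha:
            lo = mid                  # k errors are still quite likely at this rate
        else:
            hi = mid
    return hi


def is_acceptable(n: int, k: int, confidence: float, tolerable_rate: float) -> bool:
    """The control passes the compliance test when the upper error limit is within the
    tolerable rate, i.e. the precision the auditor set."""
    return upper_error_limit(n, k, confidence) <= tolerable_rate


def sample_size(confidence: float, expected_rate: float, tolerable_rate: float,
                max_n: int = 5000) -> int:
    """Smallest sample size for which, if the sample shows errors at the expected rate
    (rounded up to whole errors, as sampling tables do), the upper error limit still
    stays within the tolerable rate."""
    if expected_rate >= tolerable_rate:
        raise ValueError("expected rate must be below the tolerable rate")
    for n in range(1, max_n + 1):
        k = ceil(expected_rate * n - 1e-9)
        if upper_error_limit(n, k, confidence) <= tolerable_rate:
            return n
    raise ValueError("no sample size up to max_n meets the requirement")


def additional_samples_needed(n: int, k: int, confidence: float, tolerable_rate: float,
                              max_extra: int = 5000) -> int:
    """Stop-or-go step: how many more items must be tested, assuming no further errors
    turn up, before the upper error limit falls within the tolerable rate."""
    for extra in range(0, max_extra + 1):
        if upper_error_limit(n + extra, k, confidence) <= tolerable_rate:
            return extra
    raise ValueError("tolerable rate cannot be reached within max_extra items")


if __name__ == "__main__":
    # The slide's question: two input errors were found.  Assumed figures: 100 order
    # forms sampled, 95% confidence coefficient, 5% tolerable error rate.
    n, k, conf, tol = 100, 2, 0.95, 0.05
    print(f"upper error limit after {k} errors in {n}: {upper_error_limit(n, k, conf):.3%}")
    print("acceptable at 5% tolerable rate:", is_acceptable(n, k, conf, tol))
    print("sample size with no expected errors, 5% tolerable:", sample_size(conf, 0.0, tol))
    print("extra items to test (stop-or-go):", additional_samples_needed(n, k, conf, tol))
```

Two errors in 100 forms give an upper limit of roughly 6%, so the control cannot be accepted at a 5% tolerable rate; the auditor either extends the sample or reports the exception.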
119
Computer-Assisted Audit Techniques (CAAT)
What is CAAT & GAS? The following are well-known GAS (Generalized Audit Software):
•ACL: Audit Command Language, ACL Services Ltd., http://www.acl.com/
•IDEA: Interactive Data Extraction and Analysis, CaseWare International, http://www.caseware.com/
Go to both websites.
CAAT
•GAS: ACL, IDEA
•Tentative audit utility: general office tools (MS-Access, MS-Excel)
•Developed software: tentative audit module, online audit system
120
Advantage of CAAT
•Reduced level of audit risk
•Greater independence from auditee
•Broader and more consistent audit coverage
•Faster availability of information
•Improved exception identification
•Greater flexibility of run times
•Greater opportunity to quantify internal control weaknesses
•Enhanced sampling
•Cost savings in the long term
121
Overview of function of GAS
System A / System B (input, processing, output): business data consisting of transaction data, log files and master data
GAS functions
•Generate test data (test data)
•Extract and check log files
•Extract and sample data
•Compare and calculate
•Making reports, statistical analysis (audit data)
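A GAS-style substantive test, added here as an example (it is not ACL or IDEA code and not part of the course): it reconciles a payment-system extract against the invoice register, in the spirit of the payment-system audit plan above that compares the database with printed quotations and checks the transaction log, and it computes the hash totals named under detective controls. All records are constructed.

```python
"""Substantive test of the payment system with a home-made CAAT (added example, not part
of the course).  It reconciles a payment-system extract against the invoice register and
reports completeness, validity and accuracy exceptions.  All records are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    category: str      # completeness, validity or accuracy
    invoice_id: str
    detail: str


# Constructed invoice register (what should have been paid).  Cancelled invoices are
# marked, as the "procedure of cancellation of invoice" control requires.
INVOICES = [
    {"id": "INV-1001", "amount": 1200.00, "cancelled": False},
    {"id": "INV-1002", "amount": 350.50, "cancelled": True},
    {"id": "INV-1003", "amount": 980.00, "cancelled": False},
    {"id": "INV-1004", "amount": 2210.75, "cancelled": False},
]

# Constructed payment-system extract (what was actually paid), pulled the way a CAAT
# would pull it: from a read-only copy of the production data.
PAYMENTS = [
    {"invoice_id": "INV-1001", "amount": 1200.00},
    {"invoice_id": "INV-1002", "amount": 350.50},   # paid although cancelled
    {"invoice_id": "INV-1004", "amount": 2120.75},  # amount differs from the invoice
    {"invoice_id": "INV-1004", "amount": 2120.75},  # and paid twice
    {"invoice_id": "INV-9999", "amount": 75.00},    # no invoice at all
]


def hash_total(records: list, key: str = "amount") -> float:
    """Hash (control) total: the sum compared between two sources to see at a glance
    whether anything is missing or altered."""
    return round(sum(r[key] for r in records), 2)


def reconcile(invoices: list, payments: list, tolerance: float = 0.005) -> list:
    """Compare every invoice with the payments recorded against it; return the exceptions."""
    findings = []
    by_invoice = {inv["id"]: inv for inv in invoices}
    paid_for = Counter(p["invoice_id"] for p in payments)

    # Completeness: every live invoice must have a payment (risk: missing invoice by EDI).
    for inv in invoices:
        if not inv["cancelled"] and paid_for[inv["id"]] == 0:
            findings.append(Finding("completeness", inv["id"], "invoice has no payment"))

    # Validity: no payment without an invoice, none against a cancelled invoice, and
    # no duplicates (risk: inappropriate data in the payment run).
    for invoice_id, n in paid_for.items():
        inv = by_invoice.get(invoice_id)
        if inv is None:
            findings.append(Finding("validity", invoice_id, "payment references an unknown invoice"))
            continue
        if inv["cancelled"]:
            findings.append(Finding("validity", invoice_id, "payment against a cancelled invoice"))
        if n > 1:
            findings.append(Finding("validity", invoice_id, f"invoice paid {n} times"))

    # Accuracy: amounts must agree within rounding (risk: input error on FAX invoices).
    for p in payments:
        inv = by_invoice.get(p["invoice_id"])
        if inv is not None and abs(inv["amount"] - p["amount"]) > tolerance:
            findings.append(Finding("accuracy", p["invoice_id"],
                                    f"paid {p['amount']:.2f}, invoiced {inv['amount']:.2f}"))
    return findings


def summarize(findings: list) -> Counter:
    """Count exceptions per category, the figure that feeds the RCM result column."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    live = [i for i in INVOICES if not i["cancelled"]]
    print("hash totals: invoices", hash_total(live), "payments", hash_total(PAYMENTS))
    results = reconcile(INVOICES, PAYMENTS)
    for f in results:
        print(f"{f.category:12} {f.invoice_id}: {f.detail}")
    print(dict(summarize(results)))
```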
122
CAAT Considerations for installation and usage
•Ease of use, both for existing and future audit staff
•Training requirements
•Complexity of coding and maintenance
•Flexibility of uses
•Installation requirements
•Processing efficiencies
•Effort required to bring source data into the CAAT
•Documentation well-referenced to the audit program
•Clearly identify audit procedures and objectives
•Request read-only access to production data
•Data manipulation should be done on copies of production files in a controlled environment
•Reliability of software
•Confidentiality of the data being processed
123
Type of Evidence
Two primary types
•Direct evidence: existence of a fact without inference or presumption
•Indirect evidence: a hypothesis, without direct evidence, used to make a claim
Examples of evidence
•Business evidence, including business records of transactions, receipts, invoices, and logs
•Data extraction which mines details from data files by CAAT
•Auditee claims in oral or written documents
•Analysis of plans, policies, procedures and workflow
•Results of compliance and substantive tests
•Auditor's observation
124
Evidence Grading (What good evidence is)
Criterion                  Poor                                    Good                                                  Excellent
Material relevance         Unrelated                               Indirect                                              Direct
Objectivity                Subjective                              Requires few supporting facts to explain the meaning  Needs no explanation
Evidence source            Unrelated third party with no evidence  Indirect involvement by second party                  Direct involvement by first party
Competency of provider     Biased                                  Nonbiased                                             Nonbiased and independent
Evidence analysis method   Novice                                  Experienced                                           Experts
Resulting trustworthiness  Low                                     Medium                                                High
125
Content of Reporting
Content: Description
Introduction
•Audit objectives
•Limitation of the audit and its scope
•Period of audit coverage
•General statement on the nature and extent of the audit process
Overall conclusion and opinion
•Adequacy of the controls and/or procedures examined
•The actual and potential risks identified
Detailed and important audit findings and recommendations
•Whether the controls and procedures examined are adequate or inadequate
•Specific findings based on the viewpoint of both the audit committee and the organization
•Recommendations for adding and/or modifying controls, procedures and organization
A variety of findings
•All the findings and recommendations. Some are important, others are trivial.
126
Example Report: summary of RCM (Risk and Control Matrix)
Columns: Type (category), Risk, Control and Procedure, Audit Procedure, Result & comment
Type: Covering all payment transaction
•Risk: Missing invoice by EDI
 Control and procedure: Sending e-mail when EDI and function to make the list of e-mail
 Audit procedure: program specification, procedure, log files, working record
 Result: Good. Reviewing the list is not defined in the procedure.
•Risk: Error transaction
 Control and procedure: Function for error transactions
 Audit procedure: program specification, error transaction log, invoices
 Result: Excellent. Works well.
 Control and procedure: Regulation for correcting error transactions
 Audit procedure: procedure, working record for correcting errors
 Result: Good. Needs a more detailed correction method.
Type: Correctness of payment date
•Risk: Input error
 Control and procedure: Appropriate editing (checking function)
 Audit procedure: program specification, record of error input, observation of input activities
 Result: Good. Some fields need more checking functions.
 Control and procedure: Appropriate input form (printed)
 Audit procedure: checking input form, record of error input, observation of input activities
 Result: Fair. Customers sometimes make mistakes.
 Control and procedure: Cross checking to order transaction
 Audit procedure: procedure, program specification
 Result: None (very poor)
127
Presenting and Communicating Audit Results
Considerations for presentation to executives
•Understandable for executives: because they usually do not know IT technology, do not use technical terms.
•Findings and recommendations should be made from the viewpoint of the business.
Considerations for communication
•Communicate with management of the audited entity first, if possible
•Gain agreement and develop a course of corrective action
•Communicate to top management and the audit committee
•The audit committee provides an independent route to report sensitive information
•The auditor is normally NOT expected to implement recommendations
128
Continuous Audit Approach
• To improve audit efficiency by making greater use of automated tools
• Collect evidence on system reliability while normal processing takes place
• Monitor operations on continuous basis
• Gather selective audit evidence; if not serious, action later
• Cut down needless paperwork
• May report directly through computer on findings
• Especially useful when no paper audit trail
• No disruption to daily operations
• Time lag between misuse and detection is reduced
• Enhance confidence in system’s reliability
129
Control Self-Assessment (CSA)
• Management and/or work teams are directly involved in checking the effectiveness of existing controls
• The IS auditor acts as control expert and assessment facilitator
• Simple questionnaires; facilitated workshops
• Objectives:
– Enhance audit responsibilities
– Educate line management in control responsibility and monitoring
– Concentrate on areas of high risk
131
Overview of Tasks for Domain 4
•4.1 Evaluate service-level management practices to ensure that the level of service from internal and external service providers is defined and managed.
•4.2 Evaluate operations management to ensure that IT support functions effectively meet business needs.
•4.3 Evaluate data administration practices to ensure the integrity and optimization of databases.
•4.4 Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives.
•4.5 Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.
•4.6 Evaluate problem and incident management practices to ensure that incidents, problems and errors are recorded, analyzed and resolved in a timely manner.
•4.7 Evaluate the functionality of the IT infrastructure (e.g., network components, hardware and system software) to ensure that it supports the organization's objectives.
132
Overview of skill and knowledge for Domain 4
•4.1 Knowledge of service-level management practices
•4.2 Knowledge of operations management best practices (e.g., workload scheduling, network services management and preventive maintenance)
•4.3 Knowledge of system performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports and load balancing)
•4.4 Knowledge of the functionality of hardware and network components (e.g., routers, switches, firewalls and peripherals)
•4.5 Knowledge of database administration practices
•4.6 Knowledge of the functionality of system software including operating systems, utilities and database management systems
•4.7 Knowledge of capacity planning and monitoring techniques
•4.8 Knowledge of processes for managing scheduled and emergency changes to the production systems and/or infrastructure including change, configuration, release and patch management practices
•4.9 Knowledge of incident/problem management practices (e.g., help desk, escalation procedures and tracking)
•4.10 Knowledge of software licensing and inventory practices
•4.11 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure and clustering)
133
IS Audit Small Quiz No.4
Domain 4 IT Service Delivery and Support
Service Level Agreement, IT service support and delivery, DB, Network, System operation, H/W and S/W
Quiz book
134
ITGC: IT general controls
IT control consists of:
•ITCLC: IT Company Level Control
•ITGC: IT General Controls
•ITAC: IT Application Control
ITCLC: IT Company Level Control
•IT governance/policy
•IT risk management
•Training
•Quality assurance
•IT internal audit
IT Infrastructure (network, server, PC ...), development and operation
ITGC: IT general controls
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls
Application systems of the company (accounting system, sales system, ...)
ITAC: IT Application Control (complete and accurate)
•Input data control
•Process control
•Output control
135
Understanding operation of infrastructure
Problems of current IT systems and operation
* IT systems became the core of business and social activities, and at the same time became bigger and more complicated.
* The cost of IT is not clear; sometimes investment in IT development and operation does not realize user needs.
ITIL (Information Technology Infrastructure Library) is a collection of good practices and knowledge/skill for the operation of infrastructure and realizes:
- Stable and high quality operation of IT infrastructure
- Providing a clear indicator of ROI (Return on Investment) for IT operation
Note: Quality of development is usually addressed by the ideas of CMMI and other standards.
136
Overview of ITIL Ver3.0
•Service Strategy
 - Link IT service strategies to customer value
•Service Design
 - Design services to satisfy business objectives
•Service Transition
 - Implement service designs
 - Service knowledge management system
 - Refinement of change, configuration and release processes
•Service Operation
 - Deliver and manage services
 - Refinement of incident and problem management processes
 - Event and access management
•Continual Service Improvement
 - Never-ending review for opportunities
137
Process of ITIL (1)
Cycle: Processes and Functions
Service Strategy
•Financial Management
•Service Portfolio Management
•Demand Management
Service Design
•Service Catalog Management
•Service Level Management
•Capacity Management
•Availability Management
•Service Continuity Management
•Information Security Management
•Supplier Management
Service Transition
•Transition planning and support
•Change Management
•Service Asset and Configuration Management
•Release and configuration Management
•Service validation and testing
•Evaluation
•Knowledge Management
138
Process of ITIL (2)
Cycle: Processes and Functions
Service Operation
•Event Management
•Incident Management
•Request fulfillment
•Problem Management
•Access Management
•Monitoring and control
•IT operation
•Service Desk
•Functions: Technical Management, IT Operations Management, Applications Management
Continual Service Improvement
•Improvement Process
•Service Report
139
Service Level Agreement
A service level agreement (frequently abbreviated as SLA) is a part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service) or performance. As an example, internet service providers will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms (typically the SLA will in this case have a technical definition in terms of MTTF, MTTR, various data rates, etc.)
Example: Hardware Performance Metrics in an SLA
•Availability: Time; hours, percent
•Maximum down-time: Hardware; hours or percent
•Failure frequency: Hardware; number
•Response time: Hardware; duration in minutes
•Periods of operation: Time
•Service times: Time
•Accessibility in case of problems: Yes/no
•Backup: Time
•Processor time: Seconds
•Instructions per second: Number per second
•Number of workstations: Number
140
Example: Strategy of reformation of IT Operation
Target phases (Organization / Roles / Culture / Skills / Training / Metrics)
Phase 1
•Organization: Aligned by technology
•Roles: Technology specialists
•Culture: Hero-oriented
•Skills: Job titles in place
•Training: Limited, technical
•Metrics: FTE (M/M), basic record of work
Phase 2
•Organization: Hierarchical org., team system
•Roles: Service roles emerge
•Culture: Looking at best practices
•Skills: Job levels (skill standard) defined
•Training: Technology by job levels
•Metrics: Basic QA, basic record and monitoring
Phase 3
•Organization: Process/service-centric
•Roles: Process role well-defined
•Culture: Working on best practices
•Skills: Employee skills tracked
•Training: Formal training, job rotations
•Metrics: Ordinary SLA, data for proactive activities
Phase 4
•Organization: Process cycle based
•Roles: Process manager and owner role well-defined
•Culture: Best practices effectively used
•Skills: Manage skills portfolio
•Training: Lifelong training including management
•Metrics: Detail SLA, data related to business
FTE: Full Time Equivalent, QA: Quality Assurance, SLA: Service Level Agreement
141
Management and Tools for IT operation
Management                  Network monitoring tools   Service Desk (ITIL) support tools   Other tools
Incident Management         X (Detect)                 X (Manage)
Problem Management          X (Detect)                 X (Manage)
Service Management          X (Measure)                                                    Excel
Capability Management       X (Measure)                                                    Excel
Configuration Management    X (Monitor)                X (Manage)
Change Management                                      X (Manage)
Finance Management                                                                         Excel
Skill Management                                                                           Excel or Access
Knowledge Management                                   X (Manage)                          Word, Excel
Evaluation and Report       X (Data)                   X (Data/Report)                     Word, Excel
142
Sample: System for IT support (Medium and Small Class)
Center: Central Service Desk and NOC
Remote: Local Service Desk / Remote NOC, with its own Traffic/QoS Monitoring System and Trouble detecting System
Systems at the center:
•Service Desk Management System: history of events & incidents, needs and requests; incident management (troubleshooting)
•Staff Skill / Capacity Management System: capacity development of ICT staff
•Traffic/QoS Monitoring System: information on traffic/QoS
•Configuration Management System: information on configuration
•Trouble detecting System
•Knowledge Management System: knowledge DB, work procedures (documents)
•Service Catalog / Service Level Management System: SC/SL DB
Tools for IT operation
•Service Desk Plus: http://www.manageengine.com/products/service-desk/index.html
Go to both websites.
145
Workflow of Change Management for approval
Why is change management important? More than 50% of incidents, and more than 90% of incidents that affect the business, are caused by changes.
Roles in the workflow: User, Change Manager, CAB (Change Advisory Board), Configuration Manager, Programmer/Operator
Flow of an RFC (Request For Change), flattened from the slide's diagram:
•User: input the RFC
•Change Manager: review the RFC; reject it, or set the initial priority and update the RFC
•Change Manager: decide priority & schedule and the type of change
 - Urgent: urgent change procedure
 - Trivial: approval and plan
 - Serious: CAB impact assessment & discussion of the change; approval No -> report; approval Yes -> approval and plan
•Programmer/Operator: change procedure, then update the RFC
•Configuration Manager: update the RFC
146
Viewpoint of IS audit (Operation: Change Management)
Category / Target: Description
Testing / Testing
•Before changing, is the new module or program tested under appropriate regulation and approved by management?
Procedure / Changing procedure
•Is an appropriate RFC (Request for Change) format established, and is the change request handled by an authorized process?
•Do personnel follow the change regulations?
•Is change history recorded?
•Is the management that makes the decision on a change defined?
•If possible, is an automated change function developed?
Exception / Exception and failure
•Is an urgent change procedure established?
•When the changed module/program does not work well, is a recovery method established?
•Do controls detect unauthorized changes?
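A detective control behind the questions "Is change history recorded?" and "Do controls detect unauthorized changes?", added here as an example (not from the course): it fingerprints a set of configuration items at baseline and at review time, and matches every difference found against the recorded RFCs. Item names, RFC numbers, statuses and file contents are constructed.

```python
"""Unauthorized-change detection for a change-management audit (added example, not from
the course).  A baseline fingerprint is taken when the last approved change is closed; at
review time a fresh fingerprint is compared with it and every difference is matched to
the change history.  All items, RFCs and contents are constructed."""
import hashlib


def fingerprint(items: dict) -> dict:
    """SHA-256 digest per configuration item (name -> bytes)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in items.items()}


def detect_changes(baseline: dict, current: dict) -> dict:
    """Return {item: 'added' | 'modified' | 'removed'} for every difference."""
    changes = {}
    for name in sorted(baseline.keys() | current.keys()):
        if name not in current:
            changes[name] = "removed"
        elif name not in baseline:
            changes[name] = "added"
        elif baseline[name] != current[name]:
            changes[name] = "modified"
    return changes


def review_changes(changes: dict, rfcs: list) -> dict:
    """Match detected changes against RFCs.  Only an approved RFC that lists the item
    authorizes a change to it; a rejected RFC, or one still under review, covers nothing."""
    covered = {}
    for rfc in rfcs:
        if rfc["status"] == "approved":
            for item in rfc["items"]:
                covered.setdefault(item, []).append(rfc["id"])
    authorized = {item: covered[item] for item in changes if item in covered}
    unauthorized = {item: kind for item, kind in changes.items() if item not in covered}
    # Approved but nothing changed: the change history and reality disagree the other way.
    not_implemented = [rfc["id"] for rfc in rfcs if rfc["status"] == "approved"
                       and not any(item in changes for item in rfc["items"])]
    return {"authorized": authorized, "unauthorized": unauthorized,
            "not_implemented": not_implemented}


# Constructed configuration items at baseline time and at review time.
BASELINE_ITEMS = {
    "httpd.conf":    b"Listen 80\nServerTokens Prod\n",
    "sshd_config":   b"PermitRootLogin no\nPasswordAuthentication no\n",
    "hosts.allow":   b"sshd: 10.0.0.0/8\n",
    "cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}
CURRENT_ITEMS = {
    "httpd.conf":     b"Listen 80\nServerTokens Prod\nTraceEnable off\n",   # RFC-101
    "sshd_config":    b"PermitRootLogin yes\nPasswordAuthentication no\n",  # RFC-102 was rejected
    "cron.d/backup":  b"0 2 * * * root /usr/local/bin/backup.sh\n",         # unchanged
    "firewall.rules": b"-A INPUT -p tcp --dport 443 -j ACCEPT\n",           # urgent RFC-104
}                                                                           # hosts.allow removed, no RFC

# Constructed change history as the change manager recorded it.  RFC-104 went through
# the urgent change procedure and was approved afterwards, so it counts as approved.
RFCS = [
    {"id": "RFC-101", "status": "approved", "items": ["httpd.conf"]},
    {"id": "RFC-102", "status": "rejected", "items": ["sshd_config"]},
    {"id": "RFC-103", "status": "approved", "items": ["cron.d/backup"]},
    {"id": "RFC-104", "status": "approved", "items": ["firewall.rules"], "urgent": True},
]


def audit_sample() -> dict:
    """Run the check over the constructed data and return the three buckets."""
    changes = detect_changes(fingerprint(BASELINE_ITEMS), fingerprint(CURRENT_ITEMS))
    return review_changes(changes, RFCS)


if __name__ == "__main__":
    for bucket, content in audit_sample().items():
        print(f"{bucket}: {content}")
```

Each item in the unauthorized bucket is an audit finding on its own; the not_implemented bucket shows that the recorded change history must be checked in both directions.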
147
Overview of Incident/Problem management and service desk
Risk factors: remaining bugs,  operation errors, crime, system break. They appear and/or occur as failures (troubles) that users experience.
Incident Management: to restore normal service operation as quickly as possible and to minimize the impact on business operations
Problem Management: to get rid of the factor of risk or failure, or to resolve the factor that made or will make a failure
Detection and handling: the monitoring system and the service desk detect risk factors or symptoms; user requests go to 1st level staff and are escalated to 2nd level staff
148
Viewpoint of IS audit (Incident & Problem management)
Category / Target: Description
Procedure and situation / Regulation and procedure
•Does the organization have appropriate procedures to resolve problems, especially an escalation route?
•Are recording tasks and functions for events, incidents and problems developed?
Procedure and situation / Situation of incident/problem management
•Do problems exist during processing?
•Were problems resolved in a timely manner, and was the resolution complete and reasonable?
•Are all problems identified for verification and resolution?
Help desk (Service desk) / Help desk (Service desk)
•Does the help desk have appropriate staff?
•Are there SLAs for the help desk?
•Is there appropriate supporting software for the help desk?
•Does the help desk have appropriate regulations and procedures, especially an escalation route, to resolve problems?
•Does the help desk keep appropriate support and working records?
149
Overview of Capacity Management
Reactive activities:
•Monitoring and measuring
•Responding and reacting to capacity-related events (incidents)
Proactive activities:
•Predicting future requirements and trends
•Budgeting, planning and implementing upgrades
•Seeking ways to improve service performance
•Optimizing the performance of a service
150
Viewpoint of IS audit (Hardware)
Category / Target: Description
Planning & Acquisition / Planning
•Is the plan aligned with business requirements?
•Is the plan synchronized with IS plans?
•Have criteria for acquisition of hardware been developed, and are they appropriate?
•Does new hardware suit the current IT environment?
Planning & Acquisition / Acquisition
•Is the acquisition in line with the hardware acquisition plan?
•Are procurements and procurement documents based on appropriate procedures and regulations?
•Are procurement processes approved by appropriate management?
Operation & Incident management / Operation & Maintenance
•Is scheduling adequate to meet workload schedules and user requirements?
•Is scheduling flexible enough to accommodate required hardware and preventive maintenance?
•Is maintenance done during off-peak workload periods?
•Is the maintenance the vendors recommend done appropriately?
Operation & Incident management / Monitoring & Incident/Problem management
•Have IS management staff reviewed malfunctions, abnormal system terminations and operator actions?
•Is continuous review performed of hardware and system software performance and capacity?
•Is monitoring adequate in the case of equipment failure?
•Is monitoring based on logs, maintenance history and adequate information?
151
Overview of Middleware
Middleware is computer software that connects software components or some people and their applications. It usually connects the OS and application software.
Message-oriented middleware
•Message-oriented middleware is middleware where transactions or event notifications are delivered between disparate systems or components by way of messages, often via an enterprise messaging system.
Enterprise messaging system
•An enterprise messaging system is a type of middleware that facilitates message passing between disparate systems or components in standard formats, often using XML, SOAP or web services.
Transaction processing monitors
•Provide tools and an environment to develop and deploy distributed applications.
Application servers
•Software installed on a computer to facilitate the serving (running) of other applications.
SQL-oriented data access
•SQL-oriented data access is middleware between applications and database servers.
152
Viewpoint of IS audit (OS and System software)
Category / Target: Description
Planning & Acquisition / Planning
•Are the plans aligned with the objectives of the business?
•Do they meet the requirements?
•Do they include IS controls?
•Do they comply with short- and long-range IS plans?
Planning & Acquisition / Feasibility study and acquisition process
•Are the proposed system objectives and purpose consistent with the request?
•Has the cost-benefit analysis of system software procedures been addressed?
Operation & Incident management / Security and Control
•Have procedures been established to restrict the ability to circumvent logical access?
•Have procedures been implemented to manage software updates?
•Are controls adequate in change, authorization, security, audit test, ...?
•Is the master console secure?
Operation & Incident management / Operation and documentation
•Have all appropriate levels of software been implemented?
•Is the necessary documentation kept, such as access violations, change management, parameters, activity logs and reports ...?
•Is the latest version in place, with testing?
153
Basic Key words of Network
•LAN/WAN
•DNS, DHCP, Web server, FTP and mail server
•IPv4, IPv6, Port Number, Global IP Address
•ISO architecture, NIC
•TCP/IP, UDP
•HTTP, ARP, SNMP
•NAT, RADIUS
•SSL, Applet, CGI, .Net, PHP, Java, Cookie
•Wireless IEEE 802.11a/b/g, WiMAX IEEE 802.16, Ubiquitous computing
•WPA (Wi-Fi Protected Access), WAP (Wireless Application Protocol)
•LDAP, H.32x, VOD, Streaming
•QoS
•VPN, SSH, DMZ, Proxy, Firewall, Security hole
•Intrusion Detection System (IDS), Intrusion Prevention System (IPS)
•URL, Search Engine, SEO
•Router, Switch, Hub, Modem, ATM, FR
•Optical fiber, ADSL, FDDI, Ethernet
•SNS, Blog
•ISP
•Cloud computing, SaaS
154
Tools for Network Monitoring
Type | Category | Purpose | Example (Recommendation)
Snapshot (operated manually) | Command for network management | Detecting trouble | ping, tracert, netstat
Snapshot (operated manually) | Network analyzer | Detecting trouble / measuring traffic (packets) | Sniffer, Wireshark, ASTEC Eyes
Daily tool (operated automatically) | Traffic monitor | Measuring traffic | MRTG
Daily tool (operated automatically) | SNMP manager | Configuration management / detecting trouble | NET-SNMP
Daily tool (operated automatically) | Server monitoring | Detecting trouble | Nagios
155
Viewpoint of IS audit (Network Infrastructure & implementation)
Category / Target / Description
Physical environment
Physical security for the facility
•Are network devices located in a secure facility with access restricted to the network administrator?
•Are the keys to enter the network facility secured?
•Is the wiring physically secured?
Server facility
•Is the environment of the servers well controlled (temperature, humidity and static electricity guards)?
•Are there appropriate and sufficient means against fire?
•Are there appropriate and sufficient devices for a breakdown of electricity?
Logical access control to network devices
Access and password
•Are there appropriate regulations to manage passwords?
•Are network access change requests authorized by an appropriate manager using standard forms?
•Are users assigned unique passwords?
Report and monitoring
•Are all login processes recorded in log files?
•Is there a function that detects unauthorized log-ins?
•Are security reports reviewed adequately and in a timely manner?
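The last two audit questions (are logins recorded completely, and can unauthorized log-in attempts be detected) can be checked mechanically. The following is an added example, not part of the training material; the log format, host names and thresholds are constructed for illustration.

```python
"""Check that login events are logged completely and flag repeated login
failures. Added example: the log format below is constructed, not the
format of any real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log (not real data).
SAMPLE_LOG = """\
2010-10-10 09:00:01 auth LOGIN_OK user=alice src=10.0.0.5
2010-10-10 09:01:10 auth LOGIN_FAIL user=admin src=203.0.113.9
2010-10-10 09:01:12 auth LOGIN_FAIL user=admin src=203.0.113.9
2010-10-10 09:01:15 auth LOGIN_FAIL user=root src=203.0.113.9
2010-10-10 09:01:19 auth LOGIN_FAIL user=admin src=203.0.113.9
2010-10-10 09:30:00 auth LOGIN_FAIL user=bob src=10.0.0.7
2010-10-10 10:05:00 auth LOGIN_OK user=bob src=10.0.0.7
2010-10-10 10:06:00 auth LOGIN_OK src=10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL)(?P<fields>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Return a dict for one login record, or None for a non-login line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
           "event": m.group("event")}
    for kv in m.group("fields").split():
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def audit_login_log(text, max_failures=3, window=timedelta(minutes=5)):
    """Audit a login log against two controls.

    Returns a dict with:
      records    - number of login events found
      incomplete - records missing 'user' or 'src' (control: every login
                   must be recorded with who logged in and from where)
      alerts     - (src, first_ts, count) for sources with at least
                   max_failures failed logins inside 'window' (control:
                   unauthorized log-in attempts must be detectable)
    """
    records = [r for r in map(parse_line, text.splitlines()) if r]
    incomplete = [r for r in records if "user" not in r or "src" not in r]

    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL" and "src" in r:
            failures[r["src"]].append(r["ts"])

    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        # Sliding window over the sorted failure timestamps of one source.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                alerts.append((src, times[start], end - start + 1))
                break
    return {"records": len(records), "incomplete": incomplete, "alerts": alerts}


if __name__ == "__main__":
    result = audit_login_log(SAMPLE_LOG)
    print("login records:", result["records"])
    print("records missing user or source:", len(result["incomplete"]))
    for src, first, count in result["alerts"]:
        print(f"ALERT {src}: {count} failed logins starting {first}")
```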
156
DB Normalization
First Normal Form (1NF)
•Eliminate duplicative columns from the same table.
•Create separate tables for each group of related data and identify each row with a unique column or set of columns (the primary key).
Second Normal Form (2NF)
•Remove subsets of data that apply to multiple rows of a table and place them in separate tables.
•Create relationships between these new tables and their predecessors through the use of foreign keys.
Third Normal Form (3NF)
•Remove columns that are not dependent upon the primary key.
Order form: Date 10th OCT. 2010, Customer name: UP company, Customer No. 4650
Item Code | Category | Name | Unit Price | Qty
1090 | 201 Device | Mouse xx | 50 | 10
2053 | 204 Parts | IC 7xxxx | 5 | 100
3459 | 201 Device | LAN cable | 3 | 30
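The order form above, carried through to 3NF and loaded into SQLite, as an added example (not code from the training material). The table and column names are my own; the customer, item and category values are the ones on the order form, and the foreign-key check at the end is the kind of constraint test an auditor asks about in the next slide.

```python
"""Normalize the slide's order form into 3NF tables with sqlite3 and show
that the decomposition is lossless. Added example: table names and the
order number are my reconstruction, not the training material's."""
import sqlite3

# The order form as it appears on the slide, one row per line item.
# Order header columns repeat on every line, and the category name depends
# only on the category code, not on the item: this is what 1NF/2NF/3NF remove.
ORDER_FORM = [
    # order_date, customer_no, customer_name, item_code, category_code,
    # category_name, item_name, unit_price, qty
    ("2010-10-10", 4650, "UP company", 1090, 201, "Device", "Mouse xx", 50, 10),
    ("2010-10-10", 4650, "UP company", 2053, 204, "Parts", "IC 7xxxx", 5, 100),
    ("2010-10-10", 4650, "UP company", 3459, 201, "Device", "LAN cable", 3, 30),
]

SCHEMA = """
CREATE TABLE customer (customer_no INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE category (category_code INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE item (
    item_code     INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    unit_price    INTEGER NOT NULL,
    category_code INTEGER NOT NULL REFERENCES category(category_code));
CREATE TABLE sales_order (
    order_no    INTEGER PRIMARY KEY,
    order_date  TEXT NOT NULL,
    customer_no INTEGER NOT NULL REFERENCES customer(customer_no));
CREATE TABLE order_line (
    order_no  INTEGER NOT NULL REFERENCES sales_order(order_no),
    item_code INTEGER NOT NULL REFERENCES item(item_code),
    qty       INTEGER NOT NULL,
    PRIMARY KEY (order_no, item_code));
"""


def load_order_form(rows, order_no=1):
    """Create the 3NF schema in memory and load the flat form into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    for (date, cust_no, cust_name, item_code, cat, cat_name,
         item_name, price, qty) in rows:
        conn.execute("INSERT OR IGNORE INTO customer VALUES (?, ?)", (cust_no, cust_name))
        conn.execute("INSERT OR IGNORE INTO category VALUES (?, ?)", (cat, cat_name))
        conn.execute("INSERT OR IGNORE INTO item VALUES (?, ?, ?, ?)",
                     (item_code, item_name, price, cat))
        conn.execute("INSERT OR IGNORE INTO sales_order VALUES (?, ?, ?)",
                     (order_no, date, cust_no))
        conn.execute("INSERT INTO order_line VALUES (?, ?, ?)", (order_no, item_code, qty))
    conn.commit()
    return conn


def rebuild_order_form(conn, order_no=1):
    """Join the normalized tables back into the flat order form."""
    sql = """
    SELECT o.order_date, c.customer_no, c.name, i.item_code, g.category_code,
           g.name, i.name, i.unit_price, l.qty
    FROM order_line l
    JOIN sales_order o ON o.order_no = l.order_no
    JOIN customer c ON c.customer_no = o.customer_no
    JOIN item i ON i.item_code = l.item_code
    JOIN category g ON g.category_code = i.category_code
    WHERE l.order_no = ?
    ORDER BY i.item_code"""
    return [tuple(r) for r in conn.execute(sql, (order_no,))]


def table_counts(conn):
    """Row count per table: shows where the redundancy went."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("customer", "category", "item", "sales_order", "order_line")}


def foreign_key_enforced(conn):
    """True if the DBMS rejects an order line for an item that does not exist."""
    try:
        conn.execute("INSERT INTO order_line VALUES (1, 9999, 1)")
    except sqlite3.IntegrityError:
        return True
    conn.execute("DELETE FROM order_line WHERE item_code = 9999")
    return False


if __name__ == "__main__":
    db = load_order_form(ORDER_FORM)
    print(table_counts(db))
    print("lossless:", rebuild_order_form(db) == ORDER_FORM)
    print("foreign keys enforced:", foreign_key_enforced(db))
```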
157
Viewpoint of IS audit (Data Base)
Category / Target / Description
Design
Logical schema
•Do all entities in the entity diagram exist?
•Are all relations represented through foreign keys?
•Are constraints specified clearly?
Physical schema
•Has allocation of initial and extension space been done according to the requirements?
•Are indexes present?
•If the DB is not normalized, is the justification accepted?
•Is data redundancy minimized by the DBMS?
Design and Operation
Reliability and integrity
•Are there adequate change procedures to ensure the integrity of the DB management software?
•Is the integrity of the DBMS's data directory maintained?
•Are the integrity and confidentiality of data not affected by data import and export procedures?
Operation
•Do backup and disaster recovery procedures exist?
Operation and Security
Security
•Are the security levels of users and their roles appropriate and secure?
•Is access to shared data appropriate?
158
Tasks of operation staff
•Executing and monitoring scheduled jobs
•Facilitating timely backup
•Monitoring unauthorized access and use of sensitive data
•Monitoring and reviewing the extent of adherence to IT operation procedures as established by IS and business management
•Participating in tests of disaster recovery plans
•Monitoring the performance, capacity, availability and failure of information resources
•Facilitating troubleshooting and incident handling
159
Viewpoint of IS audit (Operation)
Category / Target / Description
Regulation and Control
•Are documented instructions adequate for peripherals, start-up and shutdown, troubleshooting and records to be retained?
•Have controls been put in place to ensure the accuracy and efficiency of operation?
•Is there appropriate supervision or a supervisory function?
•Are controls over input appropriate and sufficient?
Environment
•Is the online library facility located away from the computer room?
•Do all storage media have appropriate labels?
Operation
•Have procedures been established to control the storage media?
•Are these procedures being followed?
•Are the automated operation software and manual contingency procedures documented and tested?
•Are all errors of the automated software reported to the operator?
Security
•Is access to files and the documentation library restricted to operators?
•Is access to programs and data used for corrections restricted?
•Are responsibilities for operation of the computer and other devices limited?
161
Overview of Tasks for Domain 6
•6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
•6.2 Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
•6.3 Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.
162
Overview of skill and knowledge for Domain 6
•6.1 Knowledge of data backup, storage, maintenance, retention and restoration processes and practices
•6.2 Knowledge of regulatory, legal, contractual and insurance issues related to business continuity and disaster recovery
•6.3 Knowledge of business impact analysis (BIA)
•6.4 Knowledge of the development and maintenance of the business continuity and disaster recovery plans
•6.5 Knowledge of business continuity and disaster recovery testing approaches and methods
•6.6 Knowledge of human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning and response teams)
•6.7 Knowledge of processes used to invoke the business continuity and disaster recovery plans
•6.8 Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites and cold sites)
163
IS Audit Small Quiz No.5
Domain 6 Business Continuity and Disaster Recovery
Backup/Recovery, Availability, Continuity, Disaster Recovery Planning, Business Continuity Planning
Quiz book
164
IT control: ITCLC, ITGC and ITAC
[Figure: a company's application systems (Accounting System, Sales System, ...) sit on the IT infrastructure (network, server, PC ...) with development and operation; ITCLC applies across the company, ITGC to infrastructure, development and operation, and ITAC to each application system.]
ITCLC: IT Company Level Control
•IT Governance/Policy
•IT Risk Management
•Training
•Quality Assurance
•IT Internal Audit
ITGC: IT general controls
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls
ITAC: IT Application Control (processing must be complete and accurate)
•Input data control
•Process control
•Output control
165
Process of ITIL (1)
Cycle | Processes and Functions
Service Strategy | Financial Management; Service Portfolio Management; Demand Management
Service Design | Service Catalog Management; Service Level Management; Capacity Management; Availability Management; Service Continuity Management; Information Security Management; Supplier Management
Service Transition | Transition planning and support; Change Management; Service Asset and Configuration Management; Release and configuration Management; Service validation and testing; Evaluation; Knowledge Management
166
Overview of Disaster Recovery Plan (DRP)
[Figure: the headquarters data center sends backups to a recovery site over a backup network; after a disaster, processing is restored at the recovery site.]
167
Type of Disaster and Threats
Natural
•Flood & other water-based incidents
•Earthquakes
•Hurricanes, tornadoes, monsoons
•Thunder, hail and ice storms
•Lightning and electrical storms
•Snow and winter storms
•Volcanic eruptions, ash fall-out
•Large natural fires & smoke residues
Man Made
•Political
•Fires
•Flood due to equipment, pipes, sprinklers etc.
•Epidemics
•Explosions
•Hazardous / toxic material spills, contamination, access denial
168
Overview of BCP: Business Continuity Plan
BCP: Business Continuity Plan. An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.
BCP vs. DRP
•The Business Continuity Plan (BCP) tells us what essential resources are needed to continue business operations.
•The Disaster Recovery Plan (DRP) tells us how to bring back those essential resources. The purpose of the DRP is to carry out the BCP.
169
Flow of BCP / DRP
1. Planning
2. Risk Assessment & Business Impact Analysis
3. Developing Plan Strategies & Developing The Plan
4. Plan Testing & Maintenance
5. Awareness & Training
170
Flow of BCP / DRP: Planning
•Define BCP vs. DRP for clear understanding by all.
•Identify project sponsors and leadership. Define objectives, policies, critical success factors and scope. Identify legal and regulatory requirements.
•Define standard terms and assumptions.
•Develop a project plan and budget: hard costs and soft costs such as equipment, personnel resources, facilities, etc.
171
Flow of BCP / DRP: Risk Assessment & Business Impact Analysis
•The process of identifying the risks to an organization, assessing the critical functions necessary for the organization to continue business operations, defining the controls in place to reduce the organization's exposure and evaluating the cost of such controls.
•Identify the following:
– Risk: exposure to loss, injury or danger; potential for loss (qualitative or quantitative).
– Threats: events that can cause a risk to become an actual loss (natural or man-made).
– Vulnerabilities: exposure to an event that can cause actual loss.
Quantitative risk:
– Assigns a value to the risk.
– Identifies the cost of a particular effect, incident or phenomenon.
– Can be stated as an ALE (Annualized Loss Exposure or Expectancy).
Qualitative risk:
– Intangible effects caused by a particular incident.
– Descriptive; usually relates a cause to an effect.
172
Type of Risk to be considered
Compliance | Contractual; Regulatory; Service Level Agreements
Financial | Lost/Deferred Revenue; Opportunity; Shareholder Equity
Operational | People; Production; Supply Chain
Strategic | Market Share; Partnerships; Reputation
Technical | Cyber crime; E-Business; Infrastructure Failure
Critical assets:
– People;
– Buildings and facilities;
– Computer equipment (PCs, servers, mainframes, etc.);
– Telecom equipment (PBXs);
– Communication equipment (routers, switches, CSU/DSU etc.);
– Inventory and materials;
– Production & plant equipment;
– Critical data;
– Critical computer applications;
– Operating systems and databases;
– Environmental (power, HVAC, physical security); and
– Internal & external customers & users.
173
Type of Recovery Site
Recovery Site | Recovery Time | Cost | Infrastructure | Equipment | Data | Operators
Redundant (Mirror) | Seconds | Double | Yes, same | Yes, same | Same (real-time) | Same
Hot site | Hours | Very high | Yes | Yes | Restore | Transfer
Warm site | Days | High | Yes | No | Restore | Transfer
Cold site | Weeks | Low | No | No | Restore | Transfer
Mobile site | 8+ hours to days | High | Need | Yes | Restore | Transfer
174
RTO and RPO
RTO: the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
RPO: the point in time to which you must recover data, as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation.
[Figure: timeline from -1 day to +1 day around the disaster at T=0. RPO is measured backwards from T=0 and depends on the backup method shown (tape backup, disk backup, real-time transaction backup); RTO is measured forwards from T=0.]
175
Design of new Controls for BCP / DRP
Current controls
•Physical controls: fire suppression / sprinkler systems; access control systems; security guards
•Procedural controls: hiring and termination policies; clean desk policy; document receipting
•Logical controls: data storage protection; protection afforded to assets by their location in relation to the threat
Evaluate the effectiveness
•Deter the threat
•Lessen the loss
•Ability to deter or reduce risks
Improve the effectiveness of controls:
•Implementing layers of protection where possible
•Training
•Documentation
•Enforcement
176
Insurance for business including DRP
Insurance covers the following:
•IS equipment and facilities
•Media (software) reconstruction
•Extra expense: based on the availability and cost of the backup facility and its operation
•Business interruption
•Errors and omissions: legal liability protection against financial loss to a client
•Fidelity coverage: covering loss from dishonest or fraudulent acts by employees
•Media transportation
177
Organization for BCP/DRP after disaster
Teams
•Incident response team
•Emergency action team (first action, for example against fire)
•Information security team
•Damage assessment team
•Emergency management team
•Offsite storage team
•Software team
•Application team
•Emergency operation team
•Network recovery team (for the information system)
•Communication team
•Transportation team
•User hardware team
•Data preparation and records team
•Administrative support team
•Supplies team
•Salvage team (management of moving to a recovery site)
•Relocation team (management of moving from a recovery site)
•Coordination team (for all the sites (branches) and the recovery site)
•Legal affairs team
•Recovery test team
•Training team
178
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objectives, while maintaining the organization's critical functions.
Identify requirements for DRP and BCP strategies
•Review business recovery issues from the BIA
•Review technology recovery issues for each support area
•Review non-technology issues for each support area
Identify off-site storage requirements and alternative facilities
Identify viable recovery strategies within business functional areas:
•Service degradation
•Internal recovery (reciprocal agreement)
•Commercial recovery center such as a hot site or warm site
Consolidate strategies across the enterprise
•Coordination of technology recovery
•Enterprise-level crisis management
•Enterprise-level media handling
•Centralized strategy for interfacing with local
179
RAID: Redundant Array of Independent Disks
Level | Description | Minimum # of disks | Space efficiency | Fault tolerance | Read benefit | Write benefit
RAID 0 | Block-level striping without parity or mirroring | 2 | 1 | 0 (none) | nX | nX
RAID 1 | Mirroring without parity or striping | 2 | 1/n | n-1 disks | nX | 1X
RAID 5 | Block-level striping with distributed parity | 3 | 1 - 1/n | 1 disk | (n-1)X | variable
180
Backup schemes
Full + incremental
•A full + incremental repository aims to make it more feasible to store several copies of the source data. At first, a full backup (of all files) is made. After that, any number of incremental backups can be made. There are many different types of incremental backups, but they all attempt to back up only a small amount of data (when compared to the size of a full backup). An incremental backup copies everything that changed after the last backup (full, differential or incremental).
Differential backup
•A differential backup copies files that have been created or changed since the last full backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of full and differential backups, restoring files and folders requires that you have the last full as well as the last differential backup.
Full + differential (F = copied by the Day 1 full backup, D = copied by that day's differential backup; a modified file appears in every differential from its modification day onward):
Day1 Day2 Day3 Day4 Day5
File1 F D D D D
File2 F D D
File3 F D D D
File4 F D
Full + incremental (F = copied by the Day 1 full backup, I = copied by the incremental backup on the day the file was modified; each file appears only on the day(s) it changed):
Day1 Day2 Day3 Day4 Day5
File1 F I I
File2 F I
File3 F I
File4 F I
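The two schemes simulated in code, as an added example that is not part of the training material. The modification days in MODIFIED are constructed so that the output reproduces the F/D/I marks of the tables above; the restore-set and RPO functions relate the schemes to the RTO/RPO slide (timestamps there are constructed as well).

```python
"""Simulate full+differential and full+incremental backups, the restore set
each needs, and the data-loss window to compare with an RPO. Added example:
MODIFIED and the backup timestamps are constructed, not from the slides."""
from datetime import datetime, timedelta

DAYS = [1, 2, 3, 4, 5]
# Constructed: days on which each file changed after the Day 1 full backup.
MODIFIED = {"File1": {2, 4}, "File2": {4}, "File3": {3}, "File4": {5}}


def backup_contents(modified, days, scheme):
    """Return {day: set of files} written by each backup run.

    days[0] is the full backup of every file. Later runs copy files changed
    since the last full backup ("diff") or since the last backup of any
    kind ("incr"); that is the whole difference between the two schemes.
    """
    full_day = days[0]
    plan = {full_day: set(modified)}
    last_backup = full_day
    for day in days[1:]:
        if scheme == "diff":
            since = full_day
        elif scheme == "incr":
            since = last_backup
        else:
            raise ValueError("scheme must be 'diff' or 'incr'")
        plan[day] = {f for f, when in modified.items()
                     if any(since < d <= day for d in when)}
        last_backup = day
    return plan


def restore_sets(days, scheme, restore_day):
    """Backups to apply, in order, to rebuild the state of restore_day.

    Differential: last full plus the last differential only. Incremental:
    last full plus every incremental since, so one missing or unreadable
    medium in the chain makes the later ones useless.
    """
    full_day = days[0]
    if restore_day == full_day:
        return [full_day]
    if scheme == "diff":
        return [full_day, restore_day]
    return [d for d in days if d <= restore_day]


def marks_table(plan, days, scheme):
    """Render the slide-style table: F = in the full backup, D or I = in that
    day's differential/incremental backup, '-' = not copied that day."""
    letter = "D" if scheme == "diff" else "I"
    return {f: " ".join(["F"] + [letter if f in plan[d] else "-" for d in days[1:]])
            for f in sorted(plan[days[0]])}


def data_loss_window(backup_times, disaster_time):
    """Time between the last completed backup and the disaster: the loss a
    scheme really incurs, to be compared with the RPO the business set."""
    done = [t for t in backup_times if t <= disaster_time]
    return disaster_time - max(done) if done else None


if __name__ == "__main__":
    for scheme in ("diff", "incr"):
        plan = backup_contents(MODIFIED, DAYS, scheme)
        print(scheme, marks_table(plan, DAYS, scheme),
              "restore Day 5 from:", restore_sets(DAYS, scheme, 5))
    disaster = datetime(2010, 10, 10, 14, 30)                     # constructed
    nightly = [datetime(2010, 10, d, 0, 0) for d in range(8, 11)]  # tape, daily
    hourly = [datetime(2010, 10, 10, h, 0) for h in range(24)]     # disk, hourly
    rpo = timedelta(hours=2)
    for name, times in (("nightly tape", nightly), ("hourly disk", hourly)):
        loss = data_loss_window(times, disaster)
        print(name, loss, "meets RPO" if loss <= rpo else "misses RPO")
```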
181
Network Disaster Recovery Methods
Methods for redundancy
•Secondary LAN cable
•Providing multiple paths between routers
•Dynamic routing protocols such as OSPF
•Providing failover devices to avoid a single point of failure
•Alternative routing including dial-up, cellular phone and microwave
•Diverse routing
•Long-haul network diversity
•Voice recovery
182
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Detail Plan (1/2)
Content | Detail content
Plan scope and objective | Definition of standard terms; Selecting the appropriate methodology; Scope of the project itself
Business Recovery Organization (BRO) and responsibilities | BCP planning coordinator; Disaster recovery teams; Business continuity management teams
Major plan components | Reduction; Response; Recovery and resumption
Escalation, notification and plan activation | Disaster declaration procedures; Mobilization procedures; Damage assessment concepts; Recovery site activation
Vital records and off-site storage program | What goes off-site; Inventory of what is off-site; How do you get it back
183
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Detail Plan (2/2)
Content | Detail content
Salvage and reclamation procedures | Document the extent of damage, items destroyed, items recoverable; Arrange for removal of recoverable items
Restoration planning | Preparations of the new facility; Preparations for moving into the new facility; Plans for cutting over from the temporary site to the new facility
Provisions for testing and maintenance of the plan | Procedures for periodic and routine update of the plan; Procedures for periodic and routine testing of the plan or plan components
184
Flow of BCP / DRP: Plan Testing & Maintenance
A program to periodically and methodically test all major components of the plan to ensure that they are functioning as designed.
•Allow for periodic testing of major plan components at least semi-annually.
•Identify scope, goals and objectives for each individual test.
•Provide for an independent auditing of test performance.
•Provide for a post-mortem / report of test results which are communicated to appropriate management levels.
•Provide a feedback mechanism into the plan maintenance process.
•Provide for the allocation of adequate resources.
185
Flow of BCP / DRP: Awareness & Training
A program to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the plan.
Methods and media for awareness & training:
•Videos / films;
•Newsletters;
•Posters;
•Promotional items;
•Brown-bag lunch meetings; and
•Budget and resources must be allocated.
186
Overview of viewpoint IS audit for DRP/BCP
[Figure: the DRP overview (headquarters data center, backup over the backup network, recovery site, disaster, restore) annotated with the audit viewpoints: BIA (Business Impact Assessment), DRP/BCP document, emergency team, movement to and recovering from the recovery site, and offsite storage.]
187
Offsite Storage
Classification | Description
Operating procedures | Application run books, job stream control instructions, operating system manuals
System and program documentation | Design documents, program code listings, error conditions and user manuals
Special procedures | Any procedures or instructions that are out of the ordinary
Input source documents and output documents | Duplicate copies of reports and summaries required for auditing, performance of vital work, satisfaction of legal requirements or expediting insurance claims
BCP | A copy of the latest version
188
Viewpoint of IS audit (Overview of DRP and BCP)
Category | Description
Plan
•Reviewing the business continuity strategy and its connection to business objectives
•Reviewing the BIA (Business Impact Assessment) to ensure that it reflects current business priorities and current controls
•Ensuring that plan maintenance processes are in place and that plans are reviewed and modified in a timely manner
•Verifying whether the BCP supports the overall business continuity strategy
•Evaluating the BCP to determine its adequacy and currency based on the BIA, including RTO and RPO
•Reviewing the identification, priorities and planned support of critical applications, and determining whether all critical applications have been identified
•Determining whether the secondary site has the correct versions of all system software
Method & means
•Evaluating offsite storage
•Verifying the treatment of backup media, including transportation
•Evaluating whether the business continuity manual and procedures are written simply and are easy to understand
Testing
•Verifying that the BCP is effective by reviewing the results of tests
Organization
•Evaluating the ability of personnel to respond effectively in an emergency situation by reviewing emergency procedures, records of training and results of testing
•Reviewing the list of business continuity personnel, emergency sites and vendors, and checking addresses and phone numbers by sampling
•Interviewing assigned personnel to confirm their understanding of their responsibilities in case of an interruption
189
Viewpoint of IS audit (Detail of DRP and BCP)
Category | Description
Procedure & method
•Identifying whether the transactions re-entered are appropriate
•Determining whether all recovery/continuity procedures are documented and the teams have copies of them
•Determining whether the plan adequately addresses movement to the recovery site and recovery from the recovery site
•Determining whether the items necessary for reconstruction of the information processing facility are stored offsite
•Does the plan include a procedure for merging master data with pre-disaster data?
Physical preparation
•Where is the backup facility site?
•Are regular and systematic backups being taken?
•Is the telecommunication backup working well?
191
Overview of Tasks for Domain 5
•5.1 Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
•5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
•5.3 Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
•5.4 Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
•5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.
192
Overview of skill and knowledge for Domain 5 (1)
•5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis and privacy impact assessment)
•5.2 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus and profiles)
•5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies and identity management)
•5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service and spamming)
•5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures and emergency incident response teams)
•5.6 Knowledge of network and Internet security devices, protocols and techniques (e.g., SSL, SET, VPN and NAT)
•5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation and maintenance
•5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
•5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities and registration authorities) and digital signature techniques
193
Overview of skill and knowledge for Domain 5 (2)
•5.10 Knowledge of virus detection tools and control techniques
•5.11 Knowledge of security testing and assessment tools (e.g., penetration testing and vulnerability scanning)
•5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems and water sensors)
•5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks and tokens)
•5.14 Knowledge of data classification schemes (e.g., public, confidential, private and sensitive data)
•5.15 Knowledge of voice communications security (e.g., voice over IP)
•5.16 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
•5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices and Bluetooth devices)
196
What is "Protection of Information Assets"
Information assets
•All elements of information that share a common usage, purpose, associated risk and/or form of storage.
•Something that is considered of worth to the organization.
Protection of information assets
•Protect against loss of nuclear sensitive/classified information,
•Protect against the theft of material (both physical and information),
•Protect against terrorist action,
•Ensure nuclear safety,
•Ensure business continuity,
•Minimize business risk
197
Overview of threats to Information Assets
[Figure: an e-commerce system and its database used by a customer, an operator, ABC Company and 123 Company, with a criminal as the attacker; threats shown: password obtained by interview, cracking, scavenging, spoofing, virus, malice, intrusion, eavesdropping, and lightning or fire.]
198
3+3 atomic elements of Information Security
Element | Description | Example
Confidentiality | Ensuring that unauthorized people, resources or processes cannot access information | Access control; Password; Cryptography
Integrity | Protection of information from intentional or accidental unauthorized changes | Digital signature
Availability | Assurance that information is available whenever needed | Redundancy of network; RAID
Accountability | Ensuring that actions can be traced to the responsible party and explained, by means of recorded logs or signatures | Access log
Authenticity | Ensuring that the data, transactions, communications or documents (electronic or physical) are genuine | Digital signature; Password
Reliability | Ensuring that systems and processes work well | Redundancy of network; RAID; Load monitoring
199
Concept of Protection of Information Assets (Attackers)
[Figure: relationships between owner, attackers, threats, vulnerabilities, risks, assets and countermeasures, read along its labelled arrows as follows.]
•Owners value assets and wish to minimize the risks to them.
•Owners impose countermeasures to reduce risks.
•Countermeasures may possess vulnerabilities, which owners may be aware of.
•Attackers give rise to threats that exploit vulnerabilities.
•Vulnerabilities increase the risks to assets; risks may be reduced by countermeasures.
•Attackers wish to abuse and/or may damage assets.
200
Type of computer crimes
Source of Attack | Target of Attack | Example
A: The computer is the object of the crime (attackers often use another computer to launch the attack) | Target may or may not be defined; attackers launch the attack with no specific target in mind | Distributed DoS; Virus; Spam
B: The computer is the object of the crime (attackers often use another computer to launch the attack) | A specific, identified computer | Denial of service (DoS); Hacking
D: The computer is the tool of the crime; the attacker uses a computer, but the target is not the computer | Target is data or information stored on a computer or transmitted on a network | Fraud; Unauthorized access; Phishing; Key logger
E: The computer symbolizes the crime; attackers lure the user of the computer to obtain confidential information | Target is the user of the computer | Social engineering (fake website, spam, spoofing)
F: The computer symbolizes the crime; the attacker obtains physical information assets directly | Target is a physical information asset | Piggybacking; Scavenging
201
Overview: Common attack methods and techniques
Target of Attack | Method
B: Attackers launch the attack with no specific target in mind | Virus; Worm; Interrupt attack; E-mail bombing; Flooding; Distributed DoS; Spam; Botnets
A: A specific, identified computer | Network analysis; Port scan; Password cracking; Message modification; Race condition; Man-in-the-middle attack; Packet replay; Masquerading; Buffer overflow; Alteration attack; Malicious code; Cracking; Denial of service (DoS); SQL injection
D: Target is data or information stored on a computer or transmitted on a network | Key logger; War driving; Spyware; Cross-site scripting; E-mail spoofing; Eavesdropping; Hacking; Remote maintenance; Salami
E: Target is the user of the computer | Social engineering (spoofing); Fake website; Phishing
F: Target is a physical information asset | Scavenging; Piggybacking
Computer Security Institute/FBI and Ernst & Young say nearly 50% of all network attacks come from the inside.
202
Security control concept (1)
Access control
•Ability to permit or deny the use of resources by a particular entity
•The ability to allow only authorized users, programs or processes system or resource access
Authentication
•Who goes there?
•Restrictions on who (or what) can access the system
•Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources
Authorization
•Are you allowed to do that?
•Restrictions on the actions of authenticated users
•The right or permission that is granted to a system entity to access a system resource
203
Security control concept (2)
Need-to-know
•Having access to the information that is required to carry out work
•Ensuring that access to nuclear sensitive assets is limited to only those who have the necessary 'need to know' and the appropriate security clearance
Defense-in-depth
•Places multiple barriers between an attacker and your assets
•The deeper an attacker tries to go, the more layers they need to get through undetected
Least privilege and functions
•The minimum level of computer access to an asset needed to effectively carry out work
•Only a minimal set of users have root access
•Users can use only the minimum functions they need
204
General idea: types of means of control
Type | Example of control
Avoid | Disconnect from network, stopping services
Reduce | Backup site, duplex system, monitoring
Transfer | Insurance, hosting
Accept | Enhancement of customer support
Type | Example of control
Preventive control | Firewall, DMZ, antivirus software, IPS (Intrusion Prevention System)
Detective control | Log, IDS (Intrusion Detection System), network monitoring
Corrective control | Backup, alternate device, recovery procedure
205
Technical measures of security
Type | Method | Marks in the columns P D C (Preventive / Detective / Corrective) and C I A (Confidentiality / Integrity / Availability)
Network fortress | Firewall | X x x x
Network fortress | IPS (Intrusion Prevention System) | X x x x
Network fortress | IDS (Intrusion Detection System) | X x x x
Network fortress | DMZ | X x x x
Encryption | PKI / X.509 | X X
Encryption | VPN (Virtual Private Network) / IPsec | X X
Encryption | SSL | X X X
General | Signature: digital signature | X X
General | Hash function | X X x X
General | Encryption: DES/AES | X x X
Authentication | Biometrics | X X
Authentication | Token device | X X
Authentication | One-time password | X X
Test | Vulnerability testing (SATAN) | X x x x
Test | Penetration testing | X x x x
Mail | Spam filter | X X x x x
Mail | S/MIME | X X X
PC | Antivirus software | X X X x x x
PC | Personal firewall | X X x x x
206
Information Security Cycle
Identification of important information
•Information security relies on the identification of the information assets which are of worth to the organization and need to be secured
Risk management
•Assessment of the risks associated with protection of the information
Security plan
•Overall specification of all security precautions, procedures, and systems that are implemented at a facility to protect material, personnel, information assets, etc. In short, what is the plan to implement our controls?
Implementation
•Security plan & supporting procedures; clearly defined roles & responsibilities; training, awareness & culture; incident response procedures
Follow-up measures
•Security tends to degrade during the operational phase of the life cycle
•Regular audits, assessments, tests, and inspections provide a means of preventing degradation of security operations
207
Security Audit
Evaluation of the information security status of all assets:
•Identify assets
•Identify vulnerabilities
•Identify threats
•Determine likelihood
•Determine consequence
•Identify security controls
•Risk mitigation
Security assessment areas cover:
•Security policy
•Organizational security
•Asset classification and control
•Personnel security
•Physical and environmental security
•Communications and operations management
•Access control
•System development and maintenance
•Business continuity management
•Compliance
•Other
•Security tends to degrade during the operational phase of the system life cycle; once it is in place it tends to be forgotten
•One-time or regular evaluation of security and controls
•Examine an entire system or a single anomalous event
•Conformity to the requirements of relevant legislation, regulations or management
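The audit steps listed above (identify assets, vulnerabilities and threats; determine likelihood and consequence; identify controls; mitigate) and the four treatment types from the means-of-control slide (avoid, reduce, transfer, accept) can be carried through on a small risk register. The Python below is an added example, not part of the course material: the 1-to-5 ordinal scales, the treatment thresholds, the assumed effect of each control and the sample register are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CONTROL_KINDS = ("preventive", "detective", "corrective")


@dataclass
class Control:
    name: str
    kind: str                 # one of CONTROL_KINDS
    likelihood_cut: int = 0   # levels of likelihood the control removes (assumed effect)
    consequence_cut: int = 0  # levels of consequence the control removes (assumed effect)


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed ordinal scale
    consequence: int            # 1 (negligible) .. 5 (severe), assumed ordinal scale
    transferable: bool = False  # can the residual risk be insured or hosted out?
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.consequence

    def residual(self) -> Tuple[int, int]:
        # Preventive controls mainly cut likelihood, corrective ones cut consequence;
        # detective controls here only contribute to coverage, not to the score.
        like, cons = self.likelihood, self.consequence
        for ctl in self.controls:
            like = max(1, like - ctl.likelihood_cut)
            cons = max(1, cons - ctl.consequence_cut)
        return like, cons

    def residual_score(self) -> int:
        like, cons = self.residual()
        return like * cons

    def control_gaps(self) -> Set[str]:
        """Control types (preventive/detective/corrective) not represented at all."""
        return set(CONTROL_KINDS) - {c.kind for c in self.controls}


def treatment(score: int, transferable: bool) -> str:
    """Map a residual score (1..25) to a treatment type; thresholds are assumptions."""
    if score >= 20:
        return "avoid"        # e.g. disconnect, stop the service, retire the asset
    if score >= 10:
        return "transfer" if transferable else "reduce"   # insurance/hosting vs. more controls
    if score >= 5:
        return "reduce"
    return "accept"


def assess(register: List[RiskItem]) -> List[Dict[str, object]]:
    findings = []
    for item in register:
        res = item.residual_score()
        findings.append({
            "asset": item.asset,
            "inherent": item.inherent_score(),
            "residual": res,
            "treatment": treatment(res, item.transferable),
            "control_gaps": sorted(item.control_gaps()),
        })
    return findings


# Constructed sample register
SAMPLE_REGISTER = [
    RiskItem("Customer database", "external intrusion", "unpatched web front end", 4, 5,
             controls=[Control("Firewall", "preventive", likelihood_cut=1),
                       Control("IDS", "detective"),
                       Control("Automatic patching", "preventive", likelihood_cut=1)]),
    RiskItem("Mail server", "phishing and spam", "no content filtering", 5, 2,
             controls=[Control("Spam filter", "preventive", likelihood_cut=2)]),
    RiskItem("File server", "disk failure", "single disk, no redundancy", 3, 4,
             controls=[Control("Offsite backup", "corrective", consequence_cut=3)]),
    RiskItem("Data centre", "flooding", "basement location", 2, 5, transferable=True),
    RiskItem("Legacy payroll application", "exploitation of known defects",
             "vendor no longer supplies fixes", 4, 5),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_REGISTER):
        print(f"{f['asset']}: inherent {f['inherent']}, residual {f['residual']}, "
              f"treatment {f['treatment']}, gaps {f['control_gaps']}")
```

The control-gap column is what an auditor adds on top of the score: an item whose residual risk looks acceptable but has no detective control at all means nobody would notice if the preventive control failed.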
208
Group roles and responsibility for security management
•Executive manager
•IS security steering committee
•Security advisory group
•CPO: Chief Privacy Officer
•CISO: Chief Information Security Officer
•Process owners
•Information asset owners
•Data owners
•Users
•Related third parties
•Security administrator
•Security specialist
•IT developer
•IS auditor
209
Key elements of information security management
Element: Description
Senior management: Commitment and support from senior management are important to the success of information security management
Policy and procedure: The policy framework should be established, including standards to develop a minimum security baseline, measurement criteria and methods, and specific guidelines, practices and procedures
Organization: Responsibility for the protection of individual assets should be clearly defined
Security awareness and education: All employees and third-party users should receive appropriate training and updates on security awareness and on compliance with written security policies and procedures
Monitoring and compliance: IS auditors are usually charged with assessing, on a regular basis, the effectiveness of the security program
Incident handling and response: Because a security incident is an event that adversely affects computer processing or usage, the organization should take appropriate measures to reduce the impact of an incident when it happens
210
Security baseline recommendations
Item: Objective / Recommendation (example)
Inventory for physical control: Establish and maintain an inventory / Users are expected to follow the standards for connecting to the network and to use a registered network address
Antivirus: Install antivirus software with automatic updating / The antivirus database should be updated every day
Passwords: Recognize the importance of passwords / The IT department should provide password guidance
Patching: Make it automated / Each machine should be configured to patch automatically
Minimizing services offered by infrastructure: Eliminate unnecessary services to reduce security risk / To improve basic security and minimize the effort of maintaining systems, workstations should offer only the needed services (software)
Addressing vulnerabilities: Eliminate many vulnerabilities through good system administration / Information from enterprise-wide scans helps to identify the vulnerabilities on each system
Backups: Allow easy recovery from user mistakes and hardware failure / Backups should be kept offsite to reduce the risk of loss
211
Summary: Basic Security Evaluation Checklist (1)
Topic: Points
Assets/inventory:
•What types of data are maintained by the company?
•Is there any confidential information? How is it kept?
•Are there any specific requirements for handling data?
Environment:
•What kinds of ICT devices does the company have?
•Is there a wireless network? How is its security?
•Is there an appropriate network map for security?
•What kinds of OS does the company use?
•How is remote network access handled?
•How are software licenses managed?
•How is configuration management of H/W and S/W done?
•Are there any physical security means for entering the IT room?
Anti-virus:
•Does the company have an anti-virus policy?
•Do all workstations and servers have anti-virus software?
•Does the antivirus software update its virus DB automatically?
•Does each staff member understand what to do when he/she finds a virus?
Password:
•Does the company have a policy on using passwords?
•Does the company conduct training?
•Is there any software to detect weak passwords?
•Do staff know that they must not share passwords?
212
Summary: Basic Security Evaluation Checklist (2)
Topic: Points
Patch:
•Do all devices update automatically? How often?
•Is there an environment for testing new patches?
•Is a backup taken before a new patch is applied?
Minimizing services:
•Does the company identify the necessary services?
•Do IT staff review the minimization of services?
•Are there any means to prevent new installations by unauthorized personnel?
Vulnerabilities:
•Is vulnerability testing done?
•After testing, does the company take measures against the vulnerabilities found?
•If someone finds a vulnerability, who provides support next?
•Are there a firewall and an IDS in the network?
Backup and recovery:
•Is backup done regularly?
•Are backups kept in a secure area?
•Are there appropriate procedures for backup and recovery?
•Are the backups adequate to recover the business in case of disaster?
•Do IT staff have experience of recovery, or of recovery tests?
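The baseline recommendations and the two checklists above are, in effect, a set of pass/fail tests per device, which is how an auditor would apply them to an inventory export. The Python below is an added example (not part of the course material) that runs those tests over constructed host records: the one-day antivirus update interval comes from the baseline slide, while the scan and backup intervals, the minimum password length, the role-based service allowlists, the registered address list and the host records themselves are assumptions made for the example.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed reference date so the example runs the same way every time
REFERENCE_DATE = date(2010, 10, 15)

# Baseline parameters: the one-day antivirus interval follows the slide; the other
# figures and the per-role service allowlists are assumptions for this example.
BASELINE = {
    "av_db_max_age_days": 1,
    "scan_max_age_days": 90,
    "backup_max_age_days": 7,
    "password_min_length": 12,
    "allowed_services": {
        "workstation": {"ssh", "av-agent"},
        "web-server": {"ssh", "https", "av-agent"},
        "file-server": {"ssh", "smb", "av-agent", "backup-agent"},
    },
}

# Network addresses recorded in the inventory (constructed)
REGISTERED_ADDRESSES = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21"}


def days_since(when: date, today: date) -> int:
    return (today - when).days


def evaluate_host(host: Dict, today: date = REFERENCE_DATE) -> List[str]:
    """Return the list of baseline deviations (finding codes) for one host record."""
    findings: List[str] = []

    # Inventory: every device must appear with a registered network address
    if host["address"] not in REGISTERED_ADDRESSES:
        findings.append("INV-unregistered-address")

    # Antivirus: installed, updating automatically, signature database fresh
    av = host["antivirus"]
    if not av["installed"]:
        findings.append("AV-missing")
    else:
        if not av["auto_update"]:
            findings.append("AV-no-auto-update")
        if days_since(av["db_date"], today) > BASELINE["av_db_max_age_days"]:
            findings.append("AV-db-stale")

    # Passwords: the configured minimum length must meet the guidance
    if host["password_min_length"] < BASELINE["password_min_length"]:
        findings.append("PWD-min-length-below-baseline")

    # Patching: each machine patches itself automatically
    if not host["auto_patch"]:
        findings.append("PATCH-not-automatic")

    # Minimizing services: anything outside the role's allowlist is a deviation
    allowed = BASELINE["allowed_services"].get(host["role"], set())
    for svc in sorted(set(host["services"]) - allowed):
        findings.append(f"SVC-unnecessary:{svc}")

    # Vulnerabilities: the host must have been scanned within the interval
    scan = host["last_scan"]
    if scan is None or days_since(scan, today) > BASELINE["scan_max_age_days"]:
        findings.append("VULN-scan-overdue")

    # Backups: recent, and a copy kept offsite
    backup = host["backup"]
    if backup["last"] is None or days_since(backup["last"], today) > BASELINE["backup_max_age_days"]:
        findings.append("BKP-overdue")
    if not backup["offsite"]:
        findings.append("BKP-not-offsite")

    return findings


def evaluate_fleet(hosts: List[Dict], today: date = REFERENCE_DATE) -> Dict[str, List[str]]:
    return {h["name"]: evaluate_host(h, today) for h in hosts}


def ago(days: int) -> date:
    return REFERENCE_DATE - timedelta(days=days)


# Constructed host records, as a normalised inventory export might look
SAMPLE_HOSTS = [
    {"name": "ws-01", "role": "workstation", "address": "10.0.1.10",
     "antivirus": {"installed": True, "auto_update": True, "db_date": ago(0)},
     "password_min_length": 12, "auto_patch": True,
     "services": {"ssh", "av-agent"}, "last_scan": ago(30),
     "backup": {"last": ago(2), "offsite": True}},
    {"name": "ws-02", "role": "workstation", "address": "10.0.1.99",
     "antivirus": {"installed": True, "auto_update": False, "db_date": ago(5)},
     "password_min_length": 8, "auto_patch": False,
     "services": {"ssh", "av-agent", "ftp"}, "last_scan": ago(120),
     "backup": {"last": ago(20), "offsite": False}},
    {"name": "web-01", "role": "web-server", "address": "10.0.2.20",
     "antivirus": {"installed": True, "auto_update": True, "db_date": ago(1)},
     "password_min_length": 12, "auto_patch": True,
     "services": {"ssh", "https", "av-agent", "telnet"}, "last_scan": ago(10),
     "backup": {"last": ago(1), "offsite": True}},
    {"name": "fs-01", "role": "file-server", "address": "10.0.2.21",
     "antivirus": {"installed": False, "auto_update": False, "db_date": None},
     "password_min_length": 12, "auto_patch": True,
     "services": {"ssh", "smb", "av-agent", "backup-agent"}, "last_scan": ago(45),
     "backup": {"last": ago(3), "offsite": True}},
]

if __name__ == "__main__":
    for name, issues in evaluate_fleet(SAMPLE_HOSTS).items():
        print(name, "OK" if not issues else ", ".join(issues))
```

Each finding code corresponds to one checklist question, so the output doubles as the evidence list for the audit working papers; the thresholds belong in the organization's baseline document, not in the script.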
213
General idea of network security
Proactive endpoint security
•Define and deploy a baseline security policy
•Provides instant desktop firewall protection
•Blocks all unsolicited traffic to/from the PC
•Uses stealth technology to make PCs invisible to hackers
•Controls how, when, and which resources PCs can access on the network
•Enables very granular least-privilege access to network resources
•Safeguards PCs with intrusion prevention, with no rule writing
•Blocks traffic containing malicious code
•Stops execution of any malware it detects on the PC
Outbound threat protection
•Creates an inventory of applications that attempt network access
•Allows only the required applications network access
•Restricts network access by unrecognized programs
•Prevents malicious code from compromising enterprise data
•Protects approved programs against spoofing, tampering and hijacking
Host intrusion prevention
•Blocks buffer overflows and other attacks on PC applications and the OS
•Protects hosts against intrusion attempts and unauthorized access
•Screens all network traffic at the application layer for malicious code
•Requires little administrative effort to defend enterprise PCs
214
Vulnerability Assessment & Penetration Testing
Vulnerability assessment
•The overall network infrastructure is assessed to determine any exploitable vulnerability
•Sophisticated tools are used to identify any potential security weaknesses
•Devices assessed include firewalls, routers, servers, etc.
•Tests are performed to identify system weaknesses from both internal and external threats
•A comprehensive report is submitted with the vulnerabilities found and the corrective actions to be taken
•Should be performed at regular intervals or after any major changes
Penetration testing
•Attempts to scrutinize the true strength of an organization's security infrastructure against a real attack
•Assumes the role of a real intruder and attempts to breach the network in a controlled and safe way, without affecting your services
•Launches a series of attacks on the network using commonly used techniques
•Various commercial and open source "hacker" tools are employed during the tests
215
Environmental exposures and controls
Exposures
•Lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather
•Power failures: blackout, brownout, sags/spikes and surges; Electromagnetic Interference (EMI)
•Water damage/flooding
•Fire
•Dust, smoke and other particulate matter, including food
•Mice and other animals and insects
•Terrorism
Controls
•Alarm control panel
•Uninterruptible power supply/generator
•Fireproof walls, floors and cables
•Water and fire/smoke detectors
•Fire extinguishers (handheld or fixed equipment)
•Humidity/temperature control
•Monitoring cameras
217
Overview of Tasks for Domain 2
•2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT so that it supports the organization's strategies and objectives.
•2.2 Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
•2.3 Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
•2.4 Evaluate the organization's IT policies, standards and procedures and the processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
•2.5 Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
•2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
•2.7 Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
•2.8 Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
•2.9 Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.
218
Overview of skill and knowledge for Domain 2
•2.1 Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
•2.2 Knowledge of IT governance frameworks
•2.3 Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures
•2.4 Knowledge of quality management strategies and policies
•2.5 Knowledge of organizational structure, roles and responsibilities related to the use and management of IT
•2.6 Knowledge of generally accepted international IT standards and guidelines
•2.7 Knowledge of enterprise IT architecture and its implications for setting long-term strategic goals
•2.8 Knowledge of risk management methodologies and tools
•2.9 Knowledge of the use of control frameworks (e.g., COBIT, COSO and ISO/IEC 17799)
•2.10 Knowledge of the use of maturity and process improvement models (e.g., CMM and COBIT)
•2.11 Knowledge of contracting strategies, processes and contract management practices
•2.12 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards and key performance indicators)
•2.13 Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property and corporate governance requirements)
•2.14 Knowledge of IT human resources (personnel) management
•2.15 Knowledge of IT resource investment and allocation practices (e.g., portfolio management, return on investment)
219
IS Audit Small Quiz No.7
Domain 2 IT Governance
IT governance, Governance organization, Governance strategy and policy, Management of security, outsourcing and human resources.
Quiz book
220
IT control: ITCLC, ITGC and ITAC
ITCLC: IT Company Level Control, applied across the company
•IT governance/policy
•IT risk management
•Training
•Quality assurance
•IT internal audit
ITGC: IT general controls, applied to the IT infrastructure (network, server, PC …), development and operation
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls
ITAC: IT Application Control, applied to the application systems (accounting system, sales system, …) so that processing is complete and accurate
•Input data control
•Process control
•Output control
221
Framework of IS audit
Frameworks mapped against the control layers (ITCLC, ITGC, ITAC) and the activities (plan, strategy, …):
COBIT: Internal control and IT governance
ITIL v3 (ISO 20000): Service delivery and operation
Val IT: IT investment and governance
ISO 9000: Quality management
ISACA/CISA: IS audit
ISO 27000: Security
COSO: Internal control
222
Concept of IT Governance: Definition & Summary
Definition
•IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives. (CobiT 4.1)
•[IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise's information technology sustains and extends the organization's strategies and objectives. (IIA International Professional Practices Framework)
Summary
a) Leadership and Clear Business Ownership
b) Aligned Business-Relevant Measures
c) Complete and Accurate Inventories
d) Linking Technical and Business Risk
223
Concept of IT Governance:
a) Clear Business Ownership and Direction: Alignment of Business and IT Objectives (CobiT 4.1 'Framework')
Example: objectives of two different companies (category for objectives: Company A / Company B)
Enterprise strategy: Rapid global expansion / Expansion of proven models
Business goals for IT: Sacrifice standards for speed / Leverage IT standards
IT goals: Buy locally what works / Convert non-standard systems
Enterprise architecture for IT: Minimal / Central
IT scorecard: Number of branches supported / % standard
224
Concept of IT Governance: Enterprise Architecture for IT
As-Is Model → To-Be Model → Next Model
An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.
225
Concept of IT Governance: Balanced Scorecard
The core characteristic of the Balanced Scorecard and its derivatives is the presentation of a mixture of financial and non-financial as well as leading and lagging measures, each compared to a 'target' value, within a single concise report.
Example (an airline); columns: strategic target; measuring method; target; action plan; person in charge
Financial
•Improvement in profitability; net profit; 20% rise
•Expansion of the customer base; sales growth rate; 30% rise
•Fewer aircraft; lease cost; 20% down
Customer orientation
•Expansion of customer loyalty; repeat-customer ratio; 90% or more
•Expansion of customer loyalty; customer rate of increase; 30% rise
•Keeping the departure time; departures on time; 90% or more
•Keeping the departure time; average delay time; less than 10 minutes
Business process
•Keeping the schedule; flight cancellation ratio; 0%
•Keeping the schedule; number of customer complaint cases; zero cases/month
Learning & growth
•Improvement of training; training cost; 10% of sales
•Improvement of training; training time; 10% rise
226
Concept of IT Governance: Balanced Scorecard: example of objectives and metrics (a general balanced scorecard, not an IT-specific one)
Viewpoint; objective; example metrics
Financial
•Business/IT alignment; operational budget approval
•Value delivery; business unit performance
•Risk management; results of internal audits
Customer orientation
•Customer satisfaction; business unit survey ratings
•Competitive costs; attainment of unit cost targets
Business process
•Development process; function point measures
•Operational process; change management effectiveness
•Process maturity; maturity level of IT processes
•Enterprise architecture; state-of-the-infrastructure assessment
Learning & growth
•Human resource management; staff turnover
•Employee satisfaction; satisfaction survey scores
•Knowledge management; implementation of lessons learned
227
Concept of IT Governance:
b) Aligned Business-Relevant Measures
•Requires translation of traditional IT measures
•Performance against financial goals, either business or IT
•Operational efficiency
•Innovation
Example: changing the supply and inventory system (category for objectives: measurement)
Enterprise strategy: Leverage scale
Business goals for IT: Take a day out of inventory
IT goals: Share inventory, orders and safety stock information with suppliers
Enterprise architecture for IT: Use the existing EDI infrastructure for new EDI messages
IT scorecard: Cash flow; warehouses not built
228
Concept of IT Governance:
c) Complete and Accurate Inventories
•IT-dependent business processes
•Data repositories and information flows
•IT infrastructure
•IT resources and processes
Example: information flow of sales (category for objectives: information flows)
Enterprise strategy: Influence trade customers
Business goals for IT: "Right information, right place, right time" for sales
IT goals: Effectively combine product profitability, share and store data
Enterprise architecture for IT: Laptops in shopping carts; efficient (cheap) communications
IT scorecard: Solution cost efficiency; sales representative satisfaction
229
Concept of IT Governance:
d) Linking Technical and Business Risk
•Risk is one of the most important factors in business.
•Management needs to be able to compare IT risks with other risks.
•IT governance must do an effective job of translating technical risks into business risks.
IT risk: Business exposure
Incidents resulting from changes: Disruptions to critical business processes (e.g. order to cash)
Input or output errors: Compromised company reputation
Information security incidents: Reduced organizational capacity
230
IT Governance Focus Areas: (ITGI)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
231
IT Governance Focus Areas: (ITGI)
Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations
Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT
Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organization
Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
232
IT governance flow and cycle (CobiT)
Business Objectives → Governance Objectives
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Compliance, Reliability
IT resources: People, Application Systems, Technology, Facilities, Data
Domains and example processes:
Planning and Organization: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine the technological direction; PO4 Determine the IT processes; …
Acquisition and Implementation: AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Enable operation and use; AI5 Procure IT resources; AI6 Manage …
Delivery & Support: DS1 Define and manage service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; DS4 Ensure continuous service; DS5 Ensure systems security; DS6 Identify and allocate costs; …
Monitoring: M1 Monitor and evaluate IT performance; M2 Monitor and evaluate internal control; …
233
IT management hierarchy (CobiT)
Domain → Process → Activity
Domain: A natural grouping of processes, often matching an organizational domain of responsibility
Process: A series of joined activities with natural control breaks
Activity: Actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete
234
IT Governance: Types of Planning
Item: Strategic planning / Long-term planning / Operational planning
Time frame: 3 years + / 1-3 years / 1 year or less
Questions: What business are we in? Should we expand or contract? / What are the major business components? What do we concentrate on now? What products and services are planned? / What specific tasks must be done to meet the long-term plan?
Output: A general, broad statement of what business the company is in / Financial goals; market opportunities; management organization; next review period / Assumptions for the period; changes needing to be made; production times; responsibility; budget
235
Organization of steering committee
Board of Directors
CEO Office / Executive Chairperson
Departments: Marketing, Sales, Legal, R&D, IT, Admin., Production, Finance, QC, HR
IT Strategy/Steering Committee
IT Strategy Committee
•Advises the board and management on IT strategy
•Delegated by the board to provide input to the strategy and prepare its approval
•Focuses on current and future strategic IT issues
IT Steering Committee
•Decides the overall level of IT spending and how costs will be allocated
•Assists executives in the delivery of the IT strategy
•Oversees day-to-day management of IT service delivery and IT projects
•Focuses on implementation
236
General role of the IS auditor in IT governance
An auditor is well positioned to provide leading-practice recommendations to senior management to help the quality and effectiveness of the IT governance initiatives implemented.
As an entity that monitors compliance, audit helps ensure compliance with the IT governance initiatives implemented within an organization. The continual monitoring, analysis and evaluation of metrics associated with IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and the associated IT governance initiatives.
237
Issues and targets of IT governance (1)
Area; issue; description
Information security; information security
•Institute a process to integrate security with business processes
•Review and assist the security strategy and integration effort
•Ensure that business owners support integration
Risk management; risk management
•Establish risk tolerance
•Ensure regulatory compliance
•Ensure that roles and responsibilities include risk management in all activities
IT strategy; process improvement and assurance
•Provide oversight of all assurance functions and plans for improvement and integration
•Identify critical business processes and assurance
•Direct assurance integration efforts
IT strategy; IT investment and allocation
•Create a positive control environment by assuming responsibility for formulating, developing, documenting and controlling policies covering general goals and directives
IT strategy; enterprise architecture
•Provide oversight of all plans and assurance functions
238
Issues and targets of IT governance (2)
Area; issue; description
IT management practice; human resource management
•Provide oversight of the strategic plan for hiring and training
IT management practice; sourcing practice
•Provide oversight of the strategic plan for sourcing
•Ensure that the risks of outsourcing and the remaining accountability are addressed
IT management practice; change management
•Ensure the process and technology for change management
IT management practice; financial management
•Provide oversight of the financial plan for IT investment
•Ensure appropriate management of IT investment
IT management practice; quality management
•Provide oversight of quality control
•Ensure the status of QCM
IT management practice; IT organization
•Provide oversight of duties and responsibilities, including segregation
239
Thanks for joining the lecture!
Contact: Go Ota, e-mail [email protected]
Web: www.beyondbb.jp (Japanese)