Ch. 8

burpfancy, Electronics - Devices

8 Nov 2013



CH. 8 Controlling Info Sys: IT Processes

IT Resources
- Data
- Application systems
- Technology
- Facilities
- People

Control Environment, Pervasive, and Application Controls
- Preventive, detective, and corrective controls

A Typical Computer Configuration:
- a mainframe computer
- terminals and PCs through a LAN
- PCs located outside the HQ thru a WAN
- Linkage to the external environment

Goals:
- protect the computer and facilities from intentional or unintentional misuse, from within and outside the org. (refer to the 9 business exposures in ch 7, p. 7-5)
- contingency plan
- policies and procedures
- competent and honest people

IT Control Processes & Domains

Planning & Organization
1. Establish strategic vision
2. Develop tactics to realize strategic vision

Acquisition & Implementation
3. Identify automated solutions
4. Develop & acquire IT solutions
5. Integrate IT solutions into operations
6. Manage change to existing IT systems

Delivery & Support
7. Deliver required IT services
8. Ensure security & continuous service
9. Provide support services

Monitoring
10. Monitor operations

FOUR PERVASIVE CONTROL PLANS

1. PERSONNEL CONTROL PLANS: selecting, hiring, retaining, developing, and managing employees
- letters of recommendation
- creative and challenging work opportunities
- channels to mgmt-level positions
- regular training
- performance review
- rotation of duties
- forced vacation
- fidelity bond

2. ORGANIZATIONAL CONTROL PLANS
separate the incompatible functions, protect from erroneous record keeping by IA or UA, and help to ensure security of resources

Segregation of duties
- authorize transactions
- execute
- record
- safeguard resources

Two types of authorization

General authorization:
- relates to a whole class of transactions
e.g. Cash sales transactions

Specific authorization:
- applies only to a single, specific transaction.
e.g. A large amount of sales transactions to be paid by a check

Segregation of duties for the info sys functions
e.g. sys development, technical services, and operations
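As an added illustration (not part of the slides), the check below flags users whose combined role assignments give them two of the four incompatible duties named above (authorize, execute, record, safeguard) or two of the info sys functions that should be kept apart (sys development, technical services, operations). The role names, user names and role-to-duty mappings are constructed sample data.

```python
from itertools import combinations

# The four incompatible duties from the slide; any pair held by one
# person is a segregation-of-duties conflict.
DUTIES = ("authorize", "execute", "record", "safeguard")
# Info sys functions that the slide says should be segregated.
IS_FUNCTIONS = ("sys_development", "technical_services", "operations")

CONFLICT_PAIRS = {frozenset(p) for p in combinations(DUTIES, 2)}
CONFLICT_PAIRS |= {frozenset(p) for p in combinations(IS_FUNCTIONS, 2)}

# Constructed role definitions: role -> set of duties/functions granted.
ROLES = {
    "credit_manager": {"authorize"},
    "sales_clerk": {"execute"},
    "ar_bookkeeper": {"record"},
    "cashier": {"safeguard"},
    "developer": {"sys_development"},
    "sysadmin": {"technical_services"},
    "computer_operator": {"operations"},
}

# Constructed user-to-role assignments to review.
ASSIGNMENTS = {
    "alice": ["credit_manager"],
    "bob": ["sales_clerk", "ar_bookkeeper"],        # executes and records
    "carol": ["developer", "computer_operator"],    # develops and operates
    "dave": ["cashier"],
}


def duties_held(user_roles, roles=ROLES):
    """Union of everything the user's roles grant (unknown roles grant nothing)."""
    return set().union(*(roles.get(r, set()) for r in user_roles))


def sod_conflicts(assignments, roles=ROLES):
    """Return {user: sorted list of conflicting (duty, duty) pairs} for
    every user who holds at least one incompatible pair."""
    findings = {}
    for user, user_roles in assignments.items():
        held = duties_held(user_roles, roles)
        pairs = [tuple(sorted(c)) for c in CONFLICT_PAIRS if c <= held]
        if pairs:
            findings[user] = sorted(pairs)
    return findings


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: conflicting duties {pairs}")
```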



3. RESOURCE SECURITY CONTROL PLANS
protect business assets and computing resources

5 basic types of plans:
(1) restricting access to computing resources
(2) restricting access to business assets
(3) physical security: physical, mechanical and environmental risks and damages
(4) production backup and recovery
(5) disaster backup and recovery

(1) restricting access to computing resources
a. physical access: the use of locks, guards, badges, magnetic cards, etc.
b. access to programs, data and documents
- security module: access control s/w
  * password, security module log (audit trail)
  * auto-locking

(4) production backup and recovery
* The grandfather-father-son backup: retain previous versions of transaction files and master files

(5) disaster backup and recovery
- Hot site: a fully equipped data center.
- Cold site: a space with telephone and computer connections

4. POLICY/DOCUMENTATION CONTROL PLANS
- define a sys, acceptable procedures, and permit analysis of the sys
- protect from inefficient and ineffective operation of the sys

Standards manuals: specify normal, acceptable methods of operation for routine functions and tasks.

Application Documentation
- systems documentation: overall description
- program documentation: an application
- operations run manuals: detailed instructions
- user manuals: user procedures