Information Systems Security Review 2004
•Download as PPT, PDF•
0 likes•408 views
Maze & Associates Information Systems Review Process for financial audit IT control evaluation
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Information Systems Security Review 2004
Similar to Information Systems Security Review 2004 (20)
More from Donald E. Hester
More from Donald E. Hester (20)
Recently uploaded
Recently uploaded (20)
Information Systems Security Review 2004
- 1. Information Systems Security Review Donald E. Hester CISSP, CISA, MCT, MCSE, MCSA, MCDST, Security+, CTT+, HDM
- 2. “Reliability of internal controls and financial reporting depends directly on such technical controls as change management and monitoring for information, systems, programs, and operational configurations.” The Institute of Internal Auditors
- 3. ISR Scope Limited Scope Gain an understanding of the controls around the Financial System Not a risk assessment Benefits include Raise awareness about the importance of controls Highlight managements responsibilities Uncover material risks to financial data Helped improve overall security
- 4. ISR is based on Industry Standards ISO 17799 COBIT (IT Governance Institute) ISACA ITIL (ITPI) NIST Guidelines AICPA Webtrust & Systrust RFCs, SAS, FIPS, COSO, GAO, OMB, CC, OECD, IATF, ISO
- 5. ISR Basics Look at all of the controls of the computer systems where the financial data lives.
- 6. ISR Sections Management Compliance Personnel Business Continuity Physical Security Information Systems Security Application Security (Financial Application) Communications Security (Network & Internet)
- 7. Question Rating IT Governance Maturity Model (IT Governance Institute) 5 – Optimized, continues improvement 4 – Managed and measurable, automated 3 – Defined and documented 2 – Repeatable but intuitive 1 – Ad Hoc, The organization recognizes issues exist and needs to be addressed 0 – There is a complete lack of any recognizable IT Governance process.
- 8. Rating Example: Anti-Virus Software 5 – Optimized, continuous improvement of process and learning from incidents 4 – Automated Anti-Virus deployment, effectiveness is monitored, updated as needed 3 – Documented policy/procedures for Anti- Virus, baseline is set 2 – Anti-virus is installed, there is a global understanding of the need (They do it but it is not documented) 1 – In the process or partial process of implementing Anti-Virus 0 – Don’t know they need Anti-Virus
- 9. Two Levels of Recommendations Management Letter Issues These are weaknesses in internal controls that may be a risk for financial misstatement Given to the Board, City Council or appropriate party Accounting Issues Memo These internal control issues are not high risks for financial misstatement but are industry standards and best practices that are absent Given to the Finance Department Value Added
- 10. Remediation What should you do with the recommendations? Implement the appropriate controls Implement the recommended controls Develop other compensating controls If you do not take action Management should document that the risk is at an acceptable level
- 11. Questions? Call Donald E. Hester at (925) 930-0902 Or email at DonaldH@MazeAssociates.com
Editor's Notes
- Limited Scope Not a full risk assessment – beyond what we can provide Review not an Audit Based on information provided by client - truthfulness Benefits include Gaining better understanding of FS environment – SAS 94 Raise awareness about controls – many clients don’t have a clue what they should be doing Highlight managements responsibilities – management does not know they must be leaders in this area Uncover major risks to Financial data – Big problems, hacking, water dripping on server rack Raise awareness about regulatory requirements – Online bill pay Helped clients improve security – many have implemented our recommendations Dispel client myth that everything is public knowledge – there is still confidential information and they tend to forget integrity is a part of security "Not to know yet to think that one knows will lead to difficulty." Lao-Tzu (6th century B.C.); Legendary Chinese philosopher
- IATF - Information Assurance Technical Framework (IATF) COBIT – Control Objectives for Information and related Technology (IT Governance Institute) ITIL – Information Technology Infrastructure Library (www.itpi.org) (IT Process Institute) NIST – National Institute of Standards and Technology
- We have to look at the entire environment We have to look at compensating controls Each system is unique Each system is dynamic Because each environment is unique, dynamic, and interconnected the risks are also unique, dynamic and interconnected.
- IT Governance Maturity Model (IT Governance Institute) Taken From COBIT which is based on CMM (CMM provides a framework for organizing and assessing the maturity level of IT processes for software development and maintenance.) CMM was developed by the Software Engineering Institute (SEI) in Dec 1984 http://www.sei.cmu.edu/cmm/ In 2000, the SW-CMM was upgraded to CMMI http://www.sei.cmu.edu/cmmi/general/ The SEI continues to advocate the adoption of CMMI models as the best process improvement models available for product and service development and maintenance. These models build on and extend the best practices of the Capability Maturity Model for Software (SW-CMM®), the Systems Engineering Capability Model (SECM), and the Integrated Product Development Capability Maturity Model (IPD-CMM). IT Governance Maturity Model (IT Governance Institute)
- Example: Security Policy Documented Published, Communicated Employee Training – understand, know what is expected and where to find answers Life Cycle Management – updated as needed, reviewed regularly, ownership, audit, change control Part of the organizations culture, senior management support
- Recommendations from our Information Systems Review are based on best practices and industry standards. This report covers common controls for information systems and is divided into seven sections or areas of control. Based on our review, notable points or internal control weaknesses are documented under each section. Recommendations are simple statements that a industry standard control is not in place To determine whether the current control environment is effective requires a risk analysis Should mitigate risk to an acceptable level, management should determine that level and be held accountable for maintaining that level
- First you will need to find them. Generally they are first given to the Finance Director – you may need to ask that person if they don’t come to you Implement the appropriate controls If you intend to accept the risk then you should document the risk and that you accept the current level By document we mean: Risk: Virus infestation to the computer systems or network Control: Anti-Virus software, updated daily Or Risk: Virus infestation to the computer systems or network Control: The risk of infection by virus in minimal given we run terminals and not computers traditionally prone to viruses, management has determined the cost of anti-virus software outweighs the risks and accepts the current risk levels