Part III Sec C
Information Technology and Security
Intro:
Systems security - ITGC and app ctrl
computer-related fraud
info tech - relevance, reliability, timeliness,
appropriate level of detail
info risks
Risks specific to IT environment
Challenges of IT auditing
Role of CAE
Ethics in IT
Critical IT processes (IT audit focus)
i) Purpose and Use of
Various Info Security Controls
IT General Control (ITGCs)
apply to all system components, processes and data in the org
Types:
Logical access controls
Physical security controls
IT operational controls
Systems development life cycle controls
Program change mgt controls
system data backup and recovery ctrl
IT Operational Controls
planning ctrl, data and program security,
insurance & continuity planning,
external service providers
Info Protection
Element of info security:
Confidentiality
Integrity
Availability
Aspects of info security:
Data security
only authorized users can access a system
Security infrastructure (security software)
resides at the server, client/ mainframe lv and
provides enhanced security for key applications
Internal audit and
vulnerability mgt
IA:
assessment of info vulnerability
(preventive, detective and mitigating measures against past attacks)
recommend for improvement
comm to the board
Indicator of poor vulnerability mgt
Improve mgt of vulnerability
Examples of various
info security controls
that can be used to
manage IT vulnerabilities
Encryption
uses a mathematical algorithm to scramble data
-> cannot be unscrambled without a numeric key code
Private key encryption (symmetric)
Public key encryption (asymmetric)
IA
-> Evaluating encryption
-> Testing policies
Firewalls
hardware/software - block unauthorized users
reduce vulnerability to external attacks
provide a means of monitoring
provide encryption internally
Packet filtering
(enhanced by stateful inspection &
network address translation (NAT))
Gateways
Intrusion Detection/ Prevention systems
IA
-> determine if firewalls can be bypassed/ overridden
Malware (ctrl for Malicious software)
gain access to a computer system
without the owner’s permission
Virware
Virus - execution of some actions
Worms - self-replicating malware -
disrupt networks/ computers
Ransomware - withholds the user's decryption key and
demands payment for it
Trojan Horse (social engineering)
through emails, msgs, phone contacts
-> install more harmful software
e.g. Trojan-clickers, banker programs, backdoors,
root kits, Trojan-proxies, Piggyback, Logic bombs
Other
e.g. botnets, Spamtools,
adware, spyware
Other external threats
e.g. Hacker, cracker, industrial espionage,
cyberterrorism, phishing or spoofing,
identity thefts, wardriving
Internal threats: illegal program alterations
e.g. asynchronous attacks, data diddling,
data hiding, backdoors/ trapdoors,
"rounding down" & "salami tech"
Server/mainframe malware
e.g. real hackers, script kiddies
Protecting Systems from Malicious Software and Computer Crime
Bugs - create vulnerability -> affect overall system perf
Use of homogeneous operating systems -> wide-scale exploitation of bugs
install update promptly,
running system without admin privileges
antivirus software
self-protection (e.g. VISA CISP, user identification & authentication,
assessing authentication mechanisms, user pw training)
Operational controls
involves:
ensure adequate audit trails exist
review exception reports and transaction logs
minimise the number of users with admin privileges
use software tools/ direct observation to monitor the
activities of users with admin privileges
set policy guidelines
segregation of duties: custody of assets, access to records, authorisation
(e.g. audit trails, preventive maintenance)
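The audit-trail review, admin-privilege cap and segregation-of-duties checks listed above, as an added Python example that is not part of the original notes; the users, duties, policy cap and log lines are all constructed for illustration:

```python
# Added example, not from the original notes: a small audit-trail review that
# tests three operational controls above (segregation of duties, a cap on
# admin-privileged users, transaction/exception log review). All users, roles
# and log lines are constructed.
INCOMPATIBLE_DUTIES = [("custody", "authorise"), ("custody", "records"),
                       ("records", "authorise")]

# Constructed role matrix: user -> set of duties/privileges held.
ROLE_ASSIGNMENTS = {
    "alice": {"custody", "authorise"},
    "bob": {"records"},
    "carol": {"authorise", "admin"},
    "dave": {"admin"},
    "erin": {"records", "custody", "admin"},
}

# Constructed transaction log: timestamp user action amount approver.
TRANSACTION_LOG = [
    "2024-03-01T09:00 alice PAYMENT 1200.00 approver=alice",
    "2024-03-01T09:05 bob PAYMENT 300.00 approver=carol",
    "2024-03-01T09:10 dave PAYMENT 50.00 approver=carol",
    "2024-03-01T23:40 erin PRIV_CHANGE 0.00 approver=none",
]

def sod_conflicts(assignments):
    """Return {user: [duty pairs]} for users holding incompatible duties."""
    found = {}
    for user, duties in assignments.items():
        pairs = [p for p in INCOMPATIBLE_DUTIES if set(p) <= duties]
        if pairs:
            found[user] = pairs
    return found

def admin_users(assignments, max_admins=2):
    """Return (sorted admin users, True if the policy cap is exceeded)."""
    admins = sorted(u for u, d in assignments.items() if "admin" in d)
    return admins, len(admins) > max_admins

def log_exceptions(lines, start_hour=8, end_hour=18):
    """Flag self-approved transactions and out-of-hours privilege changes."""
    flagged = []
    for line in lines:
        ts, user, action, _amount, approver = line.split()
        hour = int(ts[11:13])  # hour field of the ISO timestamp
        if approver == f"approver={user}":
            flagged.append((user, "self-approval"))
        if action == "PRIV_CHANGE" and not start_hour <= hour < end_hour:
            flagged.append((user, "privilege change outside business hours"))
    return flagged
```

Each function returns the exceptions an auditor would follow up rather than printing them, so the same checks can be run over a real role export and log extract.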
operational data security controls
Standards (systems development processes, software configuration, app ctrl, data structure, documentation)
end-user training
physical and logical access ctrl
-> computer program library
maintain the integrity of
info assets, processing, mitigate,
remediate vulnerabilities
mgt: responsible for
info protection
including planning controls, data and program security, insurance & continuity planning,
external service providers