Part III Sec C3, vii) The Purpose and Applications of IT Controls and IT Control Frameworks
a) IT Controls
Goals:
Compliance with applicable regulations and legislation
Consistency with the enterprise’s business objectives
Continuity with management's governance policies and risk appetite
Control Objectives:
Protecting assets/resources/owners’ equity
Protecting customer privacy and identity
Providing support and evidence of employee job performance
Providing an audit trail for all automated and user-initiated transactions
Ensuring that info is available, reliable, and appropriately restricted
Holding users accountable for functions performed
Maintaining data and system authenticity and integrity
Assuring management that automated processes are controlled
Control Classification:
Governance controls - Policies
-> provide oversight
Management controls - Standards, organization and management, physical and environmental controls
-> identify, prioritize, and mitigate risks to the organization, its processes and operations, its assets, and its sensitive data
Technical controls - Systems software, development controls, application-based controls
-> specific controls that must be in place for management and governance controls to be effective
Automated technical controls implement and demonstrate compliance with policies
Other classifications: general controls vs. application controls; preventive, detective, and corrective controls
b) Control Frameworks
Selecting an IT Control Framework
COSO Internal Control
-> five components: control environment, risk assessment, control activities, information and communication, monitoring
COBIT 5
7 enablers
Principles, policies and framework
Processes
Org structures
Culture, ethics, and behavior
Info
Services, infrastructure, and applications
People, skills, and competencies
5 Principles
Meeting stakeholders' needs
Covering the enterprise end-to-end
Applying a single integrated framework
Enabling a holistic approach
Separating governance from management
Electronic Systems Assurance and Control (eSAC)
-> allows auditors to express opinions on the reliability of information created by IT
The center of the model is COSO's broad control objectives, followed by the IT business assurance objectives:
Availability
Capability
Functionality
Protectability
Accountability
ISO/IEC 38500
-> provides guiding principles to ensure that an organization's use of IT is acceptable, effective, and efficient
ISO 27000 Series - information security management systems (ISMS)
-> ensures that sensitive organizational information remains secure
IT Infrastructure Library (ITIL)
-> management of IT as a portfolio of outsourced services, using service level agreements (SLAs) and ongoing processes
c) IIA Practice Guides
Describe organizational roles and structure and how the IT controls fit within the overall control framework
Documents cover specifics such as change and patch management controls
Help management understand its role and its place in organizational strategy
Are not control frameworks themselves, but help in selecting the proper framework for an organization