IT APPLICATIONS Professional Stage Application Level, ICAB Teacher: Mohammad Abdul Matin Chapter 5 Controls and Standards

ICAB - ITA Chapter 5 class 9-10 - Controls and Standards


DESCRIPTION

ICAB Professional Stage - Application Level - IT Application Class Slides


Page 1: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

IT APPLICATIONS
Professional Stage Application Level, ICAB
Teacher: Mohammad Abdul Matin

Chapter 5
Controls and Standards

Page 2: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Chapter Outline
• Information System Security Controls
• Physical Security Controls
• Logical Security Controls
• Control and Standard for Information Integrity
• Control and Standard for Information Access Control
• Control and Standard for Computer Audit
• Control and Standard for System Implementation Phase
• Control and Standard for System Maint. and Evaluation
• Risks of IT Systems
• Controls for Personal Systems

Page 3: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Syllabus

In the examination, candidates may be required to

a. explain the controls and standards which are applied during the system implementation phases of installation, testing, training, documentation, file conversion and changeover, and post-implementation review

b. explain the controls and standards which are applied to system maintenance and evaluation (system maintenance, evaluation, computer based monitoring, system performance)

c. describe the controls that are applied to personal systems to ensure processing integrity, security and safeguarding of IT resources, and availability/continuity provisions (backup and recovery) for IT resources

Page 4: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Systems’ Purpose & Components
• Capital management
• Foundation of doing business
• Productivity
• Strategic opportunity and advantage

Page 5: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Typical Enterprise System

Page 6: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Control & Standards for System Implementation Phases
• System Installation
• System Testing
• Documentation
• Training
• Conversion & Change Over

Page 7: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Control in ERP Implementation

[Figure: ERP implementation timeline, March to June (weeks W1 to W16)]
Phases: Phase 1: Project Preparation; Phase 2: Business Blueprint; Phase 3: Realization; Phase 4: Final Preparation; Phase 5: Go Live & Support
Activities shown: Project Kickoff, Overview Training, Understand As-Is, Develop To-Be, Configure System, System Tests, Training Materials, Training & Practice, Cutover, Go Live, User Support, Project Close

Page 8: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

System Selection

Page 9: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Implementation Readiness

Business Readiness:
– business PROCESSES are seen through and documented
– competent PEOPLE are in right places
– process CHAMPIONS are identified

Technology Readiness:
– robust IT INFRASTRUCTURE is in place
– right HARDWARE is selected, ordered and delivered
– right SOFTWARE is selected and licenses are ordered
– competent SYSTEM INTEGRATOR is selected and engaged

An agreed PROJECT PLAN is finalized

Page 10: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Planning (High Level)

Broad Activities (timeline columns: Sep, Oct, Nov, Dec, Jan, Feb, Apr, Jun, Jul)

BUSINESS READINESS

TECHNOLOGY READINESS:

- Infra. & ERP resources recruitment

- Secured Data Center preparation

- Project Office & Training Facility set up

- Network Review & Redundancy set up

- ERP solution finalization

- Hardware sizing, ordering & delivery

- System Integrator selection

- Scope of Work finalization

- Project Plan finalization

PROJECT KICK OFF (Start)

ERP IMPLEMENTATION (As per Project Plan)

GO LIVE 1st August 2012

1st February 2012

Page 11: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Project Team

Page 12: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

System Development Lifecycle

[Figure: system development lifecycle diagram]
Lifecycle phases: System Initiation, Requirement Analysis, System Design, System Construction, System Acceptance, System Implementation
System Implementation steps: Prepare for System Implementation, Deploy System, Transition to Performing Organization
Other labels: System Preparation, Transition

Page 13: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Control & Standards for System Implementation Phases (cont.)

System Installation
– Implementation plan, milestones, stakeholder engagement, communication, approval, issue handling and back out plan

System Testing
– Scheduled, planned testing with defined criteria, scope, expectation, scenarios and records
– User Acceptance Testing (UAT)

Documentation
– System / Process Description
– System Documentation
– System File Layout / Architecture Documentation

Page 14: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Control & Standards for System Implementation Phases (cont.)

Training
– Administration / MDM training
– User Training
– TOT Approach

File Conversion and Change-over
– New System Implementation
  • Data preparation, go-live
– Manual System to Automation
  • Data preparation, parallel run, cut-over
– Old System to New System
  • Data conversion & transfer, cut-over

Page 15: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Risks in Implementation

Page 16: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Expectation & Experience Curve

Page 17: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Risks to IT Systems

Computer Viruses
– Protection and Updating
– Checking and Cleaning
– Awareness of Risks (Internet, removable disks)
– Recovery from Losses

Computer Hackers (Intrusion)
– Implement Firewall
– Develop and Apply Policy
– Antivirus, Antispyware and Intrusion Prevention Software
– Address vulnerabilities
– Conduct Tests

Page 18: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Controls for Personal Systems

Sensitivity of information is much higher than in any other system in an organization
– HRIS
– Personal information
– Salary information

Needs to be protected from both external and internal users

Sometimes HRIS and Payroll need to be separated at Admin levels

Page 19: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Controls for Personal Systems (cont.)

General Controls
– Access, data, program, physical security
– Software development and change control
– Data center operation
– Disaster recovery

Application Controls
– Input controls
– Authorization
– Validation
– Error notification and correction
– Processing controls
– Output controls

Page 20: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Questions

How can the security requirements be implemented in developing a new accounting system?

Page 21: ICAB - ITA Chapter 5 class 9-10 - Controls and Standards

Thank You