Information Security Assurance
Uploaded by darshan-kumar
Internal Control and IS Audit
Control
• "Any input given to a dynamic system to produce a desired output."
• Here the words dynamic and desired output are very important.
• Input → Dynamic System → Desired output
Control
• Dynamism of the system and control requirement
– Static system – control is not required
– More dynamism – the greater will be the control requirement of the system
– Computer system – control is not required if it is not being used for any application or is switched off
– As complexity increases, its control requirement will also rise. This implies that:
• Lesser control is required for a stand-alone system
• Greater control is required for one which is connected to a network or the Internet
Control
• Knowledge of the dynamism of the system makes control effective
– The predictability of the complexity of a disease has helped in the development of vaccines to prevent and cure it
– Similarly, in a computer system, control measures would operate effectively if the dynamism and complexity were known.
Control
• The input should be directed towards achieving the desired output
– If the inputs are not focused and directed towards specific outputs, then the control mechanism will not be successful.
– There is no thumb rule.
– Each input or control measure should be directed towards achieving a specific output.
Control
• The output should be evaluated for giving further appropriate input to the system
– Example: Automobile driving system
– This example shows how input can be effectively altered on the basis of evaluation of actual performance to achieve the desired output.
– The same is true for a complex computer system.
– Example: Antivirus software is deployed
• It acts as a detective or preventive, and sometimes a corrective, control
• The output can be observed by regular scanning
• When the output is not at the desired level – the system is infected with some viruses
• Based on this evaluation, patches can be loaded or new anti-virus software deployed
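The feedback loop described on these slides (observe the output, compare it with the desired output, feed an adjusted input back into the system, repeat) can be made concrete in code. The following Python model is an added example and not part of the slides: the Host state, the scan findings and the effect of each remediation are constructed stand-ins for an anti-virus scan, a signature update and patching. It also covers the static-system case from the earlier slide: a host whose scan is already clean needs no control input at all.

```python
"""Control as a feedback loop: scan (observe), evaluate against the desired
output, choose the next input, apply it, and observe again.

Added example, not from the slides. All host state, scan findings and the
effect of each action are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    # Constructed state: the malware families a scan would currently report
    infections: set = field(default_factory=set)
    signature_version: int = 1
    patched: bool = False


def scan(host):
    """Detective step: the regular scan that produces the observable output."""
    return tuple(sorted(host.infections))


def evaluate(observed, desired_max=0):
    """Compare observed output with the desired output (no infections)."""
    return len(observed) <= desired_max


def choose_input(host, observed):
    """Pick the next input from the evaluation, cheapest remedy first."""
    if not observed:
        return None                      # static / clean system: no control needed
    if not host.patched:
        return "patch"                   # close the flaw the infection exploited
    if host.signature_version < 2:
        return "update_signatures"       # deploy newer anti-virus definitions
    return "rebuild"                     # last resort: re-image the host


def apply_input(host, action):
    """Corrective step and its (constructed) effect on the system."""
    if action == "patch":
        host.patched = True
        host.infections.discard("worm")     # assumption: worm needed the unpatched flaw
    elif action == "update_signatures":
        host.signature_version = 2
        host.infections.discard("trojan")   # assumption: new signatures catch the trojan
    elif action == "rebuild":
        host.infections.clear()


def run_control_loop(host, max_rounds=5):
    """Iterate observe -> evaluate -> adjust until the desired output is reached.

    Returns (history, reached): history is a list of (observed, action) pairs,
    one per round in which an input had to be applied.
    """
    history = []
    for _ in range(max_rounds):
        observed = scan(host)
        if evaluate(observed):
            return history, True
        action = choose_input(host, observed)
        history.append((observed, action))
        apply_input(host, action)
    return history, evaluate(scan(host))


if __name__ == "__main__":
    infected = Host({"worm", "trojan", "rootkit"})   # constructed scan result
    print(run_control_loop(infected))
    print(run_control_loop(Host()))                   # clean host: no rounds needed
```

Each round's action is chosen from what the scan actually reports, which is the point of the slide: the evaluation of the current output, not a fixed schedule, decides the next input. The `max_rounds` cap is the practical check that a loop which never converges is itself reported rather than run forever.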
Internal Control
• Basic purpose:
– Business objectives are achieved
– Undesired risk events are prevented, or detected and corrected
• How this can be achieved:
– By designing an effective internal control framework, which comprises
• Policies, procedures, practices, and an organizational structure that give reasonable assurance that the business objectives will be achieved
• Discrete activities and supporting processes
• Either manual or automated
Internal Control
• Manual or automated process
• The implementation of internal control differs in the two, but the essence remains the same
• It is not solely a procedure or policy performed at a certain point in time
• Rather, it is an ongoing activity, based on
– Risk assessment of the organization
• The role of the auditor is very important in evaluating the strength of the control
Internal Control
• Elements of Control – Nature of controls
• Preventive or Detective
• Manual or Programmed
– Preventive Control
• Those inputs designed to protect the organization from unlawful activities
• The broad characteristics of preventive controls are:
– A clear-cut understanding of the vulnerabilities of the asset
– Understanding the probable threats
– Provision of the necessary controls to keep probable threats from materializing
Internal Control
• Some examples of preventive controls, and how the same control is implemented in different environments:
– Employ qualified personnel
– Access control
– Vaccination against diseases
– Prescribing an appropriate book for a course
– Authorization of transactions
– Firewalls
– Anti-virus software
– Passwords
Internal Controls
• Purpose: Restrict unauthorized entry into the premises
– Manual control: Build a gate and post a security guard
– Computerized control: Use access control software, smart card, biometrics
• Purpose: Restrict unauthorized entry into a software application
– Manual control: Keep the computer in a secured location and allow only authorized persons to use the applications
– Computerized control: Use access control, viz. user ID, password, smart card
Detective Control
• Detect and report the occurrence of an error, omission, or malicious act in the IS
• Main characteristics are as follows:
– A clear understanding of lawful activities, so that anything which deviates from these is reported as unlawful, malicious, etc.
– An established mechanism to refer the reported unlawful activities to the appropriate person or group
– Interaction with preventive control to prevent such acts from occurring
Detective Control
• Examples of Detective Controls
– Surprise checks by a supervisor
– Check points in production jobs
– Error messages over tape labels
– Duplicate checking of calculations
– Periodic performance reporting with variances
– Past-due accounts report
– The internal audit function
– Intrusion detection system
– Cash counts and bank reconciliation
– Monitoring expenditure against the budgeted amount
Corrective Controls
• Are very important
• Prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place.
• Main characteristics are:
– Minimize the impact of the threat
– Identify the cause of the problem
– Remedy problems discovered by detective controls
– Get feedback from detective and preventive controls
– Modify the processing system to minimize future occurrence of the problem
Compensatory Control
• The cost of the lock should not be more than the cost of the asset it protects.
Corrective Control
• Examples of Corrective Controls
– Contingency planning
– Backup procedures
– Treatment procedures for a disease
– Change an input value to an application system
– Investigate budget variances and report violations
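The three control types from the preceding slides (preventive: user ID and password, authorization of transactions; detective: a clear understanding of lawful activities and a mechanism to refer deviations to the right person; corrective: remedy the problem and feed back into prevention) are shown together below over one constructed stream of application events. This is an added example, not from the slides: the user names, roles, lawful-action sets, the approval limit and the owner names are all constructed assumptions, and the credential store is a simplified stand-in for a real one.

```python
"""Preventive, detective and corrective controls over an application event stream.

Added example, not from the slides. Users, roles, lawful actions, the approval
limit, owner names and the event stream are all constructed for illustration.
"""
import hashlib
import hmac

# Constructed credential store: user -> sha256 of password (a real store would
# use a slow, salted password hash; plain sha256 is only for the illustration).
_USERS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
    "bob": hashlib.sha256(b"open sesame").hexdigest(),
}
_ROLES = {"alice": "clerk", "bob": "approver"}

# Detective controls need a clear understanding of lawful activities:
# anything outside these sets is reported as a deviation.
LAWFUL_ACTIONS = {
    "clerk": {"enter_invoice", "view_invoice"},
    "approver": {"view_invoice", "approve_invoice"},
}
APPROVAL_LIMIT = 10_000  # constructed authorization threshold per approval
# The established referral mechanism: deviation type -> responsible owner (constructed)
REFERRAL = {"unauthorized_action": "security_owner", "limit_exceeded": "finance_owner"}


def preventive_login(user, password, denylist):
    """Preventive control: user ID + password, plus feedback from the corrective control."""
    if user in denylist or user not in _USERS:
        return False
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(supplied, _USERS[user])


def detective_check(user, action, amount):
    """Detective control: report anything that deviates from lawful activity."""
    role = _ROLES.get(user)
    if action not in LAWFUL_ACTIONS.get(role, set()):
        return {"type": "unauthorized_action", "user": user, "action": action}
    if action == "approve_invoice" and amount > APPROVAL_LIMIT:
        return {"type": "limit_exceeded", "user": user, "amount": amount}
    return None


def corrective_action(deviation, denylist):
    """Corrective control: remedy the problem and feed back to prevention."""
    if deviation["type"] == "unauthorized_action":
        denylist.add(deviation["user"])      # feedback: the preventive control now blocks this user
        return "session_revoked_and_user_suspended"
    if deviation["type"] == "limit_exceeded":
        return "transaction_reversed_for_review"
    return "no_action"


def process_events(events):
    """Run all three control types over an event stream and return a report."""
    denylist = set()
    sessions = set()
    report = {"admitted": [], "denied": [], "deviations": [], "corrections": []}
    for ev in events:
        if ev["kind"] == "login":
            if preventive_login(ev["user"], ev["password"], denylist):
                sessions.add(ev["user"])
                report["admitted"].append(ev["user"])
            else:
                report["denied"].append(ev["user"])
            continue
        if ev["user"] not in sessions:           # no session: preventive control blocks the action
            report["denied"].append(ev["user"])
            continue
        deviation = detective_check(ev["user"], ev["action"], ev.get("amount", 0))
        if deviation is None:
            continue
        deviation["referred_to"] = REFERRAL[deviation["type"]]   # refer to the appropriate owner
        report["deviations"].append(deviation)
        fix = corrective_action(deviation, denylist)
        if fix == "session_revoked_and_user_suspended":
            sessions.discard(ev["user"])
        report["corrections"].append(fix)
    return report


# Constructed event stream (not real log data)
SAMPLE_EVENTS = [
    {"kind": "login", "user": "alice", "password": "correct horse"},
    {"kind": "action", "user": "alice", "action": "enter_invoice", "amount": 500},
    {"kind": "action", "user": "alice", "action": "approve_invoice", "amount": 500},
    {"kind": "login", "user": "mallory", "password": "guess"},
    {"kind": "login", "user": "bob", "password": "open sesame"},
    {"kind": "action", "user": "bob", "action": "approve_invoice", "amount": 50_000},
    {"kind": "login", "user": "alice", "password": "correct horse"},
]

if __name__ == "__main__":
    print(process_events(SAMPLE_EVENTS))
```

The last event is the interaction the slides ask for: alice's second login is rejected not because her password changed but because the corrective control fed her suspension back into the preventive one. The detective control itself never blocks anything; it only classifies against the lawful-activity sets and refers the result to a named owner, which is what makes it auditable.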
CISCO Security – Monitoring Analysis & Response System