Note Reporting in Ais 313
Virtualization hypervisor – a piece of computer software, firmware or hardware that creates and runs a
virtual machine environment; the computer on which the hypervisor runs is normally called the host.
Example: Oracle VM VirtualBox, the world's most popular open source, cross-platform virtualization
software, enables developers to deliver code faster by running multiple operating systems on a single
device. IT teams and solution providers use VirtualBox to reduce operational costs and shorten the time
needed to securely deploy applications on-premises and to the cloud.
Guest machine – virtual environment elements such as the OS, switches, routers and firewalls (residing on
the computer on which the hypervisor has been installed), which serves as a barrier so that policies that
are not regulated on one device do not overlap with or get into another device.
Example: malware logging password entry. Antivirus software may not detect this, because the malware
runs below the entire OS.
This can lead to unauthorized access to resources, or to one guest OS injecting malware or placing
malware code into another guest's memory.
This functionality can inadvertently provide an attack vector for malware or allow an attacker to
gain access to particular resources.
These snapshots pose a greater risk than images because snapshots contain the contents of
random access memory (RAM) at the time that the snapshot was taken, and this might include
sensitive information that was not stored on the drive itself.
Therefore, anyone who can launch an application on the host OS can run the hypervisor. The
only access control is whether someone can log into the host OS.
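The snapshot risk above can be checked rather than just stated. The following added example (not part of these notes) scans a constructed guest disk image and a constructed RAM snapshot for a password string and a Luhn-valid card number, showing that the secrets live only in the snapshot; the byte strings and patterns are constructed for illustration.

```python
import re

# Constructed stand-ins: the disk image holds only a vault reference,
# while the RAM snapshot holds what was in memory at snapshot time.
DISK_IMAGE = (
    b"\x00" * 16 + b"[database]\nhost=db.internal\nuser=app\n"
    b"password=${VAULT_REF}\n" + b"\x00" * 16
)
RAM_SNAPSHOT = (
    b"\x00" * 8 + b"password=S3cret!Pass\x00" + b"\x00" * 8
    + b"card=4111111111111111\x00" + b"session=abc\x00"
)

# Patterns an auditor might use; a real scan would carry many more.
PATTERNS = {
    "password": re.compile(rb"password=([^\x00\s$]{6,})"),
    "card_number": re.compile(rb"\b(\d{13,19})\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check so that random digit runs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(blob: bytes) -> list:
    """Return (kind, offset, redacted value) for every sensitive hit."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(blob):
            value = m.group(1).decode("ascii", "replace")
            if kind == "card_number" and not luhn_ok(value):
                continue
            # Report only a prefix so the audit log does not itself leak the secret.
            findings.append((kind, m.start(), value[:4] + "..."))
    return findings

if __name__ == "__main__":
    print("disk image :", scan(DISK_IMAGE))      # nothing found
    print("RAM snapshot:", scan(RAM_SNAPSHOT))    # password and card hits
```

The disk image yields no findings because the password is only a vault reference there, while the snapshot exposes both the password and the card number, which is why snapshot files need at least the protection given to disk images.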
Business-to-employee relationship – the way an employer (either an individual or an entity) and
employees view and treat one another in a work setting.
Business-to-government relationship – the government most often directly influences organizations by
establishing regulations, laws and rules that dictate what organizations can and cannot do.
• Confidentiality—Potential consumers are concerned about providing unknown vendors with personal
(sometimes sensitive) information for a number of reasons including the possible theft of credit card
information from the vendor following a purchase.
• Availability—The Internet holds out the promise of doing business on a 24-hour, seven-day-a-week
basis. Hence, high availability is important, with any system's failure becoming immediately apparent to
customers or business partners.
• Power shift to customers—The Internet gives consumers unparalleled access to market information
and generally makes it easier to shift between suppliers. Firms participating in e-business need to make
their offerings attractive and seamless in terms of service delivery. This will involve not only system
design, but also reengineering of business processes. Back-end support processes need to be as efficient
as possible because, in many cases, doing business over the Internet forces down prices (e.g., online
share brokering). To avoid losing their competitive advantage of doing business online, firms need to
enhance their services, differentiate themselves from the competition and build additional value. Hence the drive
to personalize web sites by targeting content based on analyzed customer behavior and allowing direct
contact with staff through instant messaging technology and other means.
EDI
Communications software moves data from one point to another, flags the start and end of an EDI
transmission and determines how acknowledgments are transmitted and reconciled. Translation
software helps build a map and shows how the data fields from the application correspond to elements
of an EDI standard. Later, it uses this map to convert data back and forth between the application and
EDI formats.
In reviewing EDI, IS auditors need to be aware of the two approaches related to EDI: the traditional
proprietary version of EDI used by large companies and government parties, and the development of
EDI through the publicly available commercial infrastructure offered through the Internet.
• EDI translator—This device translates the data between the standard format (ANSI X12) and a trading
partner’s proprietary format.
• Application interface—This interface moves electronic transactions to or from the application systems
and performs data mapping. Data mapping is the process by which data are extracted from the EDI
translation process and integrated with the data or processes of the receiving company.
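To make the map described under translation software and data mapping concrete, here is an added example (not from these notes or any EDI product): a toy translator whose field map ties positions in X12-style segments to application fields and converts in both directions. The segment layout, the map, the fixed qualifier values and the sample order are all constructed for illustration.

```python
# (segment tag, element position) -> application field name
FIELD_MAP = {
    ("BEG", 3): "order_number",
    ("BEG", 5): "order_date",
    ("N1", 2): "buyer_name",
    ("PO1", 2): "quantity",
    ("PO1", 4): "unit_price",
}
# Qualifier elements the standard requires but the application never stores.
FIXED_ELEMENTS = {
    ("BEG", 1): "00", ("BEG", 2): "SA", ("N1", 1): "BY", ("PO1", 3): "EA",
}
SEGMENT_LENGTHS = {"BEG": 5, "N1": 2, "PO1": 4}  # elements per segment

def parse_segments(edi: str, seg_term: str = "~", elem_sep: str = "*") -> dict:
    """Split raw EDI text into {tag: [elements]} (one occurrence per tag)."""
    segments = {}
    for raw in edi.split(seg_term):
        raw = raw.strip()
        if raw:
            tag, *elements = raw.split(elem_sep)
            segments[tag] = elements
    return segments

def edi_to_app(edi: str) -> dict:
    """Inbound direction: EDI text -> application record, via the map."""
    segments = parse_segments(edi)
    record = {}
    for (tag, pos), field in FIELD_MAP.items():
        elements = segments.get(tag, [])
        record[field] = elements[pos - 1] if pos <= len(elements) else ""
    return record

def app_to_edi(record: dict, seg_term: str = "~", elem_sep: str = "*") -> str:
    """Outbound direction: application record -> EDI text, via the same map."""
    out = []
    for tag, length in SEGMENT_LENGTHS.items():
        elements = [""] * length
        for (t, pos), value in FIXED_ELEMENTS.items():
            if t == tag:
                elements[pos - 1] = value
        for (t, pos), field in FIELD_MAP.items():
            if t == tag:
                elements[pos - 1] = str(record.get(field, ""))
        out.append(elem_sep.join([tag, *elements]) + seg_term)
    return "".join(out)

# Constructed sample purchase order, three segments.
SAMPLE_EDI = "BEG*00*SA*PO-1001**20240115~N1*BY*Acme Ltd~PO1*1*10*EA*4.50~"
```

An auditor reviewing a real translator should confirm that every element the standard requires is either mapped or fixed, since anything outside the map (here the PO1 line number) is silently dropped on the way out.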
3.7.6 POINT-OF-SALE SYSTEMS
Point-of-sale (POS) – the most common payment instruments used with POS are credit and debit cards,
which are associated with bank accounts.
Effective risk management controls for electronic banking include the following 15 controls divided
among three categories:
• Security controls:
4. Authentication of e-banking customers
5. Nonrepudiation and accountability for e-banking transactions
6. Appropriate measures to ensure SoD
7. Proper authorization controls within e-banking systems, databases and applications
8. Data integrity of e-banking transactions, records and information
9. Establishment of clear audit trails for e-banking transactions
10. Confidentiality of key bank information