013255271X PPT 08
Learning Objectives
Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
Explain the factors that influence information systems reliability.
Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.
AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control
COBIT Framework
Information Criteria
COBIT Cycle
Management develops plans to organize information resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
Management ensures that the resulting system actually delivers the desired information.
Management monitors and evaluates system performance against the established criteria.
Cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.
COBIT Controls
210 control objectives for ensuring information integrity
A subset relevant to external auditors is described in IT Control Objectives for Sarbanes-Oxley, 2nd Edition
Confidentiality
Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
Privacy
Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
Processing Integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability
The system and its information are available to meet operational and contractual obligations.
Time-Based Model
Preventive controls are combined with detective and corrective controls; security is adequate when an attack is detected and stopped before the preventive controls are breached
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack
For an effective information security system: P > D + C
Preventive Control
Training
User access controls (authentication and authorization)
Physical access controls (locks, guards, etc.)
Firewall
Software or hardware that filters network traffic, passing or blocking each packet according to a set of rules
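An added example of the filtering a firewall performs, written for these slides rather than taken from them: an ordered rule list is matched against each packet, the first matching rule decides, and anything no rule mentions is dropped by an implicit default-deny rule at the end. The network ranges, ports, rule set and sample packets are constructed for illustration.

```python
"""Minimal stateless packet filter with first-match semantics and default deny.

Added example for the "Firewall" slide; not the textbook's own code.
Addresses use documentation ranges (RFC 5737) and the rule set is invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


# Constructed topology: DMZ web server 192.0.2.10, internal database 10.0.0.20.
# Rule order matters: a later, more specific rule never fires if an earlier
# broader rule already matched the packet.
RULES: List[Rule] = [
    Rule("allow", "0.0.0.0/0",   "192.0.2.10/32", "tcp", 443),   # anyone -> web (HTTPS)
    Rule("allow", "192.0.2.0/24", "10.0.0.20/32", "tcp", 5432),  # DMZ -> database
    Rule("allow", "10.0.0.0/8",  "0.0.0.0/0",     "any", None),  # internal -> anywhere
    Rule("deny",  "0.0.0.0/0",   "10.0.0.0/8",    "any", None),  # explicit: nothing else reaches internal
]


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); index None means the implicit default deny."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def decide(pkt: Packet) -> str:
    """Convenience wrapper over the constructed RULES list."""
    return filter_packet(RULES, pkt)[0]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # internet -> web HTTPS: allow
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # internet -> web SSH: default deny
        Packet("192.0.2.10",  "10.0.0.20",  "tcp", 5432),  # web -> database: allow
        Packet("203.0.113.5", "10.0.0.20",  "tcp", 5432),  # internet -> database: explicit deny
    ]
    for p in samples:
        action, idx = filter_packet(RULES, p)
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}  {action}  (rule {idx})")
```

The explicit deny in the last rule is redundant with the default deny; it is there so the block makes the drop visible in logs and so that a future "allow" appended below it cannot accidentally open the internal network.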
Detective Controls
Log Analysis
Process of examining logs to identify evidence of possible attacks
Intrusion Detection
Sensors and a central monitoring unit create logs of network traffic that was permitted to pass the firewall, then analyze those logs for signs of attempted or successful intrusions
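An added example covering both detective controls above (log analysis and intrusion detection); it is not code from the textbook. It parses sshd-style "Failed password" / "Accepted password" lines, keeps a sliding window of failures per source address, and raises an alert when the count crosses a threshold (an attempted intrusion) and again if a login then succeeds from the same source (a possibly successful one). The log lines, host names, user names and addresses are constructed; the threshold and window values are illustrative, and the year is assumed because syslog timestamps omit it.

```python
"""Sliding-window brute-force detector over constructed sshd-style log lines.

Added example for the "Detective Controls" slide; not the textbook's own code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: six failures in 11 seconds from one address, then a success.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Mar  3 10:00:03 host1 sshd[1202]: Failed password for root from 198.51.100.7 port 50212 ssh2
Mar  3 10:00:04 host1 sshd[1203]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar  3 10:00:05 host1 sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 50213 ssh2
Mar  3 10:00:08 host1 sshd[1205]: Failed password for bob from 198.51.100.7 port 50214 ssh2
Mar  3 10:00:10 host1 sshd[1206]: Failed password for bob from 198.51.100.7 port 50215 ssh2
Mar  3 10:00:12 host1 sshd[1207]: Failed password for bob from 198.51.100.7 port 50216 ssh2
Mar  3 10:00:15 host1 sshd[1208]: Connection closed by 198.51.100.7 port 50216 [preauth]
Mar  3 10:00:20 host1 sshd[1209]: Accepted password for bob from 198.51.100.7 port 50300 ssh2
"""

# Constructed edge case: five failures 30 s apart never reach five inside a 60 s window.
SLOW_LOG = """\
Mar  3 10:00:00 host1 sshd[1301]: Failed password for bob from 198.51.100.8 port 50400 ssh2
Mar  3 10:00:30 host1 sshd[1302]: Failed password for bob from 198.51.100.8 port 50401 ssh2
Mar  3 10:01:00 host1 sshd[1303]: Failed password for bob from 198.51.100.8 port 50402 ssh2
Mar  3 10:01:30 host1 sshd[1304]: Failed password for bob from 198.51.100.8 port 50403 ssh2
Mar  3 10:02:00 host1 sshd[1305]: Failed password for bob from 198.51.100.8 port 50404 ssh2
"""


def parse(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, src) for a login line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(lines: List[str], threshold: int = 5, window: int = 60) -> List[Tuple[str, str, datetime]]:
    """Return alerts as (kind, src, time) tuples; one brute_force alert per burst."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, _user, src = ev
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window:  # expire old failures
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("brute_force", src, ts))
        elif len(q) >= threshold:  # success right after a burst of failures
            alerts.append(("success_after_failures", src, ts))
            q.clear()
            alerted.discard(src)
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<24} {src}")
    print("slow-rate alerts:", detect(SLOW_LOG.splitlines()))
```

The window is what makes this a detective control rather than a counter: the same five failures spread over ten minutes are ordinary typos, while five inside a minute are a guessing attack, and a success that follows the burst is the event the incident response team needs first.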
Corrective Controls
Computer Incident Response Team
Chief Information Security Officer (CISO)
Independent responsibility for information security assigned to someone at an appropriate senior level
Patch Management
Fix known vulnerabilities by installing the latest updates to:
Security programs
Operating systems
Application programs
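An added example of the check behind patch management, not code from the textbook: compare the software versions installed on each host against the versions in which known vulnerabilities were fixed, and list what still needs patching. Versions are compared numerically component by component, which avoids the classic mistake of comparing them as strings (where "1.9" sorts after "1.10"). The host inventory, package names and version numbers are constructed and do not correspond to real fix releases; the comparator is simplified relative to distribution package managers.

```python
"""Find hosts whose installed packages are below the known-fixed version.

Added example for the "Patch Management" slide; not the textbook's own code.
Inventory and version numbers are invented for illustration.
"""
import re
from typing import Dict, List, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.0.13' or '2.4.52-1' into a tuple of integers for numeric comparison.

    Simplification: every run of digits becomes a component; letters are ignored.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def needs_patch(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the version carrying the fix."""
    return version_key(installed) < version_key(fixed)


# Constructed: minimum version of each package in which the known issues are fixed.
REQUIRED: Dict[str, str] = {
    "openssl": "3.0.13",
    "openssh-server": "9.6",
    "nginx": "1.24.0",
}

# Constructed inventory of installed package versions per host.
HOSTS: Dict[str, Dict[str, str]] = {
    "web-1": {"openssl": "3.0.13", "openssh-server": "9.6", "nginx": "1.24.0"},
    "web-2": {"openssl": "3.0.9", "openssh-server": "9.10", "nginx": "1.22.1"},
    "db-1": {"openssl": "3.0.13", "openssh-server": "8.9"},   # nginx not installed
}


def missing_patches(hosts: Dict[str, Dict[str, str]],
                    required: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, package, installed, fixed) for every package below its fixed version."""
    findings = []
    for host, packages in hosts.items():
        for package, fixed in required.items():
            installed = packages.get(package)
            if installed is None:
                continue  # not installed, so the vulnerability does not apply
            if needs_patch(installed, fixed):
                findings.append((host, package, installed, fixed))
    return findings


if __name__ == "__main__":
    for host, package, installed, fixed in missing_patches(HOSTS, REQUIRED):
        print(f"{host}: {package} {installed} -> upgrade to {fixed}")
```

Note that web-2's openssh-server 9.10 is correctly reported as patched even though "9.10" < "9.6" as a string; a script that compared strings would raise a false alarm there and, worse, would miss a genuinely old "9.6" when the fix was in "9.10".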
Follow-up
New Considerations
Virtualization
Multiple virtual machines run on one physical computer
Risks
Increased exposure if a breach of the host occurs, since every virtual machine on it is affected
Reduced authentication standards
Opportunities
Implementing strong access controls over the host (or cloud platform) that runs the virtual machines provides good security over all the systems contained therein
Cloud Computing
Remotely accessed resources
Software applications
Data storage
Hardware