Ch-17 Control and Governance of Information System
information systems
By Sheetal Thomas
Dean, GIMT
Need for control of information system
• High cost of loss of data and wrong decision making
• Possibility of computer abuse
• Risk of computer errors
• Protection of hardware, software, and personnel
• Data privacy and confidentiality
Objectives of CIS
• Safeguarding of assets
• Maintenance of data integrity
• Effectiveness in achieving organizational objectives
• Efficient consumption of resources
Information technology governance
• IT infrastructure library
– Service delivery
– Service support
– Planning to implement service management
– Security management
– Infrastructure management
– Business perspective
– Applications management
– Software assets management
Control objectives for information and related technology
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring
Management control of information system
• Top management controls
– Planning
– Organizing
– Leading
– Monitoring
Systems development management control
• Feasibility study and project initiation
• System analysis and specifying user requirements
• System design and development
• Acceptance testing
• Implementation and maintenance
• Auditing the systems development management function
– Concurrent audit
– Post implementation audit
– General audit
Programming management controls
• Planning
• Control
• Design
• Coding
• Testing
• Operation and maintenance
Controls
• Data resource management controls
• Security management controls
– Exposure analysis
• Operations management controls
– Control of computer and network operations
– Maintaining data files, programme files, and documentation
– Help desk and technical support
– Management of outsourced operations
Quality assurance management controls
• Capability maturity model
– The initial level
– The repeatable level
– The defined level
– The managed level
– The optimizing level
Application control of information systems
• Boundary controls
– Access controls
– Cryptographic controls
– Audit trail controls
– Existence controls
• Input controls
– Design of source documents and data entry screens
– Data code controls
– Batch controls
– Validation of data input
– Audit trail controls
– Existence controls
Communication controls
• Transmission impairment
• Component failure
• Subversive threats
• Audit trail controls
• Existence controls
• Processing controls
Database controls
• Access controls
• Integrity controls
• Application software controls
• Concurrency controls
• Cryptographic controls
• File handling controls
• Audit trail controls
• Existence controls
– Roll forward
– Roll back
Output controls
• Inference controls
• Batch report design controls
• Output production and distribution controls
• Audit trail controls
• Existence controls
Information system audit
• Information system audit procedures
– Use of computers in information systems audit
• Business continuity and disaster recovery
– Business continuity management
• Availability
• Reliability
• Recoverability
Business continuity planning
Disaster recovery planning
Categorizing the functions
• Critical functions
• Vital functions
• Sensitive functions
• Non-critical functions
• Components of a disaster recovery plan
– Emergency plan
– Backup plan
– Recovery plan
– Test plan
Testing a disaster recovery plan
• Paper test
• Preparedness test
• Post test