Information System Audit: Essential of IS Audit for IT Engineer. UP-ITTC, October 2010


Summary

Information system audit (IS audit) requires long experience and a great deal of skill and knowledge about both audit and information technology. For this reason, this training course and textbook summarize the knowledge and skill an IS auditor needs, with particular detail on IS audit processes and methods, for IT engineers who want to become IS auditors or conduct audit tasks.

Acknowledgments

The content of this training and textbook is based on the Certified Information Systems Auditor (CISA) and the Japan Information Technology Engineers Examination - System Auditor Examination. The content is copyrighted to JICA (Japan International Cooperation Agency) and UP-ITTC (UP Information Technology Training Center), and was developed by Go Ota, PADECO Co., Ltd. and UP-ITTC.

Expected Trainees

Because IS audit requires a wide range of IT skill and knowledge, the training expects trainees to have, at least, passed the FE exam or to have an equivalent level of IT experience (at least 5 years, desirably more than 10 years) and knowledge.


Chapter 0. Introduction

• What is IS Audit
• How to become an IS Auditor
• Task and role of an IS Auditor


What is Audit? What is IS Audit?

Audit: "An official examination of accounts to see that they are in order" - The Oxford Dictionary. An INDEPENDENT assessment of / opinion on how well (or badly) the financial statements were prepared.

IS audit:
• A review of the controls within an entity's technology infrastructure
• Official examination of IT-related processes to see that they are in order


What is IS Audit Activity? Difference Between Audit and Evaluation

The slide places Management (policy and strategy; organization and regulation/standard; business activities; business infrastructure) inside the Company, with Evaluation as an activity of management and Audit as an independent activity.

Evaluation vs. Audit:
• Evaluation: activity of management / Audit: independent activity
• Evaluation: process and result / Audit: norm
• Evaluation: doing right / Audit: managing right
• Evaluation: done at the end of a phase / Audit: done any time
• Evaluation example: checking progress and quality of a project / Audit example: checking a regulation of PM and how it is applied, including the current situation

Also shown on the slide: performance, effectiveness and efficiency; the next action is improvement.


Viewpoint of an IS Auditor

Scope of general system development: SDLC (System Development Life Cycle)
• P1: Feasibility Study
• P2: Requirement Definition
• Buy or Make decision
  - Make (Build): P3: System Design, then P4: Development
  - Buy: P3: System Selection, then P4: Configuration
• P5: Implementation
• P6: Post implementation Review
• P7: Disposal

Each phase is reviewed (R) by an audit: evaluation and performance review.


Why IS Audit is needed? Social Background

Information systems have become a main function for business:
• Supporting business activity
• Keeping business information
• Main interface to customers

Innovation in ICT gave information systems a major role in business.

Problems of business management:
• Inappropriate IT system for the business strategy
• Big investment in IT systems with unclear ROI

Problems of security/risk management:
• Computer viruses/illegal access
• System trouble and backup against disaster

Effective and efficient internal management and operation of information systems is needed, hence an independent Information System Audit.


Why IS Audit is needed? Legal Background (1)

After major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the 'Public Company Accounting Reform and Investor Protection Act' (also the 'Corporate and Auditing Accountability and Responsibility Act'), commonly called Sarbanes-Oxley, Sarbox or SOX, was enacted as a United States federal law on July 30, 2002.
• Directs the SEC to enact rules protecting shareholders and the economy
• Honesty in financial reporting
• Responsibility at the top
• Demonstrate compliance by audits

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting.

Internal control now has to rely on information systems, so evaluating internal control requires an audit of the information system.


Why IS Audit is needed? Legal Background (2)

Before SOX (Company Auditor, Financial Audit): Financial Statement (with Internal Control behind it) -> Financial Audit -> Financial Audit Report.

Under SOX (Integrated Audit):
• Financial Statement -> Financial Audit (result) -> Financial Audit Report
• Internal Control -> Internal Control Statement -> Internal Control Audit (process; Operation Audit) -> Internal Control Audit Report

The operation audit assures the clearance of the financial statement:
• Effectiveness and efficiency of operation
• Assurance of the financial statement
• Compliance with laws


What is Internal Control?

Internal Control Model by COSO (the COSO cube):

Objectives (top face): Operations, Reporting, Compliance

Components (front face):
• Control Environment
• Risk Management
• Control Activity
• Information and Communication
• Monitoring
• IT Control

Organization (side face): Enterprise level, Division or subsidiary, Business unit

Activities: Objective -> Risk -> Control, leading to the Financial Statement.


Activities of Internal Control

• Control Environment: the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
• Risk Management: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
• Control Activity: the policies and procedures that help ensure management directives are carried out. It consists of two aspects: a policy of what should be, and procedures to accomplish the policy.
• Information and Communication: supports the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
• Monitoring: assesses the quality of internal control performance over time.
• IT Control: a procedure or policy that provides reasonable assurance that the information technology (IT) used by an organization


IT Internal Control <= Target of IS Audit

IT control consists of:
• ITGC: IT General Controls (over the IT infrastructure: network, servers, PCs ..., its development and operation)
  - Logical access controls
  - System development life cycle controls
  - Program change management controls
  - Data center physical security controls
  - System and data backup and recovery
  - Computer operation controls
• ITCLC: IT Company Level Controls
  - IT governance/policy
  - IT risk management
  - Training
  - Quality assurance
  - IT internal audit
• ITAC: IT Application Controls (complete and accurate processing in application systems such as the accounting system, sales system, ...)
  - Input data control
  - Process control
  - Output control


What is IS Audit? (Again)

"the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently." - Ron Weber

The purpose of IS audit is to realize IT governance through independent and professional auditors who give appropriate assurance based on evaluation of the risk management and control of the information system. - "Information System Audit Standard", Japan Ministry of Economy, Trade and Industry


Case of ITGC: Project Management

Development phases (V-model): User Requirements, System Requirements, Global (Basic) Design, Detail Design, Programming, and the matching test levels Component Test, Integration Test, System Test, Acceptance Test.

The Project Manager and the Project/Development Division manage the project under a Project Management Regulation and keep Project Documents.

IS Audit checks:
• Is the development method appropriate?
• Does the selection of system architecture have an appropriate reason?
• Was the cost estimated by the right procedure and method?
• Does the integration testing use appropriate data?
• Does the project follow the regulation?


Who becomes an Auditor?

Two routes lead to Information System Audit:
• (Account) Auditor, with experience of accounting and audit
• IT Specialist, with experience of IT strategy, development, project management, IT security, service management, ...

Certification:
• CISA (Certified Information Systems Auditor) by ISACA (Information Systems Audit and Control Association), from 1978: more than 75,000 professionals in nearly 160 countries; for both (Account) Auditors and IT Specialists
• System Auditor by the Japan Information Technology Engineers Examination, from 1985: mainly for IT Specialists

If an (Account) Auditor wants to become an IS auditor, he/she should master at least the skill and knowledge of the FE exam level.


Target of IS Audit and IS Auditor's Skill and Knowledge

CISA examination domains (% of the number of questions in the CISA exam):
• Domain 1—IS Audit Process (10%) <= skill and knowledge for conducting IT audit
• Domain 2—IT Governance (15%)
• Domain 3—Systems and Infrastructure Lifecycle Management (16%)
• Domain 4—IT Service Delivery and Support (14%)
• Domain 5—Protection of Information Assets (31%)
• Domain 6—Business Continuity and Disaster Recovery (14%)
Domains 2 to 6 <= target of IS audit, and skill and knowledge for IT systems and points of audit


Map of IS Auditor's Skill and Knowledge

The map spans four columns: IT Technical, IT Management, IT Governance, and Audit Process & Method.

• D1—IS Audit Process: process; method; communication; related standards
• D2—IT Governance: IT strategy; organization management; risk management
• D3—Systems and Infrastructure Lifecycle Management: development method; software testing; system/APP architecture; e-commerce/AP knowledge; APP control; project management; SQM
• D4—IT Service Delivery and Support: service delivery; service support; service strategy; H/W, OS, middleware; network & DB; operation & maintenance
• D5—Protection of Information Assets: IT security audit; logical security; physical security; security policy & strategy; network security; security technology
• D6—Business Continuity and Disaster Recovery: operation & maintenance; backup & recovery; business contingency planning


How to become an IS Auditor (case of CISA)

1. Getting CISA certification
  a) Pass the CISA examination: 500-600 hours of self-learning or 150-200 hours of exam school.
  b) Minimum of 5 years of information systems audit, control or security experience within 10 years of applying and within 5 years of passing the exam.
  c) Compliance with the Information Systems Audit and Control Association Code of Professional Ethics. <= Excellent job
2. Keeping CISA certification: ISACA Continuing Education Policy
  a) Annually report a minimum of 20 hours of continuing professional education.
  b) Report a minimum of 120 contact hours of continuing education for each fixed three-year period.

Certified Information Systems Auditor (CISA): http://www.isaca.org/

What is the meaning of "keeping CISA certification"?


Professional Ethics (ISACA Code)

• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.


Overview of D1—IS Audit Process: Task & Process

Summary of the audit process: Audit Planning -> Perform Test -> Reporting -> Follow-up Activity

Example: a small audit of Logical Access Control (control over which users and programs may access data, programs and applications)
• Audit Planning: the purpose is to evaluate the validity of the logical access control (passwords) in the targeted organization.
• Perform Test: review the regulation on password policy, management and usage; inspect and survey how passwords are managed.
• Reporting: report whether the current regulation and management of passwords is appropriate or not.
• Follow-up Activity: how to modify and improve the logical access control for passwords.

Topics: audit mission and planning, laws and regulations, standards and guidelines for IS auditing, risk analysis, internal controls, performing an IS audit
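The "Perform Test" and "Reporting" steps of the small password audit above, worked as code. This is an added example, not material from the training text: the regulation is modelled as a constructed set of required password control parameters, the evidence as constructed settings collected from three hypothetical systems, and every deviation or missing piece of evidence becomes a finding for the report.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# The norm: password controls the regulation requires. Constructed sample values,
# not taken from any real policy. Each control has a human-readable requirement
# and the predicate an observed setting must satisfy to pass the test.
REGULATION: Dict[str, tuple] = {
    "min_length":        ("at least 8 characters",           lambda v: v >= 8),
    "max_age_days":      ("changed at least every 90 days",  lambda v: 1 <= v <= 90),
    "lockout_threshold": ("lockout after 1-5 failures (0 = lockout disabled)",
                          lambda v: 1 <= v <= 5),
    "history_depth":     ("at least 5 previous passwords remembered", lambda v: v >= 5),
    "complexity":        ("complexity rules enforced",       lambda v: v is True),
}

# Evidence gathered during the inspection, per system (constructed). A value of
# None means the setting could not be obtained; without evidence the auditor cannot
# conclude the control is effective, so that is reported as its own finding.
OBSERVED: Dict[str, Dict[str, Optional[Any]]] = {
    "hr-app":    {"min_length": 12, "max_age_days": 60, "lockout_threshold": 5,
                  "history_depth": 10, "complexity": True},
    "legacy-db": {"min_length": 6, "max_age_days": 365, "lockout_threshold": 0,
                  "history_depth": 0, "complexity": False},
    "file-srv":  {"min_length": 8, "max_age_days": None, "lockout_threshold": 3,
                  "history_depth": 5, "complexity": True},
}


@dataclass(frozen=True)
class Finding:
    system: str
    control: str
    required: str
    observed: Optional[Any]
    kind: str  # "deviation" (setting violates the norm) or "no_evidence"


def audit_password_controls(regulation: Dict[str, tuple],
                            observed: Dict[str, Dict[str, Optional[Any]]]) -> List[Finding]:
    """Perform Test: compare every system's settings with every required control."""
    findings: List[Finding] = []
    for system, settings in observed.items():
        for control, (required, passes) in regulation.items():
            value = settings.get(control)
            if value is None:
                findings.append(Finding(system, control, required, None, "no_evidence"))
            elif not passes(value):
                findings.append(Finding(system, control, required, value, "deviation"))
    return findings


def compliance_rate(regulation: Dict[str, tuple],
                    observed: Dict[str, Dict[str, Optional[Any]]]) -> float:
    """Share of (system, control) tests that passed with evidence; feeds the report."""
    total = len(regulation) * len(observed)
    return 1.0 - len(audit_password_controls(regulation, observed)) / total


def report(findings: List[Finding]) -> List[str]:
    """Reporting step: one line per finding, systems with most findings first."""
    by_system: Dict[str, List[Finding]] = {}
    for f in findings:
        by_system.setdefault(f.system, []).append(f)
    lines: List[str] = []
    for system, fs in sorted(by_system.items(), key=lambda kv: -len(kv[1])):
        lines.append(f"{system}: {len(fs)} finding(s)")
        for f in fs:
            if f.kind == "no_evidence":
                lines.append(f"  - {f.control}: no evidence obtained (required: {f.required})")
            else:
                lines.append(f"  - {f.control}: observed {f.observed!r}, required {f.required}")
    return lines


if __name__ == "__main__":
    fs = audit_password_controls(REGULATION, OBSERVED)
    print("\n".join(report(fs)))
    print(f"compliance rate: {compliance_rate(REGULATION, OBSERVED):.0%}")
```

The `lockout_threshold` predicate shows why a plain "less than or equal" test is not enough: a threshold of 0 would pass such a test while actually meaning the control is switched off.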


Overview of D2—IT Governance

To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

Examples of target:
• Planning IT strategy with the IT Steering Committee
• Implementation of the IT strategy
• Business process reengineering
• Risk management for IT strategy
• Organization and personnel management


Overview of D3—Systems and Infrastructure Lifecycle Management

To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization's objectives.

Examples of target:
• Application development process and regulation, including needs analysis and cost estimation
• Quality management
• Validation of computer and system architecture for applications
• Application control
• Management of outsourcing and vendors


Overview of D4—IT Service Delivery and Support

To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.

Examples of target:
• Service level agreement
• Validation of hardware and software
• Validation of network infrastructure
• Monitoring of information systems/infrastructure
• Capacity and configuration management
• Configuration management of software
• Regulation of operation and maintenance
• Help (service) desk and incident/problem management


Overview of D5—Protection of Information Assets

To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

Examples of target:
• Policy and regulation of IT security, including risk management
• Validation of logical access control such as passwords and authentication
• Validation of physical access control with security technology and devices
• Validation of the security of the network infrastructure
• Validation of the encryption system
• Validation of environmental controls against fire, power breakdown and so on


Overview of D6—Business Continuity and Disaster Recovery

To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

Examples of target:
• Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
• Validation of backup and recovery against disasters
• Validation of means for continuity against disasters


Related important laws, regulations and guidelines (the slide marks, for each, which of the six CISA domains it applies to)

• Standards, Guidelines, and Tools and Techniques for Audit/Assurance and Control Professionals by ISACA: all six domains
• Public Company Accounting Reform and Investor Protection Act of 2002 (SOX): four of the six domains
• The Control Objectives for Information and related Technology (COBIT) by ISACA: all six domains
• ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security management: all six domains
• Information Technology Infrastructure Library (ITIL): five of the six domains
• Val IT by IT Governance Institute (ITGI): two of the six domains
• Project Management Body of Knowledge (PMBOK): three of the six domains
• COSO (The Committee of Sponsoring Organizations of the Treadway Commission) Control Framework: three of the six domains
• CMMI (Capability Maturity Model Integration): three of the six domains
• ISO/IEC 9126 & 25000 Software engineering - Product quality, an international standard for the evaluation of software quality: five of the six domains


Where does an IS auditor work?

• Company & Organization (policy and strategy; organization and regulation/standard; business activities; business infrastructure): Internal Audit, providing assurance and consulting
• Audit Company: External Audit, covering accounting audit and IS audit
• Consultant Company: IS Consultant


New movement of IS Audit: Security

On the same skill map (IT Technical, IT Management, IT Governance, Audit Process & Method across domains D1—IS Audit Process, D2—IT Governance, D3—Systems and Infrastructure Lifecycle Management, D4—IT Service Delivery and Support, D5—Protection of Information Assets, D6—Business Continuity and Disaster Recovery), security-focused certifications have appeared:
• CISM (Certified Information Security Manager) by ISACA
• Information Security Specialist by the Japan Information Technology Engineers Examination


Study style of this lecture

Each domain of CISA is studied in three steps:
1. Quiz (about 20 questions) from the CISA exam
  • Checking your current knowledge and skill about IT for IS audit
  • Making an anchor to understand and memorize new knowledge and skill for IS audit
2. Explanation of related knowledge and skill
  • Basic IT skill and knowledge for an IS auditor
3. Explanation and reflection on the answers of the quiz
  • To find and understand the viewpoint of an IS auditor

Markers used in the slides: start of a new chapter or section; skill and knowledge for IS auditing.


Chapter 1. Domain 3: Systems and Infrastructure Lifecycle Management


Overview of Tasks for Domain 3

3.1 Evaluate proposed system development/acquisition to ensure that it meets the business goals.
3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner.
3.3 Perform reviews to ensure that a project is progressing in accordance with project plans and project management regulation.
3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing.
3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
3.7 Perform post-implementation review and periodic reviews of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
3.8 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control.
3.9 Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures.


Overview of skill and knowledge for Domain 3

3.1 Benefits management practices
3.2 Project governance mechanisms (e.g., steering committee)
3.3 Project management practices, tools, and control frameworks
3.4 Risk management practices applied to projects
3.5 Project success criteria and risks
3.6 Configuration, change and release management in relation to development and maintenance of systems and/or infrastructure
3.7 Control objectives and techniques that ensure the completeness, accuracy, validity, and authorization of transactions and data within IT systems applications
3.8 Enterprise architecture related to data, applications, and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
3.9 Requirements analysis and management practices
3.10 Acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management, escrow)
3.11 System development methodologies and tools and an understanding of their strengths and weaknesses
3.12 Quality assurance methods
3.13 The management of testing processes
3.14 Data conversion tools, techniques, and procedures
3.15 System and/or infrastructure disposal procedures
3.16 Software and hardware certification and accreditation practices
3.17 Post-implementation review objectives and methods
3.18 System migration and infrastructure deployment practices


IS Audit Small Quiz No.1

Domain 3 (1): Systems and Infrastructure Lifecycle Management
Subject: project plan, project management, architecture, method and APP

Quiz book


Overview: SDLC (System Development Life Cycle) by ISACA

Scope of general system development:
• P1: Feasibility Study
• P2: Requirement Definition
• P3: Buy or Make
  - Make (Build): P3: System Design, then P4: Development
  - Buy: P3: System Selection, then P4: Configuration
• P5: Implementation
• P6: Post implementation Review
• P7: Disposal

Each phase is subject to review (R).


Overview of Development Organization

• Senior Management
• Steering Committee
• Project Sponsor
• User Management
• Project Management and Quality Assurance
• Project Development Project Team: Application/system Analysis, Programmer, Tester
• User Project Team
• Technical Infrastructure Team Leader: Software Support, Hardware Support, Network Support


Overview of SDLC Phase 1 and 2

Phase 1: Feasibility Study. To determine the strategic benefit of a new information system and analyze possible resolutions to realize the needs.
• Define the business case
• Define the objectives with supporting evidence
• List possible resolutions
• Perform a preliminary risk assessment
• Agree upon an initial budget and expected return on investment (ROI)

Phase 2: Requirement Definition. To create a detailed definition of needs, including inputs, outputs, the current environment and the proposed interaction.
• Collect specifications (requirements) and supporting evidence
• Identify which standard (technology) will be implemented for the specifications
• Create a quality control plan to ensure that the design complies with the specifications


Overview of SDLC Phase 3 and 4

Phase 3: Plan solution and system design / system selection. To plan the solution (strategy), whether make (build) or buy, based on the objectives from Phase 1 and the specifications from Phase 2.
• Case of build: make designs such as user requirements, basic design, detail design and operation design (start of the development process).
• Case of buy: make an RFP (Request for Proposal) to select the best vendor and product based on the specification in Phase 2; conduct bidding to select the vendor and product.

Phase 4: Development and configuration.
• Case of build: make the programs and conduct testing.
• Case of buy: customization is typically limited to program configuration settings with a limited number of customized reports.


Overview of SDLC Phase 5, 6 and 7

Phase 5: Implementation. The new system is installed and the final user acceptance test (mainly function testing) begins. The system undergoes a process of final certification and approval.

Phase 6: Post implementation. After the system has been in production use, it is reviewed for effectiveness in fulfilling the original objectives.
• Compare performance metrics to the original objectives
• Re-review the specifications and requirements annually
• Implement requests for new requirements, update or disposal

Phase 7: Disposal. The final phase is the proper disposal of equipment and purging of data.


Overview of Development Models (1)

a. Waterfall model, drawn as a V: each development step has the test level that verifies it
• User Requirements <-> Acceptance Test
• System Requirements <-> System Test
• Global (Basic) Design <-> Integration Test
• Detail Design <-> Component Test (= Debug)
• Programming -> Test


Overview of Development Models (2)

b. Agile Development: each function is built in its own short cycle
• Function 1: Design -> Coding -> Test
• Function 2: Design -> Coding -> Test
• Function 3: Design -> Coding -> Test


Overview of Development Models (3)

Comparison (Waterfall / Agile / Spiral (Prototyping)):
• Document: document based / minimum / minimum
• Confirmation of requirement: by document / by software / by software
• Changing requirement: difficult / easy / easy
• Programmers: a few to hundreds / a few to 20
• 1 cycle: months to years / weeks to months / a month to a year
• Management: initial plan / in each cycle
• Collaboration: defined by regulation / personal


Overview of Design and Development Methods

• SD/SA: Structured Design / Structured Analysis. Structured Design (SD) is concerned with the development of modules and the synthesis of these modules in a so-called "module hierarchy".
• OOD: Object-oriented design. The process of planning a system of interacting objects for the purpose of solving a software problem.


Overview of Project Management

PMBOK Knowledge Areas:
1. Project Integration Management
2. Project Scope Management
3. Project Time Management
4. Project Cost Management
5. Project Quality Management
6. Project Human Resources Management
7. Project Communications Management
8. Project Risk Management
9. Project Procurement Management

Project Management Triangle: Performance against Time and Cost, and likewise Performance against Time and Resources.


Overview of Cost Estimation and Scheduling

• Planning: WBS (Work Breakdown Structure)
• Cost estimation: Function point, Lines of code, Bottom-up estimate, Parametric modeling, Analogous estimate
• Scheduling: PERT, Gantt chart


Overview of Procurement

Define Specification -> Make RFP -> Vendor Evaluation Criteria -> Vendor Long List -> Vendor Short List -> Bidding -> Select Vendor -> Make Contract -> Delivery -> Install -> Acceptance Test

RFP: Request for Proposal


Overview of RFP (Request for Proposal)

An RFP has a commercial part and a technical part. Its items:
• Qualification of vendor: the vendor supplying and supporting the product should be reputable and should be able to provide evidence of financial stability
• Bidding document: describes the bidding documents the vendors submit
• Contract condition: conditions such as payment, delivery and warranty in the contract
• Bid opening and evaluation: criteria for selecting the vendor
• Requested documents: client list and other evidence of the product and system
• Product and system requirement: the main content of the RFP. Defines the detailed specification of the requested product and system, including not only functional specifications but also non-functional specifications such as reliability and performance
• Installation schedule: when the product and system will be needed
• Test plan: installation test plan
• Client support: training, operation support, maintenance, warranty


Overview of Business APP

• E-commerce: the buying and selling of products or services over electronic systems such as the Internet and other computer networks.
• E-banking / Online banking: conducting financial transactions on a secure website operated by a retail or virtual bank, credit union or building society.
• CIM: Computer-integrated manufacturing. Both a method of manufacturing and the name of a computer-automated system in which the individual engineering, production, marketing, and support functions of a manufacturing enterprise are organized.
• DSS: Decision support system. DSSs serve the management, operations, and planning levels of an organization and help to make decisions, which may be rapidly changing and not easily specified in advance.
• SCMS: Supply chain management software. Supply chain transactions, managing supplier relationships and controlling associated business processes. It commonly includes customer requirement processing, purchase order processing, inventory management, goods receipt and warehouse management, and supplier management/sourcing.
• CRM: Customer relationship management. Sales force automation, marketing, and customer service and support.


Overview of Risk of Business APP

• E-commerce: need for a clear business case; innovation is very rapid; certification; privacy of customers; high reliability and electronic signatures
• E-banking / Online banking: innovation is very rapid; security of authentication; privacy of customers; high reliability and integration with other systems
• CIM: Computer-integrated manufacturing: a big system consisting of many systems and software; needs a clear feasibility study
• DSS: Decision support system: difficulty of defining purpose and usage; unclear ROI
• SCMS: Supply chain management software: changes the workflow and business model
• CRM: Customer relationship management: innovation is very rapid; security of authentication; privacy of customers


Overview of Technology for Business APP

• EDI: Electronic data interchange. Structured transmission of data between organizations by electronic means. It is used to transfer electronic documents or business data from one computer system to another.
• Data warehouse: to retrieve and analyze data, to extract, transform and load data, and to manage the data dictionary.
• Cloud computing: Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. SaaS.
• Office suite: an office software suite or productivity suite is a collection of programs intended to be used by knowledge workers, e.g. Google Apps.
• ERP: Enterprise resource planning. An integrated computer-based system used to manage internal and external resources, including tangible assets, financial resources, materials, and human resources.
• Smart phone: a mobile phone that offers more advanced computing ability and connectivity than a contemporary basic 'feature phone'.
• CTI: Computer telephony integration. Technology that allows interactions on a telephone and a computer to be integrated or co-ordinated. As contact channels have expanded from voice to include email, web, and fax, the definition of CTI has expanded to include the integration of all customer contact channels (voice, email, web, fax, etc.) with computer systems.


Overview of CMMI

Overview of Development Tools (IDE)

• CASE: Computer-aided software engineering. A set of tools and methods for a software system which is meant to result in high-quality, defect-free, and maintainable software products.
• Visual Studio .NET: can be used to develop console and graphical user interface applications along with Windows Forms applications, web sites, web applications, and web services, in both native code and managed code, for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE, .NET Framework, .NET Compact Framework and Microsoft Silverlight.
• Eclipse: written primarily in Java and can be used to develop applications in Java and, by means of various plug-ins, other languages including C, C++, COBOL, Python, Perl, PHP, Scala, Scheme and Ruby (including the Ruby on Rails framework).


Overview of Actual (Practical) Tools

Test framework: JUnit. The tools below are mapped to the phases Programming, Component Test, Integration Test, System Test and Acceptance Test.

Example 1: OSS for Eclipse (Java)

Static analysis / code metrics:
• Eclipse Metrics Plugin: calculates code metrics such as complexity and dependency
• Checkstyle / PMD: check the style of code
• FindBugs: finds bad coding that is likely to produce bugs
• CAP / JDepend4Eclipse: show dependencies

Test design / test cases / execution:
• djUnit: makes mock classes for testing; coverage
• JUnit Factory: automatically generates test cases
• TPTP: supports writing test code and executing test cases, including on a remote host
• Automated Continuous: executes test cases automatically

Test execution for web:
• Solex: records, replays and edits HTML sessions
• WSUnit: simulates XML web services

Performance testing:
• Extensible Java Profiler / iMechanic / Eclipse profiler plug-in: measure number of calls, time and memory usage

Test execution for web / performance testing:
• Selenium: records, replays and edits browser actions
• JMeter: executes web access sessions automatically

54

IS Audit Small Quiz No.1 (Answer) (1)

1-1 (A) The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and this should be established by a clear business case.
1-2 (B) An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case.
1-3 (D) Lack of adequate user involvement, especially in the system requirement phase, will usually result in a system that does not fully or adequately address the needs of the user.
1-4 (A) It is important that the project be planned properly and that specific phases and deliverables be identified during the early stage of the project.
1-5 (B) A PERT chart will help determine project duration once all the activities and the work involved with those activities are known.
1-6 (D) Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technology into an existing system.
1-7 (A) The waterfall model is best suited to stable conditions like (A).

55

IS Audit Small Quiz No.1 (Answer) (2)

1-8 (A) If resource allocation is decreased, an increase in quality can be achieved if a delay in delivery time will be accepted.
1-9 (A) Cost performance of a project cannot be properly assessed in isolation from schedule performance.
1-10 (C) Projects often have a tendency to expand, and this expansion often grows to the point where the originally anticipated cost-benefits are diminished. When this occurs, the project should be stopped or frozen to allow a review of all the cost-benefits and the payback period.
1-11 (C) A project steering committee is responsible for reviewing the project progress to ensure that it will deliver the expected result.
1-12 (D) In the case of deviation from the predefined procedure, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with business objectives and has been approved by the appropriate authorities.
1-13 (B) A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a test plan.

56

IS Audit Small Quiz No.1 (Answer) (3)

1-14 (C) Choices A, B and D are not risks, but characteristics of a DDS.
1-15 (B) Once the data are in a warehouse, no modification should be made to them, and access controls should be in place to prevent data modification.
1-16 (C) Best resolution.
1-17 (C) When implementing an application software package, incorrect parameters would be the greatest risk.
1-18 (C) The project portfolio database contains project data such as organization, schedule, objectives, status and cost.
1-19 (D) Criteria of CMMI show that the development organization follows a stable and predictable software process; CMMI doesn't guarantee the quality of each project.
1-20 (B) A strength of an IDE is that it expands the programming resources and aids available.

57

IS Audit Small Quiz No.2

Domain 3 (2) Testing, Implementation/Migration and APP control


Quiz book

58

Definition of basic terms related to bug, error, ...

Bug / Defect / Fault: Flaw in a component or system that causes it to fail to perform its required function.

Error: Human action that produces an incorrect result.

Other factors: Malice; Natural environment.

Failure: Deviation of the component or system from its expected delivery, service or result.

Even without a defect, a human error can cause a failure.

Sometimes a defect appears as a failure.

Risk: A factor that could result in future negative consequences; usually expressed as impact and likelihood.
(Diagram: a factor leads to one negative result; the attributes of a risk are impact and likelihood.)

59

Overview of Test Phase

a. Waterfall model (V-model)

Diagram: each requirement or design phase on the left side of the V is paired with the test level that verifies it on the right side, and preparation of each test level starts in the paired phase:
•User Requirements / Acceptance Test
•System Requirements / System Test
•Global (Basic) Design / Integration Test
•Detail Design / Component Test
•Programming (the bottom of the V)

60

Cost of Fixing bugs in Test phases

Chart: cost (vertical axis) against process phase (horizontal axis: Requirement, Design, Programming, Test, Operation). The later in the process a bug is found, the higher the cost of fixing it.

Principle 3 – Early testing

61

Target of Testing

Functional Testing (quality characteristics: suitability, accuracy, compliance, interoperability, security)
•Ordinary testing: functions of the system and/or software that are typically described (implicitly) in a requirements specification, a functional specification, or in use cases.

Non-Functional Testing (quality characteristics: reliability, usability, efficiency, maintainability)
•Performance Testing
•Load Testing
•Stress Testing
•Security Testing
•Usability Testing
•Maintenance Testing
•Reliability Testing

Integration Test (in test environment) / System Test (in real environment)

62

Overview of Testing Techniques

Static (without running the program)
•Document Check (Review)
- Informal Review
- Formal Review: Walk-through, Technical Review, Inspection
•Code Check
- Style Check
- Flow Check
- Bug Detect
- Metrics of Code

Dynamic (running the program)
•Structure (Code)-Based = White Box Testing
- Statement
- Decision
- Condition
- Multiple Condition
•Specification-Based = Black Box Testing
- Equivalence Partitioning
- Boundary Value Analysis
- Decision Table
- State Transition
- Use Case Testing
•Experience-Based
- Error Guessing
- Exploratory Testing

63

How to Conduct Component Test and Integration Test

•Component Test
Diagram: the target module is tested in isolation with a dummy module as stub (standing in for the modules it calls) and a dummy module as driver (standing in for the module that calls it).

•Integration Test
Diagram: Target Module 1 calls Target Module 2, which calls Target Modules 3 and 4.
- Bottom-up method: Modules 3 and 4 are tested first with a driver for 3 and a driver for 4, then Module 2 with a driver for 2, then Module 1.
- Top-down method: Module 1 is tested first with a stub for 1 (in place of Module 2), then Module 2 with stubs for 2 (in place of Modules 3 and 4), then Modules 3 and 4.

64

Overview of Quality Management/Monitoring/Reporting

•Quality of Testing
- Coverage
- Test case density
- Bug density

•Quality of target software
- Number of bugs in each module
- Bug density in each module
- Bug history (number detected: Open, and number fixed: Close)
- Software reliability growth curve

Chart: number of bugs against days, with Open and Close curves.

65

Example: Useful Metrics

Columns: Project / Implementation / Program-system / Testing

•Project: Cost, Time; Progress of implementation
•Features
- Program/system: LOC (lines of code), complexity of code, LOC for modification, time for build
- Testing: coverage, number of test items, number of test items carried out by automated tools
•Quality
- Project: Expected MTTF (Mean Time To Failure); Expected MTTF under stress
- Program/system: number of bugs per build; type of problems in a build
- Testing: number of bugs in each module; bug density in each module; bug history; software reliability growth curve

(What kind of metrics Microsoft is using)

66

Type of Test Organization (Independent Tester)

A. No independent tester: the development group's programmers are also the testers (programmer = tester).
B. Independent testers within the group: the development group has both programmers and testers.
C. Independent tester team within the group: under the project manager, a development team of programmers and a separate test team of testers.
D. Independent testers at the user group: the development group has programmers; the user group provides the testers.
E. Independent test specialists for specific test targets such as usability, security or certification testing: the development group has programmers; a test group has testers for the specific target.
F. Independent testers outsourced or external: the development group has programmers; a test group of outsourced testers, or SQM dev.

67

Activity of Implementation and Migration

•Implementation / Migration Planning
- Preparation of planning: to-be support structure and functions
- User/Operator training plan
- Data migration plan
- Fallback (Rollback) scenario

•Changeover (Go-live or Cutover) Techniques
Diagram: the old system (Modules 1, 2, ..., m) and the new system (Modules 1, 2, ..., n) shown against the rollout schedule.
1. Parallel changeover: old and new systems run side by side over the rollout schedule before the old one is retired.
2. Abrupt changeover: all modules of the old system are replaced by the new system at one point in the rollout schedule.
3. Phased changeover: the new system's modules are brought in one group at a time, each replacing the corresponding part of the old system.

68

Risk of Operation of Information System

Diagram: the e-commerce system and e-commerce DB of ABC Company, surrounded by customers, operators, a criminal, and partner companies (123 Company, XYZ Company).

Even if the system of ABC Company doesn't have bugs, there are many risks and failures:
•Mistake in updating master data (operator)
•Customer error transactions
•Mistake in input
•Illegal access (criminal)
•Inappropriate procedure for error data
•Reports thrown out
•Automated transactions without checking
•Inconsistency of data between companies

69

Definition of error, failure and risk in Test and Control

Bug / Defect / Fault: Flaw in a component or system that causes it to fail to perform its required function.

Human Error: Human action that produces an incorrect result.

Failure: Deviation of the component or system from its expected delivery, service or result.

Risk: A factor that could result in future negative consequences; usually expressed as impact and likelihood.

Factors: Malice; Change of environment (disaster, new standard).

Diagram: after test, remaining bugs, operation errors, crime and system breaks are the factors that appear and/or occur as risks and then as failures; risk management and control (control preventing failure) address them.

70

Test and ITAC (Control) and Audit in context of risk management

•Test
Activity to get rid of the factors that cause risks and failures before cut-over
•ITAC (IT Application Control)
Activity, process and means to prevent risks and failures and/or to reduce the effect of risks and failures (after cut-over)

Role of auditors related to ITAC
•Propose and suggest activities, processes and means for control
•Audit (monitor and check) controls

71

System Development and IT Control

Diagram: the development phases Requirement Analysis, Design & Program, Testing, Migration and Cut-over, followed by Operation with Maintenance, Changing and Monitoring. Development is governed by Project Management and Software Quality Assurance; operation by Operation Management and IT Control (ITAC). Each governing layer consists of control functions, manuals & procedures, activities, regulations and management.

All items are targets of IS audit

72

IT control

ITCLC: IT Company Level Control
•IT Governance/Policy
•IT Risk Management
•Training
•Quality Assurance
•IT Internal Audit

ITGC: IT general controls (over the IT infrastructure: network, server, PC ..., development and operation)
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITAC: IT Application Control (over application systems such as the accounting system and the sales system, so that they are complete and accurate)
•Input Data Control
•Processing Control
•Output Control

73

Control Items of ITAC

Major means of control

ITAC
•Input Management (Control): Data Entry Controls; Input (Transaction) Authorization; Batch control; Segregation of Duties; System Edits; Error Reporting and handling
•Processing Management (Control): Interface Control; Data file control; System Edits; Error Reporting and handling
•Output Management (Control): Reconciliation; Distribution; Access

ITGC
•Access Management (Control): User-IDs/Passwords; Data Security; Network Security; Security Administration; Access Authorization

74

Overview of Means and Technique

Table: means of internal control and the corresponding IS audit technique, by who performs the control.

•Human
- Internal control: regulation of human operation; working record
- IS audit: checking regulations; checking working records
•Computer
- Internal control: function for detecting errors; operation logs, system logs & transaction logs
- IS audit: checking system logs; testing functions
•Computer & Human
- Internal control: regulation of the monitoring system
- IS audit: testing & monitoring the system

75

Objectives of Control of Input Management (Control)

Objective / Sample of Control / Sample of Audit

•Objective: The organization makes a regulation for input management and complies with it.
- Control: Regulation including procedure, method of verification and authorization for input activities
- Audit: Checking regulation documents; inspection of working records of input activity

•Objective: Input operation is carried out based on the regulation and assures that nothing is repeated or missing.
- Control: Procedure to put a stamp on a form sheet after input; system function to check the serial No. of input data
- Audit: All form sheets have a stamp after input; checking that there is no repeated data in the database

•Objective: Sufficient means and functions prevent input errors and illegal operation.
- Control: System function can detect invalid data input; operators can use only specific PCs (terminals)
- Audit: Review and testing of the system function; access log of PCs

•Objective: Storing and disposing of data is carried out based on the regulation.
- Control: Regulation for disposing of report documents; only authorized persons can access (see) past data
- Audit: Checking the record of disposed documents; checking the access log of the database

Controls exist both with the IT system and without the IT system.

76

Objectives of Control of Processing Management (Control)

Objective / Sample of Control / Sample of Audit

•Objective: The organization makes a regulation for data management and complies with it.
- Control: Regulation including procedure, method of verification and authorization for data management
- Audit: Checking regulation documents; inspection of working records of backup

•Objective: Data access control and monitoring work effectively.
- Control: Regulation of access control for updating master data
- Audit: Checking the access log of the database

•Objective: Integrity of data is guaranteed.
- Control: Regulation for checking the data range of master data
- Audit: Checking test records of data updates

•Objective: Data transfer complies with its regulation.
- Control: Regulation of data transfer
- Audit: Checking records of transferred data

•Objective: Data exchange takes appropriate means to prevent illegal access and keep security.
- Control: Function of error correction during data exchange
- Audit: Log data of exchange error correction

•Objective: Storing, copying and disposing of data prevent illegal access and keep security.
- Control: Regulation for disposing of report documents
- Audit: Checking the record of disposed documents

77

Objectives of Control of Output Management (Control)

Objective / Sample of Control / Sample of Audit

•Objective: The organization makes a regulation for output management and complies with it.
- Control: Regulation including procedure, method of verification and authorization for output activities
- Audit: Checking regulation documents; inspection of working records of output activity

•Objective: Output operation is carried out based on the regulation and assures that nothing is repeated or missing.
- Control: Regulation defines the person responsible for the output procedure
- Audit: Checking the access log for output data

•Objective: Sufficient means and functions prevent output errors and illegal operation.

•Objective: Distribution of output is carried out based on its regulation.
- Control: Regulation of output distribution
- Audit: Checking the distribution of output reports

•Objective: Storing and disposing of output is carried out based on the regulation.
- Control: Regulation for disposing of report documents
- Audit: Checking the record of disposed documents

78

Technique and Means of Control of Input Management (Control)

Area / Description

•Data control preparation
- Well-designed source document or form: grouping similar input fields; providing appropriate codes to reduce errors; containing appropriate serial No. and cross-reference No.; appropriate input field style to reduce errors; including an appropriate field for document authorization

•Input Authorization
- Signature on form or source document
- Online access control (only authorized individuals can access specific information)
- Unique password (don't share passwords or grant your password to others)
- Usage of specific terminals or a specific area
- Segregation of duties

•Batch control
- Appropriate batch header form including application name, transaction code, preprinted No., identification data
- Total monetary amount (verification that the total monetary value of the items processed equals the total monetary value of the batch documents)
- Total items (No. of units ordered in the batch and No. of units processed)
- Total number of documents
- Hash totals (verification of the total of a hash field: a field with no meaning in the form, but preprinted fixed numbers)
- Reviewing online batching input by a manager
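How the batch totals listed above reconcile in practice, as an added example that is not part of the training material: a constructed batch header carries the document count, item count, monetary total and hash total (here the sum of the account numbers), and the processing side recomputes them from the keyed transactions. The Transaction and BatchHeader layouts and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    doc_no: int      # preprinted document number on the source form
    account: int     # account number: meaningless as a sum, so it feeds the hash total
    units: int       # number of units ordered
    amount: float    # monetary value of the document


@dataclass(frozen=True)
class BatchHeader:
    application: str
    transaction_code: str
    batch_no: str
    total_documents: int
    total_items: int
    total_amount: float
    hash_total: int


def compute_controls(transactions):
    """Recompute the four control totals from the transactions actually keyed."""
    return {
        "total_documents": len(transactions),
        "total_items": sum(t.units for t in transactions),
        "total_amount": round(sum(t.amount for t in transactions), 2),
        "hash_total": sum(t.account for t in transactions),
    }


def reconcile_batch(header, transactions):
    """Compare the keyed batch with its header; returns the list of discrepancies.

    An empty list means the batch balances. Which total fails points at the
    cause: a document-count mismatch means a form was skipped or keyed twice,
    a hash-total mismatch while the amounts balance means an account number
    was mis-keyed. Either way the batch is held for correction, not processed.
    """
    actual = compute_controls(transactions)
    expected = {
        "total_documents": header.total_documents,
        "total_items": header.total_items,
        "total_amount": round(header.total_amount, 2),
        "hash_total": header.hash_total,
    }
    problems = [f"{name}: header {expected[name]} vs entered {actual[name]}"
                for name in expected if actual[name] != expected[name]]
    # A repeated document number is a duplicate entry even if the totals
    # happen to balance, so it is checked separately from the totals.
    seen = set()
    for t in transactions:
        if t.doc_no in seen:
            problems.append(f"duplicate document {t.doc_no}")
        seen.add(t.doc_no)
    return problems


# Constructed sample: the header totals were computed from the three source
# forms before keying; the hash total is the sum of the account numbers.
SAMPLE_HEADER = BatchHeader("Accounts Payable", "AP01", "B-2010-10-17",
                            total_documents=3, total_items=17,
                            total_amount=1349.50, hash_total=120666)
GOOD_BATCH = [Transaction(1001, 40111, 5, 250.00),
              Transaction(1002, 40222, 2, 99.50),
              Transaction(1003, 40333, 10, 1000.00)]
# Same batch with the third account number mis-keyed (40133 instead of 40333):
# only the hash total catches it, because the amounts still balance.
MISKEYED_BATCH = GOOD_BATCH[:2] + [Transaction(1003, 40133, 10, 1000.00)]
# Form 1002 keyed twice and form 1003 skipped: the document count balances,
# but items, amount and hash total do not, and the duplicate is reported.
DUPLICATED_BATCH = GOOD_BATCH[:2] + [GOOD_BATCH[1]]
```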

79

Technique and Means of Control of Input (Processing) Management

Area / Description

•Regulation and Monitoring
- Transaction log (input process and batch process)
- Documented regulation
- Transmittal log
- Cancellation of source documents (by punching holes or marking, to avoid duplicate entry)

•Error Reporting and Handling
- Appropriate error handling: rejecting only the transactions with errors; rejecting the whole batch of transactions; holding the batch in suspense; accepting the batch and flagging the error transactions
- Appropriate error correction procedure: logging of errors; timely corrections; upstream resubmission; approval of corrections; suspense file; error file; validity of corrections

80

Technique and Means of Control of Processing (Input) Management

Area / Description

•Data validation and Editing Procedure
- Sequence check (to avoid duplicated and missing data)
- Limit check (not only input data, but also updates of master data)
- Range check
- Validity check (checking whether the input data is one of the values of the allowed set)
- Reasonableness check (e.g. the requested number in an order)
- Table lookup (validity by using a table)
- Key verification (validity: no duplicated key)
- Completeness check (null check of data in a specific field)
- Duplication check (checking duplication of a transaction)
- Logical relation check (e.g. if he has a wife, he must be over xx years old)

•Process validation and verification
- Manual recalculation
- Run-to-run totals (checking values between processes, e.g. the sum from the middle process and the sum from the end process)
- Limit checks of amounts
- Reasonableness of amounts
- Exception reports
- Reconciliation (cross comparison) of file totals
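The edit checks and the run-to-run total above, carried through in an added Python example that is not the course's own code: each record-level check is one test against a constructed order record, the batch-level checks cover sequence, key and duplication, and the batch hands a control total to the next step, which re-sums what it received. The field names, limits, product code set and customer table are assumptions made for this example.

```python
PRODUCT_CODES = {"P100", "P200", "P300"}          # validity check: the allowed set
CUSTOMER_TABLE = {"C01": "Alice", "C02": "Bob"}   # table lookup: master data
QTY_LIMIT = 100                                   # limit check
PRICE_RANGE = (1.0, 10_000.0)                     # range check
REASONABLE_ORDER_VALUE = 50_000.0                 # reasonableness check
REQUIRED = ("seq", "order_id", "customer_id", "product", "qty", "price", "age")


def edit_record(rec):
    """Record-level edits; returns the names of the checks that failed."""
    errors = []
    missing = [f for f in REQUIRED if rec.get(f) is None]
    if missing:                                   # completeness check (null fields)
        errors.append("completeness:" + ",".join(missing))
        return errors                             # the other checks need these fields
    if rec["product"] not in PRODUCT_CODES:       # validity check
        errors.append("validity:product")
    if rec["customer_id"] not in CUSTOMER_TABLE:  # table lookup
        errors.append("lookup:customer_id")
    if rec["qty"] > QTY_LIMIT:                    # limit check
        errors.append("limit:qty")
    low, high = PRICE_RANGE
    if not low <= rec["price"] <= high:           # range check
        errors.append("range:price")
    if rec["qty"] * rec["price"] > REASONABLE_ORDER_VALUE:   # reasonableness check
        errors.append("reasonableness:order_value")
    if rec.get("married") and rec["age"] < 18:    # logical relation check
        errors.append("logical:married_minor")
    return errors


def edit_batch(records):
    """Batch-level edits over a list of records.

    Returns a dict: 'batch_errors' for problems of the batch as a whole,
    'rejected' mapping a record's seq to its failed checks, 'accepted' for
    the clean records, and 'run_to_run' as the control total of the
    accepted records that the next processing step must reproduce.
    """
    result = {"accepted": [], "rejected": {}, "batch_errors": [], "run_to_run": 0.0}
    if [r.get("seq") for r in records] != list(range(1, len(records) + 1)):
        result["batch_errors"].append("sequence:gap_or_repeat")   # sequence check
    seen_keys, seen_signatures = set(), set()
    for rec in records:
        errors = edit_record(rec)
        key = rec.get("order_id")
        if key in seen_keys:                      # key verification
            errors.append("key:duplicate_order_id")
        seen_keys.add(key)
        signature = tuple(rec.get(f) for f in ("customer_id", "product", "qty", "price"))
        if signature in seen_signatures:          # duplication check
            errors.append("duplicate:same_transaction")
        seen_signatures.add(signature)
        if errors:
            result["rejected"][rec.get("seq")] = errors
        else:
            result["accepted"].append(rec)
            result["run_to_run"] += rec["qty"] * rec["price"]
    result["run_to_run"] = round(result["run_to_run"], 2)
    return result


def post_accepted(accepted, control_total):
    """Next process step: re-sum what was received and compare it with the
    run-to-run total handed over. A mismatch means records were lost or
    altered between the two steps. Returns (balanced, recomputed_total)."""
    total = round(sum(r["qty"] * r["price"] for r in accepted), 2)
    return total == control_total, total


# Constructed sample batch: record 2 carries an unknown product code,
# record 4 repeats record 3's order id, record 5 is a married 16-year-old.
SAMPLE_BATCH = [
    {"seq": 1, "order_id": "O-1", "customer_id": "C01", "product": "P100", "qty": 2, "price": 10.0, "age": 30},
    {"seq": 2, "order_id": "O-2", "customer_id": "C02", "product": "P999", "qty": 1, "price": 20.0, "age": 40},
    {"seq": 3, "order_id": "O-3", "customer_id": "C01", "product": "P200", "qty": 5, "price": 100.0, "age": 30},
    {"seq": 4, "order_id": "O-3", "customer_id": "C02", "product": "P300", "qty": 1, "price": 50.0, "age": 40},
    {"seq": 5, "order_id": "O-5", "customer_id": "C01", "product": "P100", "qty": 1, "price": 10.0,
     "age": 16, "married": True},
]
```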

81

Technique and Means of Control of Processing Management

Area / Description

•Data File Control
- Before and after image report (the difference proves that the transactions were done correctly)
- Maintenance error reporting and handling (checking and reviewing of error handling by personnel who did not do the handling)
- Source document retention (verification of the file against the source data)
- Internal and external labeling (labels on physical removable storage such as tapes and disk cartridges)
- Version management
- Data file security
- One-for-one checking (verification by comparison between data and source document)
- Transaction log
- File updating and maintenance authorization
- Parity checking

•Type of data files
- System control parameters (configuration parameters)
- Master data (standing data): not changed by transactions
- Master data (balancing data): changed by transactions
- Transaction file

82

Technique and Means of Control of Output Management

Area / Description

•Output validation procedure
- Sequence check (to avoid duplicated and missing output)
- Balancing and reconciling
- Log of online distribution

•Output delivery and storage
- Logging and storage of negotiable, sensitive and critical forms in a secure place
- Computer generation of negotiable instruments, forms and signatures, including intellectual property
- Appropriate report printing and distribution, including electronic reporting: control of the print spool; authentication of printing; printing in a secure and safe room; delivery and recipient evidence such as a signature
- Output report retention
- Output error handling

83

Overview of Auditing ITAC (Application Controls)

Diagram: internal controls (human, computer, computer & human) and the corresponding IS audit activities.

•Preparation
- Checking development documents and regulations
- Analyzing transaction flow
- Modeling risk assessment

•Observing and testing users performing procedures

•Data integrity testing
- To assure accuracy, completeness, consistency and authorization of data held in a system

•Data integrity testing in online transaction processing systems
- To assure tolerance to multiple parallel user accesses

•Test of application system
- To test the effectiveness of application controls

•Continuous online auditing
- To collect evidence from a live information system

CAAT (Computer Assisted Audit Tools), GAS (General Audit System)

84

Preparation of Auditing for ITAC

Area / Description

•Checking documents and interviews
- System methodology documents
- Function design documents
- User manual / operation manual and regulations
- Technical reference documents
- Records of program changes

•Analyzing transaction flow
- To find important controls
- To find weak points of transactions and controls

•Modeling risk assessment
Factors of the risk model:
- Quality of internal condition
- Economic condition / regulatory agency impact
- Time in existence
- Staff turnover
- Time elapsed since last audit / prior audit result
- Complexity of operation
- Recent accounting system changes / recent changes in key positions
- Transaction volume / monetary volume
- Sensitivity of transactions
- Impact of application failure

85

Methods and Targets of Observing and testing users performing procedures: Auditing ITAC

Area / Description

•Separation of duties
- Ensure that no individual has the capability to perform more than one of the following processes: input, authorization, verification and distribution, by reviewing job descriptions and authorization levels.

•Balancing
- Verify run-to-run control totals and other application totals.

•Error control and correction
- Error and correction reports provide evidence of appropriate review, timely correction and resubmission.

•Distribution of reports
- Critical output reports should be produced and maintained in a secure area and distributed in an authorized manner.

•Review and testing of access authorization and capability
- Access control tables provide information on each individual's access level; test that the access rules are as management intended.
- Activity reports or access (log-in) logs provide detailed information on actual access; in particular, the access violation log should be reviewed.

86

Methods and Targets of Data integrity Testing

•Data integrity testing is a set of substantive tests that examine accuracy, completeness, consistency and authorization.

•Failure of data integrity is the result of failures of input and/or processing. Because of this, data integrity testing uses methods and techniques similar to those for testing input controls.

•Two types of data integrity
- Relational integrity: targets are each record and/or the items in a record. Relational integrity is enforced by the data-checking functions of the input process.
- Referential integrity: targets are the existence relationships between entities in different tables of a database. It is necessary that references (by primary key and foreign key) be kept consistent in the event of Insert, Delete and Update.

87

Methods and Targets of Data integrity Testing in online transaction processing systems

The importance of data integrity is known as the ACID principle.

•Atomicity: From the user's perspective, a transaction is either completed or not done at all. If an error or interruption occurs, all changes made up to that point are backed out.

•Consistency: All integrity conditions in the database are maintained.

•Isolation: Under multi-user conditions, each transaction is isolated from other transactions.

•Durability: If a transaction has been reported to the user as complete, the resulting changes to the database survive subsequent hardware or software failures.
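An added example (not the course's own code) that shows both the referential integrity test from the previous slide and atomicity from this one, on a constructed customer/orders database in SQLite (Python's standard sqlite3 module): an orphan-order query of the kind an auditor runs as a substantive test, and a two-step transfer whose second step fails so that the first is backed out. The table names and sample rows are assumptions made for this example.

```python
import sqlite3


def build_db(enforce_fk):
    """Create the constructed sample schema in memory. enforce_fk toggles
    SQLite's foreign-key enforcement, which is OFF by default: with it off,
    the database itself will not stop an orphan reference from being stored."""
    con = sqlite3.connect(":memory:")
    con.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    con.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                               balance INTEGER NOT NULL CHECK (balance >= 0));
        CREATE TABLE orders (id INTEGER PRIMARY KEY,
                             customer_id INTEGER NOT NULL REFERENCES customer(id),
                             amount INTEGER NOT NULL);
        INSERT INTO customer VALUES (1, 'Alice', 100), (2, 'Bob', 50);
        INSERT INTO orders VALUES (10, 1, 30), (11, 2, 20);
    """)
    return con


def orphan_orders(con):
    """Referential-integrity test: ids of orders whose customer_id matches no
    customer row. An empty result means every foreign key resolves."""
    rows = con.execute("""
        SELECT o.id FROM orders o
        LEFT JOIN customer c ON c.id = o.customer_id
        WHERE c.id IS NULL ORDER BY o.id""").fetchall()
    return [r[0] for r in rows]


def insert_order_for_missing_customer(con, order_id=12, customer_id=99):
    """Try to store an order that references a customer that does not exist.
    Returns True if the database rejected it, False if it was stored."""
    try:
        with con:
            con.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, customer_id, 5))
        return False
    except sqlite3.IntegrityError:
        return True


def transfer(con, src, dst, amount):
    """Move amount from customer src to customer dst inside one transaction.

    The credit runs first; if the debit then violates the balance CHECK, the
    connection context manager rolls the whole transaction back, so the
    credit is undone as well (atomicity) and balances still sum to the same
    total as before (consistency). Returns True only if the transfer committed.
    """
    try:
        with con:   # commits on success, rolls back on exception
            con.execute("UPDATE customer SET balance = balance + ? WHERE id = ?", (amount, dst))
            con.execute("UPDATE customer SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con):
    """Current balances as {customer_id: balance}."""
    return dict(con.execute("SELECT id, balance FROM customer ORDER BY id"))
```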

88

Overviews of Methods and Targets of Test of Application System and Continuous online Auditing

Diagram: input, processing and output in two settings.
•Testing and simulation environment: test data is fed to simulated processing; dumps and tracing show the processing; outputs are validated and verified by comparison among outputs.
•Real environment (live system): test data and real data are fed to the live system; an audit module checks input and processing.

89

Methods and Targets of Test of Application System and Continuous online Auditing (1)

Method / Description / Comment

•Mapping
- To detect code that is not tested; similar to measuring test coverage.
- Needs a function to measure coverage.

•Tracing and Tagging
- To trace a specific transaction in a real or simulated system.
- Needs tracing skill or development of a tracing function.

•Test data / deck
- Inputting test data to the real system; the result is expected (known in advance).
- It doesn't prove that all the code was exercised.

•Base case system evaluation
- Testing by using the test cases of integration testing.
- Needs a lot of time and effort to conduct the test.

•Parallel operation
- To compare the old system and the new system with the same data.

•Parallel simulation
- To check real (live) data by using a simulation program that has the same processing logic as the real system.
- Needs development of the simulation program.

•Extended record
- To extract specific data and transactions to audit files (manually or automatically with an audit module).
- When using an audit module, needs development of the program.

90

Methods and Targets of Test of Application System and Continuous online Auditing (2)

Method / Description / Comment

•Embedded Audit Module (System Control Audit Review File) (EAM/SCARF)
- Adding audit functions to extract specific transactions into review files.
- Needs development of specific alert functions.

•Integrated test facility (ITF)
- Inputting test data/transactions to the live system; the result is expected (known in advance).
- Needs a precise plan so as not to affect real processing.

•Snapshot
- Adding dump modules to the system. The dump shows the passing of specific points and their internal data.
- To prove program logic; needs knowledge of IT development and programming.

•Continuous and Intermittent Simulation (CIS)
- To check the processing of each transaction before real processing by using a simulation function.
- Needs development of specific alert functions.

•Audit hooks
- Adding alert functions to detect the risk of an error or irregularity before a serious failure.
- Needs development of specific alert functions.

91

Comparison among methods of Continuous online Auditing

Method / Complexity / Useful when

•System Control Audit Review File and Embedded Audit Module (SCARF/EAM): Very high; regular processing cannot be interrupted.
•Integrated test facility (ITF): High; it is not beneficial to use test data.
•Snapshot: Medium; an audit trail is required.
•Continuous and Intermittent Simulation (CIS): Medium; transactions meeting certain criteria need to be examined.
•Audit hooks: Low; only select transactions or processes need to be examined.
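Three of the techniques from the two preceding slides (SCARF/EAM, Snapshot and Audit hooks) instrumented into one constructed payment-processing function, as an added example that is not part of the training material: the embedded audit module copies transactions meeting the audit criteria into a review file without interrupting processing, the snapshot records the transaction's internal data at fixed points, and the audit hook raises an alert before posting. The review threshold, the split-payment alert rule in audit_hook, and the sample transactions are assumptions made for this example.

```python
from dataclasses import dataclass, field

REVIEW_THRESHOLD = 10_000          # SCARF criterion: payments at or above this go to review
SNAPSHOT_POINTS = ("received", "validated", "posted")


@dataclass
class AuditTrail:
    review_file: list = field(default_factory=list)   # SCARF/EAM output
    snapshots: list = field(default_factory=list)     # snapshot output
    alerts: list = field(default_factory=list)        # audit hook output


def embedded_audit_module(txn, trail):
    """SCARF/EAM: copy transactions meeting the audit criteria into the review
    file. Processing is not interrupted; the auditor reads the file later."""
    if txn["amount"] >= REVIEW_THRESHOLD or txn["payee"] == txn["approver"]:
        trail.review_file.append(dict(txn))


def snapshot(point, txn, trail):
    """Snapshot: record the transaction's internal data as it passes a
    predefined point, which gives an audit trail of the program logic."""
    if point in SNAPSHOT_POINTS:
        trail.snapshots.append((txn["id"], point, txn["amount"], txn["status"]))


def audit_hook(txn, history, trail):
    """Audit hook: flag an irregularity before it becomes a failure. The rule
    here (constructed) is several payments just under the review threshold to
    the same payee on the same day, which together would have needed review."""
    same_day = [t for t in history if t["payee"] == txn["payee"] and t["date"] == txn["date"]]
    near_limit = [t for t in same_day + [txn]
                  if 0.8 * REVIEW_THRESHOLD <= t["amount"] < REVIEW_THRESHOLD]
    if len(near_limit) >= 2:
        trail.alerts.append((txn["id"], "possible_split_payment", [t["id"] for t in near_limit]))
        return True
    return False


def process_payment(txn, history, trail):
    """Constructed processing path with the three audit points inserted."""
    txn = dict(txn, status="received")
    snapshot("received", txn, trail)
    if txn["amount"] <= 0:
        txn["status"] = "rejected"
        return txn
    txn["status"] = "validated"
    snapshot("validated", txn, trail)
    embedded_audit_module(txn, trail)
    audit_hook(txn, history, trail)       # alert only; regular processing continues
    txn["status"] = "posted"
    snapshot("posted", txn, trail)
    history.append(txn)
    return txn


# Constructed sample day: one large payment, two near-threshold payments to the
# same payee that together exceed the threshold, and one self-approved payment.
SAMPLE_TXNS = [
    {"id": 1, "date": "2010-10-01", "payee": "Vendor A", "approver": "mgr1", "amount": 12_000},
    {"id": 2, "date": "2010-10-01", "payee": "Vendor B", "approver": "mgr2", "amount": 9_500},
    {"id": 3, "date": "2010-10-01", "payee": "Vendor B", "approver": "mgr2", "amount": 9_000},
    {"id": 4, "date": "2010-10-01", "payee": "mgr3", "approver": "mgr3", "amount": 500},
]


def run_day(txns=SAMPLE_TXNS):
    """Process the sample day and return the audit trail the three techniques produced."""
    trail, history = AuditTrail(), []
    for t in txns:
        process_payment(t, history, trail)
    return trail
```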

92

Methods and Targets of Observing and testing System development life cycle controls: Auditing ITGC (1)

Phase/Task / Description

•Project Management
- Oversight by project committee/board
- Risk management and problem management
- Cost management
- Planning process
- Reporting process to senior management
- Stakeholder management
- Sign-off and authorization process

•Feasibility Study
- Identify and determine the criticality of needs
- Determine the reasonability of the chosen solution
- Determine the justification and benefit of all the costs

•Requirement Definition
- Identify key stakeholders and verify that they have appropriate representation in the project team
- Verify the accuracy of the requirement document through interviews with relevant users
- Determine whether an appropriate number of vendors can receive the requirements (some vendors can realize the system)
- Verify that project start and cost have been approved by the proper management positions/groups
- Review the design to ensure that control specifications have been defined
- Survey and design whether the system needs some embedded audit functions

93

Methods and Targets of Observing and testing System development life cycle controls: Auditing ITGC (2)

Phase/Task / Description

•Software Acquisition Process (Procurement)
- Determine the reasonability of acquiring a solution by reviewing the feasibility study
- Review the RFP to ensure that it contains all the information necessary for an RFP
- Ensure fairness in selecting a vendor based on the RFP
- Review the vendor contract to ensure that it includes the items the RFP mentions
- Ensure the contract is reviewed by legal counsel before it is signed

•Detail Design and Development
- Review whether appropriate controls of input, processing and output are designed
- Ensure the validity of the specifications of screen design, operation and output format by interviews with the main users
- Review whether appropriate audit functions are designed
- Review the quality assurance results of design activities
- Review whether design activity follows the regulation appropriately, such as authorization and user review

Testing

94

Chapter 2.Domain1:

IS Audit Process


95

Overview of Tasks for Domain 1

•1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
•1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
•1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
•1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
•1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

96

Overview of skill and knowledge for Domain 1

•1.1 ISACA IS Auditing Standards, Guidelines and Procedures and the Code of Professional Ethics

•1.2 IS auditing practices and techniques

•1.3 techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATTs and electronic media)

•1.4 the evidence life cycle (e.g., the collection, protection, chain of custody)

•1.5 control objectives and controls related to IS (e.g., COBIT)

•1.6 risk assessment in an audit context

•1.7 audit planning and management techniques

•1.8 reporting and communication techniques (e.g., facilitation, negotiation and conflict resolution)

•1.9 control self-assessment (CSA)

•1.10 continuous audit techniques

97

IS Audit Small Quiz No.3

Domain 3 IS Audit Process

Subject: Audit Planning, Risk Management, Methods of Audit and Audit Reporting


Quiz book

98

Type of Audits


Type / Description

•Financial audits: The purpose is to assess the correctness of an organization's financial statements. IT auditors work under financial auditors and test the integrity and reliability of financial information.

•Operational audits: The purpose is to evaluate the internal control structure in a specific process or area, such as application controls or the logical security system.

•Integrated audits: A combination of financial audits and operational audits.

•Administrative audits: The purpose is to evaluate and improve the efficiency of operational productivity within an organization.

•IS audits: The purpose is to evaluate the internal controls of the information system. Targets are ITCLC, ITGC and ITAC.

•Specialized audits: Specialized reviews that examine areas such as services performed by third parties. SAS 70 (Statement on Auditing Standards No. 70), developed by the AICPA (American Institute of Certified Public Accountants), is widely known.

•Forensic audits: Special audits for discovering, disclosing and following up on frauds and crimes.

99

Overview of IS audit Process

What you will learn in this Chapter:
•IS Audit Charter / Guideline
•Audit Process: Audit Planning; Risk Assessment; Perform Test; Report & Follow-up
•Inspection & Test Methods and Techniques
•Evidence
•Finding

100

Framework and Guideline of IS audit (1)U

IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals (330 pages) (http://www.isaca.org/)

IT Audit and Assurance Standards (Framework)
S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards
S4 Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow-Up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce

101

Framework and Guideline of IS audit (2)U

Index of IT Audit and Assurance Guidelines (G1-G44)
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organisational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G15 Audit Planning
G18 IT Governance
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems
G23 System Development Life Cycle (SDLC)
G28 Computer Forensics
G31 Privacy
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G37 Configuration Management Process
G38 Access Controls
G39 IT Organisation
G40 Review of Security Management Practices
G42 Continuous Assurance

102

Framework and Guideline of IS audit (3)

Index of IT Audit and Assurance Tools and Techniques
P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment: Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)

103

Audit Risk

Risk in the audit itself: the risk that a material error (for example a misstatement) exists and is not detected during the audit process. It is built from three components:

•Inherent Risk: the risk that an error occurs when no control is in place, e.g. because the process is complex.
•Control Risk: the risk that the control fails to prevent or detect the error, e.g. because a human makes a mistake.
•Detection Risk: the risk that the audit itself fails to find the error, e.g. because the audit test is inadequate.
•Overall Audit Risk = Inherent Risk x Control Risk x Detection Risk. The auditor cannot change inherent risk or control risk; the auditor lowers detection risk, and with it the overall audit risk, through the nature and extent of the tests performed.

Compliance tests check whether the controls work as designed (they address control risk); substantive tests check the transactions and data themselves (they address detection risk).

104

Flow of Audit Process

1. Audit Charter
•Scope with goals and objectives
•Authority of the audit
•Responsibilities and actions among stakeholders

2. Audit Planning & Gathering Information
•Knowledge of the business
•Regulatory status
•Prior audit results
•Inherent risk assessment

3. Risk Assessment & Understanding Internal Control
•Survey of control functions and procedures
•Results of the controls
•Control risk and detection risk assessment

4. Perform Compliance Tests
•Identify targeted controls
•Compliance tests on reliability, risk prevention, organization policy and procedure

5. Perform Substantive Tests
•Analytic procedures
•Detailed testing
•Other substantive testing

6. Reporting
•Audit report
•Creating recommendations

7. Follow-Up Activity

105

Type of Audit Plans

Audit Master Plan (long- or mid-term audit plan)
•Usually a 3- or 5-year plan
•Defines scope and priority based on the audit policy
•Relates the IT audits to the system development plan and schedule

Annual Audit Plan
•Defines the (separate) audits of each year, including the financial audit
•Defines the management information needed to conduct the audits, such as cost, schedule and resources

(Separate) Audit Plan
•Detailed planning for each target of an audit
•Defines the plan of testing methods and procedures, reporting and follow-up

Cases of (separate) audits
•Reviewing the security of a financial application for a large company with many branches
•Auditing IT general controls to enhance the development capability of a company
•Supervising (auditing) the development and migration of a large ERP system
•Consulting on applying SOX internal control to a company in order to be listed on the stock market

106

Example: Summary of Audit Plan

Separate small audit plan for ITAC (IT application controls)

1 Objective
The payment system is one of the important systems for the financial statements of ABC company. Evaluate the internal control of the system.

2 Scope
•Validity and reliability of automated (embedded) controls in the system
•Validity and coverage of the control functions realized by interaction between the system and human activities

3 Audit target
ABC payment system

4 Audit items
•System specification documents and operation manual
•Input form and screen design (input and search/reference)
•Data and information stored in the system

5 Audit organization
•Auditor group: xxxx, xxxx
•Auditee: Department of business management and Department of accounting

6 Audit procedure and schedule
•Preliminary survey for risk assessment (17-30 Oct. 2009)
[Method] Interview and questionnaire
[Survey item] Summary of the payment system and overview of the Dept. of business management and the Dept. of accounting
[Point] Current situation and preparation of controls
•Compliance testing (No. 1) (1-15 Nov. 2009)
[Method] Check list, interview and checking the system specification
[Audit item] Automated (embedded) controls in the system
[Point] Validity and reliability of the design of the controls
•Compliance testing (No. n)
•Substantive testing (No. 1) (1-20 Jan. 2010)
[Method] Comparison between the database and printed quotations; checking the transaction log
[Point] Testing the results of the control functions

107

General Idea of Risk Assessment (Evaluation)

Basic elements of evaluating risks
•Impact, effect
•Probability, likelihood

Very Simple Risk Evaluation Table (weighting by Impact & Probability)

Probability \ Impact   Big       Medium    Small
Often                  Fatal     Serious   Serious
Sometimes              Serious   Serious   Minor
Rare                   Serious   Minor     Minor

Other (further) assessment methods
•Weighting by dividing impact and probability into detailed factors
Impact => sensitivity of the function to executive management, materiality
Probability => extent of system or process change, complexity
•Ranking (one reason why auditors use risk assessment): the score is multiplied by a weight for business impact to produce a ranking score. Example weights of business impact: financial risk, strategic risk, operational risk and legal compliance.

108

Example: Summary of Risk Assessment Document

Columns: No. | Category | Risk | Description | Eval. | Control

Category: Covering all payment transactions
•Risk: Missing invoice by EDI. Description: an invoice sent by EDI has trouble and goes missing. Eval.: 1. Control: checking of EDI invoices by a human.
•Risk: Error transaction. Description: error transactions are not reported/detected. Eval.: 3. Control: module for listing error transactions.

Category: Correctness of payment date
•Risk: Input error. Description: mistake when keying in an invoice received by FAX. Eval.: 4. Control: cross-checking against the order transaction.

Category: No inappropriate data included
•Risk: Cancelled invoice. Description: payment made against a cancelled invoice. Eval.: 2. Control: procedure for cancellation of invoices.

Category: Security of operation (xxx, xxxx, xxxxx)

Category: Integrity of payment data (xxx, xxxx, xxxxx)

Category: No unauthorized DB modification (xxx, xxxx, xxxxx)

Contents of a risk assessment document
•A description of the risk assessment methodology used
•The identification of significant exposures and the corresponding risks
•The risks and exposures the audit is intended to address
•The audit evidence used to support the IS auditor's assessment of risk

109

General Idea: Types of Means to Treat Risk, and Types of Control

Types of means to treat risk
Avoid    Stop the activity that gives rise to the risk, because the impact of the risk is very serious.
Reduce   Appropriate internal controls reduce the impact and probability of the risk.
Transfer Other, external means such as insurance reduce the impact of the risk.
Accept   The impact of the risk is accepted, because the impact is low or the cost of countermeasures is too high.

Types of control

Preventive Control
Function: •Prevent errors from happening •Attempt to predict problems •Monitor both operations and inputs
Examples: •Segregation of duties •Programmed edit checks •Access control software •Suitable procedures for authorization

Detective Control
Function: •Find out errors and malicious acts after they have occurred
Examples: •Hash totals •Check points in production jobs •Internal audit function •Echo controls in telecommunications •Reviewing activity logs

Corrective Control
Function: •Remedy problems •Identify the cause •Enhance procedures •Minimize the impact of a threat
Examples: •Backup procedures •Rerun procedures

110

Overview of Methods and Techniques for Survey and Testing

The audit steps (Audit Planning & Gathering Information, Risk Assessment & Understanding Internal Control, Perform Compliance Tests, Perform Substantive Tests) all rely on survey and testing to obtain evidence, i.e. facts. Methods and techniques:
•Review
•Interview & observation
•Questionnaire
•Testing
•Statistical methods
•CAAT (Computer Assisted Audit Techniques)

111

Review, Interview and Observation for Gathering Data (1)

Reviewing IS organization structures
•Adequate separation and segregation of duties is a key control.
•The IS auditor should be able to review the organization structure and assess the level of control it provides.

Reviewing IS policies and procedures
•The IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that they are being followed.
•Periodic review of policies and procedures for appropriateness should be carried out.

Reviewing IS standards
•The IS auditor should understand the existing standards in place in the organization.

Reviewing information system documentation
•The IS auditor should understand the functions and controls of the system.
•Review whether development activities are following the procedures.
•Review whether enough documentation was developed and whether its integrity has been kept.

112

Review, Interview and Observation for Gathering Data (2)

Preparation of the interview
•Preparation of checklist and interview form
•Selecting appropriate interviewees

Actual function
•Observe that the person who is assigned and authorized to perform a particular function is actually the one doing the job.

Actual process and procedure
•Performing a walk-through of the process/procedure allows the IS auditor to gain evidence of compliance and to observe deviations.

Reporting relationships
•Reporting relationships should be observed to ensure assigned responsibility and adequate segregation.

Security awareness
•Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures.

Related methods
•Re-performance
•Walkthroughs

113

Examples of measures that should be considered to assess materiality

•Criticality of the business processes supported by the system or operation
•Criticality of the information databases supported by the system or operation
•Number and type of applications developed
•Number of users who use the information systems
•Number of managers and directors who work with the information systems, classified by privileges
•Criticality of the network communications supported by the system or operation
•Cost of the system or operation (hardware, software, staff, third-party services, overheads or a combination of these)
•Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
•Cost of loss of critical and vital information in terms of money and time to reproduce
•Effectiveness of countermeasures
•Number of accesses/transactions/inquiries processed per period
•Nature, timing and extent of reports prepared and files maintained
•Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)
•Service level agreement requirements and cost of potential penalties
•Penalties for failure to comply with legal, regulatory and contractual requirements
•Penalties for failure to comply with public health and safety requirements

114

Statistics for IS Audit

If the auditor detected 2 input errors in order forms during substantive testing, can the auditor conclude that the internal control is working reasonably well?

Sampling (statistical) test
•Population: all input forms
•Sample: some of the input forms

Are two errors acceptable? The answer depends on the sample size, the error rate the auditor is willing to tolerate, and the confidence level required, not on the count of errors alone.

115

Sampling

Even if the number of items in each sample is the same, there are many possible ways to select a sample from the population, and different samples give different results.

The normal distribution is commonly encountered in practice and is used throughout statistics, the natural sciences and the social sciences as a simple model for complex phenomena. For example, the observational error in an experiment is usually assumed to follow a normal distribution, and the propagation of uncertainty is computed using this assumption. In sampling, it is the known distribution of sample results around the true population value that lets the auditor state a confidence level and a precision for a conclusion drawn from the sample.

116

Factors in Selecting a Sample

Features of the population
•Size
•Distribution
•(Expected) error rate

Accuracy of the sample, defined by the auditor
•(Requested) similarity of features between population and sample = (requested) confidence coefficient (confidence level)
•Acceptable range = precision (tolerable error)

More sample items are needed when:
•the population is large (the required sample grows much more slowly than the population, so the sampling ratio falls, but the absolute size still rises),
•the expected error rate is close to the tolerable error rate (and the tolerable rate itself is small),
•the requested confidence coefficient is high,
•the requested precision is tight, i.e. the acceptable range is narrow.
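The two slides above describe sample size and acceptability only qualitatively. The following Python block is an added example, not part of the training text or of any audit standard; it implements attribute sampling with the exact binomial model (no approximation tables). `sample_size` answers "how many items must I test?" for a tolerable deviation rate, an expected deviation rate and a confidence level, and `evaluate_sample` answers the slide's question "are two errors acceptable?" by computing the upper error limit the auditor can defend at that confidence. The rates and counts used in the `__main__` section are illustrative values, not from any real audit.

```python
"""Attribute sampling: sample size and upper error limit (exact binomial).

Added example for the IS audit training text; not from the original slides.
"""
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate: float, expected_rate: float, confidence: float,
                max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were equal to the
    tolerable rate, finding no more than the expected number of deviations
    would be unlikely (probability <= 1 - confidence).  Finding that few
    deviations in the sample then supports the conclusion, at the given
    confidence, that the population rate is below the tolerable rate."""
    alpha = 1 - confidence
    for n in range(1, max_n + 1):
        expected_deviations = ceil(expected_rate * n)
        if binom_cdf(expected_deviations, n, tolerable_rate) <= alpha:
            return n
    raise ValueError("expected rate too close to the tolerable rate")


def upper_error_limit(n: int, deviations: int, confidence: float,
                      step: float = 0.001) -> float:
    """Smallest population deviation rate p (on a grid of width `step`) for
    which observing <= `deviations` in n items has probability
    <= 1 - confidence.  Rates above p are rejected at that confidence, so p
    is the highest rate the auditor must still allow for."""
    alpha = 1 - confidence
    for i in range(1, int(round(1 / step))):
        p = i * step
        if binom_cdf(deviations, n, p) <= alpha:
            return round(p, 6)
    return 1.0


def evaluate_sample(n: int, deviations: int, tolerable_rate: float,
                    confidence: float) -> dict:
    """The control can be relied on only if the upper error limit does not
    exceed the tolerable rate."""
    limit = upper_error_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "upper_error_limit": limit,
        "tolerable_rate": tolerable_rate,
        "control_effective": limit <= tolerable_rate,
    }


if __name__ == "__main__":
    # Planning: 5% tolerable, 0% expected, 95% confidence
    print("sample size (0% expected):", sample_size(0.05, 0.0, 0.95))
    print("sample size (1% expected):", sample_size(0.05, 0.01, 0.95))
    # The slide's question: two errors found. Acceptable at 5% tolerable?
    print(evaluate_sample(100, 2, 0.05, 0.95))   # 100-item sample
    print(evaluate_sample(200, 2, 0.05, 0.95))   # 200-item sample
```

The point the example makes concrete: two errors in a sample of 100 leave an upper error limit above 6% at 95% confidence, so a 5% tolerable rate is not met and the control cannot be relied on; the same two errors in a sample of 200 give an upper limit near 3% and the control passes. The 59- and 93-item sample sizes produced for 0% and 1% expected deviation rates match the familiar published attribute-sampling tables.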

117

Type of Sampling (1)

Method of selection
Statistical sampling
•(See the previous slide.) An objective method to determine sample size and selection criteria.
Non-statistical sampling
•Judgmental sampling: the auditor designs the sample based on importance and risk.

Target data
Attribute sampling
•Deals with the presence or absence of an attribute
•Mainly applied in compliance testing
Variable sampling
•Deals with population characteristics that vary, e.g. dollar amounts and weights
•Provides conclusions about the variable
•Mainly applied in substantive testing

118

Type of Sampling (2)

Attribute sampling
•Attribute sampling (frequency-estimating sampling): provides conclusions expressed as rates of incidence.
•Stop-or-go sampling: the auditor can stop early or extend the sample as results come in, so that an appropriate conclusion is reached with the minimum number of items.
•Discovery sampling: used when the expected occurrence rate is extremely low; the purpose is detecting at least one occurrence (e.g. fraud).

Variable sampling
•Unstratified mean per unit: a sample mean is calculated and projected as the estimated total.
•Stratified mean per unit: the population is divided into groups (strata); a sample mean is calculated for each group and projected as that group's estimated total.
•Difference estimation: the model is used to estimate the total difference between audited values and unaudited (book) values.

119

Computer-Assisted Audit Techniques (CAAT)

What are CAAT and GAS? The following are well-known GAS (Generalized Audit Software) products:
•ACL: Audit Command Language, ACL Services Ltd., http://www.acl.com/
•IDEA: Interactive Data Extraction and Analysis, CaseWare International, http://www.caseware.com/
(Go to both websites.)

Types of CAAT
•GAS: ACL, IDEA
•General office tools: MS-ACCESS, MS-EXCEL
•Developed software: tentative audit utilities, tentative audit modules, online audit systems

120

Advantages of CAAT

•Reduced level of audit risk
•Greater independence from the auditee
•Broader and more consistent audit coverage
•Faster availability of information
•Improved exception identification
•Greater flexibility of run times
•Greater opportunity to quantify internal control weaknesses
•Enhanced sampling
•Cost savings in the long term

121

Overview of the Functions of GAS

Each audited system (System A, System B, ...) follows Input -> Processing -> Output and holds business data, transaction data, log files and master data. GAS reads those files from the audited systems and produces audit data and test data. Functions:
•Extract and check log files
•Extract and sample data
•Compare and calculate
•Generate test data
•Make reports and statistical analyses
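What a GAS run actually looks like is easier to see in code. The following Python block is an added example, not part of the training text and not ACL or IDEA code; it performs the "extract, compare, calculate and sample" functions listed above against the risks of the payment-system example used earlier in this chapter (missing EDI invoices, payments against cancelled invoices, input errors caught by cross-checking the order, duplicate payments) and draws an interval sample for substantive testing. All records, field names and table layouts are constructed for the example.

```python
"""CAAT-style checks over payment data.  Added example, not from the
training text; the records and layouts below are constructed."""
from collections import Counter

# Constructed data (assumed layouts).
EDI_LOG = [  # invoice ids received by the EDI gateway
    {"invoice_id": "INV-1001"}, {"invoice_id": "INV-1002"},
    {"invoice_id": "INV-1003"}, {"invoice_id": "INV-1004"},
]
INVOICES = {  # invoice master: id -> order, amount, status
    "INV-1001": {"order_id": "PO-501", "amount": 1200.00, "status": "open"},
    "INV-1002": {"order_id": "PO-502", "amount": 350.00, "status": "cancelled"},
    "INV-1004": {"order_id": "PO-504", "amount": 980.00, "status": "open"},
    "INV-1005": {"order_id": "PO-505", "amount": 75.00, "status": "open"},  # keyed from FAX
}
ORDERS = {  # purchase orders: id -> approved amount
    "PO-501": 1200.00, "PO-502": 350.00, "PO-504": 980.00, "PO-505": 57.00,
}
PAYMENTS = [  # payment transactions
    {"pay_id": "P-1", "invoice_id": "INV-1001", "amount": 1200.00},
    {"pay_id": "P-2", "invoice_id": "INV-1002", "amount": 350.00},  # cancelled invoice
    {"pay_id": "P-3", "invoice_id": "INV-1004", "amount": 980.00},
    {"pay_id": "P-4", "invoice_id": "INV-1004", "amount": 980.00},  # duplicate
    {"pay_id": "P-5", "invoice_id": "INV-1005", "amount": 75.00},   # 57 keyed as 75
]


def missing_edi_invoices(edi_log, invoices):
    """Risk 'missing invoice by EDI': received by the gateway, absent from the master."""
    return sorted(r["invoice_id"] for r in edi_log if r["invoice_id"] not in invoices)


def payments_to_cancelled(payments, invoices):
    """Risk 'payment to cancelled invoice'."""
    return [p["pay_id"] for p in payments
            if invoices.get(p["invoice_id"], {}).get("status") == "cancelled"]


def duplicate_payments(payments):
    """The same invoice paid more than once."""
    counts = Counter(p["invoice_id"] for p in payments)
    return sorted(inv for inv, n in counts.items() if n > 1)


def order_mismatches(invoices, orders, tolerance=0.005):
    """Risk 'input error': invoice amount does not match the approved order."""
    out = []
    for inv_id, inv in invoices.items():
        po_amount = orders.get(inv["order_id"])
        if po_amount is None or abs(po_amount - inv["amount"]) > tolerance:
            out.append((inv_id, inv["amount"], po_amount))
    return out


def systematic_sample(records, size, start=0):
    """Interval (systematic) selection: every k-th record from a start offset."""
    if size <= 0 or not records:
        return []
    interval = max(1, len(records) // size)
    return [records[i] for i in range(start % interval, len(records), interval)][:size]


def run_checks():
    """Run every check and return the findings as audit evidence."""
    return {
        "missing_edi": missing_edi_invoices(EDI_LOG, INVOICES),
        "paid_cancelled": payments_to_cancelled(PAYMENTS, INVOICES),
        "duplicates": duplicate_payments(PAYMENTS),
        "order_mismatch": order_mismatches(INVOICES, ORDERS),
        "sample": [p["pay_id"] for p in systematic_sample(PAYMENTS, 2)],
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Each function corresponds to one row of the risk assessment document: the output of `run_checks` is exactly the "data extraction by CAAT" evidence listed later under Types of Evidence, and the sample it draws is what the substantive test in the audit plan compares against printed quotations and the transaction log. In a real engagement the dictionaries would be replaced by read-only extracts of the production tables, as the CAAT considerations slide requires.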

122

CAAT Considerations for Installation and Usage

•Ease of use, both for existing and future audit staff
•Training requirements
•Complexity of coding and maintenance
•Flexibility of uses
•Installation requirements
•Processing efficiencies
•Effort required to bring source data into the CAAT
•Documentation well referenced to the audit program
•Clearly identified audit procedures and objectives
•Request read-only access to production data
•Data manipulation should be done on copies of production files in a controlled environment
•Reliability of the software
•Confidentiality of the data being processed

123

Type of Evidence

Two primary types
•Direct evidence: establishes the existence of a fact without inference or presumption.
•Indirect (circumstantial) evidence: supports a claim only by inference; a hypothesis built without direct evidence.

Examples of evidence
•Business evidence, including business records of transactions, receipts, invoices and logs
•Data extraction, which mines details from data files by CAAT
•Auditee claims, oral or in written documents
•Analysis of plans, policies, procedures and workflows
•Results of compliance and substantive tests
•The auditor's observations

124

Evidence Grading (what good evidence is)

Criterion: Poor / Good / Excellent
•Material relevance: Unrelated / Indirect / Direct
•Objectivity: Subjective / Requires a few supporting facts to explain its meaning / Needs no explanation
•Evidence source: Unrelated third party with no evidence / Indirect involvement by a second party / Direct involvement by the first party
•Competency of provider: Biased / Unbiased / Unbiased and independent
•Evidence analysis method: Novice / Experienced / Expert
•Resulting trustworthiness: Low / Medium / High

125

Content of Reporting

Introduction
•Audit objectives
•Limitations of the audit and its scope
•Period of audit coverage
•General statement on the nature and extent of the audit process

Overall conclusion and opinion
•Adequacy of the controls and/or procedures examined
•The actual and potential risks identified

Detailed and important audit findings and recommendations
•Whether the controls and procedures examined are adequate or inadequate
•Specific findings from the viewpoint of both the audit committee and the organization
•Recommendations for adding and/or modifying controls, procedures and organization

A variety of findings
•All the findings and recommendations; some are important, others are trivial.

126

Example Report: Summary of RCM (Risk and Control Matrix)

Columns: No. | Type | Risk | Control and Procedure | Audit Procedure (evidence examined) | Result & Comment

Type: Covering all payment transactions
•Risk: Missing invoice by EDI
Control: e-mail notification when an EDI invoice has trouble, and a function to make the list of those e-mails
Audit procedure: program specification, procedure, log files, working record
Result: Good. Reviewing the list is not defined in the procedure.
•Risk: Error transaction
Control: function for handling error transactions
Audit procedure: program specification, error transaction log, invoices
Result: Excellent. Works well.
Control: regulation for correcting error transactions
Audit procedure: procedure, working record for correcting errors
Result: Good. A more detailed correction method is needed.

Type: Correctness of payment date
•Risk: Input error
Control: appropriate editing (checking function)
Audit procedure: program specification, record of input errors, observation of input activities
Result: Good. Some fields need more checking functions.
Control: appropriate (printed) input form
Audit procedure: checking the input form, record of input errors, observation of input activities
Result: Fair. Customers sometimes make mistakes.
Control: cross-checking against the order transaction
Audit procedure: procedure, program specification
Result: None (very poor).

127

Presenting and Communicating Audit Results

Considerations for presentation to executives
•Make it understandable for executives: they usually do not know IT technology, so do not use technical terms.
•Findings and recommendations should be made from the viewpoint of the business.

Considerations for communication
•Communicate with the management of the audited entity first, if possible.
•Gain agreement and develop a course of corrective action.
•Communicate to top management and the audit committee.
•The audit committee provides an independent route for reporting sensitive information.
•The auditor is normally NOT expected to implement the recommendations.

128

Continuous Audit Approach

• To improve audit efficiency by making greater use of automated tools

• Collect evidence on system reliability while normal processing takes place

• Monitor operations on continuous basis

• Gather selective audit evidence; if not serious, action later

• Cut down needless paperwork

• May report directly through computer on findings

• Especially useful when no paper audit trail

• No disruption to daily operations

• Time lag between misuse and detection is reduced

• Enhance confidence in system’s reliability


129

Control Self-Assessment (CSA)

•Management and/or work teams are directly involved in checking the effectiveness of existing controls.
•The IS auditor acts as control expert and assessment facilitator.
•Simple questionnaires; facilitated workshops.
•Objectives:
– Enhance audit responsibilities
– Educate line management in control responsibility and monitoring
– Concentrate on areas of high risk

130

Chapter 3. Domain 4:

IT Service Delivery and Support

131

Overview of Tasks for Domain 4

•4.1 Evaluate service-level management practices to ensure that the level of service from internal and external service providers is defined and managed.
•4.2 Evaluate operations management to ensure that IT support functions effectively meet business needs.
•4.3 Evaluate data administration practices to ensure the integrity and optimization of databases.
•4.4 Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives.
•4.5 Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.
•4.6 Evaluate problem and incident management practices to ensure that incidents, problems and errors are recorded, analyzed and resolved in a timely manner.
•4.7 Evaluate the functionality of the IT infrastructure (e.g., network components, hardware and system software) to ensure that it supports the organization's objectives.

132

Overview of Skill and Knowledge for Domain 4

•4.1 Knowledge of service-level management practices
•4.2 Knowledge of operations management best practices (e.g., workload scheduling, network services management and preventive maintenance)
•4.3 Knowledge of system performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports and load balancing)
•4.4 Knowledge of the functionality of hardware and network components (e.g., routers, switches, firewalls and peripherals)
•4.5 Knowledge of database administration practices
•4.6 Knowledge of the functionality of system software including operating systems, utilities and database management systems
•4.7 Knowledge of capacity planning and monitoring techniques
•4.8 Knowledge of processes for managing scheduled and emergency changes to the production systems and/or infrastructure, including change, configuration, release and patch management practices
•4.9 Knowledge of incident/problem management practices (e.g., help desk, escalation procedures and tracking)
•4.10 Knowledge of software licensing and inventory practices
•4.11 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single points of failure and clustering)

133

IS Audit Small Quiz No.4

Domain 4 IT Service Delivery and Support

Service Level Agreement, IT service support and delivery, DB, Network, System operation, H/W and S/W


Quiz book

134

IT Controls: ITCLC, ITGC and ITAC

IT controls are layered across the company:

ITCLC: IT Company Level Controls (over the whole company)
•IT governance/policy •IT risk management •Training •Quality assurance •IT internal audit

ITGC: IT General Controls (over the IT infrastructure: network, servers, PCs, ...; and over development and operation)
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITAC: IT Application Controls (within each application system, e.g. accounting system, sales system, ...), ensuring that processing is complete and accurate
•Input data controls •Process controls •Output controls

135

Understanding Operation of the Infrastructure

Problems of current IT systems and operation
•IT systems became the core of business and social activities and, at the same time, became bigger and more complicated.
•The cost of IT is not clear; sometimes investment in IT development and operation does not meet user needs.

ITIL (Information Technology Infrastructure Library) is a collection of good practices, knowledge and skills for the operation of IT infrastructure, and aims to realize:
•Stable and high-quality operation of the IT infrastructure
•A clear indicator of ROI (Return on Investment) for IT operation

Note: the quality of development is usually addressed by CMMI and other standards.

136

Overview of ITIL Ver. 3.0

•Service Strategy: link IT service strategies to customer value
•Service Design: design services to satisfy business objectives
•Service Transition: implement service designs; service knowledge management system; refinement of the change, configuration and release processes
•Service Operation: deliver and manage services; refinement of the incident and problem management processes; event and access management
•Continual Service Improvement: never-ending review for opportunities

137

Process of ITIL (1)

Lifecycle stage: processes and functions

Service Strategy
•Financial Management
•Service Portfolio Management
•Demand Management

Service Design
•Service Catalogue Management
•Service Level Management
•Capacity Management
•Availability Management
•IT Service Continuity Management
•Information Security Management
•Supplier Management

Service Transition
•Transition Planning and Support
•Change Management
•Service Asset and Configuration Management
•Release and Deployment Management
•Service Validation and Testing
•Evaluation
•Knowledge Management

138

Process of ITIL (2)

Lifecycle stage: processes and functions

Service Operation
Processes:
•Event Management
•Incident Management
•Request Fulfilment
•Problem Management
•Access Management
Activities: monitoring and control, IT operations
Functions:
•Service Desk
•Technical Management
•IT Operations Management
•Applications Management

Continual Service Improvement
•Improvement Process (the 7-step process)
•Service Reporting

139

Service Level Agreement

A service level agreement (frequently abbreviated as SLA) is the part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service) or performance. As an example, internet service providers commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain-language terms (typically the SLA will in this case have a technical definition in terms of MTTF, MTTR, various data rates, etc.).

Example: Hardware Performance Metrics in an SLA

Metric                             Unit
Availability                       Time (hours) or percent
Maximum down-time (hardware)       Hours or percent
Failure frequency (hardware)       Number
Response time (hardware)           Duration in minutes
Periods of operation               Time
Service times                      Time
Accessibility in case of problems  Yes/no
Backup                             Time
Processor time                     Seconds
Instructions per second            Number per second
Number of workstations             Number
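The metrics in the table above are what an auditor is asked to verify against the provider's periodic SLA report (task 4.1). The following Python block is an added example, not part of the training text or of any SLA tool: it recomputes availability, total down-time, failure frequency, MTBF and MTTR for a reporting month from a constructed outage log (clipping outages to the reporting period) and lists which targets of an assumed SLA are breached. The outage times and SLA thresholds are constructed for the example.

```python
"""Recompute SLA metrics from an outage log and compare with the targets.
Added example, not from the training text; log and targets are constructed."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed outage records for one reporting month: (start, end).
OUTAGES = [
    ("2010-10-03 02:10", "2010-10-03 02:55"),
    ("2010-10-14 09:00", "2010-10-14 13:30"),
    ("2010-10-27 22:05", "2010-10-27 22:25"),
]

# Assumed SLA targets (not from any real contract).
SLA = {
    "availability_pct": 99.5,
    "max_downtime_hours": 4.0,
    "max_failures": 3,
    "max_mttr_hours": 2.0,
}


def sla_metrics(outages, period_start, period_end):
    """Availability, down-time, failure count, MTBF and MTTR for the period."""
    start = datetime.strptime(period_start, FMT)
    end = datetime.strptime(period_end, FMT)
    period_s = (end - start).total_seconds()
    downtime_s = 0.0
    failures = 0
    for s, e in outages:
        s_dt = max(datetime.strptime(s, FMT), start)   # clip to the period
        e_dt = min(datetime.strptime(e, FMT), end)
        if e_dt > s_dt:
            downtime_s += (e_dt - s_dt).total_seconds()
            failures += 1
    uptime_s = period_s - downtime_s
    return {
        "availability_pct": round(100 * uptime_s / period_s, 3),
        "downtime_hours": round(downtime_s / 3600, 2),
        "failures": failures,
        "mtbf_hours": round(uptime_s / 3600 / failures, 1) if failures else None,
        "mttr_hours": round(downtime_s / 3600 / failures, 2) if failures else None,
    }


def sla_breaches(metrics, sla):
    """Names of the SLA targets the measured metrics do not meet."""
    breaches = []
    if metrics["availability_pct"] < sla["availability_pct"]:
        breaches.append("availability")
    if metrics["downtime_hours"] > sla["max_downtime_hours"]:
        breaches.append("downtime")
    if metrics["failures"] > sla["max_failures"]:
        breaches.append("failures")
    if metrics["mttr_hours"] is not None and metrics["mttr_hours"] > sla["max_mttr_hours"]:
        breaches.append("mttr")
    return breaches


if __name__ == "__main__":
    m = sla_metrics(OUTAGES, "2010-10-01 00:00", "2010-11-01 00:00")
    print(m)
    print("breaches:", sla_breaches(m, SLA))
```

The auditor's interest is the difference between this recomputation and the figures in the provider's report: an outage that straddles the period boundary, or one that was logged but never counted, changes the availability percentage even when MTTR looks fine, as the constructed month shows (availability and down-time breached, MTTR and failure count within target).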

140

Example: Strategy for Reforming IT Operation

Target phases, described by organization, roles, culture, skills, training and metrics:

Phase 1
•Organization: aligned by technology
•Roles: technology specialists
•Culture: hero-oriented
•Skills: job titles in place
•Training: limited, technical
•Metrics: FTE (M/M), basic record of work

Phase 2
•Organization: hierarchical organization, team system
•Roles: service roles emerge
•Culture: looking at best practices
•Skills: job levels (skill standard) defined
•Training: technology by job level
•Metrics: basic QA, basic record and monitoring

Phase 3
•Organization: process/service-centric
•Roles: process roles well defined
•Culture: working on best practices
•Skills: employee skills tracked
•Training: formal training, job rotations
•Metrics: ordinary SLA, data for proactive management

Phase 4
•Organization: process-cycle based
•Roles: process manager and owner roles well defined
•Culture: best practices effectively used
•Skills: managed skills portfolio
•Training: lifelong training including management
•Metrics: detailed SLA, data related to the business

FTE: Full Time Equivalent, QA: Quality Assurance, SLA: Service Level Agreement

141

Management and Tools for IT Operation

Management process: network monitoring tools / Service Desk (ITIL) support tools / other tools
•Incident Management: X (detect) / X (manage) / -
•Problem Management: X (detect) / X (manage) / -
•Service Level Management: X (measure) / - / Excel
•Capacity Management: X (measure) / - / Excel
•Configuration Management: X (monitor) / X (manage) / -
•Change Management: - / X (manage) / -
•Finance Management: - / - / Excel
•Skill Management: - / - / Excel or Access
•Knowledge Management: - / X (manage) / Word, Excel
•Evaluation and Report: X (data) / X (data/report) / Word, Excel

142

Sample: System for IT Support (Medium and Small Class)

Center
•Central Service Desk and NOC
•Service Desk Management System (history of events and incidents; needs and requests) supporting incident management (troubleshooting)
•Staff Skill / Capacity Management System supporting capacity development of ICT staff
•Traffic/QoS Monitoring System and Trouble Detecting System (information on traffic/QoS)
•Configuration Management System (information on configuration)
•Knowledge Management System (knowledge DB, work procedures as documents)
•Service Catalog / Service Level Management System (SC/SL DB)

Remote sites
•Local Service Desk / remote NOC
•Traffic/QoS Monitoring System and Trouble Detecting System, feeding the center
•Capacity development of local ICT staff

143

Conceptual Model of CMS (Change Management System)

144

Tools for IT Operation
•Service Desk Plus: http://www.manageengine.com/products/service-desk/index.html
(Go to the website.)

145

Workflow of Change Management for Approval

Why is change management important? More than 50% of incidents, and more than 90% of the incidents that affect the business, are caused by changes.

Actors: User, Change Manager, CAB (Change Advisory Board), Configuration Manager, Programmer/Operator.

Flow:
1. The user inputs an RFC (Request For Change).
2. The Change Manager reviews the RFC and assigns an initial priority and type; an RFC may be rejected here, and the RFC record is updated.
3. By type:
•Urgent: the urgent change procedure is followed.
•Trivial: approval and planning are done directly by the Change Manager.
•Serious: the CAB performs an impact assessment and discusses the change, then decides priority and schedule.
4. Approval: if not approved, the decision is reported back to the user and the RFC updated; if approved, the change procedure is planned.
5. The programmer/operator carries out the change procedure.
6. The Configuration Manager updates the RFC and the configuration records after implementation.

146

Viewpoint of IS Audit (Operation: Change Management)

Testing
•Before the change, is the new module or program tested according to the appropriate regulation and approved by management?

Procedure (change procedure)
•Is an appropriate RFC (Request for Change) format established, and is the change request handled through the authorized process?
•Do personnel follow the change regulations?
•Is the change history recorded?
•Is the management that decides on changes defined?
•If possible, is an automated change function developed?

Exceptions and failures
•Is an urgent (emergency) change procedure established?
•When a changed module/program does not work well, is a recovery (back-out) method established?
•Do controls detect unauthorized changes?
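The last question above, whether controls detect unauthorized changes, is the one an auditor can test directly with data rather than by interview. The following Python block is an added example, not part of the training text or of any product: it reconciles a constructed production change log against a constructed RFC register and reports changes with no RFC, changes whose RFC was not approved or covers a different configuration item, changes made outside the approved window, changes implemented by the same person who approved them (a segregation-of-duties failure), and urgent changes that never received a retrospective CAB review. The record layouts, names and the `cab_review` field are assumptions made for the example.

```python
"""Detective control for unauthorized changes: reconcile the production
change log with the RFC register.  Added example, not from the training
text; layouts and values are constructed."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed RFC register (assumed layout; 'cab_review' is set only when
# an urgent change has been reviewed by the CAB afterwards).
RFCS = {
    "RFC-101": {"ci": "payment-app", "status": "approved", "approver": "cab",
                "window": ("2010-10-10 22:00", "2010-10-10 23:59"), "type": "normal"},
    "RFC-102": {"ci": "db-server-1", "status": "rejected", "approver": "cab",
                "window": ("2010-10-12 01:00", "2010-10-12 03:00"), "type": "normal"},
    "RFC-103": {"ci": "firewall-edge", "status": "approved", "approver": "ops.lee",
                "window": ("2010-10-15 08:00", "2010-10-15 09:00"), "type": "urgent"},
}

# Constructed production change log (assumed layout).
CHANGE_LOG = [
    {"time": "2010-10-10 22:30", "ci": "payment-app", "rfc": "RFC-101", "actor": "dev.kim"},
    {"time": "2010-10-12 02:00", "ci": "db-server-1", "rfc": "RFC-102", "actor": "dba.ota"},
    {"time": "2010-10-15 08:20", "ci": "firewall-edge", "rfc": "RFC-103", "actor": "ops.lee"},
    {"time": "2010-10-18 14:05", "ci": "payment-app", "rfc": None, "actor": "dev.kim"},
    {"time": "2010-10-11 00:30", "ci": "payment-app", "rfc": "RFC-101", "actor": "dev.kim"},
]


def reconcile_changes(change_log, rfcs):
    """Return (time, ci, finding) for every change that is not fully authorized."""
    findings = []
    for entry in change_log:
        when = datetime.strptime(entry["time"], FMT)
        rfc_id = entry["rfc"]
        if rfc_id is None or rfc_id not in rfcs:
            findings.append((entry["time"], entry["ci"], "no RFC recorded"))
            continue
        rfc = rfcs[rfc_id]
        if rfc["status"] != "approved":
            findings.append((entry["time"], entry["ci"],
                             f"{rfc_id} not approved ({rfc['status']})"))
        if rfc["ci"] != entry["ci"]:
            findings.append((entry["time"], entry["ci"],
                             f"{rfc_id} approved for {rfc['ci']}, not {entry['ci']}"))
        w_start, w_end = (datetime.strptime(t, FMT) for t in rfc["window"])
        if not (w_start <= when <= w_end):
            findings.append((entry["time"], entry["ci"], f"outside window of {rfc_id}"))
        if rfc["approver"] == entry["actor"]:
            findings.append((entry["time"], entry["ci"],
                             f"{rfc_id} approved and implemented by {entry['actor']}"))
        if rfc["type"] == "urgent" and rfc.get("cab_review") is None:
            findings.append((entry["time"], entry["ci"],
                             f"urgent {rfc_id} lacks retrospective CAB review"))
    return sorted(findings)


def findings_by_ci(findings):
    """Count findings per configuration item, for the audit report."""
    counts = {}
    for _, ci, _ in findings:
        counts[ci] = counts.get(ci, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile_changes(CHANGE_LOG, RFCS):
        print(f)
    print(findings_by_ci(reconcile_changes(CHANGE_LOG, RFCS)))
```

Run on a real environment the change log would come from the system itself (package manager history, deployment tool logs, configuration management database diffs), never from the change tickets, since the control being tested is precisely whether every real change has a ticket. The same reconciliation run on a schedule is the continuous-audit approach described earlier in this chapter.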

147

Overview of Incident/Problem Management and the Service Desk

Risk factors (remaining bugs, operation errors, crime, system breakage) appear and/or occur and lead to failures and troubles. Users report them to the Service Desk, and a monitoring system detects risk factors or symptoms.

Incident Management: to restore normal service operation as quickly as possible and to minimize the impact on business operations. Requests are handled by 1st-level staff at the Service Desk and escalated to 2nd-level staff when necessary.

Problem Management: to get rid of the factor behind the risk or failure, i.e. to resolve the root cause that made, or will make, a failure.

148

Viewpoint of IS Audit (Incident & Problem Management)

Regulation and procedure
•Does the organization have an appropriate procedure to resolve problems, especially an escalation route?
•Are the tasks and functions for recording events, incidents and problems developed?

Situation of incident/problem management
•Do problems exist during processing?
•Were problems resolved in a timely manner, and was the resolution complete and reasonable?
•Are all problems identified for verification and resolution?

Help desk (Service Desk)
•Does the help desk have appropriate staff?
•Is there an SLA for the help desk?
•Is there appropriate supporting software for the help desk?
•Does the help desk have appropriate regulations and procedures, especially an escalation route, to resolve problems?
•Does the help desk keep appropriate support and working records?

149

Overview of Capacity Management

Reactive activities
•Monitoring and measuring
•Responding and reacting to capacity-related events (incidents)

Proactive activities
•Predicting future requirements and trends
•Budgeting, planning and implementing upgrades
•Seeking ways to improve service performance
•Optimizing the performance of a service

150

Viewpoint of IS Audit (Hardware)

Planning
•Is the plan aligned with business requirements?
•Is the plan synchronized with the IS plans?
•Have criteria for the acquisition of hardware been developed, and are they appropriate?
•Does the new hardware suit the current IT environment?

Acquisition
•Is the acquisition in line with the hardware acquisition plan?
•Are procurements and procurement documents based on appropriate procedures and regulations?
•Are procurement processes approved by appropriate management?

Operation & maintenance
•Is scheduling adequate to meet workload schedules and user requirements?
•Is scheduling flexible enough to accommodate required hardware and preventive maintenance?
•Is maintenance done during off-peak workload periods?
•Is the maintenance the vendors recommend carried out?

Monitoring & incident/problem management
•Have IS management staff reviewed malfunctions, abnormal system terminations and operator actions?
•Is continuous review of hardware and system software performance and capacity performed?
•Is monitoring adequate in the case of equipment failure?
•Is monitoring based on logs, maintenance history and adequate information?

151

Overview of Middleware

Middleware is computer software that connects software components, or people and their applications. It usually sits between the OS and application software.

Message-oriented middleware
•Message-oriented middleware is middleware in which transactions or event notifications are delivered between disparate systems or components by way of messages, often via an enterprise messaging system.

Enterprise messaging system
•An enterprise messaging system is a type of middleware that facilitates message passing between disparate systems or components in standard formats, often using XML, SOAP or web services.

Transaction processing monitors
•Provide tools and an environment to develop and deploy distributed applications.

Application servers
•Software installed on a computer to facilitate the serving (running) of other applications.

SQL-oriented data access
•SQL-oriented data access is middleware between applications and database servers.


152

Viewpoint of IS audit (OS and System software)

Category Target Description

Planning & Acquisition

Planning
•Is the plan aligned with the objectives of the business?
•Does it meet the requirements?
•Does it include IS controls?
•Does it comply with short- and long-range IS plans?

Feasibility study and Acquisition process

•Are the proposed system objectives and purpose consistent with the request?
•Has the cost-benefit analysis of the system software procedures been addressed?

Operation& Incident management

Security and Control

•Have procedures been established to restrict the ability to circumvent logical access controls?
•Have procedures been implemented to manage software updates?
•Are controls adequate for change, authorization, security, audit testing, ….?
•Is the master console secure?

Operation and documentations

•Have all appropriate levels of software been implemented?
•Is the necessary documentation present, such as access violations, change management, parameters, active logs and reports ….?
•Is the latest version installed, and has it been tested?

153

Basic Key word of Network

•LAN/WAN
•DNS, DHCP, Web server, FTP and mail server
•IPv4, IPv6, port number, global IP address
•ISO architecture, NIC
•TCP/IP, UDP
•HTTP, ARP, SNMP
•NAT, RADIUS
•SSL, Applet, CGI, .Net, PHP, Java, Cookie
•Wireless IEEE 802.11a/b/g, WiMAX IEEE 802.16, ubiquitous computing
•WPA (Wi-Fi Protected Access), WAP (Wireless Application Protocol)
•LDAP, H.32x, VOD, streaming
•QoS
•VPN, SSH, DMZ, proxy, firewall, security hole
•Intrusion Detection System (IDS), Intrusion Prevention System (IPS)
•URL, search engine, SEO
•Router, switch, hub, modem, ATM, FR
•Optical fiber, ADSL, FDDI, Ethernet
•SNS, blog
•ISP
•Cloud computing, SaaS


154

Tools for Network Monitoring

Go to both websites.


Type | Category | Purpose | Example (Recommendation)
Snapshot (operated manually) | Commands for network management | Detecting trouble | ping, tracert, netstat
Snapshot (operated manually) | Network analyzer | Detecting trouble / measuring traffic (packets) | Sniffer, Wireshark, ASTEC Eyes
Daily tool (operates automatically) | Traffic monitor | Measuring traffic | MRTG
Daily tool (operates automatically) | SNMP manager | Configuration management / detecting trouble | NET-SNMP
Daily tool (operates automatically) | Server monitoring | Detecting trouble | Nagios

155

Viewpoint of IS audit (Network Infrastructure & implementation)


Category Target Description

Physical environment

Physical security for the facility

•Are network devices located in a secure facility with access restricted to the network administrator?
•Are the keys for entering the network facility secured?
•Is the wiring physically secured?

Server facility
•Is the server environment well controlled (temperature, humidity and static electricity guards)?
•Are there appropriate and sufficient measures against fire?
•Are there appropriate and sufficient devices for power failures?

Logical access control to network devices

Access and Password

•Are there appropriate regulations for managing passwords?
•Are network access change requests authorized by the appropriate manager using standard forms?
•Are users assigned unique passwords?

Report and monitoring

•Are all login processes recorded in log files?
•Is there a function that can detect unauthorized log-ins?
•Are security reports reviewed adequately and in a timely manner?

156

DB Normalization

First Normal Form (1NF)
•Eliminate duplicative columns from the same table.
•Create separate tables for each group of related data and identify each row with a unique column or set of columns (the primary key).

Second Normal Form (2NF)
•Remove subsets of data that apply to multiple rows of a table and place them in separate tables.
•Create relationships between these new tables and their predecessors through the use of foreign keys.

Third Normal Form (3NF)
•Remove columns that are not dependent upon the primary key.


Order form:
Date: 10th Oct. 2010
Customer name: UP company
Customer No.: 4650

Item Code Category Name Unit Price Qty

1090 201 Device Mouse xx 50 10

2053 204 Parts IC 7xxxx 5 100

3459 201 Device LAN cable 3 30
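As an added example (not part of the training text), the following Python splits the order form above into tables that satisfy 1NF, 2NF and 3NF and then checks the foreign-key relations an auditor looks for ("Are all relations represented through foreign keys?"). The flat input rows and the 2010-10-10 date format are constructed from the form.

```python
"""Normalizing the sample order form into 1NF / 2NF / 3NF tables (added example)."""

# Constructed flat (unnormalized) rows: one row per order line, with the
# order header repeated on every line and the category name repeated for
# every item of that category. This is what a spreadsheet export of the
# order form looks like before normalization.
FLAT_ROWS = [
    {"order_date": "2010-10-10", "customer_no": 4650, "customer_name": "UP company",
     "item_code": 1090, "category_code": 201, "category_name": "Device",
     "item_name": "Mouse xx", "unit_price": 50, "qty": 10},
    {"order_date": "2010-10-10", "customer_no": 4650, "customer_name": "UP company",
     "item_code": 2053, "category_code": 204, "category_name": "Parts",
     "item_name": "IC 7xxxx", "unit_price": 5, "qty": 100},
    {"order_date": "2010-10-10", "customer_no": 4650, "customer_name": "UP company",
     "item_code": 3459, "category_code": 201, "category_name": "Device",
     "item_name": "LAN cable", "unit_price": 3, "qty": 30},
]


def normalize(rows):
    """Split flat order rows into tables keyed by their primary keys.

    1NF: every cell is atomic and each order line is its own row with the
         composite key (customer_no, order_date, item_code).
    2NF: attributes depending on only part of that key move out:
         customer_name depends on customer_no alone  -> customers table;
         item_name, unit_price, category_code depend on item_code -> items.
    3NF: category_name depends on category_code (a non-key attribute of
         items), not on item_code -> categories table.
    """
    customers, categories, items, orders, order_lines = {}, {}, {}, {}, []
    for r in rows:
        customers[r["customer_no"]] = {"customer_name": r["customer_name"]}
        categories[r["category_code"]] = {"category_name": r["category_name"]}
        items[r["item_code"]] = {"item_name": r["item_name"],
                                 "unit_price": r["unit_price"],
                                 "category_code": r["category_code"]}
        order_key = (r["customer_no"], r["order_date"])
        orders[order_key] = {"customer_no": r["customer_no"],
                             "order_date": r["order_date"]}
        order_lines.append({"customer_no": r["customer_no"],
                            "order_date": r["order_date"],
                            "item_code": r["item_code"], "qty": r["qty"]})
    return {"customers": customers, "categories": categories, "items": items,
            "orders": orders, "order_lines": order_lines}


def check_integrity(db):
    """Return foreign-key violations (an empty list when the tables are consistent)."""
    problems = []
    for line in db["order_lines"]:
        if line["item_code"] not in db["items"]:
            problems.append(f"order line refers to unknown item {line['item_code']}")
        if (line["customer_no"], line["order_date"]) not in db["orders"]:
            problems.append("order line refers to unknown order")
    for code, item in db["items"].items():
        if item["category_code"] not in db["categories"]:
            problems.append(f"item {code} refers to unknown category {item['category_code']}")
    for order in db["orders"].values():
        if order["customer_no"] not in db["customers"]:
            problems.append(f"order refers to unknown customer {order['customer_no']}")
    return problems


def order_total(db, customer_no, order_date):
    """Join order lines back to items to compute the value of one order."""
    return sum(db["items"][line["item_code"]]["unit_price"] * line["qty"]
               for line in db["order_lines"]
               if (line["customer_no"], line["order_date"]) == (customer_no, order_date))


if __name__ == "__main__":
    db = normalize(FLAT_ROWS)
    for name, table in db.items():
        print(name, table)
    print("integrity problems:", check_integrity(db))
    print("order total:", order_total(db, 4650, "2010-10-10"))
```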

157

Viewpoint of IS audit (Data Base)

Category Target Description

Design Logical Schema

•Do all entities in the entity diagram exist?
•Are all relations represented through foreign keys?
•Are constraints specified clearly?

Physical Schema

•Has the allocation of initial and extension space been done according to the requirements?
•Are indexes present?
•If the DB is not normalized, is the justification acceptable?
•Is data redundancy minimized by the DBMS?

Design and Operation

Reliability and integrity

•Are there adequate change procedures to ensure the integrity of the DB management software?
•Is the integrity of the DBMS's data directory maintained?
•Are the integrity and confidentiality of data unaffected by data import and export procedures?

Operation •Do backup and disaster recovery procedures exist?

Operation and Security

Security
•Are the security levels of users and their roles appropriate and secure?
•Is access to shared data appropriate?

158

Tasks of operation staff

•Executing and monitoring scheduled jobs
•Facilitating timely backups
•Monitoring unauthorized access and use of sensitive data
•Monitoring and reviewing the extent of adherence to IT operation procedures as established by IS and business management
•Participating in tests of disaster recovery plans
•Monitoring the performance, capacity, availability and failure of information resources
•Facilitating troubleshooting and incident handling


159

Viewpoint of IS audit (Operation)


Category Target Description

Regulation and Control


•Are documented instructions adequate for peripherals, start-up and shutdown, troubleshooting and the records to be retained?
•Have controls been put in place to ensure the accuracy and efficiency of operations?
•Is there appropriate supervision or a supervisory function?
•Are controls over input appropriate and sufficient?

Environment
•Is the online library facility located away from the computer room?
•Do all storage media have appropriate labels?

Operation
•Have procedures been established to control the storage media?
•Are these procedures being followed?
•Are the automated operation software and the manual contingency procedures documented and tested?
•Are all errors of the automated software notified to the operator?

Security
•Is access to files and the documentation library restricted to operators?
•Is access to programs for correcting programs and data restricted?
•Are responsibilities for operating the computer and other devices limited?

160

Chapter 4. Domain 6:

Business Continuity and Disaster Recovery


161

Overview of Tasks for Domain 6

•6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
•6.2 Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
•6.3 Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.


162

Overview of skill and knowledge for Domain 6

•6.1 Knowledge of data backup, storage, maintenance, retention and restoration processes and practices
•6.2 Knowledge of regulatory, legal, contractual and insurance issues related to business continuity and disaster recovery
•6.3 Knowledge of business impact analysis (BIA)
•6.4 Knowledge of the development and maintenance of the business continuity and disaster recovery plans
•6.5 Knowledge of business continuity and disaster recovery testing approaches and methods
•6.6 Knowledge of human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning and response teams)
•6.7 Knowledge of processes used to invoke the business continuity and disaster recovery plans
•6.8 Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites and cold sites)

163

IS Audit Small Quiz No.5

Domain 6 Business Continuity and Disaster Recovery

Backup/Recovery, Availability, Continuity, Disaster Recovery Planning, Business Continuity Planning


Quiz book

164

IT controls: ITCLC, ITGC and ITAC

ITCLC: IT Company Level Control (covers the whole company)
•IT governance/policy
•IT risk management
•Training
•Quality assurance
•IT internal audit

ITGC: IT general controls (IT infrastructure such as network, servers and PCs; development and operation)
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITAC: IT Application Control (application systems such as the accounting system, sales system, …; complete and accurate processing)
•Input data control
•Process control
•Output control

165

Process of ITIL (1)

Cycle | Processes and Functions
Service Strategy | Financial Management; Service Portfolio Management; Demand Management
Service Design | Service Catalog Management; Service Level Management; Capacity Management; Availability Management; Service Continuity Management; Information Security Management; Supplier Management
Service Transition | Transition Planning and Support; Change Management; Service Asset and Configuration Management; Release and Configuration Management; Service Validation and Testing; Evaluation; Knowledge Management

166

Overview of Disaster Recovery Plan (DRP)

(Diagram: the headquarters and data center send backups over a backup network to the recovery site; after a disaster, processing is restored at the recovery site.)

167

Type of Disaster and Threats

Natural
•Flood and other water-based incidents
•Earthquakes
•Hurricanes, tornadoes, monsoons
•Thunder, hail and ice storms
•Lightning and electrical storms
•Snow and winter storms
•Volcanic eruptions, ash fallout
•Large natural fires and smoke residues

Man-made
•Political
•Fires
•Flood due to equipment, pipes, sprinklers etc.
•Epidemics
•Explosions
•Hazardous / toxic material spills, contamination, access denial

168

Overview of BCP: Business Continuity Plan

BCP: Business Continuity Plan
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.

BCP vs. DRP
•The Business Continuity Plan (BCP) tells us what essential resources are needed to continue business operations.
•The Disaster Recovery Plan (DRP) tells us how to bring back those essential resources. The purpose of the DRP is to carry out the BCP.


169

Flow of BCP / DRP

Planning

Risk Assessment & Business Impact Analysis

Developing Plan Strategies & Developing The Plan

Plan Testing & Maintenance

Awareness & Training

170

Flow of BCP / DRP: Planning

•Define BCP vs. DRP for clear understanding by all.
•Identify project sponsors and leadership. Define objectives, policies, critical success factors and scope. Identify legal and regulatory requirements.
•Define standard terms and assumptions.
•Develop a project plan and budget: hard costs and soft costs such as equipment, personnel resources, facilities, etc.

171

Flow of BCP / DRP: Risk Assessment & Business Impact Analysis


•Process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost of such controls.
•Identify the following:
– Risk: exposure to loss, injury, danger; potential for loss (qualitative or quantitative).
– Threats: events that can cause a risk to become an actual loss (natural or man-made).
– Vulnerabilities: exposure to an event that can cause actual loss.

Quantitative risk:
– Assigns a value to the risk.
– Identifies the cost of a particular effect, incident or phenomenon.
– Can be stated as an ALE (Annualized Loss Exposure or Expectancy).

Qualitative risk:
– Intangible effects caused by a particular incident.
– Descriptive; usually relates a cause with an effect.

172

Type of Risk to be considered


Type of risk | Examples
Compliance | Contractual; Regulatory; Service Level Agreements
Financial | Lost/Deferred Revenue; Opportunity; Shareholder Equity
Operational | People; Production; Supply Chain
Strategic | Market Share; Partnerships; Reputation
Technical | Cyber crime; E-Business; Infrastructure Failure

Critical assets
– People;
– Buildings and facilities;
– Computer equipment (PCs, servers, mainframes, etc.);
– Telecom equipment (PBXs);
– Communication equipment (routers, switches, CSU / DSU etc.);
– Inventory and materials;
– Production and plant equipment;
– Critical data;
– Critical computer applications;
– Operating systems and databases;
– Environmental (power, HVAC, physical security); and
– Internal and external customers and users.

173

Type of Recovery Site

Recovery site | Recovery time | Cost | Infrastructure | Equipment | Data | Operators
Redundant (mirror) | Seconds | Double | Yes (same) | Yes (same) | Same (real-time) | Same
Hot site | Hours | Very high | Yes | Yes | Restore | Transfer
Warm site | Days | High | Yes | No | Restore | Transfer
Cold site | Weeks | Low | No | No | Restore | Transfer
Mobile site | 8+ hours to days | High | Need | Yes | Restore | Transfer

174

RTO and RPO

RTO: the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

RPO: the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation.


(Timeline figure: the axis runs from -1 day to +1 day around the disaster at T = 0. RPO is measured backwards from T = 0 to the last usable backup; RTO is measured forwards from T = 0 to the point where service is restored. Backup methods are placed along the RPO side: tape backup, disk backup, real-time transaction backup.)

175

Design of new Controls for BCP / DRP


Current controls
•Physical controls
– Fire suppression / sprinkler systems
– Access control systems
– Security guards
•Procedural controls
– Hiring and termination policies
– Clean desk policy
– Document receipting
•Logical controls
– Data storage protection
– Protection afforded to assets by their location in relation to the threat

Evaluate the effectiveness
•Deter the threat
•Lessen the loss
•Ability to deter or reduce risks

Improve the effectiveness of controls:
•Implementing layers of protection where possible
•Training
•Documentation
•Enforcement

176

Insurance for business including DRP


Insurance covers the following:
•IS equipment and facilities
•Media (software) reconstruction
•Extra expense: based on the availability and cost of the backup facility and its operation
•Business interruption
•Errors and omissions: legal liability protection for financial loss to clients
•Fidelity coverage: covering loss from dishonest or fraudulent acts by employees
•Media transportation

177

Organization for BCP/DRP after a disaster

Teams
•Incident response team
•Emergency action team (for first actions, such as against fire)
•Information security team
•Damage assessment team
•Emergency management team
•Offsite storage team
•Software team
•Application team
•Emergency operation team
•Network recovery team (for the information system)
•Communication team
•Transportation team
•User hardware team
•Data preparation and records team
•Administrative support team
•Supplies team
•Salvage team (management of moving to a recovery site)
•Relocation team (management of moving from a recovery site)
•Coordination team (for all sites (branches) and the recovery site)
•Legal affairs team
•Recovery test team
•Training team

178

Flow of of BCP / DRP: Developing Plan Strategies & Developing The Plan


Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objectives, while maintaining the organization's critical functions.

Identify requirements for DRP and BCP strategies
•Review business recovery issues from the BIA
•Review technology recovery issues for each support area
•Review non-technology issues for each support area

Identify off-site storage requirements and alternative facilities

Identify viable recovery strategies within business functional areas:
•Service degradation
•Internal recovery (reciprocal agreement)
•Commercial recovery center such as a hot site or warm site

Consolidating strategies across the enterprise
•Coordination of technology recovery
•Enterprise-level crisis management
•Enterprise-level media handling
•Centralized strategy for interfacing with local

179

RAID: Redundant Array of Independent Disks


Level | Description | Minimum # of disks | Space efficiency | Fault tolerance | Read benefit | Write benefit
RAID 0 | Block-level striping without parity or mirroring | 2 | 1 | 0 (none) | nX | nX
RAID 1 | Mirroring without parity or striping | 2 | 1/n | n-1 disks | nX | 1X
RAID 5 | Block-level striping with distributed parity | 3 | 1 - 1/n | 1 disk | (n-1)X | variable

180

Backup schemes

Full + incremental
•A full + incremental repository aims to make it more feasible to store several copies of the source data. At first, a full backup (of all files) is made. After that, any number of incremental backups can be made. There are many different types of incremental backups, but they all attempt to back up only a small amount of data (when compared to the size of a full backup). An incremental backup copies everything that changed after the last backup (full, differential or incremental).

Differential backup
•A differential backup copies files that have been created or changed since the last full backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of full and differential backups, restoring files and folders requires that you have the last full backup as well as the last differential backup.

Day of modification (F = full backup, D = differential backup, I = incremental backup)

Full + differential:
File | Day1 | Day2 | Day3 | Day4 | Day5
File1 | F | D | D | D | D
File2 | F | - | - | D | D
File3 | F | - | D | D | D
File4 | F | - | - | - | D

Full + incremental:
File | Day1 | Day2 | Day3 | Day4 | Day5
File1 | F | I | I | - | -
File2 | F | - | - | I | -
File3 | F | - | I | - | -
File4 | F | - | - | - | I
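An added Python example (not from the training text) that simulates both schemes on the four files above, reproduces the two tables, and works out which backup sets a restore needs and whether replaying them actually rebuilds the data. The modification days are constructed to match the tables (File1 changed on days 2 and 3, File3 on day 3, File2 on day 4, File4 on day 5, with the full backup on day 1).

```python
"""Simulate full + differential and full + incremental backup schemes (added example)."""

FILES = ["File1", "File2", "File3", "File4"]
# Constructed: file -> days on which it was changed after the day-1 full backup
MODIFIED_ON = {"File1": {2, 3}, "File2": {4}, "File3": {3}, "File4": {5}}
DAYS = range(1, 6)  # day 1 = full backup, days 2..5 = partial backups
FULL_DAY = 1


def backup_sets(scheme, modified_on=MODIFIED_ON, days=DAYS, full_day=FULL_DAY):
    """Return {day: (kind, frozenset(files copied))} for one scheme.

    'differential': each partial backup copies everything changed since the
                    last FULL backup (the archive attribute is not cleared).
    'incremental':  each partial backup copies everything changed since the
                    last backup of ANY kind (the archive attribute is cleared).
    A change made on day d is assumed to be captured by the backup run on day d.
    """
    if scheme not in ("differential", "incremental"):
        raise ValueError(f"unknown scheme {scheme!r}")
    sets, last_backup_day = {}, None
    for day in days:
        if day == full_day:
            sets[day] = ("F", frozenset(modified_on))  # a full backup copies every file
        else:
            since = full_day if scheme == "differential" else last_backup_day
            copied = {f for f, ds in modified_on.items() if any(since < d <= day for d in ds)}
            sets[day] = ("D" if scheme == "differential" else "I", frozenset(copied))
        last_backup_day = day
    return sets


def render_table(sets, files=FILES):
    """Render the per-file table shown on the slide, one line per file."""
    return [f"{f} " + " ".join(kind if f in copied else "-" for kind, copied in sets.values())
            for f in files]


def restore_chain(sets, restore_day):
    """Backup sets (by day) to apply, in order, to rebuild the data as of restore_day."""
    days = sorted(d for d in sets if d <= restore_day)
    last_full = max(d for d in days if sets[d][0] == "F")
    partials = [d for d in days if d > last_full]
    if not partials:
        return [last_full]
    if sets[partials[-1]][0] == "D":
        return [last_full, partials[-1]]  # last full + latest differential only
    return [last_full] + partials          # last full + every incremental since it


def rebuild(sets, chain, modified_on=MODIFIED_ON, full_day=FULL_DAY):
    """Replay the chain and return {file: day of the newest change the restore holds}."""
    state = {}
    for day in chain:
        for f in sets[day][1]:
            # the copy taken on `day` holds the file as of its latest change up to that day
            state[f] = max([d for d in modified_on[f] if d <= day], default=full_day)
    return state


def expected_state(restore_day, modified_on=MODIFIED_ON, full_day=FULL_DAY):
    """Ground truth: what the data looked like at the end of restore_day."""
    return {f: max([d for d in ds if d <= restore_day], default=full_day)
            for f, ds in modified_on.items()}


def copied_volume(sets):
    """Total number of file copies taken over the period (a proxy for backup size)."""
    return sum(len(copied) for _, copied in sets.values())


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        sets = backup_sets(scheme)
        print(scheme, "copies:", copied_volume(sets))
        print("\n".join(render_table(sets)))
        chain = restore_chain(sets, 4)
        print("restore day 4 needs", chain, "->", rebuild(sets, chain) == expected_state(4))
```

The differential scheme copies more each day but a restore needs only two sets; the incremental scheme copies less but a restore needs every set since the full backup, and skipping one silently loses changes.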

181

Network Disaster Recovery Methods


Methods for redundancy
•Secondary LAN cable
•Providing multiple paths between routers
•Dynamic routing protocols such as OSPF
•Providing failover devices to avoid a single point of failure
•Alternative routing, including dial-up, cellular phone and microwave
•Diverse routing
•Long-haul network diversity
•Voice recovery

182

Flow of of BCP / DRP: Developing Plan Strategies & Developing The Plan


Detail Plan (1/2)

Content | Detail content
Plan scope and objective | Definition of standard terms; selecting the appropriate methodology; scope of the project itself
Business Recovery Organization (BRO) and responsibilities | BCP planning coordinator; disaster recovery teams; business continuity management teams
Major plan components | Reduction; response; recovery and resumption
Escalation, notification and plan activation | Disaster declaration procedures; mobilization procedures; damage assessment concepts; recovery site activation
Vital records and off-site storage program | What goes off-site; inventory of what is off-site; how you get it back

183

Flow of of BCP / DRP: Developing Plan Strategies & Developing The Plan


Detail Plan (2/2)

Content | Detail content
Salvage and reclamation procedures | Document the extent of damage, items destroyed and items recoverable; arrange for removal of recoverable items
Restoration planning | Preparation of the new facility; preparations for moving into the new facility; plans for cutting over from the temporary site to the new facility
Provisions for testing and maintenance of the plan | Procedures for periodic and routine updates of the plan; procedures for periodic and routine testing of the plan or plan components

184

Flow of BCP / DRP: Plan Testing & Maintenance

A program to periodically and methodically test all major components of the plan to ensure that they are functioning as designed.
•Allow for periodic testing of major plan components at least semi-annually.
•Identify scope, goals and objectives for each individual test.
•Provide for an independent audit of test performance.
•Provide for a post-mortem / report of test results, communicated to the appropriate management levels.
•Provide a feedback mechanism into the plan maintenance process.
•Provide for the allocation of adequate resources.

185

Flow of BCP / DRP: Awareness & Training

A program to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the plan.

Methods and media for awareness and training
•Videos / films;
•Newsletters;
•Posters;
•Promotional items;
•Brown-bag lunch meetings; and
•Budget and resources must be allocated.

186

Overview of IS audit viewpoints for DRP/BCP

(Diagram: the headquarters and data center send backups over a backup network to the recovery site, where processing is restored after a disaster. The audit viewpoints marked on the diagram are the BIA (Business Impact Assessment), the DRP/BCP document, the emergency team, movement and recovering, and offsite storage.)

187

Offsite Storage


Classification Description

Operating procedures | Application run books, job stream control instructions, operating system manuals
System and program documentation | Design documents, program code listings, error conditions and user manuals
Special procedures | Any procedures or instructions that are out of the ordinary
Input source documents and output documents | Duplicate copies of reports and summaries required for auditing, performance of vital work, satisfaction of legal requirements or expediting insurance claims
BCP | A copy of the latest version

188

Viewpoint of IS audit (Overview of DRP and BCP)

Category Description

Plan
•Reviewing the business continuity strategy and its connection to business objectives
•Reviewing the BIA (Business Impact Assessment) to ensure that it reflects current business priorities and current controls
•Ensuring that a process for maintaining the plans is in place and that the plans are reviewed and modified in a timely manner
•Verifying whether the BCP supports the overall business continuity strategy
•Evaluating the BCP to determine its adequacy and currency based on the BIA, including RTO and RPO
•Reviewing the identification, priorities and planned support of critical applications; determining whether all critical applications have been identified
•Determining whether the secondary site has the correct versions of all system software

Method & means

•Evaluating offsite storage
•Verifying the treatment of backup media, including transportation
•Evaluating whether the business continuity manual and procedures are written in a simple, easy-to-understand way

Testing
•Verifying that the BCP is effective by reviewing the results of tests

Organization

•Evaluating the ability of personnel to respond effectively in an emergency situation by reviewing emergency procedures, records of training and results of testing
•Reviewing the list of business continuity personnel, emergency sites and vendors, and checking addresses and phone numbers by sampling
•Interviewing assigned personnel to confirm their understanding of their responsibilities in case of an interruption

189

Viewpoint of IS audit (Detail of DRP and BCP)


Category Description

Procedure & method

•Identifying whether re-entered transactions are appropriate
•Determining whether all recovery/continuity procedures are documented and the teams have them
•Determining whether the plan adequately addresses movement to the recovery site and recovery from the recovery site
•Determining whether the items necessary for reconstructing the information processing facility are stored offsite
•Does the plan include a procedure for merging master data into pre-disaster data?

Physical preparation

•Where is the backup facility site?
•Are regular and systematic backups being taken?
•Is the telecommunication backup working well?

190

Chapter 5. Domain 5:

Protection of Information Assets


191

Overview of Tasks for Domain 5

•5.1 Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
•5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
•5.3 Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
•5.4 Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
•5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.


192

Overview of skill and knowledge for Domain 5 (1)

•5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis and privacy impact assessment)
•5.2 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus and profiles)
•5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies and identity management)
•5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service and spamming)
•5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures and emergency incident response teams)
•5.6 Knowledge of network and Internet security devices, protocols and techniques (e.g., SSL, SET, VPN and NAT)
•5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation and maintenance
•5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
•5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities and registration authorities) and digital signature techniques

193

Overview of skill and knowledge for Domain 5 (2)

•5.10 Knowledge of virus detection tools and control techniques
•5.11 Knowledge of security testing and assessment tools (e.g., penetration testing and vulnerability scanning)
•5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems and water sensors)
•5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks and tokens)
•5.14 Knowledge of data classification schemes (e.g., public, confidential, private and sensitive data)
•5.15 Knowledge of voice communications security (e.g., voice over IP)
•5.16 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
•5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices and Bluetooth devices)

194

IS Audit Small Quiz No.6

Domain 5 Protection of Information Assets


Quiz book

195

IT controls: ITCLC, ITGC and ITAC

ITCLC: IT Company Level Control (covers the whole company)
•IT governance/policy
•IT risk management
•Training
•Quality assurance
•IT internal audit

ITGC: IT general controls (IT infrastructure such as network, servers and PCs; development and operation)
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITAC: IT Application Control (application systems such as the accounting system, sales system, …; complete and accurate processing)
•Input data control
•Process control
•Output control

196

What is “Protection of Information Assets”

Information assets
•All elements of information that share a common usage, purpose, associated risk and/or form of storage.
•Something that is considered of worth to the organization.

Protection of information assets
•Protect against loss of nuclear sensitive/classified information,
•Protect against the theft of material (both physical and information),
•Protect against terrorist action,
•Ensure nuclear safety,
•Ensure business continuity,
•Minimize business risk


197

Overview of threats to Information Assets

(Diagram: an e-commerce system and its e-commerce DB, used by customers and operators at ABC Company and 123 Company, with a criminal as the threat agent. Threats shown: obtaining a password by interview, cracking, scavenging, spoofing, virus, malice, intrusion, eavesdropping, and lightning and fire.)

198

3+3 atomic elements of Information Security

Element | Description | Example
Confidentiality | Ensuring that unauthorized people, resources or processes cannot access information | Access control; password; cryptography
Integrity | Protection of information from intentional or accidental unauthorized changes | Digital signature
Availability | Assurance that information is available whenever needed | Redundancy of network; RAID
Accountability | Ensuring that actions can be explained and attributed by means of recorded logs or signatures | Access log
Authenticity | Ensuring that the data, transactions, communications or documents (electronic or physical) are genuine | Digital signature; password
Reliability | Ensuring that systems and processes work well | Redundancy of network; RAID; load monitoring

199

Concept of Protection of Information Assets (Attackers)

(Diagram of the relationships between owners, attackers, assets, threats, vulnerabilities, risks and countermeasures.) Owners value assets and wish to minimize the risk to them, so they impose countermeasures to reduce that risk. Countermeasures may possess vulnerabilities, which attackers may be aware of. Attackers wish to abuse and/or may damage the assets; they give rise to threats that exploit vulnerabilities, leading to risks to the assets. Vulnerabilities increase the risks, and risks may be reduced by countermeasures.

200

Type of computer crimes

A. Source of attack: the computer is the object of the crime (attackers often use another computer to launch the attack).
   Target of attack: the target may or may not be defined; attackers launch the attack with no specific target in mind.
   Example: distributed DoS; virus; spam

B. Source of attack: the computer is the object of the crime (attackers often use another computer to launch the attack).
   Target of attack: a specific, identified computer.
   Example: denial of service (DoS); hacking

D. Source of attack: the computer is the tool of the crime; the attacker uses a computer, but the target is not the computer.
   Target of attack: data or information stored on a computer or transmitted on a network.
   Example: fraud; unauthorized access; phishing; key logger

E. Source of attack: the computer symbolizes the crime; the attacker lures the user of the computer to obtain confidential information.
   Target of attack: the user of the computer.
   Example: social engineering (fake website, spam, spoofing)

F. Source of attack: the computer symbolizes the crime; the attacker obtains physical information assets directly.
   Target of attack: physical information assets.
   Example: piggybacking; scavenging

201

Overview: Common attack methods and techniques

Target of attack | Methods
B: Attackers launch the attack with no specific target in mind | Virus; worm; interrupt attack; e-mail bombing; flooding; distributed DoS; spam; botnets
A: A specific, identified computer | Network analysis; port scan; password cracking; message modification; race condition; man-in-the-middle attack; packet replay; masquerading; buffer overflow; alteration attack; malicious code; cracking; denial of service (DoS); SQL injection
D: Data or information stored on a computer or transmitted on a network | Key logger; war driving; spyware; cross-site scripting; e-mail spoofing; eavesdropping; hacking; remote maintenance; salami
E: The user of the computer | Social engineering; spoofing; fake website; phishing
F: Physical information assets | Scavenging; piggybacking

Computer Security Institute/FBI and Ernst & Young say nearly 50% of all network attacks come from the inside

202

Security control concept (1)

Access control: the ability to permit or deny the use of resources by a particular entity; the ability to allow only authorized users, programs or processes to access a system or resource.

Authentication ("Who goes there?"): restrictions on who (or what) can access the system; verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources.

Authorization ("Are you allowed to do that?"): restrictions on the actions of authenticated users; the right or permission granted to a system entity to access a system resource.

Security control concept (2)

Need-to-know: having access only to the information required to carry out one's work; access to sensitive assets is limited to those who have the necessary need to know and the appropriate security clearance.

Defense in depth: places multiple barriers between an attacker and your assets; the deeper an attacker tries to go, the more layers they need to get through undetected.

Least privilege and least functionality: the minimum level of access to an asset needed to carry out work effectively; only a minimal set of users have root access, and users are given only the minimum set of functions they need.
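The three concepts above (authentication, then authorization, with need-to-know and least privilege) fit together in a small access-control routine. The following is an added example written for this text, not code from the course material or from any real product. The users, roles, passwords and permission table are constructed for illustration; a real system would store them in a directory or database, and would issue a per-user random salt exactly as done here.

```python
# Added example (not from the training text): authenticate, then authorize,
# with deny-by-default and least privilege.
import hashlib
import hmac
import os


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password, role):
    salt = os.urandom(16)            # unique salt per user
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed sample directory (hypothetical names, roles and passwords).
USERS = {
    "alice": make_user("Correct-Horse-42", "accountant"),
    "bob": make_user("hunter2", "operator"),
}
_DUMMY_SALT = os.urandom(16)          # used only to equalize timing for unknown users

# Role -> permitted (resource, action) pairs. Anything not listed is denied,
# which is how need-to-know and least privilege are expressed in code.
PERMISSIONS = {
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "operator": {("ledger", "read"), ("backup", "run")},
}


def authenticate(username, password):
    """Who goes there? Verify identity with a constant-time comparison."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)   # same cost as a real lookup
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])


def authorize(username, resource, action):
    """Are you allowed to do that? Only an explicit grant for this exact pair passes."""
    user = USERS.get(username)
    if user is None:
        return False
    return (resource, action) in PERMISSIONS.get(user["role"], frozenset())


def request_access(username, password, resource, action):
    """Authentication is a prerequisite; authorization is a separate decision."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "Correct-Horse-42", "ledger", "write"))   # granted
    print(request_access("bob", "hunter2", "ledger", "write"))              # denied: not authorized
    print(request_access("bob", "wrong", "backup", "run"))                  # denied: authentication failed
```

The point an auditor checks for is the order and the default: a user who fails authentication never reaches the authorization step, and a valid user gets nothing that the permission table does not explicitly grant.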

General idea: types of risk treatment

Means of control / Example of control

Avoid: disconnect from the network, stop the service.
Reduce: backup site, duplex system, monitoring.
Transfer: insurance, hosting.
Accept: enhancement of customer support (handle the consequences if the risk materializes).

Type of control / Example of control

Preventive control: firewall, DMZ, antivirus software, IPS (Intrusion Prevention System).
Detective control: logs, IDS (Intrusion Detection System), network monitoring.
Corrective control: backup, alternate device, recovery procedure.
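Logs are only a detective control if somebody, or something, reads them. The following is an added example written for this text (not part of the course material) of the kind of rule an IDS or log monitor applies: it parses constructed, syslog-style SSH authentication lines and flags a source that produces a burst of failed logins, and, worse, a success right after such a burst, which is the signature of the "password cracking" method listed earlier. The log lines, host names and addresses are made up for the example.

```python
# Added example (not from the training text): a detective control over
# constructed authentication log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
2010-10-04T09:00:01 sshd[812]: Failed password for root from 203.0.113.7 port 50122 ssh2
2010-10-04T09:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 50123 ssh2
2010-10-04T09:00:04 sshd[812]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2010-10-04T09:00:06 sshd[812]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2010-10-04T09:00:07 sshd[812]: Failed password for oracle from 203.0.113.7 port 50126 ssh2
2010-10-04T09:00:09 sshd[812]: Accepted password for oracle from 203.0.113.7 port 50127 ssh2
2010-10-04T09:05:00 sshd[830]: Failed password for alice from 192.0.2.10 port 41000 ssh2
2010-10-04T09:05:30 sshd[831]: Accepted password for alice from 192.0.2.10 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Return (timestamp, result, user, source) tuples; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: `threshold` failures from one source within `window`
    is a burst; a successful login while the window is still hot is escalated,
    because the attacker may have found a valid password."""
    failures = defaultdict(list)     # source -> timestamps of recent failures
    findings = {}
    for ts, result, user, src in parse(log_text):
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold:
                findings[src] = {"kind": "burst", "failures": len(recent)}
        elif len(recent) >= threshold:
            findings[src] = {"kind": "success_after_failures",
                             "failures": len(recent), "user": user}
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```

A single failed login followed by a success (the second source above) is normal user behaviour and produces no finding; the rule keys on volume within a window, and the window and threshold are the parameters an auditor should see documented and tuned.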

Technical measures of security

Columns: P/D/C = Preventive/Detective/Corrective control; C/I/A = Confidentiality/Integrity/Availability. An X marks the control types and properties each method addresses.

Type / Method / P D C / C I A

Network fortress: Firewall X x x x
Network fortress: IPS (Intrusion Prevention System) X x x x
Network fortress: IDS (Intrusion Detection System) X x x x
Network fortress: DMZ X x x x
Encryption: PKI / X.509 X X
Encryption: VPN (Virtual Private Network) / IPsec X X
Encryption: SSL X X X
General signature: Digital signature X X
General signature: Hash function X X x X
Encryption: DES/AES X x X
Authentication: Biometrics X X
Authentication: Token device X X
Authentication: One-time password X X
Test: Vulnerability testing (e.g. SATAN) X x x x
Test: Penetration testing X x x x
Mail: Spam filter X X x x x
Mail: S/MIME X X X
PC: Antivirus software X X X x x x
PC: Personal firewall X X x x x
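The table lists hash functions, digital signatures and encryption as integrity controls without saying what separates them. The following is an added example written for this text, not code from the course material: it shows, on a constructed payment record, that a plain hash detects accidental corruption but is "preventive" against nothing, because an attacker who can modify the message (the "message modification" attack listed earlier) can simply recompute the hash, whereas a keyed MAC (HMAC) cannot be recomputed without the key. A digital signature gives the same integrity property with a public/private key pair, which the standard library does not provide, so HMAC stands in for it here.

```python
# Added example (not from the training text): integrity with a plain hash
# versus a keyed MAC, on a constructed transfer record.
import hashlib
import hmac
import secrets


def file_digest(data):
    """Unkeyed SHA-256; anyone can compute it, including the attacker."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, digest):
    return hmac.compare_digest(file_digest(data), digest)


def mac(key, data):
    """Keyed HMAC-SHA256; computing it requires the shared secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, tag):
    return hmac.compare_digest(mac(key, data), tag)


def scenario():
    """Sender and verifier share `key`; the attacker sits in the middle."""
    key = secrets.token_bytes(32)
    original = b"TRANSFER;from=ACC-1001;to=ACC-2002;amount=100.00"
    tampered = original.replace(b"amount=100.00", b"amount=9100.00")

    return {
        # Accidental corruption: the stored hash no longer matches. Detected.
        "hash_detects_accidental": not verify_digest(tampered, file_digest(original)),
        # Deliberate modification: the attacker recomputes the hash. Not detected.
        "hash_fooled_when_attacker_recomputes": verify_digest(tampered, file_digest(tampered)),
        # Attacker forges a tag with a guessed key. Rejected.
        "hmac_rejects_forged_tag": not verify_mac(key, tampered, mac(b"guess", tampered)),
        # Attacker reuses the genuine tag on a modified message. Rejected.
        "hmac_rejects_modified_message": not verify_mac(key, tampered, mac(key, original)),
        # Untouched message with its genuine tag. Accepted.
        "hmac_accepts_original": verify_mac(key, original, mac(key, original)),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(("OK  " if ok else "FAIL"), name)
```

Every entry of the returned dictionary is True, which is the whole argument: to claim "integrity" in the preventive column, the checksum must involve a secret (a MAC key or a signing key) that the attacker does not hold; an unkeyed hash only belongs in the detective column for accidental damage.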

Information Security Cycle

Identification of important information: information security relies on the identification of the information assets that are of worth to the organization and need to be secured.

Risk management: assessment of the risks associated with protecting that information.

Security plan: the overall specification of all security precautions, procedures and systems implemented at a facility to protect material, personnel, information assets, etc. In short, the plan for implementing our controls.

Implementation: security plan and supporting procedures, clearly defined roles and responsibilities, training, awareness and culture, incident response procedures.

Follow-up measures: security tends to degrade during the operational phase of the life cycle; regular audits, assessments, tests and inspections provide a means of preventing the degradation of security operations.

Security Audit

Evaluation of the information security status of all assets: identify assets; identify vulnerabilities; identify threats; determine likelihood; determine consequences; identify security controls; mitigate risk.

Security assessment areas cover: security policy; organizational security; asset classification and control; personnel security; physical and environmental security; communications and operations management; access control; system development and maintenance; business continuity management; compliance; other.

Security tends to degrade during the operational phase of the system life cycle: once it is in place it tends to be forgotten. A security audit may be a one-time or a regular evaluation of security and controls, may examine an entire system or a single anomalous event, and checks conformity to the requirements of relevant legislation, regulations or management.

Group roles and responsibility for security management

Executive manager; IS security steering committee; security advisory group; CPO (Chief Privacy Officer); CISO (Chief Information Security Officer); process owners; information asset owners; data owners; users; related third parties; security administrator; security specialist; IT developer; IS auditor.

Key elements of information security management

Element / Description

Senior management: commitment and support from senior management are essential to the success of information security management.

Policy and procedure: the policy framework should be established, including standards to develop a minimum security baseline, measurement criteria and methods, and specific guidelines, practices and procedures.

Organization: responsibility for the protection of individual assets should be clearly defined.

Security awareness and education: all employees and third-party users should receive appropriate training and updates on security awareness and on compliance with written security policies and procedures.

Monitoring and compliance: IS auditors are usually charged with assessing, on a regular basis, the effectiveness of the security program.

Incident handling and response: because a security incident is an event that adversely affects computer processing or use, the organization should take appropriate measures to reduce the impact of an incident when it happens.

Security baseline recommendation

Item / Objective / Recommendation (example)

Inventory for physical control: establish and maintain an inventory. Users are expected to follow standards for connecting to the network and registering network addresses.

Antivirus: install antivirus software with automatic updating. The antivirus signature database should be updated every day.

Passwords: recognize the importance of passwords. The IT department should provide password guidance.

Patching: make it automated. Each machine should be configured to patch automatically.

Minimizing services offered by infrastructure: eliminate unnecessary services to reduce security risk. To improve basic security and minimize the effort needed to maintain systems, workstations should offer only the services (software) that are needed.

Addressing vulnerabilities: eliminate many vulnerabilities through good system administration. Information from enterprise-wide scans helps to identify the vulnerabilities on each system.

Backups: allow easy recovery from user mistakes and hardware failure. Backups should be kept offsite to reduce the risk of loss.

Summary: Basic Security Evaluation Checklist (1)

Topics / Points

Assets/inventory: What types of data does the company maintain? Is there any confidential information, and how is it kept? Are there any specific requirements for handling data?

Environment: What kinds of ICT devices does the company have? Is there a wireless network, and how is it secured? Is there an appropriate network map for security purposes? What kinds of OS does the company use? How is remote network access handled? How are software licenses managed? How is configuration management of hardware and software done? Are there physical security measures for entering the IT room?

Anti-virus: Does the company have an anti-virus policy? Do all workstations and servers have anti-virus software? Does the antivirus software update its virus database automatically? Does each member of staff know what to do when he/she finds a virus?

Password: Does the company have a policy on the use of passwords? Does the company conduct training? Is there any software to detect weak passwords? Do staff know that they must not share passwords?

Summary: Basic Security Evaluation Checklist (2)

Topics / Points

Patch: Do all devices update automatically, and how often? Is there an environment for testing new patches? Is a backup taken before a new patch is applied?

Minimizing services: Has the company identified the necessary services? Do IT staff review how services are minimized? Are there means to prevent new installations by unauthorized personnel?

Vulnerabilities: Is vulnerability testing done? After testing, does the company take measures against the vulnerabilities found? If someone finds a vulnerability, who provides support next? Are there a firewall and an IDS in the network?

Backup and recovery: Is backup done regularly? Is the backup kept in a secure area? Are there appropriate procedures for backup and recovery? Is the backup adequate to recover the business in case of disaster? Do IT staff have experience of recovery, or of testing recovery?

General idea of network security

Proactive endpoint security: define and deploy a baseline security policy; provides instant desktop firewall protection; blocks all unsolicited traffic to/from the PC; uses stealth techniques to make PCs invisible to attackers; controls how, when and which resources PCs can access on the network; enables very granular least-privilege access to network resources; safeguards PCs with intrusion prevention without rule writing; blocks traffic containing malicious code; stops execution of any malware it detects on the PC.

Outbound threat protection: creates an inventory of applications that attempt network access; allows network access only to the required applications; restricts network access by unrecognized programs; prevents malicious code from compromising enterprise data; protects approved programs against spoofing, tampering and hijacking.

Host intrusion prevention: blocks buffer overflow and other attacks on PC applications and the OS; protects hosts against intrusion attempts and unauthorized access; screens all network traffic at the application layer for malicious code; requires little administrative effort to defend enterprise PCs.

Vulnerability Assessment & Penetration Testing

Vulnerability assessment: the overall network infrastructure is assessed to determine any exploitable vulnerability; sophisticated tools are used to identify potential security weaknesses; devices assessed include firewalls, routers, servers, etc.; tests are performed to identify system weaknesses from both internal and external threats; a comprehensive report is submitted with the vulnerabilities found and the corrective actions to be taken; should be performed at regular intervals or after any major change.

Penetration testing: attempts to scrutinize the true strength of an organization's security infrastructure against a real attack; the tester assumes the role of a real intruder and attempts to breach the network in a controlled and safe way that does not affect your services; launches a series of attacks on the network using commonly used techniques; various commercial and open-source "hacker" tools are employed during the tests.

Environmental exposure and controls

Exposure: lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather; power failures (blackout, brownout, sag, spikes and surges) and electromagnetic interference (EMI); water damage/flooding; fire; dust, smoke and other particulate matter, including food; mice and other animals and insects; terrorism.

Controls: alarm control panel; uninterruptible power supply/generator; fireproof walls, floors and cables; water and fire/smoke detectors; fire extinguishers (handheld or fixed equipment); humidity/temperature control; monitoring cameras.

Chapter 6. Domain 2: IT Governance

Overview of tasks for Domain 2

2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT so that it supports the organization's strategies and objectives.
2.2 Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
2.3 Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
2.4 Evaluate the organization's IT policies, standards and procedures and the processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
2.7 Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
2.8 Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
2.9 Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.

Overview of skill and knowledge for Domain 2

2.1 Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
2.2 Knowledge of IT governance frameworks
2.3 Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures
2.4 Knowledge of quality management strategies and policies
2.5 Knowledge of organizational structure, roles and responsibilities related to the use and management of IT
2.6 Knowledge of generally accepted international IT standards and guidelines
2.7 Knowledge of enterprise IT architecture and its implications for setting long-term strategic goals
2.8 Knowledge of risk management methodologies and tools
2.9 Knowledge of the use of control frameworks (e.g., COBIT, COSO and ISO/IEC 17799)
2.10 Knowledge of the use of maturity and process improvement models (e.g., CMM and COBIT)
2.11 Knowledge of contracting strategies, processes and contract management practices
2.12 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards and key performance indicators)
2.13 Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property and corporate governance requirements)
2.14 Knowledge of IT human resources (personnel) management
2.15 Knowledge of IT resource investment and allocation practices (e.g., portfolio management, return on investment)

IS Audit Small Quiz No. 7

Domain 2: IT Governance

IT governance, governance organization, governance strategy and policy, management of security, outsourcing and human resources.

(See the quiz book.)

IT control (diagram rendered as text)

ITCLC (IT company-level controls), applied across the company: IT governance/policy, IT risk management, training, quality assurance, IT internal audit.

ITGC (IT general controls), applied to the IT infrastructure (network, servers, PCs, ...) and to its development and operation: logical access controls; system development life cycle controls; program change management controls; data center physical security controls; system and data backup and recovery; computer operation controls.

ITAC (IT application controls), applied to each application system (accounting system, sales system, ...) to ensure complete and accurate processing: input data control; process control; output control.
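What "complete and accurate" means for an application control is easiest to see in code. The following is an added example written for this text, not code from the course material or from any accounting package: a constructed sales batch arrives with a header carrying the record count, a hash total (sum of the account numbers, a meaningless number whose only purpose is to detect lost, duplicated or altered records) and an amount total. Input control validates each record and reconciles the batch totals; process control posts only an accepted batch; output control reconciles what was posted against what was accepted (a run-to-run total). The file layout and account-number format are assumptions for the example.

```python
# Added example (not from the training text): input, process and output
# controls on a constructed batch file.
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^C\d{6}$")        # assumed customer account format

# Constructed batches. Header: H,<record count>,<hash total>,<amount total>
GOOD_BATCH = """\
H,3,6,350.50
D,C000001,100.00
D,C000002,200.00
D,C000003,50.50
"""
# Same batch, but one record was transmitted twice and one amount is corrupt.
BAD_BATCH = """\
H,3,6,350.50
D,C000001,100.00
D,C000002,200.00
D,C000002,200.00
D,C000003,abc
"""


def parse_batch(text):
    """Input control, record level: returns (header, valid records, errors)."""
    lines = [l for l in text.splitlines() if l.strip()]
    h = lines[0].split(",")
    header = {"count": int(h[1]), "hash_total": int(h[2]), "amount_total": Decimal(h[3])}
    records, errors = [], []
    for n, line in enumerate(lines[1:], start=2):
        f = line.split(",")
        if len(f) != 3 or f[0] != "D":
            errors.append((n, "malformed record"))
            continue
        if not ACCOUNT_RE.match(f[1]):
            errors.append((n, "invalid account %r" % f[1]))
            continue
        try:
            amount = Decimal(f[2])
        except InvalidOperation:
            errors.append((n, "non-numeric amount %r" % f[2]))
            continue
        if amount <= 0 or amount.as_tuple().exponent < -2:
            errors.append((n, "amount out of range %s" % amount))
            continue
        records.append((f[1], amount))
    return header, records, errors


def post(records):
    """Process step: aggregate per account; returns the total actually posted."""
    ledger = {}
    for acct, amt in records:
        ledger[acct] = ledger.get(acct, Decimal("0")) + amt
    return sum(ledger.values(), Decimal("0"))


def check_batch(text):
    header, records, errors = parse_batch(text)
    findings = ["line %d: %s" % e for e in errors]
    # Input control, batch level: sender's totals must match what was read.
    read = len(records) + len(errors)
    if read != header["count"]:
        findings.append("record count: header %d, read %d" % (header["count"], read))
    hash_total = sum(int(acct[1:]) for acct, _ in records)
    if hash_total != header["hash_total"]:
        findings.append("hash total: header %d, computed %d" % (header["hash_total"], hash_total))
    amount_total = sum((amt for _, amt in records), Decimal("0"))
    if amount_total != header["amount_total"]:
        findings.append("amount total: header %s, computed %s" % (header["amount_total"], amount_total))
    accepted = not findings
    # Process control: post only an accepted batch (all-or-nothing).
    posted = post(records) if accepted else Decimal("0")
    # Output control: run-to-run reconciliation of posted against accepted input.
    if accepted and posted != amount_total:
        findings.append("output total %s does not equal input total %s" % (posted, amount_total))
        accepted = False
    return {"accepted": accepted, "findings": findings, "posted_total": posted}


if __name__ == "__main__":
    print(check_batch(GOOD_BATCH))
    print(check_batch(BAD_BATCH))
```

The duplicated record alone would be caught by the record count; the hash total additionally catches a record whose account number was altered, and the amount total catches an altered amount. An auditor tests these controls by feeding exactly this kind of deliberately bad batch and confirming that it is rejected and logged rather than posted.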

Framework of IS audit

Frameworks mapped to the ITCLC / ITGC / ITAC activities (plan, strategy, and so on):

COBIT: internal control and IT governance.
ITIL V.3 (ISO 20000): service delivery and operation.
Val IT: IT investment and governance.
ISO 9000: quality management.
ISACA/CISA: IS audit.
ISO 27000: security.
COSO: internal control.

Concept of IT Governance: Definition & Summary

Definition
• IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives. (CobiT 4.1)
• [IT governance] consists of the leadership, organizational structures and processes that ensure that the enterprise's information technology sustains and extends the organization's strategies and objectives. (IIA International Professional Practices Framework)

Summary

a) Leadership and clear business ownership

b) Aligned business-relevant measures

c) Complete and accurate inventories

d) Linking technical and business risk

Concept of IT Governance: a) Clear business ownership and direction

Alignment of business and IT objectives (CobiT 4.1 'Framework'). Example: objectives of two different companies.

Category of objective / Company A / Company B
Enterprise strategy: rapid global expansion / expansion of proven models
Business goals for IT: sacrifice standards for speed / leverage IT standards
IT goals: buy locally what works / convert non-standard systems
Enterprise architecture for IT: minimal / central
IT scorecard: number of branches supported / % standard

Concept of IT Governance: Enterprise architecture for IT

As-Is model → To-Be model → Next model

An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.

Concept of IT Governance: Balanced Scorecard

The core characteristic of the Balanced Scorecard and its derivatives is the presentation of a mixture of financial and non-financial as well as leading and lagging measures, each compared to a 'target' value, within a single concise report.

Example (an airline). Columns: strategic target / measuring method / target (the action plan and person in charge columns are left blank).

Financial:
• Improvement in profitability / net profit / 20% rise
• Expansion of the customer base / sales growth rate / 30% rise
• Fewer aircraft / lease cost / 20% down

Customer orientation:
• Expansion of customer loyalty / repeat-customer ratio / 90% or more
• Expansion of customer loyalty / customer rate of increase / 30% rise
• Keeping departure times / on-time departures / 90% or more
• Keeping departure times / average delay time / less than 10 minutes

Business process:
• Keeping the schedule / flight cancellation ratio / 0%
• Keeping the schedule / number of customer complaints / zero cases per month

Learning & growth:
• Improvement of training / training cost / 10% of sales
• Improvement of training / training time / 10% rise

Concept of IT Governance: Balanced Scorecard: example of objectives and metrics

Viewpoint / Objective / Example metrics

Financial:
• Business/IT alignment / operational budget approval
• Value delivery / business unit performance
• Risk management / results of internal audits

Customer orientation:
• Customer satisfaction / business unit survey ratings
• Competitive costs / attainment of unit cost targets

Business process:
• Development process / function point measures
• Operational process / change management effectiveness
• Process maturity / maturity level of IT processes
• Enterprise architecture / state-of-the-infrastructure assessment

Learning & growth:
• Human resource management / staff turnover
• Employee satisfaction / satisfaction survey scores
• Knowledge management / implementation of lessons learned

(A general balanced scorecard, not an IT-specific one.)

Concept of IT Governance: b) Aligned business-relevant measures

• Requires translation of traditional IT measures
• Performance against financial goals, either business or IT
• Operational efficiency
• Innovation

Example: changing the supply and inventory system.

Category of objective / Measurement
Enterprise strategy: leverage scale
Business goals for IT: take a day out of inventory
IT goals: share inventory, order and safety-stock information with suppliers
Enterprise architecture for IT: use the existing EDI infrastructure for the new EDI message
IT scorecard: cash flow; warehouses not built

Concept of IT Governance: c) Complete and accurate inventories

• IT-dependent business processes
• Data repositories and information flows
• IT infrastructure
• IT resources and processes

Example: information flow of sales.

Category of objective / Information flows
Enterprise strategy: influence trade customers
Business goals for IT: "right information, right place, right time" for sales
IT goals: effectively combine product profitability, share and store data
Enterprise architecture for IT: laptops in shopping carts; efficient (cheap) communications
IT scorecard: solution cost efficiency; sales representative satisfaction

Concept of IT Governance: d) Linking technical and business risk

• Risk is the most important factor in business.
• Management needs to be able to compare IT risks with other risks.
• IT governance must do an effective job of translating technical risks into business risks.

IT risk / Business exposure
Incidents resulting from changes / disruptions to critical business processes (e.g. order-to-cash)
Input or output errors / compromised company reputation
Information security incidents / reduced organizational capacity

IT Governance Focus Areas (ITGI)

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly

IT Governance Focus Areas (ITGI)

Strategic alignment: focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

Value delivery: is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Risk management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organization.

Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

IT governance flow and cycle (CobiT)

Business objectives and governance objectives drive four domains of IT processes; the processes act on the IT resources to deliver information that meets the information criteria, and monitoring feeds back to the objectives.

Domains (with example processes):
• Planning and Organization: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine the technological direction; PO4 Determine the IT processes, ...
• Acquisition and Implementation: AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Enable operation and use; AI5 Procure IT resources; AI6 Manage ...
• Delivery and Support: DS1 Define and manage service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; DS4 Ensure continuous service; DS5 Ensure systems security; DS6 Identify and allocate costs; ...
• Monitoring: M1 Monitor and evaluate IT performance; M2 Monitor and evaluate internal control; ...

Information criteria: effectiveness, efficiency, confidentiality, integrity, compliance, reliability.

IT resources: people, application systems, technology, facilities, data.

IT management hierarchy (CobiT)

Domain: a natural grouping of processes, often matching an organizational domain of responsibility.

Process: a series of joined activities with natural control breaks.

Activity: the actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete.

IT governance: types of planning

Item / Strategic planning / Long-term planning / Operational planning

Time frame: 3 years or more / 1-3 years / 1 year or less

Question: What business are we in? Should we expand or contract? / What are the major business components? What do we concentrate on now? What products and services are planned? / What specific tasks must be done to meet the long-term plan?

Output: a general, broad statement of what business the company is in / financial goals, market opportunities, management organization, next review period / assumptions for the period, changes needing to be made, production times, responsibility, budget

Organization of the steering committee

Board of Directors; CEO office; executive chairperson; functional divisions (marketing, sales, legal, R&D, IT, administration, production, finance, QC, HR); IT strategy/steering committee.

IT strategy committee:
• Advises the board and management on IT strategy
• Is delegated by the board to provide input to the strategy and prepare it for approval
• Focuses on current and future strategic IT issues

IT steering committee:
• Decides the overall level of IT spending and how costs will be allocated
• Assists executives in the delivery of the IT strategy
• Oversees day-to-day management of IT service delivery and IT projects
• Focuses on implementation

General role of the IS auditor in IT governance

An auditor is well positioned to provide leading-practice recommendations to senior management to improve the quality and effectiveness of the IT governance initiatives implemented.

As an entity that monitors compliance, audit helps ensure compliance with the IT governance initiatives implemented within an organization. The continual monitoring, analysis and evaluation of metrics associated with IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and the associated IT governance initiatives.

Issues and targets of IT governance (1)

Area / Issue / Description

Information security / Information security: institute a process to integrate security with business processes; review and assist the security strategy and integration effort; ensure that business owners support the integration.

Risk management / Risk management: establish risk tolerance; ensure regulatory compliance; ensure that roles and responsibilities include risk management in all activities.

IT strategy / Process improvement and assurance: provide oversight of all assurance functions and plans for improvement and integration; identify critical business processes and assurance; direct assurance integration efforts.

IT strategy / IT investment and allocation: create a positive control environment by assuming responsibility for formulating, developing, documenting and controlling policies covering general goals and directives.

IT strategy / Enterprise architecture: provide oversight of all plans and assurance functions.

Issues and targets of IT governance (2)

Area / Issue / Description

IT management practice / Human resource management: provide oversight of the strategic plan for hiring and training.

IT management practice / Sourcing practice: provide oversight of the strategic plan for sourcing; ensure that the risks of outsourcing and the accountability that remains with the organization are addressed.

IT management practice / Change management: ensure the process and technology for change management.

IT management practice / Financial management: provide oversight of the financial plan for IT investment; ensure appropriate management of IT investment.

IT management practice / Quality management: provide oversight of quality control; ensure the status of QCM.

IT management practice / IT organization: provide oversight of duties and responsibilities, including segregation of duties.

Thanks for joining the lecture!

Contact: Go Ota, e-mail [email protected]

Web: www.beyondbb.jp (Japanese)