IT Environment (2)
for Universitas Padjadjaran, Accounting Department
IT Audit, S1 Regular Class
1 October 2005
IS Audit Syllabus
No  Subject Name              Date
1   Introduction of IS Audit  17-Sep-05
2   IT Environment (1)        24-Sep-05
3   IT Environment (2)        1-Oct-05
4   IT Processes              8-Oct-05
5                             15-Oct-05
6                             22-Oct-05
7                             29-Oct-05
8   Mid-semester Exam         12-Nov-05
9                             19-Nov-05
10                            26-Nov-05
11                            3-Dec-05
12                            10-Dec-05
13                            17-Dec-05
14                            24-Dec-05
15  Final Exam                TBA
3 Oct 2005
Agenda
Operating Systems
Application Software
Database and DBMS
Data Center
Network & telecommunication infrastructure
Internet & Firewalls
Session 3 Objectives
Gain understanding of the importance and role of IT for the Business
Understand IT organization & its requirements
Introduce the students to:
The concepts of operating systems, database, applications and Data Centers.
The risks and controls associated with them, and
The basic audit/review aspects and considerations of the above concepts.
Operating Systems
Operating systems tasks
Major Operating Systems
Operating Systems Software Risks and Controls
Operating systems review/audit techniques
Operating systems Audit Tools
Operating systems tasks
Major Operating Systems
Mainframe
MVS, Unisys, etc.
Midrange/Minicomputers
OS/400, VMS, Unix, SunOS, etc.
Microcomputers
Unix, Windows NT, Windows 2000, Novell Netware, OS/2, MacOS, DOS, Linux
Risks and Controls
Risks
Unauthorized access
Controls
Strong security management
(including user rights and password
controls management)
Separation of duties
Review/Audit techniques
System software selection procedures
Address IS and business plan, meet control requirements, feasibility study, cost-benefit analysis
Installation controls
Written plan for installation, documentation, identification before being placed into production
Maintenance activities
Change controls for system software
Access limitation to the library; changes are documented and tested
Systems documentation
Licensing
Protect against the possibility of penalties
Protect from public embarrassment
Security parameters (special functions, passwords)
Audit and logging
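The two operating-system slides above (Risks and Controls, and the review techniques under Security parameters and Audit and logging) describe what an auditor checks: user rights, password parameters and separation of duties. The following script is an added example and not part of the original lecture material; it runs those checks over a constructed sample of user-account records against a constructed policy (the account names, group names and thresholds are all assumptions) and returns a list of findings an auditor would follow up.

```python
"""Constructed OS user-account review: checks user rights, password
parameters and separation of duties against a written policy."""
from typing import Dict, List, Tuple

# Constructed sample of the kind of data pulled from an OS user database.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "groups": ["payables", "admins"], "pw_age_days": 30, "last_login_days": 2},
    {"user": "bob", "groups": ["payables", "receivables"], "pw_age_days": 45, "last_login_days": 1},
    {"user": "carol", "groups": ["admins"], "pw_age_days": 120, "last_login_days": 3},
    {"user": "svc_backup", "groups": ["backup"], "pw_age_days": 400, "last_login_days": 200},
    {"user": "dave", "groups": ["receivables"], "pw_age_days": 10, "last_login_days": 5},
]

# Constructed policy: the security parameters the review is compared against.
SAMPLE_POLICY = {
    "max_pw_age_days": 90,                     # password control parameter
    "inactive_days": 90,                       # dormant accounts should be disabled
    "privileged_groups": {"admins"},           # groups that confer special functions
    "approved_privileged_users": {"carol"},    # management-approved holders of those rights
    "conflicting_groups": [("payables", "receivables")],  # separation-of-duties pairs
}


def audit_accounts(accounts: List[Dict], policy: Dict) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every control exception found."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        user, groups = acct["user"], set(acct["groups"])

        # User rights: privileged group membership must be on the approved list.
        if groups & policy["privileged_groups"] and user not in policy["approved_privileged_users"]:
            findings.append((user, "unapproved privileged group membership"))

        # Separation of duties: no account may hold both halves of a conflicting pair.
        for a, b in policy["conflicting_groups"]:
            if a in groups and b in groups:
                findings.append((user, f"separation of duties conflict: {a}/{b}"))

        # Password parameter: age beyond the policy maximum.
        if acct["pw_age_days"] > policy["max_pw_age_days"]:
            findings.append((user, "password older than policy maximum"))

        # Logging/activity: dormant accounts left enabled are an access risk.
        if acct["last_login_days"] > policy["inactive_days"]:
            findings.append((user, "inactive account still enabled"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings by type, the figure an audit report would tabulate."""
    counts: Dict[str, int] = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_POLICY)
    for user, finding in results:
        print(f"{user:12} {finding}")
    print(summarize(results))
```

The policy is data rather than code so that the same review runs against a different organization's parameters; the real work in an engagement is obtaining the approved-user and conflicting-duty lists from management before the script is run.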
O/S Audit tools
AS/400
PentaSafe
Windows NT
Systems Scanner, Kane Security Analyst (KSA), NMAP for NT,
Retina, BindView
UNIX
COPS (Computer Oracle and Password System), Tripwire, NMAP,
PC-Unix Audit
Application Software
Categories of software
In-house developed application
Integrated application (e.g. ERP systems:
SAP, JDE, PeopleSoft, Oracle, etc)
Package application (e.g. ACCPAC,
Picador, etc)
Database and DBMS
Hierarchical database model
Data is organized as a tree structure
Parent and child; a child cannot have more than 1 parent
Ex. IBM's IMS (Information Mgt. Systems)
Network database model
Data related through sets, allowing reverse pointers
Ex. CA's IDMS
Relational Database model
Unlike Hierarchical and Network, RDBMS separates application and data
Models information in tables (columns and rows)
Ex. IBM's DB2, Oracle, Sybase, MS Access, Paradox, DBASE
Object-oriented database
Simplifies programming, flexible, deals with a variety of data types
Ex. Objectivity/DB, IBM San Francisco, ONTOS DB, ObjectStore
To manage data:
Relieves the application of file handling
Maintains the integrity of data
Ensures that the data is available to multiple applications
Provides access control and security over data
Controls
Confidentiality
Availability
Change management
Backup and recovery procedure
How the DBMS handles concurrent updates
DBMS maintenance (including fixing and testing)
Functions performed by the DBA
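The control list above names "how the DBMS handles concurrent updates" without showing why it matters. The simulation below is an added example, not part of the lecture and not any particular DBMS's code: two transactions add to the same account row under a fixed round-robin interleaving (the scheduler, transaction names and starting balance are constructed), first with no coordination, then with exclusive row locks, then with an optimistic version check. It goes slightly beyond the slide by showing both the pessimistic and the optimistic remedy side by side.

```python
"""Constructed simulation of the lost-update problem and two DBMS remedies."""
from dataclasses import dataclass
from typing import Dict, Generator, List, Tuple

Step = Generator[str, None, None]


@dataclass
class Row:
    value: int
    version: int = 0  # bumped on every committed write (used by the optimistic scheme)


class LockManager:
    """Exclusive row locks: granted only when the row is free or already held by the requester."""

    def __init__(self) -> None:
        self.holders: Dict[str, str] = {}

    def acquire(self, key: str, txn: str) -> bool:
        if self.holders.get(key) in (None, txn):
            self.holders[key] = txn
            return True
        return False

    def release(self, key: str, txn: str) -> None:
        if self.holders.get(key) == txn:
            del self.holders[key]


def txn_unlocked(table: Dict[str, Row], key: str, delta: int, txn: str) -> Step:
    """Read, then write, with no coordination at all."""
    seen = table[key].value
    yield f"{txn} read {seen}"
    table[key].value = seen + delta
    yield f"{txn} wrote {table[key].value}"


def txn_locked(table: Dict[str, Row], key: str, delta: int, txn: str, locks: LockManager) -> Step:
    """Pessimistic: take an exclusive lock before reading and hold it across the write."""
    while not locks.acquire(key, txn):
        yield f"{txn} waits for lock on {key}"
    seen = table[key].value
    yield f"{txn} read {seen}"
    table[key].value = seen + delta
    yield f"{txn} wrote {table[key].value}"
    locks.release(key, txn)


def txn_optimistic(table: Dict[str, Row], key: str, delta: int, txn: str) -> Step:
    """Optimistic: the write commits only if the version is unchanged since the read, else retry."""
    while True:
        row = table[key]
        seen, ver = row.value, row.version
        yield f"{txn} read {seen} (v{ver})"
        if row.version == ver:  # nobody committed in between: safe to write
            row.value, row.version = seen + delta, ver + 1
            yield f"{txn} wrote {row.value} (v{row.version})"
            return
        yield f"{txn} version conflict, retrying"


def run(transactions: List[Step]) -> List[str]:
    """Round-robin scheduler: one step per live transaction per turn (a fixed interleaving)."""
    log: List[str] = []
    live = list(transactions)
    while live:
        for t in list(live):
            try:
                log.append(next(t))
            except StopIteration:
                live.remove(t)
    return log


def simulate(mode: str) -> Tuple[int, List[str]]:
    """Start at 100, apply +50 and +30 concurrently; a correct DBMS must end at 180."""
    table = {"acct": Row(100)}
    if mode == "unlocked":
        txns = [txn_unlocked(table, "acct", 50, "T1"), txn_unlocked(table, "acct", 30, "T2")]
    elif mode == "locked":
        locks = LockManager()
        txns = [txn_locked(table, "acct", 50, "T1", locks), txn_locked(table, "acct", 30, "T2", locks)]
    elif mode == "optimistic":
        txns = [txn_optimistic(table, "acct", 50, "T1"), txn_optimistic(table, "acct", 30, "T2")]
    else:
        raise ValueError(mode)
    log = run(txns)
    return table["acct"].value, log


if __name__ == "__main__":
    for mode in ("unlocked", "locked", "optimistic"):
        final, log = simulate(mode)
        print(f"{mode}: final balance {final}")
        for line in log:
            print("   ", line)
```

The unlocked run finishes at 130 because T2's write, based on a stale read of 100, silently overwrites T1's 150; both remedies finish at 180. When reviewing a DBMS an auditor asks which of these mechanisms is configured and whether application code ever bypasses it.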
Data Center
A Data Center is the business of providing a physical location as well as the applicable IT services (e.g. bandwidth to the Internet, facilities management, hardware/software, IT services, etc.) to run computer applications (e.g. websites, e-mail, trading systems, etc.) at a site that is generally remotely located from a corporation's or individual's own premises. The eventual goal is to fully outsource corporate IT requirements, leveraging economies of scale at price points and service levels that are difficult to achieve in-house.
Network
Network Protocols
Transmission media
Network infrastructure
Network Eras
ERA 1: Mainframe Networks (1965 - 1975)
ERA 2: Minicomputer Networks (1975 - 1985)
ERA 3: Shared-bandwidth LANs (1985 - 1995)
ERA 4: Switching LANs (1995 - )
Network Eras
Mainframe Networks
Groups of terminals attached to cluster controllers. Controllers were connected to the front-end processor through point-to-point cables (for local connections) or leased telephone lines (for remote connections).
Minicomputer Networks
Terminals connected directly to a port on the mini. Statistical multiplexers provide wide-area line sharing and error protection. Data PBXs were central to many networks, allowing terminal users to select computers and contend for expensive computer ports.
Shared-bandwidth LANs
LAN-based network operating systems emerged. Shared bandwidth: PCs and other devices were attached to a single Ethernet segment or a single token ring.
Switched LANs
The rapid growth in the power of PCs (servers), which can handle throughput rates significantly higher than Ethernet or token ring provide. Data representation through images rather than text. Emergence of the World Wide Web, document imaging, medical radiology, CAD, video training, and pre-press editing (which require large amounts of bandwidth).
Network architecture
Bus configuration
Ring configuration
Star configuration
Mesh configuration
Bus configuration
Advantages
Disadvantages
Ring configuration
Advantages
Every computer is given equal access, since a token is passed around the ring indicating authorization to transmit
The network degrades gracefully
Disadvantages
Star configuration
Advantages
Easy to modify and add new computers
Disadvantages
Mesh configuration
Advantages
Fault tolerant
Easy to diagnose problems
Guaranteed channel capacity
Disadvantages
Difficult to install and reconfigure, since there is a connection with every machine on the network
High cost of installation
Telecommunication infrastructure
Data Communication
Simply put, it involves the transmission of speech and/or data between two connected devices.
Data communications describes the use of protocols (rules) and specific equipment to coordinate and facilitate the successful transmission and receipt of data between source and destination.
Network Protocols
Protocols are the set of rules for the packaging and transmission of data.
Examples:
Transmission Control Protocol/Internet Protocol (TCP/IP)
Virtual Telecommunications Access Method (VTAM)
IPX/SPX
AppleTalk
PPP (Point-to-Point Protocol), X.25
Transmission media
Copper (twisted pair) circuits
Coaxial cables
Fiber optic systems
Radio systems
Microwave radio systems
Satellite radio link systems
LANs and WANs
LANs:
Within buildings or departments
Digital signals used
Computer-to-computer transmission
Use high quality cables
WANs:
Network Risks and Controls
Risks
Unauthorized access (incl. tapping)
Performance degradation
Viruses, trojans
Controls
Encryption
Access controls
Performance monitoring:
Response time reports
Down time reports
Online monitors (Echo checking)
Help desk reports
Audit and Evaluation Techniques
LAN review
Physical security
Observe LAN and transmission wiring closet, server location; test access key
Environmental controls
Surge protector, air conditioning, humidity, power supply, backup media protection, fire extinguisher
Logical security
Interview LAN admin, penetration test, search for written passwords, test log-off period, dial-up connection
Internet
What is Internet
Why use Internet
The risk of Internet
What is the Internet?
World's largest computer network.
Based on the TCP/IP protocol suite
Links universities, governments, companies, etc.
Large international presence: > 170 countries
What is a Firewall?
A firewall is a combination of hardware and software that enforces an existing network access policy.
It prevents unauthorized traffic into and out of a secure network.
It restricts people to entering at a carefully controlled point.
It prevents attackers from getting close to other network security defenses.
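To make the definition above concrete, here is an added example (not from the lecture and not the code of any real firewall product) of a firewall enforcing a written network access policy: an ordered rule list evaluated first-match, with a default-deny fallback so that anything the policy does not explicitly permit is rejected and logged. The internal address range, the host addresses, the rule names and the sample traffic are all constructed for the example.

```python
"""Constructed packet-filter model: first-match rules plus default deny,
i.e. a firewall enforcing a network access policy at one controlled point."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    direction: str  # "in" = arriving from the Internet, "out" = leaving the internal network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))


class Firewall:
    """The first matching rule decides; anything unmatched is rejected and logged."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.log: List[str] = []

    def evaluate(self, p: Packet) -> str:
        flow = f"{p.src}->{p.dst}:{p.dport}/{p.proto}"
        for rule in self.rules:
            if rule.matches(p):
                self.log.append(f"{rule.action.upper():5} {rule.name:14} {flow}")
                return rule.action
        self.log.append(f"DENY  default-deny   {flow}")
        return "deny"


# Constructed policy: internal net 10.0.0.0/8; only the web and mail hosts
# are reachable from outside, and internal users may connect outward.
POLICY = [
    Rule("public-web",    "allow", "in",  "tcp", "0.0.0.0/0",  "10.0.0.80/32", 80),
    Rule("inbound-mail",  "allow", "in",  "tcp", "0.0.0.0/0",  "10.0.0.25/32", 25),
    Rule("block-inbound", "deny",  "in",  "any", "0.0.0.0/0",  "10.0.0.0/8",   None),
    Rule("outbound",      "allow", "out", "any", "10.0.0.0/8", "0.0.0.0/0",    None),
]

# Constructed traffic sample (uses the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges).
TRAFFIC = [
    Packet("203.0.113.5",  "10.0.0.80",    "tcp", 80,  "in"),   # public web request
    Packet("203.0.113.5",  "10.0.0.50",    "tcp", 23,  "in"),   # telnet to an internal host
    Packet("10.0.0.7",     "198.51.100.9", "tcp", 443, "out"),  # internal user browsing out
    Packet("203.0.113.5",  "10.0.0.25",    "tcp", 25,  "in"),   # mail delivery
    Packet("198.51.100.9", "10.0.0.80",    "udp", 80,  "in"),   # wrong protocol to the web host
]


def run_policy(rules: List[Rule] = POLICY, traffic: List[Packet] = TRAFFIC) -> Tuple[List[str], List[str]]:
    """Evaluate each packet; return the decisions and the firewall log."""
    fw = Firewall(rules)
    decisions = [fw.evaluate(p) for p in traffic]
    return decisions, fw.log


def rejected_external(log: List[str]) -> int:
    """Count the 'rejected external traffic' entries an auditor would review."""
    return sum(1 for line in log if line.startswith("DENY"))


if __name__ == "__main__":
    decisions, log = run_policy()
    for line in log:
        print(line)
    print("rejected:", rejected_external(log))
```

Rule order matters: the explicit deny for inbound traffic sits after the two permitted services and before the outbound rule, so a packet is never allowed by a broader rule that happens to be listed first. During a review the rule list is compared against the documented access policy, and the deny log is the evidence that the policy is actually being enforced.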
[Figure: a firewall placed between the Internet and the mainframe/legacy systems; rejected external traffic is turned away at the firewall.]
Summary
The hardware, systems software, communication lines, networks, Internet and Data Center are all organizational assets that should be properly controlled and managed by management.
Today's auditors should be familiar with, and prepared to deal with, the various rapid developments in IT (hardware, OS, communication, networks, Internet and Data Center) and their risks.
IS Auditors' tasks:
Review the existing controls available
Test the compliance
Recommend adequate controls
Thank You