Академический Документы
Профессиональный Документы
Культура Документы
Learning Objectives
Discuss how the COBIT framework can be used to
develop sound internal control over an organizations
information systems.
Explain the factors that influence information systems
reliability.
Describe how a combination of preventive, detective,
and corrective controls can be employed to provide
reasonable assurance about information security.
8-2
AIS Controls
COSO and COSO-ERM address general internal control
COBIT addresses information technology internal control
8-3
Availability
Information must be available
whenever needed.
Efficiency
Information must be produced
in a cost-effective manner.
Compliance
Controls must ensure
compliance with internal
policies and with external legal
and regulatory requirements.
Confidentiality
Sensitive information must be
protected from unauthorized
disclosure.
Integrity
Information must be accurate,
complete, and valid.
Reliability
Management must have
access to appropriate
information needed to
conduct daily activities and to
exercise its fiduciary and
governance responsibilities.
8-4
COBIT Framework
Information
Criteria
8-5
COBIT Cycle
Management develops plans to organize information
resources to provide the information it needs.
Management authorizes and oversees efforts to acquire (or
build internally) the desired functionality.
Management ensures that the resulting system actually
delivers the desired information.
Management monitors and evaluates system performance
against the established criteria.
Cycle constantly repeats, as management modifies existing
plans and procedures or develops new ones to respond to
changes in business objectives and new developments in
information technology.
8-6
COBIT Controls
210 controls for ensuring information integrity
Subset is relevant for external auditors
IT control objectives for Sarbanes-Oxley, 2nd Edition
8-7
Confidentiality
Sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
Privacy
Personal information about customers is collected, used, disclosed, and
maintained only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.
Processing Integrity
Data are processed accurately, completely, in a timely manner, and only with
proper authorization.
Availability
The system and its information are available to meet operational and
contractual obligations.
8-8
8-9
8-10
8-11
Time-Based Model
Combination of detective and corrective controls
P = the time it takes an attacker to break through the
organizations preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack
For an effective information security system:
P > D + C
8-12
8-13
8-14
Preventive Control
Training
User access controls (authentication and authorization)
Physical access controls (locks, guards, etc.)
Network access controls (firewalls, intrusion prevention
systems, etc.)
Device and software hardening controls (configuration
options)
8-15
Authentication vs.
Authorization
Authenticationverifies who a person is
1. Something person knows
2. Something person has
3. Some biometric characteristic
4. Combination of all three
8-16
Firewall
Software or hardware used to filter information
8-17
8-18
8-19
Detective Controls
Log Analysis
Process of examining logs to identify evidence of possible
attacks
Intrusion Detection
Sensors and a central monitoring unit that create logs of
network traffic that was permitted to pass the firewall and
then analyze those logs for signs of attempted or successful
intrusions
Managerial Reports
Security Testing
8-20
Corrective Controls
Computer Incident Response Team
Chief Information Security Officer (CISO)
Independent responsibility for information security assigned
to someone at an appropriate senior level
Patch Management
Fix known vulnerabilities by installing the latest updates
Security programs
Operating systems
Applications programs
8-21
8-22
New Considerations
Virtualization
Multiple systems are
run on one computer
Cloud Computing
Remotely accessed
resources
Software
applications
Data storage
Hardware
Risks
Increased exposure if
breach occurs
Reduced
authentication
standards
Opportunities
Implementing strong
access controls in the
cloud or over the server
that hosts a virtual
network provides good
security over all the
systems contained
therein
8-23