pervasive controls
Hot site
facilities with space and basic infrastructure and all of the IT and communications equipment required to support the critical applications, along with office furniture and equipment. Usually maintain installed versions of programs required to support critical applications. DRPs utilizing hot sites will need to transfer a complement of employees to augment existing small staff
Warm site
facilities with space and basic infrastructure, and some or all of the required IT and communications equipment installed. Equipment may be less capable than normal production equipment. DRPs utilizing warm sites will need to transfer all employees, and load current version of data
Cold sites
facilities with the space and basic infrastructure adequate to support resumption of operations, but lacking any IT or communications equipment, programs, data or office support. DRPs utilizing cold sites will include provisions for acquiring hardware, software, and office equipment
Admin controls: Physical security:
facility selection / construction - where you pick to build. Higher ground. To build in code, have to have tornado shelter. Facility management and emergency response procedures.
Physical controls: Physical security:
fencing, lighting, locks, "man traps" set of physical barriers that will lock you in if you do not have access. EX: long aisle that was funnel into building. Gate would open and then immediately close behind you. before next gate would open, you had to lay ID card. Inactive card = would not open. Gate behind was closed though.
Mirrored site
fully redundant sites with real-time data replication from the production site. Fully equipped and staffed, and can assume critical processing with no noticeable interruption to the users
Scope -
general vs application - general is for ALL IT systems - app is at specific software level/app. Deal with input and processing and output of data. Narrow
Technical services -
infrastructure
Fidelity bonds:
insurance policy against fraud. CFO took money but because of fidelity bond, org gets money back.
GCCs
logical and physical security, change management, BCP and DRP
If org is not big enough to have appropriate seg of duties, then
make sure monitoring is strong. Seg requires 4 ppl. Cash. Then expect to see compensating control and look at cash intake month to month and see significant decrease in cash and credit card receipts constant, then fraud.
Monitoring means
management assessment to determine whether control plans are functioning appropriately.
Implementation -
manual - human intervention - automated - operate without humans. Embedded in AIS.
GCCs: BCP and DRP Site Recovery Options from best to least
mirrored site, hot site, warm site, cold site, mobile site, reciprocal site
Logical security
mitigates risk by reducing likelihood of unauthorized access to data and programs (apps). Access control (authentication - how does comp know you are who say you are, authorization - what apps or data can you see, entitlement - what type of privileges do you have with respect to that e.g. create or delete. *they go in order. Once have first, then second.
Forced vacations:
most in banks and finance. Minimum of 5 consecutive days off a year. Many frauds require constant care. Feeding care.
Encryption: (logical security)
network traffic needs to be encrypted. You used to be able to read emails before encryption. You could see IP address and what websites they were accessing. ---- encryption takes special algorithm and converts clear text data into something that is unreadable. Transmit in unreadable and computer on receiving end has key to un crypt it
COBIT 5 is a
new departure in the corporate governance of information technology. Restructuring and reorganizing of the framework from being an IT process model into an IT governance model. More inclusive, "strategic" and "big picture" oriented than COBIT 4 .1. Uses a "holistic" approach that is more flexible, more principles-based and less procedures-based than COBIT 4.1. 5 is overarching governance framework to corporate governance with IT bend on it. Made it loose enough to other frameworks can fit into it. More inclusive and big picture and strategic. COBIT 5 is handful to implement - need more guidance.
Mobile site
packaged, modular processing facilities mounted on transportable vehicles and kept ready to be delivered and set up at a location that may be specified upon activation DRPs utilizing mobile sites must account for ancillary infrastructure, right-of-access, and plan to utilize mobile resources
Annual disclosure:
policy requires emps to sign cert that they have read employee handbook, code of conduct, conflict of interest policy, IT acceptable use policy. End game is that you cannot claim ignorance. IT acceptable use policy - work computers have no expectation of privacy. Being spied on.
Function -
preventive - prevent error or omission from ever occurring - detective - alerts/lets you know error or noncompliance has occurred. Life lock. Depends on how timely - corrective - fixes an instance of noncompliance after already occurred. Puts back into compliance.
Steering committee -
prioritize IT projects invest
Enablers -
processes, org structures, culture ethics and behavior, principles policies and frameworks, info, services infrastructure apps, people skills and competencies.
Classifying IT controls:
scope, function, and implementation
Personnel management control plans:
security - faurd theft. Future staff skills. Turnover anticipation. Job descriptions.
Data center manager and everyone under them
(we have moved to cloud now though) 2017 moving away from this. Outsourcing and not storing all the computers in house. Pay to host. Reason is gets away with lots of cost and overhead from it. If do, have data control - data entry - computer operations - data librian
Detective - records instance of noncompliance. Does not fix. (function)
- Periodic reporting. All failed log in attempts. Needs to be timely - Reconciliations - Surveillance - must be timely.
GCCs: change management *
Changes to IT (programs and infrastructure) should be made in an orderly and controlled manner that mitigates risk of unintended consequences. note this means both hardware and software changes. How do we make sure software we are implementing functions and that is all it does. Does not introduce other issues - malware, viruses, unexpected interactions with other software that brings down network, do not intro platform for someone to commit fraud. Goes through all processes to ensure this.
Retention control plans:
Companies should provide create and challenging work opportunities as well as channels for advancement whenever possible. Rewarding.
Common components of a DRP include
Disaster Declaration Procedure Roles and Responsibilities Emergency Contact List System Recovery Procedures System Operations Procedures System Restoration Procedures
USE THIS APPROACH TO IDENTIFY AND CLASSIFY.
Does this control preclude an instance from occurring in first place? Does it simply alert us or log? Does this control, after detecting, resolve it?
What goes into a BCP?
Key processes What are the key business processes that support critical business objectives? Key systems What are the key systems that support key business processes? How will we run these systems (hot site, cold site, warm site)? Key data What are the key data necessary for key systems? Key personnel Who are the key people and where will we need them? Short-, medium-, and long range contingencies What do we do if this outage lasts a week/month/months/year?
Monitoring
Involves putting controls in place to periodically follow up on the operation of control plans. Determine a baseline to know when a control is operating effectively, to identify if there is a change in a process or a control plan, and to periodically test that a control is operating. Also involves ensuring that appropriate communication of control weaknesses occur. EX is going to doc for annual physical to base off of in future
Selection and hiring control plans:
Job candidates should be carefully screened, selected and hired. Onboarding. What types of access will they have - in email, Sage, etc. = system access.
Logical and Physical security
Logical security deals with access controls over virtual resources (information, data, applications) If logical security is weak, I can access your data anywhere in the world Physical security deals with access controls over tangible resources (servers, data centers, network appliances) If I can physically access your computer, all of the logical security measures become useless
Preventative (function)
Prevent errors, omissions, security incidents from occurring - Validity checks on input data. Letter in numeric field - Completeness checks. All fields filled out or no forward - Access control on who has access to systems and data. Authentication. Username and password. Key. - Technical controls like firewalls, antivirus, web surfing
how to back up
Security over apps, back ups to app/data. Record backups on tape and store off site. If don't store off site, then they will burn too. Need to think about hardware. If plain jane, then fine. Servers. Other thing is make sure all media associated with apps. Cant just backup data, need to also backup how to get the data to work. The app. What app is installed with. Data become worthless. Cant access it.
implementation
Seems automated is better. Computers are good at doing routine tasks day in and day out. They do not have emotions. No bad days. Consistent and efficient for easy tasks. Bad side of manual is emotions, tired, sick, fights. Human judgement. Who is right. Upside is sometimes we need human judgement. For complex tasks. Want automated if tasks is same or routine.
Reciprocal site
agreements between separate, but similar companies to temporarily share IT facilities in the event that one company loses processing capability DRPs utilizing reciprocal agreements must account for burden of maintaining hardware/software similarity between the two, security and privacy considerations, and difficulty enforcing agreements
Technical controls: Physical security:
alarms - motion detection, broken windows. Monitoring (CCTV) close circuit TVs, how often are backed up. HVAC heating ventilation and AC temp and humidity. Power supply - comps like nice even flow with no lags and spikes. Fire detection/suppression - cant be water. Suck oxygen out. No residue either. Problem with this is people can't survive. Remove enough to put out fire but people are uncomfortable but alive.
Rotations of duties:
alternate job periodically. Fraud and cross train emps for back fill.
seg of duties General model:
authorize event, execute events, record event, safeguard event.
seg of duties example:
changes to software. One writes code, one authorizes move, one tests, one safeguarding.
With proper seg of duties,
collusion would need to occue between departments to exploit the system and conceal abuse.
Physical security:
controls designed to physically protect IT assets
Corrective - (function)
corrects once identified- Making backups of data so you can restore back. - Correction of data entry errors. Convert to correct case. Street address formats. - Identifying and removing unauthorized users from systems - terminated and report issued and sent to supervisor so they can go through and do paperwork to remove their system access. - Recovery from incidents and disasters
Personnel termination control plans:
defines procedures when an employee leaves an org. IT and HR have already gone in and deleted access to system while you walk in to be terminated. And security guard at desk. Take keys. No access. Does it vary with level in org? high up, may be terminated immediately. Some no two weeks. Instant.
Security officer =
dotted line off between CEO and CIO. Security officer keeps ppl off corporate campus. ISO reports into him. Physical barrier.
The purpose of DRP is to
ensure that cost-effective controls are in place to prevent possible IT disruptions and to recover the IT capacity of the organization in the event of a disruption
CIO -
entire IT function. Nowadays have technical and strategic
Focus on authentication* in order of least secure to most (logical security)
- Something you know -password. PIN. Cheapest. Easiest to compromise. Problem is they do not afford us nonrepudiation. Means disagree. All they system knows is that someone somewhere knows the username and password. Me and Jordan know each other's password but computer does not know exactly who it is. Have to change every 30 days is because they know get compromised. - Something you have - token. Key fob device with screen. Key fob has code that has been record on server somewhere. 6-digit code with limited time. Usually paired with something you know password. Password then token. We utilize soft tokens = cookies. Online banking says you are not logging in on trusted resource. It wrote text file and put on hard drive the first place/time you logged in. Every time you log in after, it looks for cookie. - Something you are -biometrics. Retinal scan, fingerprints, voice. Also software you can install that recognizes the way that you type. Used on very sensitive. == take advantage of unique characteristics about individuals that identifies them. - ****take advantage of multiple of these = multi factor authentication. Combine something fairly weak with someone you know and something you are. This makes them STRONG.
COBIT 5 principles
1. Meeting stakeholder needs - variety of them and they have competing needs. Good for one department is not good for org as whole. Need to evaluate all stakeholder needs and figure way to optimize. 2. Covering the enterprise end to end - looking as whole. Not just IT piece. 3. Applying a single integrated framework - bring all frameworks in 4. Enabling holistic approach - as a whole 5. Separating governance from management - governance is making sure invest in right needs and tie to business need. Management is day to dat execution of this.
COBIT 5 Enablers -
7 Role is to make sure processes operate efficiently to meet intended goals
4 basic functions of event processing:
Authorizing events, executing events, recording events and safeguarding resources resulting from consummating events.
GCCs: BCP and DRP: What is the difference between Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
BCP is more operational and long-term in focus, emphasizing how the organization will continue operating throughout a short-,medium-, or long-term disaster or outage Focuses on key processes and objectives. DRP is more technical and short-term in focus, emphasizing recovery Data/application back ups and restoration DRP in BCP
In org,
CEO then CFO and CIO and VPs, report to CIO are managers
Change Management
Changes to IT (programs and infrastructure) should be made in an orderly and controlled manner that mitigates risk of unintended consequences If I can make unauthorized changes to your applications, then I can get what I want
GCCs: change management environ
Enviros rep subnetworks in an org that allow for the orderly dev, testing and promotion of software changes. -DEV: purpose: allows app dev (coders) a safe and isolated enviro to build and test software. Where it will not seep to rest of org. only devs allowed here. Once they are satisfied that they built to meet requirements, request to promote software to QA enviro. Done through change management sofwater. Someone will auth. Devs then no access to it. - QA: Purpose: allows dedicated test team to test software functionality. Only QA team allowed here. Have test scripts. List of all required functions. Script of buttons to click and data to enter to test. Indp group unaffiliated with building so no bias or do not know how to work it so they can try to break it. Get kicked back if functionality not there - staging: Purpose: allows for system and integration testing. Access: QA team and power users only. Power users = knowledge end users that know how it should work. Staging should be as close as possible to live enviro. Lots of testing here - power users test for functionality, integration testing / sociability testing EX when kid home alone with just fam, behaves, at playground, kid becomes hellion. Because software has not been interfacing with email, ERP, production system, etc. - production aka live: purpose: live processing of transaction, reports, etc. Access: end users. No going back from here. Stays here.
Processes
Governance - evaluate how mgmt. doing, direct them, and monitor. Mgmt. - plan , build , run , monitor Mgmt. feedback to top.
Automated Controls
Implemented within the AIS/IS More comfort that these will be executed consistently
Manual Controls
Performed by users / human intervention Subject to human error, human judgement
BCP/DRP
Policies and procedures that ensure data and applications are available after a disaster (DRP), and that mission critical business processes can be executed to ensure continuance of operations (BCP) If my company can't operate during a disaster and I can't access my data, I'm dead in the water
Also have IT steering committee off this.
Ppl that represent business functions of org. high level people. HR, production, etc. each major department. Responsibility is to identify and prioritize IT initiatives so that they follow business objs of org. Holds IT accountable for investments. Too much IT in steering committee makes it off course. From people in every unit = IT investments tie into goals and needs. Align.
COBIT: History
Previously EDPA - was financial statement auditors with grip on IT trying to see how data came to statements. Responsible for making sure system was processing data accurately and only once. Need framework to help audit AIS as part of whole. Began for audit AISs, then to control for IT, then management for EIS etc., then IT governance (ppl spending way too much on IT without returns. Economists came up with productivity paradox. Looked at IT spend from econ view. For every $ spent, do not get $ back. Did not have effective alignment. Business units and IT's job is to support but there was disconnect) - COBIT 4.0 and 4.1 - prescriptive. Check box approach. Easier to implement, then Governance of enterprise IT - COBIT 5 - from rules based to principles based. Clear separation between management of IT and governance of IT
COBIT: History revision
Revision was necessary to "provide a renewed and authoritative governance and management framework for enterprise information and related technology" Integrates all other major ISACA frameworks and guidance (Val IT 2.0, Risk IT 2.0, and ITAF)
Personnel Policy Control Plans: Common Practices
Rotation of duties: Forced vacations: Fidelity bond: Annual disclosure:
GCCs: change management environment
There would be controls between each enviro for auth to promote software to next environ until gets to prod.
Personnel development control plans:
Training must occur regularly and be a top priority. Performance reviews should assess strengths and weaknesses and identify opportunities for promotion, training and personal growth.
GCCs: change management auditors
Typically auditors are involved in evaluation the change mgmt. or "promote to prod" process. Should involve: some type of code library in place to allow for code to check in and out, workflow sys to document auths, sign off approvals to promote, heavy logging of workflow of software - if dev took sip of coffee, it would be logged. Fixing problems.
GCCs: change management *Involves:
seg of duties - do not allow developers to have access to production systems and data. Do not want them to be able to change the way it works. They know how it works so they can EX: move fraction of pennies to their accounts. environments - development enviro - where app developers will do work - test or A/A enviro - set of QA pros test functionality - staging enviro - where run integration testing to make sure software does not have any interactions - production enviro - end users use approvals - as move from one eviro to next, needs to be approval process to auth emergency procedures - sometimes have to let developers in where things break. Emergency changes/fixes should be approved and scrutinized. Watch everything they do though.
The segretation of duties:
separates the 4 basic functions of event processing:
(scope) General computer controls GCCs -
span entire IT functions. Impact confidentiality, integrity, and availability of all IT systems. - Change management - Business contiutiy/disaster recorvery - Logical and physical secutiry - Info security admin and awareness. Let people know about hazards. - Budgeting and resource allocation - utilized - IT org structure and control environ - does CIO create appropriate tone at top - Computer operations and network management - make sure systems themselves up and running. Batch jobs done. Backups done.
(scope) Application controls -
specific. Always deal with input, processing, output. Make sure input proper format and error free. Processing done accurately and once. Output to get data out and to right people and secured. Storage another one. - Validity checks and completeness checks on data entry - expect numbers but see numbers. Filled out all fields. Don't allow to proceed. - Problem management (degrade gracefully) do not drop to blue screen - Transaction controls
Technical servicers manager and everyone under them
then quality assurance group - any change to software or infrastructure, then QA tests to make sure it works as intended - then database administration - all data is stored somewhere and they manage it and pulls data out in reports - telecom/network control - gets info back and forth. Firewall. - systems programming -
Collusion is
way to get around it. 2 or more people acting together to circumvent seg of duties. Person recording and receiving cash cooperating and say to pocket it and then split it.
Function -
what is intended purpose.
Then systems development manager and everyone under them
write specific software for certain companies needs that cants just buy commercial software - then systems analysis - go into bus units and ask what they need and pull together requirements. Then systems design - pull guidance and write features. Then application programming - coders. If company does not do a lot of in house software development, then this all goes away.