Systems Test 2
What does COBIT say about IT Governance Objectives
- Located in the EDM part of the COBIT Core Model
Different types of COBIT Information and Technology Issues
- People and Org Issues - Data Issues - Security Issues - Resource Issues - Systems Development and Innovation Issues - Compliance Issues
What kind of guidance can assist us in evaluating ITGCs over Computer Operations
- Physical Operations - Backup and Recovery - Business Continuity
What are the common outage types that necessitate backup and recovery procedures and controls?
- Power outage - Hardware failure - Fire - Flood - Earthquake - Software Error - Bombing - Snow/wind storm - Network outage - Contamination
Classifications of ITGCs
- Preventive Controls - Detective and corrective controls - They are designed to either prevent or detect and correct issues related to the confidentiality, integrity, and availability of IT functions and data
SOC Reports
- SOC for Service Organizations - SOC 1: ICFR - SOC 2: TSC - SOC 3: TSC for General Use - SOC for Cybersecurity - SOC for Supply Chain
Other Factors to Consider in the Risk Assessment- per COBIT
- Threat - ______ Environment - Role of IT - Sourcing Model - Implementation Methods - Technology Adoption - Enterprise Size
Typical Manage Access Risks
- Users of the IT environment are not the intended users due to inadequate authentication and security settings. - The access of IT users of the IT environment creates segregation of duties concerns. - Access to functions within the IT application is combined into "roles". The access rights within the roles contain segregation of duties issues that could cause a material misstatement of the financial statements. - Direct data changes are made without authorization
ITGCs vs Application Controls
ITGCs are general controls to protect the availability, security, processing integrity and confidentiality/privacy of financial information. Application controls are specific controls to prevent or detect and correct problems in processing a single transaction or groups of similar transactions.
IT Risk Assessment Frameworks
- COSO - Trust Services Criteria - COBIT
3 Main Objectives of ITGCs
1. Confidentiality 2. Integrity 3. Availability
Critical Elements of a BCP
- Accountability - Roles and Responsibilities - Program Scope - Recovery Strategy Development - Plan Development and Maintenance - Testing - Training and Awareness - Legal, regulatory and contractual assessment - Internal audit participation - Reference
Risks of Outsourcing IT
- Already made investments in IT - Some things may be impossible to convert - Security concerns - Does not meet customer specifications - Less control, dependent on expertise of 3rd party - May raise prices
Typical ITGCs for IT Environment &Governance
- Annual risk assessments - Competent leadership - IT performance metrics routinely documented and communicated to the governance structure
Other Security Controls
- Backup and recovery controls - Log analysis - White hack or penetration testing - Continuous monitoring - Employee training and awareness - Vulnerability assessments - Other external consultant engagements
How is the IT Organization Structured
- Centralized Approach - Distributed Approach
What does an Information Security Team look like in an organization
- Chief Information Security Officer organized around 4 main activities: 1. Protect, shield, defend, prevent 2. Monitor, Hunt, detect 3. Respond, recover, sustain 4. Govern, manage, comply, educate, manage risk
Most Common Types of Cyberattacks
- Classic Buffer Overflow - SQL Injection - Cross-Site Scripting (XSS) - Cross-Site Request Forgery (CSRF) - Clickjacking - Denial of Service - Distributed Denial of Service - Malware - Ransomware - Spyware - Phishing - Spear Phishing - Social Engineering - Brute Force Attack - Password Spraying - Advanced Persistent Threats
What do IT Concerns include?
- Consistency between IT and Corporate Strategy - Delivery of organizational capability and value from IT investment
Governance Layer
- Consists of Evaluating, Directing, and Monitoring (EDM) - Ensures direction and priority setting, performance and compliance, and meeting all stakeholder needs
What are the 5 domains and Processes of COBIT
- Control Environment - Risk Assessment - Control Activities - Information and Communication - Monitoring Activities
Benefits of Outsourcing IT
- Cost Savings - Global Scale - Performance/Availability - Security - Speed - Productivity - Reliability
IT system and support devices that may be considered critical (BCP)
- Data Centers/Servers - Phones/Communications (internal and external) - Network connections/drives - Key business/operations, including commerce/ public facing applications
What is IT Governance's dual role
- Governing through IT to effect strategic outcomes - Governance of IT to ensure that IT investments and services are accountably affected for improved organizational performance
Cybersecurity Disclosures
- Have potential to materially impact financial statements, catastrophically disrupt business, and/or damage organizational reputation at all businesses - Many cyber-incidents are perpetrated from within organizations- impacting internal controls and financial numbers
Top Causes of Data Breaches
- Humans - Web Attacks - Cyber Espionage - Insider and Privileged Misuse - Miscellaneous Errors - Point of Sale - Payment Card Skimmers - Physical Theft and Loss - Crimeware
What do ITGCs Encompass
- IT Architecture - IT Components - People - Processes - An evaluation of the control environment
Typical IT Environment and Governance Risks
- IT and business strategy not aligned - IT operations include risks which impact achievement of corporate goals - IT resources do not support enterprise strategy - Lack of segregation of duties for key IT roles which impact internal controls over financial reporting - Inadequate/non-existent related performance metrics
IT Governance vs IT Management
- IT governance draws on corporate governance principles to manage and use IT to achieve corporate goals - IT management is empowered through IT governance to make decisions and take actions within the entity's overall vision and principles
ITGC Risks are generally classified into these categories
- IT operations risks - IT access risks - IT program and system change risks
Why would a company outsource all or a part of their IT operation?
- It is more cost effective than operating the function in-house. - The service provider can deliver better performance than the business can in-house. - And typically, it is because the outsourced function "is not a core competency" of the business.
Reasons to Launch a Cyberattack
- Monetary gain - Disruption of supply, communication, and economic infrastructures - Thrill of the challenge - Bragging rights in the hacker community - Seeking revenge on employer (i.e., disgruntled employee) - Theft of personally identifiable information (PII) - Disrupt systems by performing denial-of-service attacks - Threatening national security by weakening a nation's economy
Typical Manage Change Risks
- New IT application programs or changes to the production IT application programs, including reports and interfaces, are not appropriate for the business or the IT environment. - New IT application programs or changes to existing programs, including reports, configurations and interfaces, do not function as described or requested because they are not adequately tested by appropriate persons - Multiple instances of the same IT application that should be identical are not the same. - Configuration changes made by IT personnel are inappropriate or unauthorized - Implementation failure of new systems, system upgrades, or key system integrations which impact controls over financial reporting
Managing Change
- New System implementations or changes made to existing systems are appropriate and function as intended by management. - New IT application programs or changes made to existing IT application programs are appropriate and function as intended by management - Applies to all IT Environment Layers
COBIT Audience
- Management: to help them balance risk and control investment in an IT environment - Auditors: to provide a framework to assist them to come to an opinion on the level of assurance on the particular subject matter being audited
Information Security Compliance
1. Internal Policy Compliance - implement its own set of policy and procedure 2. Regulatory Compliance - international, federal, state regulations and other compliance standards related to PII
What types of security controls are expected
1. At the data level - Direct access to database limited 2. Through the application as an end user - Segregation of duties 3. Through the operating system - Limit the number of employees with admin rights (back door access) 4. At the network level there should be access and administrative rights to the correct personnel. Use of VPNs 5. At the data center or computer room level - multiple physical controls
Managing Access (aka Logical Access) Objectives
1. Authentication and Validation - provide access to the IT environment only to authorized, appropriate users 2. Authorization/Access Rights - authenticated and validated users are restricted to performing authorized, appropriate tasks - Applicable to all IT environment layers - Data, Application, Operating System, Network, and Data Center/Computer Room
What are the Top 10 Technology Risk Factors
1. Cyber Breach 2. Manage security incidents 3. Privacy 4. Monitor Regulator Compliance 5. Access Risk 6. Data Integrity 7. Disaster Recovery 8. Data Governance 9. Third-party Risk 10. Monitor/Audit IT, Legal and regulatory Compliance
What Current Risks and Trends are Top of Mind at Google
1. Environment and Sustainability Compliance 2. Supply Chain 3. Business Continuity 4. Compliance Growth and Maturity
ITGC Evaluation Approach
1. Gain an understanding of the IT process 2. Identify risks within the processes 3. Identify ITGCs that address the risks in the key areas of IT governance, operations, access, and change 4. Perform a walkthrough to verify understanding of ITGC procedures 5. Test ITGCs that address the risks in the areas of IT access, change, and operations
Primary Types of Cyber Adversaries
1. Hacktivist 2. Nation States 3. Cybercriminals 4. Competitor
4 Types of Site Backup
1. Hot Site 2. Cold Site/Empty Shell 3. Mutual Aid Pact 4. Internally provided backup
ITGC Objectives are accomplished with controls over:
1. IT Access 2. IT Change 3. IT Operations - (Could also be referred to as "Manage" Access/Change/ IT Operations
4 Recovery Principles
1. Identify and rank critical applications 2. Create a Recovery Team with roles and responsibilities 3. Provide a Backup for All Essential Components of Computer Operations 4. Provide for Regular and Effective Testing of the Plan
4 Backup Principles
1. Perform Regular Backups 2. Test Backup Process Reliability 3. Use Secure Storage 4. Perform Test Restores
4 Backup Principles- Information
1. Regular Backups: Principle = Daily 2. Management should provide a means to test the data afterward to ensure that the process is actually recording all of the data onto the target backup device. An IT auditor should ensure that a health check is periodically performed. 3. Principle for storage is to use a location that is at a safe distance from the entity's location. The cloud can provide this element. 4. Management should provide a test for restoring the backup at least once a year. That test should be documented, even if it is just a screenshot showing the data restored.
What 3 Areas does LOD 2 Cover
1. Risk and Control Governance 2. Audit Management 3. Advisory Services
5 Elements of IT Governance
1. Strategic Alignment 2. Risk Management 3. Performance Management 4. Resource Management 5. Value Delivery
COBIT Takeaways- IT
1. The Focus is on I &T - All the information the enterprise generates, processes, and uses to achieve its goals as well as the technology to support that throughout the enterprise
4 Recovery Principles- Information
1. The principles of developing a business continuity plan/disaster recovery plan (BCP/DRP) include a step to identify the critical applications and rank them in importance of operations. This list becomes strategically valuable if ever needed in providing the recovery team with a blueprint of how to restore application software. Advocate categorizing applications in terms of confidentiality, integrity and availability (our 3 core ITGC objectives). 2. The team should include all the functions and roles necessary to quickly and completely restore computer operations. There should be a document that identifies the team members, their respective roles and the steps each would take in restoring operations. 3. The heart of a BCP/DRP is to provide a backup means of providing the essential components of computer operations. The site should include a building, electricity, furniture and other basic needs for housing the computer operations. 4. Full test of the BCP/DRP at some regular interval to ensure that it actually works and to improve the plan to be more efficient and effective
What should take place in a walkthrough of a process/control
1. Understand the design of the ITGC 2. Design Characteristics/Attributes 3. Obtain evidence the control is performed by the control owner 4. Update any documentation
COBIT Takeaways- IT Governance
2. Overarching IT Governance Framework - Supports enterprise risk management and value generation, a specific focus given enterprise use and dependence on information and technology - Used for assurance-related objectives - Created by ISACA who provides a toolkit and resources for implementing and using the framework
SOX Compliance: What is the IT role?
To identify the company's biggest priorities when reporting financial risk, sometimes with help from auditors. Your role, then, is to support the processes that minimize all identified risks. The most pertinent sections of SOX for IT teams are 302, 404, 409 and 802
What does COBIT 19 provide internal IT organization and those who audit systems and controls
A guidebook/playbook to follow: Answers - Are we doing the right things, the right way, are we doing them well, are we recognizing the benefits
Hot Site
A separate and fully equipped facility where the company can move immediately after a disaster and resume business - Designed to accommodate a wide range of computer systems. It has facilities, furniture, equipment and operating systems available. System can be on and running all the time ("ready for use"). Typically a shared site that serves the needs of subscribers
COSO
A very effective framework for risk and control management, but does NOT provide enough specifics with respect to IT environment, IT risk assessment, IT control activities, IT information and communication, and IT monitoring
Mutual Aid Pact
Agreement between two or more organizations with comparable computer facilities to aid each other with their data processing needs in the event of a disaster. - an agreement between two or more organizations with compatible computer facilities to aid each other. Lower cost, but highly depends on tested or untested trust.
What processes are subject to ITGCs
All processes - ITGCs should operate at the process level and are normally independent of a particular process
Data Breach
An event in which confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so
Cold Site/Empty Shell
An off-site location that has all the electrical connections and other physical requirements for data processing, but does not have the actual equipment or files. - Two or more user organizations that buy or lease a building and remodel it into a computer site (i.e., raised floors and adequate air conditioning), but without the computer and peripheral equipment.
Private Cloud
Cloud computing resources used exclusively by a single business or organization - Can be physically located on the company's on-site data center - Services and infrastructure are maintained on a private network
COBIT
Control Objectives for Information and Related Technology; - relied on for IT operations, IT risk assessment and implementing overall IT governance, risk assessment, control activities - Created by ISACA
Identity Management
Ensures that only authorized people have access to the technology resources they need to perform their job functions - Prevents unauthorized access to systems and resources and raises alerts and alarms when access attempts are made by unauthorized personnel or programs
Business Continuity Plans
Focused on critical business-centric processes and the workplace being inaccessible. Broader than just the IT and data - ITGCs include BCPs
Disaster Recovery Plans
Focused on organizations accessing and recovering mission-critical data and IT processing capabilities - Recovery Time Objective - Recovery Point Objective
Authorization vs Authentication
Giving permission vs the process that determines the identity of the person requiring access (something you are - fingerprint; something you have - key; something you do - typing sequences; something you know - password)
How would we gain an understanding of the IT environment and governance structure?
IT questionnaire about controls; IT Entity Level Controls, Backup and recovery controls, access and security controls, network security controls, change management controls, system development life cycle controls
Distributed Data Processing (DDP) Approach
Involves reorganizing the computer services function into small IT units that are placed under control of end users - IT Unit within each unit of the organization - Loses standardization of approach - IT may be able to get to them quicker - Can get expensive; rarely seen today
Something to remember about COBIT
It is not intended to be a model of a general organization-wide business control framework - It focuses on enterprise information and technologies that produce the information which can impact financial reporting - IT needs to align with the business organizations
COBIT includes a way to evaluate an entity's maturity and process capability with respect to the 40 processes
It provides measurement mechanisms
Internally Provided Backup
Large organizations with multiple data processing centers may prefer self-reliance provided by creating internal excess capacity.
What is the IT Risk: Direct changes to data are made by IT personnel without authorization.
Manage Access
What is the IT Risk: New IT application programs, or changes to existing programs, do not function as described or requested because they were not adequately tested.
Manage Change
What is the IT Risk: Business Continuity plans have not been updated in 5 years
Manage IT Operations
What is the IT Risk: Database administrator positions do not have job descriptions.
Manage IT Operations
Authentication
Objective is that the person using the credential is who they claim to be - Could be some form of multifactor access controls such as additional credentials, temporary PINs, security questions, and biometrics
Purpose of Testing ITGCs
Obtain sufficient evidence the ITGCs are operating effectively - The control design is in production/operation - The control is/is not effective - The testing strategy and scope needs to be modified based on test controls, inquiry and observations
Public Cloud
Owned and operated by a third-party cloud service provider, which delivers its computing resources, like servers and storage, over the Internet
Management Layer
Plan, build, run, and monitor- all based on governance direction - APO- Align, Plan, Organize - BAI - Build, Acquire, Implement - DSS- Deliver, Service, Report - MEA- Monitor, Evaluate, and Assess
IT General Controls
Procedures and policies implemented by management to safeguard the information system hardware and applications from unauthorized access or changes - Essential for an organization's application to accurately and completely capture, process, store and provide/report its information. Users need to trust this information - Are specifically important to users of financial statements - Protect IT systems, infrastructure, programs and data
Platform as a Service (PaaS)
Refers to cloud services which provide an "on-demand environment for developing, testing, delivering and managing software applications." If you were a software development business and did not want to establish your own data center, paying for this "on-demand" is a cost-effective way to provide your developers with the environments they need to create, test and deploy applications.
The Role of Security
Security is the foundation of systems reliability and is necessary for achieving each of the other 4 Trust Services Criteria - Security controls are pervasive and: - restrict system access to authorized users only, thereby protecting the confidentiality of sensitive organizational data and the privacy of personal information - Protect information and processing integrity by preventing submission of unauthorized or fictitious transactions and preventing unauthorized changes - Provide protection against a variety of attacks, ensuring the system is available when needed.
IT Governance
Subset of corporate governance that focuses on the management and assessment of strategic IT resources - the ability for the enterprise's IT to sustain and promote the organization's strategies and objectives - Primarily managed between IT Managers, the Chief Information Officer, and enterprise IT oversight functions
SOC
System and Organization Controls; - A suite of service offerings that CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations
COBIT Governance and Management Objectives
The COBIT Core Model Consists of a Governance Layer and a Management Layer
Cybersecurity Disclosures Expectations
The Commission expects that a company's financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available. - Guidance issued, but final rules to be issued in April 2023
What facilitates value
The alignment of IT with enterprise governance and goals - Enterprise Governance of IT + Business/IT Alignment = Value Creation
Corporate Governance
The system of rules, practices, and processes by which a company is directed and controlled
Hacktivist
They form a small, foreign population of politically active hackers that includes individuals and groups with anti-U.S. motives. They pose a medium-level threat of carrying out an isolated but damaging attack. - Appear bent on propaganda rather than damage to critical infrastructures. - Goal is to support their political agenda. Their sub-goals are propaganda and causing damage to achieve notoriety for their cause.
Software as a Service (SaaS)
This is a method for delivering software applications over the Internet, on demand, and typically paid as a subscription. The cloud provider "hosts and manages" the application and underlying infrastructure, handles the maintenance (like application upgrades and security patches). - Typically available to the client over the internet using a web browser or app for mobile devices.
Infrastructure as a Service (IaaS)
This is essentially renting IT infrastructure or a "data center". As a client you typically have access to servers, virtual machines (VMs), storage, networks, operating systems. Clients typically pay the provider on an "as you go" basis.
Managing 3rd Party Risk
To gain confidence in the 3rd party's system of control, businesses rely on System and Organization Controls (SOC) reporting, more commonly referred to as SOC reports.
Gartner's top security and risk trends
Trend No. 1: Attack surface expansion Trend No. 2: Identity system defense Trend No. 3: Digital supply chain risk Trend No. 4: Vendor consolidation Trend No. 5: Cybersecurity mesh Trend No. 6: Distributed decisions Trend No. 7: Beyond awareness
Trust Services Criteria
Used to evaluate and report on controls over the security, availability, process integrity, confidentiality or privacy of information and systems - Can also be used as a risk and control assessment framework - .24 maps to the COSO IC framework - AICPA
