SlideShare ist ein Scribd-Unternehmen logo

Controls in Audit.pptx

Als PPTX, PDF herunterladen
H
HardikKundra

Security Controls in Audit and Setting Control Formulation, Types of Audits

Bildung
1 von 17
SECURITY CONTROLS Controls are a security mechanism, policy, or procedure that can successfully counter attacks, reduce risk, resolve vulnerabilities and otherwise improve security within an organization. Whether an organization is considering a technical or operational control to mitigate risk, or an administrative solution such as training and new procedures or policies, the control needs to focus on the hardware, telecommunications, and software that protect sensitive information in one of the following three states:  Data at rest  Data in transit  Data in process
GOAL-BASED SECURITY CONTROLS
IMPLEMENTATION-BASED CONTROLS
SECURITY CONTROL FORMULATION Any information resource with value to an organization requires some degree of security protection. This provides a starting point for formulation and development of security controls. The wide variety of ICT system components within an organization’s supply chain result in significantly different security requirements, with the potential for equally different corresponding protective mechanisms to satisfy the requirements. Security Categorization of ICT Systems - The first step in the formulation and development of security controls establishes the security categorization for the ICT system. In addition to categorizing each ICT component and the data stored and processed within them, the security team begins the process of developing the system security plan by documenting security categorization and system description information.
SECURITY CONTROL FORMULATION • Identifying Information Types: organizations may group information types into categories defined by guidelines such as FIPS 199 or CNSSI 1253. However, organizations have the flexibility to define or identify their own information types and to select their own impact levels. • Each information system categorization can be represented as SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE • The resulting level, is subsequently used to determine overall system security categorization and serve as the basis for selecting a security control baseline.
Setting stage for Control Implementation • Coming out of the security control selection process, the security plan will provide criteria relative to what controls and control enhancements will be implemented for the ICT system. • Prior to engaging in control implementation, functional and technical members of the implementation project group facilitate decisions related to how each control will be implemented and assign responsibility of activities to be performed within the process, to individuals with the appropriate skill level and knowledge of the system; including hardware, software, and associated configurations. • Managers that assign responsibilities need to be mindful that the nature of the work required to implement a control varies considerably across management, operational, and technical controls.
Setting stage for Control Implementation Control Implementation through Security Engineering: • Identify the organizational security risks Define the security needs to counter identified risks • Transform the security needs into activities • Establish confidence and trustworthiness in correctness and effectiveness in a system • Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (acceptable risks) • Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system
TYPES OF IT AUDITS • Technological position audit : - This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging". • Systemsand ApplicationsAudit :- An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity. System and process assurance audits form a subtype, focussing on business process-centric business IT systems. Such audits have the objective to assist financial auditors. • Information ProcessingAudit :- An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
TYPES OF IT AUDITS • SystemsDevelopment Audit :- An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development. • Management of IT and Enterprise Architecture Audit :- An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing. • Client/Server, Intranets, and Extranets Audit :- An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers
Implementing a Multi-tired Governance Making Information Governance Tangible: • The mandate of information governance is to add value to the business as well as to help it achieve its goals. • Therefore, capable information governance will link technology processes, resources, and information to the overall purposes of the enterprise. • Since information is an asset, all organizations have the obligation to assure its uninterrupted confidentiality, integrity, and availability for use. • Therefore, managers have the responsibility to establish a tangible internal control system, which will explicitly protect the everyday functioning of the information processing and retrieval processes of the particular business.
Implementing a Multi-tired Governance There are seven universally desirable characteristics, which an information governance infrastructure should embody: Effectiveness—that is, the organization’s information must be ensured relevant and pertinent to the business process that it serves as well as delivered in a timely, correct, consistent, and usable manner. Efficiency—in the simplest terms information must be made readily available through the most optimal (productive and economical) means possible. Confidentiality—sensitive information must be protected from unauthorized disclosure or access as well as tampering. Integrity—the accuracy and completeness of information as well as its validity must be assured in accordance purpose. .
Implementing a Multi-tired Governance Availability—information must be accessible when required by the business Process Compliance—all information and information processing must comply with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria. Reliability—relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities. These generic qualities are operationalized through an explicit set of control behaviors that are executed in a practical, day-to-day systematic fashion.
Establish Real, Working Control Framework • The process of implementing a set of controls entails the identification, prioritization, assurance, and sustainment of an effective response to every plausible threat. • This control deployment function is not a one-shot “front- end” to setting up a static security solution. • It is a constant and organized probing of the environment to sense the presence of and respond appropriately to any potential sources of harm to the organization’s information assets.
AUDIT PROCESS • One of the best practices for an audit function is to have an audit universe.The audit universe is an inventory of all the potential audit areas within an organization. • Basic functional audit areas within an organization include sales,marketing, customer service, operations, research and development,finance, human resource,information technology,and legal. • An audit universeincludes the basic functional audit area, organization objectives,key business processesthat support those organization objectives,specific audit objectives,risks of not achieving those objectives,and controls that mitigate the risks
QUESTIONS ??
THANK YOU !!

Empfohlen

Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2
Jayant Dalvi
 
Compliance
ComplianceCompliance
Compliance
Priyank Hada
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
JunaidAhmed976315
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
Divya Tiwari
 
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
cveiga12
 
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
cveiga12
 

Empfohlen

Information system audit 2
Information system audit 2 Information system audit 2
Information system audit 2
Jayant Dalvi
 
Compliance
ComplianceCompliance
Compliance
Priyank Hada
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
JunaidAhmed976315
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
Divya Tiwari
 
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
cveiga12
 
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
cveiga12
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
Adetula Bunmi
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
dotco
 
Security Baselines and Risk Assessments
Security Baselines and Risk AssessmentsSecurity Baselines and Risk Assessments
Security Baselines and Risk Assessments
Priyank Hada
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by
FirstMutualHoldings
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC Compliance
Lumension
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptx
dotco
 
it grc
it grc it grc
it grc
9535814851
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
MubashirAslam5
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
dotco
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
JoshJaro
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
Ram Dutt Shukla
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
Ram Srivastava
 
what is system audit and objectives of system audit.pptx
what is system audit and objectives of system audit.pptxwhat is system audit and objectives of system audit.pptx
what is system audit and objectives of system audit.pptx
simratkaur290104
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
Donald E. Hester
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
lneut03
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Pooja Bhuva
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
Jisc
 

Weitere ähnliche Inhalte

Ähnlich wie Controls in Audit.pptx

Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
Security Baselines and Risk Assessments
Security Baselines and Risk AssessmentsSecurity Baselines and Risk Assessments
Security Baselines and Risk Assessments
Priyank Hada
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC Compliance
Lumension
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
JoshJaro
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
Ram Srivastava
 
what is system audit and objectives of system audit.pptx
what is system audit and objectives of system audit.pptxwhat is system audit and objectives of system audit.pptx
what is system audit and objectives of system audit.pptx
simratkaur290104
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
lneut03
 

Ähnlich wie Controls in Audit.pptx (20)

The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Security Baselines and Risk Assessments
Security Baselines and Risk AssessmentsSecurity Baselines and Risk Assessments
Security Baselines and Risk Assessments
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC Compliance
 
CISM_WK_2.pptx
CISM_WK_2.pptxCISM_WK_2.pptx
CISM_WK_2.pptx
 
it grc
it grc it grc
it grc
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
what is system audit and objectives of system audit.pptx
what is system audit and objectives of system audit.pptxwhat is system audit and objectives of system audit.pptx
what is system audit and objectives of system audit.pptx
 
Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010Information Systems Audit & CISA Prep 2010
Information Systems Audit & CISA Prep 2010
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
 

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 

Controls in Audit.pptx

  • 1. SECURITY CONTROLS Controls are a security mechanism, policy, or procedure that can successfully counter attacks, reduce risk, resolve vulnerabilities and otherwise improve security within an organization. Whether an organization is considering a technical or operational control to mitigate risk, or an administrative solution such as training and new procedures or policies, the control needs to focus on the hardware, telecommunications, and software that protect sensitive information in one of the following three states:  Data at rest  Data in transit  Data in process
  • 4. SECURITY CONTROL FORMULATION Any information resource with value to an organization requires some degree of security protection. This provides a starting point for formulation and development of security controls. The wide variety of ICT system components within an organization’s supply chain result in significantly different security requirements, with the potential for equally different corresponding protective mechanisms to satisfy the requirements. Security Categorization of ICT Systems - The first step in the formulation and development of security controls establishes the security categorization for the ICT system. In addition to categorizing each ICT component and the data stored and processed within them, the security team begins the process of developing the system security plan by documenting security categorization and system description information.
  • 5. SECURITY CONTROL FORMULATION • Identifying Information Types: organizations may group information types into categories defined by guidelines such as FIPS 199 or CNSSI 1253. However, organizations have the flexibility to define or identify their own information types and to select their own impact levels. • Each information system categorization can be represented as SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE • The resulting level, is subsequently used to determine overall system security categorization and serve as the basis for selecting a security control baseline.
  • 6.
  • 7. Setting stage for Control Implementation • Coming out of the security control selection process, the security plan will provide criteria relative to what controls and control enhancements will be implemented for the ICT system. • Prior to engaging in control implementation, functional and technical members of the implementation project group facilitate decisions related to how each control will be implemented and assign responsibility of activities to be performed within the process, to individuals with the appropriate skill level and knowledge of the system; including hardware, software, and associated configurations. • Managers that assign responsibilities need to be mindful that the nature of the work required to implement a control varies considerably across management, operational, and technical controls.
  • 8. Setting stage for Control Implementation Control Implementation through Security Engineering: • Identify the organizational security risks Define the security needs to counter identified risks • Transform the security needs into activities • Establish confidence and trustworthiness in correctness and effectiveness in a system • Determine that operational impacts due to residual security vulnerabilities in a system or its operation are tolerable (acceptable risks) • Integrate the efforts of all engineering disciplines and specialties into a combined understanding of the trustworthiness of a system
  • 9. TYPES OF IT AUDITS • Technological position audit : - This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging". • Systemsand ApplicationsAudit :- An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity. System and process assurance audits form a subtype, focussing on business process-centric business IT systems. Such audits have the objective to assist financial auditors. • Information ProcessingAudit :- An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
  • 10. TYPES OF IT AUDITS • SystemsDevelopment Audit :- An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development. • Management of IT and Enterprise Architecture Audit :- An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing. • Client/Server, Intranets, and Extranets Audit :- An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers
  • 11. Implementing a Multi-tired Governance Making Information Governance Tangible: • The mandate of information governance is to add value to the business as well as to help it achieve its goals. • Therefore, capable information governance will link technology processes, resources, and information to the overall purposes of the enterprise. • Since information is an asset, all organizations have the obligation to assure its uninterrupted confidentiality, integrity, and availability for use. • Therefore, managers have the responsibility to establish a tangible internal control system, which will explicitly protect the everyday functioning of the information processing and retrieval processes of the particular business.
  • 12. Implementing a Multi-tired Governance There are seven universally desirable characteristics, which an information governance infrastructure should embody: Effectiveness—that is, the organization’s information must be ensured relevant and pertinent to the business process that it serves as well as delivered in a timely, correct, consistent, and usable manner. Efficiency—in the simplest terms information must be made readily available through the most optimal (productive and economical) means possible. Confidentiality—sensitive information must be protected from unauthorized disclosure or access as well as tampering. Integrity—the accuracy and completeness of information as well as its validity must be assured in accordance purpose. .
  • 13. Implementing a Multi-tired Governance Availability—information must be accessible when required by the business Process Compliance—all information and information processing must comply with those laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria. Reliability—relates to the provision of appropriate information for management to operate the entity and for management to exercise its financial and compliance reporting responsibilities. These generic qualities are operationalized through an explicit set of control behaviors that are executed in a practical, day-to-day systematic fashion.
  • 14. Establish Real, Working Control Framework • The process of implementing a set of controls entails the identification, prioritization, assurance, and sustainment of an effective response to every plausible threat. • This control deployment function is not a one-shot “front- end” to setting up a static security solution. • It is a constant and organized probing of the environment to sense the presence of and respond appropriately to any potential sources of harm to the organization’s information assets.
  • 15. AUDIT PROCESS • One of the best practices for an audit function is to have an audit universe.The audit universe is an inventory of all the potential audit areas within an organization. • Basic functional audit areas within an organization include sales,marketing, customer service, operations, research and development,finance, human resource,information technology,and legal. • An audit universeincludes the basic functional audit area, organization objectives,key business processesthat support those organization objectives,specific audit objectives,risks of not achieving those objectives,and controls that mitigate the risks