<strong>Information Systems Auditing</strong> by Praguetory (http://www.blogger.com/profile/16520923731691837948)<br />
<br />
<strong>Document Management</strong> (published 2013-01-13)<br />
<br />
Document management is synonymous with information management and can feed into the information strategy. It should be encoded within a policy.<br />
<br />
It should comprise:<br />
<ul>
<li>Creation - </li>
<li>Classification - sensitivity, ownership and custody; includes labelling</li>
<li>Transmission - respond to the risk of inadvertent transmission (e.g. logical and physical access control, clear desk, clear screen, storage encryption policies), deliberate attempts to access or steal documents, and confidentiality of documents sent to 3rd parties*</li>
<li>Retention - should take into account commercial value and regulatory requirements. May be a minimum/maximum rule</li>
<li>Destruction - should require heightened control where the risks associated with failure to destroy are high. Ideas include destruction certificates, outsourcing, management oversight and a formal destruction process. </li>
</ul>
*Transmission conditions for sensitive data sent to third parties might include the following:<br />
<ul>
<li>Management responsibilities and procedures for controlling and notifying transmission, despatch and receipt.</li>
<li>Minimum standards for packaging and transmission.</li>
<li>Responsibilities and liabilities in the event of loss of data.</li>
<li>Use of an agreed labelling system for sensitive or critical information, ensuring that the labels are immediately understood and that the information is appropriately protected.</li>
<li>Information ownership and responsibilities for data protection.</li>
<li>Technical standards for recording and reading information.</li>
<li>Any special controls that may be required to protect information in transit, such as passwords.</li>
<li>Splitting the consignment into more than one delivery and/or despatching</li>
</ul>
Transmission arrangements should also take into account the particular security risks related to traffic travelling via the internet. <br />
<br />
<strong>Databases</strong> (published 2013-01-12)<br />
<br />
Databases are applications that store data. They fall into a number of types:<br />
<ul>
<li>hierarchical</li>
<li>networked database systems</li>
<li>relational</li>
<li>object oriented</li>
</ul>
<br />
<strong>Software</strong> (published 2013-01-12)<br />
<br />
<strong>Networks</strong> (published 2013-01-12)<br />
<br />
There are two types of network. <br />
<ul>
<li>LAN</li>
<li>WAN </li>
</ul>
Routers connect the two. They are configured to pass and accept messages to and from legitimate WAN addresses. Firewalls can be used, too. <br />
<br />
Four types of architecture<br />
<ul>
<li>Bus</li>
<li>Ring</li>
<li>Star</li>
<li>Tree</li>
</ul>
Network risks include<br />
<ul>
<li>Wiretapping of copper or fibre optic cables</li>
<li>Sniffer programs</li>
<li>Wireless leakage </li>
</ul>
Separate domains can be used, but <a href="http://informationsystemsauditing.blogspot.com/2013/01/network-management.html">network management</a> is a critical and highly skilled role. <br />
<br />
The internet itself is a WAN. It was developed as a means for academics to share files, so it was not developed with security in mind. Messages are broken up into packets for transmission and are reassembled into messages at the target computer. The coding and decoding is done by TCP (transmission control protocol). Major uses of the internet for communication are email and <a href="http://informationsystemsauditing.blogspot.com/2013/01/e-commerce-security.html">ecommerce</a>. <br />
<br />
<strong>Network Management</strong> (published 2013-01-12)<br />
<br />
Network management governs connections between hardware, applications, LANs, WANs and the internet. Responsibilities include<br />
<ul>
<li>Planning & design</li>
<li>Change management</li>
<li>Troubleshooting</li>
<li>Maintenance</li>
<li>Performance</li>
<li><a href="http://informationsystemsauditing.blogspot.com/2013/01/capacity-management.html">Capacity/availability management</a></li>
<li>Configuring, control and optimisation of networked resources</li>
</ul>
Network planning is closely aligned to <a href="http://informationsystemsauditing.blogspot.com/2013/01/it-strategy.html">IT strategy</a>. <br />
<br />
<strong>Managing Outsourcing Arrangements</strong> (published 2013-01-12)<br />
<br />
The following covers the various outsourcing stages. <br />
<br />
<strong>Requirement Analysis</strong><br />
<br />
The services required need to be planned internally and documented. They should be formalised in ITT or RFP documents, which need to be very detailed. <br />
<br />
<strong>Proposal Evaluation and Supplier Selection</strong><br />
<br />
The XSP evaluation process would include:<br />
<br />
- cost <br />
- functionality (viability & their dependence on 3 Ps)<br />
- supplier track record (references, credentials, service history)<br />
- security<br />
<br />
<strong>Contract Preparation</strong><br />
<br />
Contracts should include <br />
<ol>
<li>Security measures</li>
<li>Change management process</li>
<li>Audit provisions. </li>
<li>Transitional details</li>
<li>Termination provisions</li>
<li>Escalation procedures</li>
<li>Reporting structure, protocols, formats</li>
<li>Regulatory responsibilities</li>
<li>Access control agreements</li>
<li>IPR, copyright issues</li>
<li>Description of services and</li>
<li>Service level agreement</li>
</ol>
<strong>Implementation of new service</strong><br />
<br />
May include a number of steps and transfer of staff, equipment, data etc<br />
<br />
<strong>Monitoring</strong><br />
<br />
Service level management should be a defined process with clear reporting protocols. It can use KPIs. <br />
<br />
<strong>Outsourcing</strong> (published 2013-01-12)<br />
<br />
Types of arrangements for managing resources are as follows<br />
<br />
- Inhouse<br />
- Outsourced<br />
- Cosourcing<br />
- Partnership<br />
- Colocating<br />
<br />
Main reasons/justifications for outsourcing;<br />
<ul>
<li>Savings (Cost)</li>
<li>OpeX (Accounting, Cashflow)</li>
<li>Flexibility (Quality)</li>
<li>Take advantage of new technologies</li>
<li>Core Competencies (Quality)</li>
<li>Speed of deployment (Time)</li>
<li>Scalability (Quality)</li>
</ul>
Barriers to changing apps internally<br />
<ul>
<li>Familiarity</li>
<li>Inevitability of bugs, patches, </li>
<li>Training</li>
</ul>
Hardware, software (Software as a Service - SaaS), network management (Platform/Infrastructure as a service PaaS/IaaS) and people can be outsourced. Outsourcing companies can be called XSPs meaning external service providers. <br />
<br />
Examples are application service providers, internet service providers and management service providers.<br />
<br />
Things to consider<br />
<br />
- Strategic value of IT to the organisation<br />
- Future needs<br />
- Transition costs<br />
- Feasibility of separating IT (or elements of it) from the business<br />
- Existing human resources<br />
<br />
The next section is <a href="http://informationsystemsauditing.blogspot.com/2013/01/managing-outsourcing-arrangements.html" target="_blank">how to manage outsourcing arrangements effectively</a>. <br />
<br />
<br />
<br />
<br />
<strong>Capacity Management</strong> (published 2013-01-12)<br />
<br />
The purpose of these activities is to determine how information technology demands will increase and over what timescale.<br />
<br />
In essence capacity management is made up of three sub processes:<br />
<ul>
<li>Business capacity management (BCM) – to forecast capacity needs based on business events</li>
<li>Service capacity management (SCM) – to ensure capacity levels support established service level targets</li>
<li>Resource capacity management (RCM)</li>
</ul>
Inputs <br />
<ul>
<li>Performance and workload monitoring</li>
<li>Application sizing</li>
<li>Resource forecasting</li>
<li>Demand forecasting and</li>
<li>Modelling</li>
</ul>
Outputs <br />
<ul>
<li>Forecasts</li>
<li>Capacity plan</li>
<li>Tuning data and </li>
<li>Service level management guidelines</li>
</ul>
Possible KPIs related to efficiency and effective capacity management<br />
<ul>
<li>total cost of unplanned capacity expenditures</li>
<li>total cost of unused capacity </li>
<li>accuracy of capacity forecasts </li>
<li>number of incidents related to capacity/performance issues</li>
<li>number of service level agreement performance targets missed due to capacity.</li>
</ul>
ISO 2000 on service management covers this area. <br />
<br />
<strong>Change Control</strong> (published 2013-01-12)<br />
<br />
<strong>Distributed & Local Computing</strong> (published 2013-01-12)<br />
<br />
<strong>Projects</strong> (published 2013-01-12)<br />
<br />
Elements of project management are as follows<br />
<br />
<ul>
<li>project outline</li>
<li>feasibility study</li>
<li>set-up and testing</li>
<li>implementation</li>
<li>monitoring.</li>
</ul>
<br />
<strong>Features Of System Development</strong> (published 2013-01-12)<br />
<br />
The process should <br />
<br />
- respond to agreed business requirements/criteria<br />
- be practical and efficient<br />
- take into account user and staff considerations<br />
- incorporate service management and performance capabilities<br />
- consider security from the very beginning (noting that the development of security is an iterative process)<br />
<br />
It should be well documented, and progress through the phases should be authorised.<br />
<br />
<strong>Types Of System Development</strong> (published 2013-01-12)<br />
<br />
There are four types of system development, which are as follows:<br />
<br />
- Applications developed internally to be marketed commercially to third parties<br />
- Applications developed internally to deploy internally*<br />
- Development by a third party of bespoke software for you.* <br />
- Development by a third party of software sold to your company and others.*<br />
<br />
*There is more flexibility internally, as support is on hand immediately and the application can be temporarily withdrawn without wider ramifications. <br />
<br />
Time, cost and quality considerations need to be taken into account and balanced. <br />
<br />
<br />
<strong>System Development Life Cycle</strong> (published 2013-01-12)<br />
<br />
The basic elements of the system development life cycle are as follows:<br />
<ul>
<li>Plan</li>
</ul>
Those developing the new system will go out to the end user environment to discover what key functions the new system is expected to have. Constraints such as space, cost and legislation will supplement user needs at this stage. The initial analysis is validated with managers and users to check that the problem and context are fully understood. <br />
<ul>
<li>Design and build</li>
</ul>
A variety of designs or solutions may be produced and evaluated. Trade-offs may be made between short-term and long-term considerations. <br />
<ul>
<li>Implement</li>
</ul>
Once the best design is chosen and agreed, software construction begins. The newly developed system then needs to be <a href="http://informationsystemsauditing.blogspot.com/2013/01/system-development-testing-phases.html" target="_blank">tested</a> to ensure that it supports the desired functions and provides acceptable performance. <br />
<ul>
<li>Monitor</li>
</ul>
Monitoring means keeping a watching brief and dealing with maintenance and other issues as they arise, such as errors not discovered during the testing phase, in order to improve the system's services. <br />
<br />
It is good practice to have development lifecycle documents - these should include security. <br />
<br />
Life cycle models include the following<br />
<br />
- waterfall, rapid prototyping, incremental and spiral. <br />
<br />
<br />
<strong>System Development Testing Phases</strong> (published 2013-01-12)<br />
<br />
Testing during the implementation phase of the system development life cycle should subject the system to conditions as similar as possible to real life. For example<br />
<br />
- real information<br />
- operating at a capacity similar to expected high-capacity workloads<br />
<br />
In-house developed software has the following phases<br />
<br />
- program testing<br />
- system testing (simulates live running)<br />
- operations acceptance testing, to ensure compatibility and that critical instructions (e.g. restart, back up, recovery) can be performed<br />
- user acceptance testing <br />
<br />
Separate domains should be maintained for development, testing and production. <br />
<br />
For commercially produced software, the stages would include<br />
<br />
- pre-alpha (e.g. QA)<br />
- alpha<br />
- beta (testing ability to deliver and support the software)<br />
- golden master<br />
- first customer ship<br />
<br />
Go-live options are as follows<br />
<br />
- Big bang<br />
- Pilots<br />
- Phased implementation<br />
- Parallel systems<br />
<br />
<strong>Operational Management</strong> (published 2013-01-11)<br />
<br />
Conducting the operation and maintenance of computer equipment and services. Comprises<br />
<br />
- Production cycle (e.g deployment of patches, upgrades and installations)<br />
- Back-up management<br />
- Batch management<br />
<br />
<strong>IT Roles</strong> (published 2013-01-11)<br />
<br />
A typical information technology department would encompass the following roles: <br />
<ul>
<li><a href="http://informationsystemsauditing.blogspot.com/2013/01/system-development.html" target="_blank">System Development</a></li>
<li>Technical support (may include helpdesk or be combined with network management)</li>
<li><a href="http://informationsystemsauditing.blogspot.com/2013/01/operational-management.html" target="_blank">Operational Management</a></li>
<li><a href="http://informationsystemsauditing.blogspot.com/2013/01/network-management.html" target="_blank">Network Management</a> (access management, capacity management) </li>
<li>E-skills</li>
<li>Database Management </li>
</ul>
<br />
<strong>Firewalls</strong> (published 2013-01-11)<br />
<br />
Firewalls are hardware or software used to filter traffic between networks. Often a firewall is used to control traffic from the internet to the organisation's network, but this need not be the case. <br />
<br />
The firewall can be configured to deny all with exceptions or to accept all with exceptions. The former is the more secure, but bear in mind the costs associated with checking false negatives. The objectives of the firewall ought to be documented. These might include: <br />
<br />
- Rules about no services being run on the firewall other than those required to provide firewall services<br />
- What may or may not be allowed to cross the firewall. <br />
<br />
Public services should be placed on the outside of the firewall to prevent denial of service threats affecting the internal network. <br />
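As an added illustration (not code from the original post), the following Python models the two postures described above over constructed sample flows. Under deny-all-with-exceptions, a flow that matches no explicit allow rule is blocked, including a service nobody thought to write a rule for; under accept-all-with-exceptions, only the listed services are blocked and anything unlisted passes. A second function checks a constructed list of services listening on the firewall host against the documented approved set, the first of the documented objectives above. All addresses, ports, rule sets and service names are constructed for the example.

```python
"""Two firewall postures evaluated over constructed sample traffic.

Rule sets, addresses and service names are constructed for illustration;
they are not taken from any real firewall configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    src: str = "any"     # "any" or an address prefix such as "10.0." (constructed matcher)


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dport: int

    def key(self) -> str:
        return f"{self.src}:{self.proto}/{self.dport}"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Protocol, destination port and (optionally) source prefix must all agree."""
    return (rule.proto == flow.proto
            and rule.dport == flow.dport
            and (rule.src == "any" or flow.src.startswith(rule.src)))


def decide(rules, default_action: str, flow: Flow) -> str:
    """First-match semantics: the first matching exception wins, else the posture's default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default_action


# Posture 1: deny all, with explicit allow exceptions.
DENY_ALL_EXCEPTIONS = [
    Rule("allow", "tcp", 443),          # public HTTPS
    Rule("allow", "tcp", 25),           # inbound mail
    Rule("allow", "tcp", 22, "10.0."),  # admin SSH only from the internal range
]

# Posture 2: accept all, with explicit deny exceptions.
ACCEPT_ALL_EXCEPTIONS = [
    Rule("deny", "tcp", 23),   # telnet
    Rule("deny", "tcp", 445),  # SMB
]

# Constructed sample traffic (203.0.113.0/24 is a documentation range standing in for the internet).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "tcp", 443),
    Flow("203.0.113.5", "tcp", 23),
    Flow("203.0.113.9", "tcp", 8080),  # a service nobody wrote a rule for
    Flow("10.0.4.2", "tcp", 22),
    Flow("203.0.113.7", "tcp", 22),
]


def default_deny_decisions() -> dict:
    """Decision per sample flow under deny-all-with-exceptions."""
    return {f.key(): decide(DENY_ALL_EXCEPTIONS, "deny", f) for f in SAMPLE_FLOWS}


def default_allow_decisions() -> dict:
    """Decision per sample flow under accept-all-with-exceptions."""
    return {f.key(): decide(ACCEPT_ALL_EXCEPTIONS, "allow", f) for f in SAMPLE_FLOWS}


def unapproved_firewall_services(listening, approved) -> set:
    """Services running on the firewall host that are not on the documented approved list."""
    return set(listening) - set(approved)


if __name__ == "__main__":
    for posture, decisions in (("deny all with exceptions", default_deny_decisions()),
                               ("accept all with exceptions", default_allow_decisions())):
        print(posture)
        for key, action in decisions.items():
            print(f"  {key:>24}  {action}")
    # Constructed inventory of what is listening on the firewall host versus what the policy permits.
    print("unapproved on firewall host:",
          unapproved_firewall_services(["sshd", "syslogd", "httpd", "ntpd"],
                                       {"sshd", "syslogd", "ntpd"}))
```

The unlisted port 8080 flow is the point of the comparison: it is denied under the first posture and allowed under the second, which is why the post calls the former more secure. The cost the post mentions shows up as the admin SSH attempt from the internet range, which the deny-all rule set blocks and someone then has to review.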
<br />
Behind the firewall a demilitarised zone can be created. In this zone, the types of software tools operating may include the following; <br />
<br />
- Hostile applet scare<br />
- Authentication software for users trying to access the LAN remotely or from the internet.<br />
- Net nanny<br />
- Virus scanner <br />
<br />
An alternative way of controlling traffic from the internet is an air gap, in which just one computer is connected to the internet. Items are screened there before being transmitted via a mobile device to computers on the internal network. This has the disadvantage of being slower. <br />
<br />
<strong>Hardware</strong> (published 2013-01-11)<br />
<br />
Hardware consists of tangible pieces of computer equipment. <br />
<br />
It includes mainframes, servers, desktops, UPS, mobile devices and <a href="http://informationsystemsauditing.blogspot.com/2013/01/firewalls.html" target="_blank">firewalls</a>. <br />
<br />
Hardware risks arise from physical and logical contact. <br />
<br />
Examples of these risks are as follows which I have separated into overt and surreptitious actions. <br />
<br />
Overt <br />
<ul>
<li>Vandalism</li>
<li>Adjust hardware settings</li>
<li>Theft of entire item or components like memory chips</li>
</ul>
Surreptitious<br />
<ul>
<li>Spying (by attaching devices like keystroke loggers to capture information input to the computer)</li>
<li>Crashing the system </li>
<li>Access software and data for copying, deletion, alteration or transmission to another location</li>
<li>Malicious code</li>
</ul>
<br />
<strong>IT Equipment</strong> (published 2013-01-11)<br />
<br />
These can be categorised as <a href="http://informationsystemsauditing.blogspot.com/search?q=hardware#!/2013/01/hardware.html" target="_blank">hardware</a>, <a href="http://informationsystemsauditing.blogspot.com/2013/01/software.html">software</a> and peripherals. <br />
<br />
<strong>Features Of A Good IT Security System</strong> (published 2013-01-11)<br />
<br />
<strong>Culture</strong> (published 2013-01-11)<br />
<br />
<strong>Segregation of Duties</strong> (published 2013-01-11)<br />
<br />
Here are some segregation of duties ideas<br />
<br />
- Developers should never have access to production data. <br />
- Logical access should never be approved by those setting up user profiles<br />
- Application/operation managers should not be responsible for network controls<br />
- Database access monitoring should be performed by an independent party. <br />
- Dual control over deletions and other significant changes should be considered. <br />
<br />
<strong>Monitoring Ideas</strong> (published 2013-01-11)<br />
<br />
<strong>Application Controls</strong> (published 2013-01-11)<br />
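The segregation of duties ideas listed above are the kind of rule an auditor turns into a repeatable check over an entitlement inventory. The following Python is an added example, not from the original post: it encodes the developer/production, application manager/network control and DBA/monitoring conflicts as toxic entitlement combinations, flags access requests approved by the same person who set up the user profile, and flags deletions that lack an independent second approver. The users, entitlement names, request and change identifiers are constructed for the example.

```python
"""Segregation of duties checks over a constructed entitlement inventory.

Users, entitlement names and record identifiers are constructed for
illustration; the conflict rules follow the ideas listed in the post.
"""

# Constructed inventory: user -> set of entitlements held.
ASSIGNMENTS = {
    "alice": {"developer", "prod_data_read"},
    "bob":   {"user_profile_admin"},
    "carol": {"app_manager", "network_admin"},
    "dave":  {"dba", "db_access_monitor"},
    "erin":  {"developer"},
}

# Toxic combinations: holding every entitlement in the set breaches the stated rule.
CONFLICTS = [
    ({"developer", "prod_data_read"},
     "Developers should never have access to production data"),
    ({"developer", "prod_data_write"},
     "Developers should never have access to production data"),
    ({"app_manager", "network_admin"},
     "Application/operation managers should not be responsible for network controls"),
    ({"dba", "db_access_monitor"},
     "Database access monitoring should be performed by an independent party"),
]

# Constructed access-request records: (request id, who set up the profile, who approved access).
ACCESS_REQUESTS = [
    ("REQ-1001", "bob", "frank"),
    ("REQ-1002", "bob", "bob"),    # profile creator approved the access themselves
    ("REQ-1003", "bob", "grace"),
]

# Constructed deletion records: (change id, who performed it, second person who authorised it or None).
DELETIONS = [
    ("CHG-0401", "dave", "grace"),
    ("CHG-0402", "dave", None),    # no second pair of eyes at all
    ("CHG-0403", "dave", "dave"),  # "second" approver is the same person
]


def toxic_combinations(assignments=ASSIGNMENTS):
    """Return (user, rule) pairs for every user holding a conflicting entitlement set."""
    findings = []
    for user, held in sorted(assignments.items()):
        for combo, rule in CONFLICTS:
            if combo <= held:
                findings.append((user, rule))
    return findings


def self_approved_requests(requests=ACCESS_REQUESTS):
    """Logical access approved by the same person who set up the user profile."""
    return [req_id for req_id, set_up_by, approved_by in requests
            if set_up_by == approved_by]


def dual_control_gaps(deletions=DELETIONS):
    """Significant changes lacking a genuinely independent second approver."""
    return [chg_id for chg_id, performed_by, second in deletions
            if second is None or second == performed_by]


if __name__ == "__main__":
    for user, rule in toxic_combinations():
        print(f"SoD conflict for {user}: {rule}")
    print("self-approved access requests:", self_approved_requests())
    print("deletions without dual control:", dual_control_gaps())
```

Each check returns its findings rather than printing them, so the same functions can be fed an exported entitlement report and their output attached to audit working papers.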