
B6 - IT Notes

Becker’s CPA Course
Business Environment and Concepts
Version 4.0
Lydia McCracken
B6:M3 – B6:M6
Contents
B6:M3 – The Role of IT in Business
B6:M4 – Data Management and Analytics
B6:M5 – System Development and Change Management
B6:M6 – IT Risks and Responses
B6:M3 – The Role of IT in Business
(1) The Role of IT in Business
Systematic implementation of hardware and software so that data can be transmitted, modified, accessed, and stored.
(2) IT Infrastructure
Multiple, interconnected technological components, with the infrastructure involving a combination of on-premise and outsourced hardware, software, and specialized personnel.
• Hardware → Physical components of computers and computer-related accessories
• Infrastructure Housing → Facilities and the safeguards on those facilities that contain hardware
• Networking Devices → Enable connectivity and communication between devices on a computer network
  o Routers: Manage network traffic and determine the most efficient path through the network for a packet to travel.
  o Switches (Power Strip): Similar to routers; connect and divide devices within a computer network. Do not perform as many advanced functions as a router.
  o Gateway: Acts as an intermediary between different networks and transforms data from one protocol to another. A protocol is a rule or set of rules that governs the way in which information is transmitted.
  o Servers: Coordinate the computers, programs, and data that are part of the network. A client sends a request to the server, and the server provides a response or executes some action.
  o Firewall: Software or hardware that protects a person’s or a company’s network traffic by filtering it through security protocols with predefined rules.
    ▪ Circuit-Level Gateways: Verify the source of a packet and that it meets the rules and policies set by the security team.
    ▪ Network Address Translation (NAT) Firewalls: Assign an internal network address to specific approved external sources.
    ▪ Stateful Multilayer Inspection Firewalls: Combine the two firewalls above.
    ▪ Next-Generation Firewalls: Apply different firewall rules to different applications as well as users.
• Software → Applications, procedures, or programs that provide instructions for a computer to execute.
• Networks → A group of computers and other machines that are interconnected electronically using a series of networking devices.
  o Local Area Network (LAN): Limited geographic area
  o Wide Area Network (WAN): Connects other networks such as LANs together to provide broad coverage.
• Mobile Technology → Technology that travels! Allows organizational activities to occur in real time. An extension of mobile technology is IoT (Internet of Things), which typically requires either Bluetooth or internet (such as Google Home).
(3) The Role of Management Information Systems (MIS)
Enables companies to use data as part of their strategic planning process as well as the tactical execution of that strategy.
• Accounting Information System (AIS) → Collects, records, and stores accounting information, then compiles that information using accounting rules to report both financial and nonfinancial information to decision makers. Also creates an audit trail for accounting transactions.
  o AIS Subsystems:
    ▪ Transaction Processing System (TPS): Converts economic events to financial transactions and distributes the information
    ▪ Financial Reporting System (FRS) or General Ledger System (GLS): Aggregates daily financial information from the TPS. Enables timely regulatory and financial reporting
    ▪ Management Reporting System (MRS): Information to solve day-to-day business problems.
  o Functions of an AIS:
    ▪ Collect, record, and store data and transactions
    ▪ Transform data into information through compilation and reporting
    ▪ Safeguard and maintain data integrity
• Decision Support System (DSS) → Interactive tools to support day-to-day decision making
  o “What-if” Scenarios: Often used for forecasting activities of managerial importance
  o Artificial Intelligence: An expert system is designed to mimic the knowledge and decision-making abilities of the users who employ it so that decisions can be automated.
• Executive Information Systems (EIS) → Provide senior executives with immediate and easy access to internal and external information to assist in strategic decision making. Often present data in high-level reports and visualizations that allow for big-picture decision making to ensure alignment with overall strategic objectives.
  o Data in an AIS is often processed and aggregated to become inputs to a DSS and an EIS to enable management to make data-driven decisions.
• Customer Relationship Management (CRM) System → Enables organizations to monitor and manage interactions between the organization and its past, current, and potential customers.
  o CRM Objectives:
    ▪ Enhance existing customer satisfaction
    ▪ Attract new customers
    ▪ Targeted marketing
    ▪ Anticipate customer needs
    ▪ Enable cross-selling and upselling
    ▪ Forecast sales and manage sales staff
    ▪ Manage sales leads
  o CRM Strategies:
    ▪ Create customer profiles
    ▪ Personalized experiences and promotions
    ▪ Automate recommendations and cross-selling opportunities
  o CRM Benefits:
    ▪ Increase customer service
    ▪ Increase revenue/profits
    ▪ Make offerings that are perceived by the consumer to be tailored and unique to them
  o Types of CRM:
    ▪ Operational CRM → Generates leads and converts them into customers
    ▪ Analytical CRM → Insights to management to aid in the decision-making process
    ▪ Collaborative or Strategic CRM → Collaboration and sharing of customer information across functions such as sales, marketing, and support teams.
• Inventory Management → Assists with tracking procurement and distribution of inventory items. Usually connected to a point-of-sale (POS) system.
• Knowledge Management System (KMS) → IT system that disseminates knowledge related to the organization.
• Supply Chain Management (SCM) → Unifies business processes beginning with the original supplier and ending with the customer.
  o SCM Objectives: Achieving flexibility and responsiveness in meeting the demands of customers and business partners (Planning → Sourcing → Making → Delivery)
  o SCM Benefits:
    ▪ Enhanced control
    ▪ Reduced cash tied up in inventory
    ▪ Increased cash flow and its predictability
    ▪ Improved forecasting for procurement, delivery, and production
• Enterprise Resource Planning (ERP) → Cross-functional systems that are utilized to support different business functions and allow for the integration of information across departments.
  o ERP Benefits:
    ▪ Stores information in a central repository
    ▪ Acts as the framework for integrating and improving the organization's ability to monitor and track sales
    ▪ Provides vital cross-functional information
    ▪ Improves customer service
    ▪ Allows greater access controls
  o ERP Disadvantages:
    ▪ Time to successfully implement
    ▪ Extremely cost prohibitive
    ▪ Integration of all the business units can be complex
    ▪ Significant changes to the business processes
• Enterprise Performance Management (EPM) → Also known as Business Performance Management (BPM) or Corporate Performance Management (CPM). Solutions designed to help executives make strategic decisions.
  o EPM is more management-process focused, whereas ERP is more focused on operational practice.
• E-Commerce → Facilitates the sale of goods and services using the internet.
  o Types of e-commerce:
    ▪ Business-to-Business (B2B): Buying and selling of goods and services between business entities
    ▪ Business-to-Consumer (B2C): Businesses interface with and sell goods to their consumers
    ▪ Consumer-to-Business (C2B): Reversal of the traditional buying and selling model
    ▪ Consumer-to-Consumer (C2C): Online marketplace in which individual consumers buy and sell goods with each other.
    ▪ Government E-Commerce: Between the government and any other entity
  o Electronic Funds Transfer (EFT) systems: An EFT system uses an online network and a variety of technologies to transact, process, and verify money transfers and credits among banks, businesses, and consumers
(4) IT Outsourcing and Cloud Computing
• Cloud Computing → Renting storage space, processor power, proprietary software, or a combination of the three, on remote servers from another company rather than buying or building those components.
  o Infrastructure-as-a-Service (IaaS): Outsources any of the servers, storage, hardware, networking services, and networking components to third-party providers, and is generally billed on a per-use basis.
  o Platform-as-a-Service (PaaS): Rent tools or solutions remotely that are used to fulfill a specific business purpose.
  o Software-as-a-Service (SaaS): The company hosts subscription-based software services delivered to customers through licensing or service delivery.
• IT Outsourcing Advantages
  o Lower costs: Pay for what they need
  o Expertise: The organization gains access to IT experts on a fractional cost basis
  o Resources: Specialized, high-quality resources
  o Enhanced focus on the core business
• IT Outsourcing Disadvantages
  o Less control: Loses some control over how the IT functions are performed and grants the outsourced firm access to sensitive information
  o Quality control
  o Immediate access to IT support: Perceived lack of access to IT personnel
• Outsourcing Risks
  o Security and privacy practices
  o Data access ability
  o Data disposal
  o Vulnerability to attacks
• System and Organization Controls (SOC)
  o SOC 1® → Statement on Standards for Attestation Engagements (SSAE) 18. Assurance that the service organization’s controls are designed and operating effectively so that the financial statements are not negatively impacted.
    ▪ Type 1: Fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls
    ▪ Type 2: Also reports on the operating effectiveness of the controls to achieve the related control objectives
  o SOC 2® → SSAE 18. Attestation concerning controls as they relate to security, processing integrity, availability, and privacy (also has Type 1 and Type 2 reports)
  o SOC 3® → Attestation concerning controls as they relate to security, processing integrity, availability, and privacy. However, this report is for companies that do not have the knowledge required to make effective use of a SOC 2® report.
B6:M4 – Data Management and Analytics
(1) The Evolving Role of Big Data in the Decision-Making Process
• Data: Fact, occurrence, instance, or an otherwise measurable observation.
• Big Data: Corporate accumulation of massive amounts of data that can be used for analysis, commonly referred to as data analytics.
• Dimensions of Big Data (5 Vs)
  o Volume → Quantity or amount of data points
  o Velocity → Speed of data accumulation or data processing
  o Variety → Range of data types being used (structured, unstructured, semi-structured)
  o Veracity → Reliability, quality, or integrity of the data
  o Value → Insights Big Data can yield
• Big Data Governance: Comes with challenges, such as ethical and legal concerns pertaining to the organization itself, employees, customers, and stakeholders.
  o Big Data Confidentiality → Safeguarded to protect it from unauthorized access and exploitation
  o Big Data Privacy → Customer and patient data must be safeguarded from unauthorized access to meet customer privacy expectations as well as regulatory requirements
  o Big Data Ethics → Understand the ethical implications at every step of the data lifecycle. Make sure authorized personnel are granted the minimum level of access to data necessary to perform their functions. Attempt to eliminate bias in the algorithms applied to decision support models.
  o Governance Responsibility → Should be led by a designated individual, should have input from leaders across the organization, and should be periodically updated as necessary
(2) Data Management
• Storing Data in Relational Databases: One of the most efficient and effective methods for many use cases is to store data in a relational database.
  o Relational Databases → Allow data to be stored in different tables, and the tables are linked through relationships using key fields.
• Relational Database Concepts
  o Tables → Establish columns and rows to store specific types of data records
  o Attributes (Columns) → Describe the characteristics or properties
  o Records (Rows) → A record contains information about one entity within the table.
  o Fields → Intersection of a column and a row in which data is entered (data values)
  o Data Types → Category of data
  o Database Keys → Unique identifiers that create relationships within a relational database
    ▪ Primary Key: Unique identifier for a specific row, made up of one or more attributes.
    ▪ Foreign Key: Attributes in one table that are also primary keys in another table.
  o Relationships → Link between a primary key in one table and a foreign key in another table.
  o Data Dictionary → Provides information about the data in a database. Typically lists each attribute and denotes the features and limitations of that attribute.
  o Database Views
    ▪ Logical Database View: How the data appears to a user
    ▪ Physical Database View: How the data is actually stored
  o Data Queries and Reports → Extracting data is typically done via query tools
(3) Extract, Transform, and Load (ETL)
• Data Extraction: Automated process, semi-automated process, or manual extraction. The native source and the means of accessing the data must be determined; this will dictate the tools needed for designing the overall process of extraction.
  o Data Identification → Understand the issue the business is trying to address to ensure that the data request has the proper scope to resolve it.
  o Obtaining Data → If the ETL process is automated, an API will most likely be designed.
    ▪ Requesting the Data: The recipient of the request must be provided with full details of what is needed, including the data file, type, format type, and required attributes.
    ▪ Manual Extraction: A person may have to use specialized data mining software or write customized queries to obtain the data.
• Transforming Data: Taking the often unstructured data, cleaning it, and validating it to ensure it is accurate and ready for analysis.
• Loading the Data: Load the data into a software program for analysis or into a data storage location.
  o Data Storage
    ▪ Operational Data Store: Captures data from operational activities from a variety of input systems.
    ▪ Data Warehouse: Very large data repositories that are centralized and utilized for reporting and analysis rather than for transaction purposes.
    ▪ Data Mart: Like a data warehouse but more focused on a specific purpose such as marketing or logistics, and often a subset of a data warehouse.
    ▪ Data Lake: Similar to a data warehouse, but it contains both structured and unstructured data, with data mostly being in its natural or raw format.
  o Data Storage Requirements
    ▪ Entity Integrity: Each table must have a unique primary key as a record identifier
    ▪ Referential Integrity: A change to a primary key in one table must also cause a change to any related foreign key in a table that is linked.
  o Storage Attributes
    ▪ Relevance
    ▪ Elements to be included and excluded
    ▪ Relationships between elements, including validity, completeness, and accuracy
  o Types of Loading
    ▪ Initial Full Loading: The entire data set is loaded into the repository
    ▪ Incremental Loading: Only the difference between existing data and new data is loaded
    ▪ Full Refresh Loading: The entire data set is loaded into the repository, replacing the previous load
  o Verification: Vital to validate the load to ensure no data was lost in the process
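Added example, not part of the Becker notes: the entity and referential integrity rules and the three loading types described above, run against an in-memory SQLite repository with Python's standard sqlite3 module. The vendor/invoice tables and sample rows are constructed for illustration, and the verification step is the row-count and total check a loader would run after each load.

```python
# Added example (not from the Becker notes): entity and referential integrity
# plus the three ETL loading modes, using Python's built-in sqlite3 module.
# Table names, columns and sample rows are constructed for illustration.
import sqlite3

# Constructed sample extracts: a vendor master and the invoices referencing it.
VENDORS_INITIAL = [(1, "Acme Supply"), (2, "Globex Corp")]
INVOICES_INITIAL = [(101, 1, 250.00), (102, 2, 900.00)]
INVOICES_NEW = [(103, 1, 75.50)]  # incremental batch: only what is new
VENDORS_REFRESHED = [(1, "Acme Supply"), (2, "Globex Corp"), (3, "Initech")]


def open_repository():
    """In-memory repository; sqlite3 ignores FOREIGN KEY clauses unless the pragma is on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    # Entity integrity: vendor_id is the unique primary key of every vendor row.
    conn.execute("CREATE TABLE vendor (vendor_id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Referential integrity: invoice.vendor_id must exist in vendor, and a change
    # to the vendor primary key is cascaded to every linked foreign key.
    conn.execute("""CREATE TABLE invoice (
        invoice_id INTEGER PRIMARY KEY,
        vendor_id INTEGER NOT NULL REFERENCES vendor(vendor_id) ON UPDATE CASCADE,
        amount REAL NOT NULL)""")
    return conn


def initial_full_load(conn, vendors, invoices):
    """Initial full load: the entire extract goes into the empty repository."""
    with conn:  # one transaction; commits on success, rolls back on error
        conn.executemany("INSERT INTO vendor VALUES (?, ?)", vendors)
        conn.executemany("INSERT INTO invoice VALUES (?, ?, ?)", invoices)


def incremental_load(conn, new_invoices):
    """Incremental load: only rows not already present are added."""
    with conn:
        conn.executemany("INSERT OR IGNORE INTO invoice VALUES (?, ?, ?)", new_invoices)


def full_refresh_load(conn, vendors):
    """Full refresh: make the vendor table match the new extract exactly."""
    with conn:
        for vendor_id, name in vendors:
            updated = conn.execute("UPDATE vendor SET name = ? WHERE vendor_id = ?",
                                   (name, vendor_id)).rowcount
            if updated == 0:
                conn.execute("INSERT INTO vendor VALUES (?, ?)", (vendor_id, name))
        marks = ",".join("?" * len(vendors))
        conn.execute(f"DELETE FROM vendor WHERE vendor_id NOT IN ({marks})",
                     [v[0] for v in vendors])


def verify_load(conn, expected_invoices):
    """Verification: row count and amount total must match the extract, and no
    stored row may violate a foreign key."""
    count, total = conn.execute("SELECT COUNT(*), SUM(amount) FROM invoice").fetchone()
    orphans = conn.execute("PRAGMA foreign_key_check").fetchall()
    return (count == len(expected_invoices)
            and abs(total - sum(r[2] for r in expected_invoices)) < 1e-9
            and not orphans)


def entity_integrity_enforced(conn):
    """A second row with an existing primary key must be rejected."""
    try:
        conn.execute("INSERT INTO vendor VALUES (1, 'Duplicate of Acme')")
        return False
    except sqlite3.IntegrityError:
        return True


def referential_integrity_enforced(conn):
    """Orphan foreign keys are rejected, and a primary-key change cascades."""
    try:
        conn.execute("INSERT INTO invoice VALUES (999, 99, 1.0)")  # no vendor 99
        return False
    except sqlite3.IntegrityError:
        pass
    before = conn.execute("SELECT COUNT(*) FROM invoice WHERE vendor_id = 1").fetchone()[0]
    conn.execute("UPDATE vendor SET vendor_id = 10 WHERE vendor_id = 1")
    after = conn.execute("SELECT COUNT(*) FROM invoice WHERE vendor_id = 10").fetchone()[0]
    return before > 0 and before == after


def run_pipeline():
    """Run the three loads in order; report verification and integrity results."""
    conn = open_repository()
    initial_full_load(conn, VENDORS_INITIAL, INVOICES_INITIAL)
    initial_ok = verify_load(conn, INVOICES_INITIAL)
    incremental_load(conn, INVOICES_NEW)
    incremental_ok = verify_load(conn, INVOICES_INITIAL + INVOICES_NEW)
    full_refresh_load(conn, VENDORS_REFRESHED)
    vendors = conn.execute("SELECT COUNT(*) FROM vendor").fetchone()[0]
    return {"initial_ok": initial_ok, "incremental_ok": incremental_ok,
            "vendors_after_refresh": vendors,
            "entity_integrity": entity_integrity_enforced(conn),
            "referential_integrity": referential_integrity_enforced(conn)}
```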
(4) Data Analytics
• Process of taking raw data, identifying trends, and then transforming that knowledge into insights that can help solve complex business problems. Once the ETL process has been performed, data analytics can be utilized for a variety of tasks, including validation, planning, insights, risk mitigation, and decision support.
• Types of Data Analytics
  o Descriptive Analytics: What happened.
    ▪ Observing summary statistics
    ▪ Storing the data
    ▪ Analyzing data based on distinguishing characteristics
  o Diagnostic Analytics: Why the event happened
    ▪ Performing a drill-down analysis
    ▪ Performing cluster or profile analysis
    ▪ Performing correlation analysis
    ▪ Performing sequence checks
  o Predictive Analytics: Transitioning insight into foresight
    ▪ Regression analysis
    ▪ Classification analysis
    ▪ Decision tree
  o Prescriptive Analytics: How to shape a desired event
    ▪ Artificial intelligence and machine learning
    ▪ Scenario modeling or “what-if” analysis
B6:M5 – System Development and Change Management
(1) Evolving the IT Infrastructure: Organizations update their IT infrastructure over time to keep pace with shifts or to be early adopters.
(2) Change Management Overview: Policies, procedures, and resources employed to govern change in an organization.
• The Change Management Process
  o Identify and define the need
  o Design a high-level plan including goals
  o Approval from management
  o Appropriate budget and timeline
  o Assign personnel
  o Identify and address potential risks
  o Implementation road map
  o Necessary resources, including IT, and train the appropriate personnel
  o Test the change
  o Execute the implementation plan
  o Review and monitor the change, testing as needed
(3) Change Management Risks
• Selection and Acquisition Risks
  o Lack of expertise
  o Lack of a formal selection and acquisition process
  o Software/hardware vulnerability and incompatibility
• Integration Risks
  o User resistance
  o Lack of management support
  o Lack of stakeholder support
  o Resource concerns
  o Business disruption
  o Lack of system integration
• Outsourcing Risks
  o Lack of organizational knowledge
  o Uncertainty of the third party’s knowledge and management
  o Lack of security
(4) Change Management Controls
• Change Management and New Systems Controls: Controls are designed to minimize the possibility that the inherent risks will cause business disruptions or negatively impact IT systems.
  o Policies & Procedures: Clear change management guidelines, from selection to integration and maintenance
  o Emergency Change Policies: Separate contingency policies and procedures
  o Standardized Change Requests: Using consistent forms and request protocols
  o Impact Assessment: Documentation noting the effect a change will have
  o Authorization: Designated levels of authority
  o Separation of Duties: Will help protect against assets or information being utilized improperly
  o Conversion Controls: Minimize data conversion errors related to the impacted IT assets
  o Reversion Access: In case of unexpected complications, the ability to revert to the prior system or process that existed before the change.
    ▪ Can be accomplished via parallel implementation.
  o Pre-implementation Testing: Determine if the change is functioning properly and there are no irregularities.
  o Post-implementation Testing: Reconciling transactions processed in the new environment against the same transactions that were processed in the previous environment.
  o Ongoing Monitoring: Continuous periodic reviews
• Outsourcing Controls
  o Outsourcing policies and procedures
  o System and organization controls (SOC) reports
  o Utilize key performance indicators (KPIs)
(5) Managing Risks of System Development
• System Development Life Cycle
  o Waterfall Model: Different teams of employees perform separate tasks in sequence. Some challenges associated with this model:
    ▪ Great deal of time to complete
    ▪ Benefits not utilized until complete
    ▪ No customer input, and change can be difficult to manage
    ▪ Some employees may be idle
  o Plan: Evaluates the needs for a new or improved information system.
  o Analyze: Information is gathered from all vital stakeholders. Compile and analyze all the needs of the end users to establish specific and detailed goals.
  o Design: Start with high-level conceptual designs. Creation of the technical implementation plan. Individual technologies are evaluated and selected.
    ▪ Conceptual Design → Broad translation of the business requirements
    ▪ Logical Design → Hardware/software specifications
    ▪ Physical Design → More granular platform and product specifications
  o Develop: Buildings and rooms are prepared, hardware is purchased and delivered, and programmers create proprietary software to run the company’s new product if applicable.
  o Test: The system is checked for adherence to the business requirements.
    ▪ Backward-looking testing → Tests against the initial requirements
    ▪ Forward-looking testing → Conducted to see how well employees and customers can perform tasks (user-acceptance testing)
  o Deploy: Choose and document an implementation strategy
    ▪ Plunge or Big Bang → Immediately deliver to all customers and clients (lowest cost, highest risk)
    ▪ Ramped (Rolling, Phased) Conversion → Portions of the new system replace corresponding parts of the old system (above-average cost, below-average risk)
    ▪ A/B Testing (Pilot, Canary) → A subset of users gets the new system first (average cost, average risk)
    ▪ Blue/Green (or Other Pair of Colors), or Shadow → The new system is fully deployed in parallel with the old system (highest cost, lowest risk)
  o Maintain: Ongoing adjustments and improvements
• Systems Development and New System Risks
  o Resource Risk: Expensive and time-consuming. Risk that the allocation of resources related to finance, labor, or time is insufficient.
  o Scheduling Risk: Uncertainty pertaining to the timeline and schedule. Work backwards to establish milestones in the timeline.
  o Technical Risk: Systems development is driven by the need for new or updated technology that requires technical knowledge. The organization may not be adequately staffed to handle problems that require strong technical knowledge. If the technical design and functionality do not align with user needs and the organizational strategies, this misalignment may require significant rework.
  o Project Management Risk: The team does not have clearly defined leadership, team member roles, responsibilities, and project goals.
  o User Resistance Risk: Employees will not accept the system: refusal to use the new system, treating the system as a scapegoat for any issues that arise, blatantly damaging components of the system.
(6) Managing Risk of Legacy System
• Legacy System: Outdated technology or system already in service. The benefits of maintaining a legacy system versus phasing it out and replacing it usually do not outweigh the risks of keeping the system.
• Reasons for Persistence of Legacy Systems
  o Costs
  o Time
  o User resistance
  o Features and customization
  o Risk of information loss
• Risks of Legacy Systems
  o Security Vulnerability: May be extremely vulnerable regarding security
  o Lack of Vendor Support: Eventually, support will end, and new vulnerabilities may not be discovered in a timely manner.
  o Compatibility Issues: Incompatible with modern systems
  o Lack of Efficiency and Effectiveness: Not able to compare with the speed/reliability of a modern system.
• Mitigating Risks of Legacy Systems
  o Isolating the System: Isolating the risky legacy system from other systems
  o Hardening: Turning off any unnecessary features
  o Virtual Patches: Could be applied at the network level
  o Monitoring: Frequent review and monitoring of legacy systems
(7) Information Systems and Change Management Testing Strategies
• Purpose of Testing
  o Whether the software is operating as expected
  o Discovers errors, defects, missing components, and gaps in the software
  o Meets the business and users’ requirements
• Software Testing Process
  o Testing plan
  o Identify and prioritize the key areas
  o Which type of test
  o Execute
  o Results and identify defects
  o Report the findings
• Guidelines for Successful Testing
  o Emphasize rapid cycles that identify major bugs
  o Build robust automated testing
  o Formal technical reviews
  o Continuous testing approach
• Types of Tests
  o Unit Tests: Validate the smallest components; isolate each part of the program and show that each part is functioning properly and as designed.
  o Integration Tests: Whether the units, once they are combined, function as designed together.
  o System Tests: Evaluate the system as a whole. Determine whether it meets the functional and technical specifications in addition to any specified quality.
    ▪ Functional Tests: Validate that functions are working effectively and efficiently
    ▪ Black-Box Testing: Testers focus on testing the system in the same manner an end user would and validate outcomes
    ▪ White-Box Testing: Provides the user with many details and is focused on code and design improvement.
    ▪ Exploratory Tests: Less-common or exception-based situations with no specified test cases
    ▪ Performance Testing: Tests the run-time (speed) performance of software when processing the required workload.
    ▪ Recovery Testing: Ability to recover from failures
    ▪ Security Testing: Rerun previous test cases after new features or functionalities have been incorporated.
    ▪ Regression Tests: Rerun previous test cases after new features or functionalities have been incorporated
    ▪ Stress Testing: How well it deals with abnormal resource demands.
    ▪ Sanity Testing: Exercises the logical reasoning and behavior of the software to determine whether system logic is functioning as designed.
  o Acceptance Tests: Whether the software works correctly for the intended user in the normal work environment. The QA team has a set of prewritten scenarios and test cases that are used to test the application.
    ▪ Alpha Test: Tested by the customer under the supervision of the developer at the developer’s site.
    ▪ Beta Test: Tested by the customer at his or her own site without the developer being present.
• Change Management Testing: Testing of the change process and controls both within the organization and outside the organization.
  o Inspecting policies and procedures
  o Reviewing controls and testing whether they are designed and operating effectively
• Testing the Change: Organizations may test the actual change!
• Testing Outsourced Changes: If the change management process was outsourced, then the same testing that would be performed for an internally performed change should be executed.
B6:M6 – IT Risks and Responses
(1) Understanding IT Risks
• The overall process for understanding how risks can be identified and addressed is the security life cycle.
• Security Life Cycle:
  o Identify: What assets exist; identify and document the risks
  o Assess: Likelihood of the risks and level of the impact of that threat
  o Protect: Mitigation strategies. Developing and communicating security policies and procedures and developing and implementing controls.
  o Monitor: Continually monitor for new risks and ensure that current risk mitigation efforts are still effective.
(2) Identifying IT Risks
• Technology Risk: Disruption to business as a result of any information technology activity
  o Security Risk: Unauthorized access to or use of an organization’s information technology
  o Availability Risk: The organization will not be able to access and utilize its information technology as needed.
  o Operational Risk: The organization is unable to operate effectively or efficiently due to issues concerning information technology.
  o Financial Risk: Risk of losing financial resources as a result of them being misused, lost, wasted, or stolen.
  o Compliance Risk: IT not sufficiently meeting the requirements of regulatory bodies.
  o Strategic Risk: Risk of misalignment of business and IT strategies.
• Types of IT Threats
  o Natural and political disasters
  o Errors in software and equipment malfunctions
  o Accidental actions
  o Intentional actions
• Risk Management
  o To successfully manage risk, organizations must meet the following three objectives:
    ▪ Integrate the management of IT into the overall risk management
    ▪ Make well-informed decisions about the nature and extent of the risk, the risk appetite, and the risk tolerance of the enterprise.
    ▪ Develop a response to the risk
  o IT Risk Defined: Business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.
• IT Risk Mitigation Strategies and Roles: Starts with the people within the organization. Management must determine what the overall risk appetite is for the organization and develop a security strategy that includes policies and procedures to align that risk appetite with information systems and information technology.
  o The organization must include controls designed to safeguard the confidentiality, integrity, and availability of data.
  o The organization must determine its risk appetite in order to build its information security policies and procedures.
  o A security policy is a document that defines how an organization plans to protect its IT infrastructure and resources, including its tangible and intangible information assets.
  o The goal of a good security policy is to require individuals to protect the IT infrastructure and information.
  o The security policy is communicated to everyone within an organization. Receipt and understanding of the security policy requires either an assessment or an acknowledgement of responsibility and recognition.
(3) The Role and Categorization of IT Controls
• Categories of IT Controls
  o General Controls: Ensure that an organization’s control environment is stable and well-managed
  o Application Controls: Built into typical business processes that use computer applications. Ensure that transactions and data processed through the computer applications are accurate, complete, valid, and authorized.
• Nature of IT Controls
  o Manual Controls: Performed by a person without making direct use of automated systems
  o Automated Controls: Performed by an automated system without the interference of a person
  o IT-Dependent Manual Controls: An individual performing a control function with some use of an IT component (combination)
• Function of IT Controls
  o Preventive Controls: Take precautions to prevent problems
  o Detective Controls: Find and reveal issues or deficiencies not averted by preventive controls
  o Corrective Controls: Identify, repair, restore, and recover from issues that cause damage to a system or process.
(4) System Access and Segregation of Duties
• It is vital that system access controls and segregation of duties exist to mitigate the risks of fraud and error. In a defense-in-depth approach, multiple layers of security controls are implemented to ensure that mitigating controls are in place if other controls fail.
• Logical Access Controls: Utilize software and protocols to monitor and control access to information and an organization’s IT infrastructure.
  o User Access Controls: Identify which users access the system and track their activity while using the system.
  o Authorization Controls: There must be a process to verify the individual who is accessing and utilizing the system
    ▪ Passwords, personal identification numbers (PINs), biometrics, physical tokens, push notifications, multifactor authentication.
• Managing Passwords: The policy must address the following password characteristics – requirement, length, complexity, age, and reuse.
• Access Control Lists: Restrict the access and actions of authenticated users based on granted permissions.
  o Create (or write) access
  o Read only
  o Update access
  o Delete
• Personnel Changes: It is important that their access, authentication, and authorization are modified as appropriate
  o Documented in procedures
  o HR should generate the request
  o Mechanism to disable accounts when an employee leaves the organization
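Added example, not part of the Becker notes: a small Python model of the password policy characteristics (length, complexity, age, reuse), an access control list with create/read/update/delete permissions, and the account-disabling step for a personnel change. The policy values (12 characters, three character classes, 90-day age, five-password history), the user name and its permissions are hypothetical.

```python
# Added example (not from the Becker notes): password policy, ACL permissions
# and offboarding modelled in plain Python. Policy values, users and
# permissions are hypothetical.
import hashlib
import os
from datetime import date

# Hypothetical policy values chosen for the example.
MIN_LENGTH = 12        # length
MIN_CLASSES = 3        # complexity: lower, upper, digit, symbol
MAX_AGE_DAYS = 90      # age
HISTORY_DEPTH = 5      # reuse: remember this many previous passwords
PERMISSIONS = {"create", "read", "update", "delete"}


def hash_password(password, salt):
    """Salted PBKDF2 so the password history never stores cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user, permissions):
        assert set(permissions) <= PERMISSIONS
        self.user = user
        self.permissions = set(permissions)
        self.enabled = True
        self.salt = os.urandom(16)
        self.history = []          # hashes of previous passwords, oldest first
        self.changed_on = None

    def set_password(self, password, today):
        """Return the list of policy rules the new password violates; an empty
        list means it was accepted and recorded."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append("length")
        classes = (any(c.islower() for c in password) + any(c.isupper() for c in password)
                   + any(c.isdigit() for c in password) + any(not c.isalnum() for c in password))
        if classes < MIN_CLASSES:
            problems.append("complexity")
        digest = hash_password(password, self.salt)
        if digest in self.history:
            problems.append("reuse")
        if not problems:
            self.history = (self.history + [digest])[-HISTORY_DEPTH:]
            self.changed_on = today
        return problems

    def password_expired(self, today):
        return self.changed_on is None or (today - self.changed_on).days > MAX_AGE_DAYS


def authorize(account, action, today):
    """ACL check: account enabled, password within its age limit, and the
    requested action among the granted permissions."""
    if not account.enabled or account.password_expired(today):
        return False
    return action in account.permissions


def offboard(account):
    """Personnel change: an HR-initiated request disables the account and
    drops its permissions instead of leaving a dormant login behind."""
    account.enabled = False
    account.permissions.clear()


def demo():
    """Walk one hypothetical accounts-payable clerk through the controls above."""
    clerk = Account("ap_clerk", {"read", "update"})
    results = {}
    results["weak"] = clerk.set_password("short", date(2024, 1, 1))
    results["accepted"] = clerk.set_password("Correct-Horse-42", date(2024, 1, 1))
    results["reused"] = clerk.set_password("Correct-Horse-42", date(2024, 1, 2))
    results["read"] = authorize(clerk, "read", date(2024, 1, 15))
    results["delete"] = authorize(clerk, "delete", date(2024, 1, 15))
    results["stale"] = authorize(clerk, "read", date(2024, 5, 1))   # 121 days old
    offboard(clerk)
    results["after_offboard"] = authorize(clerk, "read", date(2024, 1, 15))
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```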
• Network Security: Security in place to protect the organization’s private network from unauthorized access.
  o Packet-Filtering Firewall: Inspects the header information found in packets of data that travel between the organization’s network and the internet.
  o Application-Based Firewall: Exchange of information but not the direct exchange of packets.
  o Stateful Inspection: Packet header and destination
  o Organizations may also employ intrusion detection systems (IDSs)
o Vulnerability Controls
▪ Hardening: When application or systems are first installed, reduce their surface
vulnerability by turning off features or functions that are not needed.
▪ Patch Management: As vulnerabilities are discovered they should be addressed by
patches (fixes)
▪ Anti-malware Program: Implementing robust procedures around the uses of external
devices, accessing certain websites, and executing suspicious programs, in addition to
installing malware controls to monitor and identify threats.
o Data Encryption: Essential foundation for electronic commerce. Password or a digital key to
scramble a readable message into an unreadable message. Recipient uses another digital key to
decrypt the ciphertext message back into plaintext.
▪ Symmetric Encryption: Sender and recipient use the same key
▪ Asymmetric Encryption: Sender and recipient use different keys
o Digital Certificates: Certify the identity of the owner of a particular public key. Contains that party’s public key.
▪ Public Key Infrastructure (PKI): Refers to the system and processes used to issue and
manage asymmetric keys and digital certificates.
o Digital Signatures use asymmetric encryption to create legally binding electronic documents.
Web-based E-Signatures are an alternative and are provided by vendors as a software product.
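Added example (not part of the Becker notes) contrasting the packet-filtering firewall and stateful inspection described above: both see the same constructed packet headers, but only the stateful firewall can tell a reply to a session the inside opened from an unsolicited inbound packet aimed at the same port. Rule set, addresses and ports are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects (constructed samples, not real traffic)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # set on the first packet of a new TCP connection
    inbound: bool = True   # True when travelling from the internet into the private network

# Stateless rules: (direction, dst_port, action); first match wins, default deny.
# Rule 3 is what a pure packet filter needs so replies to outbound HTTPS sessions
# (which arrive on high client ports) can get back in; it also admits anything else.
FILTER_RULES = [
    ("outbound", 443, "allow"),     # staff may open HTTPS connections
    ("inbound", 25, "allow"),       # the mail server accepts SMTP
    ("inbound", "high", "allow"),   # any inbound packet to a port above 1023
]

def packet_filter(pkt, rules=FILTER_RULES):
    """Packet-filtering firewall: decide from this packet's header alone."""
    direction = "inbound" if pkt.inbound else "outbound"
    for rule_dir, port, action in rules:
        port_ok = pkt.dst_port > 1023 if port == "high" else pkt.dst_port == port
        if rule_dir == direction and port_ok:
            return action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: remembers sessions the inside opened and lets an
    inbound packet through only as a reply to one, or via an explicit rule."""
    def __init__(self):
        self.sessions = set()   # (internal_ip, internal_port, external_ip, external_port)
        self.explicit = [r for r in FILTER_RULES if r[1] != "high"]

    def decide(self, pkt):
        if not pkt.inbound:
            verdict = packet_filter(pkt, self.explicit)
            if verdict == "allow" and pkt.syn:   # record the connection being opened
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return verdict
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "allow"   # reply to a session the inside initiated
        return packet_filter(pkt, self.explicit)   # no blanket high-port rule here

def compare(packets):
    """Return {label: (packet-filter verdict, stateful verdict)} for a packet sequence."""
    fw = StatefulFirewall()
    return {label: (packet_filter(pkt), fw.decide(pkt)) for label, pkt in packets}
```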
• Physical Controls: Monitor and control the environment of the workplace and computing facilities.
o Physical access controls are often preventive controls that stop or deter unauthorized access to a
facility. Physical access controls can also be applied to specific assets that may be at risk.
o Segregation of Duties: Reduces opportunities for anyone to be in a position to both perpetrate
and conceal errors or fraud in the normal course of one’s duties.
▪ Segregation of duties normally revolves around granting and/or restricting access to production programs, production data, and execution activities.
▪ Following areas need to have proper segregation of duties: System programming, end
user transaction/data, data custody and storage, and authorization responsibility and
monitoring.
▪ Analysts = Hardware; Programmers = Software
▪ Security Administrators are responsible for restricting access to systems, applications, or
databases. If the security administrator were also a programmer for that system, that
individual could gain access to unauthorized areas as well give access to another person.
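Added example (not part of the Becker notes) tying together the access control list, personnel-change and segregation-of-duties points above: an authenticated user's CRUD permissions are checked against an ACL, a departed employee's account is disabled only on an HR-generated request, and role combinations that let one person both perpetrate and conceal (here the security administrator who is also a programmer) are flagged. Accounts, resources and role names are constructed sample data.

```python
# Constructed sample data (not from any real system).
PERMISSIONS = {"create", "read", "update", "delete"}

# Access control list: permissions each account holds on each resource.
ACL = {
    ("alice", "payroll_data"): {"read", "update"},
    ("bob", "payroll_data"): {"read"},
    ("carol", "payroll_program"): {"create", "read", "update", "delete"},
}

# Account status and roles, maintained from HR-initiated change requests.
ACCOUNTS = {
    "alice": {"active": True, "roles": {"security_admin"}},
    "bob": {"active": False, "roles": {"end_user"}},   # left the organization
    "carol": {"active": True, "roles": {"programmer", "security_admin"}},
}

# Role pairs one person must not hold at once. The first is the case in the notes;
# the second is an illustrative pairing of programming with data custody.
SOD_CONFLICTS = {
    frozenset({"security_admin", "programmer"}),
    frozenset({"programmer", "data_custodian"}),
}

def check_access(user, resource, action):
    """Authorization check for an already-authenticated user: (allowed, reason)."""
    if action not in PERMISSIONS:
        return False, "unknown action"
    account = ACCOUNTS.get(user)
    if account is None or not account["active"]:
        return False, "account disabled or unknown"
    if action not in ACL.get((user, resource), set()):
        return False, "permission not granted"
    return True, "granted"

def disable_account(user, request):
    """Personnel change: only an HR-generated request may disable an account."""
    if not request.get("from_hr"):
        raise PermissionError("account changes must originate from HR")
    ACCOUNTS[user]["active"] = False

def sod_violations():
    """Users holding a role combination that defeats segregation of duties."""
    return sorted(u for u, a in ACCOUNTS.items()
                  if any(conflict <= a["roles"] for conflict in SOD_CONFLICTS))
```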
(5) Risks and Controls of Critical, Confidential, and Private Information
• Important to understand how information should be safeguarded.
o Critical Information: Vital for the organization to perform its essential functions and achieve its strategic objectives.
o Confidentiality: Keep information within or about the organization from being misused or accessed without authorization.
o Privacy: The rights of employees and customers to keep their personal information safe and to understand how their information will be collected, used, and disclosed to others.
• First, identify what data and information is stored in all data repositories. Categorize the data as confidential, private, and/or critical, and determine what risks exist and how those risks will be mitigated and controlled.
• Confidential information poses many risks, as data loss may cause reputational, operational, and/or financial harm to an organization.
• Privacy Risk: Impacts the data of an organization’s employees, customers, and users. Protected by many regulatory standards.
• Reputational Risks: When customers’ private data is leaked or disclosed.
• Policy Management and Training: Require users within an organization to adhere to strict guidelines concerning safeguarding confidential and private information. Robust training program covering these policies.