Chapter 8: Controlling Information Systems: Introduction to Pervasive Controls
Accounting Information Systems, 9e
Gelinas, Dull, Wheeler
© 2010 Cengage Learning. All Rights Reserved.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Learning Objectives
- Describe the major pervasive controls that organizations employ as part of their internal control structure.
- Explain how pervasive controls help ensure continuous, reliable operational and IT processes.
- Appreciate how an organization must plan and organize all resources, including IT resources, to ensure achievement of its strategic vision.

Learning Objectives (cont'd)
- Overview the major controls used to manage the design and implementation of new processes, especially new IT processes.
- Appreciate the integral part played by the monitoring function in ensuring the overall effectiveness of a system of internal controls.
Suggested Exercise Questions
- SP 8-1 on page 290
- SP 8-2 on page 291
- P 8-2 on page 293
- P 8-3 on page 293
- P 8-4 on page 294
- P 8-5 on page 295
- P 8-6 on page 295
- P 8-7 on page 296

Organizational Governance and IT Governance
- Organizational governance: processes employed by organizations to select objectives, establish processes to achieve objectives, and monitor performance.
- IT governance: process that ensures the enterprise's IT sustains and extends the organization's strategies and objectives.

Hypothetical Computer System (large size organization) (figure)

Information Systems Organization (large size organization) (figure)

Summary of IT Organization Functions (figure)
Summary of IT Organization Functions (cont'd) (figure)

Summary of IT Organization Functions (cont'd) (figure)

Control Objectives for Information and Related Technology (COBIT)
- Provides guidance on the best practices for the management of information technology.
- IT resources must be managed by IT control processes to ensure an organization has the information it needs to achieve its objectives.
- Provides a framework to ensure that IT:
  - is aligned with the business.
  - enables the business and maximizes benefits.
  - resources are used responsibly.
  - risks are managed appropriately.

IT Control Process Domains
COBIT groups IT control processes into four broad domains:
- Plan and organize
- Acquire and implement
- Deliver and support
- Monitor and evaluate

IT Control Domains and Processes (figure)

Stakeholders in AIS
- A stakeholder is any person who has an interest in an existing or proposed AIS.
- Stakeholders can be technical or nontechnical workers. They may also include both internal and external workers.
- System owners
- System users
- System designers
- System builders
- Systems analysts (project managers)

System Owners
- System owners: responsible for funding the project of developing, operating, and maintaining the information system.
- They usually come from the ranks of management.
  - large IS project: senior managers
  - medium IS project: middle managers
  - smaller IS project: middle or supervisory
- Primary concerns:
  - how much will the system cost?
  - how much value or what benefits will the system return to the business?

System Users
- System users: a "customer" who will use or is affected by an IS on a regular basis.
- Make up the vast majority of "customers".
- Primary concern: get the job done using an IS!
- Internal users: clerical and service workers, technical and professional staff, supervisors, middle managers, and executive managers.
- External users: Internet EC customers, suppliers, partners, ...

System Designers and System Builders
- System designer: a technical specialist who translates system users' business requirements and constraints into a technical solution.
  - DBAs, network architects, web designers, security experts, ...
- System builder: a technical specialist who constructs information systems and components based on the design specifications generated by the system designers.
  - Programmers (applications, systems, and DB), network administrators, web masters, ...
Systems Analysts
- Systems analyst: a specialist who studies the problems and needs of an organization to determine how people, data, processes, and information technology can best accomplish improvements for the business.
- Roles:
  - Bridge (facilitator) between management and technical specialists: next slide
  - Understand both business and computing
  - Ultimately, a problem solver

The Systems Analyst as a Facilitator (figure)

Where Do Systems Analysts Work?
- May be permanently assigned to a team that supports a specific business function
- May also be pooled and temporarily assigned to specific projects
- Figure on next slide

Where Do Systems Analysts Work? (figure)

Skills Needed by the Systems Analyst
- Working knowledge of (existing and emerging) IT
- General business problem-solving skills
- Good interpersonal communication skills
- Good interpersonal relation skills
- Flexibility and adaptability
- Character and ethics

Other Stakeholders
- External Service Provider (ESP): a systems analyst, system designer, or system builder who sells his/her expertise and experience to other businesses to help those businesses purchase, develop, or integrate their information systems solutions; may be affiliated with a consulting or services organization.
  - PwC, Accenture (previously Andersen Consulting, spun off from Arthur Andersen consulting)
  - Consultants; contracted SAs, SDs, SBs, programmers, ...
- Project Manager: an experienced professional who accepts responsibility for planning, monitoring, and controlling projects with respect to schedule, budget, deliverables, customer satisfaction, technical standards, and system quality.
  - Usually senior analysts

Plan & Organize Domain: IT Control Process 1
Establish Strategic Vision for Information Technology
- IS management should establish a process for developing a strategic plan.
- The IS strategic planning effort must ensure support of the organization's strategic plan and that IT is optimally deployed.
- The plan must ensure that the organization is prepared to anticipate competitors' actions and take advantage of emerging technology.

Plan & Organize Domain: IT Control Process 2
Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision
- Manage IT resources with budgeting, controlling expenditures, and monitoring costs.
- Establish direction and related policies consistent with the control environment established by senior management.
- Communicate policies.
- Personnel policies for IT.
- Project-management framework.

IT Control Process 1: Organizational Controls
- IT steering committee: coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan.
- Security officer: safeguards the IT organization by (1) establishing employee passwords and access to data and (2) making sure the IT organization is secure from physical threats.
- Organizational design principles and segregation of duties.

Segregation of Duties within the IT Department (figure)

Acquire & Implement Domain
- Identify, develop or acquire, and implement IT solutions.
- Must correctly determine the requirements for a new information system and see that those requirements are satisfied by the new system.
- Systems development life cycle (SDLC): covers the progression of information systems through the systems development process, from birth, through implementation, to ongoing use and modification.

A Simple System Development Process
- System development process: a set of activities, methods, best practices, deliverables, and automated tools that stakeholders use to develop and maintain information systems and software.
- See "IS Development" from the class website.

Acquire & Implement Domain: IT Process 3
Identify Automated Solutions
- SDLC must include procedures to:
  - define information requirements
  - formulate alternative courses of action
  - perform feasibility studies
  - assess risks
- Solutions should be consistent with the strategic IT plan.
- May develop the IT solution in-house OR contract with third parties for all or part of the development.

Acquire & Implement Domain: IT Process 4
Develop and Acquire IT Solutions
- Develop and acquire application software.
- Acquire technology infrastructure.
- Develop service level requirements and application documentation, which typically includes the following:
  - Systems and program documentation
  - Operations run manual
  - User manual
  - Training materials

Acquire & Implement Domain: IT Process 5
Integrate IT Solutions Into Operational Processes
- Provide for a planned, tested, controlled, and approved conversion to the new system.
- After-installation review to determine that the new system has met users' needs in a cost-effective manner.

Acquire & Implement Domain: IT Process 6
Manage Changes to Existing IT Systems
- Changes to the IT infrastructure must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures.
- Program change controls: provide assurance that all modifications to programs are authorized, and that changes are completed, tested, and properly implemented.
- These controls are very important with enterprise systems due to the interdependence and complexity of the business processes.

Program Change Controls (figure)
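The program change controls on the IT Process 6 slide can be made concrete as a small workflow that refuses to move a change forward unless the preceding control has been satisfied. The following is an added example, not code from the textbook or its authors; the change ids, people and descriptions are constructed, and the segregation-of-duties rules (requester cannot approve, developer cannot test or release) are an assumed policy that illustrates the slide's point about authorization, testing and proper implementation.

```python
"""Program change control workflow (added example; not the textbook's own code).

Enforces the control objective on the slide: a program change reaches production
only after it has been authorized, developed, tested and implemented, in that
order, and the people who request, approve, develop, test and implement it are
kept separate. Change ids, names and descriptions are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REQUESTED = "requested"
    AUTHORIZED = "authorized"
    DEVELOPED = "developed"
    TESTED = "tested"
    IMPLEMENTED = "implemented"


class ControlViolation(Exception):
    """Raised when a step would bypass a program change control."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    requester: str
    state: State = State.REQUESTED
    approver: str = ""
    developer: str = ""
    tester: str = ""
    implementer: str = ""
    impact_assessment: str = ""
    test_passed: bool = False
    audit_trail: list = field(default_factory=list)  # (actor, action) evidence

    def _log(self, actor, action):
        self.audit_trail.append((actor, action))

    def authorize(self, approver, impact_assessment):
        if self.state is not State.REQUESTED:
            raise ControlViolation("authorization is only valid from REQUESTED")
        if approver == self.requester:
            raise ControlViolation("requester may not approve own change")
        if not impact_assessment:
            raise ControlViolation("impact assessment required before authorization")
        self.approver, self.impact_assessment = approver, impact_assessment
        self.state = State.AUTHORIZED
        self._log(approver, "authorized")

    def develop(self, developer):
        if self.state is not State.AUTHORIZED:
            raise ControlViolation("development requires prior authorization")
        self.developer = developer
        self.state = State.DEVELOPED
        self._log(developer, "developed")

    def test(self, tester, passed):
        if self.state is not State.DEVELOPED:
            raise ControlViolation("testing requires completed development")
        if tester == self.developer:
            raise ControlViolation("developer may not test own change")
        self.tester, self.test_passed = tester, passed
        if passed:
            self.state = State.TESTED
        self._log(tester, "test passed" if passed else "test failed")

    def implement(self, implementer):
        if self.state is not State.TESTED or not self.test_passed:
            raise ControlViolation("implementation requires a passed test")
        if implementer in (self.developer, self.requester):
            raise ControlViolation("developer or requester may not release to production")
        self.implementer = implementer
        self.state = State.IMPLEMENTED
        self._log(implementer, "implemented")


def run_compliant_change():
    """Walk a constructed change through every control in the required order."""
    cr = ChangeRequest("CR-0001", "fix rounding in invoice totals", requester="alice")
    cr.authorize("bob", "billing module only; no schema change")
    cr.develop("carol")
    cr.test("dave", passed=True)
    cr.implement("erin")
    return cr


def attempt_bypass():
    """A developer tries to move an untested change straight to production."""
    cr = ChangeRequest("CR-0002", "hotfix", requester="frank")
    cr.authorize("bob", "minor")
    cr.develop("carol")
    try:
        cr.implement("carol")
    except ControlViolation as exc:
        return str(exc)
    return "no violation raised"


if __name__ == "__main__":
    for actor, action in run_compliant_change().audit_trail:
        print(f"{action:<12} by {actor}")
    print(attempt_bypass())
```

The audit trail is the evidence an auditor would ask for: each transition records who did what, and a change that skipped a step cannot exist in the IMPLEMENTED state at all, because the state checks run before any transition is recorded.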
Deliver & Support Domain: IT Process 7
Deliver Required IT Services

Deliver & Support Domain: IT Process 8
Ensure Security and Continuous Service
- To ensure computing resources are operational, IT management must plan for increases in required capacity or losses of usable resources.
- To ensure that computing resources are secured, management should establish a process to account for all IT components.
- Processes should be in place to identify, track, and resolve problems in a timely manner.

Ensure Continuous Service
- Business continuity planning (also known as disaster recovery planning, contingency planning, and business interruption planning): a process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs or will resume operations with a minimum of disruption.

Continuity of IT Services
- Backup: making a copy of data, programs, and documentation.
- Recovery: use the backup data to restore lost data and resume operations.
- Continuous Data Protection (CDP): all data changes are date stamped and saved to secondary systems as the changes are happening.

Continuity of IT Services (cont'd)
- Mirror site: a site that maintains copies of the primary site's programs and data.
- Electronic vaulting: service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.

Continuity of IT Services (cont'd)
- Hot site: fully equipped data center that can accommodate many businesses and that is made available to client companies for a monthly subscriber fee.
- Cold site: facility usually comprised of air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment.

Continuity of IT Services (cont'd)
- Denial-of-service attack: a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
- Distributed denial-of-service attack: uses many computers (called zombies) that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web sites.

Distributed DoS
- Distributed denial-of-service attack (DDoS): attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.

Distributed Denial-of-Service Attack (figure)

Restricting Access to Computing Resources – Layers of Protection (figure)

Restricting Logical Access to Stored Programs, Data, and Documentation
- Access control software: ensures that (1) only authorized users gain access to a system through a process of identification (e.g., a unique account number for each user) and authentication (e.g., a password to verify that users are who they say they are), (2) restricts authorized users to the specific data they require and sets the action privileges for that data (e.g., read, copy, write data), and (3) monitors access attempts and violations.

Restricting Logical Access to Stored Programs, Data, and Documentation (cont'd)
- Intrusion-detection system (IDS): part of access control software that logs and monitors who is on or trying to access the network.
- Intrusion-prevention system (IPS): actively blocks unauthorized traffic using rules specified by the organization.
- Library controls: a combination of people, procedures, and computer software that restrict access to data, programs, and documentation in an offline environment.

Restricting Logical Access to Stored Programs, Data, and Documentation (cont'd)
- Data encryption: process that employs mathematical algorithms and encryption keys to encode data so that it is unintelligible in its encrypted form.
- Public-key cryptography: employs a pair of matched keys for each system user, one private (i.e., known only to the party who possesses it) and one public. The public key corresponds to but is not the same as the user's private key.

Computer Hacking and Cracking
- Computer hacking and cracking: intentional, unauthorized access to an organization's computer system, accomplished by bypassing the system's access security controls.
- Hacker: someone who simply gets a kick out of breaking into a computer system but does not hold malicious intentions to destroy or steal.
- Cracker: term used when a hacker's motive is crime, theft, or destruction.

Hacking techniques (figure)
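The Continuity of IT Services slides distinguish a periodic backup from continuous data protection, where every change is date stamped and written to a secondary system as it happens. The following added example (not code from the textbook) shows why that distinction matters for recovery: because the journal carries a timestamp per change, the data set can be rebuilt as of any point in time, not only as of the last backup. The store, the FakeClock and the general-ledger records are constructed for the demonstration.

```python
"""Continuous data protection journal with point-in-time recovery (added
example, not the textbook's own code).

Every change to the primary data set is date-stamped and appended to a
secondary journal as it happens, which is what the slide calls CDP. Recovery
replays the journal up to a chosen timestamp, so an unwanted change can be
undone without losing the work that preceded it. The FakeClock and the records
are constructed so the run is deterministic.
"""
import json
from datetime import datetime, timedelta, timezone


class FakeClock:
    """Constructed clock: advances one minute per call, starting 2011-01-01."""

    def __init__(self):
        self.now = datetime(2011, 1, 1, tzinfo=timezone.utc)

    def __call__(self):
        self.now += timedelta(minutes=1)
        return self.now


class CdpStore:
    def __init__(self, clock):
        self.primary = {}     # live data set on the primary system
        self.journal = []     # secondary system: one JSON line per change
        self.clock = clock

    def _journal(self, entry):
        # The change is journaled at the moment it happens, not on a schedule.
        entry["ts"] = self.clock().isoformat()
        self.journal.append(json.dumps(entry))
        return entry["ts"]

    def put(self, key, value):
        self.primary[key] = value
        return self._journal({"op": "put", "key": key, "value": value})

    def delete(self, key):
        self.primary.pop(key, None)
        return self._journal({"op": "delete", "key": key})

    def recover(self, as_of=None):
        """Rebuild the data set from the journal up to and including as_of."""
        state = {}
        for line in self.journal:
            entry = json.loads(line)
            if as_of is not None and entry["ts"] > as_of:
                break          # ISO-8601 timestamps sort lexicographically
            if entry["op"] == "put":
                state[entry["key"]] = entry["value"]
            else:
                state.pop(entry["key"], None)
        return state


def demo():
    store = CdpStore(FakeClock())
    store.put("GL-4010", {"desc": "sales revenue", "balance": 12500})
    store.put("GL-5010", {"desc": "cost of sales", "balance": 7300})
    last_good = store.put("GL-4010", {"desc": "sales revenue", "balance": 13900})
    store.delete("GL-4010")   # constructed accidental deletion after last_good
    return {
        "primary_after_loss": store.primary,
        "restored_latest": store.recover(),
        "restored_point_in_time": store.recover(as_of=last_good),
    }


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, data)
```

Restoring to the latest journal entry reproduces the damaged primary, which is all a plain backup taken after the deletion could offer; restoring as of `last_good` brings back the deleted account with its most recent balance while keeping every other change.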
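The access control software slide lists three functions (identification and authentication, restriction to specific data with action privileges, and monitoring of attempts and violations), and the IDS slide adds logging and monitoring of who is trying to get in. The following added example, not code from the textbook, implements all of these in one small module and finishes with a detection rule over its own access log; the account numbers, passwords, data objects and the failed-login threshold are constructed sample values.

```python
"""Access control software with monitoring (added example, not the textbook's
own code).

Implements the three functions the slide lists: (1) identification by account
number and authentication by password, (2) restriction of authorized users to
specific data objects with per-object action privileges, and (3) monitoring of
access attempts and violations. A detection rule over the access log mirrors
what the slide calls an IDS: it reports accounts with repeated failed logins.
Accounts, passwords and objects are constructed sample data.
"""
import hashlib
import hmac
import os
from collections import Counter
from datetime import datetime, timezone


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored verifier is not the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccessControl:
    def __init__(self):
        self.accounts = {}      # account number -> (salt, digest)
        self.privileges = {}    # (account, object) -> set of permitted actions
        self.log = []           # (timestamp, account, object, action, outcome)

    def add_user(self, account, password):
        self.accounts[account] = hash_password(password)

    def grant(self, account, obj, actions):
        self.privileges.setdefault((account, obj), set()).update(actions)

    # (1) identification and authentication
    def authenticate(self, account, password):
        record = self.accounts.get(account)
        if record is None:
            self._record(account, "-", "login", "unknown account")
            return False
        salt, digest = record
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        self._record(account, "-", "login", "success" if ok else "bad password")
        return ok

    # (2) restriction to specific data and action privileges
    def access(self, account, obj, action):
        allowed = action in self.privileges.get((account, obj), set())
        self._record(account, obj, action, "granted" if allowed else "violation")
        return allowed

    # (3) monitoring of attempts and violations
    def _record(self, account, obj, action, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.log.append((stamp, account, obj, action, outcome))

    def violations(self):
        bad = ("violation", "bad password", "unknown account")
        return [e for e in self.log if e[4] in bad]

    def suspicious_accounts(self, threshold=3):
        """IDS-style rule: accounts with at least `threshold` failed logins."""
        failures = Counter(e[1] for e in self.log
                           if e[3] == "login" and e[4] != "success")
        return sorted(a for a, n in failures.items() if n >= threshold)


def demo():
    ac = AccessControl()
    ac.add_user("1001", "correct horse")
    ac.add_user("1002", "battery staple")
    ac.grant("1001", "payroll.dat", {"read"})
    ac.grant("1002", "payroll.dat", {"read", "write"})
    results = {
        "login_ok": ac.authenticate("1001", "correct horse"),
        "read_ok": ac.access("1001", "payroll.dat", "read"),
        "write_denied": ac.access("1001", "payroll.dat", "write"),
    }
    for guess in ("a", "b", "c"):          # constructed repeated failures
        ac.authenticate("1002", guess)
    results["violations"] = len(ac.violations())
    results["suspicious"] = ac.suspicious_accounts()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to real access control software: privileges are keyed by user and object, so a user authorized for one object gets nothing on another by default, and every decision (granted or not) is recorded, which is what makes the later monitoring step possible.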
Physical Protection of IT Assets
- Preventive maintenance: periodic cleaning, testing, and adjusting of computer equipment to ensure the equipment's continued efficient and correct operation.

Deliver & Support Domain: IT Process 9
Provide Support Services
- Identify training needs of all personnel, internal and external.
- Conduct timely training sessions.
- Help desk: provides advice and assistance to users to help them overcome problems encountered in using IT resources so that they can effectively use those resources.

Monitor & Evaluate Domain: IT Process 10
Monitor and Evaluate the Processes
- Establish a system for defining performance indicators (service levels).
- Gather data about processes and generate performance reports.
- Measure progress toward identified goals.
- Obtain outside confirmation based on independent review.

Trust Services Principles and Criteria (figure)