Security 2

The document discusses how general and application controls mitigate IT risks by ensuring business process goals are met, protecting against harm or loss, and ensuring compliance with legal obligations. It outlines various control types, including input, processing, and output controls, as well as physical security measures and disaster recovery planning. Additionally, it emphasizes the importance of risk analysis and management in maintaining the integrity and security of information systems.

Uploaded by Lucia Makwasha

Explain how general controls and application controls reduce IT risks.

Controls serve three purposes:
(1) to provide reasonable assurance that the goals of each business process are being achieved
(2) to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)
(3) to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
[Figure: General controls and application controls. General controls: Administration of the IT function; Segregation of IT duties; Systems development; Physical and online security; Backup and contingency planning; Hardware controls. Risks addressed by the general controls: risk of unauthorized change to application software; risk of system crash; risk of unauthorized master file update; risk of unauthorized processing. Application controls by cycle: cash receipts application controls; sales application controls; payroll application controls; other cycle application controls.]
The perceived importance of IT within an organization is often dictated by the attitude of the board of directors and senior management.

[Figure: organization of the IT function. Chief Information Officer or IT Manager; Security Administrator; Systems Development; Data Control; Operations.]
Typical test strategies:
- Pilot testing
- Parallel testing
Physical Controls:
- Keypad entrances
- Badge-entry systems
- Security cameras
- Security personnel

Online Controls:
- User ID control
- Password control
- Separate add-on security software
One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.
These controls are built into computer equipment by the manufacturer to detect and report equipment failures.
- Input controls
- Processing controls
- Output controls
These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.
- Financial total
- Hash total
- Record count
Data input controls ensure the accuracy, completeness, and timeliness of data during its conversion from its original source into computer data, or entry into a computer application. Data can be entered into a computer application from either manual online input or by batch processing (automated). Someone reviewing input controls should determine the adequacy of both manual and automated controls over data input to ensure that data is input accurately with optimum use of computerized validation and editing and that error handling procedures facilitate the timely and accurate resubmission of all corrected data.

1) Documented procedures should exist for any data manually entered into the application. These procedures should include how to identify, correct, and reprocess rejected data.
2) Input edits should be used by the application. These could include checking for invalid field lengths, invalid characters, missing or erroneous data, incorrect dates, or the use of check digits.
3) Input data should also be controlled by the use of record counts, batching techniques, control totals, or some other type of logging (balancing of source documents to input processing).
4) Another way to help ensure appropriate data is being entered into the application is to require that an authorized person approve the input documents. The authorization levels of the assigned approvers should also be reviewed to determine if they are reasonable.
5) Passwords should be used to control access to the application. Passwords should be changed periodically, deleted when employees/users leave the University, and modified to reflect changes as a person's responsibilities change.
6) Duties should be separated to ensure that no one individual performs more than one of the following operations without supervisory review:
- Origination of data
- Input of data into the system
- Processing the data
- Distribution of the output
- Validation test
- Sequence test
- Arithmetic accuracy test
- Data reasonableness test
- Completeness test
Processing controls are used to ensure the accuracy, completeness, and timeliness of data during either batch or real-time processing by the computer application. Someone reviewing these controls should determine the adequacy of controls over application programs and related computer operations to ensure that data is accurately processed through the application and that no data is added, lost, or altered during processing.

1) Documentation should exist explaining the processing of data through the application. Examples would be narratives on how the application processes data, flowcharts, and an explanation of system or error messages.
2) If the application is "run" on a regular schedule to process data, either manually or automatically, there should be documented procedures explaining how this is performed. There may be a schedule that must be followed with controls in place to ensure all processing was completed.
3) A processing log may exist. If it does, it should be reviewed for unusual or unauthorized activity.
4) The processing log, or another log or report, should be used to document any errors or problems encountered during processing. Information worth keeping includes descriptions of any errors encountered, dates identified, any codes associated with errors, any corrective action taken, and the dates and times corrected.
5) There should be controls in place to make sure the correct generation/cycle of files is used for processing. This may include the generation of backup files from processing to be used for disaster recovery.
6) Processing edits should also be used. These may be similar to input edits but applied to the data during processing.
7) Audit trails should be generated during processing. These audit trails should be logs or reports that contain information about each transaction. Data that should be included are who initiated each of the transactions, the date and time of the transactions, and the location of the transaction origination (IP address as an example).
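Items 3), 4) and 7) above in code: an audit-trail record per transaction (initiator, date and time, originating IP address), an error-log entry with the fields the slide lists, and a review of the log for unauthorized or out-of-schedule activity. This is an added example, not code from the slides; the authorized-user list, the processing window and the sample entries are constructed assumptions.

```python
"""Audit trail entries, processing-log error records and a log review."""
from datetime import datetime, time

# Assumed: only these users may initiate transactions, and scheduled
# processing runs inside this daily window (local time).
AUTHORIZED = {"alice", "bob"}
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)


def audit_entry(txn_id, initiator, origin_ip, action, when):
    """One audit-trail record: who did what, when, and from where."""
    return {
        "txn_id": txn_id,
        "initiator": initiator,
        "origin_ip": origin_ip,
        "action": action,
        "timestamp": when.isoformat(timespec="seconds"),
    }


def error_record(code, description, identified, action=None, corrected=None):
    """Processing-log error entry with the fields item 4) asks to keep."""
    return {"code": code, "description": description, "date_identified": identified,
            "corrective_action": action, "date_corrected": corrected}


def open_errors(errors):
    """Error codes recorded but not yet corrected, for follow-up."""
    return [e["code"] for e in errors if e["date_corrected"] is None]


def review_log(entries, authorized=AUTHORIZED, start=WINDOW_START, end=WINDOW_END):
    """Flag entries whose initiator is not authorized or whose timestamp lies
    outside the processing window. Returns a list of (txn_id, reason)."""
    findings = []
    for e in entries:
        ts = datetime.fromisoformat(e["timestamp"])
        if e["initiator"] not in authorized:
            findings.append((e["txn_id"], "unauthorized initiator"))
        if not (start <= ts.time() <= end):
            findings.append((e["txn_id"], "activity outside processing window"))
    return findings


# Constructed sample log: T2 comes from an unlisted user, T3 ran late at night.
SAMPLE_LOG = [
    audit_entry("T1", "alice", "10.0.0.5", "post_invoice", datetime(2024, 3, 1, 9, 15)),
    audit_entry("T2", "mallory", "10.0.0.9", "post_invoice", datetime(2024, 3, 1, 10, 0)),
    audit_entry("T3", "bob", "10.0.0.6", "update_rate", datetime(2024, 3, 1, 23, 40)),
]

# Constructed error log: one error corrected, one still open.
SAMPLE_ERRORS = [
    error_record("E-101", "duplicate invoice number", "2024-03-01",
                 action="rejected duplicate", corrected="2024-03-01"),
    error_record("E-203", "rate table missing for March", "2024-03-01"),
]
```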
These controls focus on detecting errors after processing is completed rather than on preventing errors.
Data output controls are used to ensure the integrity of output and the correct and timely distribution of any output produced. Output can be in hardcopy form, in the form of files used as input to other systems, or information available for online viewing. Someone reviewing these controls should evaluate the adequacy of controls over output to ensure that the data processing results are accurate and reliable, output control totals are accurate and are being verified, and the resulting information is distributed in a timely and consistent manner to the end users.

1) Output should be balanced/reconciled to input. There should be adequate separation of duties for the balancing/reconciliation process.
2) There should be documented procedures to explain the methods for the proper balancing/reconciliation and error correcting of output.
3) Output should be reviewed for general acceptability and completeness, including any control totals.
4) There should be either error reports or a log kept of output errors. These should contain information such as:
- A description of problems/errors and date identified
- Corrective action taken
5) Record retention and backup schedules for output files should be established. Consideration should be given to rotating output files offsite.
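Item 1) above, balancing output to input, using the three batch control totals named earlier (financial total, hash total, record count) and enforcing separation of duties between the person who entered the batch and the person who reconciles it. This is an added example, not code from the slides; the record layout and the constructed batches are assumptions.

```python
"""Output-to-input balancing with batch control totals and separation of duties."""
from decimal import Decimal

# Constructed input batch as keyed at entry, and the output produced by processing.
INPUT_BATCH = [
    {"account": "1001", "amount": "125.00"},
    {"account": "1002", "amount": "80.50"},
    {"account": "1003", "amount": "10.00"},
]
OUTPUT_BATCH = [dict(r) for r in INPUT_BATCH]

# Two constructed failure modes: a record lost during processing, and an
# account number altered while the amount stays the same.
OUTPUT_WITH_LOSS = OUTPUT_BATCH[:2]
OUTPUT_ALTERED = [dict(r) for r in OUTPUT_BATCH]
OUTPUT_ALTERED[1]["account"] = "2002"


def control_totals(batch):
    """Financial total = sum of the money field; hash total = sum of a
    non-monetary field (account numbers here), meaningless as a number but
    sensitive to substitution; record count = number of records."""
    return {
        "financial_total": sum(Decimal(r["amount"]) for r in batch),
        "hash_total": sum(int(r["account"]) for r in batch),
        "record_count": len(batch),
    }


def reconcile(input_batch, output_batch):
    """Names of the control totals that differ between input and output."""
    a, b = control_totals(input_batch), control_totals(output_batch)
    return [k for k in a if a[k] != b[k]]


def balance_output(input_batch, output_batch, preparer, reconciler):
    """Separation of duties: the person who entered the batch may not balance it."""
    if preparer == reconciler:
        return {"balanced": False, "differences": [], "sod_violation": True}
    diffs = reconcile(input_batch, output_batch)
    return {"balanced": not diffs, "differences": diffs, "sod_violation": False}
```

The altered-account case is why a hash total is kept alongside the financial total: the money balances, and only the hash total reveals the change.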
RISK ANALYSIS

Risk Analysis has been defined as: "a formal process of determining risks and developing a plan to deal with them"

Risks do not arise all by themselves. A risk is normally a product of two factors: threats (something could go wrong) and vulnerabilities (the information system/s used by the business will allow things to go wrong).

Threats include:
- Deliberate manipulation of information prior to input/processing
- Impersonation of a legitimate user
- Untrained or poorly trained staff

Vulnerabilities include:
- Poor website or network design (e.g. which can allow "hackers" into a system or web site)
- Poor recruitment procedures

The first - and key - stage in addressing risks is to do a risk analysis.

A risk analysis process has three main stages:
(1) Understanding risks to the business and how they can occur
(2) Understanding the potential cost to the business if they do occur (a business should focus its attention on the risks that have the greatest potential cost)
(3) Identifying suitable and effective measures and policies to:
- Minimise the likelihood of the threats happening
- Prevent or detect the threat
- Enable appropriate recovery action to be taken

Many risks can be quantified - since they occur in most businesses - and there is lots of evidence of how threats and vulnerabilities arise.

The most important element in the process is that risk decisions are taken openly. Denying the presence of risk is not helpful. But trying to reduce the risk to zero is not realistic either.
Control Access to What?

Businesses need to control access to:
- Information
- Computer applications
- Operating system facilities

Control over access to an information system is achieved by using a logical access system. Such a system:
- Requests details of the identification of the user (e.g. by requesting a username and password)
- Checks whether the user has the authority to access the system
- Authenticates the user and allows access

Effective control ensures that staff have appropriate access to information and applications, and do not abuse it.

Management issues, such as periodic reviews of user accounts, can apply as much to IT systems as to physical access control systems. Confidentiality of information is best achieved by ensuring that people only have access to the information they actually need.
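The logical access system described above (identification, authority check, authentication) together with the periodic review of user accounts, as an added example that is not code from the slides. The user store, the PBKDF2 parameters, the 90-day dormancy rule and the sample accounts are assumptions; the authority check is deliberately placed after authentication so that an unauthenticated caller learns nothing about an account's entitlements.

```python
"""A minimal logical access system plus a periodic account review."""
import hashlib
import hmac
import os
from datetime import date

ITERATIONS = 100_000  # PBKDF2 work factor, assumed for the demonstration


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(password, applications, last_login, left=False):
    """Store a salted password hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "apps": set(applications),
            "last_login": last_login, "left": left}


# Constructed user store: 'dave' has left but his account was never deleted,
# 'bob' has not logged in for months.
USERS = {
    "alice": make_account("correct horse", ["payroll", "sales"], date(2024, 2, 20)),
    "bob": make_account("hunter2", ["sales"], date(2023, 9, 1)),
    "dave": make_account("pw", ["payroll"], date(2024, 1, 5), left=True),
}


def request_access(username, password, application, users=USERS, today=date(2024, 3, 1)):
    """Identification -> authentication -> authority check -> access."""
    acct = users.get(username)
    if acct is None or acct["left"]:
        return "denied: unknown or deactivated user"
    # Constant-time comparison of the stored hash against the candidate.
    if not hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
        return "denied: authentication failed"
    if application not in acct["apps"]:
        return "denied: no authority for application"
    acct["last_login"] = today
    return "granted"


def review_accounts(users=USERS, today=date(2024, 3, 1), max_idle_days=90):
    """Periodic review: leavers whose accounts still exist, and dormant accounts."""
    findings = []
    for name, acct in users.items():
        if acct["left"]:
            findings.append((name, "leaver account not deleted"))
        elif (today - acct["last_login"]).days > max_idle_days:
            findings.append((name, "dormant account"))
    return findings
```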
If access rules are too detailed, managing them will be very difficult. If they are too general, people will have access to information or applications that they will never need. A balance must be struck depending on:
- Needs of the business
- Security features provided by the systems
- Trust in staff

Consideration of security issues during system design, development and procurement will greatly enhance effectiveness. Look for:
- Strong password enforcement
- Management of access rights to read, amend, process or delete information
- Analysis of what users require to do their job
- Analysis of the security features each system can provide
How do you stop unauthorised physical access to information systems? How do you protect the security of the information systems assets themselves (e.g. computer rooms, laptops and disks)? The answer lies in physical security controls. The key controls you need to be aware of are summarised in this revision note.

Ensuring that there is a proper physical environment for systems, records and staff is essential for maintaining confidentiality, integrity and availability of information.

Management needs to think about the following aspects of physical security:
(1) Protection
- of information and information systems from the elements is as important as protecting them from unauthorised people
- of physical access, which should be restricted to authorised personnel. IT equipment is tempting to thieves, and can be damaged by accidents or sabotage
- of the physical operating environment in a computer server room is as important as ensuring that paper records are not subject to damage by fire or flooding
- of supporting equipment such as air conditioning plant or mains services

The main physical security controls are as follows:

The objective with physical access controls is to stop unauthorised people getting near to computer systems. The key is to have a range of controls that include:
- Personnel (e.g. security) controlling human access
- Use of locks, key pads or card entry systems to sensitive computer locations
- Intruder alarms (detection)

Increasingly, computer equipment is smaller and lighter - which makes it easier to steal. So it makes sense for such equipment to be:
- Locked away when not in use
- Marked with identification (e.g. bar code / security code)

The locations in which information systems are held also need to be protected. Measures include:
- Site preparation (e.g. materials that are fireproof)
- Detection equipment (e.g. smoke detectors)
- Extinguishing equipment (e.g. sprinklers)
- Protection of power supplies (e.g. back up generator)
DISASTER RECOVERY PLANNING

A disaster is any natural or man-made event that disrupts the operations of a business in such a significant way that a considerable and coordinated effort is required to achieve a recovery.

Types of disaster:
- Geological: earthquakes, volcanoes, tsunamis, landslides, and sinkholes
- Meteorological: hurricanes, tornados, wind storms, hail, ice storms, snow storms, rainstorms, and lightning
- Other: avalanches, fires, floods, meteors and meteorites, and solar storms
- Health: widespread illnesses, quarantines, and pandemics
- Labor: strikes, walkouts, and slow-downs that disrupt services and supplies
- Social-political: war, terrorism, sabotage, vandalism, civil unrest, protests, demonstrations, cyber attacks, and blockades
- Materials: fires, hazardous materials spills
- Utilities: power failures, communications outages, water supply shortages, fuel shortages, and radioactive fallout from power plant accidents

Effects of a disaster:
- Direct damage to facilities and equipment
- Transportation infrastructure damage
◦ Delays deliveries, supplies, customers, employees going to work
- Communications outages
- Utilities outages
- Loss of critical IT resources
- Loss of data

BCP (Business Continuity Planning) and DRP (Disaster Recovery Planning)

Security pillars: C-I-A
◦ Confidentiality
◦ Integrity
◦ Availability
BCP and DRP directly support availability.

BCP
◦ Activities required to ensure the continuation of critical business processes in an organization
◦ Alternate personnel, equipment, and facilities
◦ Often includes non-IT aspects of business

DRP
◦ Assessment, salvage, repair, and eventual restoration of damaged facilities and systems
◦ Often focuses on IT systems
A disaster recovery plan (DRP) - sometimes referred to as a business continuity plan (BCP) - describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized and the organization will be able to either maintain or quickly resume mission-critical functions.

Typically, disaster recovery planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

What Should Be The Goals Of The Disaster Recovery & Business Resumption Plan?

The three (3) primary goals of disaster recovery and business resumption planning are to:

(1) Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records. This requires a comprehensive assessment of each department within the institution, to ensure that appropriate steps have been taken to:
◦ Minimize disruptions of services to the institution and its customers;
◦ Minimize financial loss;
◦ Provide for a timely resumption of operations in case of a disaster; and
◦ Reduce or limit exposure to potential liability claims filed against the institution, and its directors, officers and other personnel.

(2) Immediately invoke the emergency provisions of the Disaster Recovery & Business Resumption Plan to stabilize the effects of the disaster, allowing for appropriate assessment and the beginning of recovery efforts. We then minimize the effects of the disaster and provide for the fastest possible recovery.

(3) Implement the procedures contained in the Disaster Recovery & Business Resumption Plan according to the type and impact of the disaster. When we implement these procedures, we must prioritize all recovery efforts as follows:
◦ Employees: Not only must we help to ensure their survival as a basic human concern, but because of their anticipated performance in helping other persons on the institution's premises when the disaster strikes;
◦ Customers: As we do with employees, we must help to ensure the survival of or care for customers affected by the disaster: physically, mentally, emotionally and financially;
◦ Facilities: After ensuring the safety of employees and customers, we then secure each facility as shelter for both people and assets;
◦ Assets: Conducting a damage assessment will determine which assets have been destroyed, which ones are at risk and what resources we have left; and
◦ Records: Documenting the disaster and the actions taken by the institution's personnel - when combined with comprehensive videotapes of facilities that are obtained during routine facility inspections - reduces the likelihood of legal actions while helping to assess the responsibility for losses.
DISASTER RECOVERY PLAN

Disaster recovery planning consists of deciding in advance what, how, when and who are needed to provide a solution that will sustain critical business functions. The planning process includes steps that identify and document key elements in a successful disaster recovery solution. These steps include the following:
◦ 1. Identifying and prioritizing business-critical systems and functions,
◦ 2. Identifying business-critical resources and performing impact analysis,
◦ 3. Developing a notification plan,
◦ 4. Developing a damage assessment plan,
◦ 5. Designating a disaster recovery site (if necessary and possible),
◦ 6. Developing a plan to recover critical functions at the disaster recovery site, and identifying and documenting security controls, and
◦ 7. Designating responsibilities.

Disaster recovery planning is an ongoing, dynamic process that continues throughout the information system's lifecycle.

Information systems can be very complex, fulfilling many business functions. Your first step in disaster recovery planning is to identify and prioritize the business-critical functions, systems, and processes. As a disaster recovery planner, you must obtain input from Executive and Functional Managers to determine each system's criticality.

Your second step in disaster recovery planning is to identify the resources that are critical to the information systems that support the functions, systems, and processes that you identified in step one. The critical resources that you identify must include everything necessary to support the critical function, system, or process. Some examples of critical resources are:
• Servers, workstations and peripherals,
• Applications and data,
• Media and output,
• Telecommunications connections,
• Physical infrastructure (e.g., electrical power, environmental controls), and
• Personnel.
As a disaster recovery planner, you must analyze the critical resources identified and determine the impact on information system operations if a given resource is disrupted or damaged. The impact analysis must include allowable outage times, i.e., "How long can a company afford to be without this resource?" When analyzing the impact, you must also consider the outage effect on dependent systems.

Using the resulting business impact analysis, you must then develop and prioritize strategies for recovery and restoration.
Your third step is to develop a plan for notifying essential personnel when a disaster occurs or is imminent. The plan must describe the methods the company uses to notify personnel during business and non-business hours. Prompt notification can reduce the disaster's effects on the information system because you will have time to take mitigating actions.

Your fourth step is to develop a plan for assessing the nature and extent of damage to the system, and determine the extent to which to activate the Disaster Recovery Plan. Although damage assessment procedures may be unique for each system, you must address the following areas:
◦ Cause of the outage or interruption,
◦ Damage to the information system or data,
◦ Potential for additional disruption or damage,
◦ Physical infrastructure status,
◦ Information system inventory and functional status,
◦ Requirements for repair or replacement, and
◦ Estimated time to recover or restore.

Disaster Recovery Plan activation criteria (the conditions under which you activate the plan) are unique to each event and you must state them in the plan. You must base criteria on:
◦ Information system damage,
◦ Facility damage,
◦ System criticality, and
◦ Anticipated disruption length.

Your fifth step is to choose a disaster recovery site where recovery of system operations will be performed until restoration is possible. The Disaster Recovery Plan must define the specific site for the contingencies identified within the plan. The following table describes the site types that may be used:
Cold site: A facility with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support the information system, but no equipment. Setup costs: Low.

Warm site: Partially equipped office spaces that contain some or all of the system hardware, software, telecommunications, and power sources. The warm site is maintained in an operational status, ready to receive the relocated system.

Hot site: Office spaces appropriately sized to support system requirements and configured with the necessary system hardware, supporting infrastructure, and support personnel. Setup costs: Medium/High.

Mirrored site: Fully redundant facilities with full, real-time information mirroring. Mirrored sites are identical to the primary site in all technical respects. Setup costs: High.
Your sixth step in disaster recovery planning is to establish how you will recover critical functions. The planning requirements for this step may include procuring and setting up necessary equipment, providing guaranteed safety and transportation for personnel, obtaining backups from storage, etc. You must include the procedures that support these requirements in your Disaster Recovery Plan.

Your seventh step in disaster recovery planning is to designate responsibility for the key activities identified and their duties outlined within the Disaster Recovery Plan. You must make certain that the designated personnel are trained to perform their activities.

The first seven steps, as taken, populate sections of the Disaster Recovery Plan. Once populated, you must keep the Disaster Recovery Plan up-to-date, and securely store it for use. You must validate the Disaster Recovery Plan annually. Whenever there are changes to your information system, you must update and validate the Disaster Recovery Plan.
