
Chapter 16: Audit Method and Techniques for Operations






Presentation Transcript


  1. Chapter 16: Audit Method and Techniques for Operations
     IS Security, Audit, and Control (Dr. Zhao)
     MBAD 7090

  2. Objectives
     • Key IT operation areas:
       • Contingency and disaster-recovery planning
       • DBMS recovery
       • Telecommunications
       • End-user computing

  3. Contingency and Disaster-Recovery Planning
     • Definition:
       • Disaster recovery is the process, policies and procedures of restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (incoming, outgoing, toll-free, fax, etc.), workspace, and other business processes after a natural or human-induced disaster.
     • Business recovery
       • Disaster recovery is a subset of business recovery

  4. Disaster-Recovery Planning
     • Management support
     • Documented
       • Need a written plan
       • Updated frequently
     • Tested frequently
       • Phase 1: regular inspection and walk-through
       • Phase 2: planned disaster simulation
       • Phase 3: disaster simulation without warning
       • Varying degrees of “disaster”
     • A video

  5. DBMS Recovery
     • Businesses have an increasing reliance on timely and reliable access to central database-management systems.
     • The ability to recover and continue business operations is critical in today’s 7-day-a-week, 24-hour-a-day business environment.

  6. Transaction properties
     • Goal: ensure data integrity from transactions
     • Atomicity: preclusion of partially completed transactions
     • Permanence
     • Serialization of transactions: do not use inconsistent data from partially completed transactions
     • Prevention of cascading aborts: an incomplete transaction cannot reveal results to other transactions
     • Consistency

  7. DBMS Risks
     • Transaction failure
     • System failure:
       • Bugs, errors, and anomalies from the operating system or hardware
     • Communication failure
     • Media failure:
       • Disk crashes, controller failure, head crashes, or media degradation
     • Malicious intent

  8. DBMS Corrective Actions
     • Restoring the system resources to a usable state
     • Correcting damage or removing invalid data
     • Restarting or continuing the interrupted process

  9. Data Warehouse Application
     • Data warehouse: a repository of an organization's electronically stored data.
     • An application

  10. Data Warehouse Conversion Control Issues
     • How stable was the data when it was transferred?
     • At what point in time should the data migrate to the data warehouse?
       • Too close to the transaction, and it’s still in flux and subject to change.
       • Too far away, and the detail is lost in an aggregation.
     • What operational unit holds the keys to the data’s storage and definition?
     • What is the state of the data value?

  11. Data Communications Threats
     • Criminal groups
     • Foreign intelligence services
     • Hackers
     • Hacktivists
     • Information warfare
     • Insider threat
     • Virus writers

  12. Data Communications Controls
     • Planning
     • Testing
     • Data communication controls
       • Prevention
       • Detection
       • Correction

  13. LAN Audit and Security Issues
     • Threats to the physical security of the network
       • Site control and management
       • Protect network wires
     • Unauthorized access and eavesdropping
       • Firewalls
       • Encryption
       • LAN traffic analyzer
     • Attacks from within the network’s (authorized) user community

  14. Wireless LAN
     • IEEE 802.11 Wired Equivalent Privacy (WEP) protocol
       • 64-bit key and RC4 encryption algorithm
       • Challenges:
         • No group-keyed access control
         • Interception of radio signals is hard to detect
     • Virtual Private Network (VPN)
       • A VPN is a computer network in which some of the links between nodes are carried by open connections in some larger network (e.g., the Internet) instead of by physical wires.
       • Challenges: poor-quality reception, unstable and frequent reconnection

  15. End-User Computing Controls
     • Assignment of ownership of data
     • User accountability
     • Backup procedures
     • Physical access controls
     • Appropriate documentation of end-user-developed applications and related changes
     • Segregation of duties

  16. Discussions
     • For your home PC:
       • What are the current controls?
       • What are the remaining risks?
