Chapter 14: Operational Control Issues



Presentation Transcript


  1. Chapter 14: Operational Control Issues
     MBAD 7090
     IS Security, Audit, and Control (Dr. Zhao)

  2. Objectives
     • Understand the concept of general operational controls
     • Four key areas
     • Two examples

  3. Overview
     • Operational or general controls are controls that relate to the climate/environment and to the global functionality of the IT environment.
     • Not application specific
     • Information technology and systems are complex, and one general control weakness can have a domino-like impact on the rest of the infrastructure.

  4. Four Key Areas
     • Organizational controls
     • Data files and program controls
     • Recoverability (backup, restart, disaster recovery) and environmental controls
     • Physical security and access controls

  5. Organizational Controls
     • Standards
     • Policies
     • Procedures
     • Not to do:
       • Lack of use
       • Only prepared for experienced staff
     • To do:
       • Be tested periodically
       • Maintain logs of unusual events

  6. Data Files and Program Controls
     • File label:
       • Clear and updated
       • Both volume and content
     • Library function
       • An inventory record
       • A procedure: who should be able to access what
     • Segregate custodial duties from operation duties

  7. Recoverability and Environmental Controls
     • Recoverability
       • Backup/restart
       • Disaster recovery
       • Business continuity
     • Environmental
       • Climate
       • Geographic location
       • Fire
       • Contaminants

  8. Physical Security Controls
     • Facility access (Who has access to the server closet or router/communications closets?)
     • Personnel badges
     • Alarms and guards
     • Office locks and CPU locks
     • Wiring closets (Do they have a wiring diagram? Is it current?)

  9. Environmental Controls
     • Possible hazards:
       • Natural disasters
       • Airborne contaminants
       • Static electricity
       • Power surges, blackouts, and brownouts

  10. An Example
     General controls for a bank:

  11. CoBiT
     • Delivery & Support Domain
       • DS3: manage performance and capacity
       • DS4: ensure continuous service
       • DS8: assisting and advising information technology customers

  12. Data Center Reviews
     Audit program areas (see pp. 348-350):
     • Administration of IT Activities
     • Operating Systems Software and Data
     • Computer/Server Operations / Business Redemption and Continuity
     • Security Administration

  13. Data Center Key Areas:
     • Software and Data Security Controls
     • Physical and Environmental Controls
     • Data Access Management Policy and Procedure
     • Data and Software Backup Management
     • Other Management Controls

  14. Auditing the Call Center
     • In house or outsourced
       • Functionality
       • If outsourced, security of data
       • Metrics/monitoring paramount
     • Systems development
     • Data integrity and data security
     • Physical security and recovery
     • Department resources
     • Compliance to standards/policy

  15. Class Discussion
     You are an internal auditor assigned to perform an operations audit of a data center. On reviewing the operations policy and procedures manuals, you find that the manuals appear to be fairly complete and up-to-date.
     Q: Please describe three audit tests you would perform to test whether the manuals are actually used and followed.
