CHAPTER 7
INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
7.1 1. Encryption is the final layer of preventative controls in that encrypting data provides a barrier against an intruder who has obtained access to company data. Encryption employing a digital signature and a public key infrastructure (PKI) can also strengthen authentication procedures and help to ensure and verify the validity of e-business transactions. The digital signature is some sort of identifying information about the signer that is encrypted with the signer’s private key. This identifying information can only be decrypted using the corresponding public key. Since a private key is only known to its owner,
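The private-key/public-key signing sequence that the answer to 7.1 describes, as an added example that is not part of the chapter or its solutions manual: textbook RSA over fixed Mersenne primes, an assumption made so the block runs on the Python standard library alone (such a key is insecure, and real signatures add padding such as PSS). The constructed purchase order, its altered copy, and the second key pair standing in for an impostor are all assumptions.

```python
"""Added example: textbook RSA digital signature, illustrating the answer to 7.1.

Not from the chapter. The key pair is built from fixed, publicly known
Mersenne primes so the block runs with the standard library only; such
keys are insecure and the raw (unpadded) scheme is for illustration.
"""
import hashlib

# Constructed, publicly known primes: 2**31-1 and 2**61-1 (a real key uses
# freshly generated secret primes of about 1024 bits each).
P_SIGNER, Q_SIGNER = 2**31 - 1, 2**61 - 1
P_OTHER, Q_OTHER = 2**89 - 1, 2**107 - 1   # a second, unrelated key pair (impostor)

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent; Python 3.8+ modular inverse
    return (n, e), (n, d)

def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced so it fits the modulus n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """'Encrypt' the hash with the private key: only the key owner can do this."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public key and compare it with the hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def demo():
    """Constructed transaction: signed by the signer, then checked three ways."""
    pub, priv = make_keypair(P_SIGNER, Q_SIGNER)
    _, other_priv = make_keypair(P_OTHER, Q_OTHER)
    order = b"PO-1001: pay 4,500.00 to Vendor A"       # constructed sample
    sig = sign(order, priv)
    return {
        "genuine": verify(order, sig, pub),                              # True
        "altered": verify(order.replace(b"4,500", b"9,500"), sig, pub),  # False
        "forged": verify(order, sign(order, other_priv), pub),           # False
    }

if __name__ == "__main__":
    print(demo())
```

The altered and forged cases fail because the public key can only undo what the matching private key did, which is the property the answer relies on for authentication and non-repudiation.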
However, few people have such an extensive background, and personnel training and development are both expensive and time consuming. So, many organizations may find it necessary to accept some tradeoffs in staffing the Information Systems audit function. Since auditors generally work in teams, one common solution is to include members who have computer training and experience. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience. However, in today’s technological age, all internal and external auditors on an audit engagement team must have a sound understanding of basic information security concepts so that during the course of an audit, they would be able to identify, report, and communicate security risks and exposures to the security specialists on the audit team for further assessment and investigation.
7.4 To provide absolute information security an organization must follow Jeff Richards’ “Laws of Data Security.”
1. Don’t buy a computer.
2. If you buy a computer, don’t turn it on.
As this humorous solution indicates, there is no way to make a system absolutely secure. However, as discussed in the text, there are numerous methods to make a system more
Without an internal audit group to oversee IT's activities and ensure that they remain compliant with the security management frameworks to which the organization has committed, the exposure to risk could be excessive and a genuine threat to the successful operation of the organization. The audit's exposure and compliance framework represents a noteworthy change in the Office's audit practices. Further, it concluded that the introduction of the graduated risk-based approach has met international standards and represents best practice, bringing about an effective and efficient audit
In today’s IT world every organization has a responsibility to protect the information and sensitive data it holds. Protecting data is not only the responsibility of security and IT staff; every individual is involved in protecting the information. The risks to information security are not only digital but involve the technology, people and processes that an organization may have. These threats may represent problems that are associated with complex and expensive solutions, but doing nothing about these risks is not the solution.
The essential legal policies for instituting an information security policy for any organization, regardless of tax status, such as a commercial or non-profit entity or a federal agency, and how those policies, both governmental and organizational, can impact an organization’s ability to ensure the integral information security triad of confidentiality, integrity and availability.
The final chapter of the CompTIA Security+ Study Guide eBook covers some great topics: the key elements of implementing, supporting, and managing the security efforts in a company or organization. It’s important for IT professionals to understand their role in a company/organization. It’s also extremely important for them to understand the boundaries of security within that company/organization. Adopting best security practices while adhering to company policies will ensure that both parties are happy. There are many fine lines in security management.
Different types of security threats can occur on the job, such as vulnerabilities that continue to grow and evolve not only in scale but also in complexity. Technology roles such as system/network administrator expose people to a variety of technologies, which benefits them in the security analyst field. The extensive cooperation between new members and senior members of the team allows each to improve the other's skills. New knowledge and practices come to be understood during the exchange of
These businesses realize that maintaining the public’s trust is one of the keys to commercial success, so they employ investigative accountants to strategically manage the complexities of risks and threats. Investigative accountants scrutinize fraudulent activities, assist senior management with risk management and strive to mitigate potential vulnerabilities. Investigative accountants often respond to fraud allegations and reported financial irregularities. They adopt a strategic threat management approach that enables them to anticipate and respond to risks. They apply advanced technology approaches to help internal customers track and manage data activities. They employ information management principles, data analytics techniques and sophisticated technology tools to help management make well-informed
The Sarbanes-Oxley Act of 2002 has dramatically affected overall awareness and management of internal controls in public corporations. Since modern accounting systems are computer based, accurate financial reporting depends on reliable and secure computing environments. Information security professionals are being asked to understand and comply with Sarbanes-Oxley in short time frames and with limited budgets. It is important that they learn as much as they can and create realistic compliance strategies (Stults, 2004).
A Public Key Infrastructure (PKI) can be as strong as we choose to design the system. PKI adoption is necessary in order to stay competitive and secure in today’s world. After implementation, data will be more secure, customers will have more trust in operations, and this company will be compliant for years to
Research Objective: The main theme of this research paper is to protect the sensitive information that any organization or business possesses. With the community’s increasing reliance on information systems and technology, security breaches are more likely to happen. Besides monetary loss, a breach can damage information assets that hold sensitive data. To secure these assets from any internal or external damage, organizations have to follow the proposed rules and guidelines. Also security responsibilities
In this paper we will look at defining the problem of data security and public administration. The reader will see the evidence gathered to get a better understanding of the problem of not securing data when sending it. The reader will learn different alternatives to how they can ensure the data is secure.
In order to properly secure the Information Technology (IT) infrastructure today, there are many different areas that need to be addressed. Each of these areas poses different vulnerabilities and challenges to properly securing an IT environment. By identifying these vulnerabilities, applying controls to address them, and designing a robust security plan, the IT infrastructure at WD Enterprises will be more secure and provide better protection against these threats. This plan, along with the design and application of a code of ethics for the IT profession, will ensure the staff is held accountable to the standards and objectives of the organization. To accomplish these goals, a review of the organization’s vulnerabilities will be performed, followed by suggestions and discussion of the security models that can be used to overcome these risks. Following that, a security plan will be designed along with a code of ethics. These will become the blueprint for securing the IT infrastructure at WD Enterprises.
Public key infrastructure, also known as PKI, refers to a suite of software, hardware, people, policies and procedures needed to create, manage, distribute, store, revoke and use digital certificates. The use of digital certificates will help customers of Vantura Partners group in a number of ways, allowing for secure e-commerce, confidential e-mail, secure banking, and non-repudiation for contracts. In the most secure environments, where strong passwords are an inadequate means of identifying a person and are vulnerable to man-in-the-middle attacks.
Public key infrastructure, known as PKI, supports the distribution and identification of public encryption keys, which allows users and computers to securely exchange data over the Internet and other networks and to confirm the identity of the other party. Without PKI, sensitive information can still be encrypted and exchanged, but there would be no assurance of the identity of the other party. Any form of sensitive data exchanged over the Internet is reliant on PKI for security.
Prior to graduating, future analysts will need to have knowledge of the profession and of how they can become an information security analyst. Graduates should expect to “plan and carry out security measures to protect an organization’s computer networks and systems” in this profession (United). Analysts also have duties such as monitoring the organization’s networks for security breaches, conducting investigations when breaches occur, installing
In order to effectively implement security governance, the Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework from the Carnegie Mellon University Software Engineering Institute. This framework, which is described in the document “Information Security Governance: Call to Action,” defines the responsibilities of (1) the board of directors or trustees, (2) the senior organizational executive (i.e., CEO), (3) executive team members, (4) senior managers, and (5) all employees and users. This important document can be found at the Information Systems Audit and Control Association (ISACA) Web site at www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=34997.