Quiz 2 Reviewer
System
set of elements, including hardware and software, that work together to run one or more computers
System Interfaces
exist where data output from one application is sent as input to another, with little or no human interaction
provide the ability to transfer data even if the systems use different programming languages or were created by different developers
User Interfaces
interfaces that involve humans
System-to-system interfaces
→ occur when data is transferred between two systems, whether internal or external.
→ Data may also be transferred to specialized tools for analysis
Partner-to-partner interface
occurs when two partners continuously transfer data back and forth across agreed-upon systems.
→ These transfers are generally done on a regular basis.
Person-to-person transfers
→ are often the most unnoticed and unmanaged.
→ They can be as easy as attaching a data file to an email and sending it.
→ These forms of transfer tend to be more difficult to observe, manage, secure and control
Risk Associated with System Interfaces
Unmanaged interfaces can add to the risk regarding data security, privacy and error.
If an interface is not functioning correctly, one possible consequence is that incorrect management reports (e.g., research, financial, intelligence, performance and competitive) have a significant negative impact on the business and on decision-making.
Beyond an effect on business value, even a small error can invoke potential legal compliance liability.
Primary Objective of maintaining security of data being transferred through system interfaces
to ensure that the data intended to be extracted from the originating system are the same as the data that were downloaded and recorded in the recipient system.
→ The data needs to be protected and secured throughout the transfer process
Secondary Objective of maintaining security of data being transferred through system interfaces
→ to prevent unauthorized access to the data via interception, malicious activity, error or other means.
→ Unavailability of system interfaces can also affect the reliability of data
Controls Associated with System Interfaces
IS auditor should ensure that the organization has a program that tracks and manages all system interfaces and data transfers, whether internal or external, in line with the business needs and goals.
- This includes the ability to see all the transfers made, including those that are ad hoc, whether the organization is using a commercial or custom managed file transfer (MFT) system.
Controls
need to be implemented with the objective of ensuring that the data residing on the sending system are precisely the same data that are recorded on the receiving system
➢ For example, an organization may use a software package that can generate controls during the extraction that automatically reconcile the data after they are recorded on the receiving system
Controls
→ Although automated controls are generally preferred over manual controls, another control can be manual reconciliation by running a report of the data sent and comparing it to a report on the data received.
→ This should be done by a qualified person who has the ability to detect material differences in the data.
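The automated reconciliation control described above, as an added example that is not part of the reviewer: the sending system computes control totals (record count, amount total and an order-independent hash) over the extract, the receiving system recomputes them after loading, and any mismatch is traced to the individual records. The record layout, the field names and the sample batches are constructed for illustration.

```python
import hashlib
import json

def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def control_totals(records: list[dict], amount_field: str = "amount") -> dict:
    """Record count, amount total and an order-independent hash over all records."""
    digests = sorted(hashlib.sha256(canonical(r)).hexdigest() for r in records)
    batch_hash = hashlib.sha256("".join(digests).encode("utf-8")).hexdigest()
    return {
        "count": len(records),
        "amount_total": round(sum(float(r[amount_field]) for r in records), 2),
        "batch_hash": batch_hash,
    }

def reconcile(sent: list[dict], received: list[dict], key: str = "id") -> list[str]:
    """Compare sending and receiving totals; on any mismatch, name the records that differ."""
    findings = []
    s_tot, r_tot = control_totals(sent), control_totals(received)
    for name in ("count", "amount_total", "batch_hash"):
        if s_tot[name] != r_tot[name]:
            findings.append(f"{name} mismatch: sent={s_tot[name]} received={r_tot[name]}")
    if findings:  # totals disagree: locate missing, extra or altered records by key
        s_by = {r[key]: canonical(r) for r in sent}
        r_by = {r[key]: canonical(r) for r in received}
        for k in sorted(s_by.keys() | r_by.keys()):
            if k not in r_by:
                findings.append(f"record {k} missing on receiving system")
            elif k not in s_by:
                findings.append(f"record {k} received but not in extract")
            elif s_by[k] != r_by[k]:
                findings.append(f"record {k} altered in transfer")
    return findings

# Constructed sample batch: what the sending system extracted ...
SENT = [
    {"id": 1001, "account": "A-17", "amount": "250.00"},
    {"id": 1002, "account": "B-42", "amount": "75.50"},
    {"id": 1003, "account": "C-09", "amount": "1200.00"},
]
# ... and what the receiving system recorded: one amount transposed, one record lost.
RECEIVED = [
    {"id": 1001, "account": "A-17", "amount": "250.00"},
    {"id": 1002, "account": "B-42", "amount": "57.50"},
]

if __name__ == "__main__":
    for line in reconcile(SENT, RECEIVED):
        print(line)
```

Because the batch hash is computed over sorted per-record digests, a receiving system that loads the records in a different order still reconciles cleanly; only a changed, missing or extra record produces a finding.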
Encryption
necessary when the risk of unauthorized access or interception is relatively high (e.g., industrial espionage, identity theft, credit card data theft).
There also should be a control over nonrepudiation, which ensures that the intended recipient is the actual recipient of the data.
Encryption
is a method of securing data by converting it into a coded format, making it unreadable to unauthorized users. It protects sensitive information from being accessed or intercepted during transmission.
End Users
the people who access business applications that were programmed, serviced and installed by others
End-User Computing (EUC)
refers to the ability of end users (who typically are not programmers) to design and implement their own applications or information systems using computer software products.
- Often, an end-user support manager is a liaison between an IT department and end users
Benefits of EUC
- users can quickly build and deploy applications, taking the pressure off of the IT department.
- EUC also enables organizations to be more flexible and more rapidly address shifting marketplaces, regulations and consumer interests.
Lack of IT department involvement in EUC
brings associated risk, because the applications may not be subject to an independent review and, frequently, are not created in the context of a formal development methodology
In most instances, EUC applications do not pose a significant risk to the enterprise. Nonetheless, management should define risk criteria to determine the criticality of the application.
- These applications should also be subject to data classification, and those deemed critical enough should be subject to the same controls as any other application
Organizations
need to manage and control EUC and the IS auditor should ensure that policies for the use of EUC exist.
Inventory
of all such applications should exist, and those deemed critical enough should be subject to the same controls as any other application
Data
also exists in many forms, such as text, numbers, graphics and video.
- After data is made meaningful, it becomes information, which is crucial to the operation of an enterprise
Data Governance ensures that:
Stakeholder needs, conditions and options are evaluated to determine balanced, mutually agreed enterprise objectives to be achieved
Direction is set
Performance and compliance of data/information resources are monitored and evaluated
Data Governance
reflects the practice of evaluating requirements and bringing direction and control over data and information so that users have access to that data and can trust and rely on it.
- also involves monitoring the performance of IT operations
→ specifically those areas that relate to data and its availability, integrity and confidentiality.
Data Management Body of Knowledge (DMBOK)
defines data management as “the planning and execution of policies, practices, and projects that acquire, control, protect, deliver, and enhance the value of data and information assets.”
Data Quality
key to data management
- there are three subdimensions of quality
- intrinsic
- contextual
- security/accessibility
- Each subdimension is divided further into several quality criteria