The process that ensures effective and efficient use of IT so a company can achieve goals and provide value
IT governance
Define the criteria a company can use to implement, manage, and monitor IT governance, including measurements for effectively leveraging IT resources
IT governance frameworks
- Developed by the Information Systems Audit and Control Association (ISACA), and its name originally stood for "Control Objectives for Information and Related Technologies"
- The most widely used international standard for IT governance
- Designed to help companies meet regulatory compliance requirements, manage IT risks, and ensure that IT strategies are aligned with corporate goals
COBIT 2019
What is the difference between COSO and COBIT (Focus, Scope, Audience)?
Focus: COSO - corporate governance, COBIT - IT governance
Scope: COSO - All internal controls, COBIT - Only IT specific controls
Audience: COSO - Management, Board of Directors, Internal and external audit; COBIT - IT managers, IT professionals, Internal and external audit
What are the 2 categories that the domains are divided into?
1. IT Governance Objectives
2. Management IT Objectives
What are the 5 domains of COBIT 2019 and which category are they in?
1. Evaluate, Direct, and Monitor (EDM) - IT Governance
2. Align, Plan, and Organize (APO) - Management IT
3. Build, Acquire, and Implement (BAI) - Management IT
4. Deliver, Service, and Support (DSS) - Management IT
5. Monitor, Evaluate, and Assess (MEA) - Management IT
These objectives focus on creating the strategy
IT governance objectives
These objectives focus on turning the Strategy into Action
Management IT Objectives
- The only IT governance-focused domain in COBIT 2019
- This domain states that the board of directors or governing body of an organization must evaluate stakeholder needs and IT strategic options, create direction by prioritizing and making decisions about these options, and monitor these IT strategies for performance, progress, and compliance
Evaluate, Direct, and Monitor (EDM)
Where management assesses IT requirements, acquires technology, and implements the technology
Build, Acquire, and Implement (BAI)
Focuses on existing IT projects and whether they are meeting the organization's objectives
Monitor, Evaluate, and Assess (MEA)
Addresses the way IT is used to meet organizational objectives
Align, Plan, and Organize (APO)
Relates to the operational side of IT projects, including IT support
Deliver, Service, and Support (DSS)
Identify, authorize (grant permission), authenticate (ensure that users are who they say they are), and provide access to users of a computer information system
Logical access controls
Help a company keep track of who is coming and going to prevent unauthorized individuals from entering a facility
Physical access controls
Companies implement a type of authorization called ________ to restrict network access by assigning individuals specific roles that have predefined criteria for what they can and cannot access in the system
role-based access control (RBAC)
What are the 3 elements of role-based access control?
1. User access roles are groups with predefined permissions to which users are assigned, with each user assigned to only one role at a time
2. A permission is a listing of access rights, or privileges, a user has once assigned to a role
3. The administrator role is the highest role in the hierarchy and has permissions for all objects
What are the 4 user roles? (In order)
1. Administrator
2. Creator
3. User
4. Read-Only
- Has all privileges for all objects
- Can add, remove, and set access rights and privileges for all objects
Administrator
Can configure and use existing creations (reports/dashboards)
User
Can create, use, configure, and delete
Creator
- Can view the data and details about the data
- Cannot perform any actions through the menus and toolbars
Read-Only
The process of associating the username of each authorized user with a unique identifier
User Authentication
Occurs when a strong combination of identifiers is required when a user logs in
Multifactor Authentication
What are the 3 things user authentication can be based on? Provide an example of each
1. Knows - Login ID, Password, PIN
2. Has - ID Badge, Smart Card, Smart Key
3. Is - Fingerprint, Voiceprint, Facial Scan
- The formal process of granting access to a new user
- This process can be different from one company to another
User access provisioning
What are the three steps to user access provisioning?
1. Access Requested
2. Access Approved
3. Access Granted
The formal process of changing a user's access (including fully removing their access rights)
User access de-provisioning
What are the 2 options for user access de-provisioning, and what are the steps in each?
1. Terminate - Remove all access
2. Transfer - Review access level, update access
Exists when a user has not accessed the system for a significant period of time but still has an active role that grants them access
Dormant Access
- Periodic reviews of all current users and their system roles
- This internal control protects the data and security of the system by lowering a variety of inappropriate use risks
User access reviews
What are 4 problems that can happen when there is unauthorized access to a company's systems?
1. Employee fraud
2. Malicious attacks on systems and data
3. Systems and data being held for ransom
4. Data breaches
- Used to protect the physical components on which systems and data are stored
- Also known as a network operations center (NOC), it is an area in a building—or even an entire building—that is dedicated to the physical storage of computer and telecommunication systems
- Can be either onsite or offsite
Data Center
What are the three key environments of a data center?
1. Outside environment
2. Inside environment
3. Physical security
A data center should be on the lower floors of its building, and an ideal building will be on higher ground to avoid flooding
Outside Environment
- Most data centers have their own air-conditioning units, and the rooms are chilled to prevent overheating
- Raised floors allow air to circulate and keep equipment cool
- Smoke and water detectors
- Fire suppression system
- Access control vestibule
Inside Environment
- Place where data center employees ensure that things are operating properly
- Inventory of equipment, systems, and data is also stored here
- Conditions of the inside environment are monitored here
Operations Center
- Not everyone can enter the data center
- This is the center of the company's IT infrastructure, and unauthorized access to this room is a high risk to the equipment that is powering the business
- Only employees directly involved with operating the data center are authorized to enter
- A robust IT governance process ensures all physical computer systems and data equipment are protected
Physical Security
What are 3 common risks to physical equipment and systems?
1. A natural disaster causing damage to systems and equipment may result in a disruption of business activities and financial losses
2. An unauthorized user gaining access to physical equipment may result in theft, malicious attacks, fraud, or data breaches
3. Failure to maintain facilities in accordance with laws and regulations may result in fines and reputational losses
- A set of procedures that a business undertakes to protect employees, other stakeholders, and assets in the event of a disruptive event
- It ensures that a business and all its processes continue running
- It is always evolving, and companies use lessons learned from previous events to improve
Business continuity planning (BCP)
A subset of business continuity planning, and its focus is keeping technology up and running
Disaster Recovery
What are the 3 key considerations of data backups?
1. The backup site (location)
2. The backup strategy (quantity)
3. The backup cycle (frequency)
Companies categorize systems and data based on ________
Importance
- A physical location where company personnel will go to recover systems and data after a disaster
- A re-creation of a data center that provides the company with a place of operations if the data center is impacted during a disaster
Backup Sites
What are the 3 types of backup sites?
1. Hot
2. Warm
3. Cold
A backup site that is immediately operational after a disaster; it is the most expensive option, and it runs and backs up continuously
Hot Backup Site
- Equipped with servers ready for systems to be installed and contains only some of the equipment needed to ramp up operations
- It might take more than a couple of hours to switch over
- The cost of maintaining it is significantly less
- Is only updated at the end of each day instead of in real time
Warm Backup Site
- An almost empty room with no servers or equipment ready
- It has physical space, power, climate control, and physical security controls but is otherwise unequipped
- Data is not stored here because systems are not installed
- Significant time must be spent installing equipment, systems, and data
- Recovering often takes days or weeks
- Cheapest option
Cold Backup Site
When a disaster strikes, a business focuses on two metrics, which are:
1. Recovery time objective (RTO)
2. Recovery point objective (RPO)
How much data can be lost before it causes significant damage to the business (the time since the last backup)
Recovery point objective (RPO)
How much time a system can be down before it causes significant damage to the business (the time to resume operations)
Recovery time objective (RTO)
Determines which data is being stored during a data backup
Backup Strategy
What are the 3 basic types of backup strategies?
1. Full
2. Differential
3. Incremental
- Back up all data
- Slowest backup time
- Takes up the most amount of storage space
Full Backup
- Back up all data changed since the last full backup
- Moderate backup time
- Takes up a moderate amount of storage space
Differential Backup
- Back up only new data since the most recent backup of any type
- Fast backup time
- Takes up the least amount of storage space
- Cheapest option
Incremental Backup
- Determines when data is being stored during a data backup
- This is the frequency with which data is backed up
- Any of the three backup strategies can be used within a cycle
- Important when planning for RPO
Backup Cycles
What are the 3 backup cycles?
1. Grandfather cycle
2. Father cycle
3. Son cycle
Full backup, once a month
Grandfather Cycle
Full backup, once a week
Father Cycle
Incremental or differential backup, every day
Son Cycle
- A standardized process that decreases risk by controlling the identification and implementation of required changes to a system
- Updates to a system can have a significant impact on its users
- Changes must be made quickly and reliably
Change Management
What are the 3 stages of the change management process?
1. Creating changes in the test environment
2. Evaluating accuracy of changes in the model environment
3. Implementing changes in the production environment
- Often called a "sandbox" because developers can "play" here without having any impact on the actual system
- Users submit requests, developers write code, and code is sent to be modeled
Test Environment
- A recent copy of the live system, used to implement the code in an environment that closely resembles production
- The changes are tested before the code is sent to the production environment
The Model Environment
- The stage in which the updated system goes live and is available to end users
- Code is implemented and systems go live
Production Environment
Follow the formal change management process to avoid the risk of mistakes
Normal Changes
- Require immediate action to mitigate a significant risk such as a system outage, compliance issue, or security risk
- Bypass the model environment and move directly to the production environment
Emergency Changes
Unauthorized or incorrectly executed changes to a system may result in:
1. Incompatibility with existing infrastructure
2. Disruptions in ongoing business processes due to system malfunctions or outages
3. Data breaches or malicious code being programmed into the systems
4. Internal fraud, which occurs when an employee steals from the business