
APPLICATION CONTROL

Ali Masjono
[Figure: application control overview diagram. Labels: Users; App1; Boundaries control; User ID and Password; Permission/approval; Input Control; Communication Control; Process Control; Output Control; Data administrator control; Database administrator control; Data]

REVIEW LAST MEETING

Ron Weber, Information System Control and Audits

APPLICATIONS CONTROLS

• Students should be able to:
• Explain and identify boundary controls
• Explain and identify input controls
• Explain and identify communication controls
• Explain and identify process controls
• Explain and identify database controls
• Explain and identify output controls

APPLICATION CONTROL
BY NATE LORD ON MONDAY SEPTEMBER 10, 2018

• Application control is a security practice that blocks or
restricts unauthorized applications from executing in
ways that put data at risk. The control functions vary
based on the business purpose of the specific
application, but the main objective is to help ensure the
privacy and security of data used by and transmitted
between applications.

Source: https://digitalguardian.com/blog/what-application-control
APPLICATION CONTROL
BY NATE LORD ON MONDAY SEPTEMBER 10, 2018

• Application control includes completeness and validity
checks, identification, authentication, authorization,
input controls, and forensic controls, among others.

Application Control
by Nate Lord on Monday September 10, 2018
• Completeness checks – controls ensure records processing from initiation to completion
• Validity checks – controls ensure only valid data is input or processed
• Identification – controls ensure unique, irrefutable identification of all users
• Authentication – controls provide an application system authentication mechanism
• Authorization – controls ensure access to the application system by approved business
users only
• Input controls – controls ensure data integrity feeds into the application system from
upstream sources
• Forensic controls – controls ensure scientifically and mathematically correct data, based
on inputs and outputs
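
A small illustration of the completeness and validity checks listed above, added here as an example (it is not from the slides or the cited article). The batch layout, the control totals in the header and the field names are assumptions made for the illustration.

```python
from datetime import date

# Constructed sample batch (hypothetical layout): the header carries control
# totals computed upstream; amounts are integer cents.
BATCH = {
    "header": {"record_count": 4, "amount_total": 185000, "hash_total": 4010},
    "records": [
        {"account": 1001, "amount": 50000, "date": "2018-09-10"},
        {"account": 1002, "amount": 25000, "date": "2018-09-10"},
        {"account": 1003, "amount": -10000, "date": "2018-09-10"},  # bad amount
        {"account": 1004, "amount": 120000, "date": "2018-13-01"},  # bad date
    ],
}
VALID_ACCOUNTS = {1001, 1002, 1003, 1004}

def validity_errors(rec):
    """Validity check: reasons this record must not be processed."""
    errors = []
    if rec["account"] not in VALID_ACCOUNTS:
        errors.append("unknown account")
    if rec["amount"] <= 0:
        errors.append("non-positive amount")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("invalid date")
    return errors

def completeness_errors(batch):
    """Completeness check: recompute control totals, compare with the header."""
    recs, hdr = batch["records"], batch["header"]
    actual = {"record_count": len(recs),
              "amount_total": sum(r["amount"] for r in recs),
              "hash_total": sum(r["account"] for r in recs)}  # sum of account numbers
    return [f"{k}: header {hdr[k]}, received {v}"
            for k, v in actual.items() if hdr[k] != v]

def process_batch(batch):
    """Reject an incomplete batch whole; otherwise separate valid from invalid."""
    problems = completeness_errors(batch)
    if problems:
        return {"status": "batch rejected", "problems": problems}
    accepted, rejected = [], []
    for rec in batch["records"]:
        errs = validity_errors(rec)
        (rejected if errs else accepted).append((rec["account"], errs))
    return {"status": "processed", "accepted": accepted, "rejected": rejected}
```

A batch that lost a record in transit fails all three control totals and is rejected before any record is processed, while a complete batch has every record accounted for as either accepted or rejected.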

Application Control
by Nate Lord on Monday September 10, 2018
• Simply put, application controls ensure proper coverage and the
confidentiality, integrity, and availability of the application and its
associated data. With the proper application controls, businesses
and organizations greatly reduce the risks and threats associated
with application usage because applications are prevented from
executing if they put the network or sensitive data at risk.

SECURE YOUR SOFTWARE WITH AN APPLICATION
CONTROL AUDIT.
• An application control audit is designed to ensure that an
application’s transactions and the data it outputs are secure,
accurate and valid. As applications have become the primary attack
vector for malicious individuals seeking to breach enterprise
defenses, the application control audit has become an important
tool in ensuring that software is free from flaws and vulnerabilities
that might be exploited by hackers.

APPLICATION CONTROL SOFTWARE:
APPLICATION CONTROL AUDIT SOLUTIONS FROM VERACODE.

• Performing an application control audit for every piece of software in your
application portfolio can be both time-consuming and expensive. This type of
application security assessment typically involves Dynamic Analysis Security
Testing (DAST), also known as black box testing, which seeks to find
weaknesses by probing and attacking an application in a runtime environment
just as a hacker would. The time involved in this kind of web application audit
often causes tension with aggressive development timelines, and
development teams will frequently postpone testing until later stages of
development. The risk is that when an application control audit reveals
weaknesses at this stage, the flaws are harder and more expensive to fix.

APPLICATION CONTROL FRAMEWORK
• Application controls involve ensuring that individual
application systems safeguard assets, maintain data
integrity and achieve their objectives effectively and
efficiently.
• Application controls are intended to provide assurance that
every application system used by an organization can
safeguard assets, maintain data integrity and achieve its
objectives efficiently and effectively.

Ron Weber, Information System Control and Audits, 10/4/11


APPLICATION SYSTEM CONTROLS DIFFER FROM
MANAGEMENT CONTROLS IN FOUR WAYS
• Application controls are exercised by hardware and software rather
than people.
• Application controls apply to data and the processing of data rather
than to system development, maintenance and operation
processes.
• Whether an application control exists in each application system is a
cost-benefit question; the existence of a management control
depends on a cost-benefit analysis of the whole set of
applications.
• Application controls tend to focus on safeguarding assets
(reducing expected loss from unauthorized or inadvertent
removal or destruction of assets) and maintaining data integrity
(ensuring that data is authorized, complete, accurate and not
redundant).

DIFFERENCES BETWEEN APPLICATION CONTROLS AND
GENERAL CONTROLS
• Application controls differ from management controls
in the following respects:
• Application controls involve hardware and software, not
people.
• Application controls are applied to data and its processing, not
to the system development, maintenance and operation
processes.
• Application controls exist in each application system and
are tied to costs and benefits, whereas management
controls depend on a cost-benefit analysis of the
applications as a whole.
• Application controls tend to focus on safeguarding assets
(protection against possible loss, removal or
destruction) and maintaining data integrity (ensuring that
use is authorized and that data is complete, accurate and
not stored redundantly).
WHY EVALUATE APPLICATION CONTROLS
• External auditors might have concluded that
management controls are reliable; as a result, the
auditors decide to proceed to test the controls in
material application systems with a view to relying on
these controls and reducing the extent of substantive
testing.
• Internal auditors, based on an evaluation of
management controls, might wish to test a
hypothesis about the strengths or weaknesses in
specific types of controls within the application
system.
ASSESSING INFORMATION TECHNOLOGY RISK
• Boundary
  • Comprises the components that establish the interface
between the user and the system.
• Input
  • Comprises the components that capture, prepare and enter
commands and data into the system.
• Communication
  • Comprises the components that transmit data among
subsystems and systems.

ASSESSING INFORMATION TECHNOLOGY RISK
• Processing
  • Comprises the components that perform decision making,
computation, classification, ordering and summarizing of data
in the system.
• Database
  • Comprises the components that define, add, access, modify
and delete data in the system.
• Output
  • Comprises the components that retrieve and present data to
users of the system.

IS Control and Audit, Ron Weber. CISA Review Manual, ISACA, 2003. 9/28/11
