8 IS Controls For System Reliability Part1 - Information Security
Learning Objectives
- Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
- Explain the factors that influence information systems reliability.
- Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.
AIS Controls
- COSO and COSO-ERM address general internal control.
- COBIT addresses information technology internal control.
COBIT Framework: Information Criteria
- Effectiveness: Information must be relevant and timely.
- Availability: Information must be available whenever needed.
- Efficiency: Information must be produced in a cost-effective manner.
- Confidentiality: Sensitive information must be protected from unauthorized disclosure.
- Compliance: Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
- Reliability: Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
- Integrity: Information must be accurate, complete, and valid.
COBIT Cycle
COBIT Controls
- 210 controls for ensuring information integrity.
- Security: Access to the system and its data is controlled and restricted to legitimate users.
- Confidentiality
- Processing Integrity
- Privacy
- Availability: The system and its information are available to meet operational and contractual obligations.
Time-Based Model
- Combination of detective and corrective controls.
Preventive Controls
- Training
- User access controls (authentication and authorization)
- Physical access controls (locks, guards, etc.)
- Network access controls (firewalls, intrusion prevention systems, etc.)
- Device and software hardening controls (configuration options)
Authentication vs. Authorization
- Border router
- Firewall
Detective Controls
- Log analysis
- Intrusion detection
- Managerial reports
- Security testing
Corrective Controls
- Computer Incident Response Team
- Chief Information Security Officer (CISO)
- Patch management
  - Operating systems
  - Application programs
New Considerations
- Virtualization
  - Risks: increased exposure if a breach occurs; reduced authentication standards.
- Cloud Computing
  - Remotely accessed resources.
  - Opportunities: software applications, data storage, hardware.

Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.

Copyright 2012 Pearson Education, Inc. publishing as Prentice Hall