IT Auditing notes 2
Operation Control
Segregation of Duties
Avoid single person could be responsible for diverse and critical functions. Otherwise, error or misappropriation could occur and not be detected in a timely manner and in normal course of business processes.
Incident handling
identify when where whole
Shadow IT: IT users at an organisation electing to use tools and services that have not been officially sanctioned by said organisation.
- Converage - insurance?
- Action - what to do?
- Evidence
- Tasks to do during recovery
Management of removable media and system documentation
Monitoring
- audit logging
- Clock Synchronize
Logical Controls
Concurrent Sign-on Session
can be very useful, but also a control weaknesses
Suggestion:
- No or only few user can have concurrent
- No more than two
- Logged and reviewed
Remote access Control
- Deducated leased liveness
- VPN
- Identification process (username?)
- Authentication process (password?)
- Permitted/denied
Input Control
source document design - arrange fields for ease of use.
Software development Control
- Business realization: 個system點幫到公司
- project management
- Cost and resource/ Deliverable/Time(Duration)
- System development approach SDLC approaches
- SDLC: 流水線
IT Auditing notes 2