IT Auditing notes 2

Operation Control

Segregation of Duties

Avoid having a single person responsible for diverse and critical functions. Otherwise, an error or misappropriation could occur and not be detected in a timely manner in the normal course of business processes.

Incident handling

identify when where whole

Shadow IT: IT users at an organisation electing to use tools and services that have not been officially sanctioned by said organisation.

  • Coverage - insurance?
  • Action - what to do?
  • Evidence
  • Tasks to do during recovery

Management of removable media and system documentation

Monitoring

  • audit logging
  • Clock Synchronize

Logical Controls

Concurrent Sign-on Session

can be very useful, but also a control weakness

Suggestion:

  • No users, or only a few users, can have concurrent sessions
  • No more than two
  • Logged and reviewed

Remote access Control

  • Dedicated leased lines
  • VPN
  1. Identification process (username?)
  2. Authentication process (password?)
  3. Permitted/denied

Input Control

source document design - arrange fields for ease of use.

Software development Control

  • Business realization: how the system helps the company
  • project management
    • Cost and resource/ Deliverable/Time(Duration)
  • System development approach SDLC approaches
    • SDLC: a pipeline (assembly line) of phases

IT Auditing notes 1

The structure of an IT Audit

Phase 1 - Audit Planning Phase

In this phase, the auditor reviews controls such as general controls and application controls. After that, the auditor plans tests of controls and substantive testing procedures.

Phase 2 - Test of Control

Perform tests of control -> Evaluate Test result -> Determine degree of reliance on controls.

Phase 3 - Substantive Testing Phase

Perform Substantive Tests -> Evaluate Result -> issue audit report

PDC Control Models

Preventive - prevention, stop the problem before it happens

Detective - monitoring, find the problem when it happens

Corrective - clean up afterwards, fix the damage

Internal Control Activities

  • Independent verification
  • Transaction Authorization
  • Segregation of duties
  • Supervision
  • Audit trail provision

Physical Control

Provision of a secure area - Security perimeter

Prevent unauthorized access

  • Physical lock : Conventional keys/Electronic access badge system/cipher lock
  • Selection and design of secure areas
  • Intruder detection system (camera)
  • Separate from 3rd party areas and public areas
  • backup
  • loading area

backup

  • Full backup
  • Incremental backup
    • Cumulative incremental: Since last full backup
    • Differential incremental: Since last backup (any type)

Resumption programs

Hot site - fully equipped and can be operational in less than 24 hours
Cold site -
Partner with other companies

Risk Analysis

Step 1 - identify Threats and Risks

  • Threat agents: the people or things that trigger threats, e.g. fire/hacker/employee/…
  • Weaknesses: vulnerabilities
  • Risks: the consequences that weaknesses lead to

Step 2 - Quantify Impact of potential Threats

Single Loss Expectancy (SLE) × Annualized frequency (Annualized Rate of Occurrence, ARO) = Annual Loss Expectancy (ALE)

Select a counter measurement

Cost/benefit calculation:

ALE before implementing the safeguard - ALE after implementing the safeguard - annual cost of the safeguard = value of the safeguard to the company
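Worked example of the risk quantification and cost/benefit steps above, added here as illustration (not part of the original notes). The threat, loss figures and safeguard options are constructed; ALE is computed as SLE × ARO.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Risk:
    """A threat scenario quantified for one year (constructed values)."""
    name: str
    sle: float  # Single Loss Expectancy: monetary loss per incident
    aro: float  # Annualized Rate of Occurrence: expected incidents per year

    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate counter-measure and the residual risk it leaves."""
    name: str
    annual_cost: float
    sle_after: float  # loss per incident once the safeguard is in place
    aro_after: float  # incident frequency once the safeguard is in place

    def residual_ale(self) -> float:
        return self.sle_after * self.aro_after


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """ALE before - ALE after - annual cost of safeguard (the notes' formula)."""
    return risk.ale() - sg.residual_ale() - sg.annual_cost


def best_safeguard(risk: Risk, options: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the option with the highest positive value; None if nothing pays off."""
    best = max(options, key=lambda sg: safeguard_value(risk, sg), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return None
    return best


# Constructed scenario: loss of an unencrypted backup tape in transit.
TAPE_LOSS = Risk("lost backup tape", sle=50_000.0, aro=0.5)
OPTIONS = [
    Safeguard("encrypt tapes + tracked courier", 8_000.0, 50_000.0, 0.1),
    Safeguard("replace tapes with dedicated line", 30_000.0, 0.0, 0.0),
]

if __name__ == "__main__":
    for sg in OPTIONS:
        print(f"{sg.name}: value {safeguard_value(TAPE_LOSS, sg):,.0f} per year")
```

A negative value means the safeguard costs more per year than the loss it avoids, so the auditor would question its justification.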