Controlling - PowerPoint PPT Presentation

Provided by: curtwes
Slides: 41

Transcript and Presenter's Notes

1
  • Controlling
  • Information Systems
  • IT Processes

2
Learning Objectives
  • Learn the major IT resources
  • Appreciate the problems in providing adequate
    controls over IT resources
  • Study major IT control processes and practices
    organization use to manage IT resources
  • Understand how IT and personnel control plans can
    help an organization achieve its strategic vision
    for IT
  • Overview the major steps in acquiring and
    implementing new IT resources
  • Examine business continuity and security controls
    that help ensure continuous, reliable IT service
  • Value the integral part played by the monitoring
    function in ensuring the overall effectiveness of
    a system of internal controls

Controlling Information Systems IT Processes
3
IT Governance vs. Organizational Governance
  • Organizational governance: processes employed by
    organizations to select and attain objectives.
  • IT governance: processes to see that the
    organization's IT supports the attainment of
    organizational objectives.

4
Control Objectives for Information Technology
(COBIT)
  • Developed by the Information Systems Audit and
    Control Foundation to provide guidance to
    managers, users, and auditors on the best
    practices for the management of information
    technology.
  • According to COBIT:
    • IT resources must be managed by IT control
      processes to ensure that the organization has the
      information it needs to achieve its objectives.
  • Exhibit 8.1 defines the IT resources that must be
    managed, and Chapter 1 describes the qualities
    that this information must exhibit in order for
    it to be of value to the organization.

5
IT Resources
  • Data: Objects in their widest sense (i.e.,
    external and internal), structured and
    nonstructured, graphics, sound, etc.
  • Application systems: Application systems are
    understood to be the sum of manual and programmed
    procedures reflecting business processes.
  • Technology: Technology covers hardware, operating
    systems, database management systems, networking,
    multimedia, etc.
  • Facilities: Facilities are all resources used to
    house and support information systems.
  • People: People include staff skills, awareness,
    and productivity to plan, organize, acquire,
    deliver, support, and monitor information systems
    and services.

6
A Hypothetical Computer System
  • The IT resources are typically configured with
    some or all of the elements shown in Figure 8.1.
  • This computer system consists of one or more
    mainframe computers connected to several
    networked client computers (CCs) and PCs, perhaps
    through a LAN, and to PCs and CCs located in the
    organization's other facilities, perhaps through
    a WAN.
  • Computer facilities operated by other
    organizations are connected, perhaps via the
    Internet and through a firewall, to the mainframe,
    servers, and PCs.

7
Hypothetical Computer System Figure 8.1
8
Questions for the IT Control Process
  • How can we protect the computer from misuse,
    whether intentional or inadvertent, from within
    and outside the organization?
  • How do we protect the computer room, and other
    rooms and buildings where connected facilities
    are located?
  • Do we have disaster plans in place for continuing
    our operations?
  • What policies and procedures should be
    established to provide for efficient, effective,
    and authorized use of the computer?
  • What measures can we take to help ensure that the
    personnel who operate and use the computer are
    competent and honest?

9
Information System Function
  • The ISF is the dept. or function that develops
    and operates information systems.
  • Centralized: CIO is central leader of all
    information system functions.
  • Decentralized: Assigns personnel to non-central
    (e.g., departments) organizational units.
  • Functional organization: Assigns personnel to
    skills-based units (e.g., programming, systems
    analysis). Used by both decentralized and
    centralized organizations.
  • Matrix: Assembles work groups or teams, comprised
    of members from different functional areas, under
    the authority of a team leader.
  • Project: Establishes permanent systems
    development structures such as Financial Systems
    Development.

10
Centralized Information System Organization
11
Summary of Information Systems Functions
12
Summary of Information Systems Functions (continued)
13
Summary of Information Systems Functions (continued)
14
COBIT
  • COBIT organizes IT internal control into domains
    and processes
  • Domains include:
    • Planning and organization
    • Acquisition and implementation
    • Delivery and support
    • Monitoring
  • Processes detail the steps in each domain

15
IT Control Domains and Processes
16
IT Control Processes & Domains
  • Planning & Organization Domain
    • IT Process 1: Establish strategic vision
    • IT Process 2: Develop tactics to realize
      strategic vision
  • Acquisition & Implementation Domain
    • IT Process 3: Identify automated solutions
    • IT Process 4: Develop & acquire IT solutions
    • IT Process 5: Integrate IT solutions into
      operations
    • IT Process 6: Manage change to existing IT systems

17
IT Control Processes & Domains (cont.)
  • Delivery & Support Domain
    • IT Process 7: Deliver required IT services
    • IT Process 8: Ensure security & continuous
      service
    • IT Process 9: Provide support services
  • Monitoring Domain
    • IT Process 10: Monitor operations

18
IT Process 1: Elements of Strategic IT Plan
  • A summary of the organizational strategic plan's
    goals and strategies, and how they are related to
    the information systems function.
  • IT goals and strategies, and a statement of how
    each will support organizational goals and
    strategies.
  • An information architecture model encompassing
    the corporate data model and the associated
    information systems.
  • An inventory of current information systems
    capabilities.

19
IT Process 1: Elements of Strategic IT Plan (cont.)
  • Acquisition and development schedules for
    hardware, software, and application systems and
    for personnel and financial requirements.
  • IT-related requirements to comply with industry,
    regulatory, legal, and contractual obligations,
    including safety, privacy, transborder data
    flows, e-Business, and insurance contracts.
  • IT risks and risk action plan.
  • Process for modifying the plan to accommodate
    changes to the organization's strategic plan and
    changes in information technology conditions.

20
IT Control Domains and Processes
21
IT Process 2: Tactics to Plan, Communicate &
Manage Vision
  • Ensure overall effectiveness
  • Ensure projects are completed on time
  • Ensure quality projects
  • Organizational Control Plans for the Information
    Systems Function
  • Personnel Control Plans

22
Organizational Control Plans
  • Segregation of Duties
    • Within the IS function
  • Controlling for input accuracy, update accuracy,
    and security of resources
  • Reducing the risk of erroneous recordkeeping,
    erroneous management decisions, and embezzlement or
    loss of resources
  • Information System Function

23
Segregating 4 IS Functions
  • Authorizing Events (non ISF)
  • Executing Events (non ISF)
  • Recording Events
  • Safeguarding Resources attributed to/from Events
    (non ISF)

24
Segregation of Duties
25
Segregation of Duties Applied to IS Function
26
IT Process 2: Organizational Control Plans
  • Organizational Control Plans for the Information
    Systems Function
  • The information systems function (ISF) normally
    acts in a service capacity for other operating
    units in the organization. In this role, it
    should be limited to recording events and posting
    event summaries.
  • Approving and executing events along with
    safeguarding resources should be carried out by
    departments other than IS.

27
IT Process 2: Organizational Control Plans (cont.)
  • Within the ISF we segregate duties:
    • Data librarian: grants access to stored data and
      programs to authorized personnel to reduce the
      risk of unauthorized computer operation by
      programmers or unauthorized programming by
      operators.
    • Security officer: assigns passwords, monitors
      employees' network access, grants security
      clearance for sensitive projects, and works with
      human resources on interview practices and
      background checks.
  • The information technology steering committee:
    • Coordinates the organizational and IT strategic
      planning processes.
    • Reviews and approves the strategic IT plan.
    • Helps the organization establish and meet user
      information requirements.
    • Helps ensure effective and efficient use of IT
      resources.
  • The committee should consist of about seven
    executives from major functional areas of the
    organization, including the information systems
    executive; it should report to senior management
    and meet regularly.

28
IT Process 2: Personnel Control Plans
  • Selection & Hiring Control Plans
    • Qualified personnel, including technical
      background
  • Retention Control Plans
    • Retaining may be harder than hiring
    • Provide challenging work and opportunities for
      advancement
  • Personnel Development Control Plans
    • Training and development
  • Personnel Management Control Plans
  • Personnel Planning Control Plans
    • Skills, turnover, filling positions
  • Job Description Control Plans
    • Job descriptions written and updated
  • Supervision Control Plans
    • Approving, monitoring, and observing the work of
      others
  • Personnel Security Control Plans
    • Rotation of duties, forced vacations, bonding
  • Personnel Termination Control Plans
    • Procedures when an employee voluntarily or
      involuntarily leaves an organization

29
IT Control Domains and Processes
30
IT Process 3: Identify Automated Solutions
  • To ensure selection of the best approach to
    satisfying users' IT requirements, an
    organization's systems development lifecycle must
    include procedures to:
    • define information requirements
    • formulate alternative courses of action
    • perform technological, economic, and operational
      feasibility studies
    • assess risks
  • Solutions should be consistent with the strategic
    information technology plan.
  • At completion of this process, the
    organization must decide what approach will be
    taken to satisfy users' requirements, and whether
    it will develop the IT solution in-house or will
    contract with third parties for all or part of
    the development.

31
IT Process 4: Develop/Acquire IT Solutions
  • Develop and acquire application software
  • Acquire application infrastructure
  • Develop service level requirements and
    application documentation, which typically
    includes the following:
    • Systems documentation
    • Program documentation
    • Operations run manuals
    • User manuals
    • Training materials

32
IT Process 5: Integrate IT Solutions Into
Operational Processes
  • To ensure that a new or significantly revised
    system is suitable, the organization's SDLC
    should provide for a planned, tested, controlled,
    and approved conversion to the new system.
  • After installation, the SDLC should call for a
    review to determine that the new system has met
    users' needs in a cost-effective manner.
  • When organizations implement enterprise systems,
    the successful integration of new information
    systems modules into existing information and
    operations processes becomes more difficult and
    more important.

33
IT Process 6: Manage Changes to Existing IT
Systems
  • To ensure processing integrity between versions
    of systems and to ensure consistency of results
    from period to period, changes to the IT
    infrastructure (hardware, systems software, and
    applications) must be managed via change request,
    impact assessment, documentation, authorization,
    release and distribution policies, and
    procedures.
  • Program change controls provide assurance that
    all modifications to programs are authorized, and
    ensure that the changes are completed, tested,
    and properly implemented.
  • Changes in documentation should mirror the
    changes made to the related programs.

34
IT Control Domains and Processes
35
IT Process 7: Deliver Required IT Services
  • Define service levels
  • Manage third-party services
  • Manage IT operations
  • Manage data (backup)
  • Identify and allocate costs

36
IT Process 8: Ensure Security & Continuous
Service
  • Ensure Continuous Service
    • Disaster recovery planning, contingency planning,
      business interruption planning, business
      continuity planning.
  • Restricting Access to Computing Resources
    • Restrict physical access to computer facilities.
    • Restrict logical access to stored programs, data,
      and documentation.
  • Ensure Physical Security
    • Fire: smoke detectors, fire alarms, fire
      extinguishers, fire-resistant construction
      materials, insurance.
    • Water: waterproof ceilings, walls, and floors;
      adequate drainage; water and moisture detection
      alarms; insurance.
    • Dust: regular cleaning of rooms and equipment,
      dust-collecting rugs at entrances, separating
      dust-generating activities from the computer, good
      housekeeping.
    • Power: voltage regulators, backup batteries and
      generators.

37
IT Process 8 (Cont.)
38
IT Process 9: Provide Support Services
  • Identify the training needs of all personnel,
    internal and external, who make use of the
    organization's information services, and see
    that timely training sessions are conducted.
  • Provide assistance through a help desk function.

39
IT Control Domains and Processes
40
IT Process 10: Monitor Operations
  • Gather data about processes
  • Generate performance reports