Ch-17 Control and Governance of Information System

Upload: sheetalthomas

Post on 30-May-2018


  • 8/9/2019 Ch-17 Control and Governance of Information System


    Control and governance of information systems

    By Sheetal Thomas

    Dean, GIMT


    Need for control of information system

    High cost of loss of data and wrong decision making

    Possibility of computer abuse

    Risk of computer errors

    Protection of hardware, software, and personnel

    Data privacy and confidentiality


    Objectives of CIS

    Safeguarding of assets

    Maintenance of data integrity

    Effectiveness in achieving organizational objectives

    Efficient consumption of resources


    Information technology governance

    IT infrastructure library

    Service delivery

    Service support

    Planning to implement service management

    Security management

    Infrastructure management

    Business perspective

    Applications management

    Software assets management


    Control objectives for information and related technology

    Planning and organization

    Acquisition and implementation

    Delivery and support

    Monitoring


    Management control of information system

    Top management controls

    Planning

    Organizing

    Leading

    Monitoring


    Systems development management control

    Feasibility study and project initiation

    System analysis and specifying user requirements

    System design and development

    Acceptance testing

    Implementation and maintenance

    Auditing the systems development management function

    Concurrent audit

    Post implementation audit

    General audit


    Programming Management Controls

    Planning

    Control

    Design

    Coding

    Testing

    Operation and maintenance


    Controls

    Data resource management controls

    Security management controls

    Exposure analysis

    Operations management controls

    Control of computer and network operations

    Maintaining data files, programme files, and documentation

    Help desk and technical support

    Management of outsourced operations


    Quality assurance management controls

    Capability maturity model

    The initial level

    The repeatable level

    The defined level

    The managed level

    The optimizing level


    Application control of information systems

    Boundary controls

    Access controls

    Cryptographic controls

    Audit trail controls

    Existence controls

    Input controls

    Design of source documents and data entry screens

    Data code controls

    Batch controls

    Validation of data input

    Audit trail controls

    Existence controls


    Communication controls

    Transmission impairment

    Component failure

    Subversive threats

    Audit trail controls

    Existence controls

    Processing controls


    Database controls

    Access controls

    Integrity controls

    Application software controls

    Concurrency controls

    Cryptographic controls

    File handling controls

    Audit trail controls

    Existence controls

    Roll forward

    Roll back


    Output controls

    Inference controls

    Batch report design controls

    Output production and distribution controls

    Audit trail controls

    Existence controls


    Information system Audit

    Inf. System audit procedures

    Use of computers in information systems audit

    Business continuity and disaster recovery

    Business continuity management

    Availability

    Reliability

    Recoverability

    Business continuity planning

    Disaster recovery planning


    Categorizing the functions

    Critical functions

    Vital functions

    Sensitive functions

    Non-critical functions

    Components of a disaster recovery plan

    Emergency plan

    Backup plan

    Recovery plan

    Test plan


    Testing a disaster recovery plan

    Paper test

    Preparedness test

    Post test