IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1
|
|
- Egbert Francis
- 6 years ago
- Views:
Transcription
1 IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) 1
2 Agenda Background ICOFR need for IT General Controls IT General Control Areas Financial Process Example Project Governance Manage Security Manage Change Manage Data Operations Manage Incidents Wrap-up 2
3 Background 25 Years Experience in IT Field Service, Software Engineer, SAP Configuration, Project Manager, IT Auditor, College Instructor, Cyber Security Engineer, IT Audit Manager Boise State University BBA Computer Information Systems Certified Information Systems Auditor since 2004, ISACA Boise Board of Directors IT Audit/Cyber Security Experience Micron Technology (IT Audit, SOX year one design and testing) Albertsons (Cyber Security Engineer, Internal Audit Liaison) SUPERVALU (IT Audit/IT SOX Manager, External Audit Liaison, Cyber Security Liaison) Lamb Weston (IT Audit Manager) - Current Owner CyberAIT (Architect, Investigate, Train) consulting 3
4 ICOFR need for IT General Controls Frameworks are used to meet responsibilities under SOX to maintain a system of Internal Control over Financial Reporting (ICOFR) COSO Framework used by most enterprises COBIT (in conjunction with COSO) can be used to provide the assessment and improvement of IT internal control practices of an enterprise. IT General Controls are controls that are a part of IT processes, provide a stable operating environment and enhance the effective operation of application controls. ITGC s are the foundation of the Financial and Operational Controls used for SOX assessments. Entity Level Controls Financial Controls Operational Controls IT General Controls ISACA, Relating the COSO Internal Control Integrated Framework and COBIT, USA, 2014, Control-Integrated-Framework-and-COBIT.aspx 4
5 IT General Control Areas Project Governance Policies, Projects for Creation / Acquisition of Systems, SDLC Process Manage Security Policies, Passwords, Developer Access to Production, Access Reviews, SOD Manage Data Policies, Backup Configuration, Backup Execution, Offsite Storage, Restoration, Backup Tool Access Reviews Manage Change Policies, Change Approval, Change Testing, Change Deployment, Change Validation, Change Management Tool Access Reviews Manage Operations Policies, Schedule Exceptions, Schedule Changes, Physical Security of Data Centers Manage Incidents Policies, Incident Tracking, Emergency Changes 5
6 Financial Process Example Let s take a common financial transaction Electronic Journal Entry According to the PCAOB, the financial control testing would need to Cover the nature, timing, and extent of the testing of journal entries and other adjustments. During our review of the of IT General Controls foundation, we will explore how the Electronic Journal Entry is supported by the different IT General Control areas. 6
7 Project Governance Policies PMO, SDLC Projects for Creation / Acquisition of Systems Official Project Identification Tasks (Suggest, Research, Approve, Plan, Execute, Deploy) Capital Approval Board (CAB) Approval Gates (Approve, Plan, Execute (Design, Build, Test), Deploy) Software Development Life Cycle Process Established SDLC process Required Artifacts for : Design Process, Requirements Gathering, Architecture Specifications, Security Review Journal Entry Support If a GL Application upgrade is needed, the project would need PMO approval Project Artifacts would need to be created to support the project Approval Gates for each stage of the project should direct the project progress. 7
8 Manage Security Policies IT Security Policy, Acceptable Use Policy, Mobile Device Management Policy Passwords Password Configuration and Review (Based on Passwords in IT Security Policy) Developer Access to Production Monitoring of developer update access to production systems Journal Entry Support Single Sign On (SSO) Passwords for GL Accountants network access Passwords on the servers/systems that house the GL Application Passwords on the GL Application itself (if not controlled by SSO) GL Application Developers should not have update access to the GL Application Servers or Databases 8
9 Manage Security (cont.) Access Provisioning Network / Active Directory Request and Approval Server / System Access Request and Approval Application Access Request and Approval Access Reviews Functional / System Account Reviews Elevated Access Reviews Application Access Reviews SOX Dependent Tool Access Reviews Journal Entry Support Access requests to GL Application servers/systems and the GL Application itself Access reviews of the GL Application servers/systems and GL Application itself Access reviews of the applications used for provisioning and access reviews if applicable (e.g., Sailpoint) 9
10 Manage Security (cont.) Segregation of Duties in SOX Applications Segregation of Duties Matrix Access Terminations Dependent on Feed from HR Network / Active Directory Access Server / System Access Application Access Journal Entry Support GL Application SOD matrix for GL Process Removal of GL Finance team members Active Directory access. Removal of Access for GL Application Servers / Systems and the GL Application access 10
11 Manage Data Policies Backup Schedules, Retention Schedule, Data Destruction Backup Configuration Tool configuration by server / system type Backup Execution Management and Monitoring of Backup Execution Journal Entry Support Configuration of the backup tools for the GL Application Server and Database Management of the backups of the GL Application Server and Database 11
12 Manage Data (cont.) Offsite Storage Identification of Offsite Storage for backups Physical Access Reviews of the Offsite Storage Areas Restoration Backup Restoration Validation Backup Tool Access Reviews Journal Entry Support GL Application server and database backup offsite storage Planned restoration testing of the Server and Database Backups used for the GL Application 12
13 Manage Change Policies Change Ticket Requirements Change Approval A change request is created and approved according to policy Change Testing A valid Test program is created, executed and approved Change Deployment Approval is obtained before the changes are deployed to production Change Validation Post Deployment Validation takes place before releasing to end users Change Management Tool Access Reviews 13
14 Manage Change (cont.) Journal Entry Support A change is needed to update how Journal Entries are entered in the GL Application A valid change ticket is entered in the ticketing system that is approved before any further action is taken A testing plan is created and executed during the testing of the change. This testing needs to include User Acceptance Testing and approval of the test results by both the IT team and the Business Owners of the GL Application Before the deployment to production of the GL Application changes, the final deployment approval needs to be obtained to ensure that all of the expected change requirements are made After the deployment to production, a member of IT and the GL Management team needs to validate the change before releasing the changes to the entire user population 14
15 Manage Operations Policies Management and Monitoring of scheduled batch jobs Schedule Exceptions Batch Job Failure Notification to include the creation of a Issue Ticket Batch Job Restart Schedule Changes Changes to Scheduled Batch Jobs Physical Security of Data Centers Regular review of physical access Review of Vendor Access requests 15
16 Manage Operations (cont.) Journal Entry Support Batch jobs that post journal entries or create daily reconciliation reports are monitored and restarted when they fail If a business change needs to delay or reschedule jobs related to Journal Entries based on projects requirements. The data center that houses the GL financial information is adequately protected. 16
17 Manage Incidents Policies Incident Creation and Management, Escalation Process Incident Tracking Incidents are logged and tracked Incidents are approved for escalation Emergency Changes Related to a logged and approved Incident Change Documented and Approved within a time frame of the emergency fix Post-Deployment testing is documented as appropriate 17
18 Manage Incidents (cont.) Journal Entry Support An incident is reported that Journal Entries are not being routed for approval correctly. Based on the severity and number of people affected, an incident may be declared If the fix requires a change to production, an Emergency Change ticket needs to be created to track the change to the GL Application. 18
19 Wrap up IT General Controls can create a foundation for Finance and Operational Controls Project Governance Manage Security Manage Data Manage Change Manage Operations Manage Incidents Every company / situation is going to be different and will be dependent on the Risk Assessment of Business and IT Processes and in-scope Applications. Reference Book: IT Control Objectives for Sarbanes-Oxley Using COBIT 5, 3rd Edition 19
20 Questions? Dennis McLaughlin, CISA 20
USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES
WHITE PAPER USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES Table of Contents I. Overview II. COSO to CobIT III. CobIT / COSO Objectives met by using QualysGuard 2 3 4 Using QualysGuard
More informationInformation Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan
Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan 1 Introduction IT Risk and Compliance Officer in Information Management and Technology
More informationTable of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING
Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background
More informationNo IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP
No IT Audit Staff? How to Hack an IT Audit Presenters Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP Learning Objectives After this session, participants will be able to: Devise
More informationIntroduction To IS Auditing
Introduction To IS Auditing Instructor: Bryan McAtee, ASA, CISA Bryan McAtee & Associates - Brisbane, Australia * Course, Presenter and Delegate Introductions * Definition of Information Technology (IT)
More informationAuditing IT General Controls
Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationPresenter: Ben Miron September 9, 2008
Understanding IT General Controls Presenter: Ben Miron September 9, 2008 Session Objectives Understand the IT Environment Define and Identify IT General Controls Develop an understanding for the IT audit
More informationIT Audit Auditing IT General Controls
IT Audit Auditing IT General Controls Agenda Introduction IT Audit IT General Controls Overview Access to Programs and Data Program Change & Development Computer Operations Lessons Learned from Regulatory
More informationSecurities Industry Association Sarbanes Oxley from the IT Practitioner s Point of View. October, 2004
Securities Industry Association Sarbanes Oxley from the IT Practitioner s Point of View October, 2004 Introduction Influences on Bear Stearns approach Bear Stearns IT Strategy 2 SOX Section 404 SEC. 404.
More information354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2
Index Accounts Payable Process Review Procedures Assessments, 191 Actions to Resolve Risks COSO ERM Control Activities, 97 Activity Management COSO ERM Control Activities, 81 AICPA SAS No. 1 Internal Controls
More informationALERT LOGIC LOG MANAGER & LOG REVIEW
SOLUTION OVERVIEW: ALERT LOGIC LOG MANAGER & LOG REVIEW CLOUD-POWERED LOG MANAGEMENT AS A SERVICE Simplify Security and Compliance Across All Your IT Assets. Log management is an essential infrastructure
More informationPosition Description IT Auditor
Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership
More informationRisk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities
Risk Based IT Auditing Master Class Unlocking your World to a Sea of Opportunities The Digital World Information Technology has developed into a nerve center of every organisation. It has become an intrinsic
More informationThe Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory
The Future of IT Internal Controls Automation: A Game Changer January 2018 Risk Advisory Contents Introduction 01 Future Operating Models for Managing Internal Controls 02 Summary 07 Introduction Internal
More informationEffective COBIT Learning Solutions Information package Corporate customers
Effective COBIT Learning Solutions Information package Corporate customers Thank you f o r y o u r interest Thank you for showing interest in COBIT learning solutions from ITpreneurs. This document provides
More informationISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 27 April 2006 Ms. Nancy M. Morris, Secretary
More informationAdministration and Data Retention. Best Practices for Systems Management
Administration and Data Retention Best Practices for Systems Management Agenda Understanding the Context for IT Management Concepts for Managing Key IT Objectives Aptify and IT Management Best Practices
More informationVal-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.
Val-EdTM Valiant Technologies Education & Training Services Workshop for CISM aspirants All Trademarks and Copyrights recognized Page 1 of 8 Welcome to Valiant Technologies. We are a specialty consulting
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationAuditing in an Automated Environment: Appendix B: Application Controls
Accountability Modules Auditing in an Automated Environment: Initials Date Agency Prepared By Reviewed By Audit Program - Application W/P Ref Page 1 of 1 The SAO follows control objectives established
More informationIT Audit Process Prof. Liang Yao Week Two IT Audit Function
Week Two IT Audit Function Why we need IT audit A Case Study What You Can Learn about Risk Management from Societe Generale? https://www.cio.com/article/2436790/security0/what-you-can-learn-about-risk-management-fromsociete-generale.html
More informationThe Minimum IT Controls to Assess in a Financial Audit (Part II)
The Minimum IT Controls to Assess in a Financial Audit (Part II) Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA, is an associate professor of information systems (IS) at the University of Alabama at
More informationSOC Reporting / SSAE 18 Update July, 2017
SOC Reporting / SSAE 18 Update July, 2017 Agenda SOC Refresher Overview of SSAE 18 Changes to SOC 1 Changes to SOC 2 Quiz / Questions Various Types of SOC Reports SOC for Service Organizations (http://www.aicpa.org/soc4so)
More informationSparta Systems TrackWise Digital Solution
Systems TrackWise Digital Solution 21 CFR Part 11 and Annex 11 Assessment February 2018 Systems TrackWise Digital Solution Introduction The purpose of this document is to outline the roles and responsibilities
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More informationCyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationAchieving effective risk management and continuous compliance with Deloitte and SAP
Achieving effective risk management and continuous compliance with Deloitte and SAP 2 Deloitte and SAP: collaborating to make GRC work for you Meeting Governance, Risk and Compliance (GRC) requirements
More informationMapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma
Volume 2, April 2011 Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the discussion area of the COBIT Use It Effectively topic beginning 21 April
More informationCOPYRIGHTED MATERIAL. Index
Index 2014 revised COSO framework. See COSO internal control framework Association of Certified Fraud Examiners (ACFE), 666 Administrative files workpaper document organization, 402 AICPA fraud standards
More informationBusiness Continuity Planning
Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationTable of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3
Table of Contents Preface xiii PART I: IT GOVERNANCE CONCEPTS Chapter 1: Importance of IT Governance for All Enterprises 3 Chapter 2: Fundamental Governance Concepts and Sarbanes Oxley Rules 9 Sarbanes
More informationGlobal Security Consulting Services, compliancy and risk asessment services
Global Security Consulting Services, compliancy and risk asessment services Introduced by Nadine Dereza Presented by Suheil Shahryar Director of Global Security Consulting Today s Business Environment
More informationITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F
ITSM20F_Umang Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0 http://www.gratisexam.com/ Exin ITSM20F IT Service Management Foundation based on ISO/IEC 20000 (ITSM20F.EN) Version:
More informationSAS70 Type II Reports Use and Interpretation for SOX
SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background
More informationSparta Systems TrackWise Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationMastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud
FOR LIVE POGRAM ONLY Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud TUESDAY, AUGUST 9, 2016, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE
More informationMIS 5121: Business Process, ERP Systems & Controls Week 9: Security: User Management, Segregation of Duties (SOD)
MIS 5121: Business Process, ERP Systems & Controls Week 9: Security: User Management, Segregation of Duties (SOD) Edward Beaver Edward.Beaver@temple.edu ff Video: Record the Class Discussion v Something
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationThe Data Catalog The Key to Managing Data, Big and Small. April Reeve May
The Data Catalog The Key to Managing Data, Big and Small April Reeve May 18 2017 April Reeve Thirty years doing data oriented stuff Data Management disciplines Data Integration, Data Governance, Data Modeling,
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More informationTop Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk
Top Reasons To Audit An IAM Program Bryan Cook Focal Point Data Risk Focal Point Data Risk A New Type of Risk Management Firm THE FACTS Born from the merger of three leading security & risk management
More informationSOX/COBIT Framework. and Netwrix Auditor Mapping. Toll-free:
SOX/COBIT Framework and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About SOX All public companies in the U.S. are subject to Sarbanes Oxley (SOX) compliance without exceptions. SOX
More informationMobile: Website:
Sakthiswaran R Mobile: +91 90499 94873 E-mail: sakthishwaran@yahoo.co.in Website: http://www.sakthiswaran.com Summary of Experience & Expertise Over 3+ Years of experience in external Information Systems
More informationFRAUD-RELATED INTERNAL CONTROLS
GLOBAL HEADQUARTERS THE GREGOR BUILDING 716 WEST AVE AUSTIN, TX 78701-2727 USA TABLE OF CONTENTS I. THE NEED FOR INTERNAL CONTROLS Example... 1 Threats to an Organization s Internal Control Environment...
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationRich Powell Director, CIP Compliance JEA
Rich Powell Director, CIP Compliance JEA Review access control requirements CIP-003 and CIP-007 Discuss compliance considerations Implementation Strategies Hints/Tips for audit presentation Account Control
More informationREPORT 2015/149 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results
More informationManaged Security Services - Endpoint Managed Security on Cloud
Services Description Managed Security Services - Endpoint Managed Security on Cloud The services described herein are governed by the terms and conditions of the agreement specified in the Order Document
More informationSparta Systems Stratas Solution
Systems Solution 21 CFR Part 11 and Annex 11 Assessment October 2017 Systems Solution Introduction The purpose of this document is to outline the roles and responsibilities for compliance with the FDA
More informationGeneral Information System Controls Review
General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No. 10-08 Office of the County
More informationSAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010
JAYACHANDRAN.B,CISA,CISM jb@esecurityaudit.com August 2010 SAS 70 Audit Concepts and Benefits Agenda Compliance requirements Overview Business Environment IT Governance and Compliance Management Vendor
More informationVMware vcloud Air SOC 1 Control Matrix
VMware vcloud Air SOC 1 Control Objectives/Activities Matrix VMware vcloud Air goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationCOSO Enterprise Risk Management
COSO Enterprise Risk Management Establishing Effective Governance, Risk, and Compliance Processes Second Edition ROBERT R. MOELLER WILEY John Wiley & Sons, Inc. Contents Preface xi Chapter 1: Introduction:
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationCybersecurity Overview
Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where
More informationWhat Auditors Want. John Mitchell. PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, QiCA, CFE
What Auditors Want 14 th February 2008 John Mitchell PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, QiCA, CFE LHS Business Control Tel: +44 (0)1707 851454 47 Grangewood Fax: +44 (0)1707 851455 Potters
More informationTAKING THE MYSTERY OUT OF IT AUDIT
TAKING THE MYSTERY OUT OF IT AUDIT What Every Non-IT Auditor Should Know and Every IT Auditor Should Be Able To Tell The Presentation Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates The Conference
More informationCOURSE BROCHURE CISA TRAINING
COURSE BROCHURE CISA TRAINING What is CISA? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual within
More informationIT Attestation in the Cloud Era
IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction
More informationPeopleSoft Finance Access and Security Audit
PeopleSoft Finance Access and Security Audit City of Minneapolis Internal Audit Department September 20, 2016 1 Contents Page Background... 3 Objective, Scope and Approach... 3 Audit Results and Recommendations...
More informationDefinition of Internal Control
Definition of Internal Control - To address and limit potential risks - designed, implemented and maintained by those charged with governance to provide reasonable assurance about the achievement of the
More information1Z Oracle Identity Governance Suite 11g PS3 Implementation Essentials Exam Summary Syllabus Questions
1Z0-339 Oracle Identity Governance Suite 11g PS3 Implementation Essentials Exam Summary Syllabus Questions Table of Contents Introduction to 1Z0-339 Exam on Oracle Identity Governance Suite 11g PS3 Implementation
More informationChapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC
Chapter 8: SDLC Reviews and Audit... 2 8.1 Learning objectives... 2 8.1 Introduction... 2 8.2 Role of IS Auditor in SDLC... 2 8.2.1 IS Auditor as Team member... 2 8.2.2 Mid-project reviews... 3 8.2.3 Post
More informationTable of Contents. Policy Patch Management Version Control
Table of Contents Patch Management Version Control Policy... 2 The Patch Management Version Control Process... 2 Policy... 2 Vendor Updates... 3 Concepts... 3 Responsibility... 3 Organizational Roles...
More informationPredstavenie štandardu ISO/IEC 27005
PERFORMANCE & TECHNOLOGY - IT ADVISORY Predstavenie štandardu ISO/IEC 27005 ISMS Risk Management 16.02.2011 ADVISORY KPMG details KPMG is a global network of professional services firms providing audit,
More informationNASDAQ BWISE ACADEMY COURSE CATALOG
NASDAQ BWISE ACADEMY COURSE CATALOG 1 MANUAL TITLE HERE Copyright 2014, The NASDAQ OMX Group, Inc. All Rights Reserved. Q14-NUMBER. DATE TABLE OF CONTENTS 1 NASDAQ BWISE ACADEMY COURSE CATALOG 4 1.1 Introduction
More informationSan Francisco Chapter. What an auditor needs to know
What an auditor needs to know Course Objectives Understand what a data center looks and feels like Know what to look for in a data center and what questions to ask Deepening understanding of controls that
More informationExam Requirements v4.1
COBIT Foundation Exam Exam Requirements v4.1 The purpose of this document is to provide information to those interested in participating in the COBIT Foundation Exam. The document provides information
More informationKey Drivers for Data Security
Security User Management Access Control Data Protection Monitoring Key Drivers for Data Security Regulatory Compliance Sarbanes-Oxley (SOX), Foreign Exchange Instruments and Exchange Law (J-SOX) EU Privacy
More informationOracle Risk Management Cloud
Oracle Risk Management Cloud Release 12 New Feature Summary December 2016 TABLE OF CONTENTS REVISION HISTORY... 3 COMMON TECHNOLOGIES... 4 APPLICATIONS SECURITY... 4 User Account Management... 5 Administrator
More informationNASDAQ BWISE ACADEMY COURSE CATALOG
NASDAQ BWISE ACADEMY COURSE CATALOG 1 MANUAL TITLE HERE Copyright 2014, The NASDAQ OMX Group, Inc. All Rights Reserved. Q14-NUMBER. DATE TABLE OF CONTENTS 1 NASDAQ BWISE ACADEMY COURSE CATALOG 4 1.1 Introduction
More informationUser Guide. Manual. User Guide. Date 10-January Version 2.0
Manual Date 10-January-2017 Version 2.0 1 Contents 1 Authorization Box for Dynamics NAV... 3 1.1 Role Generator... 3 1.2 User Management... 3 1.3 SoD Monitoring... 3 1.4 Incident Management... 3 2 Settings
More informationOpportunities to Integrate Technology Into the Classroom. Presented by:
Opportunities to Integrate Technology Into the Classroom Presented by: Mark Salamasick, CIA, CISA, CRMA, CSP Executive Director of Audit University of Texas System Discussion Topics Internal Audit Textbook
More informationstandards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in
ISO/IEC JTC 1/SC 27/WG 4 IT Security Controls and Services M. De Soete, ISO/IEC JTC 1 SC27 Vice Chair copyright ISO/IEC JTC 1/SC 27, 2014. This is an SC27 public document and is distributed as is for the
More informationVersion v November 2015
Service Description HPE Project and Portfolio Management on Software-as-a- Service Version v2.0 26 November 2015 This Service Description describes the components and services included in HPE Project and
More informationRecords Retention Schedule
Retention Schedule Form C must Record Title Storage 1. Page 18 of 104 106 Category 2: Electronic Data Processing Section 2.1 Automated Applications 2.1.001 38 Automated Files - Processing Files Machine-readable
More informationITIL. Change Manager. ITSM Academy
ITIL V3 Roles and Responsibilities Change Manager 1 About ITSM Academy Certified Woman Owned Business Accredited ITSM Education Provider ITIL Foundation/Bridge, V3 Capability, V2 Practitioner, Service
More informationNASDAQ BWISE ACADEMY COURSE CATALOG
NASDAQ BWISE ACADEMY COURSE CATALOG 1 MANUAL TITLE HERE Copyright 2014, The NASDAQ OMX Group, Inc. All Rights Reserved. Q14-NUMBER. DATE TABLE OF CONTENTS 1 NASDAQ BWISE ACADEMY COURSE CATALOG 4 1.1 Introduction
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationCISA Training.
CISA Training www.austech.edu.au WHAT IS CISA TRAINING? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual
More informationInformation backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013
Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal
More informationBest Practices & Lesson Learned from 100+ ITGRC Implementations
Best Practices & Lesson Learned from 100+ ITGRC Implementations Presenter: Vivek Shivananda CEO of Rsam Dec 3, 2010 ISACA -NY Chapter Copyright 2002 2010 Relational Security Corp. (dba Rsam) Agenda Overview
More informationAutomated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk
Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk Skybox Security Whitepaper January 2015 Executive Summary Firewall management has
More informationTRAINING SEMINAR COURSE OUTLINE October
TRAINING SEMINAR COURSE OUTLINE October 10-12 2016 FACILITATOR S BIOGRAPHY SHAWNA M FLANDERS CRISC, CISM, CISA, CSSGB, SSBB Shawna is the Founder and CEO of Business Technology Guidance Associates, LLC.,
More informationEX0-101_ITIL V3. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0. Exin EX0-101
EX0-101_ITIL V3 Number: 000-000 Passing Score: 800 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Exin EX0-101 ITIL Foundation V 3.0 & ITIL Foundation Version: 8.0 Exin EX0-101 Exam Topic
More informationInternational Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 25 April 2008 International Auditing and Assurance
More informationUniversity Information Technology Data Backup and Recovery Policy
University Information Technology Data Backup and Recovery Policy I. Purpose and Scope A. The purpose of this policy is to document the University of Utah Information Technology (UIT) data backup and recovery
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationISO/IEC overview
ISO/IEC 20000 overview Overview 1. What is ISO/IEC 20000? 2. ISO/IEC 20000 and ITIL 2 BS 15000 BS15000 started in UK and first launched on July 1, 2003. Which was replaced by ISO/IEC 20000 after formal
More informationRethinking Information Security Risk Management CRM002
Rethinking Information Security Risk Management CRM002 Speakers: Tanya Scott, Senior Manager, Information Risk Management, Lending Club Learning Objectives At the end of this session, you will: Design
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationEmbedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere
Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Who is Who? Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant
More informationIdentity Intelligence
Identity Intelligence At the service of Risk & Audit Shlomi Wexler CTO shlomi@whiteboxsecurity.com What Is Identity Intelligence? Who did what? When and where did access occur? Who has access to what?
More information