Theme 1: IT Governance and Audit Methodologies



Similar documents
Cloud Based E-Government: Benefits and Challenges

Managing IT Security with Penetration Testing

Applying Business Architecture to the Cloud

HHSN W 1 QSSI - Quality Software Services, Inc

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR EFFICIENT MIGRATION TO CLOUD COMPUTING IN GOVERNMENT

Cordys Business Operations Platform

Audit Techniques for Service Oriented Architecture Applications

Evaluate the Usability of Security Audits in Electronic Commerce

Risk Considerations for Internal Audit

Highlights & Next Steps

E-Commerce at Wells Fargo. SF IIA/ISACA Presentation

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

CYBER SECURITY, A GROWING CIO PRIORITY

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

1. Introduction to ehealth:

ISV Strategy for Revenue & Customer Growth

Government of India Ministry of Communications & Information Technology Department of Electronics & Information Technology (DeitY)

Data as a Service Virtualization with Enzo Unified

Master of Science in E-Business Department of Management Information Systems College of Business Administration 2013/ /1436

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management

ITIL AS A FRAMEWORK FOR MANAGEMENT OF CLOUD SERVICES

Certified Information Systems Auditor (CISA)

Intel Enhanced Data Security Assessment Form

The Next Generation of Security Leaders

MANAGING USER DATA IN A DIGITAL WORLD

Moving Applications To Cloud

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

The Need for Service Catalog Design in Cloud Services Development

Four Top Emagined Security Services

Working Group on. First Working Group Meeting

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

SD Elements: A Tool for Secure Application Development Management

Introduction...3. Conclusion White paper: IT SECURITY FOR SMART SCHOOLS

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

IT Governance Regulatory. P.K.Patel AGM, MoF

A collaborative approach of Business Intelligence systems

Better Data is Everyone s Job! Using Data Governance to Accelerate the Data Driven Organization

Preface Introduction

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Introduction This contract is intended to provide IT solutions and services as

Cloud Computing Services and its Application

goberlin a Trusted Cloud Marketplace for Governmental and Commercial Services

NIST Cloud Computing Program

Innovative Analysis of a CRM Database using Online Analytical Processing (OLAP) Technique in Value Chain Management Approach

Task Area 1: IT Services for Biomedical Research, Health Sciences, and Healthcare

Business Intelligence

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

HYBRID CLOUDS DEFINING A SUSTAINABLE STRATEGY DR. RAGHU P. PUSHPAKATH KRISHNAKUMAR GOPINATHAN SACHIN KANOTH MADAKKARA

CHAPTER 1 INTRODUCTION

Accelerate Your Enterprise Private Cloud Initiative

Fly. Wealth and Retirement IT Hosting

Strengthen security with intelligent identity and access management

The following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

I D C V E N D O R S P O T L I G H T. H yb r i d C l o u d Solutions for ERP

Executive Brief. Best Practices for Software Selection. Best Practices for Software Selection. July #1 Structured Selection Methodology

Chartis RiskTech Quadrant for Model Risk Management Systems 2014

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

How can Identity and Access Management help me to improve compliance and drive business performance?

PERFORMANCE MANAGEMENT APPROACHES IN ECONOMIC ORGANIZATIONS USING INFORMATION TECHNOLOGY *

Helping organizations secure and govern application services for SOA, Web and the Cloud

IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

SOACertifiedProfessional.Braindumps.S90-03A.v by.JANET.100q. Exam Code: S90-03A. Exam Name: SOA Design & Architecture

FUTURE RESEARCH DIRECTIONS OF SOFTWARE ENGINEERING AND KNOWLEDGE ENGINEERING *

How to Turn the Promise of the Cloud into an Operational Reality

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

HP Service Manager. Software Version: 9.34 For the supported Windows and UNIX operating systems. Processes and Best Practices Guide

Master of Science Service Oriented Architecture for Enterprise. Courses description

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Information Security Management System for Cloud Computing

A discussion of information integration solutions November Deploying a Center of Excellence for data integration.

A STUDY OF OPEN INNOVATION IN CLOUD COMPUTING

BPM Perspectives Positioning and Fitment drivers

Information Security Managing The Risk

Cloud Computing and Standards

An organization properly establishes and operates its control over risks regarding the information system to fulfill the following objectives:

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

VALUE PROPOSITION FOR SERVICE PROVIDERS. Helping Service Providers accelerate adoption of the cloud

A New Way to Compute or: How I Learned to Stop Worrying and Love the Cloud

Domain 1 The Process of Auditing Information Systems

St. George s University

BUSINESS MANAGEMENT SUPPORT

Cybersecurity Implications in the US Chemical Industry. Modernization and Greenfield Opportunities

Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration

Mobile Cloud Computing In Business

Enterprise SOA Strategy, Planning and Operations with Agile Techniques, Virtualization and Cloud Computing

Data Management Emerging Trends. Sourabh Mukherjee Data Management Practice Head, India Accenture

FFIEC Cybersecurity Assessment Tool

Auditing Cloud Computing. A Security and Privacy Guide. Wiley Corporate F&A

IT Product Development & Solution Provider IT Project Management Technology Risk Management Strategy & Services Result & Process Oriented IT Services

Chief School Business Official [29.110]

Cloud, where are we? Mark Potts, HP Fellow, CTO Cloud November 2014

CLOUD COMPUTING SERVICES CATALOG

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

The ICS Approach to Security-Focused IT Solutions

Asset Management for the Public Sector with Total Accountability

Transcription:

Theme 1: IT Governance and Audit Methodologies Recent rapid development of new IT technologies was followed up by an instantaneous integration of them at the organizational level. The management of the enterprises faces a new challenge: structural redefinition of the IT segment in order to create plus value and to minimize IT risks through an efficient management of all IT resources of the organization. These changes have had a significant impact on the governance of the IT departments. (1) Examination of existing auditing methodologies for the IT Governance at the organizational level. (2) The evaluation of existing research references on the risks associated with IT Governance, as a key process in planning the audit mission that allows for the identification of the segments with increased risks. 1. Mirela GHEORGHE, Audit Methodology for IT Governance, Informatica Economica, Vol. 14 No. 1/2010, Issue Topic: Informatics Audit. http://revistaie.ase.ro/53.html 2. G. Hardy, The Role of the IT Auditor in IT Governance, Information Systems Control Journal, 2009. ------------------------------------------- Theme 2: Service Oriented Architecture and Audit Techniques for its Services The Service Oriented Architecture (SOA) approach enables development of flexible distributed services. Auditing such services implies several specific challenges related to interoperability, performance and security. The recherché, analysis and systematization of scientific literature on: (1) Emphasizing the quality attributes and potential risks in SOA applications that an architect should be aware when designing a distributed system; (2) Identifying the key risk factors and models for risk evaluation; (3) The reasons for auditing SOA applications, as well as the most important standards; (4) The steps for a successful audit process. 1. Liviu COTFAS, Dragoş PALAGHIŢĂ, Bogdan VINTILĂ, Audit Techniques for Service Oriented Architecture Applications, Informatica Economica, Vol. 14 No. 1/2010, Issue Topic: Informatics Audit. http://revistaie.ase.ro/53.html 2. Young-Gab Kim, Dongwon Jeong, Soo-Hyun Park, Jongin Lim, and Doo-Kwon Baik. 2007. Modeling and Simulation for Security Risk Propagation in Critical Information Systems. In Computational Intelligence and Security, Yuping Wang, Yiu-Ming Cheung, and Hailin Liu (Eds.). Lecture Notes In Artificial Intelligence, Vol. 4456. Springer-Verlag, Berlin, Heidelberg 858-868. 3. S. Senft and F. Gallegos, Information Technology Control and Audit, 3rd ed., CRC Press, 2009. Theme 3: ebusiness Services and Information Security Auditing ebusiness is different than other business because it involves any commercial or business activities that takes place by means of electronic facilities, including on the Internet, proprietary networks and home banking, instead of through direct physical exchange or contact. This system creates an environment that operates at a much greater speed than traditional methods and involves much less

paper-based evidence of activities. However, the ebusiness related risks should not be considered in isolation but rather as a part of the overall internal control framework of an entity. The recherché, analysis and systematization of scientific literature on: (1) identifying and assessing the risks associated with an ebusiness environment; (2) managerial ebusiness strategies those identify and address risks; (3) ebusiness Information Systems (IS) audit as a critical component of the ebusiness plan; (4) risk analysis for ebusiness applications in order to establish the IS audit particularities in this field. 1. Floarea NĂSTASE, Pavel NĂSTASE, Robert ŞOVA, Information Security Audit in e- business applications, Informatica Economica, Vol. 11 No. 1/2007. http://revistaie.ase.ro/41.html 2. Carlin and F. Gallegos. IT Audit: A Critical Business Process. IEEE Computer, 40(7):87 89, 2007. Theme 4: Auditing Cloud Computing The use of cloud computing is rapidly expanding all over the world at an amazing pace because of its tangible benefits in cost reduction of IT services by obtaining them over the Internet. Possible advantages are quite obvious: ability to reduce capital expenditure, share the services ensuring massive, often seemingly unlimited scalability, the ability to dial up usage or pay as you use and when required, reduce IT related expenses and thereby enhance competitive advantage along with bottom line. In a typical cloud service model, External Service Provider (ESP) offers various IT services to the business, depending on the Service Level Agreement (SLA) and selection of services. Examination, evaluation and systematization of methodical literature on: 1) Risk management - Though cloud computing services have unique advantages, there are critical issues relating to confidentiality, data integrity, security, availability, disaster preparedness, tax implications and other risks. Most of these challenges arise out of loss of physical control over IT assets and services. Internal audit needs to evolve from its traditional passive role of looking at internal control and compliance issues to a proactive role of a strategic value advisor. 2) Role of audit Information System Audit should help in planning and organizing, acquisition and implementation, delivery and support, monitoring and evaluation of technology selection, regulatory compliance, selection and performance of third party service providers and suppliers and contract compliance. Information system audit checks should be used to test confidentiality, data integrity, availability, security, authentication, reliability etc. It should take increasing responsibility and ensure value addition in key strategic domains such as brand protection, mergers and acquisitions, customer relations, cost reduction and revenue maximization, fraud detection, control and prevention, data governance and quality, keeping in pace with rapidly changing business environment and the way business is carried out in a cloud service environment. Audit should focus on value addition by supporting strategic initiatives, providing high quality business insights as an integral part of the process and should also actively involve in continuous monitoring, evaluation and improvement of control environment and regulatory compliance. 3) Tech infrastructure - Important audit concerns are focused on creation and maintenance of a technology infrastructure plan in alignment with IT strategic and tactical plans based on technology direction, contingency arrangement, and direction for acquisition of technology resources. Internal audit should also focus on critical business concerns while adopting a cloud computing strategy such as classification of data on the basis of sensitivity and criticality of business, security issues along with legal and privacy implications, formulation of appropriate cloud policies and procedures, retrieval of data, disaster management and identification of

services which can be depended on the cloud without serious business risk. In nutshell, auditing should evolve as a value adding, assurance providing, consulting activity, based on objective, independent evaluation of control environment, systems and procedures and continuously monitoring for improving governance process and risk management to help the organization accomplish its business objectives. 1. Jeremy Rissi, Sean Sherman, Ben Halpert, Cloud-Based IT Audit Process, book chapter, Ben Halpert book Auditing Cloud Computing - A Security and Privacy Guide, John Wiley & Sons, 2011. 2. S. Pearson, Taking account of privacy when designing cloud computing services, Software Engineering Challenges of Cloud Computing (CLOUD'09), ICSE Workshop on, 23-23 May Vancouver, BC, 2009. Theme 5: eservices Security Audit The eservices security audit target consists of complex applications that function as ebusiness systems. In general such applications are tested from the external perspective. Typical eservices security auditing in different areas: ebanking - The ebanking services audit is applied to typical online banking applications at the application layer. Included by default in the scope of auditing are PIN / TAN (including itan / mtan), HBCI, BTX (also with newer interfaces), common web-based systems, mobile banking. The auditing is performed from all available perspectives (e.g. simulating that the potential attacker would be a client, another bank, employee, contractor, etc.). Applicable areas: o e-banking Services Audit / Anonymous Perspective o e-banking Services Audit / Anonymous & User Perspectives o Fake Services Audit for e-banking o Client System Audit etrading / einsurance / ecommerce / Generic ebusiness - the selected auditing covers the particular aspects of the online trading, online insurance and ecommerce platforms. The audit must cover practically any possible type of online services both internal and external ones: o e-business Services Audit / Anonymous Perspective o e-business Services Audit / Anonymous & User Perspectives o Fake Services Audit for e-business egovernment - the same functional services as for other complex application environments, customized to fit the target selection, with the addition of structuring the procedures and reporting as required by governmental regulations (federal / local state legal and procedural requirements): egovernment Services Audit / Anonymous Perspective egovernment Services Audit / Anonymous & User Perspectives The recherché, analysis and systematization of scientific literature on the above areas of the eservices Security Audit. Theme 6: Auditing IT Service Management The Model comprising six sub-areas: policies and strategies; operation; support; external drivers; user interaction; and

impacts on the external environment. It can be applied in the areas of financial and performance auditing to support comparative evaluations of service management within or across several agencies. Provide a systematic presentation through the recherché and analysis of scientific literature on the above sub-areas, beginning with a review of the risk factors connected with senior management's roles and responsibilities, give examples of the risk factors associated with service management activities, and provide practical examples of potential risk factors and the impacts they might inflict. Typical risk reduction strategies are also need to be described. Theme 7: Auditing by the Delivery of egovernment Services Government information and services are increasingly being made available electronically to citizens and businesses via the Internet. This concept is termed egovernment. The egovernment is a major strategic initiative of the government s information technology (IT) plan. The government s website, is the portal (single electronic access point) through which eservices can be accessed. The government s primary method for developing and maintaining eservices is through a self-funded contract with a third party contractor. The contract focuses exclusively on the government market and has established eservices. An egovernment service is defined as an application, or series of applications, on the Internet that provides a specific service to a citizen or business. The application(s) are interactive and/or transaction based. This means information is collected or provided by the customer and a service is then delivered (a transaction is completed). The goal of an eservice is to provide a start-to-finish solution to the customer. As an example, a citizen seeking a permit or license provides all necessary information, payment is collected, and the state delivers the service including all necessary information and documentation (in this case a permit or license) to the customer. Additional examples are: Web systems that allow customers to enter search criteria and then receive information from those systems; Filling out a tax form and paying taxes online; Purchasing goods and paying for them using an online shopping cart; Any service that accepts an electronic payment using the payment portal. Thus, it is important to audit egovernment services, also known as eservices, regularly. The audit work focuses on the government eservices. The auditing objectives are to: identify the methods used to provide eservices; determine the processes and criteria established to identify, evaluate, and prioritize the development and implementation of eservices; review the methodologies used to determine the fees to pay for the self-funded electronic government services. determine if controls are in place to measure the success of eservices. Perform recherché, assessment and categorization of scientific literature on the above objectives/aspects of the egovernment services auditing. Theme 8: IT auditing software

Auditing Software Specialized programs that perform a variety of audit functions, such as sampling databases and generating confirmation letters to customers and vendors. It can highlight exceptions to categories of data and alert the examiner to possible error. Audit software often includes a non-procedural language that lets the auditor describe the computer and data environment without detailed programming. EDP audit An analysis of an organization's computer and information systems in order to evaluate the integrity of its production systems as well as potential security cracks. EDP auditor A person who performs an EDP audit within an organization. Such individuals analyze the existing systems and procedures using audit software that samples databases and generates confirmation letters. Perform recherché, assessment and categorization of existing or proposed by market auditing software. http://www.theiia.org/itauditarchive/index.cfm?act=itaudit.reflibcategory&catid=7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information