1. Data Integrity
a. The difficulty of maintaining the integrity of the data is the most significant limitation of
computer-based audit tools
Security controls
    Physical controls (limit who may physically enter the data center; protect the physical
    information assets)
        Physical access controls: keypad devices, card readers, biometric technologies
        (fingerprints, retina patterns, hand geometry)
        Environmental controls:
            1) Temperature and humidity control
            2) Gaseous fire-suppression system (not water)
            3) Data center not located on an outside wall
            4) Building housing the data center not located in a flood plain
    Logical controls (to prevent unauthorized access)
        Access control software
        Passwords and ID numbers
        File attributes can be assigned to control access to and the use of files. Examples
        are read/write, read only, archive, and hidden.
        Access controls have been developed to prevent improper use or manipulation of data
        files and programs.
        A system access log records all attempts to use the system.
        Controlled disposal of documents.
Definitions
    Compatibility test: Ascertains whether a user's code number (ID) is authorized for the
    use to be made of the information (e.g., reading versus updating a given file)
    Access control matrices: The lists or tables of authorized users or devices and the
    access each is permitted
    System access log: Records all attempts to use the system (date and time, codes used,
    mode of access, data involved, operator interventions); the log is only a control if it
    is actually reviewed and failed attempts are followed up
    Encryption: Using an algorithm and a key to transform plaintext into ciphertext that
    cannot be read without the corresponding key
    Controlled disposal of documents: Destroying data (and the media holding them) when they
    are no longer in use
    Automatic log-off: Ends an idle session to prevent the viewing of sensitive data on an
    unattended data terminal
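The system access log entry above lists what such a log records (date and time, codes used, mode of access, data involved). The following is an added example, not part of the original notes, showing the kind of review an auditor would run over that log: it parses a constructed sample of log lines and flags repeated failed attempts under one user code, a success immediately following a run of failures (a possible guessed password), and successful access outside business hours. The field layout, the business-hours window and the failure threshold are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a system access log. Field layout (assumed for this
# example): timestamp | user code | mode of access | data involved | result
SAMPLE_LOG = """\
2024-03-04T08:55:12 U1042 READ  PAYROLL  OK
2024-03-04T09:01:30 U1042 WRITE PAYROLL  OK
2024-03-04T09:03:02 U2210 READ  LEDGER   FAIL
2024-03-04T09:03:20 U2210 READ  LEDGER   FAIL
2024-03-04T09:03:41 U2210 READ  LEDGER   FAIL
2024-03-04T09:04:05 U2210 READ  LEDGER   OK
2024-03-04T23:17:44 U3307 WRITE PAYROLL  OK
2024-03-05T02:40:10 U1042 READ  CUSTOMER OK
"""

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, assumed for this example
FAIL_THRESHOLD = 3              # failed attempts per user code before alerting


def parse_log(text):
    """Parse one record per line into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mode, data, result = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "mode": mode,
            "data": data,
            "result": result,
        })
    return records


def repeated_failures(records, threshold=FAIL_THRESHOLD):
    """User codes with at least `threshold` failed attempts (password guessing)."""
    fails = Counter(r["user"] for r in records if r["result"] == "FAIL")
    return {user: n for user, n in fails.items() if n >= threshold}


def after_hours_access(records, hours=BUSINESS_HOURS):
    """Successful accesses whose hour falls outside the business-hours window."""
    return [
        (r["time"].isoformat(), r["user"], r["mode"], r["data"])
        for r in records
        if r["result"] == "OK" and r["time"].hour not in hours
    ]


def success_after_failures(records, threshold=FAIL_THRESHOLD):
    """User codes that succeeded right after a run of failures: possibly a guessed password."""
    history = defaultdict(list)
    for r in records:                      # records are in time order
        history[r["user"]].append(r["result"])
    flagged = set()
    for user, results in history.items():
        streak = 0
        for res in results:
            if res == "FAIL":
                streak += 1
            else:
                if streak >= threshold:
                    flagged.add(user)
                streak = 0
    return flagged


def review(text):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "repeated_failures": repeated_failures(records),
        "after_hours": after_hours_access(records),
        "success_after_failures": success_after_failures(records),
    }


if __name__ == "__main__":
    for finding, value in review(SAMPLE_LOG).items():
        print(finding, value)
```

On the sample, U2210 is flagged both for three failures and for succeeding straight after them, and the two successful accesses at 23:17 and 02:40 are reported as after-hours; the payroll write at 23:17 is the one an auditor would chase first.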
2. Internet Security
a. Connection to the Internet presents security issues.
1) Thus, the organization-wide network security policy should at the very least include
a) A user account management system
b) Installation of an Internet firewall
c) Methods such as encryption to ensure that only the intended user
receives the information and that the information is complete and accurate
    User account management
        a) New accounts are added correctly and assigned only to authorized users
        b) Old and unused accounts are removed promptly
        c) Passwords are changed periodically, and employees are educated on how to choose a
        password that cannot be easily guessed
    Firewall (separates an internal network from an external network)
        Firewall systems ordinarily produce reports on organization-wide Internet use, unusual
        usage patterns, and system penetration attempts. (These reports are very helpful to
        the internal auditor as a method of continuous monitoring, or logging, of the system.)
    Encryption
        Data traveling across the network can be encoded so that it is indecipherable to
        anyone except the intended recipient
    Authentication
        Authentication measures verify the identity of the user, thus ensuring that only the
        intended and authorized users gain access to the system
    Checksums
        Checksums help ensure the integrity of data by checking whether the file has been
        changed (the current value is recomputed and compared with the last known value).
        A plain checksum detects accidental corruption; against deliberate tampering, where
        the attacker can alter the file and recompute the stored value, a keyed MAC or a
        digital signature is needed.
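The checksum entry above describes integrity checking as comparing a recomputed value with the last known value. The following added example (not from the original notes) performs that comparison with Python's standard library on a constructed data file, and shows the limit of an unkeyed value: once an attacker can rewrite both the file and the stored checksum or hash, the comparison passes, whereas an HMAC computed under a key the attacker does not hold still fails. The file contents and the key are made up for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample content standing in for a data file under audit.
ORIGINAL = b"acct,balance\n1001,250.00\n1002,9800.50\n"
TAMPERED = b"acct,balance\n1001,250.00\n1002,98000.50\n"

# Assumed key, known only to the party doing the checking (in practice loaded
# from a key store, never hard-coded like this).
INTEGRITY_KEY = b"\x13" * 32


def crc32_checksum(data):
    """Classic checksum: fast, catches accidental corruption, trivial to recompute."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_digest(data):
    """Cryptographic hash: collision resistant, but still unkeyed."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data, key=INTEGRITY_KEY):
    """Keyed MAC: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_ok(data, last_known, check=sha256_digest):
    """The check the notes describe: does the current value equal the last known value?"""
    current = check(data)
    if isinstance(current, str):
        return hmac.compare_digest(current, last_known)   # constant-time comparison
    return current == last_known


def attacker_rewrites_stored_values(data):
    """An attacker who can write the file and the stored values simply recomputes the
    unkeyed ones; the HMAC is not reproducible without INTEGRITY_KEY."""
    return {"crc32": crc32_checksum(data), "sha256": sha256_digest(data)}


def demonstrate():
    """Return (accidental, deliberate): whether each check still reports integrity OK."""
    baseline = {
        "crc32": crc32_checksum(ORIGINAL),
        "sha256": sha256_digest(ORIGINAL),
        "hmac": hmac_tag(ORIGINAL),
    }
    # Accidental corruption: stored values untouched, so all three detect the change.
    accidental = {
        "crc32": integrity_ok(TAMPERED, baseline["crc32"], crc32_checksum),
        "sha256": integrity_ok(TAMPERED, baseline["sha256"], sha256_digest),
        "hmac": integrity_ok(TAMPERED, baseline["hmac"], hmac_tag),
    }
    # Deliberate tampering: the attacker also rewrites the stored unkeyed values
    # and, lacking the real key, stores a tag computed under a guessed key.
    forged = attacker_rewrites_stored_values(TAMPERED)
    deliberate = {
        "crc32": integrity_ok(TAMPERED, forged["crc32"], crc32_checksum),
        "sha256": integrity_ok(TAMPERED, forged["sha256"], sha256_digest),
        "hmac": integrity_ok(TAMPERED, hmac_tag(TAMPERED, b"guess"), hmac_tag),
    }
    return accidental, deliberate


if __name__ == "__main__":
    accidental, deliberate = demonstrate()
    print("accidental change reported OK?", accidental)
    print("deliberate tampering reported OK?", deliberate)
```

Under accidental change every check returns False (change detected); under deliberate tampering the CRC and the plain hash return True (fooled) and only the HMAC still returns False. The same reasoning is why the last known value itself must be stored where the party who can change the file cannot write.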
Firewall types
    Packet filtering system: examines each incoming network packet (source and destination
    addresses, ports, protocol) on its own and drops (does not pass on) unauthorized packets
    Proxy server: accepts requests on behalf of internal users and forwards them, so that
    internal addresses are not exposed; it may also maintain copies of web pages to be
    accessed by specified users
    Application gateway: limits traffic to specific applications (protocols) and inspects
    the application-layer content
    Circuit-level gateway: identifies a valid TCP session and relays its traffic without
    inspecting the content
    Stateful inspection: records the state of each connection (e.g., an outbound request
    awaiting its reply) and evaluates each later packet in the context of that connection,
    so that only replies to traffic the internal network initiated are admitted
    * Firewalls do not provide adequate protection against computer viruses. Thus, an
    organization should include one or more antivirus measures in its network security
    policy.
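The difference between a packet filtering system and stateful inspection is easiest to see on actual traffic. The following added example (not code from the original notes) simulates both over a constructed set of packets: an internal client opening a web connection to an outside server, the server's reply, an outsider spoofing that reply, and two inbound connection attempts. The stateless filter can only pass the server's reply by opening every high port; the stateful version admits it because it recorded the outbound SYN, and drops the spoofed packet from an address it never saw. The address prefix and the permitted public service port are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the internal net)


INTERNAL_NET = "10.0.0."   # assumed internal address prefix
PUBLIC_SERVICES = {443}    # inbound destination ports the rules permit (assumed)


def packet_filter(pkt):
    """Stateless packet filtering: decide from this packet's header fields alone."""
    if pkt.direction == "out" and pkt.src.startswith(INTERNAL_NET):
        return "pass"
    if pkt.direction == "in" and pkt.dport in PUBLIC_SERVICES:
        return "pass"
    return "drop"


class StatefulFirewall:
    """Stateful inspection: remember outbound connections, admit only their replies."""

    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> connection state

    def inspect(self, pkt):
        if pkt.direction == "out" and pkt.src.startswith(INTERNAL_NET):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.table[key] = "SYN_SENT"          # new outbound connection
            elif key in self.table and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"       # client completed the handshake
            return "pass"
        if pkt.direction == "in":
            if pkt.dport in PUBLIC_SERVICES:
                return "pass"                         # same rule as the stateless filter
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # look up the reverse flow
            state = self.table.get(key)
            if state == "SYN_SENT" and pkt.flags == "SA":
                return "pass"                         # server's SYN/ACK to our SYN
            if state == "ESTABLISHED":
                return "pass"                         # data on a known connection
        return "drop"


def run_scenario():
    """Constructed traffic; returns the stateless and stateful decisions by packet name."""
    client, server, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    traffic = [
        ("syn_out",      Packet(client, 51000, server, 80, "S", "out")),
        ("synack_in",    Packet(server, 80, client, 51000, "SA", "in")),
        ("ack_out",      Packet(client, 51000, server, 80, "A", "out")),
        ("data_in",      Packet(server, 80, client, 51000, "A", "in")),
        ("spoofed_in",   Packet(outsider, 80, client, 51000, "A", "in")),
        ("https_in",     Packet(outsider, 40000, "10.0.0.9", 443, "S", "in")),
        ("ssh_probe_in", Packet(outsider, 40001, "10.0.0.9", 22, "S", "in")),
    ]
    stateless, stateful = {}, {}
    fw = StatefulFirewall()
    for name, pkt in traffic:
        stateless[name] = packet_filter(pkt)
        stateful[name] = fw.inspect(pkt)
    return stateless, stateful


if __name__ == "__main__":
    for name, (a, b) in zip(*[iter(run_scenario()[i].items()) for i in (0, 1)]):
        print(f"{name:14s} stateless={a[1]:5s} stateful={b[1]}")
```

The stateless filter drops the legitimate SYN/ACK and data packets (destination port 51000 is not a permitted service), which is why plain packet filters end up with rules allowing all inbound traffic to high ports; the stateful table passes them and still drops the spoofed packet and the SSH probe. Real firewalls also time entries out and track sequence numbers, which this simulation omits.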
3. Data Storage
a. Storing all related data on one storage device creates security problems.
1) Greater emphasis on security is required to provide backup and restrict access to
the database.
2) The responsibility for creating, maintaining, securing, and restricting access to the
database belongs to the database administrator (DBA).
7. Privacy
a. Management is responsible for ensuring that an organization’s privacy framework is in
place. Internal auditors’ primary role is to ensure that relevant privacy laws and other
regulations are being properly communicated to the responsible parties.
b. The IIA provides guidance on this topic in Practice Advisory 2130.A1-2, Evaluating an
Organization’s Privacy Framework:
1) “Risks associated with the privacy of information encompass personal privacy
(physical and psychological); privacy of space (freedom from surveillance); privacy of
communication (freedom from monitoring); and privacy of information (collection, use,
and disclosure of personal information by others)” (para. 2).
a) Personal information is information associated with a specific individual.
2) “Effective control over the protection of personal information is an essential
component of the governance, risk management, and control processes of an
organization. The board is ultimately accountable for identifying the principal risks to the
organization and implementing appropriate control processes to mitigate those risks.
This includes establishing the necessary privacy framework for the organization and
monitoring its implementation” (para. 3).