Hardware error > provides information to aid in detecting hardware failures and initiating corrective action.
Database denormalization > increases redundancy.
Normalization > an optimization process for a relational database that minimizes redundancy.
Referential integrity > ensures that a foreign key in one table will equal null or the value of a primary key in the other table.
Cyclical checking > a control technique for the regular checking of accumulated data on a file against authorized source documentation.
Domain integrity > data item has a legitimate value in the correct range or set.
Relational integrity > is performed at the record level and is ensured by calculating and verifying specific fields.
Concurrency controls > prevent data integrity problems.
Access controls > restrict updating of the database to authorized users.
Quality controls such as edits > ensure the accuracy, completeness and consistency of data maintained in the database.
Database integrity > Table link/reference checks ensure the database integrity.
Audit logs > enable recording of all events that have been identified and help in tracing the events.
Querying/monitoring > access time checks help designers improve database performance.
Rollback and roll forward > ensure recovery from an abnormal disruption.
Configuration management is widely accepted as one of the key components of any network.
Topological mappings > provide outlines of the components of the network and its connectivity. Application monitoring is not essential, and proxy server troubleshooting is used only for troubleshooting purposes.
CRC > a check for a block of transmitted data. CRC can detect all single-bit and double-bit errors.
Parity Check (Vertical redundancy check) >
Echo checks > detect line errors.
Screening router / Packet filter > works at the protocol, service and port level. It analyzes traffic at layers 3 and 4.
Circuit gateway > like a proxy, a program that acts as an intermediary between external and internal accesses.
Risk management steps: identification and classification of critical information > identification of threats and vulnerabilities > calculation of potential damages.
Screened-subnet firewall > used as a demilitarized zone. Utilizes two packet filtering routers and a bastion host.
Screened-host firewall > utilizes a packet filtering router and a bastion host.
Atomicity > guarantees that either the entire transaction is processed or none of it is.
Consistency > ensures that the database is in a legal state when the transaction begins.
Isolation > means that, while in an intermediate state, the transaction data are invisible to external operations.
Durability > guarantees that a successful transaction will persist and cannot be undone.
Hardware maintenance program should be validated against vendor specifications. Maintenance schedules normally are not approved by the steering committee. Unplanned maintenance can’t be scheduled.
Library control software > should be used to separate test from production libraries in mainframe and/or client-server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Library control software is concerned with authorized program changes; it would not automatically move modified programs into production and cannot determine whether programs have been thoroughly tested.
Referential integrity > is provided by the foreign key.
Post-incident review > improves internal control procedures.
Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively.
To determine unauthorized changes made to production code, the auditor examines object code to find instances of changes and traces them back to change control records.
Provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance and disposal of systems and infrastructure will meet the organization’s objectives.
PERT chart > will help determine project duration once all the activities and the work involved with those activities are known.
Function point analysis > is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files.
Rapid Application Development > is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality.
Object-oriented system development > is the process of solution specification and modeling.
Completeness check > is used to determine if a field contains data and not zeros or blanks.
Check digit > a digit calculated mathematically to ensure the original data were not altered.
Existence check > checks entered data for agreement to predetermined criteria.
Reasonableness check > matches input to predetermined reasonable limits or occurrence rates.
Functional acknowledgements are standard electronic data interchange (EDI) transactions that tell trading partners that their electronic documents are received.
Base case system evaluation > uses test data sets developed as part of comprehensive testing programs. It is used to verify correct systems operations before acceptance as well as periodic validation.
Redundancy check > detects transmission errors by appending calculated bits onto the end of each segment of data.
Reasonableness check > compares data to predefined reasonability limits or occurrence rates established for the data.
Parity check > a hardware control that detects data errors when data are read from one computer to another.
Check digits > detect transposition and transcription errors.
CMMI level 5 > Continuous improvement
CMMI level 4 > Optimizing, quantitative quality goals
CMMI level 3 > Documented process
Prototype system > provides significant time and cost savings. It also has several disadvantages: poor internal controls, change control becomes much more complicated, and it often leads to functions or extras being added.
Sanitized live transaction > test data will be representative of live processing.
Timebox management > by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and rapid application development (RAD) and integrates system and user acceptance testing.
Waterfall life cycle model > best suited to the stable conditions where requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
Top-down approach to testing > ensures that interface errors are detected early and that testing of major functions is conducted early.
Bottom-up approach to testing > begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place.
1. Evaluate the effectiveness of IT governance structure
2. Evaluate the IT organizational structure & human resource
3. Evaluate the IT strategy and process
4. Evaluate the organization’s IT policies, standards, procedures and processes
5. Evaluate management practices
6. Evaluate IT resource investment, use and allocation practices
7. Evaluate IT contracting strategies and policies and contract management practices
8. Evaluate risk management practices
9. Evaluate monitoring and assurance practices
15 Knowledge statements:
Fundamentally, IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.
IT governance is the management system used by directors.
IT governance is the responsibility of the board of directors and executive management.
IT resources should be used responsibly, and IT-related risks should be managed appropriately.
This high-value goal can be achieved by aligning IT governance framework with best practices.
The key IT governance practices are IT strategy committee, risk management and IT balanced scorecard.
IT governance is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes.
How enterprises govern IT is described in terms of focus areas: strategic alignment, value delivery, resource management, risk management and performance measurement.
IT Governance Focus Area: Strategic alignment, Value delivery, Risk management, Resource management, Performance measurement.
The board of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed, it is said to be “managed & measurable”.
Cross-training is a process of training more than one individual to perform a specific job or procedure.
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot be or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.
IT Governance Frameworks:
Control Objectives for Information and related Technology (COBIT): a framework that ensures IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately.
ISO/IEC 27001 (ISO 27001): guidance to organizations implementing and maintaining information security programs.
ITIL: a framework with hands-on information regarding how to achieve successful operational service management of IT.
IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs: detecting and combating security weak points in the IT environment.
Information Security Management Maturity Model (ISM3): a maturity model for information security management.
ISO/IEC 38500:2008: corporate governance of information technology.
The continual monitoring, analysis and evaluation of metrics associated with IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives.
Aspects of IT governance that need to be assessed:
• Alignment of the IS function with the organization’s mission, vision, values, objectives and strategies.
• Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function.
• Legal, environmental, information quality, fiduciary, security, and privacy requirements.
• The control environment of the organization.
• The inherent risks within the IS environment.
The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes.
The BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction.
Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.
To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat. Impacts represent the outcome or result of a threat exploiting a vulnerability.
Enterprise architecture (EA) involves documenting the organization’s IT assets and processes in a structured manner to facilitate understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or from a business process perspective.
The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business.
IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired. Centralizing control of IT is not always desired.
IT governance maturity model:
0 Non-existent > management processes are not applied at all
1 Initial > processes are ad hoc and disorganized
2 Repeatable > processes follow a regular pattern
3 Defined > processes are documented and communicated (lowest level of the maturity model)
4 Managed > processes are monitored and measured
5 Optimized > best practices are followed and automated
Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.
Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects.
It is critical that an independent security review of an outsourcing vendor be obtained.
A definition of key performance indicators is required before implementing an IT balanced scorecard.
Accountability cannot be transferred to external parties.
The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.
Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and contracts and SLAs are mechanisms of risk allocation.
Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization’s broader plans for attaining their goals.
Assessment methods provide a mechanism, whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include IS budgets, capacity and growth planning, industry standards/ benchmarking, financial management practices, and goal accomplishment. Quality management is the means by which the IS department processes are controlled, measured and improved. Management principles focus on areas such as people, change, processes and security. Industry standards/benchmarking provide a means of determining the level of performance provided by similar information processing facility environments.