MBAD 7090
Chapter 14: Operational Control Issues
Fall, 2008
IS Security, Audit, and Control (Dr. Zhao)

Slide 1: Outline
- Objectives
- Overview
- Four Key Areas
  - Organizational Controls
  - Data Files and Program Controls
  - Recoverability and Environmental Controls
  - Physical Security Controls
  - Environmental Controls
- An Example
- CoBiT
- Data Center Reviews
- Data Center Key Areas
- Auditing the Call Center
- Class Discussion

Slide 2: Objectives
- Understand the concept of general operational controls
- Four key areas
- Two examples

Slide 3: Overview
- Operational or general controls are those controls that relate to the climate/environment and to global functionality.
- Not application specific
- Information technology and systems are complex, and one general control weakness can have a domino-like impact on the rest of the infrastructure.

Slide 4: Four Key Areas
- Organizational controls
- Data files and program controls
- Recoverability (backup, restart, disaster recovery) and environmental controls
- Physical security and access controls

Slide 5: Organizational Controls
- Standards
- Policies
- Procedures
- Not to do:
  - Lack of use
  - Only prepared for experienced staff
- To do:
  - Be tested periodically
  - Maintain logs of unusual events

Slide 6: Data Files and Program Controls
- File label:
  - Clear and updated
  - Both volume and content
- Library function:
  - An inventory record
  - A procedure: who should be able to access what
- Segregate custodial duties from operation duties

Slide 7: Recoverability and Environmental Controls
- Recoverability
  - Backup/restart
  - Disaster recovery
  - Business continuity
- Environmental
  - Climate
  - Geographic location
  - Fire
  - Contaminants

Slide 8: Physical Security Controls
- Facility access (Who has access to the server closet or router/communications closets?)
- Personnel badges
- Alarms and guards
- Office locks and CPU locks
- Wiring closets (Do they have a wiring diagram? Is it current?)

Slide 9: Environmental Controls
- Possible hazards:
  - Natural disasters
  - Airborne contaminants
  - Static electricity
  - Power surges, blackouts, and brownouts

Slide 10: An Example
General controls for a bank, grouped by area:
- Facility: 1. Security guard; 2. Cameras; 3. Access control w/ badges; 4. Vault; 5. Timers
- Organization: 1. Business strategy; 2. Regulations; 3. Board of directors; 4. Credentials
- Data Files or Programs: 1. Policies; 2. Procedures; 3. Access control; 4. Professional standards; 5. Change control
- Recoverability: 1. DR plan; 2. DR tests

Slide 11: CoBiT
- Delivery & Support Domain
  - DS3: manage performance and capacity
  - DS4: ensure continuous service
  - DS8: assisting and advising information technology customers

Slide 12: Data Center Reviews
- Audit program areas (please see pp. 348-350):
  - Administration of IT Activities
  - Operating Systems Software and Data
  - Computer/Server Operations / Business Resumption and Continuity
  - Security Administration

Slide 13: Data Center Key Areas
- Software and Data Security Controls
- Physical and Environmental Controls
- Data Access Management
- Policy and Procedure
- Data and Software Backup Management
- Other Management Controls

Slide 14: Auditing the Call Center
- In house or outsourced
- Functionality
- If outsourced, security of data
- Metrics/monitoring paramount
- Systems development
- Data integrity and data security
- Physical security and recovery
- Department resources
- Compliance with standards/policy

Slide 15: Class Discussion
You are an internal auditor assigned to perform an operations audit of a data center. On reviewing the operations policy and procedures manuals, you find that the manuals appear to be fairly complete and up-to-date.
Q: Please describe three audit tests you would perform to test whether the manuals are actually used and