Application and Information Access Control by lys51934


Training Module Templates

Information Systems Control Table

The table below lists each key systems control, its definition, and an example of a failure together with the control that addresses it.

Key Systems Control: General Controls
Definition: Controls over data center operations, system software acquisition and maintenance, access security, and application system development. These controls apply to all systems – mainframe, server, and end-user computing environments – and all need to be evaluated.
Example: A travel system has an application control that requires a manager’s approval prior to completing the travel request. If the system’s access security controls are ineffective, a user may be able to masquerade as their own manager in order to defraud the organization.

Key Systems Control: Data Center Operations
Definition: Includes job set-up and scheduling, operator actions, backup and recovery procedures, and contingency or disaster recovery planning. Data center operations controls may also address capacity planning and resource allocation and use.
Example: Complete hardware malfunction results in hard drive failure and loss. The control would be: Data backup occurs nightly, and procedures for temporary transfer of data storage responsibilities to a secondary server are in place.

Key Systems Control: System Software Controls
Definition: System software controls include controls over effective acquisition, implementation and maintenance of system software – the operating system, database management systems, telecommunications software, security software and utilities – which run the system and allow applications to function.
Example: Anti-virus software on an employee’s computer might not contain an up-to-date virus definition file and allow malicious code into the network. The control could be: Virus update execution occurs as part of the computer start-up script and records the latest update in a database, against which weekly reports are run.

Key Systems Control: Access Security Controls
Definition: Access security controls restrict authorized users to only the applications or application functions that they need to do their jobs, supporting an appropriate division of duties.
Example: A user may masquerade as another user to gain applications or permissions that would otherwise be denied to him or her. The control could be: Computer access and applications with client-server architecture utilize Public Key Infrastructure, and thin-client applications comply with information assurance access security policies.

Key Systems Control: Application System Development and Maintenance
Definition: Application system development and maintenance controls include all software development methodology policies, including change control procedures and COTS integration.
Example: An unauthorized change is made to the information system that adversely affects existing controls. The control could be: All system changes require approval from the system program manager and must have impact analyses completed.

Key Systems Control: Application Controls
Definition: Application controls are designed to control application processing. These are automated transaction or process controls.
Example: The disbursing system allows disbursement prior to commitment. Control: The system requires a three-way match before payment is made.
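The table makes one point twice: an application control (the manager approval in the travel system, the three-way match in the disbursing system) is only effective if the general controls underneath it, above all access security, are effective. The following added example is not part of the training module; it implements both application controls in Python so that this dependence is visible. The HR directory, the employee names, the document identifiers and the tolerance value are all constructed for illustration.

```python
"""Added example, not part of the training module: two of the application
controls in the table, written so that their dependence on the access-security
control is visible. Every name, record and identifier here is constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Constructed HR directory (employee -> manager). The approver relationship
# comes from a trusted system of record, never from the request itself.
MANAGER_OF = {"alice": "bob", "bob": "carol", "dave": "bob"}


@dataclass
class TravelRequest:
    request_id: str
    requester: str
    amount: Decimal
    approved_by: Optional[str] = None


def approve_travel(req: TravelRequest, authenticated_user: str) -> bool:
    """Application control: a manager's approval is required.

    `authenticated_user` must come from the access-security layer (session,
    PKI certificate, SSO token). The control is only as good as that identity:
    if a requester can masquerade as their own manager, both checks below
    pass for the wrong person.
    """
    if authenticated_user == req.requester:
        return False  # division of duties: nobody approves their own request
    if MANAGER_OF.get(req.requester) != authenticated_user:
        return False  # approver must be the requester's manager of record
    req.approved_by = authenticated_user
    return True


def approve_travel_weak(req: TravelRequest, claimed_approver: str) -> bool:
    """The same control with ineffective access security: the approver identity
    is whatever the caller claims, so a requester who types in the manager's
    name gets a valid-looking approval recorded. Shown only to make the
    table's point; do not build approvals this way."""
    if MANAGER_OF.get(req.requester) != claimed_approver:
        return False
    req.approved_by = claimed_approver
    return True


@dataclass
class PurchaseOrder:  # the commitment
    po_id: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass
class GoodsReceipt:  # proof of delivery
    po_id: str
    quantity: int


@dataclass
class Invoice:  # the vendor's demand for payment
    po_id: str
    vendor: str
    quantity: int
    amount: Decimal


def three_way_match(po: Optional[PurchaseOrder], receipt: Optional[GoodsReceipt],
                    invoice: Invoice, tolerance: Decimal = Decimal("0.01")) -> List[str]:
    """Return the list of discrepancies; an empty list means payment may proceed.

    Disbursement with no commitment (no purchase order) or before receipt of
    goods is exactly the weakness the table's disbursing-system example names."""
    problems: List[str] = []
    if po is None:
        return ["no purchase order (commitment) on file for " + invoice.po_id]
    if receipt is None:
        problems.append("no goods receipt recorded")
    if invoice.vendor != po.vendor:
        problems.append("invoice vendor differs from purchase order vendor")
    if invoice.quantity > po.quantity:
        problems.append("invoiced quantity exceeds quantity ordered")
    if receipt is not None and invoice.quantity > receipt.quantity:
        problems.append("invoiced quantity exceeds quantity received")
    expected = po.unit_price * invoice.quantity
    if abs(invoice.amount - expected) > tolerance:
        problems.append(f"invoice amount {invoice.amount} differs from expected {expected}")
    return problems


def may_disburse(po: Optional[PurchaseOrder], receipt: Optional[GoodsReceipt],
                 invoice: Invoice) -> bool:
    """Control: the system requires a three-way match before payment is made."""
    return not three_way_match(po, receipt, invoice)
```

The design choice worth noticing is where each function gets its facts from. `approve_travel` takes the approver's identity from the authenticated session and the reporting line from the HR directory, so a requester cannot satisfy the control by filling in a form field; `approve_travel_weak` trusts the claimed name and is defeated by exactly the masquerade the table describes. Likewise `three_way_match` refuses to pass an invoice that has no purchase order or no goods receipt behind it, rather than treating a missing document as "nothing to compare".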

Training Module: Information Systems Control Table v1.0 (1 of 1)
