Internal Controls & IT General Controls 3 & CDLC

Question 1

What Physical Controls should be considered with a “Computer Center”?

Answer 1

• Computer Center houses main servers and other sensitive IT
• Controlling physical access is high risk
• Purpose is to make it difficult to gain unauth entrance
• Check for physical controls:
  (1) Locked doors
  (2) Cameras
  (3) Monitor incoming traffic
• Electronically, manually, and/or by security guards

Question 2

What Physical Controls should be considered with a “Server Room”?

Answer 2

• Main objective to provide physical access controls at same level as risk and sensitivity, which is very high for servers
  (1) Servers s/b in separate room w/ separate physical controls
• 2nd set of controls
  (2) Have glass walls around server room so auth personnel in the Computer Center could see an unauth person in server room

Question 3

Name the 3 basic InfoSec “triangle”

primary areas of concern:

Answer 3

CIA
(1) Confidentiality
- Data stored and also in transit
- Objective to
ensure confidentiality of systems, processes, and data created, transported and stored
(2) Integrity (data and processing)
- Focus on accuracy and reliability of data, systems and processes that generate it and info produced from data
(3) Availability
- Data avail when needed for business operations

Question 4

What is Authorization vs. Authentication?

Answer 4

Authorization:
- Login credentials and restricts user access
- Authorization controls by themselves not adequate for higher risks
- Hacker can obtain or guess login and if
successful able to gain access to network, but still unauthorized access
Authentication:
- Objective is the person using credentials is who s/he claims to be
- Authentication controls ex: additional credentials,
temporary PINs, security questions, and biometrics (ultimate and control is person (fingerprint))

Question 5

What is Encryption and its 3 characteristics?

Answer 5

• Scrambles data using algorithm to
  prevent translation if intercepted
• Encryption strength is combo of these 3 aspects:
  (1) Methods: public keys, private keys
  (2) Engines: 128, 192, 256-bit (highest)
  (3) Types of authentication: encrypting and decrypting methods

Question 6

What are the 5 Phases in a Control Development Life Cycle (CDLC)?

Answer 6

DIOEM

(1) Design
(2) Implementation
(3) Operational
(4) Effectiveness
(5) Monitoring

Question 7

Under the Control Development Life Cycle (CDLC), what is involved in the “Design” Phase?

Answer 7

Design Phase is 1 (of 5) phases

(1) Begins w/ formal, structured approach to Control Development by mgmt
- Mgmt must ensure expert input consistently applied to the development
- Ensure controls developed as needed and designed effectively
(2) ID controls needed
- ID key business processes associated w/ material items related to financial reporting or critical business processes
- Determine what controls s/b in place to prevent, detect and correct material misstatements
(3) Assess controls for design effectiveness
- Control’s ability to mitigate risk and/or prevent, detect and correct material misstatements, errors or failures related to Policies
(4) Document controls
- Include control objectives, how control operates, and location of entity’s systems and business processes

Question 8

Under the Control Development Life Cycle (CDLC), what is involved in the “Effectiveness” Phase?

Answer 8

• Effectiveness is related to the control objective, likely the mitigation of business or financial reporting risk (RMM)
• Effectiveness also associated w/ consistent application of the control
• Ultimate assurance is a ToC, only perform ToCs if plan to rely on the control
• Cannot rely on control if ITGCs have a SD or MW
• ITGC need to be reliable as a whole before external CITP can rely upon an automated control