IT Audit - IT Environment


Technology and Security

Risk Services

Session 2
IT Environment

for Universitas Padjadjaran


IS Audit – S1 Accounting
IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. General Computer Control Review (2)
6. General Computer Control Case Study
7. Public Lecture (Kuliah Umum)
8. Mid-semester Exam
9. Application Control Review
10. Data Analysis Approach
11. IT Audit Integration
12. Application Control Case Study
13. IT Security
14. IT Risk Management & IT Governance
15. ERP Systems
16. Final Exam

Learning objectives

• Gain an understanding of the importance and role of IT for the business
• Understand the IT organization and its requirements
• Introduce the students to:
  – The concepts of hardware, operating systems, networks, data communication, the Internet and data centers
  – The risks and controls associated with them, and
  – The basic audit/review aspects and considerations of the above concepts

Role of IT for the business

Examples of IT in the business

• Accounting systems
• Payroll systems
• Production planning systems
• Inventory management systems
• Network
• Document scanning, printing, digital storing
• Email, Internet

Examples of IT in the business

• How is information technology used in organizations? Give examples.

Elements of Information Technology

• Software
– Business applications
– Office applications
– Spreadsheets, databases, etc.
• Hardware
– PCs/workstations
– Terminals
– Servers
– Network equipment (hub, switch, router, etc.)
– Printers, scanners, etc.

Elements of Information Technology

• Support tools
– System development tools
– Change Management tools
– Helpdesk software
– Security software (firewall, anti-virus software, etc.)

What Matters to CEOs?
1. Maximizing shareholder value
2. Protecting the market position of the company

Therefore they want IT to:
• Enable/facilitate the business' strategy
• Deliver ROI
• Enhance competitive advantage
• Deliver quality while minimizing risk
• Achieve compliance goals

CFO IT Perspectives

• 49% of CIOs report to the CFO (29% to the CEO)
• Technology expertise is considered the most important skill after financial expertise (44% of responses)
• IT training is the first priority for developing accounting staff (52%)
• 82% of CFOs say accounting departments have become more involved in technology initiatives
• Responsibilities outside the scope of traditional financial functions will occupy 37% of a senior accountant's time in five years

Source: RHI Management Resources / FEI-CSC Surveys

Changing Role of CFOs

Survey responses on how the CFO's role is changing (shown as a pie chart in the original):
• Greater role in technology and information systems initiatives: 39%
• More strategic planning and decision making: 26%
• Increased interaction with other departments: 16%
• Expanded leadership and management role: 14%
• Other/don't know: 5%

Source: RHI Management Resources Survey

IT Priorities for CFOs

Shown as a bar chart in the original, with series for 1999, 2000 and 2001; the percentages labelled on the chart:
A. Identifying the appropriate level of IT investment: 61.2%
B. Prioritizing technology investments: 55.3%
C. Identifying how IT can improve or influence business processes: 53.3%
D. Determining the appropriate use of eCommerce: 32.4%

Source: FEI-CSC Survey

Management Challenges

• 30% of businesses are unable to determine their return on technology investments
• 61% do not have a written strategic plan for information systems
• Only 23% of those with plans believe them to be fully aligned with the business strategy

Source: FEI-CSC Survey

Business Requirements on IT

• Confidentiality
• Integrity and Reliability
• Availability
• Effectiveness and Efficiency
• Compliance

Impact of IT on the Business

• Software implementation failures leading to process failure and financial and reputational loss
• Lack of valid information required to make business decisions
• Lack of security resulting in financial and reputational loss
• Hardware failure leading to inability to process transactions and/or trade effectively
• Legislative implications of non-compliance

Possible Results

• Restatement of accounts
• Bankruptcy
• Falling share price
• Poor financial performance
• Bad publicity
• Customer dissatisfaction

Top 10 IT Issues
1. Strategy – prioritizing technology investments
2. Budgeting – identifying appropriate investment level
3. Efficiency – evaluating/measuring return on technology
4. Security – confidentiality/integrity/reliability of data
5. Continuity – securing the availability of information
6. eCommerce – re-volution to e-volution
7. Project Management – high price of implementation failure
8. ERP – pros and cons of integrated software
9. Outsourcing – trusting your business to third parties
10. Regulation – legislation compliance (e.g., data privacy)

Organization of IT for the business

Responsibility of IT Management

Where can you find the IT organization in a company?
• Finance manager (no specific IT manager)
• IT Manager, reporting to the Finance Manager
• IT Manager or CIO, reporting to the CEO
• CIO and IT Manager

Responsibilities in IT Management

• System development: development and implementation of new information systems
• Application management
• Network management
• Helpdesk/user support
• Project management

Types of IT organizations
Small IT organization (1-5 people)

Org chart in the original:
CEO/PresDir
  ├─ Marketing
  ├─ Finance
  ├─ Production
  └─ Head of IT
       ├─ Application management and support
       └─ Network (hardware) management

Types of IT organizations
Medium size IT organization (5-50 staff)

Org chart in the original:
CEO/PresDir
  ├─ Marketing
  ├─ Finance
  ├─ Production
  └─ IT Department
       ├─ System Development
       │    ├─ Programmers
       │    └─ Information analysts
       ├─ Infrastructure management
       │    ├─ Network management
       │    ├─ Hardware management
       │    └─ Telecommunication management
       ├─ Application management
       │    ├─ Database Manager
       │    ├─ Office application management
       │    └─ Business application management
       └─ Helpdesk

Organizational requirements for IT
departments
• Position in the organization
• Segregation of duties
• Screening and hiring
• Staff skills and development (training)

Hardware

Hardware (Content)

• Hardware architecture
• Hardware components
• Risks and Controls
• Hardware Review/audit techniques

Hardware …
Hardware architecture
Classes
• Large (mainframe)
  – IBM S/360, S/370, S/390, z900
  – Unisys NX4801-21
  – Bull, Fujitsu
• Medium (minicomputer)
  – IBM S/36, S/38, AS/400 (iSeries), RS/6000
  – DEC VAX
  – HP 3000 series, Bull
• Small (microcomputer)
  – IBM PC compatible

Hardware …
Hardware components
• Processors
• Storage: floppy disk (FDD), hard disk, CD-ROM, magnetic tape, microfilm
• Input/output devices
  – Input: keyboard, POS terminals, barcode readers, mouse, stylus, scanner
  – Output: printer, monitor, plotter
• Communication and networking devices: modems, routers, switches and hubs, NIC

Hardware …
Risks and controls

Risk                  Controls
Failures              Environmental controls (humidifiers, AC, UPS, surge protector); monitoring and maintenance
Theft, vandalism      Physical access controls
Disasters             Backup; avoid flammable materials (incl. printers)
Under/over capacity   Capacity planning

Hardware …
Hardware review/audit techniques
• Physical controls
• Environmental controls
• Hardware capacity management
– CPU, I/O, terminal, telecommunication, bandwidth and storage utilization
– Number of users
– New technologies, applications
– Service level agreements
• Hardware monitoring
– Hardware error reports
– Availability reports
– Utilization reports
• Hardware acquisition plan & maintenance
– Information processing requirements, Hardware requirements, System software requirements,
Support and maintenance requirements.

Operating Systems

Operating Systems (Content)

• Operating system tasks
• Major operating systems
• Operating system software risks and controls
• Operating system review/audit techniques
• Operating system audit tools

Operating Systems …
Operating system tasks
• Permits users to share hardware and data
• Schedules resources among users
• Informs users of any errors that occur with the processor, I/O or programs
• Recovers from system errors
• Handles communication between the O/S and application programs, allocating memory to processes and releasing it when a process completes
• System file and system accounting management

Operating Systems …
Major operating systems
• Mainframe
  – MVS, Unisys, etc.
• Midrange/minicomputers
  – OS/400, VMS, Unix, SunOS, etc.
• Microcomputers
  – Unix, Windows NT, Windows 2000, Novell NetWare, OS/2, MacOS, DOS, Linux

Operating Systems …
Risks and Controls

Risk                                Controls
Unauthorized access                 Strong security management (including user rights and password controls management); separation of duties
Poor logging and audit trails       Auditor's involvement in the requirement and design phase; periodic review of logs
Incompatibility with applications   Change management

Operating Systems …
Review/audit techniques
• System software selection procedures
  – Address the IS and business plan, meet control requirements, feasibility study, cost-benefit analysis
• Installation controls
  – Written plan for installation, documentation, identification before being placed into production
• Maintenance activities
• Change controls for system software
  – Access limitation to the program library; changes are documented and tested
• Systems documentation
• Licensing
  – Protect against the possibility of penalties
  – Protect from public embarrassment
• Security parameters (special functions, passwords)
• Audit and logging

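The security-parameter review listed above (password settings, special accounts, dormant users) is the kind of check an IS auditor usually scripts rather than reads off the screen. The following is an added example written for this page, not a tool from the original slides: it compares a constructed extract of a host's password policy and a constructed account list against an agreed baseline and returns the exceptions. The parameter names (loosely modelled on login.defs-style settings), the baseline thresholds, the accounts and the review date are all assumptions made for illustration.

```python
"""Added example: scripted review of OS security parameters and accounts.

Not from the original slides. The parameter names, the baseline
thresholds, the sample accounts and the review date are assumptions made
for illustration, loosely modelled on login.defs-style settings.
"""
from datetime import date

# Baseline the auditor agreed with management (assumed values).
BASELINE = {"min_len": 8, "max_days": 90, "max_retries": 5, "dormant_days": 90}

# Constructed "as of" date for the review.
REVIEW_DATE = date(2024, 5, 3)

# Constructed extract of a host's password policy. Every value is weak.
SAMPLE_POLICY = {
    "PASS_MIN_LEN": 6,       # shorter than the baseline
    "PASS_MAX_DAYS": 99999,  # passwords never expire
    "LOGIN_RETRIES": 0,      # no lockout after failed logons
    "INACTIVE_DAYS": -1,     # inactive accounts are never disabled
}

# Constructed account list: uid 0 means full administrative rights.
SAMPLE_ACCOUNTS = [
    {"name": "root",   "uid": 0,    "has_password": True,  "shared": False, "last_login": date(2024, 5, 1)},
    {"name": "backup", "uid": 0,    "has_password": True,  "shared": False, "last_login": date(2024, 4, 20)},
    {"name": "guest",  "uid": 1001, "has_password": False, "shared": True,  "last_login": None},
    {"name": "jdoe",   "uid": 1002, "has_password": True,  "shared": False, "last_login": date(2023, 9, 1)},
    {"name": "asmith", "uid": 1003, "has_password": True,  "shared": False, "last_login": date(2024, 5, 2)},
]


def review_policy(policy, baseline=BASELINE):
    """Return one finding per policy parameter that misses the baseline."""
    findings = []
    min_len = policy.get("PASS_MIN_LEN", 0)
    if min_len < baseline["min_len"]:
        findings.append(f"PASS_MIN_LEN is {min_len}, baseline requires {baseline['min_len']}")
    max_days = policy.get("PASS_MAX_DAYS", 99999)
    if max_days > baseline["max_days"]:
        findings.append(f"PASS_MAX_DAYS is {max_days}, baseline requires at most {baseline['max_days']}")
    retries = policy.get("LOGIN_RETRIES", 0)
    if retries == 0 or retries > baseline["max_retries"]:
        findings.append(f"LOGIN_RETRIES is {retries}: no effective lockout against password guessing")
    inactive = policy.get("INACTIVE_DAYS", -1)
    if inactive < 0 or inactive > baseline["dormant_days"]:
        findings.append(f"INACTIVE_DAYS is {inactive}: inactive accounts are not disabled automatically")
    return findings


def review_accounts(accounts, today, baseline=BASELINE):
    """Return findings on privileged, shared, passwordless and dormant accounts."""
    findings = []
    admins = [a["name"] for a in accounts if a["uid"] == 0]
    if len(admins) > 1:
        findings.append(f"multiple accounts with uid 0: {', '.join(admins)}")
    for a in accounts:
        if not a["has_password"]:
            findings.append(f"{a['name']}: no password set")
        if a["shared"]:
            findings.append(f"{a['name']}: shared account, no individual accountability")
        if a["last_login"] is None:
            findings.append(f"{a['name']}: never logged in, candidate for removal")
        elif (today - a["last_login"]).days > baseline["dormant_days"]:
            idle = (today - a["last_login"]).days
            findings.append(f"{a['name']}: dormant, last login {idle} days ago")
    return findings


if __name__ == "__main__":
    for line in review_policy(SAMPLE_POLICY) + review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print("FINDING:", line)
```

Each finding maps to a control in the table above: the lockout and expiry parameters are the "password controls management" control, the second uid 0 account and the shared guest account are separation-of-duties and accountability issues, and the dormant account is what the "periodic review" control is meant to catch. On a real host the extract would come from the system's own configuration and account store, and the auditor should take it directly rather than accept a screenshot from the administrator.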
Operating Systems …
O/S audit tools
• AS/400
  – PentaSafe
• Windows NT
  – Systems Scanner, Kane Security Analyst (KSA), NMAP for NT, Retina, BindView
• UNIX
  – COPS (Computer Oracle and Password System), Tripwire, NMAP, PC-Unix Audit

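Tripwire, listed above for UNIX, works by keeping a digest of each system file from a known-good state and reporting every later difference, which is also how the "changes are documented and tested" control for system software can be verified. The following is an added example that shows the idea; it is not the Tripwire tool and not code from the original slides. The file paths, their contents and the approved-change record are constructed for illustration.

```python
"""Added example: a Tripwire-style file integrity check.

Not the Tripwire tool itself, just the idea behind it, written for this
page. A baseline of SHA-256 digests is taken while the system software
is in a known-good state; a later snapshot is compared to it, and every
difference is reconciled against the approved change records. The file
paths, contents and change records are constructed for illustration.
"""
import hashlib


def digest(content):
    """SHA-256 of a file's bytes; a change of even one byte changes the digest."""
    return hashlib.sha256(content).hexdigest()


def take_baseline(files):
    """Map each path to its digest. `files` is {path: bytes}."""
    return {path: digest(content) for path, content in files.items()}


def compare(baseline, current_files):
    """Classify every difference between the baseline and a later snapshot."""
    current = take_baseline(current_files)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def reconcile(report, approved_paths):
    """Changes with no approved change record are the audit exceptions."""
    changed = report["added"] + report["removed"] + report["modified"]
    return sorted(p for p in changed if p not in approved_paths)


# Constructed trusted snapshot taken after the last approved installation.
TRUSTED = {
    "/bin/login": b"ELF login 1.0",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}

# Constructed later snapshot: /bin/login has been replaced, /etc/sudoers
# was extended under an approved change, and a new binary has appeared.
LATER = {
    "/bin/login": b"ELF login 1.0 plus unexpected bytes",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\nops ALL=(ALL) ALL\n",
    "/usr/local/bin/helper": b"ELF helper",
}

# Constructed change records: only the sudoers edit was approved.
APPROVED = {"/etc/sudoers"}


if __name__ == "__main__":
    report = compare(take_baseline(TRUSTED), LATER)
    print("report:", report)
    print("exceptions:", reconcile(report, APPROVED))
```

The value of the check depends entirely on where the baseline lives: if the digest database is stored writable on the same host, whoever replaced /bin/login can rewrite the baseline too, so it belongs on read-only or offline media, which is also what an auditor should ask to see.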
Network

Network & telecommunication
infrastructure
• Network Eras
• Network architecture
• Data Communication
• Network Protocols
• Transmission media
• Local area network and Wide Area Network
• Risks and controls
• Audit and Evaluation Techniques

Network infrastructure …
Network Eras
• ERA 1: Mainframe networks (1965-1975)
• ERA 2: Minicomputer networks (1975-1985)
• ERA 3: Shared-bandwidth LANs (1985-1995)
• ERA 4: Switched LANs (1995- )

Network Eras …
Mainframe networks
• Groups of terminals attached to cluster controllers
• Controllers were connected to the front-end processor through point-to-point cables (for local connections) or leased telephone lines (for remote connections)

Network Eras …
Minicomputer networks
• Terminals connected directly to a port on the mini
• Statistical multiplexers provided wide-area line sharing and error protection
• Data PBXs were central to many networks, allowing terminal users to select computers and contend for expensive computer ports

Network Eras …
Shared-bandwidth LANs
• LAN-based network operating systems emerged
• Shared bandwidth: PCs and other devices were attached to a single Ethernet segment or a single token ring

Network Eras …
Switched LANs
• The rapid growth in the power of PCs (servers), which can handle throughput rates significantly higher than shared Ethernet or token ring provides
• Data represented through images rather than text
• Emergence of the World Wide Web, document imaging, medical radiology, CAD, video training and pre-press editing (all requiring large amounts of bandwidth)

Network architecture

• Bus configuration
• Ring configuration
• Star configuration
• Mesh configuration

Network architecture …
Bus configuration

Advantages
• Reliable in very small networks
• Easy to use and understand
• Requires less cable, so less expensive
• Easy to extend
• A repeater can be used to extend the configuration

Disadvantages
• Heavy network traffic can slow performance
• Each connection between two cables weakens the electrical signal
• Difficult to locate network errors; difficult to troubleshoot

Network architecture …
Ring configuration

Advantages
• Every computer is given equal access, since a token is passed around the ring indicating authorization to transmit
• The network degrades gracefully

Disadvantages
• Failure of one computer in the network can affect the whole network
• Difficult to troubleshoot
• Adding or removing computers can disrupt the network

Network architecture …
Star configuration

Advantages
• Easy to modify and add new computers
• The center of the star is a good place to diagnose network problems
• Single computer failures do not bring down the network
• Several cable types can be used in the configuration

Disadvantages
• If the central hub fails, the whole network ceases to function
• Requires a device at the center to rebroadcast or switch network traffic
• More cable is required than in a bus configuration

Network architecture …
Mesh configuration

Advantages
• Fault tolerant
• Easy to diagnose problems
• Guaranteed channel capacity

Disadvantages
• Difficult to install and reconfigure, since there is a connection with every machine on the network
• High cost of installation

Telecommunication infrastructure…
Data communication
• Simply put, it involves the transmission of speech and/or data between two connected devices.
• Data communications describes the use of protocols (rules) and specific equipment to coordinate and facilitate the successful transmission and receipt of data between source and destination.

Telecommunication infrastructure…
Network protocols
Protocols are the set of rules for the packaging and transmission of data.

Examples:
– Transmission Control Protocol/Internet Protocol (TCP/IP)
– Virtual Telecommunications Access Method (VTAM)
– IPX/SPX
– AppleTalk
– PPP (Point-to-Point Protocol), X.25

Telecommunication infrastructure…
Transmission media
• Copper (twisted pair) circuits
• Coaxial cables
• Fiber optic systems
• Radio systems
• Microwave radio systems
• Satellite radio link systems

Telecommunication infrastructure…
LANs and WANs
• LANs
  – Within buildings or departments
  – Digital signals used
  – Computer-to-computer transmission
  – Use high-quality cables

• WANs
  – Spread over multiple sites
  – Require the use of special communications hardware
  – May use public long-distance communications links
  – Tend to be more complex than LANs

Telecommunication infrastructure…
Network risks and controls

Risk                                  Controls
Unauthorized access (incl. tapping)   Encryption; access controls
Performance degradation               Performance monitoring: response time reports, downtime reports, online monitors (echo checking), help desk reports
Remote access and dial-up             Call-back facility
Viruses, trojans                      Anti-virus software with forced updates; clear policy; Astalavista.box.sk

Telecommunication infrastructure…
Audit and evaluation techniques
• LAN review
  – Physical security
    • Observe the LAN and transmission wiring closet and the server location; test access keys
  – Environmental controls
    • Surge protector, air conditioning, humidity, power supply, backup media protection, fire extinguisher
  – Logical security
    • Interview the LAN admin, penetration test, search for written-down passwords, test the automatic log-off period, review dial-up connections

Internet
• What is the Internet
• Why use the Internet
• The risks of the Internet
• How to control Internet use
• What is a firewall
• How a firewall works
• What a firewall can do
• What a firewall can't do

What is the Internet?

• The world's largest computer network
• Based on the TCP/IP protocol suite
• Links universities, governments, companies, etc.
• Large international presence: more than 170 countries

Why Use the Internet?

• Provides cost-effective communication for:
  – eCommerce
  – Electronic mail (SMTP)
  – Remote terminal access (Telnet)
  – File transfer (FTP)
• Good information source
  – World Wide Web access (HTTP)

The Risk of the Internet

• Perhaps the biggest risk... you. You don't know who is out there!
• Because the Internet is so convenient to use, security implications are often overlooked
  – Possible network 'backdoor' connections open to hackers
  – Viruses from downloaded software (e.g. screensavers)
  – Disclosure of sensitive info (e.g. credit card numbers)

How to Control Internet Use?

• Develop policies to define acceptable usage
  – Personal use
  – Business use (e.g. encrypting messages to business partners)
• Educate users on Internet risks
• Use of 'firewalls'

What is a Firewall?

• A firewall is a combination of hardware and software that enforces an existing network access policy
• Prevents unauthorized traffic into and out of a secured network
• It restricts people to entering at a carefully controlled point
• It keeps attackers from getting close to other network security defenses

How a Firewall Works

Diagram in the original: the Local Area Network (including the mainframe/legacy systems) and the Wide Area Network sit behind a firewall gateway; all traffic to and from the Internet passes through that gateway, and rejected external traffic is dropped at the firewall.

What can a Firewall Do?

• A firewall is a focus for security decisions. Think of a firewall as a choke point: all traffic in and out must pass through this single checkpoint, or "gateway".
• A firewall can enforce security policy. Many of the services that people want from the Internet are inherently insecure. A firewall acts as the traffic cop for these services.

What can a Firewall Do? (Cont'd)

• A firewall can effectively log Internet activity. Because all traffic passes through the firewall gateway, it is a good place to collect information about system and network use... AND misuse.
• A firewall reduces external network exposure. It can also be used to keep sections of a network separate from other sections.
  – e.g. preventing certain employees from attaching documents to e-mails

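The three points above (a single choke point, policy enforcement, and logging of misuse) fit in a few dozen lines once the policy is written down as rules. The following is an added example written for this page, a simulation rather than a real firewall and not code from the original slides: rules are checked top to bottom, the first match decides, anything that matches no rule is dropped and logged (default deny), and a small log-review function does the "periodic review of logs" control from the operating systems section. The policy, the addresses, the port numbers and the sample traffic are constructed.

```python
"""Added example: a packet filter applying a network access policy at
one choke point, with default deny and logging of rejected traffic.

A simulation written for this page, not a real firewall and not code
from the original slides. Rules are evaluated top to bottom and the
first match decides; traffic matching no rule is dropped and logged.
The policy, addresses, ports and sample traffic are constructed.
"""
import ipaddress
from collections import Counter

# Policy rows: (action, direction, source net, destination net, protocol, destination port).
# Constructed for a site with a mail relay at .10 and a web server at .20.
POLICY = [
    ("allow", "in",  "0.0.0.0/0",      "192.168.1.10/32", "tcp", 25),   # SMTP to the mail relay only
    ("allow", "in",  "0.0.0.0/0",      "192.168.1.20/32", "tcp", 80),   # HTTP to the web server only
    ("allow", "out", "192.168.1.0/24", "0.0.0.0/0",       "tcp", 80),   # users may browse out
    ("allow", "out", "192.168.1.0/24", "0.0.0.0/0",       "tcp", 443),
    ("deny",  "out", "192.168.1.0/24", "0.0.0.0/0",       "tcp", 23),   # cleartext telnet out is forbidden by policy
]


def matches(rule, pkt):
    """True when the packet falls inside every field of the rule."""
    _, direction, src_net, dst_net, proto, dport = rule
    return (direction == pkt["dir"]
            and proto == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst_net)
            and dport == pkt["dport"])


def filter_packet(policy, pkt, log):
    """Return 'allow' or 'deny'; rejected packets are appended to the log."""
    for rule in policy:
        if matches(rule, pkt):
            if rule[0] == "deny":
                log.append(("deny", pkt))
            return rule[0]
    log.append(("default-deny", pkt))   # no rule matched: the safe default
    return "deny"


def run(policy, packets):
    """Filter a sequence of packets; return the verdicts and the reject log."""
    log = []
    return [filter_packet(policy, p, log) for p in packets], log


def review_log(log, threshold=3):
    """Periodic log review: sources rejected at least `threshold` times."""
    counts = Counter(pkt["src"] for _, pkt in log)
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic, one connection attempt per entry.
SAMPLE_TRAFFIC = [
    {"dir": "in",  "proto": "tcp", "src": "203.0.113.5",  "dst": "192.168.1.10", "dport": 25},
    {"dir": "in",  "proto": "tcp", "src": "203.0.113.5",  "dst": "192.168.1.20", "dport": 80},
    {"dir": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.20", "dport": 22},
    {"dir": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 3389},
    {"dir": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "192.168.1.30", "dport": 445},
    {"dir": "out", "proto": "tcp", "src": "192.168.1.55", "dst": "203.0.113.9",  "dport": 23},
    {"dir": "out", "proto": "tcp", "src": "192.168.1.55", "dst": "203.0.113.9",  "dport": 443},
]


if __name__ == "__main__":
    verdicts, log = run(POLICY, SAMPLE_TRAFFIC)
    for pkt, verdict in zip(SAMPLE_TRAFFIC, verdicts):
        print(verdict, pkt)
    print("sources to investigate:", review_log(log))
```

Two things the simulation makes visible. The outside host probing ports 22, 3389 and 445 never matched an allow rule, so it was dropped by the default and shows up in the log review with three rejections; that is the "misuse" the log is for. And the filter only ever sees the packets handed to `run`: a modem or dial-up link on a workstation never appears in `log` at all, which is the "connections that don't go through it" limitation on the next slides.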
What can't a Firewall Do?

• A firewall can't protect you against malicious insiders. If the fox is inside the hen house, a firewall can do nothing for you.
• A firewall can't protect you against connections that don't go through it. There is nothing it can do for traffic that bypasses it (e.g. a dial-up link or modem on a workstation).

What can't a Firewall Do? (Cont'd)

• A firewall can't completely protect against new threats. A firewall can only protect against the threats its rules were written for; you can't set up a firewall once and expect it to protect you forever.
• A firewall can't protect against viruses, as these are typically spread inside documents and other content that the firewall passes as legitimate traffic.

Data Center

"Data Center is the business of providing a physical location as well as the applicable IT services (e.g. bandwidth to the Internet, facilities management, hardware/software, IT services, etc.) to run computer applications (e.g. website, e-mail, trading systems, etc.) at a site that is generally remotely located from a corporate or individual's own premises. The eventual goal is to fully outsource corporate IT requirements, leveraging economies of scale at price points and service levels that are difficult to achieve in-house."

Discussion

What are the risks associated with Data Centers?

... and what controls can mitigate the risks?

Summary
• The hardware, systems software, communication lines, networks, Internet and Data Center are all organizational assets that should be properly controlled and managed by management.
• Today's auditors should be familiar with and prepared to deal with the various rapid developments in IT (hardware, OS, communication, networks, Internet and Data Center) and their risks.
• IS Auditors' tasks:
  – Review the existing controls
  – Test compliance
  – Recommend adequate controls

Types of Applications

What is Application Software?
Software that is designed and created to perform a specific personal, business or scientific processing task, such as word processing, an interactive game, a business application, etc.

Categories of software
• In-house developed applications
• Integrated applications (e.g. ERP systems: SAP, JDE, PeopleSoft, Oracle, etc.)
• Packaged applications (e.g. ACCPAC, Picador, etc.)

Q&A

Thank You