Controlling Information Systems: IT Processes:

In chapter 8 we look at Controls specifically designed for the Information Systems Function.

COBIT (Control Objectives for Information and Related Technology)

(What is this?)
COBIT was developed by the Information Systems Audit and Control Foundation to provide guidance (to managers, users, and auditors) on best practices for the management of information technology. According to COBIT, IT resources must be managed by IT control processes to ensure an organization has the information necessary for accomplishing its objectives. Similar to COSO for internal controls and its support of organizational governance, COBIT pertains to IT controls and supports IT governance; COBIT provides a framework to ensure:
(1) IT is aligned with the business
(2) IT enables the business and maximizes benefits
(3) IT risks are managed properly
(4) IT resources are used responsibly

IT resources include:
  • Information - Data, in all their forms, that are input, processed, and output by information systems.
  • Application systems - These are automated systems and manual procedures that process information.
  • Infrastructure - Technology and facilities (which include hardware, operating systems, DBMSs, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
  • People - Personnel who plan, organize, acquire, implement, deliver, support, monitor, and evaluate information systems and services.
COBIT's definition of Control: The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Information Systems Function (ISF):

Define, what is this?
Types of Organizational structures for ISF:
  • Centralized - the CIO is the central leader of all the information system functions.
  • Decentralized - personnel are assigned to non-central organizational units.
  • Functional - personnel are assigned to the organizational unit that they work in. This can be used both by centralized and decentralized organizations. Usually, this creates a lot of duplicate work. Ex: Finance, Operations, Plant, etc.
  • Matrix - personnel from different functional areas are put together to work under one supervisor in an effort to integrate the various organizational dimensions.
  • Project - creates permanent systems development structures based on project, product, or geographical location.
Summarize the key control concerns (similar to business exposures) for the various ISF functions (see if you can combine similar concerns by hierarchical layer in the organization chart).

COBIT Control Process Domains:

Plan and Organize
Process 1: establish strategic vision for IT
Process 2: develop tactics to plan, communicate, and manage realization of the strategic vision.
  • Organizational control plans
    • Segregation of duties: authorizing, executing, recording, and safeguarding
    • Organizational control plans for the IT organization: security officer vs. IT steering committee
  • Personnel control plans
    • Selection and hiring control plans - applicants should be carefully screened, selected, and hired.
    • Retention control plans - companies should try to the best of their abilities to provide challenging and creative opportunities as well as offer viable promotions.
    • Personnel development control plans - companies should provide regular training based on deficiencies identified in regular performance reviews. Performance reviews are necessary in order to 1) determine if an employee is satisfying the job requirements listed in the job description, 2) assess strengths and weaknesses, 3) help management determine if salary adjustments and/or promotions are needed, and 4) identify opportunities for training.
    • Personnel management control plans
      • Personnel planning control plans - project future managerial and technical skill needs and use anticipated turnover to develop position-filling strategies.
      • Job description control plans - give specific responsibilities for each position and identify resources to be used.
      • Supervision control plans - require approving, monitoring, and observing of others' work.
      • Personnel security control plans - help to detect and deter possible irregularities and fraudulent activity.
        • Rotation of duties - employees occasionally trade duties.
        • Forced vacation - employees are required to take vacations and another employee fills in.
        • Fidelity bond - indemnifies a company against losses from employees with access to cash and other assets.
      • Termination control plans - set of procedures for when an employee voluntarily resigns or is let go. Can include immediate termination of computer/asset access and even security escort off the premises.
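The segregation-of-duties item under the organizational control plans above names four duties that should not sit with one person: authorizing, executing, recording, and safeguarding. The following is an added example, not from the textbook or from COBIT, showing how an access review would test that rule over role assignments. It runs both as a detective check (who already holds two or more of the duties) and as a preventive check (would a proposed grant create a conflict). The entitlement names, the mapping from entitlement to duty, and the user list are all constructed for the example.

```python
# Added example (not from the textbook or COBIT): a segregation-of-duties
# check over role assignments. All entitlement and user names are constructed.

INCOMPATIBLE_DUTIES = ("authorize", "execute", "record", "safeguard")

# Hypothetical mapping from an entitlement (as it would appear in an IAM or
# ERP export) to the duty it confers; None marks a read-only entitlement.
ENTITLEMENT_DUTY = {
    "po_approver": "authorize",          # approves purchase orders
    "po_creator": "execute",             # raises purchase orders
    "gl_posting": "record",              # posts journal entries
    "inventory_custodian": "safeguard",  # controls the warehouse
    "report_viewer": None,               # read-only reporting
}
assert all(v is None or v in INCOMPATIBLE_DUTIES for v in ENTITLEMENT_DUTY.values())

# Constructed sample of user -> entitlements, as an access review would pull it.
USER_ENTITLEMENTS = {
    "alice": {"po_approver", "report_viewer"},
    "bob": {"po_creator", "gl_posting"},
    "carol": {"inventory_custodian"},
    "dave": {"po_approver", "po_creator", "inventory_custodian"},
}


def duties_for(entitlements, mapping=ENTITLEMENT_DUTY):
    """Return the sorted list of incompatible duties a set of entitlements confers.

    Entitlements missing from the mapping are ignored here; a real review
    would list them separately so an owner can classify them.
    """
    duties = {mapping.get(e) for e in entitlements}
    duties.discard(None)
    return sorted(duties)


def find_sod_conflicts(user_entitlements, mapping=ENTITLEMENT_DUTY):
    """Detective control: users holding two or more incompatible duties.

    Returns {user: [duties]} so the result can feed an access-review report.
    """
    conflicts = {}
    for user, ents in user_entitlements.items():
        duties = duties_for(ents, mapping)
        if len(duties) >= 2:
            conflicts[user] = duties
    return conflicts


def would_conflict(user, new_entitlement, user_entitlements=USER_ENTITLEMENTS,
                   mapping=ENTITLEMENT_DUTY):
    """Preventive control: evaluate a grant before it is provisioned.

    Returns the list of duties the user would hold after the grant when that
    list has two or more entries (reject the grant), otherwise None (accept).
    """
    current = set(user_entitlements.get(user, set()))
    proposed = duties_for(current | {new_entitlement}, mapping)
    return proposed if len(proposed) >= 2 else None


if __name__ == "__main__":
    for user, duties in find_sod_conflicts(USER_ENTITLEMENTS).items():
        print(f"SoD conflict: {user} holds {', '.join(duties)}")
    # alice already authorizes, so letting her execute as well is a conflict.
    print("alice + po_creator:", would_conflict("alice", "po_creator"))
```

In practice the entitlement-to-duty mapping is the part that takes effort: it has to be maintained by the process owners, and any entitlement that is not yet mapped should be reported rather than silently treated as harmless. Running the detective check on each periodic access review and the preventive check inside the provisioning workflow covers both halves of the control.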

Acquire and Implement Domain
Process 3: Identify automated solutions
Process 4: Develop and acquire IT solutions
  • Develop and acquire application software
  • Acquire technology infrastructure
  • Develop service level requirements and application documentation
    • Systems documentation
    • Program documentation
    • Operations run manual
    • User manual
    • Training material
Process 5: Integrate IT solutions
Process 6: Manage changes to existing IT systems - program change control

Deliver and Support Domain
Process 7: Deliver required IT services
Process 8: Ensure security and continuous service
  • Ensure continuous service
    • Continuous data protection
    • Electronic vaulting
    • Hot site vs. cold site
    • Prevent denial-of-service attacks
  • Ensure physical security - preventive maintenance
  • Restrict access to computing resources
    • Control plans for restricting physical access to computer facilities
    • Control plans for restricting logical access to stored programs and data
    • Firewalls, library control, intrusion detection/prevention
Process 9: Provide support services - with a help desk function

Monitor and Evaluate
Process 10: monitor and evaluate the process
  • Trust services principles
    • Security
    • Availability
    • Processing integrity
    • Online privacy
    • Confidentiality

  • Planning and Organization
    • Process#1 - Establish Strategic Vision for Information Technology
    • Process#2 - Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision
  • Acquisition and Development
    • Process#3 - Identify Automated Solutions
    • Process#4 - Develop and Acquire IT Solutions
    • Process#5 - Integrate IT Solutions into Operational Processes
    • Process#6 - Manage Changes to Existing IT Systems
  • Delivery and Support
    • Process#7: Deliver Required IT Services
      • Define service levels - Service level requirements for the minimum levels of the quantity and quality of IT services must be defined.
      • Manage third-party services - Processes must be in place to identify, manage, and monitor non-entity IT resources.
      • Manage IT operations - Standard procedures for IT operations must be established, including procedures for staff, job scheduling, and preventive maintenance.
      • Manage data - Application controls relate directly to the data as it is being processed. General controls ensure data integrity after the data has been processed.
      • Identify and allocate costs - Management should identify the costs of providing IT services and should allocate those costs to the users of those services.
    • Process#8: Ensure Security and Continuous Service
    • Process#9: Provide Support Service - Identify training needs of all personnel to ensure effective use of information technology. Provide assistance or help desk services to all employees after training has been received.
  • Monitoring
    • Process#10: Monitor and Evaluate the Processes - Establish a system for defining performance, generate reports, and management review.

Segregation of Duties:

Segregating Events Processing:
Segregating Information Systems Functions:

Personnel control Plans:

  • Key Control Issues:
  • Selecting and Hiring Plans
  • Retention Plans
  • Personnel Development Plans
  • Personnel Management Plans