Thursday, April 2, 2009

IT RISK MANAGEMENT

Assessing and managing risk related to technology

KIND OF RISK

Confidentiality
Integrity
Availability

These are the three key business risks you look at when doing risk management.

Key players: the Big 5 accounting firms (including KPMG), of which 4 are present in Pakistan

Ernst & Young
Deloitte Touche
Protiviti
PricewaterhouseCoopers

Requirements for IT risk management are:

· Good business management
· Good knowledge of IT
· Knowledge of auditing and accounting

Qualifications

CISA
CA
CISM
CISSP
CPA

You can either form a professional service firm or audit firm, or you may go into industry (a firm hiring for internal IT audit); you also have the option of going into security.

You need to look at the organization context.

ROLE IN THE BIG 4

· Financial audit
· Internal IT audit
· Advisory / consulting (assessment year 2000)


ENTRY TO MARKET

· Professional service
· Industry
  · Internal audit
  · IT audit
Now firms have internal audit directors.

To get to the point of financial audit you need to do IT audit

(At the time when I left he started explaining the AUDIT PROCESS, which I missed)

IT LEVEL ASSESSMENT

IT entity level control (control at organizational level)

· IT strategy
· Staff training
· Policies

IT General Control

Looking at the process; these revolve around three key risks:

· Logical access (confidentiality)
· SDLC and change management (Integrity)
· IT operations (Availability)

Application Control

Control built within transactions / application

IT-dependent manual control

e.g. manual controls over reports generated by systems

Framework for IT

· COBIT: Control Objectives for IT

· A framework for implementing control in each area

LOGICAL ACCESS

· Data access path
· User administration process
· New user Access
· User Access maintenance
· User termination

The above three (new user access, user access maintenance, user termination) are preventive controls.

Review of access

APPROPRIATE SEGREGATION of duties (e.g. approving access and setting up access) should be done by different people.

· Password and security configuration

· Operating systems, network and database
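As an added example (not part of the lecture notes), the kind of automated test an IT auditor might script against extracts from a user-administration system to check the logical-access points above: user termination (preventive), segregation of duties between approving and setting up access, and periodic review of access. All records and field names below are constructed for illustration.

```python
"""Audit tests for logical access controls over constructed HR and access extracts."""
from datetime import date

AS_OF = date(2009, 4, 2)  # date the test is run (constructed)

# Constructed HR extract: employment status per user id.
HR = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "left": date(2009, 2, 15)},
    "carol": {"status": "active"},
}
# Constructed application account list with the date of the last access review.
ACCOUNTS = {
    "alice": {"enabled": True, "last_review": date(2009, 1, 10)},
    "bob":   {"enabled": True, "last_review": date(2008, 12, 1)},
    "carol": {"enabled": True, "last_review": None},
}
# Constructed access-request log: who approved and who set up each change.
REQUESTS = [
    {"id": "R1", "user": "alice", "approved_by": "mgr1",   "setup_by": "admin1"},
    {"id": "R2", "user": "carol", "approved_by": "admin2", "setup_by": "admin2"},
]

def terminated_but_enabled(hr, accounts):
    """User termination test: leavers must not keep an enabled account."""
    return sorted(u for u, rec in hr.items()
                  if rec["status"] == "terminated"
                  and accounts.get(u, {}).get("enabled"))

def sod_violations(requests):
    """Segregation of duties: approver and implementer must be different people."""
    return sorted(r["id"] for r in requests if r["approved_by"] == r["setup_by"])

def overdue_reviews(accounts, as_of, max_age_days=90):
    """Review of access: every enabled account must have been reviewed recently."""
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and (a["last_review"] is None
                                        or (as_of - a["last_review"]).days > max_age_days))

if __name__ == "__main__":
    print("terminated but still enabled:", terminated_but_enabled(HR, ACCOUNTS))
    print("SoD violations:", sod_violations(REQUESTS))
    print("overdue access reviews:", overdue_reviews(ACCOUNTS, AS_OF))
```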

SDLC AND CHANGE MANAGEMENT

· Understanding SDLC and change management process
· Authorization and approval from system owner

IT OPERATIONS
· Backup and recovery procedures
· Help desk and incident management
· Data center walkthrough
· Physical security of data

Wednesday, March 18, 2009

Reply, it's fun

Welcoming all those who are food lovers.

Share your experience of trying something new that turned out to be yucky!