Information Systems Control - Chapter 8

Questions and Answers

Which type of control primarily focuses on ensuring data is delivered accurately and consistently to users?

  • Physical Component Controls
  • Communication Controls
  • Output Controls (correct)
  • Cryptographic Controls

What is the primary purpose of using cryptographic controls in data processing?

  • To prevent accidental data loss on storage media
  • To manage physical access to IT equipment
  • To secure transaction data before it's processed (correct)
  • To validate file integrity during data transfers

What category of controls is designed to mitigate risks associated with the hardware and physical aspects of data processing?

  • Communication Controls
  • Software Controls
  • Physical Component Controls (correct)
  • Output Controls

What is the main aim of implementing software controls in data processing?

To validate checks and maintain data integrity (B)

What is the purpose of line error controls within communication systems?

To detect and correct errors of data transmissions (D)

Which of the following is NOT a primary function of incident response?

Modifying system reboot procedures. (A)

In what context are 'rerun procedures' usually categorized?

Contingency planning (C)

What is the primary purpose of directive controls?

To provide specific directions to staff. (C)

Which action best describes a directive control in practice?

Providing guidelines for handling a security breach (B)

Which of these characteristics is NOT typical of directive controls?

They are complex to implement as they involve decision making (A)

What is a key step for management when implementing directive controls?

Ensuring that directives are approved for compliance (C)

How do corrective controls differ from directive controls?

Corrective controls aim to rectify damage, whereas directives give instructions (D)

What would be an immediate response that directive controls help facilitate?

Responding to a detected risk event (B)

Which of the following is NOT a primary objective of controls within an information system?

Predictive (C)

Which control type primarily focuses on preventing errors or irregularities from occurring in the first place?

Preventive (D)

Which of the following control classifications is related to how information systems resources are physically accessed?

Physical Access (D)

Which of the following is considered a management control framework?

Management Control Framework (B)

According to the provided information, which type of software did ABC Multispecialty Hospital start using in the early 90s?

Specific software for recording daily financial transactions (C)

What is the approximate number of total employees, including doctors and administrative staff, at ABC Multispecialty Hospital?

3000 (C)

What is the term used for the type of controls that focus on taking actions to minimize or eliminate the impact of an error after it has been identified?

Corrective controls (C)

Besides critical care, what other two service lines are mentioned as areas where ABC Multispecialty Hospital has been a market leader?

Ambulatory care and home health care (A)

Which method provides the most secure user authentication based on risk assessment?

Biometric Authentication and/or Digital Certificates (D)

What is a critical security measure for managing stored passwords in an operating system?

Using one-way hashing algorithms and encrypting the password file (B)

Which user should primarily have access to system utilities?

System administrator only (A)

What is the primary function of a duress alarm in a system?

To alert authorities when a user is forced to perform an action (D)

What is the purpose of a 'terminal time out' security measure?

To log out a user if their terminal is inactive for a period to prevent misuse (D)

What is the main control provided by 'Limitation of connection time'?

To limit or deny system access outside specific schedules (B)

How does an application's menu interface contribute to information access restriction?

It limits access to specific functions and information based on user roles. (D)

What should be the primary consideration when designing a duress alarm?

It must be simple enough to operate under stressful conditions. (A)

What is a significant risk associated with portable computers in an organization?

Theft of data from the hard drive. (A)

Which of the following security measures is NOT mentioned as critical for portable computing devices?

GPS tracking of devices. (C)

Why is implementing a Virtual Private Network (VPN) recommended for employees working from home?

To establish a secure channel for data sharing with remote workers. (B)

What is the primary focus of the Management Control Framework in IT?

Reviewing and securing management functions for information systems. (C)

According to the provided text, what is the responsibility of top management regarding IT controls?

To determine the sufficiency of IT controls in meeting business objectives. (C)

What does the scope of control include for Top Management, as outlined in the text?

Formulating high-level IT policies and procedures to establish a sound internal control framework. (A)

Which of these options BEST describes the role of the Management Control Framework?

To ensure management functions are reviewed and controlled in a planned manner. (A)

What is the primary goal of having top management controls on IT systems?

To ensure IT functions correctly and meets strategic objectives. (B)

What is the primary purpose of an emergency power-off switch in a data center?

To allow quick and safe shutdown of equipment in emergency situations. (C)

Why are redundant power links important for data centers?

To ensure a consistent supply of power to all equipment even when one source fails. (C)

Where should water detectors typically be placed in a computer room?

Under raised floors, near drain holes, and around unattended equipment. (D)

Why is it generally not advisable to place a computer room in the basement of a multi-story building?

To reduce vulnerability to floods and water damage. (D)

Apart from physical barriers, what is another method to protect an installation from water damage in flood-prone areas?

Locating the installation on upper floors while avoiding the top floor. (D)

What is the most significant pollutant within a computer installation, which can cause physical damage to the hardware?

Dust accumulation on storage devices. (C)

Why are eating, drinking, and smoking typically prohibited within an information processing facility?

To keep the environment free from potential pollutants that can harm the equipment. (A)

What are physical access controls primarily intended to safeguard?

The physical and digital assets of an information processing facility. (B)

Flashcards

Directive Controls

These controls provide directions to employees to follow and limit potential damage or loss, focusing on achieving a specific outcome.

Business Continuity Plan (BCP)

A plan designed to ensure an organization can continue operating in the event of a disaster or disruption.

Contingency Planning

A set of procedures to recover from a disruption or incident.

Backup Procedures

Making copies of data to protect against loss.

Rerun Procedures

Restoring a system to a working state.

System Reboot

Restarting a computer or system.

Change Input Value

Changing an input value to test a system's response.

Report Violations

Reporting violations of security policies or procedures.

Emergency Power-Off Switch

An emergency power-off switch should be easily accessible and protected from unauthorized access.

Power Backup and Alignment

Redundant power links should be available at the data center to ensure continuous operation even if one power supply fails.

Water Detectors

Water detectors should be placed in areas prone to water damage, such as beneath raised floors, near drain holes, and equipment storage.

Strategic Location of Computer Room

To minimize the risk of flooding, the location should not be in a basement or on the ground floor of a multi-story building.

Waterproofing and Water Leakage Alarms

Water damage can be prevented by using waterproof materials for ceilings, walls, and floors, and having a good drainage system.

Dust Damage

Dust can damage storage devices and cause read/write errors.

Pollution Damage

Eating, drinking, and smoking should be prohibited in the information processing facility to minimize the risk of contaminating equipment.

Physical Access Controls

Physical access controls are measures to protect tangible resources and data stored on physical media.

Objectives of Controls

Controls aim to prevent, detect, correct, direct, or influence a system's activities to meet objectives.

Classification of Controls

Controls categorized based on their nature, such as: Preventive (stopping issues before they occur), Detective (identifying issues that have already happened), Corrective (fixing problems once identified), Directive (guiding actions within the system), and Environmental (creating a favorable environment for good practices).

Nature of IS Resources

IS (Information System) resources are the assets used to process and manage information, encompassing hardware, software, data, networks, staff, and procedures.

IS Resource Controls

Controls are implemented to safeguard IS resources from unauthorized access and use. Physical Access controls protect against physical tampering or intrusion, while Logical Access controls regulate user access to data and systems.

Control Frameworks

A Framework provides a structured approach to manage a system; it defines roles, responsibilities, and procedures. An Application Control Framework focuses on specific applications, while a Management Control Framework oversees the system's overall management.

Audit Perspective on Controls

From an auditor's perspective, controls ensure reliability and accuracy of information, effectiveness of operations, and compliance with relevant laws.

Control Activities

Control activities are the actions taken to ensure controls work effectively. Information Technology Control Activities focus on technology-related aspects, while Physical Activities are tangible actions taken to safeguard resources.

Control Examples: ABC Hospital

Case studies like ABC Multispecialty Hospital demonstrate the importance of controls in real-world organizations. Their use of software for financial transactions highlights the need for robust controls to protect sensitive data.

Communication Controls

Controls implemented to protect communication channels and data transmission, including physical security measures and error detection mechanisms.

Physical Component Controls

Controls aimed at safeguarding the physical components of the communication system, like servers and network devices, from damage or unauthorized access.

Line Error Controls

Controls used for detecting and correcting errors in data transmission over communication lines.

Output Controls

Controls implemented to ensure the accuracy, completeness, and proper format of the data delivered to users.

Data Processing Controls

Controls used during data processing to catch and correct errors, ensuring data integrity is maintained.

Stringent Authentication

Strong authentication methods like Biometric Authentication and Digital Certificates used to secure access to systems based on risk assessment.

Password Management System

The operating system enforces the use of complex passwords to improve system security.

System Utilities

System utilities are programs that manage critical functions of the operating system, like adding or removing users. Access is restricted to administrators.

Duress Alarm

A system feature that alerts authorities when an individual is being forced to perform unauthorized actions.

Terminal Time Out

Automated logout of a user if the terminal remains inactive for a set time to prevent unauthorized access.

Limitation of Connection Time

Limits access to systems outside specific time slots, preventing unauthorized entry.

Information Access Restriction

Application-specific menus that restrict access to system functions based on user roles to control information access.

Application Access Control

Controlling access to applications and modules used to access, process, and communicate information.

Top Management Controls

Controls implemented by management to ensure the organization's IT systems function correctly and meet strategic business objectives.

Management Control Framework

A framework designed to assess the effectiveness of IT controls within an organization. It looks at the management's role in setting up, maintaining, and reviewing these controls.

Information Security

The practice of safeguarding information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Logical Access Control

Protecting access to information systems through methods like passwords, multi-factor authentication, and user permissions.

Hybrid Security Approach

A combination of physical and logical security measures that protect an organization's information systems.

Data Encryption

Encrypting sensitive data carried on portable computers to protect it from unauthorized access.

Biometric and Smart Card Authentication

Using advanced authentication methods like fingerprint, iris scans, and smart cards to ensure access to information systems is only granted to authorized individuals.

Study Notes

UNIT - III INFORMATION SYSTEMS' CONTROLS

  • Information systems controls are a crucial aspect of any organization
  • Understanding the Internal Control Framework and its components is essential
  • Various control types exist, categorized by different parameters
  • Controls are classified based on the 'Objective of Controls', 'Nature of information system resources', and 'Audit Perspective'
  • Auditors play a key role in inspecting and evaluating these controls
  • A detailed understanding of control activities is vital

CHAPTER 8 INFORMATION SYSTEMS' CONTROL AND ITS CLASSIFICATION

  • Learning Outcomes:
    • Establish an understanding of Internal Control Framework and its components
    • Build a detailed understanding of various control types
    • Comprehend controls based on 'Objective of Controls'
    • Classify controls based on 'Nature of information system resources'
    • Understand controls based on 'Audit perspective'
    • Understand controls based on 'Control Activities'
    • Know the role of auditors while inspecting controls

CHAPTER OVERVIEW

  • Objectives of Controls:
    • Preventive
    • Detective
    • Corrective
    • Directive
  • Nature of IS Resources:
    • Environmental
    • Physical Access
    • Logical Access
  • Classification Criteria
  • Audit Perspective
  • Application Control Framework
  • Management Control Framework
  • Information Technology
  • Control Activities
  • Physical Activities

ILLUSTRATION: ABC MULTISPECIALTY HOSPITAL

  • ABC Multispecialty Hospital is a prominent national hospital and medical college
  • Has 250 patient beds and over 3000 employees
  • Market leader in critical care, ambulatory care, and home health care
  • Used specific software for daily financial transactions, upgraded regularly
  • Faced challenges in regulatory compliance and market factors, leading to falling annual profits
  • Implemented a Business Process Re-engineering effort to reduce operating costs by 10%

PROBLEM RAISED

  • Falling annual profits due to regulatory changes and market factors
  • Increasing competition, pressure to reduce operating costs

SOLUTION FOUND

  • Formed ten groups (finance, information systems, nursing, ancillary services, laboratory, administrative, pharmacy, radiology, supportive services, and physician services) to review overall hospital operations
  • Conducted a three-day orientation and training session for the groups, with a management consulting company
  • The Accounts department studied and improved the Financial Accounting System and reduced staff by removing unnecessary positions
  • Resolved vendor payment issues and the conflict over slow payments
  • Found a qualified candidate to fill a vacant position, who was the son of an existing hospital staff member

ISSUES FOUND BY STAKEHOLDERS

  • Internal audit department (CISA) conducts internal audits on various hospital business processes, including finance
  • This identified that Mr. Mahesh's father worked at the hospital as well
  • The situation in the accounts department conflicted with the hospital's policy against nepotism

DISCOVERY OF FRAUD

  • CFO discovered six cash disbursements totaling ₹80,000 made to Mr. Mahesh
  • Internal Audit Manager, Mr. Pankaj, investigated
  • Mr. Mahesh had forged six cash disbursement forms, including vendor invoices
  • Mr. Mahesh input fraudulent data into the accounts payable module under his own vendor account
  • He had been assigned responsibility for semi-weekly cash disbursement and created fraudulent cheques
  • Successfully performed this fraud by utilizing the hospital’s standard operating procedure for all employees in the IT and Finance departments
