IT Change Management

Questions and Answers

Within IT change management, what is the primary risk associated with inadequately tested changes to existing IT application programs?

  • Unauthorized developers moving untested changes into production.
  • Changes not functioning as described or requested. (correct)
  • Configuration changes being made by unauthorized personnel.
  • Multiple instances of the same IT application not remaining identical.

Why is it important to validate changes immediately after installation within IT change management?

  • To permit developers to move unauthorized changes.
  • To identify and rectify any discrepancies or failures promptly. (correct)
  • To ensure changes are approved by business management.
  • To avoid reviewing and updating the SDLC process periodically.

What is the purpose of restricting programs in the test environment to a limited number of authorized personnel?

  • To prevent inappropriate or unauthorized changes to configurations.
  • To ensure developers can move unauthorized changes into the production environment.
  • To prevent unauthorized access and modifications by individuals without development responsibilities. (correct)
  • To allow changes to be pushed to all instances at the same time.

What control should be implemented to ensure configuration changes are appropriate and authorized?

Logging and reviewing configurations regularly. (C)

Why is it vital to ensure that multiple instances of the same IT application remain identical?

To ensure consistent functionality and data integrity across the organization. (A)

Which ITGC is MOST directly related to ensuring that changes to IT systems do not adversely affect financial reporting?

Change Management (B)

What is the primary purpose of IT access controls?

To ensure that only authorized users have appropriate access to IT resources. (D)

Why is segregation of duties a critical concern in IT access management?

To prevent any single individual from having excessive control over critical processes. (C)

Why are authentication and validation important concepts in IT access controls?

To restrict authorized users to performing appropriate actions aligned with their roles. (B)

What type of control requires passwords to be reset every 90 days?

Access control. (C)

What is the purpose of periodically reviewing user access rights?

To validate that access levels still align with current job responsibilities. (B)

Which common ITGC deficiency relates to inconsistent enforcement of IT policies and standards across the organization?

Lack of consistent IT governance (A)

What does Identity Management primarily define?

The who, what, where, and how of an identity within an organization (D)

Which of the following is a common example of outsourcing?

IT services such as data storage and network support (B)

Which of the following is a benefit of outsourcing for an organization?

Elimination of the need for capital expenditures on hardware and software (C)

Which of the following is a key risk associated with outsourcing?

Vendor exploitation (B)

What is Infrastructure as a Service (IaaS)?

Renting the IT infrastructure, such as servers and storage (D)

What is the primary focus of a SOC 2 report?

Controls relevant to security, availability, processing integrity, confidentiality, or privacy (A)

What does CUEC stand for and what is its significance in the context of SOC reports?

Complementary User Entity Controls; outlines controls that user entities must implement (C)

What are CSOCs in the context of SOC reports?

Controls assumed to be implemented by the subservice organization. (B)

Flashcards

IT Change Management

Ensures changes to IT systems are properly tested, approved, and implemented to avoid disruptions or errors.

Risk: Insecure Programs

Programs are not secured, allowing unauthorized or untested changes to be moved into the production environment.

IT Access Management

Ensures that access to IT systems and data is limited to authorized individuals, preventing unauthorized access or data breaches.

Risk: Inadequate Authentication

The risk that unintended users are present in the IT environment because security settings or authentication are inadequate.

Segregation of Duties

Ensures duties are divided so no single person can compromise a critical process.

Authentication/Validation

Confirms IT access is restricted to appropriate users.

Password Reset Control

A control that requires users to reset passwords periodically (e.g., every 90 days).

IDM System

An information system used for identity management across an enterprise or network.

Outsourcing

Using external resources for specific business functions or processes.

Examples of Outsourcing

IT services, HR, or bookkeeping.

Benefit of Outsourcing: Costs

The business does not need capital expenditures such as hardware, software, on-site data centers, etc.

Benefit of Outsourcing: Reliability

Data backup, disaster recovery, and business continuity are easier and less expensive.

Risks of Outsourcing: Costs

Your costs could exceed the benefits.

Risks of Outsourcing: Vendor Exploitation

The vendor is exploited due to reduced security.

Public Cloud

A cloud computing service provided by a third party.

Hybrid Cloud

Combines public and private cloud deployments.

Private Cloud

Cloud computing resources used exclusively by a single business.

IaaS

Renting the IT infrastructure.

PaaS

Supplies an on-demand environment for developing, testing, delivering, and managing software applications.

SaaS

A method for delivering software applications over the internet.

Study Notes

ITGCs - IT Manage Change

  • New IT applications or changes may fail due to inadequate testing
  • Control: Changes should be validated directly after installation
  • Test: Obtain a list of changes
  • New IT applications or changes may be unsuitable for the business or IT environment
  • Control: Changes need approval and testing by business management before implementation
  • Test: Inspect evidence and lists of changes
  • Programs in production may be unsecured, leading to unauthorized or untested changes
  • Control: Access to programs in the test environment must be limited to authorized personnel without development duties
  • Test: Review lists of user IDs
  • Configuration changes by IT staff may be inappropriate or unauthorized
  • Control: Configurations are logged and reviewed
  • Test: Check configuration settings
  • Multiple instances of an IT application should be identical
  • Control: Changes get pushed to every instance simultaneously; comparisons should occur periodically
  • Test: Inspect settings
  • Implementation failures of new systems, upgrades, or key integrations can impact financial reporting controls
  • Control: The SDLC process is reviewed/updated periodically

ITGCs - IT Access (aka Manage Access or Logical Access)

  • Typical risks include unintended users being present in the IT environment due to inadequate authentication and security
  • Access granted might not match approved access levels, or users may be generally inappropriate
  • Concerns arise in segregation of duties due to IT user access
  • Combining IT application functions into roles can cause segregation of duties issues, risking misstatements
  • Direct data changes are made without authorization
  • Authentication and validation concepts are in place for authorized users
  • Validated users are restricted to authorized actions aligned with their roles (authorization/access rights)
  • Controls, such as password resets every 90 days and annual user access reviews, need evaluation

Deloitte Review Slides - Considerations for Acceptable Deviation Levels

  • Risk associated with the control
  • Complexity
  • Extent of reliance on the control
  • Testing approach
  • Nature of the control

Common GITC (ITGC) Deficiency Themes

  • Lack of consistent IT governance
  • Cybersecurity breach leading to compromise of financial systems
  • Management of end-user segregation of duties
  • Highly privileged access management
  • Developer access to production environments
  • SDLC failures due to major system implementation issues

Identity Management

  • Defines who, what, where, and how of an identity within an organization
  • It defines what an identity is, what it can do, and how to track and report on the entity
  • IDM systems include info systems used for enterprise or cross-network identity management

Third-Party Risk

  • Outsourcing includes IT services, HR functions, and bookkeeping
  • Benefits include lower capital expenditures on hardware, software, and data centers
  • Global scale provides the right amount of IT resources and capacity
  • Regularly updated cloud services improve performance
  • Updated security via a broad set of policies and technologies
  • Speed provides vast computing resources on demand
  • Productivity enables focus on core business goals by removing the need to "rack and stack" additional resources
  • Reliability with built-in data backup, disaster recovery, and business continuity
  • Risks include costs exceeding benefits and failure to perform
  • Vendor exploitation and reduced security can occur
  • A loss of strategic advantage and reduced ability to reestablish outsourced function is a possibility
  • Lower employee loyalty, quality, consistency, and oversight issues are risks

Cloud Computing/Service Types

  • Public clouds are owned and operated by a third-party cloud provider
  • Hybrid clouds combine public and private clouds, sharing data via technology
  • Private clouds are exclusively for a single business or organization
  • IaaS is the most basic, involving renting IT infrastructure
  • PaaS supplies an on-demand environment for developing, testing, delivering, and managing applications
  • SaaS is a method for delivering software applications over the internet

SOC Reports

  • SOC reports are included under the SOC Suite of Service Offerings
  • Organizations may need SOC reports for various reasons
  • SOC 1 reports are used by customers and auditors to conduct audits of financial statements
  • SOC 1 includes ICFR, Type 1 (as of a specific date), and Type 2 (throughout a period)
  • SOC 2 reports on controls related to security, availability, processing integrity, confidentiality, or privacy
  • SOC 2 includes Type 1 (design of controls) and Type 2 (design and operating effectiveness)
  • Customers utilize these reports to understand processing controls
  • SOC 2+ includes the criteria of SOC 2 alongside additional criteria
  • SOC 3 reports provide confidence to stakeholders regarding a service organization's systems
  • SOC 3 reports are intended for general use
  • Trust Services Criteria are used in SOC 2 and 3 engagements
  • SOC 1 and SOC 2 reports have 5 sections
  • CUECs are complementary user entity controls, where the service organization assumes controls will be implemented by user entities
  • CUECs Example: User Access, Sign-on credentialing such as PWs and multifactor authentication
  • CSOCs are supplementary subservice organization controls, where the service organization assumes controls will be implemented by the subservice organization
  • CSOCs Example: Physical Security, Data Backup and Recovery
