ACCT10003 Lecture Notes - Lecture 8: Cloud Computing, Isaca, Malware

Accounting Processes and Analysis
Lecture 8: Information Security and Computer Fraud
LO#1 Describe the risks related to information security and systems integrity
Information security management is “an integrated, systematic approach that co-ordinates people,
policies, standards, processes and controls used to safeguard critical systems and information from internal
& external security threats” [AICPA]
Information security is critical to maintaining the systems integrity. The purpose of information security
management is to protect the CIA of a firm’s information:
Confidentiality – information is not accessible to unauthorised individuals or processes
Integrity – information is accurate & complete
Availability – information & systems are accessible on demand
Understand the following:
Malware- code designed to damage, disrupt or steal data, or to disrupt computer systems & networks
E.g. Viruses (a self-replicating program that runs and spreads by modifying other programs or files).
Worms- A self-replicating, self-propagating, self-contained program that uses networking mechanisms to
spread itself.
E.g. the Blaster worm
Trojans- A non-self-replicating program that seems to have a useful purpose in appearance, but in reality,
has a different malicious purpose
E.g. OSX/RSPlug Trojan for Apple
Bots- A collection of software robots that overrun computers to act automatically in response to the
bot-herder’s control inputs through the internet
Additionally, there are spam, phishing, pharming, hacking, social engineering and identity theft to be aware
of.
Denial-of-service (DoS) – The prevention of authorized access to resources (such as servers) or the delaying
of time-critical operations. [“#censusfail”?]
Spyware – Software that is secretly installed into an information system to gather information on
individuals or organizations without their knowledge; a type of malicious code.
Spoofing – Sending a network packet that appears to come from a source other than its actual source.
LO#2 Understand the concepts of encryption and authentication
Encryption is a preventive control providing confidentiality and privacy for data transmission and storage.
There are two algorithmic schemes that encode plaintext into non-readable form, or ciphertext:
- Symmetric-key encryption methods
- Asymmetric-key encryption methods
Authentication is a process that establishes the origin of information or determines the identity of a user,
process, or device. It is critical in e-business because it can prevent repudiation while conducting
transactions online.
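To make the two schemes and the non-repudiation point concrete, here is an added Python example (not from the lecture or its source text) that pairs a symmetric scheme (one-time-pad XOR and an HMAC tag under a shared key) with a textbook RSA key pair on small constructed primes; the primes, the messages and all helper names are assumptions for illustration. The last function shows why only the asymmetric scheme prevents repudiation: the receiver of an HMAC-tagged message holds the same key as the sender and can mint a valid tag itself, whereas with only the public key it cannot produce a verifying signature.

```python
import hashlib
import hmac

# ---- Symmetric-key scheme: one secret shared by both parties ----
def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time-pad XOR: the same key both encrypts and decrypts (symmetric)."""
    assert len(key) >= len(data), "a one-time pad must be at least as long as the data"
    return bytes(k ^ b for k, b in zip(key, data))

def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    """Symmetric authentication tag (HMAC-SHA256): anyone holding the key can make one."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def hmac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)

# ---- Asymmetric-key scheme: textbook RSA on small constructed primes (no padding; real RSA uses 2048-bit+ moduli with OAEP/PSS) ----
def rsa_keygen(p: int = 10007, q: int = 10009, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)

def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    return pow(m, e, n)          # anyone with the public key can encrypt ...

def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)          # ... but only the private-key holder can decrypt

def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(priv, message: bytes) -> int:
    d, n = priv
    return pow(_digest_mod_n(message, n), d, n)   # signing needs the private key

def rsa_verify(pub, message: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest_mod_n(message, n)

def receiver_can_forge(shared_key: bytes, pub) -> dict:
    """Why only the asymmetric scheme gives non-repudiation: the receiver holds the same
    HMAC key as the sender, so it can mint a valid tag for a message the sender never sent;
    with only the public key, exponentiating with e instead of d does not verify."""
    forged = b"PAY 9999 TO RECEIVER"                     # constructed message
    hmac_forgery = hmac_verify(shared_key, forged, hmac_tag(shared_key, forged))
    e, n = pub
    rsa_forgery = rsa_verify(pub, forged, pow(_digest_mod_n(forged, n), e, n))
    return {"hmac": hmac_forgery, "rsa": rsa_forgery}
```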
LO#3 Describe computer fraud and misuse of AIS and corresponding risk mitigation techniques
find more resources at oneclass.com
Fraud- an intentional act by one or more individuals among management, those charged with
governance, employees or third parties, involving the use of deception to obtain an unjust or illegal
advantage.
Emphasis is placed on the detection and deterrence of fraud.
The Global Technology Audit Guidelines (GTAG) describe computer fraud as the theft, misuse and
misappropriation of computer software and hardware.
Computer fraud risk assessment is a systematic process that assists management and internal auditors in
discovering where and how fraud may occur and who may commit the specific fraud. It is often a component
of a firm’s enterprise risk management (ERM) program.
Steps in computer fraud risk assessment are as follows:
1. Identifying relevant IT fraud risk factors.
2. Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
3. Mapping existing controls to potential fraud schemes and identifying gaps.
4. Testing operating effectiveness of fraud prevention and detection controls.
5. Assessing the likelihood and business impact of a control failure and/or a fraud incident.
A fraud prevention program starts with a fraud risk assessment across the entire firm, taking into
consideration the firm’s critical business divisions, processes, and accounts, performed by the
management.
The audit committee often works with the internal audit group to ensure that the fraud prevention and
detection program remains an ongoing effort.
Communicating the firm’s policy file to employees is one of the most important responsibilities of
management.
A fraud detection program should include an evaluation by internal auditors on the effectiveness of
business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness
of internal controls and to identify indicators of fraud risk or actual fraudulent activities. An effective
approach is to have a continuous monitoring system with embedded modules to create detailed logs for
transaction-level testing.
IT Application controls:
Input controls: