Chapter 8: Information Systems Controls for System Reliability, Part 1: Information Security
• COSO and COSO-ERM address general internal control
• COBIT addresses information technology internal control
Information for Management Should Be:
o Information must be relevant and timely.
o Information must be produced in a cost-effective manner.
o Sensitive information must be protected from unauthorized disclosure.
o Information must be accurate, complete, and valid.
o Information must be available whenever needed.
o Controls must ensure compliance with internal policies and with external legal
and regulatory requirements.
o Management must have access to appropriate information needed to conduct
daily activities and to exercise its fiduciary and governance responsibilities.
• COBIT domains: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate
• Plan & Organize: management develops plans to organize information resources to provide the information it needs.
• Acquire & Implement: management authorizes and oversees efforts to acquire (or build internally) the desired
• Deliver & Support: management ensures that the resulting system actually delivers the desired information.
• Monitor & Evaluate: management monitors and evaluates system performance against the established
• The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.
• COBIT specifies 210 controls for ensuring information integrity
o A subset is relevant for external auditors (see IT Control Objectives for Sarbanes-Oxley, 2nd Edition)
• Trust Services Framework (AICPA and CICA information systems controls)
o Controls for system and financial statement reliability
• Security
o Access to the system and its data is controlled and restricted to legitimate users.
• Confidentiality
o Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
• Privacy
o Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
• Processing Integrity
o Data are processed accurately, completely, in a timely manner, and only with
• Availability
o The system and its information are available to meet operational and contractual
Security / Systems Reliability
• Security is the foundation of the Trust Services Framework
o Security is a management issue, not a technology issue
SOX 302 states:
• The CEO and CFO are responsible for certifying that the financial statements fairly present the results of the company’s activities.
• The accuracy of an organization’s financial statements depends
upon the reliability of its information systems.
• Defense-in-depth and the time-based model of information security
o Have multiple layers of control
Management’s Role in IS Security
• Create a security-aware culture
• Inventory and value company information resources
• Assess risk, select risk response
• Develop and communicate security:
o Plans, policies, and procedures
• Acquire and deploy IT security r