Download
module 2 n.
Skip this Video
Loading SlideShow in 5 Seconds..
MODULE 2 PowerPoint Presentation

MODULE 2

154 Views Download Presentation
Download Presentation

MODULE 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. MODULE 2 Protection Of Information Assets Samir Shah CA, CISA, DISA, CIA, CISSP, CFE Director – Eduassure Knowledge Solutions

  2. 4 Application Controls • Application controls pertain to individual business processes or application systems, including data edits, separation of business functions, balancing of processing totals, transaction logging, and error reporting. • The objective of application controls is to ensure that: • Input data is accurate, complete, authorized, and correct. • Data is processed in an acceptable time period. • Data stored is accurate and complete. • Outputs are accurate and complete. • A record is maintained to track the process of data from input to storage and to the eventual output. • From an organizational perspective, it is important that application controls: • Safeguard assets • Maintain data integrity • Achieve organisational goals effectively and efficiently

  3. Application Exposures Weak Security – increased end user access Unauthorized access or changes to Data or Programs Unauthorized remote access Inaccurate Information Erroneous or falsified data Input Misuse by authorized end users Incomplete processing Duplicate Transaction Processing Untimely processing Communication system failure

  4. Components of Application Controls Application controls can be broadly classified as follows Boundary Controls Input Controls Processing Controls Datafile / storage controls Output Controls

  5. Application Boundary Controls The objective of boundary controls is to prevent unauthorized access to applications and their data. Access controls may be implemented by using any of the logical security techniques embedded in the application software. The above objectives can be achieved by adopting logical security techniques like: Using logon ids and passwords Providing access to application from specified terminals only Using Cryptographic Controls Using audit trails

  6. Input Controls Input controls are responsible for ensuring accuracy and completeness of data and instruction input into an application system. a. Source Document Design b. Data entry screen design c. Data code controls d. Batch Controls e. Data Input Validation Controls f. Data Input Error Handling and Reporting g. Instruction Input Controls

  7. a. Source Document Design Source documents are used as an intermediary medium to record data before being used for data entry (input) into the system Reduces data entry errors Increases speed of data entry Ensures better control over the process Assists subsequent reference Source document design includes the following: Material to be used for the source document Layout and style of the source document For designing the layout of the source document, the following should be kept in mind Include instructions for completing the form. Minimize the amount of handwriting. Data to be entered (keyed. be sequenced so that it can be read like a book: that is, top-to-bottom and left-to-right. Capture only variable data. Not to capture data that can be calculated or stored in computer programs as constants. Use organization-wide consistent business codes for appropriate attributes.

  8. b. Data entry screen design Screen organization – symmetric, uncluttered, tie with source document Caption design Data entry field design – to the right of caption or below Tabbing and skipping Colour Display rate Prompting and help facilities

  9. c. Data code controls Types of data coding errors: Addition Truncation Transcription Transposition Double transposition Factors affecting coding errors are Length of the code Alphabetic numeric mix Choice of characters Mixing uppercase/lowercase fonts Sequence of characters

  10. d. Batch Controls Batch controls group input transactions into logical or physical batches. • Control over physical batches is ensured through batch header forms, which are data preparation sheets containing control information about the batch. • Types of batch controls • Total financial amount • Total items • Hash totals • Total documents

  11. e. Data Input Validation Controls One of the important objectives of application controls is to ensure that the data that is input into the application is valid and , this can be ensured by: • Manual signatures on input document • In case of online inputs, input menu is available for specified logins • Restricting certain types of input to be enabled on a unique password at the input menu/form level. • Scanned Input using OCR (Optical Character Recognition), Barcode Readers, MICR (Magnetic Ink Character Recognition), etc Edit Control: Edit controls are the principal data validation controls and are used to validate data. They contain the following: • Sequence checks • Range & limit checks • Missing data check • Duplicate checks • Programmed Validity Check • Dependent Match • Completeness check • Reasonableness check • Table lookups

  12. f. Data Input Error Handling and Reporting Input errors can be handled in the following ways: • Rejecting only transaction with errors • Reject the whole batch of transactions • Accepting batch in suspense • Accepting the batch and marking error transactions

  13. g. Instruction Input Controls Validating instructions is more difficult than validating data. This is because the instruction input requires more user interaction and decision discretion than in the case of data input Instruction input methods Menu Driven Applications: These applications provide a set of instructions that are fixed and the users only need to choose the actions to be done depending on the options available in the menu. Question Answer dialogs: These interfaces ask a series of questions to the user and provide a set of options from which the user is required to make a selection. For example, a financial software may ask the user a series of questions regarding present value, interest rate, periodicity of payment, etc. and the then provide the requisite output. Command Languages: These are languages which require users to specify commands to the system to complete a set of processes. The DOS operating system is an example of a command based instruction input. Reporting Instruction Input Errors Error messages and procedural instructions need to be communicated to users at the instance of a possible error occurrence. The error message must be complete and meaningful and help the user correct it immediately. Different error messages may be given based on the expertise of a user

  14. Processing Controls Data processing controls perform validation checks to identify errors during the processing of data • Data processing controls • Run-to-run totals • Reasonableness verification • Edit checks • Field initialization • Exception reports • Datafile Controls • Version usage • Internal and external labelling • Data file security • Before and after image and logging • File updating and maintenance authorization • Parity Checking

  15. Output Controls Output controls ensure that the data delivered to users will be presented, formatted and delivered in a consistent and secured manner Storage and Logging of sensitive, critical forms Logging of Output program executions Spooling / Queuing Controls over printing Report distribution and collection controls Retention controls

  16. Existence Controls in Application Systems Existence controls ensure the continued availability of the application system and data in a consistent manner to the users. Includes backup and recovery procedures of data