CISA made Easy - Easy CISA Preparation

We let you know - the Best way for success in CISA Exam.


CISA Quick Tips 08-1811

Tuesday, November 18, 2008

1. Liquid fires should ideally be suppressed with agents such as dry powder and/or carbon dioxide.

2. The Data Link layer (OSI Layer 2) handles bridging.

3. The Business Impact Analysis (BIA) phase of BCP must include end users.

4. Source code in the live environment should be periodically checked/audited to detect any unauthorized changes to the live environment.

5. Continuity Plan maintenance for BCP should be periodically reviewed and analysed.

11:57 AM | Labels: CISA - Quick Tips

CISA Quick Tips 08-1711

Monday, November 17, 2008

1. A proper access control policy should be framed for data file access and directory access when implementing a Database Management System (DBMS).

2. Segregation of duties is a key area to be audited while auditing IT Operations.

3. In the case of outsourced network operations, the logs of network devices should be secured and accessed only by the organization or a third party (other than the network vendor).

4. CAAT provides reasonable assurance that audit objectives will be achieved.

5. IT Governance ensures that appropriate and suitable controls are being followed by the organization as per standard practices.

5:36 PM | Labels: CISA - Quick Tips

How to select a CAAT

Friday, November 14, 2008

CAAT stands for Computer Assisted Audit Techniques.

A common topic of discussion among IS auditors is "which one is best: CAATs or the manual method of IS audit?" Sometimes the manual method is not enough to produce effective and efficient IS audit results. On the other hand, in many instances the use of CAATs gives less efficient results than the corresponding manual IS audit methods.

It is always recommended to use a mix of CAATs and manual methods for optimal results.

"What should be the criteria to select CAATs?" is another question many IS auditors ask.

The following are some of the important points an organization should consider before selecting CAATs.

1. End User of CAAT

The end users of the CAAT (the IS auditors) should be able to handle almost all operational and related aspects of the CAAT.

2. Cost Benefit Analysis

The cost benefit of the CAAT over a similar manual process should be analysed. The cost of a control should never be much more than the loss due to the risks.

3. System Impact Analysis

This is particularly useful for a CAAT that is integrated into the main system. Use of the CAAT should never degrade system performance beyond a certain limit.

4. Compatibility of CAAT

A CAAT should ideally be compatible with all hardware, software and available infrastructure.

5. Efficiency, Accuracy & Speed of Results

This is the most important aspect of CAAT selection. CAATs that produce efficient, accurate and speedy results are generally preferred.

6. Support from the CAAT Vendor

This is an equally important criterion for CAAT selection.

7. Limitations and Inherent Risks within CAAT

These should be confirmed and evaluated at the time of decision making for CAAT selection.

8. Security of Data Processed by CAAT

An important criterion, which should be evaluated by the Information Security Administrator.

9. Validity Tests

Results of the CAATs should be validated against the corresponding processes. A wide variety of test and live data should be evaluated.

Be careful when analyzing CAAT test data in the live environment to check the validity of CAAT results. Make the necessary arrangements to separate test data in the live environment.

10. Regulatory and Legal Requirements (if any)

Do consider regulatory and legal requirements wherever applicable.

11:05 AM | Labels: IS Audit Process


ISACA does not sponsor or endorse this blog. For any information related to CISA, please visit the ISACA Official Website.