| Term | Definition |
|---|---|
| IT Resources | Application, information, infrastructure, people |
| Applications | automated systems and manual procedures that process information |
| Information | data, in all forms, that are input, processed, and output by information systems |
| Infrastructure | technology and facilities (hardware, operating systems) that enable the processing of the applications |
| People | personnel who plan, organize, acquire, implement, deliver, support, monitor and evaluate information systems and services |
| People | The biggest problem in IT resources |
| Hypothetical Computer System | a computer system consisting of one or more servers in a computer room at headquarters, connected to printers, external storage devices and PCs (clients); all connections are via networks (LAN, WAN), which in turn connect to the internet through firewalls |
| Client Server | "thin" client: all processing and data are on the server (the client is a slave/dummy terminal); such server computers were called "Big Iron" |
| Distributive Processing | "thick" client: some processing and some data are on the client, or all processing and most data are on the client |
| COBIT | supports IT governance by providing a framework to ensure that IT is aligned with the business, enables the business and maximizes benefits, resources are used responsibly, and risks are managed appropriately |
| IT Control Processes | Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate |
| Plan and Organize | 1) Establish a strategic vision for IT (plans and goals, IT strategy for the organization, understand the physical layout of the system, identify risk, monitor). 2) Develop tactics to plan, communicate, and manage the vision (project management: determine when/where to spend money to move from AS-IS to 2-B; establish a code of ethics and conduct; have adequate staffing) |
| As-Is | inventory of the current information systems capabilities |
| 2-B | where we want to go, implement strategy |
| Segregation of Duties | Custody, authorization, and record keeping |
| Segregation of Duties with IT | Data, programming, operations |
| Acquire and Implement | 3) Identify automated solutions (define information requirements, form courses of action, assess risks; solutions should be consistent). 4) Develop and acquire IT solutions (canned, custom, or both). 5) Integrate IT solutions into operational processes. 6) Manage change to IT systems (a very high risk area; must be monitored carefully and controlled; make sure to update documentation of business processes) |
| Parallel Conversion | Run both old and new IT systems. Both produce output. Compare the output, make sure it is equal. |
| Cold Turkey Conversion | "Flip the switch." Install the new IT system and switch over. |
| Roll Out Conversion | Run either parallel or cold turkey |
| Delivery and Support | 7) Deliver required IT services (establish service levels, i.e. minimum quantity and quality of services; allocate the cost of IT services). 8) Ensure security and continuous service (disaster recovery planning; always prepare for the worst-case scenario). 9) Provide support services (e.g. live chat) |
| Profit Center | charge for IT services |
| Cost Center | Overhead allocation |
| Reasons to Plan for Disasters | Minimize threats to IT assets, minimize losses when disaster strikes, minimize liability from internal & external users |
| Hot Site | fully functioning IT system waiting for data, fully redundant systems (2 systems running parallel; immediate) |
| Cold Site | building or rental location that is wired but has no hardware/software (1-3 weeks to bring up). You must test it and back up at another corporate location (reciprocal agreements) |
| Biometrics | controls for restricting access (e.g. fingerprint scan) |
| Restricting Access | perimeter controls, building controls, computer facility controls |
| Security Module | identification, authentication, access rights, threat monitoring |
| Strong authentication | 2 of the following: something you have, something you know, something you are |
| Monitor and Evaluate Domain | 10) Monitor and evaluate the processes. Ongoing process to maintain control (security, availability, processing integrity, online privacy, confidentiality) |
| Personnel Control Plans | Selection & hiring, retention, personnel development, personnel management |
| Selection and hiring | qualified, technical background, honest, excellent; if you don't do it right you won't be successful |
| Retention | keeping excellent people is just as hard as attracting them. Pay adequately & provide challenging work and advancement opportunities |
| Personnel Development | keep people trained |
| Personnel Management | termination is a systematic process; in an IT environment, turn off their access before they're fired. Rotation of duties (difficult to do now), forced vacations (reduced opportunity; do at end of month), offer fidelity bonds (insurance) |
| Once and only once | Valid and accurate data should be entered |
| The Sarbanes-Oxley Act of 2002 | Federal law that resulted from Enron, et al. |
| Ensure security of resources | If you label a check "For deposit only", you are doing this type of control |
| Capacity for Risk | Exploit opportunities, resilience to market setbacks and disasters. |