SysTrust Introduction.ppt
SysTrust Introduction
SYSTRUST COURSE, February 2001


SysTrust History
SYSTRUST COURSE, February 2001

Agenda
- Vision
- Task Force Membership
- SysTrust Roll-out Activities
- Task Forces Due Diligence
- Support Tools
- Successes to Date
- Feedback to Date
- Future Enhancements

Vision
(figure)

Task Force Membership
- Thomas E. Wallace, Chair
- J. Efrim Boritz
- Robert Parker
- Robert J. Reimer
- George H. Tucker III
- Miklos A. Vasarhelyi
- Sander Wexler
- Dan White
CICA Staff
- Bryan Walker, Principal, Research Studies
AICPA Staff
- Erin P. Mackler, Technical Manager, Assurance Services
- Judith M. Sherinsky, Technical Manager, Audit and Attest Standards

SysTrust Roll-out Activities 1
(timeline figure: Development; Exposure, 7/99 to 9/99; Issued, 11/99; Supporting Tools)

SysTrust Roll-out Activities 2
- SCAS/TFAS - 1996 - 1997
- Version 1 - Jan/88 - Nov/89
  - Development - Jan/88 - April/99
  - Review - April/99 - June/99
  - Exposure Draft - July/99 - September/99
  - Final issuance - Fall 1999
  - Training courses - Fall 1999
- Version 2 - Jan - July 2000
- Version 3 - Jan - ? 2001

Task Forces Due Diligence
Review of draft conducted by:
- Associates - practitioners, academics
- Institutes' technical committees
- Ev Johnson - Chair of eComm Committee
- Selective members of Institutes' ASB
- Industry - Internal Audit, CFO, CIO
Considered: market and need; completeness and relevance of principles & criteria; & other comments

Support Tools 1
- Competency Model - what skills are needed for SysTrust
- Training Courses:
  - SysTrust Overview
  - How to Perform a SysTrust Engagement
  - In-Depth Training in SysTrust Principles & Criteria
  - Information Systems Audit & Control Association (ISACA) courses

Support Tools 2
Practitioners' Aids:
- Workplans
- Engagement letters
- Representation letters
- Checklists
- Practice guides
- Marketing ideas

Support Tools 3
Marketing:
- Conceptual Marketing Plan by AICPA
- articles/ads, e.g. Journal of Accountancy, CA Magazine, ISACA
- AICPA and CICA websites
- pilot project testimonials by practitioners
- conferences and training (UWCISA/JIS)
- related organizations, e.g. ISACA
- Alliances

Successes to Date
- Approx. 40 engagements
- Typically $100 - 200,000 range
- Many pre-implementation/readiness reviews
- Industries: Government, Banks, Utilities, .Coms: L, A
- Adoption by Internal Audit departments

Feedback to Date
- Like framework
- Need flexibility in use:
  - ability to report on less than all principles
  - ability to issue a point in time report
- Clarify privacy's impact on reliability:
  - in - confidentiality of private information
  - out - accuracy of data, consent, individual's right to view, remediation, etc.

Future Enhancements
- Versions 3.0 & 4.0?
  - enhancements to principles & criteria
  - enhancements to reporting: point in time, "seal" program, holistic
  - continuous auditing & reporting
- Buy-in by industry: management, internal audit, developers
- Buy-in by Practitioners

SysTrust!


SysTrust Overview
SYSTRUST COURSE, February 2001

Agenda
- Systems Reliability in Business
- What is SysTrust?
- Positioning SysTrust
- SysTrust Framework
- System Reliability Criteria
- Controls

Systems Reliability in Business
(figure: Growth, Profitability, Mkt Share; SPEED, COST & QUALITY)

Drivers of Need
Like a weak link in a chain, an unreliable system can fail the entire business.

Recent Headlines
- "Security rated top on-line fear"
- "Computer woes halt TSE trading"
- "eBay waives $3-5 million listing fees after service outage"
- "Rail company's unreliable system causes rail cars to stack up, shipping delays and shipments gone astray"
- "Worm.Explore.Zip virus forces shutdown of companies' systems"
- "Computer errors decimate managed care company's stock"

Reliability & the Market
(chart: E*Trade Publicized Network Failures & Resulting Market Cap Decreases; E*Trade Stock Price (EGRP); $767m, $737m, $2.5b)

Factors of Unreliability
- Denial of Service - system failures, crashes, capacity issues
- Unauthorized Access - viruses, hackers, loss of confidentiality
- Loss of Data Integrity - corrupted, incomplete, fictitious data
- Maintenance problems - unintended impact of system changes
- Failure to fulfill commitments

Need for SysTrust
What We Found:
- No Common Definition of Reliability - e.g. is security in or out?
- No Basis for Comparison - at what point is reliability achieved?
- Differing levels of Objectivity & Rigor - how much and how good is the assessment?

What is "SysTrust"?
- SysTrust - a CA/CPA's assurance report on a system's reliability
  - US - SSAE #1
  - Canada - section 5025
- Opinion on controls using a framework of 4 principles & 58 criteria on reliability
- To earn a SysTrust opinion, a system must meet all criteria for the principles reported on

A "SysTrust" Opinion
"We have audited the assertion by mgmt that ... ABC company maintained effective controls ... over system availability, security, processing integrity and maintainability ... based on SysTrust principles & criteria"
"In our opinion mgmt's assertion is fairly stated in all material respects."

Components of "SysTrust"
(figure)

Positioning "SysTrust" 1
(figure: SysTrust)

Positioning "SysTrust" 2
(figure: Non-Financial / Financial; Internal Users / External Users)

Definitions
- "SYSTEM"
- "RELIABILITY"
- "CRITERIA"
- "CONTROLS" (vs. internal control)

"SYSTEM" 1
A SYSTEM is an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information.

"SYSTEM" 2
- infrastructure (facilities, equipment and networks)
- software (systems, applications, utilities)
- people (developers, operators, users and managers)
- procedures (automated and manual)
- data (transaction streams, data bases and tables)

"RELIABILITY"
Reliable System defined as: "A system that operates without material error, fault or failure during a specified time in a specified environment."
Four Principles:
- Availability
- Security
- Integrity
- Maintainability

"Reliability" Framework
(figure)

"CRITERIA"
- Each Principle has a series of Criteria
- Criteria categories:
  - policies exist and are appropriate
  - policies are implemented and operate
  - adherence to policy is monitored
- Definition of Criteria: measurable, relevant, objective, complete

Structure of Criteria 1
(figure)

Structure of Criteria 2
(figure)

Example: Availability
Principle: The system is available for operation and use at times set forth in service level statements or agreements.
Criteria Categories:
- The entity has defined and communicated performance objectives, policies, and standards for system availability.
- The entity utilizes processes, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards.
- The entity monitors the system and takes action to achieve compliance with system availability objectives, policies, and standards.

Example: Availability (cont'd)
(figure)

"CONTROLS"
- primary evidential basis for evaluating whether criteria, and hence reliability principles, are satisfied
- assurance provider assesses controls deemed relevant to concluding whether Criteria are met
- may supplement with direct tests of Criteria
- require judgment to determine the nature and extent of evidence required to verify existence, effectiveness and continuity of controls

Illustrative Controls 1
CICA's ITCG - comprehensive coverage: risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc.

Illustrative Controls 2
ISACF's COBIT - also comprehensive: planning & organization, acquisition & implementation, delivery & support, monitoring, etc.

Example: Availability (cont'd)
(figure)


Principles & Criteria
SYSTRUST COURSE, February 2001

SysTrust Principles
- Availability: The system is available for operation and use at times set forth in service level statements or agreements.
- Security: The system is protected against unauthorized physical and logical access.
- Integrity: System processing is complete, accurate, timely and authorized.
- Maintainability: The system can be updated when required in a manner that continues to provide for system availability, security, and integrity.

Security Principle
Category S1: The entity has defined and communicated performance objectives, policies, and standards for system security.
- S1.1: The system security requirements of authorized users, and the system security objectives, policies and standards, are identified and documented.
- S1.2: The documented system security objectives, policies, and standards have been communicated to authorized users.
- S1.3: Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service level agreements and applicable laws and regulations.
- S1.4: Responsibility and accountability for system security have been assigned.
- S1.5: Documented system security objectives, policies, and standards are communicated to entity personnel responsible for implementing them.

Security Principle
Category S2: The entity utilizes processes, people, software, data, and infrastructure to achieve system security objectives in accordance with established policies and standards.
- S2.1: Acquisition, implementation, configuration and management of system components related to system security are consistent with documented system security objectives, policies, and standards.
- S2.2: There are procedures to identify and authenticate all users accessing the system.
- S2.3: There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.
- S2.4: There are procedures to restrict access to computer processing output to authorized users.
- S2.5: There are procedures to restrict access to files on off-line storage media to authorized users.
- S2.6: There are procedures to protect external access points against unauthorized electronic access.
- S2.7: There are procedures to protect the system against infection by computer viruses, malicious code, and unauthorized software.
- S2.8: Threats of sabotage, terrorism, vandalism and other physical attacks have been considered when locating the system.
- S2.9: There are procedures to segregate incompatible functions within the system through security authorizations.
- S2.10: There are procedures to protect the system against unauthorized physical access.
- S2.11: There are procedures to ensure that personnel responsible for the design, development, implementation and operation of system security are qualified to fulfil their responsibilities.

Security Principle
Category S3: The entity monitors the system and takes action to achieve compliance with system security objectives, policies, and standards.
- S3.1: System security performance is periodically reviewed and compared with documented system security requirements of authorized users and contractual, legal, and other service level agreements.
- S3.2: There is a process to identify potential impairments to the system's ongoing ability to address the documented security objectives, policies, and standards, and to take appropriate action.
- S3.3: Environmental and technological changes are monitored and their impact on system security is periodically assessed on a timely basis.

Principle: Integrity
System processing is complete, accurate, timely and authorized.

Integrity Principle
Category I1: The entity has defined and communicated performance objectives, policies, and standards for system processing integrity.
- I1.1: The system processing integrity requirements of authorized users and the system processing integrity objectives, policies, and standards are identified and documented.
- I1.2: Documented system processing integrity objectives, policies, and standards have been communicated to authorized users.
- I1.3: Documented system processing integrity objectives, policies, and standards are consistent with system processing integrity requirements defined in contractual, legal, and other service level agreements and applicable laws and regulations.
- I1.4: There is assignment of responsibility and accountability for system processing integrity.
- I1.5: Documented system processing integrity objectives, policies, and standards are communicated to entity personnel responsible for implementing them.

Integrity Principle
Category I2: The entity utilizes processes, people, software, data, and infrastructure to achieve system processing integrity objectives in accordance with established policies and standards.
- I2.1: Acquisition, implementation, configuration and management of system components related to system processing integrity are consistent with documented system processing integrity objectives, policies, and standards.
- I2.2: The information processing integrity procedures related to information inputs are consistent with the documented system processing integrity requirements.
- I2.3: There are procedures to ensure that system processing is complete, accurate, timely, and authorized.
- I2.4: The information processing integrity procedures related to information outputs are consistent with the documented system processing integrity requirements.
- I2.5: There are procedures to ensure that personnel responsible for the design, development, implementation and operation of the system are qualified to fulfil their responsibilities.
- I2.6: There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.

Integrity Principle
Category I3: The entity monitors the system and takes action to achieve compliance with system integrity objectives, policies, and standards.
- I3.1: System processing integrity performance is periodically reviewed and compared to the documented system processing integrity requirements of authorized users and contractual, legal and other service level agreements.
- I3.2: There is a process to identify potential impairments to the system's ongoing ability to address the documented processing integrity objectives, policies, and standards, and to take appropriate action.
- I3.3: Environmental and technological changes are monitored and their impact on system processing integrity is periodically assessed on a timely basis.

Principle: Maintainability
The system can be updated when required in a manner that continues to provide for system availability, security, and integrity.

Maintainability Principle
- Category M1: The entity has defined and communicated performance objectives, policies, and standards for system maintainability.
- Category M2: The entity utilizes processes, people, software, data, and infrastructure to achieve system maintainability objectives in accordance with established policies and standards.
- Category M3: The entity monitors the system and takes action to achieve compliance with maintainability objectives, policies, and standards.

SysTrust!
