Week 4 Planning Controls in a
Computer Environment
Controls – Def per ISA315 Policies or procedures that an entity
establishes to achieve the control objectives of management or
those charged with governance. In this context:
(i) Policies = statements of what should, or should not, be done
within the entity to effect control.
(ii) Procedures = actions to implement policies.
General IT Controls
Access General info:
Controls
Prevents unauthorised persons from gaining access + limiting
activities to certain areas.
Least privilege principle: person only given access to what they
need in order to do their duties properly.
Preventative Controls:
Security policy: document that contains all risks identified as well as
the responsibility of each employee to act in conscious manner.
Physical access:
1. Limit access to physical premises by:
a. have high electric fences
b. install security gates and doors by which they may only be
opened by means of tag, pin or biometric access.
c. have security guard
d. visitors must sign register
e. doors should remain locked at all times
f. premises must be monitors by means of TV (cameras installed)
g. hardware and important documents must be locked away in
dedicated room
h. logs and registers must be reviewed regularly of visitors or
employees entering
2. Limit access to computer terminals by having:
, a. Should only have 1 access point to enter and exit
b. Manager should supervise activities on computer
c. Access to computer should be limited to office hours
d. Computer and hardware must be secured to table or desk by
using cable or metal
e. logs and activity registers must be regularly reviewed.
3. Access to sensitive information limited by:
a. storing devices away in locked room/ cupboard
b. employ data librarian to keep track of sensitive files. She could
use a register which can be signed
Logical Access controls
1. Identification
a. ID number or username
b. magnetic cards
c. biometric techniques
2. Authentication
a. ask specific questions that only user would know (name of
favourite high school teacher)
b. fingerprint or face scan
c. unique password that must meet the following criteria
-not obvious or easy to guess
-remain confidential
-be at least the minimum length prescribed
-contain variety of characters such as letters, numbers and
symbols
-changed frequently
-don’t display on screen
-must be removed from system if employee/ user resigns from
company
-if unsuccessful 3 times when entering password, should
blocked (full safe).
3. Authorisation
a. access to system and data files must be limited to what user
needs to do duties (least privilege principle).
b. access rights are set up once new user is added.
Computer Environment
Controls – Def per ISA315 Policies or procedures that an entity
establishes to achieve the control objectives of management or
those charged with governance. In this context:
(i) Policies = statements of what should, or should not, be done
within the entity to effect control.
(ii) Procedures = actions to implement policies.
General IT Controls
Access General info:
Controls
Prevents unauthorised persons from gaining access + limiting
activities to certain areas.
Least privilege principle: person only given access to what they
need in order to do their duties properly.
Preventative Controls:
Security policy: document that contains all risks identified as well as
the responsibility of each employee to act in conscious manner.
Physical access:
1. Limit access to physical premises by:
a. have high electric fences
b. install security gates and doors by which they may only be
opened by means of tag, pin or biometric access.
c. have security guard
d. visitors must sign register
e. doors should remain locked at all times
f. premises must be monitors by means of TV (cameras installed)
g. hardware and important documents must be locked away in
dedicated room
h. logs and registers must be reviewed regularly of visitors or
employees entering
2. Limit access to computer terminals by having:
, a. Should only have 1 access point to enter and exit
b. Manager should supervise activities on computer
c. Access to computer should be limited to office hours
d. Computer and hardware must be secured to table or desk by
using cable or metal
e. logs and activity registers must be regularly reviewed.
3. Access to sensitive information limited by:
a. storing devices away in locked room/ cupboard
b. employ data librarian to keep track of sensitive files. She could
use a register which can be signed
Logical Access controls
1. Identification
a. ID number or username
b. magnetic cards
c. biometric techniques
2. Authentication
a. ask specific questions that only user would know (name of
favourite high school teacher)
b. fingerprint or face scan
c. unique password that must meet the following criteria
-not obvious or easy to guess
-remain confidential
-be at least the minimum length prescribed
-contain variety of characters such as letters, numbers and
symbols
-changed frequently
-don’t display on screen
-must be removed from system if employee/ user resigns from
company
-if unsuccessful 3 times when entering password, should
blocked (full safe).
3. Authorisation
a. access to system and data files must be limited to what user
needs to do duties (least privilege principle).
b. access rights are set up once new user is added.
