Information Function Audit
M.C. Juan Carlos Olivares Rojas
Department of Computer and System
Instituto Tecnológico de Morelia
[email protected] lat, -101.1848 long
Disclaimer
Some material in this presentation has been obtained from various sources, each of which has its own intellectual property, so this presentation has only some rights reserved.
These slides are free, so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on my part. In return for use, I only ask the following: if you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source.
Outline
Compilation of Organizational Information
Human Resources Assessment
Interviews with Informatics Personnel
Budget and Financial Situation
Budgets
Financial and Material Resources
Objectives of the Session
• The students will know the basics of the Informatics Function Audit
Compilation of Organizational Information
• It’s important for the correct management of the auditing process.
• Before making a report, the information that sustains its ideas is necessary. This information is known as Evidence.
• Remember that the first step is to know the organizational context of a firm.
Compilation of Organizational Information
• It’s important to have an efficient way to collect information such as logs, databases, control sheets and cross-documents.
• Information retrieval must be as quick as possible.
• In the research process this activity is highly time-consuming (Theoretical Frame and State of the Art).
Human Resources Assessment
• This action is very important because some firms have excellent organization and planning but in practice have bad execution and direction (CONTROL).
• There are two kinds of human resources evaluation:
• Activity and responsibility of an employee in an organization (for example, a bad director or boss).
Human Resources Assessment
• Assessment of the organization by its people (asking about good working conditions).
• One technique of human resources assessment is the elaboration and application of questionnaires.
• Questionnaires are a good option when there is not enough time, but they are difficult because they need correct design and processing.
Interviews with Informatics Personnel
• The interview is a vital process inside auditing.
• We must collect and store this information as Evidence, but most of the time this is difficult because it’s not a legal process and some employees can’t or don’t like talking about some topics in these circumstances.
• Interviews are difficult to design and apply but are crucial.
Interviews with Informatics Personnel
• Interviews provide the correct specification of a process. Auditors can be aided by personnel with processes that are difficult to understand.
• There are many kinds of interviews. The most important thing in the interview process is the script. The interviewer should be an excellent improviser and a charismatic person.
Activity
• Example of Human Resources Assessment*
• Make a control sheet (checklist) indicating the elements which are present.
• Compare the control list with the control sheet and define which elements present as Evidence are not registered in the documentation.
• In pairs, groups of three or groups of four (deliver a report)
Homework
• Conduct an interview with some person in a digital format such as audio (podcasting) and video over the Internet (videocasting).
• The interview must contain a script (duplex way)
• It contains RSS syndication
• You can interview a classmate (pair) about their future job.
Budget and Financial Situation
• Budget is an important element because Auditors have some constraints, and the most important is Financial.
• Ideally, the audit budget should be created after the audit schedule is determined.
API Brute Force
• Develop a Java program which can gain access to a system with a login screen (username and password).
• The user must indicate the initial point or area of the first field, and must indicate the maximum length of words (update it for variable length*).
• Test it with a real program or a simulated program. If the screen has changed, the program has gotten in (consider a delay for authentication).
API Brute Force
• Optional: make a statistics module for calculating the iterations and the time needed to obtain the password.
• Optional: include a dictionary search (depends on the language).
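The statistics module above, seen from the defender's side, as an added example that is not part of the original slides: it computes the worst-case number of candidates for a given alphabet size and maximum length, and shows how a per-account delay after failed logins stretches the time such a search would need. The class name, the policy values and the 100 ms per-attempt figure are assumptions chosen for illustration.

```java
import java.math.BigInteger;
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;

public class LoginThrottle {
    // Hypothetical policy values (assumptions, not taken from the slides).
    static final int FREE_ATTEMPTS = 5;               // failures allowed with no delay
    static final long BASE_DELAY_MS = 1_000;          // first imposed delay
    static final long MAX_DELAY_MS = 15 * 60 * 1_000; // cap: 15 minutes

    private final Map<String, Integer> failures = new HashMap<>();

    // Delay imposed before the next attempt for this account is accepted.
    long delayFor(String user) {
        int n = failures.getOrDefault(user, 0);
        if (n < FREE_ATTEMPTS) return 0;
        int shift = Math.min(n - FREE_ATTEMPTS, 20);  // bound the shift to avoid overflow
        return Math.min(BASE_DELAY_MS << shift, MAX_DELAY_MS);
    }

    void recordFailure(String user) { failures.merge(user, 1, Integer::sum); }
    void recordSuccess(String user) { failures.remove(user); }

    // Worst-case number of candidates: sum of alphabet^k for k = 1..maxLen.
    static BigInteger keyspace(int alphabet, int maxLen) {
        BigInteger a = BigInteger.valueOf(alphabet);
        BigInteger total = BigInteger.ZERO;
        BigInteger power = BigInteger.ONE;
        for (int k = 1; k <= maxLen; k++) {
            power = power.multiply(a);
            total = total.add(power);
        }
        return total;
    }

    public static void main(String[] args) {
        long n = keyspace(26, 6).longValueExact();    // lowercase letters, up to 6 characters
        System.out.println("candidates: " + n);
        // Constructed figure: 100 ms per attempt when the system imposes no delay.
        System.out.println("no throttle, worst case: " + Duration.ofMillis(n * 100));
        // Once the cap is reached, every further guess costs about MAX_DELAY_MS.
        System.out.println("throttled, worst case:   "
                + Duration.ofMillis(MAX_DELAY_MS).multipliedBy(n));

        LoginThrottle throttle = new LoginThrottle();
        for (int i = 1; i <= 8; i++) {
            throttle.recordFailure("alice");          // constructed account name
            System.out.println("after " + i + " failures, next attempt waits "
                    + throttle.delayFor("alice") + " ms");
        }
    }
}
```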
java.awt.Robot
M.C. Juan Carlos Olivares Rojas
Introduction
• The java.awt.Robot class lets you define an object that can perform automated actions on the system's graphical interface.
• In general it has methods to move the mouse, press mouse buttons, press keys and capture images, among other functionality.
Example
    import java.awt.AWTException;
    import java.awt.Robot;
    import java.awt.event.InputEvent;
    import java.awt.event.KeyEvent;

    public class Aplicacion {
        public static void main(String[] args) { new Aplicacion(); }

        Aplicacion() {
            try {
                // Robot generates native input events on the primary screen
                Robot robot = new Robot();
                // Simulate a mouse click (press and release the left button)
                robot.mousePress(InputEvent.BUTTON1_DOWN_MASK);
                robot.mouseRelease(InputEvent.BUTTON1_DOWN_MASK);
                // Simulate pressing a key (press and release the O key)
                robot.keyPress(KeyEvent.VK_O);
                robot.keyRelease(KeyEvent.VK_O);
            } catch (AWTException e) {
                // Thrown when the platform does not allow low-level input control
                e.printStackTrace();
            }
        }
    }
API
• The class has two constructors:
• Robot() with no arguments creates an object that operates on the whole screen.
• Robot(GraphicsDevice screen) constructs a Robot object at the indicated coordinates.
• Each of the methods of the class is described below.
API
• java.awt.image.BufferedImage createScreenCapture(Rectangle s) Creates an image of the indicated coordinates.
• void delay(int ms) The object sleeps for the specified time of ms milliseconds.
• int getAutoDelay() Gets the time the Robot sleeps.
API
• Color getPixelColor(int x, int y) Returns the color of the indicated point.
• boolean isAutoWaitForIdle() Checks whether the Robot executes waitForIdle() after an event.
• void keyPress(int keycode) Presses a key.
API
• void keyRelease(int keycode) Releases a key.
• void mouseMove(int x, int y) Moves the mouse pointer to the indicated coordinates.
• void mousePress(int buttons) Presses one or more mouse buttons.
API
• void mouseRelease(int buttons) Occurs when a mouse button is released.
• void mouseWheel(int wheelAmt) Occurs when the mouse wheel turns.
• void setAutoDelay(int ms) Sets the delay between each Robot event.
API
• void setAutoWaitForIdle(boolean isOn) Configures when the Robot executes waitForIdle().
• java.lang.String toString() Converts the Robot to a text string.
• void waitForIdle() Waits until all the events in the event queue have been dispatched.
Brute Force Attack
• Moodle Case
• http://antares.itmorelia.edu.mx/~jcolivar/moodle
• There are many users created by machines (spam)
• Solutions?
• What happened with the Eco Server Audit Case?
Budgets
The most important thing is budget coordination.
Budget is an important constraint that the auditor should consider in the assessment. For example, a small office (PyME) doesn’t have enough money to buy a hardware firewall, so the small company only implements an individual firewall through the operating system.
Financial and Material Resources
• These elements are important because we need them for working in auditing.
• Material resources used by an auditor could be: paper formats (collection), PDA, mobile phone, laptop or notebook (paper).
• Depending on the information asset, the tools vary; for example, cable testing in computer network audits.
ERP Case
• Read the papers “RECREATION, INC. AN INFORMATION TECHNOLOGY RISK ASSESSMENT CASE STUDY OF ENTERPRISE RESOURCE PLANNING (ERP) SYSTEMS” and “IT Audit Basics: Auditing Security and Privacy in ERP Applications”.
• In 3-person teams, write a wiki (paper format). The wiki must contain 5 good ideas and 5 bad ideas.
• Homework: bring a cup of coffee tomorrow
ERP Case
Exam
• Finish the Planning and Organization of the Audit Project in ITM.
• The exam is individual and must include:
• WBS / Time Matrix / Gantt Chart
• Estimation of time, resources and cost (budget)
• Organization
• Indicate in full how each information asset will be assessed.
Exam
• Grading:
• Planning and Organization 50%
• Assessment Methodology 50%
• Deadline: Monday, March 30
• Printed document
Rubric
• A rubric is an element that lets us define, in tabular form, the requirements a product in general must have and evaluate them against a given criterion.
Example of a Rubric
Activity
• Define a rubric to evaluate chocolate chip cookies; define at least 5 characteristics and assign a percentage to each one.
• Distribute the rubric to your classmates so that they can evaluate and obtain an average of the specifications.
• Competencies to develop: teamwork, analysis and synthesis, quantitative and qualitative evaluation, writing.
References
• Senft, S. and Gallegos, F. (2008). Information Technology Control and Audit, Third Edition. CRC Press, United States.
Questions?