A. B. Mutiara

This blog discusses IT, CS, IS, science and our life

Code of Ethics and ISACA Standards for IS Auditors, and Audit Tables

Members and ISACA Certification holders shall:

Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.

Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.

Inform appropriate parties of the results of work performed; revealing all significant facts known to them.

Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES

IS Auditing Standards are mandatory requirements for certification holders’ reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS Auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS Auditor’s responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS Auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

AUDIT TABLES:

  • Audit table for Application
  • Audit table for Control Access
  • Audit table for UNIX/LINUX Environments
  • Audit table for Window XP/2000 Environments

The ISACA Code of Ethics and all of the audit tables can be found here

Written by amutiara

November 8, 2007 at 10:28 am

Posted in IS Audit, IT Audit

19 General Steps of an Information Systems Audit Program

The audit program is designed to address the primary risks of virtually all computing systems. Therefore, the objective statement and steps in the program are general by design. Obviously, computing systems can have many different applications running on them, each with its own unique set of controls. However, the controls surrounding all computing systems are very similar. The IS controls in the audit program have been grouped into four general categories:

Objective:

  1. To assess the adequacy of environmental, physical security, logical security, and operational controls designed to protect IS hardware, software, and data against unauthorized access and accidental or intentional destruction or alteration, and
  2. to ensure that information systems are functioning in an efficient and effective manner to help the organization achieve its strategic objectives.

TESTS OF ENVIRONMENTAL CONTROLS

Step 1. Assess the adequacy and effectiveness of the organization’s IS security policy. In addition, assess whether the control requirements specified in the organization’s IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to be applicable to all information systems:

a. The maiden password (the initial or vendor default password) should be changed after the system is installed.

b. There is a minimum password length of eight or more characters.

c. Passwords require a combination of alpha and numeric characters.

d. The password is masked on the screen as it is entered.

e. Stored passwords are protected (hashed, never kept in clear text) and the password file is not readable by ordinary users, so nobody can recover the passwords from it.

f. There is a password expiration period of 60 days or less.

g. Three or fewer unsuccessful sign-on attempts are allowed, then the user ID is suspended.

h. User sessions are terminated after a specified period of inactivity (e.g., five minutes or less).

i. Concurrent sign-on sessions are not allowed.

j. Procedures are in place to remove user IDs of terminated users in a timely manner.

k. Users are trained not to share or divulge their passwords with other users, post them at their workstations, store them in electronic files, or perform any other act that could divulge their passwords.

l. Unsuccessful sign-on attempts and other logical security-related events (e.g., adding and deleting users, resetting passwords, restarting the system) are logged by the system, and the log is reviewed regularly by system security staff.

m. Fully developed and tested backup and recovery procedures exist to help ensure uninterrupted business resumption in the event of a full or partial disaster.

n. New information systems are required to be designed so that the aforementioned controls can be implemented by system security administrators. New systems include those developed in house, those purchased from vendors, and third-party processor systems. In the case of software vendors and third-party processors, the above control requirements should be specified as requirements in the contract.
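The minima in Step 1 (b, f, g, h), the Step 11 warning that per-user settings can override the system defaults, and the Step 13 check of the password file can all be tested mechanically on a Unix/Linux host. The script below is an added example, not part of the original post or of ISACA's material. It assumes the Linux/PAM layout (/etc/login.defs, /etc/security/faillock.conf, a profile.d script that sets TMOUT, and /etc/shadow); every file content in it is a constructed sample, so it runs offline.

```python
"""Checking the Step 1 password-control minima on a Linux host.

Added example, not from the original post. It assumes the Linux/PAM layout
(/etc/login.defs, /etc/security/faillock.conf, a profile.d TMOUT script and
/etc/shadow); all file contents below are constructed samples.
"""
import re

# Step 1 minima: (comparison, limit). "min": value must be >= limit, "max": <= limit.
POLICY = {
    "PASS_MIN_LEN": ("min", 8),    # b. eight or more characters
    "PASS_MAX_DAYS": ("max", 60),  # f. expiry period of 60 days or less
    "deny": ("max", 3),            # g. three or fewer failed sign-ons, then suspend
    "TMOUT": ("max", 300),         # h. inactivity time-out, seconds (five minutes)
}

LOGIN_DEFS = """\
# /etc/login.defs (constructed)
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
FAILLOCK_CONF = """\
# /etc/security/faillock.conf (constructed)
deny = 10
unlock_time = 600
"""
PROFILE_TMOUT = """\
# /etc/profile.d/tmout.sh (constructed)
readonly TMOUT=300
export TMOUT
"""
# /etc/shadow (constructed): user:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$saltA$hashA:19000:0:60:7:::
alice:$6$saltB$hashB:19000:0:99999:7:::
bob:Summer2007!:19000:0:60:7:::
svc_old:!:19000:0:60:7:::
guest::19000:0:60:7:::
"""

KV = re.compile(r"^([A-Za-z_]+)(?:\s*=\s*|\s+)(\S+)$")


def parse_settings(text):
    """Collect KEY value / KEY=value pairs, ignoring comments and shell keywords."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        line = re.sub(r"^(?:readonly|export)\s+", "", line)
        m = KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_defaults(settings):
    """Step 11: system-wide defaults versus the policy minima."""
    findings = []
    for key, (kind, limit) in POLICY.items():
        if key not in settings:
            findings.append(f"{key} not set; policy requires {kind} {limit}")
            continue
        value = int(settings[key])
        if (kind == "min" and value < limit) or (kind == "max" and value > limit):
            findings.append(f"{key}={value} violates policy ({kind} {limit})")
    return findings


def check_shadow(shadow_text, max_days=POLICY["PASS_MAX_DAYS"][1]):
    """Step 11 caveat and Step 13: per-user ageing overrides the default, and the
    password field must hold a hash (or a lock marker), never cleartext or nothing."""
    findings = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 9:
            continue
        user, secret, user_max = f[0], f[1], f[4]
        if secret == "":
            findings.append(f"{user}: empty password field, sign-on needs no password")
        elif secret[0] not in "$!*":
            findings.append(f"{user}: password field is not a hash")
        if user_max.isdigit() and int(user_max) > max_days:
            findings.append(f"{user}: per-user max days {user_max} overrides policy (max {max_days})")
    return findings


def audit():
    """Run both checks over the constructed samples and return the findings."""
    settings = {}
    for text in (LOGIN_DEFS, FAILLOCK_CONF, PROFILE_TMOUT):
        settings.update(parse_settings(text))
    return check_defaults(settings) + check_shadow(SHADOW)


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

On the sample the system-wide expiry (60 days) conforms, yet alice's own ageing field is 99999, which is exactly the override Step 11 warns about; bob's field holds a cleartext value and guest has no password at all, both Step 13 failures. Two caveats: reading faillock.conf only proves what the file says, so Step 12 must still confirm that pam_faillock is actually wired into the PAM stack and that the lockout fires; and control c (alpha plus numeric) is enforced by pam_pwquality on modern systems, which this script does not inspect.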

Step 2. For service organization applications, examine the most recent report on the policies and procedures placed in operation at the vendor’s data processing site, as prepared by its external auditors. In the United States, at the time of writing, the format and testing requirements were dictated by Statement on Auditing Standards 70 (SAS 70), issued by the American Institute of Certified Public Accountants; SAS 70 has since been superseded by the SSAE attestation standards and the SOC 1 report, which serve the same purpose in this step.

Step 3. If the system was purchased from and supported by a vendor, assess the financial stability of the system vendor using the most recent audited financial statements prepared by the vendor’s external auditors.

Step 4. Examine the vendor software license agreement and any agreements for ongoing maintenance and support to ensure that they are current, address service needs, and do not contain or omit any wording that could be detrimental to your organization.

TESTS OF PHYSICAL SECURITY CONTROLS
Step 5. Assess the adequacy of physical security over the computer system hardware and storage media.

Step 6. Determine whether an adequately trained backup system security administrator has been designated.

Step 7. Assess the adequacy and effectiveness of the written business resumption plan, including the results of mock disaster tests that have been performed.

Step 8. Assess the adequacy of insurance coverage over the hardware, operating system, application software, and data.

TESTS OF LOGICAL SECURITY CONTROLS
Step 9. Determine whether the maiden password for the system has been changed and whether controls exist to change it on a periodic basis in conformity with the computing system security policy, standards, or guidelines identified in Step 1.

Step 10. Observe the system security administrator sign on and print a list of current system users and their access capabilities. Alternatively, if you can obtain appropriate system access, you can obtain the list of users independently.

Step 11. Document and assess the reasonableness of the default system security parameter settings. The settings should conform to the organization’s computing system security policy, standards, or guidelines tested in Step 1. (Be alert to the fact that in some systems, individual user parameter settings override the default system security parameter settings.)

Step 12. Test the functionality of the logical security controls of the system (e.g., password masking, minimum password length, password expiration, user ID suspended after successive invalid sign-on attempts, log-on times allowed, and session time-outs).

Step 13. Determine whether the file containing user passwords is encrypted and cannot be viewed by anyone, including the system security administrator.

Step 14. Determine whether sensitive data, including passwords, are adequately encrypted throughout their life cycles, including during storage, transmission through any internal or external network or telecommunications devices, and duplication on any backup media.

Step 15. Assess the adequacy of procedures to review the log of system security-related events (e.g., successive invalid sign-on attempts, system restarts, changes to user access capabilities and user parameter settings).

Step 16. Assess the adequacy of remote access controls (e.g., virtual private networks [VPNs], token devices [CRYPTOCard, SecurID, etc.], automatic dial-back, secure sockets layer [SSL]).
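Step 15 (and control l of Step 1) asks whether the security-event log is actually reviewed, and the review is only useful if it surfaces the events the program cares about: failed sign-on streaks, whether the lockout from control g fired, account additions, password resets and restarts. The script below is an added example of that review, not code from the original post; the log lines are constructed in the style of a Linux auth.log (sshd, pam_faillock, useradd, passwd, systemd) so it runs offline, and the threshold of three matches control g.

```python
"""Review of logged security events for Step 15 (and control 1.l).

Added example, not from the original post. The log lines are constructed in
the style of a Linux auth.log; on a real host feed /var/log/auth.log instead.
"""
import re
from collections import defaultdict

AUTH_LOG = """\
Nov  8 08:01:12 host sshd[410]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Nov  8 08:01:15 host sshd[410]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Nov  8 08:01:19 host sshd[410]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Nov  8 08:01:22 host sshd[410]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Nov  8 08:01:30 host sshd[410]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Nov  8 08:02:01 host sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Nov  8 08:02:04 host sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Nov  8 08:02:07 host sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Nov  8 08:02:08 host sshd[412]: pam_faillock(sshd:auth): Consecutive login failures for user admin account temporarily locked
Nov  8 08:40:00 host sshd[430]: Failed password for root from 198.51.100.7 port 42000 ssh2
Nov  8 08:40:03 host sshd[430]: Failed password for root from 198.51.100.7 port 42000 ssh2
Nov  8 08:40:06 host sshd[430]: Failed password for root from 198.51.100.7 port 42000 ssh2
Nov  8 09:15:00 host useradd[900]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Nov  8 09:16:10 host passwd[905]: pam_unix(passwd:chauthtok): password changed for bob
Nov  8 12:00:00 host systemd[1]: Shutting down.
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
LOCKED = re.compile(r"Consecutive login failures for user (\S+)")
ADMIN = re.compile(r"(?:useradd|userdel|usermod)\[\d+\]: (.*)")
PASSWD = re.compile(r"passwd\[\d+\]: .*password changed for (\S+)")
RESTART = re.compile(r"systemd\[1\]: (?:Shutting down|Startup finished)")


def review(log_text, threshold=3):
    """Walk the log once and return what a Step 15 reviewer needs to see.

    unlocked_streaks: a sign-on succeeded after `threshold` or more failures,
                      i.e. the suspension required by control g did not fire.
    open_streaks:     accounts still at `threshold`+ failures at the end of the
                      log with no lockout recorded (attack in progress or a
                      lockout that never happened).
    """
    streak = defaultdict(int)
    report = {"unlocked_streaks": [], "lockouts": [], "account_changes": [],
              "password_resets": [], "restarts": 0}
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            streak[m.group(1)] += 1
        elif m := LOCKED.search(line):
            report["lockouts"].append(m.group(1))
            streak[m.group(1)] = 0           # the control fired; streak is closed
        elif m := ACCEPTED.search(line):
            user, source = m.group(1), m.group(2)
            if streak[user] >= threshold:
                report["unlocked_streaks"].append((user, streak[user], source))
            streak[user] = 0
        elif m := ADMIN.search(line):
            report["account_changes"].append(m.group(1))
        elif m := PASSWD.search(line):
            report["password_resets"].append(m.group(1))
        elif RESTART.search(line):
            report["restarts"] += 1
    report["open_streaks"] = {u: n for u, n in streak.items() if n >= threshold}
    return report


if __name__ == "__main__":
    for key, value in review(AUTH_LOG).items():
        print(f"{key}: {value}")
```

On the sample, admin is locked after three failures as control g requires, but alice signs on after four consecutive failures, which is evidence for Step 12 that the lockout is not enforced for that path, and root is still being hammered from 198.51.100.7 with no lockout logged. The new svc_backup account and bob's password reset are the "changes to user access capabilities" that Step 15 expects the reviewer to tie back to an authorised request.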

TESTS OF INFORMATION SYSTEMS OPERATING CONTROLS
Step 17. Determine whether duties are adequately segregated in the operating areas supporting the information system (e.g., transactions should be authorized only by the originating department, programmers should not have the capability to execute production programs, procedures should be adequately documented, etc.).

Step 18. Determine whether there have been any significant software problems with the system. Assess the adequacy, timeliness, and documentation of resolution efforts.

Step 19. Assess the adequacy of controls that help ensure that IS operations are functioning in an efficient and effective manner to support the strategic objectives and business operations of the organization (e.g., system operators should be monitoring CPU processing and storage capacity utilization throughout each day to ensure that adequate reserve capacities exist at all times).

For more details, read here (pdf)

Written by amutiara

November 8, 2007 at 5:51 am

Posted in IS Audit

Experimental Realization of Deutsch’s Algorithm in a One-way Quantum Computer

M. S. Tame, R. Prevedel, M. Paternostro, P. Böhi, M. S. Kim, A. Zeilinger

Abstract: We report the first experimental demonstration of an all-optical one-way implementation of Deutsch’s quantum algorithm on a four-qubit cluster state. All the possible configurations of a balanced or constant function acting on a two-qubit register are realized within the measurement-based model for quantum computation. The experimental results are in excellent agreement with the theoretical model, therefore demonstrating the successful performance of the algorithm.

Paper: ps, pdf

Comment from Physorg.com here

Quantum computer set up. Image credit: Mark Tame.

Finding a way to build a quantum computer that works more efficiently than a classical computer has been the holy grail of quantum information processing for more than a decade. “There is quite a strong competition at the moment to realize these protocols,” Mark Tame tells PhysOrg.com. The latest experiment, performed as a collaboration by a Queen’s University theoretical group and an experimental group in Vienna, has “allowed us to pick up the pace” of quantum computing.

The joint project’s experiment is reported in Physical Review Letters in an article titled, “Experimental Realization of Deutsch’s Algorithm in a One-Way Quantum Computer.”

“This is the first implementation of Deutsch’s Algorithm for cluster states in quantum computing,” Tame explains. Tame, along with members of the Queen’s group in Belfast, including Mauro Paternostro and Myungshik Kim, joined a group from the University of Vienna, including Robert Prevedel, Pascal Böhi, and Anton Zeilinger (who is also associated with the Institute for Quantum Optics and Quantum Information at the Austrian Academy of Sciences) to perform this experiment. See more at http://www.physorg.com/printnews.php?newsid=96107220

Written by amutiara

April 18, 2007 at 9:47 pm

Posted in Quantum Computation

Quantum Discrete Cosine Transform for Image Compression

Chao Yang Pang, et al.

Abstract: The Discrete Cosine Transform (DCT) is very important in image compression. The classical 1-D DCT and 2-D DCT have time complexity O(N log N) and O(N² log N) respectively. This paper presents a quantum DCT iteration, and constructs quantum 1-D and 2-D DCT algorithms for image compression by using the iteration. The presented 1-D and 2-D DCT have time complexity O(sqrt(N)) and O(N) respectively. In addition, the method presented in this paper generalizes the famous Grover’s algorithm to solve complex unstructured search problems.

File: ps, pdf

Written by amutiara

April 12, 2007 at 4:32 pm

Posted in Quantum Computation

Memories of Feynman

Article (download the full text here)

In this memoir, written in 1983, a contemporary and close friend of Richard Feynman’s recalls the blossoming of Feynman’s genius with vignettes from college, Los Alamos, and afterward.

Theodore A. Welton

Almost 50 years ago, in September 1935, unnoticed among the as-yet-undifferentiated horde of entering freshmen at MIT were two ambitious, rather diffident physicists-to-be. One was Dick Feynman and the other was the author of these recollections. Initially unknown to one another, we remained so for the freshman year, since MIT grouped its students into classes by major. I was Course VIII (physics) from the beginning, while Feynman briefly vacillated, finding electrical engineering too practical after one semester and mathematics too abstract after another semester. My first hint of what was to come was on the occasion of the annual spring open house in 1936, when I found at one of the mathematics exhibits a fresh-faced kid (almost precisely my age, actually) who seemed to have a thorough comprehension of the concept of the Fourier transform and of the operation of the mechanical harmonic analyzer. Up to this point, I had nourished the fond, if secret, belief that I was the only freshman competent to handle such esoteric matters. Thus began my true education!

By the end of the summer of 1936, I had passed exams in the required mathematics courses for sophomore and junior physics majors and thus had available some interesting gaps in my schedule, which I promptly filled by signing up for the course Introduction to Theoretical Physics, taught from the book of the same name by John Slater and Nathaniel Frank. Before the first lecture, I had gone to the physics library and taken out Tullio Levi-Civita’s book The Absolute Differential Calculus, which I hoped would reveal some further secrets of differential geometry not covered in Arthur Eddington’s book The Mathematical Theory of Relativity, which I had read the previous year. Then on to class, where I discovered the mathematics whiz of the previous spring, apparently also prepared to do battle with theoretical physics. As I sat next to him, he glanced over at my books and immediately announced (in a somewhat raucous Far Rockaway version of standard English) that he had been trying to get hold of Levi-Civita and could he see it when I had finished. My interest piqued, I noticed that his stack contained Albert Wills’s Vector Analysis, with an Introduction to Tensor Analysis, so he must be the reason I had been unable to find it in the library. Since we were, I think, the only two sophomores in that class, it apparently simultaneously occurred to the two of us that cooperation in the struggle against a crew of aggressive-looking seniors and graduate students might be mutually beneficial. Our friendship dated from that almost instantaneous recognition, and recollections from that period have enriched (and sometimes complicated) my life ever since.

Written by amutiara

February 16, 2007 at 7:12 am

Posted in Uncategorized

Quantum cryptography using qutrits

Quantum cryptography using qutrits by ZDNet's Roland Piquepaille — Physicists from the University of Wien, Austria, are testing quantum cryptography (QC) systems based on qutrits instead of the more common qubits. These qutrits can simultaneously exist in three basic states. This means that QC systems based on qutrits will inherently be more secure.

Written by amutiara

February 2, 2007 at 8:19 am