Page 103 - CITP Review
Exhibit 3-4 — Data focused risk assessment [figure: nested layers, from innermost to outermost: Data, Applications, Operating system, Network]
The application and data are housed in an operating system (see exhibit 3-4). That operating system (O/S), for the most part, controls who can obtain access to the applications — assuming the entity uses whatever access control is made available by the operating system.

Unfortunately, the data can also be accessed directly through the operating system (known as the “back door”). Administrators of the O/S must be able to keep it working properly and, like a DBA, present a high inherent risk (IR). Administrators with unrestricted access to the O/S are said to have “the keys to the kingdom” because they can access any data anywhere. Unauthorized access to the O/S also presents a high IR of access to data. Thus, tight controls are needed over the O/S to mitigate this kind of risky access to the database.
Operating systems are housed in networks. The network level of an entity is where users gain access, and it is the front door for unauthorized users who try to break into the system. Passwords and other logical access controls generally originate at the network level to control access to operating systems and applications.
By illustration, if the controls at the application level are strong, then there is less concern about unauthorized access at the network level. If an intruder did get in at the network level, they would likely be stymied by the strong access controls at the application level, or even at the operating system level above it, if it is properly secured.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-19