Controlling Computer-Based Information Systems, Part I

Chapter 15: Controlling Computer-Based Information Systems, Part I

Controls, CBIS & SAS 78
- Transaction authorization may be embedded in the programs.
- Segregation of duties: duties that must be separated in a manual system may be combined in a computerized setting. The computer-based functions of programming, processing, and maintenance must be separated.

Segregation of Duties (figure): a transaction's authorization, processing, custody, and recording are assigned to separate tasks (Task 1 through Task 4) so that Control Objective 1 and Control Objective 3 are met.

General Control Framework for CBIS Exposures
Ten control components need to be addressed:
- operating system
- data management
- organizational structure
- systems development
- systems maintenance
- computer center security
- internet and intranet
- EDI
- personal computer
- applications

General Control Framework for CBIS Exposures (figure): the ten control areas (organizational structure, data management, operating system, systems development, systems maintenance, personal computers, EDI trading partners, applications, computer center security, internet and intranet) shown around the CBIS.

Operating System Controls
The operating system performs three main tasks:
- translates high-level languages into machine-level language
- allocates computer resources to user applications
- manages job scheduling and multiprogramming

Operating System Security
- Log-on procedure: first line of defense; user IDs and passwords
- Access token: contains key information about the user
- Access control list: defines the access privileges of users
- Discretionary access control: allows a user to grant access to another user

Operating System Control Techniques
- Access privilege controls: determine who can access what data in the system
- Password controls: reusable passwords; one-time passwords
- Malicious and destructive program controls: protection against viruses, worms, logic bombs, etc.
- System audit trail controls: keystroke monitoring; event monitoring

Operating System Control Dangers
- Browsing: looking through memory for sensitive information (e.g., in the printer queue)
- Masquerading: pretending to be an authorized user by obtaining IDs and passwords
- Viruses & worms: foreign programs that spread through the system; a virus must attach itself to another program, while worms are self-contained

Operating System Control Dangers (continued)
- Trojan horse: a foreign program that conceals itself within another legitimately imported program
- Logic bomb: a foreign program triggered by a specific event
- Back door: an alternative entry into the system

Anti-Virus Software
- can prevent the initial infection by write-protecting the file
- can detect infection by known viruses
- can sometimes remove the infection
- must stay current

Data Management Controls
Two crucial control issues:
- Access controls
- Backup controls

Subschema Restricting Access (figure)

Computer Resource Authority Table (figure): a matrix of resources (Employee File, Cash Receipts File, AR File, Line Printer, Program) against users (User 1, User 2, User 3); each cell records the privilege granted, such as No Access, Read only, Read data, Read code, Use, Change, Add, Modify, or Delete.
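The log-on, access token, access control list, discretionary access control and audit trail slides above, and the authority table just described, fit together as one mechanism. The following is an added example, not code from the slides or the textbook: a small authority table whose privilege ordering (No Access below Read only, Use, Modify, Delete), resource owners, user names and grants are all constructed for illustration.

```python
# Added example (not from the slides): an access control list modelled on the Computer
# Resource Authority Table, with discretionary access control and an audit trail.
from collections import defaultdict

# Privilege ordering assumed here: a higher level implies the lower ones.
LEVELS = {"No Access": 0, "Read only": 1, "Use": 2, "Modify": 3, "Delete": 4}


class AuthorityTable:
    def __init__(self, owners):
        self.owners = dict(owners)                   # resource -> owning user
        self.acl = defaultdict(lambda: "No Access")  # (user, resource) -> level
        self.audit_trail = []                        # event-monitoring log

    def _log(self, event, user, resource, outcome, **extra):
        self.audit_trail.append(dict(event=event, user=user, resource=resource,
                                     outcome=outcome, **extra))

    def assign(self, admin, user, resource, level):
        """Security administrator sets a privilege directly (non-discretionary)."""
        self.acl[(user, resource)] = level
        self._log("assign", user, resource, "ok", by=admin, level=level)

    def grant(self, grantor, grantee, resource, level):
        """DAC: only the resource owner may grant, and never beyond its own level."""
        allowed = (self.owners.get(resource) == grantor
                   and LEVELS[level] <= LEVELS[self.acl[(grantor, resource)]])
        if allowed:
            self.acl[(grantee, resource)] = level
        self._log("grant", grantee, resource, "ok" if allowed else "denied",
                  by=grantor, level=level)
        return allowed

    def check(self, user, resource, needed):
        """Access privilege control: compare the held level with the one needed."""
        held = self.acl[(user, resource)]
        ok = LEVELS[held] >= LEVELS[needed]
        self._log("access", user, resource, "ok" if ok else "denied",
                  needed=needed, held=held)
        return ok

    def denied_events(self):
        return [e for e in self.audit_trail if e["outcome"] == "denied"]


def build_table():
    """Constructed sample: User 1 owns the Cash Receipts File, User 2 may only read it."""
    t = AuthorityTable({"Cash Receipts File": "User 1"})
    t.assign("admin", "User 1", "Cash Receipts File", "Delete")
    t.assign("admin", "User 2", "Cash Receipts File", "Read only")
    return t
```

The denied entries in the audit trail are the ones an auditor would review first, since a masquerading or browsing attempt shows up there before it succeeds.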

Data Management Controls
Backup options:
- Grandparent-parent-child backup: the number of generations to retain is a policy issue
- Direct access file backup: back up the master file at predetermined intervals
- Off-site storage: guards against disasters and/or physical destruction
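An added example of the grandparent-parent-child scheme, not code from the slides or the textbook: a sequential master file is regenerated each run from its parent and a transaction file, only the policy-set number of generations is retained, each generation is copied off-site, and a damaged generation is rebuilt by reprocessing. Account balances and transactions are constructed sample data.

```python
# Added example (not from the slides): grandparent-parent-child backup of a
# sequential master file. The number of generations kept is a policy setting,
# and each new generation is also copied off-site. Balances and transactions
# are constructed sample data.


def apply_transactions(master, transactions):
    """Produce the child master file from the parent and a transaction file."""
    child = dict(master)
    for account, amount in transactions:
        child[account] = child.get(account, 0) + amount
    return child


class GpcBackup:
    def __init__(self, initial_master, generations=3):
        self.generations = generations            # policy: generations to keep
        self.masters = {0: dict(initial_master)}  # run number -> master file copy
        self.transaction_files = {}               # run number -> transaction file
        self.offsite = {}                         # run number -> off-site copy
        self.current_run = 0

    def run_update(self, transactions):
        """Process one update run; generations older than policy are retired."""
        parent = self.masters[self.current_run]
        self.current_run += 1
        self.masters[self.current_run] = apply_transactions(parent, transactions)
        self.transaction_files[self.current_run] = list(transactions)
        self.offsite[self.current_run] = dict(self.masters[self.current_run])
        for run in list(self.masters):
            if run <= self.current_run - self.generations:
                del self.masters[run]                 # scratched and reused
                self.transaction_files.pop(run, None)
        return self.masters[self.current_run]

    def recover(self, lost_run):
        """Rebuild a damaged generation by reprocessing its transaction file
        against its parent; returns None once the parent has been retired."""
        parent = self.masters.get(lost_run - 1)
        txns = self.transaction_files.get(lost_run)
        if parent is None or txns is None:
            return None
        return apply_transactions(parent, txns)
```

With three generations retained, a loss of the current child or its parent is recoverable on site, but anything older depends on the off-site copy, which is the trade-off the generations policy sets.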

Organizational Structure Controls
The two main CBIS environments have different exposures and internal control requirements:
- Centralized DP
- Distributed DP

Centralized computer services function (organization chart): the President oversees the VPs of Marketing, Computer Services, Operations, and Finance; under Computer Services sit Systems Development, Database Administration, and Data Processing, subdivided into New Systems Development, Systems Maintenance, Data Control, Data Preparation, Data Library, and Computer Operations. Distributed organizational structure (organization chart): the President oversees the VPs of Marketing, Finance, Administration, and Operations; information processing units (IPUs) are attached to the Treasurer, Controller, Manager Plant X, and Manager Plant Y.

Centralized DP Organizational Controls
In a centralized IS, the following need to be separated:
- systems development from computer operations
- the database administrator from other computer service functions, especially the database administrator (authorizing) from systems development (processing); the DBA authorizes access
- maintenance from new systems development
- the data library from operations
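The separations listed here and the authorization/processing/custody/recording split from the segregation-of-duties slides can be checked mechanically against staff assignments. The following is an added example, not from the slides or the textbook: the conflict pairs are the ones the slides name, while the role definitions and the staff list are constructed sample data.

```python
# Added example (not from the slides): a segregation-of-duties check. The
# incompatible pairs are those named in the slides; the role definitions and
# staff assignments are constructed sample data.
from itertools import combinations

# Incompatible duty pairs: transaction level (SAS 78) and centralized DP functions.
CONFLICTS = {
    frozenset({"authorization", "processing"}),
    frozenset({"authorization", "custody"}),
    frozenset({"custody", "recording"}),
    frozenset({"systems development", "computer operations"}),
    frozenset({"database administration", "systems development"}),
    frozenset({"systems maintenance", "new systems development"}),
    frozenset({"data library", "computer operations"}),
}

# Constructed roles; a conflict hidden across two roles is the one reviewers miss.
ROLES = {
    "programmer": {"systems development", "new systems development"},
    "operator": {"computer operations"},
    "librarian": {"data library"},
    "dba": {"database administration"},
    "cashier": {"custody"},
    "ar clerk": {"recording"},
}

# Constructed staff list: Alex is fine, the other three each hold a conflict.
SAMPLE_ASSIGNMENTS = {
    "Alex": ["programmer"],
    "Pat": ["operator", "librarian"],
    "Sam": ["dba", "programmer"],
    "Kim": ["cashier", "ar clerk"],
}


def effective_duties(roles_held):
    """Union of the duties carried by every role a person holds."""
    duties = set()
    for role in roles_held:
        duties |= ROLES[role]
    return duties


def sod_violations(assignments):
    """Return (person, duty_a, duty_b) for each incompatible pair one person holds,
    whether the duties come from a single role or from a combination of roles."""
    found = []
    for person, roles_held in assignments.items():
        for a, b in combinations(sorted(effective_duties(roles_held)), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return found
```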

Distributed DP Organizational Controls
Distributed data processing: despite the many advantages of this approach, it has control implications:
- incompatible software among the various work centers
- data redundancy may result
- consolidation of incompatible tasks
- difficulty hiring qualified professionals
- lack of standards

Systems Development Life Cycle (figure): inputs are business needs and strategy, the legacy situation, and business requirements. 1. Systems Strategy (assessment; develop strategic plan), with feedback from user requests for new systems and from system interfaces, architecture, and user requirements; high-priority proposals undergo additional study and development. 2. Project Initiation (feasibility study; analysis; conceptual design; cost/benefit analysis), with feedback from user requests for system improvements and support; selected system proposals go forward for detailed design. 3. In-house Development (construct; deliver). 4. Commercial Packages (configure; test; roll-out). New and revised systems enter into production. 5. Maintenance & Support (user help desk; configuration management; risk management & security). NOTE: This is used also as Figure 14-1.

Systems Development Controls
- New systems must be authorized.
- User needs and requests should be formally documented.
- Technical design activities should be documented.
- Internal auditors should participate in the development process.
- All program modules must be thoroughly tested before they are implemented.
- Individual modules must be tested by a team of users, internal audit staff, and systems professionals.

Computer Center Controls
Considerations:
- location away from human-made and natural hazards
- utility and communications lines underground
- windows closed and air filtration systems in place
- access limited to the operators and other necessary workers; others required to sign in and out
- fire suppression systems should be installed
- backup power supplies

Disaster Recovery Planning
- Disaster recovery plan (DRP): all actions to be taken before, during, and after a disaster
- Disaster recovery team (DRT) identified
- Critical applications must be identified; restore these applications first
- Backup & off-site storage procedures: databases and applications; documentation; supplies

Second-Site Disaster Backups
- The empty shell: two or more user organizations buy or lease a building and remodel it into a computer site, but without computer equipment
- The recovery operations center: a completely equipped site; very costly and typically shared among many companies
- Internally provided backup: companies with multiple data processing centers may create internal excess capacity