Chapter 2: Computer Operations
STRUCTURING THE IT FUNCTION: Centralized data processing [see Figure 2-1]
Centralized data processing (CDP): data in, information out. Computer services is run as a cost center whose costs are recovered from the user departments through chargeback.
Organization chart [see Figure 2-2]: the VP of Computer Services (or CIO) has the Systems Development Manager, the Database Administrator (DBA) and the Data Processing Manager reporting in. The data processing department is divided into:
1. Data control: liaison between the end users and data processing.
2. Data preparation/conversion: transcribes data from paper source documents to electronic files or media (historically keypunch).
3. Computer operations: processes the data files into information and manages the processing runs.
4. Data library: safe offline storage of data files and software, under the custody of a data librarian.
IT Auditing & Assurance, 2e, Hall & Singleton

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Systems development and maintenance. Participants: end users, IS professionals, auditors, other stakeholders.

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Objectives of segregation:
- Segregate transaction authorization from transaction processing.
- Segregate record keeping from asset custody.
- Divide the steps of transaction processing among individuals, so that perpetrating a fraud requires collusion.

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Separating systems development from computer operations [see Figure 2-2]. A programmer who also runs production, or an operator who can also program, can alter programs and data without anyone else seeing it.

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Separating the DBA from other functions. The DBA is responsible for several critical tasks:
- Database security
- Creating the database schema and user views
- Assigning database access authority to users
- Monitoring database usage
- Planning for future changes

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Alternative 1: segregate systems analysis from programming [see Figure 2-3]. Two types of control problem arise from this approach:
- Inadequate documentation. A chronic problem: programmers find documentation uninteresting, and undocumented code is perceived as job security. CASE tools help, because they generate documentation as a by-product of development.
- Potential for fraud. The programmer who writes the code is the only person who knows what is in it. Examples: salami slicing, trap doors.
Salami slicing: a programmer wrote the routine that calculates interest earned on savings accounts at a bank. Instead of rounding each account's interest to the nearest cent, the routine truncated it (rounded down even when it should have rounded up), and the dropped fractions of a cent were credited to the programmer's own account. Each depositor lost less than a cent per period, so nobody noticed; the programmer accumulated thousands of dollars before being caught.
Trap door: code the programmer builds into the program that lets him work around some or all of the controls in the system. By entering the "magic word", the programmer is freed from the application controls, and possibly from the system controls as well, which makes fraud easy to commit.
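The routine below is an added worked example, not code from Hall & Singleton. It shows the salami-slicing trick next to an honest interest posting, then two audit checks: a batch control-total reconciliation, which the fraud is designed to pass because the skimmed fractions never leave the batch, and a per-account recomputation of the kind generalized audit software performs over the whole file, which catches it. The interest rate, the balances and the programmer's own account (A104) are constructed.

```python
"""Salami slicing in an interest-posting routine, and the audit checks that do
and do not catch it. Added illustration, not from Hall & Singleton: the rate,
the balances and the programmer's account (A104) are constructed."""
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0025")   # constructed: 3% APR / 12
PROGRAMMER_ACCT = "A104"           # constructed: the programmer's own savings account

# Constructed account master file: account number -> balance
LEDGER = {
    "A100": Decimal("1234.56"),
    "A101": Decimal("987.65"),
    "A102": Decimal("5000.00"),
    "A103": Decimal("42.42"),
    "A104": Decimal("77777.77"),
}

def exact_interest(balance):
    """Interest at full precision, before any rounding."""
    return balance * MONTHLY_RATE

def honest_posting(ledger):
    """Correct routine: round each account's interest half-up to the cent."""
    return {acct: exact_interest(bal).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in ledger.items()}

def salami_posting(ledger):
    """Fraudulent routine: truncate (round down) every account's interest and
    sweep the dropped fractions of a cent into the programmer's account.
    Each depositor is short by less than a cent, so nobody complains."""
    postings = {}
    skimmed = Decimal("0")
    for acct, bal in ledger.items():
        exact = exact_interest(bal)
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        skimmed += exact - paid
        postings[acct] = paid
    # whole cents only; the sub-cent remainder would roll into the next run
    postings[PROGRAMMER_ACCT] += skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return postings

def control_total_check(ledger, postings):
    """Batch control total: does the total interest posted agree with an
    independently computed total, within one cent of rounding?
    Salami slicing is built to pass this test: the skimmed fractions never
    leave the batch, they just move to a different account."""
    expected = sum(exact_interest(b) for b in ledger.values()).quantize(
        CENT, rounding=ROUND_HALF_UP)
    actual = sum(postings.values())
    return abs(actual - expected) <= CENT

def recompute_check(ledger, postings):
    """Per-account recomputation (what generalized audit software does over a
    sample or the whole file): every account whose posted interest differs
    from an independent recalculation, as (account, posted, expected)."""
    expected = honest_posting(ledger)
    return [(acct, str(postings[acct]), str(expected[acct]))
            for acct in ledger if postings[acct] != expected[acct]]
```

With these five constructed accounts the honest run posts 212.61 in total and the salami run 212.60, so the control total passes on both; the recomputation flags the three shorted depositors and the programmer's over-credited account. This is why the audit procedures later in the chapter call for recomputation and per-account listings rather than batch totals alone.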
STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Alternative 2: segregate systems development from maintenance [see Figure 2-2]. Two improvements follow from this approach:
- Better documentation standards, because documentation is necessary when responsibility for a system is transferred to the maintenance group.
- Deterrence of fraud: the original programmer no longer has exclusive control of the code, so a trap door or salami routine is more likely to be discovered by the maintenance programmer.

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Segregate the data library from operations: physical security of offline data files.
Implications of modern systems for the data library:
- Real-time/online processing has displaced much batch processing, so the volume of tape files is often insufficient to justify a full-time librarian. Alternative: rotate the librarian duty on an ad hoc basis.
- The library still provides custody of on-site data backups.
- The library still provides custody of original commercial software and licenses.

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Audit objectives:
- Risk assessment.
- Verify that incompatible areas are properly segregated. How? Observation, questionnaires, and review of the organization chart.
- Verify that the relationships between incompatible tasks are formal rather than casual. Why does it matter? Formal supervision compensates for a lack of proper segregation, and "formal" means things are in writing: reports, sign-offs, documented reviews.

STRUCTURING THE IT FUNCTION: Segregation of incompatible IT functions
Audit procedures:
- Obtain and review the security policy.
- Verify that the policy is communicated.
- Review relevant documentation (organization chart, mission statement, key job descriptions).
- Review systems documentation and maintenance records (using a sample).
- Verify whether the maintenance programmers are also the original design programmers.
- Observe the segregation policies in practice.
- Review the operations room access log.
- Review user rights and privileges.
The action verbs (obtain, review, verify, observe) describe what auditors actually do in audit procedures.
STRUCTURING THE IT FUNCTION: The distributed model
Distributed data processing (DDP): definition [see Figure 2-4]. Alternative A: centralized. Alternative B: decentralized / networked. DDP reorganizes the computer services function into small IT units that are placed under the control of end users.

STRUCTURING THE IT FUNCTION: The distributed model
Risks associated with DDP:
- Inefficient use of resources: mismanagement of resources by end users; hardware and software incompatibility; redundant tasks.
- Destruction of audit trails.
- Inadequate segregation of duties.
- Difficulty hiring qualified professionals.
- Increased potential for errors: programming errors and system failures.
- Lack of standards.

STRUCTURING THE IT FUNCTION: The distributed model
Advantages of DDP:
- Cost reduction: end users enter their own data, eliminating the data control group; application complexity is reduced; development and maintenance costs are reduced.
- Improved cost-control responsibility: if IT is critical to a unit's success, its managers should control the technology.
- Improved user satisfaction, with increased morale and productivity.
- Backup flexibility: excess capacity in other units can serve disaster recovery.

STRUCTURING THE IT FUNCTION: Controlling the DDP environment
DDP needs careful analysis. Implement a corporate IT function that provides:
- Central systems development.
- Acquisition, testing and implementation of commercial software and hardware.
- User services: help desk, FAQs, chat room, etc.
- A standard-setting body.
- Personnel review: evaluation of the technical credentials of IT staff hired by the distributed units.
FAQs: frequently asked questions, usually published on the corporate intranet.
Help desk: a general support function staffed by someone who can answer questions over the phone or fix problems in person when necessary. Primarily, service is delivered remotely using written instructions or the Internet (e-mail, FTP, etc.).
Chat room: a variation on the old bulletin board service (BBS), where users post questions and answers on technical or application issues. The point is a forum where users help each other, with sufficient technical expertise available to solve the hard problems.
Standard setting covers: development or purchase of systems and technologies; programming, whether by IT staff or end users; documentation, whether by IT staff or end users; upgrades and updates to software and hardware (policies and procedures).

STRUCTURING THE IT FUNCTION: Controlling the DDP environment
Audit objectives:
- Conduct a risk assessment.
- Verify that the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications and data.

STRUCTURING THE IT FUNCTION: Controlling the DDP environment
Audit procedures:
- Verify that corporate policies and standards are communicated.
- Review the current organization chart, mission statement and key job descriptions to determine whether any incompatible duties exist.
- Verify that compensating controls are in place where incompatible duties do exist.
- Review systems documentation.
- Verify that access controls are properly established.
Evidence and technique by type: policies and standards (review, if they exist); procedures (observe, question/interview); audit trail (substantive procedures); testing of controls (verify).
THE COMPUTER CENTER: Computer center controls
- Physical location: avoid human-made and natural hazards. Example cited in the text: Chicago Board of Trade.
- Construction: ideally single-story, with underground utilities, no windows, and air filters. In a multi-story building, use the top floor, away from traffic flows and away from the flooding risk of a basement.
- Access: physical controls (locked doors, cameras) and a manual access log of visitors.

THE COMPUTER CENTER: Computer center controls
- Air conditioning: essential for mainframes, but even a room of PCs produces a surprising amount of heat.
- Fire suppression. Automatic systems are usually sprinklers. Gaseous agents: carbon dioxide smothers a fire by displacing oxygen and can kill anyone still in the room; halon interrupts combustion chemically and is less dangerous to occupants, but it is being phased out under the Montreal Protocol in favor of agents such as FM-200, and the room must still be evacuated before discharge. Sprinklers and some chemical agents destroy the computers and equipment they are protecting. Manual methods (extinguishers) supplement the automatic systems.
- Power supply: clean power (conditioned against surges and sags) at an acceptable level, and an uninterruptible power supply (UPS) to bridge outages or permit an orderly shutdown.

THE COMPUTER CENTER: Computer center controls
Audit objectives:
- Verify that physical security controls are reasonable.
- Verify that insurance coverage is adequate.
- Verify that operator documentation is adequate in case of failure.
Audit procedures:
- Tests of physical construction.
- Tests of fire detection and suppression.
- Tests of access control.
- Tests of backup power supply.
- Tests of insurance coverage.
- Tests of operator documentation controls.
PERSONAL COMPUTER SYSTEMS: PC operating systems
PC system risks and controls. In general, PCs are:
- Relatively simple to operate and program.
- Controlled and operated by end users.
- Interactive rather than batch processing.
- Running commercial applications rather than custom ones.
- Often used to access data on a mainframe or network.
- Able to let users develop their own applications.
Operating systems are located on the PC itself (decentralized), and the OS family dictates which applications can run (e.g., Windows).

PERSONAL COMPUTER SYSTEMS: Control environment for PCs
Controls: risk assessment of the inherent weaknesses.
Inherent weaknesses: PCs were designed as easy-to-use, single-user systems that facilitate access rather than restrict it. Controlling PCs therefore rests heavily on physical security controls and on an effective access control system.
- Weak access control: PC logon security is enforced by the operating system loaded from the hard drive; anyone with physical access who boots from a floppy or CD-ROM instead loads their own system and bypasses the logon procedures entirely. Multilevel password control or multifaceted access control is the compensating measure.
- Inadequate segregation of duties: the end user is typically analyst, programmer and operator at once.
- Risk of physical loss: laptops and other portable equipment can "walk off".
- Risk of data loss: it is easy for multiple users to access data on a shared PC, and an end user can steal, destroy or manipulate it.
- Inadequate backup procedures: local backups on an appropriate medium; dual hard drives in the PC; external or removable hard drives.

PERSONAL COMPUTER SYSTEMS: Control environment for PCs
Risk of virus infection: a policy for obtaining software; a policy for the use of anti-virus software; verify that no unauthorized software is on the PCs.
Risk of improper SDLC procedures: rely on commercial software; use formal software selection procedures.

PERSONAL COMPUTER SYSTEMS: PC systems audit
Audit objectives:
- Verify that controls are in place to protect data, programs and computers from unauthorized access, manipulation, destruction and theft.
- Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers and operators.
- Verify that backup procedures are in place to prevent data and program loss due to system failures and errors.
- Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
- Verify that the system is free from viruses and adequately protected to minimize the risk of infection by a virus or similar object.

PERSONAL COMPUTER SYSTEMS: PC systems audit
Audit procedures:
- Verify that microcomputers and their files are physically controlled.
- Verify, from organization charts, job descriptions and observation, that the programmers of applications performing financially significant functions do not also operate those systems.
- Confirm that reports of processed transactions, listings of updated accounts and control totals are prepared, distributed and reconciled by appropriate management at regular and timely intervals.
- Determine that multilevel password control or multifaceted access control is used to limit access to data and applications, where applicable.
- Verify that removable drives are removed and stored in a secure location when not in use, where applicable.
- Verify that backup procedures are being followed.
- Verify that application source code is physically secured (such as in a locked safe) and that only the compiled version is stored on the microcomputer.
- Review systems selection and acquisition controls.
- Review virus control techniques.
OPERATING SYSTEM: Operating system security
Definition. The operating system:
- Provides the compilers and interpreters that translate high-level languages into machine code.
- Allocates IS/IT resources (processor, memory, devices) to users, groups and applications.
- Manages job scheduling and multiprogramming.
Five imperative control objectives. The operating system must:
1. Protect itself from users: user applications must not be able to take control of, or damage, the OS.
2. Protect users from each other: one user must not be able to access, destroy or corrupt another user's programs or data.
3. Protect users from themselves: one module of an application must not be able to corrupt another.
4. Be protected from itself: its own modules must not be able to corrupt one another.
5. Be protected from its environment: power failures and other disasters.

OPERATING SYSTEM: Operating system security
- Logon procedure: the first line of defense; establishes who the user is (user ID and password).
- Access token [who]: created at logon and carried with every request the user makes during the session; holds the user ID, group memberships and privileges.
- Access control list [what, when, where]: attached to each resource; lists the users and groups permitted to use it, the actions each may perform, and any conditions such as time of day or terminal.
- Discretionary access control [delegated authority]: the owner of a resource may grant access to other users, so control over who sees what is partly delegated away from the central administrator.
Threats to operating system integrity.
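The model below is an added example, not from Hall & Singleton, that puts the three mechanisms on the slide together: a token issued at logon (who), ACL entries with permission, time-window and terminal conditions (what, when, where), and owner-only delegation (discretionary access control). Every user, group, terminal and resource name is constructed.

```python
"""Access token, access control list and discretionary delegation, as a small
working model. Added illustration, not from Hall & Singleton; every user,
group, terminal and resource name below is constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class AccessToken:
    """Issued by the logon procedure: WHO the subject is (user id and group
    memberships) and which terminal the session comes from."""
    user: str
    groups: frozenset
    terminal: str

@dataclass(frozen=True)
class AclEntry:
    """One line of a resource's ACL: WHAT a principal (user or group) may do,
    WHEN (time-of-day window) and from WHERE (terminals; None = anywhere)."""
    principal: str
    permissions: frozenset
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    terminals: Optional[frozenset] = None

class Resource:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = []

    def grant(self, grantor, principal, permissions, **conditions):
        """Discretionary access control: only the resource owner may delegate
        access. Anyone else calling this is a policy violation."""
        if grantor.user != self.owner:
            raise PermissionError(f"{grantor.user} does not own {self.name}")
        self.acl.append(AclEntry(principal, frozenset(permissions), **conditions))

def authorize(token, resource, action, now):
    """True if the owner is asking, or some ACL entry names the token's user or
    one of its groups, carries the requested permission, and its time and
    terminal conditions hold for this session."""
    if token.user == resource.owner:
        return True
    principals = {token.user} | set(token.groups)
    for entry in resource.acl:
        if entry.principal not in principals or action not in entry.permissions:
            continue
        if not (entry.start <= now <= entry.end):
            continue
        if entry.terminals is not None and token.terminal not in entry.terminals:
            continue
        return True
    return False

def run_scenario():
    """Constructed scenario: the DBA owns the payroll master file and delegates
    read/write to payroll clerks during office hours from office terminals
    only, and read-only access to auditors with no conditions."""
    payroll = Resource("PAYROLL.MASTER", owner="dba01")
    dba = AccessToken("dba01", frozenset({"dba"}), "T01")
    payroll.grant(dba, "payroll_clerks", {"read", "write"},
                  start=time(8, 0), end=time(18, 0),
                  terminals=frozenset({"T10", "T11"}))
    payroll.grant(dba, "auditors", {"read"})

    clerk_office = AccessToken("clerk7", frozenset({"payroll_clerks"}), "T10")
    clerk_remote = AccessToken("clerk7", frozenset({"payroll_clerks"}), "T99")
    auditor = AccessToken("aud1", frozenset({"auditors"}), "T99")

    results = {
        "clerk writes in hours from office": authorize(clerk_office, payroll, "write", time(10, 0)),
        "clerk writes after hours": authorize(clerk_office, payroll, "write", time(22, 0)),
        "clerk writes from unlisted terminal": authorize(clerk_remote, payroll, "write", time(10, 0)),
        "auditor reads at 02:00 from anywhere": authorize(auditor, payroll, "read", time(2, 0)),
        "auditor writes": authorize(auditor, payroll, "write", time(10, 0)),
    }
    try:  # an auditor trying to grant himself write access: not the owner
        payroll.grant(auditor, "aud1", {"write"})
        results["non-owner could delegate"] = True
    except PermissionError:
        results["non-owner could delegate"] = False
    return results
```

The point for an auditor is the last case: under discretionary control the owner decides who else gets in, so reviewing "user rights and privileges" means reading every resource's ACL, not just the central account list.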
SYSTEM-WIDE CONTROLS: Controlling access privileges
Audit objectives. Audit procedures.

SYSTEM-WIDE CONTROLS: Password control
Definition. Common forms of contra-security behavior. Reusable passwords. One-time passwords. Password policy. Audit objectives. Audit procedures.

FIGURE 2.8 – Password Policy
Proper dissemination: promote the policy, use it in employee training and orientation, and keep finding ways to raise awareness within the organization.
Proper length: at least 8 characters. The longer the password, the harder it is to guess or crack; eight characters is an effective length against guessing only when combined with the strength rules below.
Proper strength: use letters, digits (at least one) and special characters (at least one); the more non-alphabetic characters, the harder to guess or crack. Make passwords case-sensitive and mix upper and lower case. Require a "strong" password for any critical access or key user. A password must not contain a real word.
Proper access levels (complexity of access): use multiple levels of access requiring multiple passwords; use an access matrix that grants read-only, read/write or no access per data field per user; use biometrics (such as fingerprints or voice prints); use supplemental access devices such as smart cards, or one-time codes delivered to a pager ("beeper passwords"), in conjunction with remote logins; use user-defined procedures.
Proper timely changes: require employees to change their passwords at regular intervals.
Proper protection: prohibit sharing of passwords and "post-its" with passwords kept near the computer.
Proper deletion: require immediate deletion of the accounts of terminated employees, so a former employee cannot use them for adverse activity.
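As an added example (not from the textbook), the code below turns the Figure 2.8 rules into checks: the composition rules are applied to a candidate password, including a "no real word" test that undoes common digit-for-letter substitutions before looking for dictionary words, and the timely-change and deletion rules are run over an account list. The word list and the accounts are constructed stand-ins. One caveat for current practice: NIST SP 800-63B now favors length and screening against breached-password lists over composition rules and forced periodic change, so the minimum length and rotation interval are parameters rather than constants baked in.

```python
"""Checks for the Figure 2.8 password policy: composition rules for a
candidate password, plus the 'timely changes' and 'deletion' rules run over
an account list. Added illustration, not from Hall & Singleton; the word
list and the accounts are constructed."""
import re
import string
from datetime import date

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary or breached-password list
DICTIONARY = {"password", "summer", "welcome", "company", "admin", "letmein", "qwerty"}
# Common substitutions people use to sneak a word past a naive check
LEET = str.maketrans("013@$", "oleas")

def check_password(pw, min_length=MIN_LENGTH, dictionary=DICTIONARY):
    """Return the policy rules the candidate violates; [] means accepted."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        failures.append("must mix upper and lower case")
    if not re.search(r"[0-9]", pw):
        failures.append("needs at least one digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs at least one special character")
    # "cannot contain a real word": undo leet substitutions, drop everything
    # that is not a letter, then look for any dictionary word of 4+ letters
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for word in sorted(dictionary):
        if len(word) >= 4 and word in letters:
            failures.append(f"contains dictionary word '{word}'")
            break
    return failures

def account_exceptions(accounts, today, max_age_days=90):
    """Timely changes and deletion: flag enabled accounts whose password is
    older than the rotation interval, and accounts still enabled on or after
    the holder's termination date. Each account is a dict with keys
    user, enabled, pw_changed (date) and optional terminated (date)."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a.get("terminated") and a["terminated"] <= today:
            findings.append((a["user"], "still enabled after termination"))
        if (today - a["pw_changed"]).days > max_age_days:
            findings.append((a["user"], "password older than rotation interval"))
    return findings

def sample_account_review():
    """Constructed account list reviewed as of 2024-03-31."""
    today = date(2024, 3, 31)
    accounts = [
        {"user": "jdoe", "enabled": True, "pw_changed": date(2024, 2, 15)},
        {"user": "msmith", "enabled": True, "pw_changed": date(2023, 11, 1)},
        {"user": "rgone", "enabled": True, "pw_changed": date(2024, 1, 10),
         "terminated": date(2024, 3, 1)},
        {"user": "tlee", "enabled": False, "pw_changed": date(2022, 1, 1),
         "terminated": date(2022, 6, 30)},
    ]
    return account_exceptions(accounts, today)
```

"P@ssw0rd!" satisfies every composition rule and still fails, because after undoing the substitutions it is the word "password"; a check that only counts character classes would have accepted it.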
SYSTEM-WIDE CONTROLS: E-mail risks
Spoofing (forged sender addresses), spamming, chain letters, urban legends, hoax virus warnings, flaming, malicious attachments (e.g., viruses).

SYSTEM-WIDE CONTROLS: Malicious objects risk
Virus, worm, logic bomb, back door / trap door, Trojan horse. Potential control procedures. Audit objective. Audit procedures.

SYSTEM-WIDE CONTROLS: Controlling electronic audit trails
- Keystroke monitoring (keystroke log): the equivalent of a telephone wiretap; records both the user's keystrokes and the system's responses.
- Event monitoring (key events log): summarizes the key events of each session: user ID, time and duration of the session, programs executed, and the files, databases, printers and network resources used.
Audit trail objectives:
1. Detecting unauthorized access. Detection can occur in real time or after the fact (post hoc). The primary objective is to protect the system from outsiders attempting to breach system controls. Example: a real-time monitor that reports changes in system performance may indicate adversarial activity, but real-time monitoring can slow the system's overall performance. Properly designed post hoc logs can determine whether unauthorized access was attempted, accomplished, or failed.
2. Reconstructing events. The trail lets the steps leading to a system failure, security violation or application processing error be reconstructed, and can be used to rebuild accounting data files corrupted by a system failure, natural disaster, accident or hacker.
3. Personal accountability. The trail influences human behavior and deters adverse activity: users are less likely to violate the security policy when they know their actions are recorded in an audit log, and the log is the evidence used to enforce the policy.
Implementing an audit trail. Usefulness: measuring the potential damage and financial loss from errors, abuse and unauthorized access; evidence of the adequacy of controls; evidence for enforcing policy or law. However, audit trails can generate an overwhelming volume of detail, so the benefits must be balanced against the total cost of implementing and reviewing them.

SYSTEM-WIDE CONTROLS: Controlling electronic audit trails
Audit objective: verify that adequate audit trails and logs exist.
Audit procedures:
- Use the O/S audit log viewer.
- Extract log data with ACL (Audit Command Language, generalized audit software); see list below.
- Sample the organizational security group's records.
- ACL search of archived log files for:
  - unauthorized or terminated users
  - periods of inactivity
  - activity by user, workgroup and department
  - logon and logoff times
  - failed logon attempts
  - access to specific files or applications
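The script below is an added example, not from Hall & Singleton, of the event-log review the audit procedures above describe and the event-monitoring records described two slides earlier: it parses a constructed log and reports activity by terminated users, dormant accounts, repeated failed logons, session logon/logoff times with durations, accesses to a named file, and after-hours events. The log format, user names, file name and HR lists are all constructed; a real OS log would need its own parser, but the searches are the same.

```python
"""Review of an event log for the conditions listed in the audit procedures:
terminated users, dormant accounts, failed logons, sessions with logon/logoff
times, and access to a named file. Added illustration, not from Hall &
Singleton; the log format, users, file names and HR lists are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event-log format: ISO timestamp, event type, key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON|LOGOFF|OPEN) user=(?P<user>\S+)"
    r"(?: term=(?P<term>\S+))?(?: result=(?P<result>OK|FAIL))?(?: file=(?P<file>\S+))?$")

SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGON user=jdoe term=T10 result=OK
2024-03-04T08:02:40 OPEN user=jdoe file=PAYROLL.MASTER
2024-03-04T08:05:00 LOGON user=msmith term=T11 result=FAIL
2024-03-04T08:05:09 LOGON user=msmith term=T11 result=FAIL
2024-03-04T08:05:17 LOGON user=msmith term=T11 result=FAIL
2024-03-04T08:05:30 LOGON user=msmith term=T11 result=OK
2024-03-04T12:30:00 LOGOFF user=jdoe term=T10
2024-03-04T17:45:00 LOGOFF user=msmith term=T11
2024-03-04T23:10:05 LOGON user=rgone term=T99 result=OK
2024-03-04T23:11:45 OPEN user=rgone file=PAYROLL.MASTER
2024-03-04T23:12:00 LOGOFF user=rgone term=T99
this line is corrupt and should be skipped
"""

TERMINATED = {"rgone"}                          # constructed HR termination list
ROSTER = {"jdoe", "msmith", "rgone", "tlee"}    # constructed list of accounts on the system

def parse(log_text):
    """Parse well-formed lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def terminated_activity(events, terminated):
    """Any event at all by a user HR says has left: the account should be gone."""
    return [(e["ts"], e["event"], e["user"]) for e in events if e["user"] in terminated]

def inactive_users(events, roster):
    """Accounts on the system with no activity in the period (dormant accounts)."""
    return roster - {e["user"] for e in events}

def failed_logons(events, threshold=3):
    """Users with at least `threshold` failed logons: guessing, or a lockout set too high."""
    c = Counter(e["user"] for e in events if e["event"] == "LOGON" and e["result"] == "FAIL")
    return {u: n for u, n in c.items() if n >= threshold}

def sessions(events):
    """Pair each successful LOGON with the user's next LOGOFF:
    {user: [(logon_time, duration_minutes), ...]}."""
    open_sessions, out = {}, defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "LOGON" and e["result"] == "OK":
            open_sessions[e["user"]] = e["ts"]
        elif e["event"] == "LOGOFF" and e["user"] in open_sessions:
            start = open_sessions.pop(e["user"])
            out[e["user"]].append((start, (e["ts"] - start).total_seconds() / 60))
    return dict(out)

def file_access(events, filename):
    """Who opened a specific file, and when."""
    return [(e["ts"], e["user"]) for e in events if e["event"] == "OPEN" and e["file"] == filename]

def after_hours(events, start_hour=7, end_hour=19):
    """Events outside the business day; combine with file_access for sensitive files."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]
```

On the constructed log the terminated user rgone logs on at 23:10, opens the payroll master and logs off: three findings from one session (terminated-user activity, after-hours activity, access to a specific file), which is the kind of correlation the "personal accountability" objective depends on.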
SYSTEM-WIDE CONTROLS: Disaster recovery planning
Types of disaster.

SYSTEM-WIDE CONTROLS: Disaster recovery planning
Definition: a disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before, during and after a disaster, together with documented, tested procedures that will ensure the continuity of operations. Its essential elements: a safe second location; the resources to operate there; a systematic process for recovery; and a reliable plan (i.e., one that has been tested).

SYSTEM-WIDE CONTROLS: Disaster recovery planning
- Identify and rank the critical applications.
- Create a disaster recovery team and assign its responsibilities.

SYSTEM-WIDE CONTROLS: Disaster recovery planning
Site backup:
- "Hot site" (recovery operations center, ROC): a fully equipped second site.
- "Cold site" (empty shell): space, power and telecommunications only; hardware must be brought in.
- Mutual aid pact: agreement with a similar business (or another branch of the same company) to share facilities when needed.
- Internally provided backup.
- Other options.
At a minimum, hot and cold sites are subject to competing customers if the vendor signs contracts with several companies in the same geographic area and one event hits them all. Example from the text: EDS lost a roof to an ice storm in the New York area, went to its contracted hot site, and found itself in line behind other contract holders hit by the same storm. EDS lost millions while it scrambled to restore business operations. Others: the "Silo", a ROC/hot site on wheels, for example an 18-wheeler fitted out as a recovery center with its own generator, which pulls up to the location destroyed by fire or flood so that employees can report to the same physical location.

SYSTEM-WIDE CONTROLS: Disaster recovery planning
- Hardware backup (if the second site is not a hot site).
- Software backup, operating system (if the second site is not a hot site). "O/S" here includes network operating systems (NOS) as well as operating environments such as Windows.
- Software backup, application software (driven by the critical-application ranking).

SYSTEM-WIDE CONTROLS: Disaster recovery planning
- Data backup.
- Supplies (on site).
- Documentation (on site): user manuals; system and software technical manuals.
- Test!
Data backups must be readily accessible in a real disaster: for example, store the backup media (tape, CD, DVD, etc.) at or near the second site. Data backups for disaster recovery should be an integral part of the enterprise's data backup plan; a grandfather-father-child rotation, for example, yields an extra generation of backup that can be dedicated to the DRP.

Disaster Recovery Plan
- Critical applications: rank them, so that an orderly and effective restoration of the computer systems is possible.
- Create the disaster recovery team: select members, write job descriptions, and describe the recovery process in terms of who does what.
- Site backup: a backup facility with appropriate furniture, housing, computers and telecommunications. A mutual aid pact, under which a similar business or another branch of the same company makes capacity available when needed, is another valid option.
- Hardware backup: some vendors provide computers with the site (a hot site or recovery operations center); some do not (a cold site). Where hardware is not provided, the plan must secure compatible hardware (e.g., the ability to lease computers).
- System software backup: some hot sites provide the operating system. If the site plan does not include it, make sure copies are available at the backup site.
- Application software backup: make sure copies of the critical applications are available at the backup site.
- Data backup: one key strategy is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another is to test the restore function of the backups before a crisis.
- Supplies: a modest inventory of supplies should be at the backup site or be deliverable quickly.
- Documentation: an adequate set of copies of the user and system documentation.
- TEST! The most important element of an effective disaster recovery plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year).

SYSTEM-WIDE CONTROLS: Disaster recovery planning
Audit objective: verify that management's DRP is adequate.
Audit procedures:
- Verify that the second-site backup is adequate.
- Review the critical application list for completeness.
- Verify that backups of application software are stored off-site.
- Verify that critical data files are backed up and readily accessible to the DRP team.
- Verify that supplies, documents and documentation are backed up and stored off-site.
- Verify that the members listed on the team roster are current employees and that they are aware of their responsibilities.
SYSTEM-WIDE CONTROLS: Fault tolerance
Definition: the ability of a system to continue operating when part of it fails. The text reports that 44% of the time an information system is unavailable is due to system failures.
Controls: redundant systems or components, RAID, UPS, multiprocessors. Note that RAID protects against disk hardware failure only; a deleted or corrupted file is faithfully mirrored, so RAID does not replace backups.
Audit objective: ensure the organization employs an appropriate level of fault tolerance.
Audit procedures:
- Verify that the RAID level in use is appropriate to the criticality of the data.
- Review the procedures for recovery from system failure.
- Verify that boot disks are secured.
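As an added example (not from the textbook) of how RAID delivers fault tolerance, the code below computes a parity block over a stripe of data blocks and rebuilds whichever block is lost from the survivors. The "disks" are byte strings held in memory; a real RAID-5 array works on fixed-size stripes and rotates the parity block across drives, which this sketch leaves out.

```python
"""RAID parity: how a stripe survives the loss of one disk. Added illustration,
not from Hall & Singleton. The 'disks' are byte strings held in memory; a
real RAID-5 array works on fixed-size stripes and rotates the parity block
across drives, which this sketch leaves out."""

def parity(blocks):
    """XOR of equal-length blocks: the parity block written alongside the data."""
    n = len(blocks[0])
    if any(len(b) != n for b in blocks):
        raise ValueError("every block in a stripe must have the same length")
    out = bytearray(n)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def write_stripe(data_blocks):
    """One stripe = the data blocks followed by their parity block."""
    return list(data_blocks) + [parity(data_blocks)]

def recover(stripe, lost_indices):
    """Rebuild the missing block from the survivors. XOR is its own inverse, so
    XOR-ing every remaining block (data or parity) yields the lost one. With
    single parity that works for exactly one failure; two simultaneous
    failures are not recoverable, which is one reason RAID is an
    availability control and not a backup."""
    lost = set(lost_indices)
    if len(lost) != 1:
        raise ValueError(f"single parity can rebuild exactly one lost block, not {len(lost)}")
    survivors = [b for i, b in enumerate(stripe) if i not in lost]
    return parity(survivors)

def demo():
    """Constructed stripe of three 8-byte data blocks plus parity; lose each
    disk in turn and rebuild it."""
    data = [b"ACCT0001", b"ACCT0002", b"LEDGER01"]
    stripe = write_stripe(data)
    rebuilt = {i: recover(stripe, [i]) for i in range(len(stripe))}
    return stripe, rebuilt
```

Losing the parity disk itself is handled the same way: the XOR of the three data blocks is the parity block, so the rebuild is identical regardless of which position failed.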