IS Security Control & Management

Overview
- Why worry?
- Sources, frequency and severity of problems
- Risks to computerized vs. manual systems
- Purpose of control mechanisms
- Types of controls: general and application
- Developing and managing control systems

Why Worry?
- Computer viruses
  - Rogue software programs that are difficult to detect and spread rapidly through computer systems, destroying data or disrupting processing and memory systems
  - Example: ILOVEYOU virus
- Hackers
  - People who gain unauthorized access

Why Worry?
- Information system outages
  - Studies show that companies would sustain a critical loss of business operations within 15 days of an information system outage
  - At that point, firms would have less than a 25% chance of ever recovering

Need for Information System Audits
- Continuous improvement in hardware performance and capabilities
- Decreasing hardware costs
- Availability of application and database software with more functionality
- Advances in communication
- Sophistication of users
- Demand for greater control of information

Management's Concerns Regarding Information Systems
- Loss or misstatement of data
- Unauthorized access to data
- Loss of confidentiality of data
- Fraud
- Errors and omissions
- Computer downtime/damage
- Corruption of data

Threats to Systems
- Natural disasters
- Sabotage and theft
- Operational errors
- Upgrades and conversions (including fixes!)

Primary Concerns by Disaster Type

Natural Disasters
- Broader impact than other types
  - Business and employees are both impacted
  - Typically many systems fail at once
  - Often others in the area have the same problems and are therefore seeking the same resources for recovery
- Focus on the reasonability of backup and recovery plans

Sabotage or Theft
- Points of risk
  - Layoffs and firings
  - Mergers and reorganizations
- In Fortune 500 companies with over 1,000 laptops, 14 are lost per year
- Often not covered by insurance
- Data loss is worse than equipment loss

Operational Errors
- Hardware failures
  - Risks with outdated hardware
  - Impact on e-commerce activities
  - Reliance on network connections
- User-generated failures (32% of all data losses involving disks and tapes are caused by user errors)
- Mistakes made in attempts to recover lost or damaged data

Upgrades and Conversions
- The solution causes the problem!
- Problems with suppliers and buyers
- Time lost in conversions is often not considered in the cost of "upgrades"

Severity of Problems: The Firm
- In 1997, NationsBank, the 4th largest bank in the U.S. at the time, reviewed its vulnerability and estimated that its exposure was:
  - $50 million in financial losses
  - for an interruption of more than 24 hours
  - where existing plans would take 2-5 days to restore operations

Severity of Problems: The Individual
- A Fortune 500 CFO lost five years' worth of accounting and stockholder data on a Friday afternoon; he needed it Monday for an annual stockholders' meeting.
- Twice-daily backups didn't help: the backup media had never been tested. When it was proven to be faulty, the CFO thought his career was over.
- Data recovery specialists managed to rescue the information in time for the CFO's Monday morning presentation.

System Vulnerability
- Complex IS cannot be easily replicated manually
- Once an IS has been built, it can be hard to decipher the processes again
- The probability of disasters is the same, but the impact may be greater with IS failures
- Security in a networked system is significantly more complicated

Quality Assurance vs. Control
- Quality assurance as the prevention of errors
- Quality control as the identification of errors after they occur
- Data vs. system quality
  - Is the information stored and secured correctly?
  - Are things processed correctly?

Quality Assurance in IS
- Use of appropriate methods and documentation
- Test plans and testing
- Complete the circle with customer and employee feedback
- Communication, communication, communication

Cost to Fix Mistakes After Implementation versus Before

Testing Approaches
- Test plans
- Manual approaches
  - Usability tests (handout)
  - Testers vs. users as guinea pigs!
- Automated testing
  - Main benefits: simulation of large volumes of users; can be run on many configurations of hardware
  - Requires tools and expertise

Testing and Quality
- Types of testing: unit, system, acceptance
- Inability to prove correctness
- At design phase: test with a walkthrough
  - Is it what they want?
- During construction: debugging
- Pre-implementation: verify goals are met

Purpose of Control Mechanisms
- Reduce the risk of loss of business continuity and legal liability through controls
- Methods, policies, and organizational procedures that assure:
  - Safety of organizational assets
  - Accuracy and reliability of records
  - Adherence to organizational standards

Types of Controls
- General controls
  - Design, security and use of IS
  - Accomplished through system software and manual procedures
- Application controls
  - Specific to given applications
  - Accomplished through application software

General Controls
- Controls over system development processes
- Software system-level controls
- Hardware controls (secure and accurate)
- Computer operations controls
- Data security controls
- Administrative controls (segregation of functions, adherence to policies, etc.)

Application Controls
- Based on the I-P-O (input-processing-output) model
- Input controls
  - Control totals, data validations, authorization
- Processing controls
  - Run control totals and "computer matching" of values (redundancy checks)
- Output controls
  - Reconciliation and appropriate distribution of information
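The three layers of application control described on this slide, as an added worked example (not part of the original presentation): a batch of vendor payments is checked on input (data validation, approver authorization, and record-count, financial and hash control totals against what the submitting department claims), posted with a run-to-run total, and reconciled on output. The sample batch, vendor master and approver list are constructed for the illustration.

```python
"""Application controls over a payment batch, following the I-P-O model:
input controls, processing controls and output controls.
Added illustration; all data below is constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    amount: Decimal
    approver: str


# Constructed sample batch and the control totals the submitting department claims.
BATCH = [
    Payment("V100", Decimal("125.00"), "alice"),
    Payment("V200", Decimal("80.50"), "bob"),
    Payment("V100", Decimal("19.99"), "alice"),
]
CLAIMED_TOTALS = {"count": 3, "amount": Decimal("225.49"), "hash": 400}
AUTHORIZED_APPROVERS = {"alice", "bob"}          # constructed authorization list
VENDOR_MASTER = {"V100", "V200", "V300"}         # constructed vendor master file


def batch_totals(batch):
    """Record count, financial total and a hash total of vendor numbers."""
    return {
        "count": len(batch),
        "amount": sum((p.amount for p in batch), Decimal("0")),
        "hash": sum(int(p.vendor_id[1:]) for p in batch),
    }


def input_controls(batch, claimed):
    """Input stage: validation, authorization and control totals.
    Returns a list of control exceptions (empty list means the batch is clean)."""
    exceptions = []
    for i, p in enumerate(batch):
        if p.vendor_id not in VENDOR_MASTER:
            exceptions.append(f"record {i}: unknown vendor {p.vendor_id}")
        if p.amount <= 0:
            exceptions.append(f"record {i}: non-positive amount {p.amount}")
        if p.approver not in AUTHORIZED_APPROVERS:
            exceptions.append(f"record {i}: unauthorized approver {p.approver}")
    computed = batch_totals(batch)
    for key in ("count", "amount", "hash"):
        if computed[key] != claimed[key]:
            exceptions.append(
                f"control total {key}: claimed {claimed[key]}, computed {computed[key]}"
            )
    return exceptions


def process_batch(batch):
    """Processing stage: post each payment to the vendor ledger while carrying
    a run-to-run total, so the output can later be matched back to the input."""
    ledger = {}
    run_total = Decimal("0")
    for p in batch:
        ledger[p.vendor_id] = ledger.get(p.vendor_id, Decimal("0")) + p.amount
        run_total += p.amount
    return ledger, run_total


def output_controls(batch, ledger, run_total):
    """Output stage: reconcile posted amounts against the input total
    (the 'computer matching' redundancy check)."""
    expected = batch_totals(batch)["amount"]
    posted = sum(ledger.values(), Decimal("0"))
    return run_total == expected == posted


def run(batch, claimed):
    """Run the batch through all three control layers and report the outcome."""
    exceptions = input_controls(batch, claimed)
    if exceptions:
        return {"status": "rejected", "exceptions": exceptions}
    ledger, run_total = process_batch(batch)
    if not output_controls(batch, ledger, run_total):
        return {"status": "out_of_balance", "exceptions": ["posted total differs from input"]}
    return {"status": "posted", "ledger": ledger, "exceptions": []}


if __name__ == "__main__":
    print(run(BATCH, CLAIMED_TOTALS))           # clean batch posts
    print(run(BATCH[:2], CLAIMED_TOTALS))       # a dropped record trips the control totals
```

Dropping or altering a record after the department computed its totals shows up as a control-total exception before anything is posted; the hash total catches substitutions (a different vendor with the same amount) that the financial total alone would miss.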

Developing Control Systems
- Risk analysis and assessment
  - Financial valuations of business interruptions
  - Non-financial valuations: legal and regulatory compliance; other benefits
- Need for upper management support

Risk Analysis Steps
- Identifying and valuing assets;
- Identifying threats (whether caused by people or natural disasters);
- Identifying vulnerabilities (i.e., design, configurations, or procedures that make assets subject to threats);
- Estimating risks (calculating probabilities);
- Calculating statistically expected losses; and
- Identifying potential protective measures.
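The six steps above carried through in code, as an added example that is not part of the original presentation. It uses the standard single-loss / annualized-loss-expectancy model (expected annual loss = asset value x exposure factor x incidents per year), which the slide does not name but describes; the assets, probabilities, costs and safeguards are constructed figures, including a laptop-theft line that reuses the 14-per-year rate quoted earlier in the deck.

```python
"""Quantitative risk analysis: value assets, list threats and vulnerabilities,
estimate probabilities, compute expected losses, then weigh protective measures.
Added illustration; every figure below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # step 1: asset valuation (USD)
    threat: str              # step 2
    vulnerability: str       # step 3
    exposure_factor: float   # fraction of asset value lost per incident
    annual_rate: float       # step 4: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_rate: float     # incidents per year once the measure is in place
    residual_exposure: float  # fraction of value lost per incident afterwards


def single_loss_expectancy(r: Risk) -> float:
    """Loss from one occurrence of the threat."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """Step 5: statistically expected loss per year."""
    return single_loss_expectancy(r) * r.annual_rate


def residual_ale(r: Risk, s: Safeguard) -> float:
    """Expected annual loss that remains after the safeguard is applied."""
    return r.asset_value * s.residual_exposure * s.residual_rate


def safeguard_value(r: Risk, s: Safeguard) -> float:
    """Step 6: net annual benefit of a protective measure (negative = not justified)."""
    return annualized_loss_expectancy(r) - residual_ale(r, s) - s.annual_cost


def rank_risks(risks):
    """Order the risk register by expected annual loss, largest first."""
    return sorted(risks, key=annualized_loss_expectancy, reverse=True)


def recommend(risks, safeguards):
    """Map each asset to the decision on its candidate safeguard."""
    decisions = {}
    for r in risks:
        s = safeguards.get(r.asset)
        if s is None:
            decisions[r.asset] = "no safeguard proposed"
            continue
        net = safeguard_value(r, s)
        decisions[r.asset] = f"{'adopt' if net > 0 else 'reject'} {s.name} (net {net:,.0f}/yr)"
    return decisions


# Constructed risk register (steps 1-4) and candidate safeguards (step 6).
RISKS = [
    Risk("order database", 2_000_000, "disk failure", "no tested backups", 0.5, 0.2),
    Risk("laptop fleet", 300_000, "theft", "unencrypted drives", 0.1, 14),
    Risk("data center", 5_000_000, "flood", "single site", 0.8, 0.02),
]
SAFEGUARDS = {
    "order database": Safeguard("tested nightly backups", 40_000, 0.2, 0.02),
    "laptop fleet": Safeguard("full-disk encryption", 25_000, 14, 0.01),
    "data center": Safeguard("second site", 150_000, 0.02, 0.1),
}


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.asset:15} ALE {annualized_loss_expectancy(r):>12,.0f}")
    for asset, decision in recommend(RISKS, SAFEGUARDS).items():
        print(f"{asset:15} {decision}")
```

On these numbers the laptop fleet, not the data center, carries the largest expected annual loss, and the second site fails the cost test even though a flood is the most severe single event. That is the point of step 5: probability-weighted loss, not worst-case loss, drives where control budget goes.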

Testing and Audits of Control Systems
- Backups and recovery plans must be tested to be relied upon
  - 5-25% of firms that do not have plans are not in business within a year of a major disaster
- Major consulting firms such as Ernst & Young have thriving business sectors in IS auditing
  - Verify general and application controls
  - Similar to accounting audits, but for information systems
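The CFO story earlier in the deck and the first bullet here make the same point: a backup that has never been restored is not a control. As an added example (not from the original presentation), the routine below makes the test routine: it writes a backup archive, restores it into a scratch directory and compares every file's SHA-256 digest against the live copy, then repeats the run with the archive deliberately damaged to model faulty media. The sample files are constructed inside a temporary directory.

```python
"""Prove a backup can actually be restored: archive, restore to scratch space,
compare file hashes against the source. Added illustration; sample data is
constructed in a temp directory."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def fingerprint_tree(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive: Path, target: Path) -> None:
    """Restore the archive into target, using the safe 'data' filter where
    this Python version provides it (added in 3.12 and backported to 3.8.17+)."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_backup(source: Path, archive: Path) -> dict:
    """Restore into scratch space and report what differs from the live data."""
    with tempfile.TemporaryDirectory() as scratch:
        restore_backup(archive, Path(scratch))
        restored = fingerprint_tree(Path(scratch))
    live = fingerprint_tree(source)
    return {
        "missing": sorted(set(live) - set(restored)),
        "corrupted": sorted(p for p in live if p in restored and live[p] != restored[p]),
        "ok": live == restored,
    }


def demo(corrupt: bool = False) -> dict:
    """Constructed end-to-end run; corrupt=True simulates damaged backup media."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "ledger"
        (src / "2024").mkdir(parents=True)
        (src / "2024" / "gl.csv").write_text("acct,amount\n1000,125.00\n")
        (src / "shareholders.csv").write_text("id,name\n1,Example Holdings\n")
        archive = Path(work) / "ledger.tgz"
        make_backup(src, archive)
        if corrupt:
            # Flip one byte in the middle of the compressed stream to model bad media.
            data = bytearray(archive.read_bytes())
            data[len(data) // 2] ^= 0xFF
            archive.write_bytes(data)
        try:
            return verify_backup(src, archive)
        except Exception as exc:  # damaged media usually fails before any hash compare
            return {"ok": False, "missing": [], "corrupted": [], "error": type(exc).__name__}


if __name__ == "__main__":
    print("good media:", demo())
    print("bad media: ", demo(corrupt=True))
```

The restore-and-compare step is the part most backup jobs skip; scheduling it (and recording the result) is what turns a backup from a hope into an auditable control. On damaged media the failure surfaces either as a decompression or archive error, which the demo reports by exception name, or as a hash mismatch listed under "corrupted".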