Chapter 16 IT Controls, Asset Protection, and Security
Introduction
- Managers who own or use IT assets are responsible for securing them.
- With interconnected enterprises (B2B), an intrusion at a partner may result in business compromise locally.
- Security is an integrated, continuous process that takes place at all levels.

The Meaning and Importance of Control
- Control is a primary management responsibility.
- Managers must have routine methods for comparing actual and planned performance: "planning and control are inseparable."
- IT controls are critical because other parts of the organization use computer-generated reports as the basis of their control activities.

Why Controls Are Important to Managers
1. Control is a primary management responsibility
2. Uncontrolled events can be very damaging
3. The firm relies on IT for many control processes
4. U.S. law requires certain control measures in public corporations
5. Controls assist organizations in protecting assets
6. Technology introduction requires controlled processes

Business Control Principles
- The primary job of all managers is to take charge of the assets entrusted to them, capitalize on these assets to advance their part of the business, and grow, develop, or add value to them.
- Managers entrusted with information assets must control and protect them.
- Implementing business controls is an ethical responsibility.

Asset Identification and Classification
- Managers must know what assets they own or control, and their value.
- Tangible: physical assets such as routers, PCs, servers, and telephones.
- Intangible: intellectual assets such as operating systems, databases, and applications.
- Managers must inventory and value these items.

Separation of Duties
- Several individuals are involved in transaction processing, so for fraud to occur, several individuals must work together.
- Control can be made even more effective by routinely rotating the job duties associated with these transaction tasks.
- Output must be validated against input.

Efficiency and Effectiveness of Controls
- Controls are best when they are simple and easily understood.
- They are most effective when they are part of the routine and produce action in a timely manner.
- Control cost and overhead must be balanced against the risk and magnitude of loss.
- Managers must analyze the application and use good judgment.

Control Responsibilities
1. The application program owner (almost always a manager)
2. Application users (some applications have many)
3. The application's programming manager
4. The individual providing the computing environment
5. The IT manager (in either the line or staff role)

Owner and User Responsibilities
- Owners are responsible for providing business direction for their applications: the owner authorizes the program's use, classifies the associated data, and stipulates program and data access controls.
- Users are individuals or groups authorized by owners to use applications according to the owners' specifications; they are required to protect the data in accordance with the owners' classification.

IT Managers' Responsibilities
- All IT managers have control responsibilities in conjunction with their operating responsibilities.
- The responsibility for organizing and managing application development, maintenance, or enhancement resides with IT programming managers.
- The supplier of computing services is responsible for providing the computing environment within which the application is processed.

Application Controls
- Necessary to ensure that applications function properly on a regular basis.
- These controls are most effective when they are built into the applications and generate documentation validating proper operation.
- Automated and manual control mechanisms should be classified as confidential information.
- The separation-of-duties principle applies to an application and its associated data handling.

Application Processing Controls
- Application control and protection consist of two duties: ensuring that application programs perform according to management-established specifications, and maintaining program and data integrity.
- To support these requirements, applications must have auditability features and control points built in.

System Control Points
- Control points are locations in program or process flow where control exposures exist and where control actions and auditing activities can be performed.
- Transaction origination is one of the most critical points: it is a manual activity and can be subject to human error or fraud.
- Online operations make the system more complex and require even greater controls.
System Control Points
Control Actions at Transaction Origination
Input Data Controls
Processing, Storage, and Output Controls
- Operating systems and the applications themselves enhance the validation of program processing.
- Program execution is accompanied by subroutines that validate that processing is complete and that program execution occurred correctly.
- Application program source code and executables must be treated as classified information.
Program Processing Controls
Data Output Handling
Application Program Audits
- An application system is auditable if the application owner can establish easily and with high confidence that the system continually performs its specified functions.
- Auditable systems contain functions and features that let owners determine whether applications are processing data correctly.
- Program testing that ensures auditability is vital, and test data should be archived.
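The control ideas from the Separation of Duties, System Control Points, and Application Program Audits slides, put together in one small batch-transaction pipeline as an added illustration (this is not code from the textbook; the Txn/Batch classes, field names and sample transactions are hypothetical). It shows an input edit at origination, an approver who may not be an originator, a control total that reconciles output against input, and an audit trail an owner can inspect.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    txn_id: str
    account: str
    amount: int        # whole cents, so control totals reconcile exactly
    originator: str    # user who keyed the transaction

class ControlViolation(Exception):
    """Raised whenever a control point detects an exposure."""

class Batch:
    def __init__(self):
        self.txns = []
        self.control_total = 0   # batch control total built up at input
        self.approved_by = None
        self.audit = []          # auditability feature: log of control actions

    def originate(self, txn):
        # Control point 1: transaction origination (input data controls).
        if txn.amount <= 0 or not txn.account.isdigit():
            raise ControlViolation(f"{txn.txn_id}: rejected at input edit")
        self.txns.append(txn)
        self.control_total += txn.amount
        self.audit.append(("originate", txn.txn_id, txn.originator))

    def approve(self, approver):
        # Separation of duties: whoever keyed a transaction in this batch
        # cannot also be the person who releases the batch for processing.
        if approver in {t.originator for t in self.txns}:
            raise ControlViolation(f"{approver} cannot approve own entries")
        self.approved_by = approver
        self.audit.append(("approve", approver, len(self.txns)))

    def process(self, balances):
        # Control point 2: processing may only run on a released batch.
        if self.approved_by is None:
            raise ControlViolation("batch not approved")
        posted = 0
        for t in self.txns:
            balances[t.account] = balances.get(t.account, 0) + t.amount
            posted += t.amount
        # Control point 3: output validated against input (run-to-run total).
        if posted != self.control_total:
            raise ControlViolation("posted total differs from control total")
        self.audit.append(("process", len(self.txns), posted))
        return posted
```

Every rejected or accepted action leaves an entry in `audit`, which is what lets an owner confirm after the fact that the controls actually ran.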
Controls in Production Operations
- Well-disciplined production operations maintain sound control over performance objectives.
- They ensure sufficient system capacity for application operations.
- They allow batch and online systems processing to function as designed.
- Accurate scheduling and rigorous online management provide controlled environments for application processing.

Controls in Client/Server Operations
- Organizations that move applications from secured centralized systems to distributed systems must understand the different exposures and vulnerabilities.
- Client/server systems and e-business systems have more points of vulnerability, so control and asset protection are more difficult.
- Special effort must be taken to design controls in and to continuously assess vulnerabilities in the system over time.

Network Controls and Security
- Networks face passive threats and active threats.
- Passive threats are attempts to monitor network data transmission in order to read messages or obtain information about network traffic.
- Active threats are attempts to alter, destroy, or divert message data, or to pose as network nodes.

Network Controls and Security
- Network managers must control system and data access and must secure data in transit.
- The first step in controlling system access is physical security: rooms containing controllers, routers, or servers must be tightly secured.

Network Controls and Security
- Managers must establish user identification and verification processes.
- This usually means that users sign on to the system with a name followed by a password.
- Some firms require "two-factor identification"; the two factors are usually something you have and something you know (fingerprint, token, or smartcard plus a PIN).
- A two-factor system only erects higher barriers to entry; it does not make intrusion impossible.

Data Encryption
- It is often necessary to protect critical data in transit.
- Before transmission, encryption programs use an algorithm and a key to change the message character stream into a different character stream; when received, the same algorithm and key decode or decipher the message.
- Encryption converts the risk of data loss into the risk of key loss.

Firewalls and Other Security Considerations
- A firewall is a specialized computer inserted between internal and external networks, through which all incoming and outgoing traffic must pass.
- It is intended to screen incoming and outgoing messages and prohibit any traffic deemed illegitimate.
- Firewalls are only the first line of defense against external intrusion.
Network Security Measures
Additional Control and Protection Measures
1. Only people who work in the data center should be allowed routine access to the facility
2. Data center workers must wear special badges that identify them on sight
3. Physical access should be controlled by electronic code locks rather than mechanical key locks; this simplifies key management and hastens key changes

Additional Control and Protection Measures
4. The identity and authorization of all visitors to the center must be validated, and they must sign in and out
5. Duties within the center should be separated so that operators who initiate or control programs cannot access data stores

Managing Sensitive Programs
- IT managers must, with help from other department managers, identify and maintain an inventory of these applications.
- The owner must prescribe protection and security conditions covering storage, operation, and maintenance.
- Program source code, load modules, and test data must be classified as sensitive information and protected accordingly; datasets must be protected as well.

Controls for E-Business Applications
- Due to the integrated nature of e-business, security is a shared concern.
- All the partners must have documented security policies, secure application development practices, and satisfactory access control and user authorization procedures.
- Partners must establish encryption standards, develop responses to security breaches, and schedule compliance audits.

Keys to Effective Control
- Managers must understand their control responsibilities and know the assets for which they are responsible and the value of those assets, and protect the assets accordingly.
- Managers must be involved in the control processes; involvement must be timely and responsive.
- They must follow through to ensure effectiveness.

Summary
- No organization is safe from computer crime.
- Business controls, asset protection, and security are fundamental to business operations.
- Managers must know what their assets are and each asset's estimated value.
- Assets must be classified and protected in accordance with their relative worth.