Transcript Chapter 9

Computer-Based Information Systems Control
9-1
General Controls
• A company designs general controls to ensure that its overall computer system is stable and well managed.
• The following are categories of general controls:
  1. Developing a security plan
  2. Segregation of duties within the systems function
9-2
General Controls
  3. Project development controls
  4. Physical access controls
  5. Logical access controls
  6. Data storage controls
  7. Data transmission controls
  8. Documentation standards
  9. Minimizing system downtime
9-3
General Controls
  10. Disaster recovery plans
  11. Protection of personal computers and client/server networks
  12. Internet controls
9-4
Developing a Security Plan
• Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.
• What questions need to be asked?
  » Who needs access to what information?
  » When do they need it?
  » On which systems does the information reside?
9-5
Segregation of Duties Within the Systems Function
• In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
• Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
9-6
Segregation of Duties Within the Systems Function
• To combat this threat, organizations must implement compensating control procedures.
• Authority and responsibility must be clearly divided among the following functions:
  1. Systems analysis
  2. Programming
  3. Computer operations
9-7
Segregation of Duties Within the Systems Function
  4. Users
  5. AIS library
  6. Data control
• It is important that different people perform these functions.
• Allowing a person to perform two or more of them exposes the company to the possibility of fraud.
9-8
Project Development Controls
• To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.
• What key elements are included in project development control?
  1. Long-range master plan
  2. Project development plan
  3. Data processing schedule
9-9
Project Development Controls
  4. Assignment of responsibility
  5. Periodic performance evaluation
  6. Post-implementation review
  7. System performance measurements
9-10
Physical Access Controls
• How can physical access security be achieved?
  – placing computer equipment in locked rooms and restricting access to authorized personnel
  – having only one or two entrances to the computer room
  – requiring proper employee ID
  – requiring that visitors sign a log
  – installing locks on PCs
9-11
Logical Access Controls
• Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
• What are some logical access controls?
  – passwords
  – physical possession identification
  – biometric identification
9-12
Data Storage Controls
• Information is generally what gives a company a competitive edge and makes it viable.
• A company should identify the types of data maintained and the level of protection required for each.
• A company must also document the steps taken to protect data.
9-13
Data Storage Controls
• A properly supervised file library is one essential means of preventing loss of data.
• A file storage area should also be protected against fire, dust, excess heat, or humidity.
• Following are types of file labels that can be used to protect data files from misuse:
  – external labels
  – internal labels (volume, header, trailer)
9-14
Data Transmission Controls
• To reduce the risk of data transmission failures, companies should monitor the network.
• How can data transmission errors be minimized?
  – using data encryption (cryptography)
  – implementing routing verification procedures
  – adding parity
  – using message acknowledgment techniques
9-15
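The slide lists "adding parity" and "message acknowledgment techniques" without showing how they interact. The Python below is an added example, not material from the slides or their textbook: it attaches an even parity bit to each 7-bit character, has the receiver answer ACK or NAK depending on whether every character still has even parity, and has the sender retransmit on NAK. The per-character parity scheme, the ACK/NAK tokens, the retry budget and the constructed "channel" that flips a bit are all assumptions made for this illustration. The last function shows the caveat a practitioner should know: two flipped bits in one character leave parity even and pass undetected.

```python
"""Even-parity characters plus a stop-and-wait ACK/NAK exchange.

Added example, not code from the slides. The parity scheme, the ACK/NAK
tokens, the retry budget and the channel model are assumptions.
"""
from typing import Callable, Optional, Tuple

MAX_RETRIES = 3  # assumed retransmission budget


def with_parity(ch: int) -> int:
    """Take a 7-bit ASCII code and set bit 7 so the byte has an even number of 1 bits."""
    if not 0 <= ch < 0x80:
        raise ValueError("parity scheme assumes 7-bit characters")
    return ch | 0x80 if bin(ch).count("1") % 2 else ch


def parity_ok(byte: int) -> bool:
    """True when the byte carries an even number of 1 bits."""
    return bin(byte).count("1") % 2 == 0


def encode(message: str) -> bytes:
    """Frame a message: one parity-protected byte per character."""
    return bytes(with_parity(c) for c in message.encode("ascii"))


def decode(frame: bytes) -> Optional[str]:
    """Strip the parity bits; return None if any character fails the parity check."""
    if not all(parity_ok(b) for b in frame):
        return None
    return bytes(b & 0x7F for b in frame).decode("ascii")


def receiver(frame: bytes) -> Tuple[str, Optional[str]]:
    """Receiver side: acknowledge a clean frame, reject a corrupted one."""
    text = decode(frame)
    return ("ACK", text) if text is not None else ("NAK", None)


def send_with_ack(message: str,
                  channel: Callable[[bytes, int], bytes]) -> Tuple[Optional[str], int]:
    """Sender side: retransmit until the receiver ACKs or the retry budget is used up.

    Returns (text the receiver accepted or None, number of attempts made).
    """
    frame = encode(message)
    for attempt in range(1, MAX_RETRIES + 1):
        reply, text = receiver(channel(frame, attempt))
        if reply == "ACK":
            return text, attempt
    return None, MAX_RETRIES


def flaky_channel(frame: bytes, attempt: int) -> bytes:
    """Constructed channel: flips one bit of the first byte on the first attempt only."""
    if attempt == 1:
        return bytes([frame[0] ^ 0x01]) + frame[1:]
    return frame


def undetected_double_flip(message: str) -> Optional[str]:
    """Caveat: two flipped bits in the same character keep parity even and slip through."""
    frame = encode(message)
    damaged = bytes([frame[0] ^ 0x03]) + frame[1:]
    return decode(damaged)


if __name__ == "__main__":
    print(send_with_ack("PAY 100", flaky_channel))  # ('PAY 100', 2)
    print(undetected_double_flip("A"))              # 'B'
```

The single-bit flip on the first attempt is caught by parity and repaired by the acknowledgment loop, which is the combination the slide is pointing at. The double flip is the reason parity is a transmission-error control and not an integrity control against a deliberate modifier; that is the role of the encryption (and, in practice, authenticated encryption) item on the same slide.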
Data Transmission Controls
• Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
• In these types of environments, sound internal control is achieved using the following control procedures:
  1. Physical access to network facilities should be strictly controlled.
9-16
Data Transmission Controls
  2. Electronic identification should be required for all authorized network terminals.
  3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
  4. Encryption should be used to secure stored data as well as data being transmitted.
  5. Details of all transactions should be recorded in a log that is periodically reviewed.
9-17
Documentation Standards
• Another important general control is documentation procedures and standards to ensure clear and concise documentation.
• Documentation may be classified into three basic categories:
  1. Administrative documentation
  2. Systems documentation
  3. Operating documentation
9-18
Minimizing System Downtime
• Significant financial losses can be incurred if hardware or software malfunctions cause an AIS to fail.
• What are some methods used to minimize system downtime?
  – preventive maintenance
  – uninterruptible power system
  – fault tolerance
9-19
Disaster Recovery Plan
• Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster.
• What are the objectives of a recovery plan?
  1. Minimize the extent of the disruption, damage, and loss.
  2. Temporarily establish an alternative means of processing information.
9-20
Disaster Recovery Plan
  3. Resume normal operations as soon as possible.
  4. Train and familiarize personnel with emergency operations.
• A sound disaster plan should contain the following elements:
  1. Priorities for the recovery process
  2. Backup data and program files
9-21
Disaster Recovery Plan
  3. Specific assignments
  4. Complete documentation
  5. Backup computer and telecommunications facilities
    » reciprocal agreements
    » hot and cold sites
9-22
Disaster Recovery Plan
• There are other aspects of disaster recovery planning that deserve mention:
• The recovery plan is incomplete until it has been satisfactorily tested by simulating a disaster.
• The recovery plan must be continuously reviewed and revised to ensure that it reflects the current situation.
• The plan should include insurance coverage.
9-23
Protection of PCs and Client/Server Networks
• Why are PCs more vulnerable to security risks than are mainframes?
  » It is difficult to restrict physical access.
  » PC users are usually less aware of the importance of security and control.
  » Many people are familiar with the operation of PCs.
  » Segregation of duties is very difficult.
9-24
Application Controls
• The primary objective of application controls is to ensure the accuracy of a specific application's inputs, files, programs, and outputs.
• This section will discuss five categories of application controls:
  1. Source data controls
  2. Input validation routines
9-25
Application Controls
  3. On-line data entry controls
  4. Data processing and file maintenance controls
  5. Output controls
9-26
Source Data Controls
• There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
  – key verification
  – check digit verification
  – prenumbered forms sequence test
  – turnaround documents
  – authorization
9-27
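Two of the source data controls on this slide, check digit verification and the prenumbered forms sequence test, are mechanical enough to show in code. The Python below is an added example, not code from the slides or their textbook. The slides do not say which check digit scheme is meant; the mod-10 (Luhn) scheme used here is one common choice and is an assumption, as are the sample customer numbers and the batch of form numbers. The sequence test reports the three things an auditor looks for in a batch of prenumbered forms: numbers missing from the issued range, numbers used twice, and numbers outside the range issued.

```python
"""Check digit verification (mod-10 / Luhn) and a prenumbered-forms sequence test.

Added example, not code from the slides. The Luhn scheme, the sample
customer numbers and the form-number batch are assumptions.
"""
from collections import Counter
from typing import Iterable, List, Tuple


def luhn_check_digit(body: str) -> str:
    """Compute the mod-10 check digit for a string of digits.

    Every other digit, starting with the rightmost, is doubled (subtracting 9
    when the result exceeds 9); the check digit brings the total to a multiple of 10.
    """
    if not body.isdigit():
        raise ValueError("check digit is defined over digits only")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """Verify a number whose last character is its check digit.

    Catches every single mistyped digit and most adjacent transpositions
    (the 09/90 swap is the known exception of the Luhn scheme).
    """
    return len(number) >= 2 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def sequence_test(used: Iterable[int], first: int, last: int) -> Tuple[List[int], List[int], List[int]]:
    """Compare the form numbers present in a batch with the range issued for it.

    Returns (missing, duplicated, out_of_range), each sorted ascending.
    """
    seen = Counter(used)
    missing = [n for n in range(first, last + 1) if n not in seen]
    duplicated = sorted(n for n, count in seen.items() if count > 1)
    out_of_range = sorted(n for n in seen if not first <= n <= last)
    return missing, duplicated, out_of_range


# Constructed sample data: a correct number, the same number with two digits
# transposed, and the same number with one digit mistyped.
CUSTOMER_NUMBERS = ["79927398713", "79927398731", "79927398813"]
# Constructed batch of prenumbered forms against the range issued for the batch.
FORMS_USED = [1001, 1002, 1002, 1004, 1007]
FORMS_ISSUED = (1001, 1005)


def rejected_numbers(numbers: Iterable[str] = CUSTOMER_NUMBERS) -> List[str]:
    """Keyed numbers that fail check digit verification."""
    return [n for n in numbers if not check_digit_valid(n)]


if __name__ == "__main__":
    print(rejected_numbers())                      # ['79927398731', '79927398813']
    print(sequence_test(FORMS_USED, *FORMS_ISSUED))  # ([1003, 1005], [1002], [1007])
```

Both controls are cheap and run before any data reaches the application, which is why they sit under source data controls rather than input validation; a failing check digit is rejected at the keying stage, and a gap or duplicate in the form sequence is a question for the person who issued the forms, not for the program.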
Input Validation Routines
• Input validation routines are programs that check the validity and accuracy of input data as it is entered into the system.
• These programs are called edit programs.
• The accuracy checks they perform are called edit checks.
• What are some edit checks used in input validation routines?
9-28
Input Validation Routines
  – sequence check
  – field check
  – sign check
  – validity check
  – limit check
  – range check
  – reasonableness test
9-29
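The seven edit checks listed on the previous two slides are easiest to tell apart when they run side by side over the same batch. The Python below is an added example, not code from the slides or their textbook: a small edit program over a constructed payroll batch in which each record trips a different check. The record layout, the table of valid department codes, the 80-hour limit, the pay-rate range and the overtime rule are all assumptions chosen so that every check has something to catch.

```python
"""An edit program running the seven edit checks over a constructed payroll batch.

Added example, not code from the slides. The record layout, valid department
codes, hour limit, pay-rate range and overtime rule are assumptions.
"""
from typing import Dict, List, Tuple

VALID_DEPTS = {"ACCT", "SALES", "OPS"}   # assumed validity table
MAX_HOURS = 80.0                          # assumed ceiling for the limit check
RATE_RANGE = (7.25, 150.00)               # assumed bounds for the range check

Record = Dict[str, object]

# Constructed batch; the comment on each record names the check it should fail.
BATCH: List[Record] = [
    {"emp_id": "100234", "dept": "ACCT",  "hours": 40, "overtime": 5, "rate": 32.50},   # clean
    {"emp_id": "10O301", "dept": "SALES", "hours": 38, "overtime": 0, "rate": 28.00},   # field check
    {"emp_id": "100298", "dept": "OPS",   "hours": -8, "overtime": 0, "rate": 19.75},   # sequence, sign
    {"emp_id": "100412", "dept": "HR",    "hours": 95, "overtime": 0, "rate": 500.00},  # validity, limit, range
    {"emp_id": "100450", "dept": "OPS",   "hours": 30, "overtime": 6, "rate": 21.00},   # reasonableness
]


def edit_checks(batch: List[Record]) -> List[Tuple[str, str]]:
    """Run every edit check over the batch; return (emp_id, failed check) pairs in batch order."""
    errors: List[Tuple[str, str]] = []
    prev_id = ""
    for rec in batch:
        emp_id = str(rec["emp_id"])
        hours, overtime, rate = float(rec["hours"]), float(rec["overtime"]), float(rec["rate"])
        failed: List[str] = []
        # Sequence check: ids are fixed-width and zero-padded, so string order is numeric order.
        if emp_id <= prev_id:
            failed.append("sequence check")
        prev_id = emp_id
        # Field check: the id field must contain only digits (a letter O for zero is a classic keying error).
        if not emp_id.isdigit():
            failed.append("field check")
        # Sign check: hours worked cannot be negative.
        if hours < 0:
            failed.append("sign check")
        # Validity check: the department code must exist in the reference table.
        if rec["dept"] not in VALID_DEPTS:
            failed.append("validity check")
        # Limit check: a one-sided ceiling on hours.
        if hours > MAX_HOURS:
            failed.append("limit check")
        # Range check: two-sided bounds on the pay rate.
        if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
            failed.append("range check")
        # Reasonableness test: overtime is only plausible once a full 40-hour week is reached.
        if overtime > 0 and hours < 40:
            failed.append("reasonableness test")
        errors.extend((emp_id, check) for check in failed)
    return errors


def accepted(batch: List[Record]) -> List[str]:
    """Ids of the records that passed every edit check and may be processed."""
    rejected = {emp_id for emp_id, _ in edit_checks(batch)}
    return [str(rec["emp_id"]) for rec in batch if str(rec["emp_id"]) not in rejected]


if __name__ == "__main__":
    for emp_id, check in edit_checks(BATCH):
        print(f"{emp_id}: failed {check}")
    print("accepted:", accepted(BATCH))  # ['100234']
```

Note the difference the slides draw between a limit check (one bound) and a range check (two bounds), and that the reasonableness test is the only one that looks at the relationship between two fields rather than at a single field in isolation. Every rejected record stays out of the accepted list; how it gets back in is the job of the error-correction and resubmission procedures, not of the edit program.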
On-Line Data Entry Controls
• The goal of on-line data entry controls is to ensure the accuracy and integrity of transaction data entered from on-line terminals and PCs.
• What are some on-line data entry controls?
  – data checks
  – user ID numbers and passwords
  – compatibility tests
  – prompting
9-30
On-Line Data Entry Controls
  – preformatting
  – completeness check
  – automatic transaction data entry
  – transaction log
  – clear error messages
9-31
Data Processing and File Maintenance Controls
• What are some of the more common controls that help preserve the accuracy and completeness of data processing?
  – data currency checks
  – default values
  – data matching
  – exception reporting
9-32
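The four processing controls on this slide usually appear together in one update run: each transaction is matched against the master file, missing fields are filled from defaults, the master record is checked for currency before it is relied on, and anything that cannot be posted goes onto an exception report. The Python below is an added example, not code from the slides or their textbook. The master and transaction records, the 365-day currency threshold, the NET30 default and the credit-limit rule are constructed assumptions for the illustration.

```python
"""Data matching, default values, a data currency check and exception reporting
in a single file-maintenance run.

Added example, not code from the slides. All records, the currency threshold,
the default terms and the credit-limit rule are constructed assumptions.
"""
from datetime import date
from typing import Dict, List, Tuple

DEFAULT_TERMS = "NET30"      # default value applied when a transaction omits payment terms
MAX_MASTER_AGE_DAYS = 365    # data currency threshold: a master record older than this is not trusted

# Constructed master file, keyed by account number.
MASTER: Dict[str, dict] = {
    "1001": {"credit_limit": 5000.0, "last_updated": date(2024, 3, 1)},
    "1002": {"credit_limit": 800.0,  "last_updated": date(2022, 6, 30)},   # stale record
    "1003": {"credit_limit": 2000.0, "last_updated": date(2024, 2, 10)},
}
# Constructed transaction file; the comment names the outcome each record should get.
TRANSACTIONS: List[dict] = [
    {"id": "T1", "account": "1001", "amount": 1200.0, "terms": None},     # posted, terms defaulted
    {"id": "T2", "account": "9999", "amount": 50.0,   "terms": "NET15"},  # no master record
    {"id": "T3", "account": "1002", "amount": 100.0,  "terms": None},     # master not current
    {"id": "T4", "account": "1003", "amount": 2500.0, "terms": "NET60"},  # over credit limit
]
RUN_DATE = date(2024, 3, 15)

Posted = Tuple[str, str, float, str]
Exception_ = Tuple[str, str]


def process_batch(transactions: List[dict], master: Dict[str, dict],
                  run_date: date) -> Tuple[List[Posted], List[Exception_]]:
    """Post each transaction against the master file or route it to the exception report.

    Returns (posted rows, exception rows); a transaction lands in exactly one list.
    """
    posted: List[Posted] = []
    exceptions: List[Exception_] = []
    for t in transactions:
        # Data matching: the transaction must refer to an existing master record.
        m = master.get(t["account"])
        if m is None:
            exceptions.append((t["id"], "no matching master record"))
            continue
        # Data currency check: refuse to rely on a master record that has not been maintained.
        if (run_date - m["last_updated"]).days > MAX_MASTER_AGE_DAYS:
            exceptions.append((t["id"], "master record not current"))
            continue
        # Processing rule whose violations feed the exception report.
        if t["amount"] > m["credit_limit"]:
            exceptions.append((t["id"], "amount exceeds credit limit"))
            continue
        # Default value: fill a blank optional field rather than posting an incomplete record.
        terms = t["terms"] if t["terms"] else DEFAULT_TERMS
        posted.append((t["id"], t["account"], t["amount"], terms))
    return posted, exceptions


if __name__ == "__main__":
    posted, exceptions = process_batch(TRANSACTIONS, MASTER, RUN_DATE)
    print("posted:", posted)          # [('T1', '1001', 1200.0, 'NET30')]
    print("exceptions:", exceptions)  # T2, T3 and T4 with their reasons
```

The point of keeping the two lists disjoint is that the exception report then accounts for every transaction that did not post, which is what a reviewer needs to reconcile the run; a control that silently drops an unmatched transaction defeats the completeness objective named on the Application Controls slide.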