Controlling Computer-Based Information Systems, Part I - PowerPoint PPT Presentation

1 / 45
About This Presentation
Title:

Controlling Computer-Based Information Systems, Part I

Description:

A corporate computer services function/information center may help to alleviate ... User help desk - Configuration Management - Risk Management & Security ... – PowerPoint PPT presentation

Number of Views:134
Avg rating:3.0/5.0
Slides: 46
Provided by: patrickwhe
Category:

less

Transcript and Presenter's Notes

Title: Controlling Computer-Based Information Systems, Part I


1
Chapter 15
  • Controlling Computer-Based Information
    Systems, Part I

2
Objectives for Chapter 15
  • Features of a CBIS environment and the control
    objectives in SAS 78
  • Threats to the operating system and controls used
    to minimize exposures
  • Techniques used to control access to the database
  • Incompatible functions in a CBIS environment
  • Controls necessary to regulate systems
    development and maintenance activities
  • Controls of an organizations computer facilities
    and the disaster recovery options

3
Controls, CBIS SAS 78
  • Transaction authorization
  • may be embedded into the programs
  • Segregation of duties
  • Duties that must be separated in a manual system
    may be combined in a computerized setting.
  • The computer-based functions of programming,
    processing, and maintenance must be separated.

4
Segregation of Duties Control Objectives
  • Transaction authorization is separate from
    transaction processing.
  • Asset custody is separate from record-keeping
    responsibilities.
  • The sub-tasks needed to process the transactions
    are separated so that no individual or group is
    responsible for transaction authorization,
    transaction recording, and asset custody.

5
Segregation of Duties
Processing
Control Objective 1
Custody
Recording
Control Objective 2
Custody
Recording
Control Objective 3
Task 3
Task 4
TRANSACTION
6
Controls, CBIS SAS 78
  • Supervision - more supervision is typically
    necessary in a CBIS because
  • highly skilled employees generally have a higher
    turnover rate
  • highly skilled employees are often in positions
    of authority
  • physical observation of employees working with
    the system is often difficult or impractical

7
Controls, CBIS SAS 78
  • Accounting records
  • Source documents and ledgers may be stored
    magnetically with no paper trail.
  • Expertise is required to understand the links.
  • Access control
  • Tight control is necessary over access to
    programs and files.
  • Fraud is easier to commit since records are
    located in one data repository.

8
Controls, CBIS SAS 78
  • Independent verification
  • need to review the internal logic of programs and
    comparison of accounting records and physical
    assets
  • management must assess
  • the performance of individuals
  • the integrity of the transaction processing
    system
  • the correctness of data contained in accounting
    records

9
General Control Framework for CBIS Exposures
  • 10 control components need to be addressed
  • operating system
  • data management
  • organizational structure
  • systems development
  • systems maintenance
  • computer center security
  • internet and Intranet
  • EDI
  • personal computer
  • applications

10
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
11
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
12
Operating System Controls
  • The operating systems performs three main tasks
  • translates high-level languages into the
    machine-level language
  • allocates computer resources to user applications
  • manages the tasks of job scheduling and
    multiprogramming.

13
For An Operating System To Perform These Tasks
Consistently And Reliably, It Must
  • protect itself from tampering from users
  • be able to prevent users from tampering with the
    programs of other users
  • be able to safeguard users applications from
    accidental corruption
  • be able to safeguard its own programs from
    accidental corruption
  • be able to protect itself from power failures or
    other disasters

14
Operating System Security
  • Log-On Procedure
  • first line of defense--user IDs and passwords
  • Access Token
  • contains key information about the user
  • Access Control List
  • defines access privileges of users
  • Discretionary Access Control
  • allows user to grant access to another user

15
Operating System Control Techniques
  • Access privilege controls
  • determine who can access what data in the system
  • Password controls
  • reusable passwords
  • one-time passwords
  • Malicious and destructive programs controls
  • protection against virus, worms, logic bombs,
    etc.
  • System audit trail controls
  • keystroke monitoring
  • event monitoring

16
Operating System Control Dangers
  • Browsing
  • looking through memory for sensitive information
    (e.g., in the printer queue)
  • Masquerading
  • pretend to be an authorized user by getting id
    and passwords
  • Virus Worms
  • foreign programs that spread
    through the system
  • virus must attach to another program,
    worms are self-contained

17
Operating System Control Dangers
  • Trojan Horse
  • foreign program that conceals itself with another
    legitimately imported program
  • Logic Bomb
  • foreign programs triggered by a specific event
  • Back Door
  • alternative entry into system

18
Anti-Virus Software
  • can prevent the initial infection
    by write protecting the file
  • can detect the infection of known viruses
  • can sometimes remove the infection
  • must stay current

19
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
20
Data Management Controls
  • Two crucial control issues

Access controls Backup controls
21
Access Controls
  • User views - based on sub-schemas
  • Database authorization table - allows greater
    authority to be specified
  • User-defined procedures - user to create a
    personal security program or routine
  • Data encryption - encoding algorithms
  • Biometric devices - fingerprints, retina prints,
    or signature characteristics
  • Inference controls - necessary in systems which
    allow queries

22
Subschema Restricting Access
23
Computer Resource Authority Table
List
Resource
Employee Line Cash Receipts AR File
File Printer Program
User
Read data Change Add Delete
User 1
Ticket
No Access Use No Access
Read code No Access Use Modify Delete
Read only
User 2
No Access Read only Use No Access
User 3
24
Data Management Controls
  • Backup options
  • grandparent-parent-child backup - the number of
    generations to backup is a policy issue
  • direct access file backup - back-up master-file
    at pre-determined intervals
  • off-site storage - guard against
    disasters and/or physical destruction

25
Backup Controls
  • Database environment
  • database backup - automatic periodic backup
  • transaction log (journal) - a list of
    transactions which provides an audit trail of all
    processed transactions
  • checkpoint features - suspends all data
    processing while the system performs
    reconciliation
  • recovery module - restarts the system after a
    failure

26
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
27
Organizational Structure Controls
  • The two main CBIS environments have different
    exposures and IC requirements
  • Centralized DP Distributed DP

28
President
CENTRALIZED COMPUTER SERVICES FUNCTION
VP Marketing
VP Computer Services
VP Operations
VP Finance
Database Administration
Data Processing
Systems Development
New Systems Development
Data Control
Data Preparation
Data Library
Systems Maintenance
Computer Operations
DISTRIBUTED ORGANIZATIONAL STRUCTURE
President
VP Marketing
VP Finance
VP Operations
VP Administration
Manager Plant X
Manager Plant Y
Treasurer
Controller
IPU
IPU
IPU
IPU
IPU
IPU
29
Centralized DP Organizational Controls
  • In centralized IS, need to separate
  • systems development from computer operations
  • database administrator and other computer service
    functions
  • especially database administrator (authorizing)
    and systems development (processing)
  • DBA authorizes access
  • maintenance and new systems development
  • data library and operations

30
Distributed DP Organizational Controls
  • Distributed Data Processing despite many
    advantages of this approach, control implications
    are present
  • incompatible software among the various work
    centers
  • data redundancy may result
  • consolidation of incompatible tasks
  • difficulty hiring qualified professionals
  • lack of standards

31
Organizational Structure Controls
  • A corporate computer services function/information
    center may help to alleviate the potential
    problems associated with DDP by providing
  • central testing of commercial hardware and
    software
  • a user services staff
  • a standard-setting body
  • reviewing technical credentials of prospective
    systems professionals

32
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
33
Systems Development Life Cycle
Business Needs and Strategy
Legacy Situation
Business Requirements
1. Systems Strategy - Assessment - Develop
Strategic Plan
FeedbackUser requests for New Systems
System Interfaces, Architecture and User
Requirements
High Priority Proposals undergo Additional Study
and Development
2. Project Initiation - Feasibility Study -
Analysis - Conceptual Design -
Cost/Benefit Analysis
FeedbackUser requests for System Improvements
and Support
Selected System Proposals go forward for Detailed
Design
3. In-house Development - Construct -
Deliver
4. Commercial Packages - Configure - Test -
Roll-out
New and Revised Systems Enter into Production
5. Maintenance Support - User help desk -
Configuration Management - Risk Management
Security
34
Systems Development Controls
  • New systems must be authorized.
  • User needs and requests should be formally
    documented.
  • Technical design activities should be documented.
  • Internal auditors should participate in the
    development process.
  • All program modules must be thoroughly tested
    before they are implemented.
  • Individual modules must be tested by a team of
    users, internal audit staff, and systems
    professionals.

35
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
36
System Maintenance Controls
  • Last, longest and most costly phase of SDLC
  • 80-90 of entire cost of a system
  • All maintenance actions should require
  • technical specifications
  • testing
  • documentation updates
  • formal authorizations for any changes made

37
SPL
  • Source program library (SPL)
  • library of applications and software
  • place where programs are developed and modified
  • once compiled into machine language, no longer
    vulnerable

38
Uncontrolled Access to the Source Program Library
39
A Controlled SPL Environment
  • An SPL Management System (SPLMS) can be used to
    protect the SPL environment by controlling the
    following functions
  • storing programs on the SPL
  • retrieving programs for maintenance purposes
  • deleting obsolete programs from the library
  • documenting program changes to provide an audit
    trail of the changes

40
Source Program Library under the Control of SPL
Management Software
41
SPL Control Features
  • Password control
  • Separation of test libraries
  • Reports that enhance management control and the
    audit function
  • Assigns program version numbers automatically
  • Controlled access to maintenance commands
  • Documentation and authorization of changes

42
Organizational Structure
Internet Intranet
Data Management
Operating System
Systems Development
Personal Computers
Systems Maintenance
EDI Trading Partners
Applications
Computer Center Security
General Control Framework for CBIS Exposures
43
Computer Center Controls
  • Considerations
  • location away from human-made and natural hazards
  • utility and communications lines underground
  • windows closed and air filtration systems in
    place
  • access limited to the operators and other
    necessary workers others required to sign in and
    out
  • fire suppressions systems should be installed
  • backup power supplies

44
Disaster Recovery Planning
  • Disaster recovery plan (DRP)
  • all actions to be taken before, during, and after
    a disaster
  • Disaster Recovery Team (DRT) identified
  • critical applications must be identified
  • restore these applications first
  • Backups off-site storage procedures
  • databases and applications
  • documentation
  • supplies

45
Second-Site Disaster Backups
  • The Empty Shell - involves two or more user
    organizations that buy or lease a building and
    remodel it into a computer site, but without
    computer equipment
  • The Recovery Operations Center - a completely
    equipped site very costly and typically shared
    among many companies
  • Internally Provided Backup - companies with
    multiple data processing centers may create
    internal excess capacity
Write a Comment
User Comments (0)
About PowerShow.com