1 / 42

Chapter 2: Computer Operations

Chapter 2: Computer Operations. STRUCTURING THE IT FUNCTION. Centralized data processing (as opposed to DDP) Database administrator Data processing manager/dept. Data control Data preparation/conversion Computer operations Data library. STRUCTURING THE IT FUNCTION.

ishi
Download Presentation

Chapter 2: Computer Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 2:Computer Operations

  2. STRUCTURING THE IT FUNCTION • Centralized data processing (as opposed to DDP) • Database administrator • Data processing manager/dept. • Data control • Data preparation/conversion • Computer operations • Data library

  3. STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Systems development & maintenance • Participants • End users • IS professionals • Auditors • Other stakeholders

  4. STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Objectives: • Segregate transaction authorization from transaction processing • Segregate record keeping from asset custody • Divide transaction processing steps among individuals to force collusion to perpetrate fraud • Separating systems development from computer operations

  5. STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Separating DBA from other functions • DBA is responsible for several critical tasks: • Database security • Creating database schema and user views • Assigning database access authority to users • Monitoring database usage • Planning for future changes

  6. STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Alternative 1: segregate systems analysis from programming • Two types of control problems from this approach: • Inadequate documentation • Is a chronic problem. Why? • Not interesting • Lack of documentation provides job security • Assistance: Use of CASE tools • Potential for fraud • Example: Salami slicing, trap doors

  7. STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Segregate data library from operations • Physical security of off-line data files • Implications of modern systems on use of data library: • Real-time/online vs. batch processing • Volume of tape files is insufficient to justify full-time librarian • Alternative: rotate on ad hoc basis • Custody of on site data backups • Custody of original commercial software and licenses

  8. STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Audit procedures: • Obtain and review security policy • Verify policy is communicated • Review relevant documentation (org. chart, mission statement, key job descriptions) • Review systems documentation and maintenance records (using a sample) • Verify whether maintenance programmers are also original design programmers • Observe segregation policies in practice • Review operations room access log • Review user rights and privileges

  9. Computing Models • Centralized Processing • Client Server Processing • thin or fat clients • 2 to n tiered • Distributed Computing • using idle processing time • Distributed Database Computing • replicated or divided

  10. STRUCTURING THE IT FUNCTION • The distributed model • Risks associated with DDP • Inefficient use of resources • Mismanagement of resources by end users • Hardware and software incompatibility • Redundant tasks • Destruction of audit trails • Inadequate segregation of duties • Hiring qualified professionals • Increased potential for errors • Programming errors and system failures • Lack of standards

  11. STRUCTURING THE IT FUNCTION • The distributed model • Advantages of DDP • Cost reduction • End user data entry vs. data control group • Application complexity reduced • Development and maintenance costs reduced • Improved cost control responsibility • IT critical to success then managers must control the technologies • Improved user satisfaction • Increased morale and productivity • Backup flexibility • Excess capacity for DRP

  12. STRUCTURING THE IT FUNCTION • Controlling the DDP environment • Audit objectives: • Conduct a risk assessment • Verify the distributed IT units employ entity-wide standards of performance that promotes compatibility among hardware, operating software, applications, and data

  13. STRUCTURING THE IT FUNCTION • Controlling the DDP environment • Audit procedures: • Verify corporate policies and standards are communicated • Review current organization chart, mission statement, key job descriptions to determine if any incompatible duties exist • Verify compensating controls are in place where incompatible duties do exist • Review systems documentation • Verify access controls are properly established

  14. THE COMPUTER CENTER • Computer center controls • Physical location • Avoid human-made and natural hazards • Example: Chicago Board of Trade • Construction • Ideally: single-story, underground utilities, windowless, use of filters • If multi-storied building, use top floor (away from traffic flows, and potential flooding in a basement) • Access • Physical: Locked doors, cameras • Manual: Access log of visitors

  15. THE COMPUTER CENTER • Computer center controls • Air conditioning • Especially mainframes • Amount of heat even from a group of PCs • Fire suppression • Automatic: usually sprinklers • Gas, such as halon, that will smother fire by removing oxygen can also kill anybody trapped there • Sprinklers and certain chemicals can destroy the computers and equipment • Manual methods • Power supply • Need for clean power, at a acceptable level • Uninterrupted power supply

  16. THE COMPUTER CENTER • Computer center controls • Audit objectives • Verify physical security controls are reasonable • Verify insurance coverage is adequate • Verify operator documentation is adequate in case of failure • Audit procedures • Tests of physical construction • Tests of fire detection • Tests of access control • Tests of backup power supply • Tests for insurance coverage • Tests of operator documentation controls

  17. PC SYSTEMS • Control environment for PCs • Controls • Risk assessment • Inherent weaknesses • Weak access control • Inadequate segregation of duties • Multilevel password control – multifaceted access control • Risk of physical loss • Laptops, etc. can “walk off” • Risk of data loss • Easy for multiple users to access data • End user can steal, destroy, manipulate • Inadequate backup procedures • Local backups on appropriate medium • Dual hard drives on PC • External/removable hard drive on PC

  18. PC SYSTEMS • Control environment for PCs • Risk associated with virus infection • Policy of obtaining software • Policy for use of anti-virus software • Verify no unauthorized software on PCs • Risk of improper SDLC procedures • Use of commercial software • Formal software selection procedures

  19. PC SYSTEMS • PC systems audit • Audit objectives • Verify controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft • Verifythat adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators • Verifythat backup procedures are in place to prevent data and program loss due to system failures, errors • Verifythat systems selection and acquisition procedures produce applications that are high quality, and protected from unauthorized changes • Verifythe system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object

  20. FIGURE 2.8 – Password Policy Proper Dissemination – Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization. Proper Length: Use at least 8 characters. The more characters, the more difficult to guess or crack. Eight characters is an effective length to prevent guessing, if combined with below. Proper Strength: Use alphabet (letters), numbers (at least 1), and special characters (at least 1). The more non-alpha, the harder to guess or crack. Make them case sensitive and mix upper and lower case. A “Strong” password for any critical access or key user. Password CANNOT contain a real word in the content. Proper Access Levels or Complexity: Use multiple levels of access requiring multiple passwords. Use a password matrix of data to grant read-only, read/write, or no access per data field per user. Use biometrics {such as fingerprints, voice prints}. Use supplemental access devices, such as smart cards, or beeper passwords in conjunction with remote logins. Use user-defined procedures. Proper Timely Changes: At regular intervals, make employees change their passwords. Proper Protection: Prohibit the sharing of passwords or “post-its” with passwords located near one’s computer. Proper Deletion: Require the immediate deletion of accounts for terminated employees, to prevent an employee from being able to perpetrate adverse activities.

  21. SYSTEM-WIDE CONTROLS • E-mail risks • Spoofing • Spamming • Hoax virus warnings • Flaming • Malicious attachments (e.g., viruses) • Phishing • Pharming

  22. SYSTEM-WIDE CONTROLS • Malicious objects risk • Virus • Worm • Logic bomb • Back door / trap door • Trojan horse • Potential control procedures • Audit objective • Audit procedures

  23. SYSTEM-WIDE CONTROLS • Controlling electronic audit trails • Keystroke monitoring (keystroke log) • Event monitoring (key events log) • Audit trail objectives • Detecting unauthorized access • Reconstructing events • Personal accountability • Implementing an audit trail • Transaction logs

  24. SYSTEM-WIDE CONTROLS • Disaster recovery planning • Critical applications identified and ranked • Create a disaster recovery team with responsibilities

  25. SYSTEM-WIDE CONTROLS • Disaster recovery planning • Site backup • “Hot site” – Recovery Operations Center • “Cold site” – empty shell • Mutual aid pact • Internally provided backup • Other options

  26. SYSTEM-WIDE CONTROLS • Disaster recovery planning • Audit objectives • Verifymanagement’s DRP is adequate • Audit procedures • Verifya second-site backup is adequate • Reviewthe critical application list for completeness • Verifybackups of application software are stored off-site • Verifythat critical data files are backed up and readily accessible to DRP team • Verifyresources of supplies, documents, and documentation are backed up and stored off-site • Verifythat members listed on the team roster are current employees and that they are aware of their responsibilities

  27. SYSTEM-WIDE CONTROLS • Fault tolerance • Definition • 44% of IS down-time attributable to system failures! • Controls • Redundant systems or parts • RAID • UPS • Multiprocessors • Audit objective • To ensure the organization is employing an appropriate level of fault tolerance • Audit procedures • Verify proper level of RAID devices • Review procedures for recovery from system failure • Verify boot disks are secured

  28. Client Server Systems

  29. Firewalls

  30. Proxy Servers

  31. Demilitarized Zone

  32. Chapter 2:Computer Operations

  33. Excerpts from … An Introduction to Computer Auditing (online reading)

  34. Computer Auditing Examples of Computer Abuse • Unauthorized disclosure of confidential information • Unavailability of key IT systems • Unauthorized modification of IT systems • Theft of IT hardware and software • Theft of IT data files • Use of IT resources for personal use

  35. Problems with Computer Auditing • Technology continually evolves • IT can be a black box and attacks may not be apparent • Auditors lack of IT skills • Data can be difficult to access • Computer logs and audit trails may be incomplete • On-line real time systems can support frauds that occur rapidly without sufficient time to react • Electronic evidence is volatile

  36. Systems Development • Use of project management • Use of methodology such as SDLC, RAD • Steering Committee • Continuous monitoring of progress (milestones) • Prototyping

  37. IT Application Controls • Input Controls: all data entered is authorized, complete, accurate, and entered only once • Processing Controls: transactions are processed completely, accurately, and in a timely manner • Output Controls: results are communicated to the authorized persons in a timely and efficient manner

  38. General Controls • Identification, prioritization and development of new systems and modification of existing systems • Ongoing operations and maintenance • Physical access • Access rights and privileges • Change management control • Segregation of incompatible duties • Contingency planning

  39. The basic principles of good project management are: • clearly defined management responsibility • clear objectives and scope • effective planning and control • clear lines of accountability • steering committee oversight • milestones

  40. good project management (cont.) • end-user involvement • methodology such as SDLC or RAD • possible use of prototypes • possible use of phased development

  41. Be sure to read the entire article!

More Related