420 likes | 671 Views
Chapter 2: Computer Operations. STRUCTURING THE IT FUNCTION. Centralized data processing (as opposed to DDP) Database administrator Data processing manager/dept. Data control Data preparation/conversion Computer operations Data library. STRUCTURING THE IT FUNCTION.
E N D
STRUCTURING THE IT FUNCTION • Centralized data processing (as opposed to DDP) • Database administrator • Data processing manager/dept. • Data control • Data preparation/conversion • Computer operations • Data library
STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Systems development & maintenance • Participants • End users • IS professionals • Auditors • Other stakeholders
STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Objectives: • Segregate transaction authorization from transaction processing • Segregate record keeping from asset custody • Divide transaction processing steps among individuals to force collusion to perpetrate fraud • Separating systems development from computer operations
STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Separating DBA from other functions • DBA is responsible for several critical tasks: • Database security • Creating database schema and user views • Assigning database access authority to users • Monitoring database usage • Planning for future changes
STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Alternative 1: segregate systems analysis from programming • Two types of control problems from this approach: • Inadequate documentation • Is a chronic problem. Why? • Not interesting • Lack of documentation provides job security • Assistance: Use of CASE tools • Potential for fraud • Example: Salami slicing, trap doors
STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Segregate data library from operations • Physical security of off-line data files • Implications of modern systems on use of data library: • Real-time/online vs. batch processing • Volume of tape files is insufficient to justify full-time librarian • Alternative: rotate on ad hoc basis • Custody of on site data backups • Custody of original commercial software and licenses
STRUCTURING THE IT FUNCTION • Segregation of incompatible IT functions • Audit procedures: • Obtain and review security policy • Verify policy is communicated • Review relevant documentation (org. chart, mission statement, key job descriptions) • Review systems documentation and maintenance records (using a sample) • Verify whether maintenance programmers are also original design programmers • Observe segregation policies in practice • Review operations room access log • Review user rights and privileges
Computing Models • Centralized Processing • Client Server Processing • thin or fat clients • 2 to n tiered • Distributed Computing • using idle processing time • Distributed Database Computing • replicated or divided
STRUCTURING THE IT FUNCTION • The distributed model • Risks associated with DDP • Inefficient use of resources • Mismanagement of resources by end users • Hardware and software incompatibility • Redundant tasks • Destruction of audit trails • Inadequate segregation of duties • Hiring qualified professionals • Increased potential for errors • Programming errors and system failures • Lack of standards
STRUCTURING THE IT FUNCTION • The distributed model • Advantages of DDP • Cost reduction • End user data entry vs. data control group • Application complexity reduced • Development and maintenance costs reduced • Improved cost control responsibility • IT critical to success then managers must control the technologies • Improved user satisfaction • Increased morale and productivity • Backup flexibility • Excess capacity for DRP
STRUCTURING THE IT FUNCTION • Controlling the DDP environment • Audit objectives: • Conduct a risk assessment • Verify the distributed IT units employ entity-wide standards of performance that promotes compatibility among hardware, operating software, applications, and data
STRUCTURING THE IT FUNCTION • Controlling the DDP environment • Audit procedures: • Verify corporate policies and standards are communicated • Review current organization chart, mission statement, key job descriptions to determine if any incompatible duties exist • Verify compensating controls are in place where incompatible duties do exist • Review systems documentation • Verify access controls are properly established
THE COMPUTER CENTER • Computer center controls • Physical location • Avoid human-made and natural hazards • Example: Chicago Board of Trade • Construction • Ideally: single-story, underground utilities, windowless, use of filters • If multi-storied building, use top floor (away from traffic flows, and potential flooding in a basement) • Access • Physical: Locked doors, cameras • Manual: Access log of visitors
THE COMPUTER CENTER • Computer center controls • Air conditioning • Especially mainframes • Amount of heat even from a group of PCs • Fire suppression • Automatic: usually sprinklers • Gas, such as halon, that will smother fire by removing oxygen can also kill anybody trapped there • Sprinklers and certain chemicals can destroy the computers and equipment • Manual methods • Power supply • Need for clean power, at a acceptable level • Uninterrupted power supply
THE COMPUTER CENTER • Computer center controls • Audit objectives • Verify physical security controls are reasonable • Verify insurance coverage is adequate • Verify operator documentation is adequate in case of failure • Audit procedures • Tests of physical construction • Tests of fire detection • Tests of access control • Tests of backup power supply • Tests for insurance coverage • Tests of operator documentation controls
PC SYSTEMS • Control environment for PCs • Controls • Risk assessment • Inherent weaknesses • Weak access control • Inadequate segregation of duties • Multilevel password control – multifaceted access control • Risk of physical loss • Laptops, etc. can “walk off” • Risk of data loss • Easy for multiple users to access data • End user can steal, destroy, manipulate • Inadequate backup procedures • Local backups on appropriate medium • Dual hard drives on PC • External/removable hard drive on PC
PC SYSTEMS • Control environment for PCs • Risk associated with virus infection • Policy of obtaining software • Policy for use of anti-virus software • Verify no unauthorized software on PCs • Risk of improper SDLC procedures • Use of commercial software • Formal software selection procedures
PC SYSTEMS • PC systems audit • Audit objectives • Verify controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft • Verifythat adequate supervision and operating procedures exist to compensate for lack of segregation between the duties of users, programmers, and operators • Verifythat backup procedures are in place to prevent data and program loss due to system failures, errors • Verifythat systems selection and acquisition procedures produce applications that are high quality, and protected from unauthorized changes • Verifythe system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object
FIGURE 2.8 – Password Policy Proper Dissemination – Promote it, use it during employee training or orientation, and find ways to continue to raise awareness within the organization. Proper Length: Use at least 8 characters. The more characters, the more difficult to guess or crack. Eight characters is an effective length to prevent guessing, if combined with below. Proper Strength: Use alphabet (letters), numbers (at least 1), and special characters (at least 1). The more non-alpha, the harder to guess or crack. Make them case sensitive and mix upper and lower case. A “Strong” password for any critical access or key user. Password CANNOT contain a real word in the content. Proper Access Levels or Complexity: Use multiple levels of access requiring multiple passwords. Use a password matrix of data to grant read-only, read/write, or no access per data field per user. Use biometrics {such as fingerprints, voice prints}. Use supplemental access devices, such as smart cards, or beeper passwords in conjunction with remote logins. Use user-defined procedures. Proper Timely Changes: At regular intervals, make employees change their passwords. Proper Protection: Prohibit the sharing of passwords or “post-its” with passwords located near one’s computer. Proper Deletion: Require the immediate deletion of accounts for terminated employees, to prevent an employee from being able to perpetrate adverse activities.
SYSTEM-WIDE CONTROLS • E-mail risks • Spoofing • Spamming • Hoax virus warnings • Flaming • Malicious attachments (e.g., viruses) • Phishing • Pharming
SYSTEM-WIDE CONTROLS • Malicious objects risk • Virus • Worm • Logic bomb • Back door / trap door • Trojan horse • Potential control procedures • Audit objective • Audit procedures
SYSTEM-WIDE CONTROLS • Controlling electronic audit trails • Keystroke monitoring (keystroke log) • Event monitoring (key events log) • Audit trail objectives • Detecting unauthorized access • Reconstructing events • Personal accountability • Implementing an audit trail • Transaction logs
SYSTEM-WIDE CONTROLS • Disaster recovery planning • Critical applications identified and ranked • Create a disaster recovery team with responsibilities
SYSTEM-WIDE CONTROLS • Disaster recovery planning • Site backup • “Hot site” – Recovery Operations Center • “Cold site” – empty shell • Mutual aid pact • Internally provided backup • Other options
SYSTEM-WIDE CONTROLS • Disaster recovery planning • Audit objectives • Verifymanagement’s DRP is adequate • Audit procedures • Verifya second-site backup is adequate • Reviewthe critical application list for completeness • Verifybackups of application software are stored off-site • Verifythat critical data files are backed up and readily accessible to DRP team • Verifyresources of supplies, documents, and documentation are backed up and stored off-site • Verifythat members listed on the team roster are current employees and that they are aware of their responsibilities
SYSTEM-WIDE CONTROLS • Fault tolerance • Definition • 44% of IS down-time attributable to system failures! • Controls • Redundant systems or parts • RAID • UPS • Multiprocessors • Audit objective • To ensure the organization is employing an appropriate level of fault tolerance • Audit procedures • Verify proper level of RAID devices • Review procedures for recovery from system failure • Verify boot disks are secured
Excerpts from … An Introduction to Computer Auditing (online reading)
Computer Auditing Examples of Computer Abuse • Unauthorized disclosure of confidential information • Unavailability of key IT systems • Unauthorized modification of IT systems • Theft of IT hardware and software • Theft of IT data files • Use of IT resources for personal use
Problems with Computer Auditing • Technology continually evolves • IT can be a black box and attacks may not be apparent • Auditors lack of IT skills • Data can be difficult to access • Computer logs and audit trails may be incomplete • On-line real time systems can support frauds that occur rapidly without sufficient time to react • Electronic evidence is volatile
Systems Development • Use of project management • Use of methodology such as SDLC, RAD • Steering Committee • Continuous monitoring of progress (milestones) • Prototyping
IT Application Controls • Input Controls: all data entered is authorized, complete, accurate, and entered only once • Processing Controls: transactions are processed completely, accurately, and in a timely manner • Output Controls: results are communicated to the authorized persons in a timely and efficient manner
General Controls • Identification, prioritization and development of new systems and modification of existing systems • Ongoing operations and maintenance • Physical access • Access rights and privileges • Change management control • Segregation of incompatible duties • Contingency planning
The basic principles of good project management are: • clearly defined management responsibility • clear objectives and scope • effective planning and control • clear lines of accountability • steering committee oversight • milestones
good project management (cont.) • end-user involvement • methodology such as SDLC or RAD • possible use of prototypes • possible use of phased development