
CBIS Controls and SAS 78: Ensuring Security and Compliance

Explore the features of a CBIS environment, threats to operating systems, techniques to control database access, and controls for systems development and maintenance. Learn how transaction authorization and segregation of duties are vital control objectives. Understand the importance of supervision, accounting records, independent verification, and the general control framework.

taylorw




Presentation Transcript


  1. Chapter 15 Controlling Computer-Based Information Systems, Part I

  2. Objectives for Chapter 15 • Features of a CBIS environment and the control objectives in SAS 78 • Threats to the operating system and controls used to minimize exposures • Techniques used to control access to the database • Incompatible functions in a CBIS environment • Controls necessary to regulate systems development and maintenance activities • Controls of an organization’s computer facilities and the disaster recovery options

  3. Controls, CBIS & SAS 78 • TRANSACTION AUTHORIZATION • may be embedded into the programs • SEGREGATION OF DUTIES • Duties that must be separated in a manual system may be combined in a computerized setting. • The computer-based functions of programming, processing, and maintenance must be separated.

  4. Segregation of Duties Control Objectives • Transaction authorization is separate from transaction processing. • Asset custody is separate from recordkeeping responsibilities. • The sub-tasks needed to process the transactions are separated so that no individual or group is responsible for transaction authorization, transaction recording, and asset custody.
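The three control objectives above are easiest to audit when they are written down as rules and run over the actual duty assignments. The following is an added example, not part of the deck: it encodes the three objectives plus slide 3's rule that programming, operations and maintenance are separated, and flags any user or group whose combined duties break one. All user names, duty labels and group names are constructed.

```python
"""Segregation-of-duties conflict check over constructed user assignments.

Added example (not from the slide deck). The three control objectives on
the slide, plus the rule that programming, operations and maintenance are
separated, are encoded as rules; each rule lists duties that must be
separated and how many of them one party may hold at most.
"""
from typing import Dict, Iterable, List, Set, Tuple

# (rule name, duties that must be separated, maximum one party may hold)
RULES: List[Tuple[str, Set[str], int]] = [
    ("Objective 1: authorization separate from processing",
     {"authorization", "processing"}, 1),
    ("Objective 2: custody separate from recordkeeping",
     {"custody", "recordkeeping"}, 1),
    ("Objective 3: nobody holds authorization, recording and custody",
     {"authorization", "recordkeeping", "custody"}, 2),
    # The deck's CBIS functions; its 'processing' here means computer operations.
    ("CBIS: programming, operations and maintenance separated",
     {"programming", "operations", "maintenance"}, 1),
]


def violations(duties: Iterable[str]) -> List[str]:
    """Return the rules a single party (user or group) breaks."""
    held = set(duties)
    broken = []
    for name, separated, max_held in RULES:
        overlap = held & separated
        if len(overlap) > max_held:
            broken.append(f"{name}: holds {sorted(overlap)}")
    return broken


def check_users(assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each user with a conflict to the rules they break."""
    return {user: found for user, duties in assignments.items()
            if (found := violations(duties))}


def check_groups(assignments: Dict[str, Set[str]],
                 groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Objective 3 also covers groups: a group's duties are the union of its members'."""
    result = {}
    for group, members in groups.items():
        combined: Set[str] = set().union(*(assignments[m] for m in members))
        if found := violations(combined):
            result[group] = found
    return result


# Constructed sample data (not from the deck).
SAMPLE_USERS = {
    "alice": {"authorization"},
    "bob": {"processing", "recordkeeping"},
    "carol": {"custody", "recordkeeping"},      # breaks Objective 2
    "dave": {"programming", "maintenance"},      # breaks the CBIS rule
}
SAMPLE_GROUPS = {"ar-team": ["alice", "bob"], "ops": ["dave"]}

if __name__ == "__main__":
    for who, found in {**check_users(SAMPLE_USERS),
                       **check_groups(SAMPLE_USERS, SAMPLE_GROUPS)}.items():
        print(who, "->", found)
```

The group check matters in a CBIS: two people who are individually clean can still, as a team that shares an account or a queue, hold authorization and processing together, which is exactly what objective 3 is worded to catch.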

  5. [Diagram: Segregation of Duties. Labels shown: Transaction; Task 1, Task 2, Task 3, Task 4; Authorization, Processing, Custody, Recording (Journals); Control Objective 1, Control Objective 2 and Control Objective 3 marking the required separations between the tasks.]

  6. Controls, CBIS & SAS 78 • SUPERVISION - more supervision is typically necessary in a CBIS because: • highly skilled employees generally have a higher turnover rate • highly skilled employees are often in positions of authority • physical observation of employees working with the system is often difficult or impractical

  7. Controls, CBIS & SAS 78 • ACCOUNTING RECORDS • Source documents and ledgers may be stored magnetically with no “paper trail.” • Expertise is required to understand the links. • ACCESS CONTROL • Tight control is necessary over access to programs and files. • Fraud is easier to commit since records are located in one data repository.

  8. Controls, CBIS & SAS 78 (continued) • INDEPENDENT VERIFICATION • need to review the internal logic of programs and to compare accounting records with physical assets • management must assess: • the performance of individuals • the integrity of the transaction processing system • the correctness of data contained in accounting records

  9. General Control Framework for CBIS Exposures 10 control components need to be addressed: • Operating system • Data management • Organizational structure • Systems development • Systems maintenance • Computer center security • Internet and Intranet • EDI • Personal computer • Applications

  10. [Diagram: General Control Framework for CBIS Exposures. Components shown: Organizational Structure, Internet & Intranet, Data Management, Operating System, Systems Development, Personal Computers, Systems Maintenance, EDI Trading Partners, Applications, Computer Center Security.]

  11. [Section divider: the General Control Framework for CBIS Exposures diagram, repeated.]

  12. Operating System Controls • The operating system performs three main tasks: • It translates high-level languages into the machine-level language. • It allocates computer resources to user applications. • It manages the tasks of job scheduling and multiprogramming.

  13. For an operating system to perform these tasks consistently and reliably, it must • protect itself from tampering by users • be able to prevent users from tampering with the programs of other users • be able to safeguard users’ applications from accidental corruption • be able to safeguard its own programs from accidental corruption • be able to protect itself from power failures or other disasters

  14. Operating System Security • Log-On Procedure • first line of defense: user IDs and passwords • Access Token • contains key information about the user • Access Control List • defines access privileges of users • Discretionary Access Control • allows a user to grant access to another user
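The four mechanisms on slide 14 fit together in one chain: a log-on produces an access token, the token is checked against each resource's access control list, and discretionary access control lets the owner extend that list. The toy kernel below is an added example, not code from the deck or from any real operating system; the account names, passwords, resource name and the 'grant' right are all constructed assumptions.

```python
"""Log-on procedure, access token, ACL and discretionary grant in one toy OS.

Added example (not from the deck, not any real operating system). A user
logs on with a password checked against a salted PBKDF2 hash; success
yields an access token carrying the user id and group memberships; every
resource carries an access control list keyed by principal; the holder of
the 'grant' right on a resource (initially its owner) may extend the ACL,
which is the discretionary access control the slide describes.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    groups: Set[str]
    salt: bytes
    pw_hash: bytes


@dataclass
class AccessToken:
    """Issued only by a successful log-on; carries what access checks need."""
    user_id: str
    groups: Set[str]


@dataclass
class Resource:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # principal -> rights


class ToyKernel:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.resources: Dict[str, Resource] = {}
        self.audit: List[Tuple] = []       # security log of log-ons and access decisions

    def add_account(self, user_id: str, password: str, groups: Iterable[str] = ()) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, set(groups), salt, hash_password(password, salt))

    def log_on(self, user_id: str, password: str) -> Optional[AccessToken]:
        acct = self.accounts.get(user_id)
        # Hash against a dummy when the user is unknown so both paths take similar time.
        salt, stored = (acct.salt, acct.pw_hash) if acct else (b"\0" * 16, b"\0" * 32)
        if acct is None or not hmac.compare_digest(stored, hash_password(password, salt)):
            self.audit.append(("LOGON_FAIL", user_id))
            return None
        self.audit.append(("LOGON_OK", user_id))
        return AccessToken(user_id, set(acct.groups))

    def create(self, token: AccessToken, name: str) -> None:
        """Creator becomes owner with full rights, including the right to grant."""
        self.resources[name] = Resource(name, token.user_id,
                                        {token.user_id: {"read", "write", "grant"}})

    def check(self, token: AccessToken, name: str, right: str) -> bool:
        res = self.resources[name]
        principals = {token.user_id} | token.groups
        allowed = any(right in res.acl.get(p, set()) for p in principals)
        self.audit.append(("ALLOW" if allowed else "DENY", token.user_id, name, right))
        return allowed

    def grant(self, token: AccessToken, name: str, principal: str, rights: Set[str]) -> bool:
        """Discretionary access control: only a 'grant' holder may extend the ACL."""
        if not self.check(token, name, "grant"):
            return False
        self.resources[name].acl.setdefault(principal, set()).update(rights)
        return True


def demo() -> Dict[str, object]:
    k = ToyKernel()
    k.add_account("alice", "correct horse")
    k.add_account("bob", "battery staple")
    k.add_account("erin", "paper clip", {"payroll"})
    alice = k.log_on("alice", "correct horse")
    failed = k.log_on("bob", "wrong password")
    bob = k.log_on("bob", "battery staple")
    erin = k.log_on("erin", "paper clip")
    k.create(alice, "employee_file")
    before = k.check(bob, "employee_file", "read")          # no ACL entry yet
    k.grant(alice, "employee_file", "bob", {"read"})        # owner delegates read
    k.grant(alice, "employee_file", "payroll", {"write"})   # group entry on the ACL
    return {
        "failed_logon_gives_no_token": failed is None,
        "bob_read_before_grant": before,
        "bob_read_after_grant": k.check(bob, "employee_file", "read"),
        "bob_write": k.check(bob, "employee_file", "write"),
        "erin_write_via_group": k.check(erin, "employee_file", "write"),
        "erin_read": k.check(erin, "employee_file", "read"),
        "bob_can_regrant": k.grant(bob, "employee_file", "carol", {"read"}),
        "denials_logged": sum(1 for e in k.audit if e[0] in ("DENY", "LOGON_FAIL")),
    }
```

Every denied log-on and every access decision lands in the audit list; that record is what the security group on slide 15 reviews for violations, and it is why a grant by a non-owner (bob trying to pass his read right on) shows up as a logged denial rather than disappearing silently.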

  15. Other Good Security Policies • Formalized procedures for software acquisition • Security clearances of prospective employees • Formal acknowledgment by users of their responsibilities to the company • Security group to monitor security violations • Formal policy for taking disciplinary action against security violators • Use of one-time passwords

  16. Operating System Control Dangers • Browsing • looking through memory for sensitive information (e.g., in the printer queue) • Masquerading • pretending to be an authorized user by obtaining that user’s ID and password • Viruses & Worms • foreign programs that spread through the system • a virus must attach to another program; worms are self-contained

  17. Operating System Control Dangers • Trojan Horse • foreign program that conceals itself within another legitimately imported program • Logic Bomb • foreign program triggered by a specific event • Back Door • alternative entry into the system

  18. Anti-Virus Software • can prevent the initial infection by write-protecting the file • can detect infection by known viruses • can sometimes remove the infection • must stay current
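Slide 18 lists three abilities of anti-virus software: preventing infection by write-protection, detecting known viruses, and (implicitly, since a virus must attach to another program) noticing that a program has changed. The following is an added example from the defender's side, not from the deck or any real product: the program files, the "known signature" and the file names are constructed byte strings and names.

```python
"""Integrity baseline, write-protection and known-signature scan.

Added example (not from the deck and not any real anti-virus product). The
'program files' and the 'known signature' are constructed byte strings. It
shows the three abilities the slide lists: write-protecting a file blocks
the initial infection, a hash baseline detects that a program has been
altered (a virus must attach to another program), and a signature scan
identifies a known pattern.
"""
import hashlib
from typing import Dict, List, Set

# Constructed 'known virus' signature; a real scanner holds a large, frequently updated set.
KNOWN_SIGNATURES: Dict[str, bytes] = {"DEMO-SIG-1": b"\xde\xad\xbe\xef-DEMO-PAYLOAD"}


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 per program while the library is known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_changes(base: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Programs whose current hash differs from the baseline (or that are new)."""
    return sorted(n for n, d in files.items() if base.get(n) != hashlib.sha256(d).hexdigest())


def signature_scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Known-virus detection: report which signatures appear in which file."""
    hits = {}
    for name, data in files.items():
        found = [sig for sig, pattern in KNOWN_SIGNATURES.items() if pattern in data]
        if found:
            hits[name] = found
    return hits


class ProgramStore:
    """Program library where individual files can be write-protected."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self._files = dict(files)
        self.protected: Set[str] = set()

    def protect(self, name: str) -> None:
        self.protected.add(name)

    def write(self, name: str, data: bytes) -> bool:
        """Return False (and leave the file untouched) when it is write-protected."""
        if name in self.protected:
            return False
        self._files[name] = data
        return True

    def files(self) -> Dict[str, bytes]:
        return dict(self._files)


def demo() -> Dict[str, object]:
    clean = {"payroll.exe": b"CLEAN-PROGRAM-A", "gl.exe": b"CLEAN-PROGRAM-B"}   # constructed
    base = baseline(clean)
    store = ProgramStore(clean)
    store.protect("payroll.exe")
    # Simulated infection attempts: the constructed payload is appended to the program.
    blocked = not store.write("payroll.exe", clean["payroll.exe"] + KNOWN_SIGNATURES["DEMO-SIG-1"])
    store.write("gl.exe", clean["gl.exe"] + KNOWN_SIGNATURES["DEMO-SIG-1"])
    return {
        "write_blocked": blocked,
        "changed": integrity_changes(base, store.files()),
        "signature_hits": signature_scan(store.files()),
    }
```

The hash baseline catches the unprotected program even when no signature matches, which is the case the slide's last bullet ("must stay current") is about: signature detection only finds what the signature set already knows, while an integrity check flags any change at all.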

  19. [Section divider: the General Control Framework for CBIS Exposures diagram, repeated.]

  20. Data Management Controls • Two crucial control issues: • Access controls • Backup controls

  21. Access Controls • User views - based on sub-schemas • Database authorization table - allows greater authority to be specified • User-defined procedures - allow a user to create a personal security program or routine • Data encryption - encoding algorithms • Biometric devices - fingerprints, retina prints, or signature characteristics • Inference controls - necessary in systems which allow queries
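Two of the controls on slide 21 are easy to show concretely: a user view that projects a table onto the columns a role may see, and an inference control that refuses aggregate queries covering too few rows (a minimum query-set size, the simplest such control). The code below is an added example, not from the deck; the employee table, role names, column names and the threshold of 3 are all constructed.

```python
"""User views (sub-schemas) and a query-set-size inference control.

Added example (not from the deck). The employee table is constructed. A user
view limits the columns a role can see; the inference control rejects
aggregate queries that cover too few rows, since a SUM over one or two
records would reveal an individual's value.
"""
from typing import Dict, List, Optional, Set, Tuple

EMPLOYEES: List[Dict[str, object]] = [   # constructed sample data
    {"emp_id": 1, "name": "Ann", "dept": "AR", "salary": 52000},
    {"emp_id": 2, "name": "Ben", "dept": "AR", "salary": 48000},
    {"emp_id": 3, "name": "Cy", "dept": "AR", "salary": 61000},
    {"emp_id": 4, "name": "Dee", "dept": "Payroll", "salary": 70000},
    {"emp_id": 5, "name": "Eli", "dept": "IT", "salary": 66000},
]

# Sub-schemas: the columns each role is allowed to see.
USER_VIEWS: Dict[str, Set[str]] = {
    "ar_clerk": {"emp_id", "name", "dept"},            # salary is not in this view
    "payroll": {"emp_id", "name", "dept", "salary"},
}

MIN_QUERY_SET = 3   # an aggregate must cover at least this many rows


class InferenceControlError(Exception):
    """Raised when an aggregate query would let an individual value be inferred."""


def view_rows(role: str, rows=EMPLOYEES) -> List[Dict[str, object]]:
    """Project the table onto the role's sub-schema."""
    cols = USER_VIEWS[role]
    return [{k: v for k, v in r.items() if k in cols} for r in rows]


def aggregate(role: str, column: str, where: Optional[Tuple[str, object]] = None,
              rows=EMPLOYEES) -> Dict[str, int]:
    """COUNT and SUM of `column`, subject to the view and the query-set-size rule."""
    if column not in USER_VIEWS[role]:
        raise PermissionError(f"{role} may not read column {column}")
    selected = [r for r in rows if where is None or r[where[0]] == where[1]]
    if len(selected) < MIN_QUERY_SET:
        raise InferenceControlError(
            f"query set of {len(selected)} rows is below the minimum of {MIN_QUERY_SET}")
    return {"count": len(selected), "sum": sum(r[column] for r in selected)}


def query_outcome(role: str, column: str, where: Optional[Tuple[str, object]] = None) -> str:
    """Classify a query as 'ok', 'permission' or 'inference' for demos and tests."""
    try:
        aggregate(role, column, where)
        return "ok"
    except PermissionError:
        return "permission"
    except InferenceControlError:
        return "inference"


if __name__ == "__main__":
    print(view_rows("ar_clerk")[0])                               # no salary column
    print(aggregate("payroll", "salary", ("dept", "AR")))         # 3 rows: allowed
    print(query_outcome("payroll", "salary", ("dept", "Payroll")))  # 1 row: refused
```

A minimum query-set size on its own is not a complete inference control; production databases layer further restrictions on overlapping queries on top of it. The slide's point stands either way: any system that accepts ad hoc queries over sensitive data needs some such control, not only row-level permissions.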

  22. Data Management Controls • Backup options: • Grandparent-parent-child backup - the number of generations to keep is a policy issue • Direct access file backup - back up the master file at pre-determined intervals • Off-site storage - guards against disasters and/or physical destruction

  23. [Table: Computer Resource Authority Table. Rows: User 1, User 2, User 3. Columns (resources): Employee File, Cash Receipts File, AR File, Line Printer, Program. Cell entries are permission levels such as No Access, Read only, Read data, Read code, Change, Add, Delete, Modify and Use.]

  24. Backup Controls • Flat-file environment • grandparent-parent-child (GPC) used in sequential file batch systems • direct access backup, called destructive replacement • offsite storage • Database environment • database backup - automatic periodic backup • transaction log (journal) - a list of transactions which provides an audit trail of all processed transactions • checkpoint feature - suspends all data processing while the system performs reconciliation • recovery module - restarts the system after a failure
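The database-environment controls on slide 24 (transaction log, checkpoint, recovery module) work as one mechanism, and the flat-file GPC scheme is a simple rotation. The toy database below is an added example, not code from the deck or any real DBMS: it journals every transaction before applying it, snapshots at a checkpoint, and after a simulated failure replays only the journal entries written after that checkpoint. The keys, values and generation names are constructed.

```python
"""Transaction log, checkpoint and recovery for a toy database, plus GPC rotation.

Added example (not from the deck, not any real DBMS). Each transaction is
appended to the journal before it is applied; a checkpoint records the
journal position and a snapshot of the data; after a simulated failure the
recovery module restores the snapshot and replays only the journal entries
written after the checkpoint. rotate_gpc models the flat-file
grandparent-parent-child scheme with a configurable number of generations.
"""
import copy
from typing import Dict, List, Optional, Tuple

Entry = Tuple[int, str, str, int]    # (sequence number, op, key, value)


class ToyDatabase:
    def __init__(self) -> None:
        self.data: Dict[str, int] = {}
        self.journal: List[Entry] = []                         # the transaction log
        self.checkpoint: Optional[Tuple[int, Dict[str, int]]] = None
        self.seq = 0

    def _do(self, op: str, key: str, value: int) -> None:
        if op == "set":
            self.data[key] = value
        elif op == "add":
            self.data[key] = self.data.get(key, 0) + value
        elif op == "del":
            self.data.pop(key, None)
        else:
            raise ValueError(f"unknown op {op}")

    def apply(self, op: str, key: str, value: int = 0) -> int:
        """Write-ahead: journal the transaction first, then apply it."""
        self.seq += 1
        self.journal.append((self.seq, op, key, value))
        self._do(op, key, value)
        return self.seq

    def take_checkpoint(self) -> int:
        """Processing is suspended; the reconciled state is snapshotted with its journal position."""
        self.checkpoint = (self.seq, copy.deepcopy(self.data))
        return self.seq

    def simulate_failure(self) -> None:
        """In-memory state is lost; journal and checkpoint are on durable media and survive."""
        self.data = {}

    def recover(self) -> int:
        """Recovery module: restore the last checkpoint, replay later journal entries."""
        start, snapshot = self.checkpoint if self.checkpoint else (0, {})
        self.data = copy.deepcopy(snapshot)
        replayed = 0
        for seq, op, key, value in self.journal:
            if seq > start:
                self._do(op, key, value)
                replayed += 1
        return replayed


def rotate_gpc(generations: List[str], new_child: str, keep: int = 3) -> List[str]:
    """Newest first: child, parent, grandparent. How many to keep is the policy decision."""
    return [new_child] + generations[:keep - 1]


def demo() -> Tuple[Dict[str, int], int]:
    db = ToyDatabase()
    db.apply("set", "cash", 1000)
    db.apply("set", "ar", 500)
    db.take_checkpoint()                 # snapshot taken at seq 2
    db.apply("add", "cash", 250)         # these two exist only in the journal
    db.apply("del", "ar")
    db.simulate_failure()
    replayed = db.recover()
    return db.data, replayed
```

Because the journal is written before the data is changed, the log is both the audit trail the slide mentions and the recovery source: every transaction processed since the checkpoint can be re-applied in order, and nothing that was never journaled can appear in the recovered state.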

  25. [Section divider: the General Control Framework for CBIS Exposures diagram, repeated.]

  26. Organizational Structure Controls • The two main CBIS environments have different exposures and IC requirements: • Centralized DP • Distributed DP

  27. [Organization charts. Centralized computer services function: President; VP Marketing, VP Computer Services, VP Operations, VP Finance; under Computer Services: Systems Development (New Systems Development, Systems Maintenance), Database Administration, Data Processing (Data Control, Data Preparation, Computer Operations, Data Library). Distributed organizational structure: President; VP Marketing, VP Finance, VP Administration, VP Operations; Manager Plant X, Manager Plant Y, Treasurer, Controller; each unit with its own information processing unit (IPU).]

  28. Centralized DP Organizational Controls • In centralized IS, need to separate: • systems development from computer operations • database administrator and other computer service functions • especially database administrator (authorizing) and systems development (processing) • DBA authorizes access • maintenance and new systems development • data library and operations

  29. Distributed DP Organizational Controls • Distributed Data Processing: despite many advantages of this approach, control implications are present • incompatible software among the various work centers • data redundancy may result • consolidation of incompatible tasks • difficulty hiring qualified professionals • lack of standards

  30. Organizational Structure Controls • A corporate computer services function/information center may help to alleviate the potential problems associated with DDP by providing: • central testing of commercial hardware and software • a user services staff • a standard-setting body • review of the technical credentials of prospective systems professionals

  31. [Section divider: the General Control Framework for CBIS Exposures diagram, repeated.]

  32. [Diagram: Systems Development Life Cycle (SDLC). New systems development: Systems Planning, Systems Analysis, Conceptual Design, System Selection, Detailed Design, System Implementation; followed by Maintenance.]

  33. Systems Development Controls • New systems must be authorized. • User needs and requests should be formally documented. • Technical design activities should be documented. • Internal auditors should participate in the development process. • New programs must be thoroughly tested before they are implemented. • New systems must be tested by a team of users, internal audit staff, and systems professionals.

  34. [Section divider: the General Control Framework for CBIS Exposures diagram, repeated.]

  35. System Maintenance Controls • Last, longest and most costly phase of the SDLC • 80-90% of the entire cost of a system • All maintenance actions should require • technical specifications • testing • documentation updates • formal authorizations for any changes made

  36. SPL • Source program library (SPL) • library of applications and software • place where programs are developed and modified • once compiled into machine language, programs are no longer vulnerable

  37. [Diagram: Uncontrolled Access to the Source Program Library. Systems development programmers and systems maintenance programmers both work directly on the source programs in the SPL; a source program is compiled into an object module, link-edited into a load module, and placed in the production load library for the production application.]

  38. A Controlled SPL Environment • An SPL Management System (SPLMS) can be used to protect the SPL environment by controlling the following functions: • storing programs on the SPL • retrieving programs for maintenance purposes • deleting obsolete programs from the library • documenting program changes to provide an audit trail of the changes

  39. [Diagram: Source Program Library under the Control of SPL Management Software. The SPL management system sits between the programmers and the SPL: systems development programmers work in a systems development test library (Application Program 00); a maintenance request lets systems maintenance programmers work in a systems maintenance test library (Application Program 05); compile and link edit produce Application Load Module 05 in the production load library; the outputs include a program listing, a program change report and a documentation file.]

  40. SPL Control Features • Password control • Separation of test libraries • Reports that enhance management control and the audit function • Assigns program version numbers automatically • Controlled access to maintenance commands • Documentation and authorization of changes
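Slides 38 to 40 describe what an SPL management system must do: password-control access, keep development and maintenance test libraries apart, assign version numbers automatically, tie maintenance commands to an authorized request, and keep a change report as the audit trail. The model below is an added example, not code from the deck or from any real SPL product; the program name AR_POST, the request id MR-17, the password and the programmer names are constructed.

```python
"""Model of a source program library management system (SPLMS).

Added example (not from the deck and not any real SPL product). It models the
control features the slides list: password-controlled access, separate
development and maintenance test libraries, automatically assigned version
numbers, maintenance commands tied to an approved maintenance request, and
a program change report that serves as the audit trail. Names such as
AR_POST and MR-17 are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Program:
    name: str
    version: int
    source: str

    def fingerprint(self) -> str:
        return hashlib.sha256(self.source.encode()).hexdigest()[:12]


@dataclass
class ChangeRecord:
    program: str
    action: str                 # "promote" or "delete"
    old_version: Optional[int]
    new_version: Optional[int]
    request_id: str
    programmer: str
    old_fingerprint: str
    new_fingerprint: str


class SPLManagementSystem:
    def __init__(self, password: str) -> None:
        self._password = password
        self.production: Dict[str, Program] = {}
        self.test_libs: Dict[str, Dict[str, Program]] = {"development": {}, "maintenance": {}}
        self.approved: Dict[str, str] = {}        # maintenance request id -> program name
        self.change_report: List[ChangeRecord] = []
        self.access_log: List[Tuple[str, str, str]] = []

    def _auth(self, password: str, who: str, action: str) -> None:
        ok = hmac.compare_digest(password, self._password)
        self.access_log.append((who, action, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{who}: SPL password rejected for {action}")

    def store_new(self, password: str, who: str, name: str, source: str) -> None:
        """New development work lands in the development test library, not production."""
        self._auth(password, who, f"store {name}")
        self.test_libs["development"][name] = Program(name, 0, source)

    def approve_request(self, request_id: str, name: str) -> None:
        """Management authorization of a maintenance request, recorded by the SPLMS."""
        self.approved[request_id] = name

    def checkout_for_maintenance(self, password: str, who: str, name: str, request_id: str) -> None:
        """Maintenance command: copy the production program into the maintenance test library."""
        self._auth(password, who, f"checkout {name}")
        if self.approved.get(request_id) != name:
            raise PermissionError(f"no approved maintenance request {request_id} for {name}")
        prod = self.production[name]
        self.test_libs["maintenance"][name] = Program(name, prod.version, prod.source)

    def modify(self, library: str, name: str, new_source: str) -> None:
        self.test_libs[library][name].source = new_source

    def promote(self, password: str, who: str, name: str, library: str, request_id: str = "NEW") -> int:
        """Move a tested program into production; the version number is assigned automatically."""
        self._auth(password, who, f"promote {name} from {library}")
        if library == "maintenance" and self.approved.get(request_id) != name:
            raise PermissionError("maintenance promotion requires an approved request")
        prog = self.test_libs[library].pop(name)
        old = self.production.get(name)
        prog.version = old.version + 1 if old else 0
        self.production[name] = prog
        self.change_report.append(ChangeRecord(
            name, "promote", old.version if old else None, prog.version, request_id, who,
            old.fingerprint() if old else "", prog.fingerprint()))
        return prog.version

    def delete_obsolete(self, password: str, who: str, name: str, request_id: str) -> None:
        self._auth(password, who, f"delete {name}")
        if self.approved.get(request_id) != name:
            raise PermissionError(f"no approved request {request_id} to delete {name}")
        old = self.production.pop(name)
        self.change_report.append(ChangeRecord(
            name, "delete", old.version, None, request_id, who, old.fingerprint(), ""))


def attempt(action, *args) -> str:
    """Run an SPLMS command and report 'ok' or 'denied' (for demos and tests)."""
    try:
        action(*args)
        return "ok"
    except PermissionError:
        return "denied"
```

The change report pairs each new version with the request that authorized it and with before/after fingerprints of the source, so an auditor can tie every production change to a documented authorization and detect any version that was promoted without one.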

  41. [Section divider: the General Control Framework for CBIS Exposures diagram, repeated.]

  42. Computer Center Controls • Considerations: • location away from human-made and natural hazards • utility and communications lines underground • windows closed and air filtration systems in place • access limited to the operators and other necessary workers; others required to sign in and out • fire suppression systems should be installed • backup power supplies

  43. Disaster Recovery Planning • Disaster recovery plan (DRP) • all actions to be taken before, during, and after a disaster • Disaster Recovery Team (DRT) identified • critical applications must be identified • restore these applications first • Backups and off-site storage procedures • databases and applications • documentation • supplies

  44. Second-Site Disaster Backups • Mutual Aid Pact - an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs • The Empty Shell - involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment • The Recovery Operations Center - a completely equipped site; very costly and typically shared among many companies • Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity
