Chapter-5 - History of SFACO-AA

Chapter-5
IT Application Controls and standards

Computer security:
Computer security includes the policies, procedures, tools and techniques designed to protect an
organization's computer assets from accidental, intentional or natural disasters, including accidental
input or output errors, theft, break-ins, physical damage and illegal access or manipulation.
Computer security is a complex and pervasive problem that often stumps many organizations, which
struggle to balance proper security against the cost and inconvenience of providing it. It cannot be
achieved through automation or sophisticated equipment alone; it also requires the active participation
of employees with common sense, good judgment and high moral values, because security is
ultimately the responsibility of the individual using the computer. Therefore, it is not surprising that
organizations that promote creativity, innovation, trust and high ethical standards appear to be more
successful in enforcing computer security than organizations with stifling cultures.


Security issues:
The security issues of a computerized system can be discussed by dividing them into four related
issues, as follows:
     Security;
     Integrity;
     Privacy; and
     Confidentiality.
Each issue is discussed below:
Security: It can be classified as follows:
System Security: It refers to the technical innovations and procedures applied to the hardware and
operating systems to protect against deliberate or accidental damage from a defined threat.
Data Security: It refers to the protection of data from loss, unauthorized disclosure and modification,
processing errors and destruction.
Integrity: It also has two sides:
System Integrity: It refers to the proper functioning of hardware and programs, appropriate physical
security and safety against external threats.
Data Integrity: Data Integrity makes sure that the data do not differ from their original form and have not
been accidentally or intentionally destroyed, altered or disclosed without proper authorization.
Privacy: It defines the rights of the users or Enterprise to determine what information they are willing
to share with or accept from others, and how the Enterprise can be protected against unwelcome or
unfair information.
Confidentiality: This is a special status given to sensitive information in a database to minimize the
possible invasion of privacy.


Security controls:
Computer security controls are policies, procedures, tools and techniques designed to reduce security
breaches and system destruction, to prevent errors in data, software and systems, to protect systems
from accidental, intentional and natural disasters and to continually enhance system security. In other
words, security controls are safeguards or countermeasures to avoid, counteract or minimize security
risks. Controls may be manual or automated. Effective controls provide information system security,
that is, the accuracy, integrity and safety of information system activities and resources. An effective
control also provides quality assurance for information systems. That is, controls can make computer-
based information systems more free of errors and fraud and able to provide information products of
higher quality than manual types of information processing. The IS controls in the audit program have
been grouped into four general types that must be developed to ensure the quality and security of
information systems. These are:
      Physical security control;
      Logical security control;
      Environmental control;
      IS operating control.


                       S. F. Ahmed & Co. Articled Association (34th Association)
Physical security controls:
The primary goal of physical facilities control is to protect the physical facilities that house the
computer and other related assets from theft, unauthorized access, natural disasters and vandalism
through measures such as posting security personnel, installing fire alarms, hidden cameras and
requiring users to wear badges or use smart cards to gain access to the building. Physical security
controls pertain to the protection of computer hardware, components and the facilities within which
they reside. Though the reliability of physical support facilities is often overlooked, it is an
important part of system security, particularly for real-time systems. Physical security controls also
protect equipment against physical damage resulting from natural disasters such as earthquakes,
hurricanes, tornadoes, floods etc., as well as other dangers like bombings, fires, power surges, theft,
vandalism and unauthorized tampering. There are various types of physical security controls that should
be adopted within an organization. Some of them are as follows:
     Physical locks;
     Security guards;
     Video surveillance cameras;
     General emergency and detection control;
     Heating, ventilation and cooling system;
     Insurance coverage;
     Periodic back-up;
     Emergency power and uninterruptible power supply system;
     Business resumption program;
     Back-up system security administrator.

Physical locks: This is the first step of physical security and is usually established using various
types of locks on doors to the rooms, including the main computer room where file servers,
gateways, routers and other telecommunication equipment are located. Various types of physical
locks are conventional key locks, electronic access badges, cipher locks, combination locks, biometric
locks etc. Biometric locks are a fast-growing area of computer security. These are security measures
provided by computer devices that measure physical traits that make each individual unique. This
includes voice verification, fingerprints, hand geometry, signature dynamics and keystroke analysis.

Security guards: Employment of security guards is one of the common practices for physical control. It
reduces the chances of crime, and guards also help in monitoring the video cameras. The incident reports
prepared by the security guards can be crucial evidence in case of criminal prosecution and/or
employee misconduct.

Video surveillance cameras: Basically, cameras of this type are positioned in strategic locations
of the organization that afford full views of the IT system. They act as an additional control against
unauthorized activities and also provide recorded evidence with the time, date etc.

General emergency and detection control: In many organizations an alarm system is used for safety
and security reasons. Through this system unauthorized persons and unauthorized devices can be detected,
and at the same time natural disasters like fire, smoke etc. can be notified to management at an early
stage for prevention in an automated way.

Heating, ventilation and cooling system: Computers survive best in a cool, dry, dust-free
environment. Through HVAC systems this can be maintained, and they should be audited periodically to
ensure the environment is kept within limits.

Insurance coverage: The main purpose of insurance is to spread the economic cost and the risk of loss
from an individual or business to a large number of people. This is accomplished through the use of
an insurance policy. Policies are contracts that obligate the insurer to indemnify the policyholder or
some third party from specific risks in return for the payment of a premium. Policies usually can be
obtained to cover the following resources:
     Equipment;
     Facilities;
     Storage media;
     Business interruption;
     Extra expenses;
     Valuable papers;
     Accounts receivable;
     Media transportation;
     Malpractice, errors.
Periodic back-up: A better back-up policy is to perform periodic backups (daily, weekly, monthly) of
all types of software, programs, data etc. using different types of back-up media. The back-up
media must be logged and stored both on-site and at an off-site location, and provision should also be
made for periodic audits to evaluate the adequacy of physical controls.

Emergency power and uninterruptible power supply system: An emergency power system and
an uninterruptible power supply system should be designed into every information processing facility.
An emergency power system consists of a generator and the necessary hardware to provide limited
electrical power to critical operational areas within a facility. In the event of a power loss,
the emergency power system should activate automatically. A UPS system consists of an
arrangement of batteries and supporting hardware components that are configured to provide smooth,
continuous power to computer equipment. During an audit of physical security at one information
processing center, a description of the emergency power system and UPS system was prepared and
key aspects of the systems were tested.

Business resumption programs: BRP refers to the disaster recovery plan. It must include the
following:
      List of key contact personnel of the organization;
      Identification and ranking of operational areas;
      Brief description of the events covered by the BRP;
      Concise description of the actions to be taken at that time;
      Potential psychological impact of the disaster and the necessary assistance under the BRP.

Back-up system security administrator:
    Granting complete control over a computer system to one individual is one of the most
      common control weaknesses in the real world;
    The system security administrator could be involved in an accident, have to leave work
      unexpectedly, or may be at a location where he or she cannot be reached;
    Thus, the organization might not be able to restore operations adequately in a timely manner.


Logical security control:
Logical security control restricts the access capabilities of users of the system and prevents
unauthorized users from accessing the system. It may exist within the operating system, database
management system, application program and/or all the three. It includes system access capabilities
of users, system access profiles and parameters and logging mechanisms. The major logical security
controls are as follows:
     User IDs and passwords;
     Remote access control;
     Computer operations audit;
     Back-up and recovery procedures;
     Integrity/completeness checks.

    Application program → Database management system → Operating system
                              Fig: Logical control

User IDs and passwords: Passwords should have a minimum length. The system should reject any
user attempt to enter a password with fewer characters than the parameter setting. For most
commercial systems, a minimum password length of eight characters is sufficient. The system should
be programmed so that the system user ID cannot be deleted, and should allow only certain user IDs to sign
on from a workstation.

Remote access controls: Today more and more users require the ability to sign on remotely
using laptops, personal digital assistants (PDAs) and some kinds of cell phones. The most common
remote access controls include dedicated leased lines, automatic dial-back, secure sockets layer
(SSL) sessions, multifactor authentication and virtual private networks (VPNs). This control may be
implemented using the following networking systems:
     Dedicated leased lines;
     Automatic dial-back;
     Secure sockets layer;
     Multifactor authentication;
     Virtual Private Networks.
Computer operations audit: A computer operations audit assesses the internal controls that
ensure the production jobs are completed in a timely manner and that production capacity is sufficient to
meet short- and long-range processing needs; that output media are distributed in a timely, accurate and
secure manner; that back-up and recovery procedures adequately protect data and programs against
accidental or intentional loss or destruction; and that problem management procedures ensure that system
problems are documented and resolved in a timely and effective manner.

Back-up and recovery procedures: The primary controls to provide this protection are to perform
periodic (daily, weekly, monthly) backups of system software, application programs and data, as well
as storage and rotation of the back-up media, such as magnetic tapes, disks and compact disks (CDs),
at a secure offsite location. Daily backups are usually necessary only for data, since the application
programs and system software do not change significantly. Management should ensure that tests are
performed to confirm that system operations can in fact be fully restored using the back-up media.

Integrity/completeness checks:
When large volumes of data are electronically imported from or exported to other systems, data
integrity and completeness controls can provide reasonable assurance that the recipient has received
all the data intact without any alterations or missing information. Control totals are the most common
form of integrity/completeness check. The sender provides the recipient with control totals, such as
the total number of records in the data file and the total amount of the records.
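As an added example that is not part of the original chapter, the following Python code shows a sender computing control totals over a constructed batch of records and a recipient recomputing them to detect missing or altered records. The record layout, the sample batch and the SHA-256 digest (which goes beyond the record count and amount total the chapter names, and catches offsetting changes that leave the totals unchanged) are assumptions made for this illustration.

```python
# Added example (not from the original chapter): control totals for an
# integrity/completeness check on a batch of records exchanged between systems.
# The record layout, the sample batch and the SHA-256 digest are assumptions
# made for this illustration; the chapter itself only names counts and amounts.
from dataclasses import dataclass
from decimal import Decimal
import hashlib


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # total number of records in the file
    amount_total: Decimal  # total amount of the records
    digest: str            # SHA-256 over the canonical records (beyond plain totals)


# Constructed sample batch: (record id, amount as a decimal string).
SAMPLE_BATCH = [
    ("INV-0001", "125.50"),
    ("INV-0002", "980.00"),
    ("INV-0003", "43.25"),
]


def compute_control_totals(records):
    """Sender side: derive the control totals that travel with the file."""
    count = 0
    total = Decimal("0")
    h = hashlib.sha256()
    for rec_id, amount in records:
        count += 1
        total += Decimal(amount)
        # Canonical encoding so sender and recipient hash identical bytes.
        h.update(f"{rec_id}|{amount}\n".encode("utf-8"))
    return ControlTotals(count, total, h.hexdigest())


def verify_batch(records, expected):
    """Recipient side: recompute and compare; an empty list means intact and complete."""
    actual = compute_control_totals(records)
    problems = []
    if actual.record_count != expected.record_count:
        problems.append(f"record count {actual.record_count} != {expected.record_count}")
    if actual.amount_total != expected.amount_total:
        problems.append(f"amount total {actual.amount_total} != {expected.amount_total}")
    if actual.digest != expected.digest:
        problems.append("content digest mismatch")
    return problems


if __name__ == "__main__":
    totals = compute_control_totals(SAMPLE_BATCH)
    print("sender totals:", totals)
    print("intact:", verify_batch(SAMPLE_BATCH, totals))
    print("record dropped:", verify_batch(SAMPLE_BATCH[:2], totals))
    # Two amounts altered by offsetting +10/-10: the count and the amount
    # total still agree, so only the digest catches the change.
    shifted = [("INV-0001", "135.50"), ("INV-0002", "970.00"), ("INV-0003", "43.25")]
    print("compensating change:", verify_batch(shifted, totals))
```

The control totals must travel separately from the data file (or be signed), otherwise whoever alters the file can recompute them; the digest check is what distinguishes a genuinely intact batch from one whose totals merely happen to agree.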


Environmental control:
Environmental controls include IS security policies, standards and guidelines; the reporting structures
within the IS processing environment; the financial condition of the service organizations and vendors;
vendors' software licenses, maintenance and support agreements and warranties; and the status of the
computing system's policies and procedures placed in operation by the service organization.


IS operating control:
Information system operating controls are designed to ensure that the information system is operating
efficiently and effectively. These controls include the timely and accurate completion of production
jobs, distribution of output media, performance of back-up and recovery procedures, performance of
maintenance procedures, documentation and resolution of system problems and monitoring of central
processing unit and data storage capacity utilization.

Information system security policy:
A security policy consists of statements ranking information risks, identifying acceptable security goals
and identifying the mechanisms for achieving these goals. Security policies must be approved by
top management and specify the persons responsible for their implementation, but they should not specify
the detailed controls. An IS security policy is divided into five sections:

Purpose and responsibility: The purpose of the Organization’s Information Systems Security Policy
is to provide the essential guidelines for efficient electronic transaction processing and reporting
services, management information systems and appropriate customer information capabilities for top
level management to effectively operate the Organization.

System procurement and development: The computing systems of the Organization shall be
constantly monitored to identify the current and future needs. The Organization should follow the
system life-cycle evaluation steps like problem definition, requirement analysis, feasibility study,
design, development, testing, monitoring, review etc.

Access terminals: Management is authorized to install other dial-up access online terminals as may
be required in operations of the Organization.

Equipment and information security: Equipment and Information security can be further divided
into 3 categories. They are as follows:
      Equipment and environmental security;
      Information and communication security;
      Contingency and recovery.



Service bureau programs: The Organization’s service Bureau agreements shall be drafted to
require that such bureaus retained by the Organization indicate a commitment to developing and
maintaining computer application software in such a manner that system capabilities, as specified by
the Organization, are ensured and that appropriate record-keeping checks and balances are in place.


Information system security standard:
Information system security standards are minimum criteria, rules and procedures established by
senior management that must be implemented to help ensure the achievement of the IS security policy.
The following minimum IS security standards have been approved by senior management and are to
be applied to applicable information systems within the organization:
     Upon completion of initial installation of software, the maiden password shall be changed by
        the system security administrator;
     A back-up system security administrator shall be designated and trained to ensure continued
        operation of the system, even in the absence of the primary system security administrator;
     System security administrators shall set parameters to require passwords to be a minimum of
        8 alphanumeric, case-sensitive characters in length;
     Systems shall be designed so that passwords are masked (i.e. invisible) on workstation
        screens as they are entered by users;
     Systems shall be designed so that password files are encrypted by a secure algorithm so that
        nobody, including system security administrator, can view them;
     System security administrators shall set passwords to automatically expire within 60 days or
        less;
     User IDs shall be suspended after three consecutive unsuccessful sign on attempts;
     User sessions shall be terminated after 5 minutes of inactivity;
     Users shall not be allowed concurrent sign on sessions;
     System security administrators shall remove the user IDs of terminated or transferred users
        immediately upon notification from the user department manager and/or the human resource
        department;
     Department managers shall be responsible for training users not to share or divulge their
        passwords to anyone, write them down, post them at the workstations, store them in an
        electronic file or perform any other act that could potentially result in their password being
        divulged;
     System security administrators shall request user department management to review user
        access capabilities and certify in writing that the access capabilities of the users in their
        department are necessary to perform normal duties;
     Logical security related events shall be logged by the system and the log shall be
        continuously monitored by system security administrators for potential acts of unauthorized
        access;
     Business resumption procedures shall be fully developed, tested and documented by
        management in collaboration with system security administrator and other key staff members;
     Adequate insurance coverage shall be maintained over the hardware, operating system,
        application software and data. Hardware should be covered at replacement cost;
     Vendor-developed applications acquired in the future should be contractually required to
        incorporate programming that enables these standards to be deployed upon installation;
     Confidential information including passwords shall be encrypted by a secure algorithm during
        electronic transmission;
     System security administrators shall install software that automatically checks for viruses
        using a current virus pattern file.
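To make the logical-access parameters in these standards concrete, here is an added example (not from the original chapter) in Python that models an account and a sign-on policy using the figures the standards state: a minimum of 8 alphanumeric, case-sensitive characters, password expiry within 60 days, suspension after three consecutive failed sign-on attempts, termination of a session after 5 minutes of inactivity and no concurrent sessions. The user names, passwords and timestamps are constructed, the reading of "alphanumeric" as at least one letter and one digit is an assumption, and the event log the policy produces is the kind of record the standards say administrators must monitor.

```python
# Added example (not from the original chapter): a small model of the
# logical-access parameters in the standards above, so the rules can be
# exercised against constructed accounts. Times, user names and passwords
# are constructed; the 8-character, 60-day, 3-attempt and 5-minute figures
# are the ones the standards state.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import re

PASSWORD_MIN_LENGTH = 8
PASSWORD_MAX_AGE = timedelta(days=60)
MAX_FAILED_ATTEMPTS = 3
IDLE_TIMEOUT = timedelta(minutes=5)


def password_meets_standard(password: str) -> bool:
    """Minimum 8 alphanumeric characters; 'alphanumeric' is read here as at least
    one letter and one digit. Case sensitivity is enforced by the comparison itself."""
    return (len(password) >= PASSWORD_MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


@dataclass
class Account:
    user_id: str
    password: str                  # kept in clear only to keep the model short
    password_set_at: datetime
    failed_attempts: int = 0
    suspended: bool = False
    last_activity: Optional[datetime] = None   # None means no open session


class AccessPolicy:
    def __init__(self) -> None:
        # Security-related events: the log the standards say administrators monitor.
        self.log: List[Tuple[str, str, str]] = []

    def _record(self, when: datetime, acct: Account, event: str) -> None:
        self.log.append((when.isoformat(), acct.user_id, event))

    def _expire_idle(self, acct: Account, now: datetime) -> None:
        if acct.last_activity is not None and now - acct.last_activity > IDLE_TIMEOUT:
            acct.last_activity = None
            self._record(now, acct, "SESSION_TERMINATED idle")

    def sign_on(self, acct: Account, password: str, now: datetime) -> bool:
        if acct.suspended:
            self._record(now, acct, "SIGNON_DENIED suspended")
            return False
        self._expire_idle(acct, now)
        if password != acct.password:          # case-sensitive comparison
            acct.failed_attempts += 1
            self._record(now, acct, f"SIGNON_FAILED attempt {acct.failed_attempts}")
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.suspended = True
                self._record(now, acct, "USER_SUSPENDED")
            return False
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            self._record(now, acct, "SIGNON_DENIED password expired")
            return False
        if acct.last_activity is not None:     # no concurrent sessions
            self._record(now, acct, "SIGNON_DENIED concurrent session")
            return False
        acct.failed_attempts = 0
        acct.last_activity = now
        self._record(now, acct, "SIGNON_OK")
        return True

    def activity(self, acct: Account, now: datetime) -> bool:
        """Touch the session; False if it was idle too long or never opened."""
        self._expire_idle(acct, now)
        if acct.last_activity is None:
            return False
        acct.last_activity = now
        return True


def run_scenario() -> List[str]:
    """Drive two constructed accounts through the rules; returns the events logged."""
    t0 = datetime(2024, 1, 1, 9, 0)
    policy = AccessPolicy()
    alice = Account("alice", "Secr3tPass", password_set_at=t0 - timedelta(days=10))
    bob = Account("bob", "Sunny2024", password_set_at=t0 - timedelta(days=61))
    policy.sign_on(alice, "secr3tpass", t0)                          # wrong case
    policy.sign_on(alice, "Secr3tPass", t0 + timedelta(minutes=1))   # accepted
    policy.sign_on(alice, "Secr3tPass", t0 + timedelta(minutes=2))   # second session refused
    policy.activity(alice, t0 + timedelta(minutes=8))                # 7 minutes idle
    for m in (9, 10, 11):                                            # three bad attempts
        policy.sign_on(alice, "wrong-pass-1", t0 + timedelta(minutes=m))
    policy.sign_on(bob, "Sunny2024", t0)                             # password older than 60 days
    return [event for _, _, event in policy.log]


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

The scenario walks one account through a wrong-case attempt, a successful sign-on, a refused second session, an idle timeout and a suspension, and a second account through password expiry; the resulting log is what a monitoring administrator would read for the "three failures then suspended" pattern.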


Control and standards for information integrity:
Information integrity provides reasonable assurance that the data recipients have received all the data
intact. It has the following components:
     System and information integrity policy and procedures;
     Flaw remediation;
     Malicious code protection;
     Security alerts and advisories;
     Security functionality verification;
     Software and information integrity;
     Spam protection;
     Information input restrictions;
     Information input accuracy, completeness, validity and authenticity.
System and information integrity policy and procedures: A control system including information
integrity increases assurance that sensitive data have neither been modified nor deleted in an
unauthorized or undetected manner. The security controls described under the system and
information integrity family provide policy and procedures for identifying, reporting and correcting
control system flaws. For this reason the organization develops, disseminates and periodically
reviews and updates a formal, documented system and control integrity policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among organizational entities
and compliance.

Flaw remediation: The organization centrally manages the flaw remediation process and installs
updates automatically. For this reason the organization should consider the risk of employing an automated
flaw remediation process on a control system. To control flaw remediation the organization must
identify, report and correct system flaws; test software updates related to flaw remediation for
effectiveness and potential side effects on organizational systems before installation; and incorporate
flaw remediation into the organizational configuration management process as an emergency change.

Malicious code protection: To protect the system from malicious code, the organization should
employ malicious code protection mechanisms at system entry and exit points and at workstations,
servers or mobile computing devices on the network, and should update malicious code protection
mechanisms whenever new releases are available, in accordance with organizational configuration
management policy and procedures.

Security alerts and advisories: To implement security alerts and advisories, the organization
receives system security alerts, advisories and directives from designated external organizations on
an ongoing basis, generates its own as deemed necessary, and disseminates security alerts, advisories
and directives to an organization-defined list of personnel.

Security functionality verification: The organization verifies the correct operation of security
functions within the control system upon system startup and restart, upon command by a user with
appropriate privilege, periodically and/or at defined time periods. The control system notifies the
system administrator when anomalies are discovered.

Software and information integrity: The system monitors and detects unauthorized changes to
software and information. The organization reassesses the integrity of software and information by
performing scans of the system at an organization-defined frequency, and uses the scans with extreme
caution on designated high-availability systems.

Spam protection: To control unwanted spam messages the organization should employ spam
protection mechanisms at system entry points and at workstations, servers or mobile computing
devices on the network to detect and take action on unsolicited messages transported by electronic
mail, electronic mail attachments, web accesses or other common means.

Information input restrictions:
The organization implements security measures to restrict information input to the control system to
authorized personnel only. Restrictions on personnel authorized to input information to the control
system may extend beyond the typical access requirements employed by the system and include
limitations based on specific operational or project responsibilities.

Information input accuracy, completeness, validity and authenticity: The Control system
employs mechanisms to check information for accuracy, completeness, validity and authenticity.

Control and standards for information access control:
Access control is used to provide authorized access to the information system, that is, to ensure that
resources are accessed only by the appropriate personnel and that personnel are correctly identified.
The major mechanisms of access control are as follows:
     Access control policy and procedures;
     Identification and authentication policy and procedures;
     Account management;
     Account review;
     User identification and authentication;
     Device identification and authentication;
     Passwords.
Access control policy and procedures: The organization should develop, disseminate and
periodically review and update a formal, documented access control policy that addresses
purpose, scope, roles, responsibilities, management commitment, coordination among organizational
entities and compliance.

Identification and authentication policy and procedures: The organization should develop,
disseminate and periodically review and update a formal, documented identification and
authentication policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities and compliance.

Account management: The organization manages the following controls for system accounts:
    Identifying account types (i.e., individual, group and system);
    Establishing conditions for group membership;
    Requiring appropriate approvals for requests to establish accounts;
    Authorizing, establishing, activating, modifying, disabling and removing accounts.

Account review: The organization reviews and analyzes system audit records at an
organization-defined frequency for indications of inappropriate or unusual activity and reports findings
to designated organizational officials.

User identification and authentication: The system uniquely identifies and authenticates
organizational users by using the following controls:
     The system employs multifactor authentication for remote access and for access to privileged
       accounts;
     The system employs multifactor authentication for network access and for access to privileged
       accounts;
     The system employs multifactor authentication for local and network access.

Device identification and authentication: The system uniquely identifies and authenticates an
organization defined list of devices before establishing a connection. The system authenticates
devices before establishing remote network connections using bi-directional authentication between
devices that is cryptographically based.

Password: The password is the key to an electronic account at the office. Selecting a good password is the
single most important thing one does to protect the security of an electronic account. The organization
develops and enforces policies and procedures for control system users concerning the generation
and use of passwords.

How does one choose a good password?
It is often said that choosing a good password will be the hardest thing that one does all day, and it's
true. Choosing a password that is both easy to remember and difficult to guess is not a small task.
However, there are some popular methods of choosing passwords which are usually considered fairly
good.
One such method is to use the first letter from each word in a phrase, including punctuation and
capitalization, and using numbers or symbols to represent words in the phrase.
Another method is to start with two or more unrelated words and then abbreviate or mangle them in
some manner, such that no part will be found in the dictionary. Make sure the two words aren't easily
guessable.
In addition to these methods, some rules prevent the user from choosing passwords with the bad
traits described above. Specifically, user passwords must have the following characteristics:
       Must be at least 6 characters long;
       Must contain at least 1 character from each of at least 3 different character classes. The
          character classes are:
               - lowercase letters;
               - uppercase letters;
               - numbers;
               - punctuation (printable characters other than letters or numbers);
               - all other characters (control characters).
       Must not appear to be systematic ("abcdef" will be rejected);
       Must not be based on anything in the user password file entry (name, login name, user id
          etc.);
       Must not be based on a dictionary word or a reversed dictionary word. A complete word as a
          substring will cause the user password to be rejected.
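The rules above can be checked mechanically. The following Python code is an added example, not part of the original chapter: it encodes this section's rules (at least 6 characters, 3 of the 5 character classes, not systematic, not based on the user's file entry, no dictionary word or reversed dictionary word as a substring) and also implements the "first letter of each word" method so the phrase-derived result can be run through the same checker. The small word list, the choice to call a run of four stepping characters "systematic" and the sample user fields are assumptions; turning words into symbols, as the method suggests, is left to the user. Note that this section requires 6 characters whereas the standards earlier in the chapter require 8; the code follows this section.

```python
# Added example (not from the original chapter): a checker for the password
# selection rules listed above, plus the "first letter of each word" method.
# The word list, the run length used to call a password "systematic" and the
# sample user fields are assumptions made for this illustration.
import string

MIN_LENGTH = 6
MIN_CLASSES = 3
# Constructed tiny word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "office"}


def character_classes(password: str) -> set:
    """Map each character to one of the five classes in the rules."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch.isprintable():
            classes.add("punctuation")   # printable, not a letter or digit
        else:
            classes.add("control")
    return classes


def is_systematic(password: str, run_length: int = 4) -> bool:
    """True if any window of run_length characters steps by -1, 0 or +1 throughout
    ("abcd", "6543", "aaaa"); "abcdef" from the text is caught by its first window."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run_length + 1):
        window = codes[i:i + run_length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps <= {-1, 0, 1}:
            return True
    return False


def based_on_user_entry(password: str, user_fields) -> bool:
    """Reject passwords containing a user-file field (or its reverse), case-insensitively."""
    p = password.lower()
    return any(len(v) >= 3 and (v in p or v[::-1] in p)
               for v in (str(f).lower() for f in user_fields))


def contains_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """A complete word, forwards or reversed, anywhere as a substring is rejected."""
    p = password.lower()
    return any(w in p or w[::-1] in p for w in dictionary)


def check_password(password: str, user_fields=(), dictionary=DICTIONARY) -> list:
    """Return the rules violated; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("fewer than 3 character classes")
    if is_systematic(password):
        problems.append("systematic")
    if based_on_user_entry(password, user_fields):
        problems.append("based on user entry")
    if contains_dictionary_word(password, dictionary):
        problems.append("contains dictionary word")
    return problems


def phrase_to_password(phrase: str) -> str:
    """First letter of each word, keeping capitalisation, trailing punctuation and
    numbers written in digits (the first method described in the text)."""
    out = []
    for token in phrase.split():
        if token.isdigit():
            out.append(token)
            continue
        out.append(token[0])
        if len(token) > 1 and not token[-1].isalnum():
            out.append(token[-1])
    return "".join(out)


if __name__ == "__main__":
    fields = ("alice", "Alice Rahman", "1042")   # constructed user-file entry
    candidates = ("abcdef", "Password1!", "ecilA99#",
                  phrase_to_password("My dog has 4 legs, really!"))
    for candidate in candidates:
        print(f"{candidate!r}: {check_password(candidate, fields) or 'accepted'}")
```

The dictionary and user-entry tests are deliberately case-insensitive and also try the reversed string, matching the rules' wording; the phrase "My dog has 4 legs, really!" yields "Mdh4l,r!", which passes every rule while "Password1!" fails only on the dictionary substring.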
Protective measures for passwords (individual):
A password is a secret which should be known only by the user. If anybody else learns the password, the
user's security has been compromised. Here are some measures for protecting the user's password:
     Never tell the password to anyone;
     Do not write down the password;
     Never put the password in electronic mail to anyone (including system administrators or those
        who claim to be system administrators). If the user ever gets mail from anyone asking for the
        password, please send mail to the lab immediately. Do not include the password;
     Change the password frequently, but choose a password that is easy to remember, so that
        users don't have to write it down;
     Do not type the password on any system that will put the password over a potentially insecure
        network in clear text.
Control measures for passwords (corporate):
     Default passwords of different systems or programs must be changed immediately after
        installation;
     The organization replaces default user names whenever possible;
     The organization develops policies that stipulate the complexity level of the password for each
        criticality level;
     Good security practices need to be followed in the generation of passwords;
     Passwords must be transferred to users via secure media.


Control and standards for computer audit:

Information system audit:
Information systems audit is a part of the overall audit process, which is one of the facilitators for good
corporate governance. There is no universal definition of IS audit. A famous information technologist,
Ron Weber, defined IS audit as "the process of collecting and evaluating evidence to determine
whether a computer system (information system) safeguards assets, maintains data integrity,
achieves organizational goals efficiently and consumes resources efficiently."


Importance of IS audit:
Information systems are the lifeblood of any large business. Information systems not only record business
transactions, but actually drive the key business processes of the enterprise. The purpose of IS audit is
to review and provide feedback, assurances and suggestions. IS audit is important because it serves:
      to ensure the availability of information for the business at all times when required;
      to ensure the system is well protected against all types of losses and disasters;
      to establish the confidentiality of the system;
      to check whether the system is always accurate, reliable and timely;
      to ensure that no unauthorized modification can be made to the data or the software in the
        system.


IS audit standard:
An IS audit standard provides audit professionals with a clear idea of the minimum level of acceptable
performance essential to discharge their responsibilities effectively. It sets out the audit objectives in a
computer information system (CIS) environment and elaborates on the following:
      The auditor's responsibility in gaining sufficient understanding and assurance on the adequacy
        of accounting and internal controls that protect against the inherent and control risks in a CIS,
        and the resulting considerations to be taken while designing audit procedures;
      The potential impact of auditing in a CIS on the assessment of control and audit risks;
      The auditor is required to determine the effect of the CIS environment on the audit arising from
        the following factors:
             The extent to which the CIS is used for recording, compiling and analyzing accounting
                information;
             The system of internal controls relating to authorized, complete, accurate and valid
                processing and reporting procedures;
             The impact of the CIS accounting system on the audit trail.
      The standard also requires the auditor to have sufficient knowledge of the CIS and to possess
        appropriate specialized skills to enable him to plan, direct, supervise, control and review the
        work performed.
                        S. F. Ahmed & Co. Articled Association (34th Association)
The IS audit process:
The purpose of IS audit is to review the systems and provide feedback, assurance and suggestions. The
concerns it addresses can be grouped under three broad heads:
Availability: Will the information systems on which the business is heavily dependent be available to
the business at all times when required? Are the systems well protected against all types of losses
and disasters?
Confidentiality: Will the information in the systems be disclosed only to those who have a need to
see and use it, and not to anyone else?
Integrity: Will the information provided by the systems always be accurate, reliable and timely? What
ensures that no unauthorized modification can be made to the data or the software in the systems?


Elements of IS audit:
An information system is not just a computer. Today's information systems are complex and have
many components that fit together to make a business solution. Assurance about an information
system can be obtained only if all the components are evaluated and secured: proverbially, the chain is
only as strong as its weakest link. The major elements of IS audit can be broadly classified as follows:
Physical and environmental review: This includes physical security, power supply and conditioning,
humidity control and other environmental factors.
System administration review: This includes a security review of the operating systems and database
management systems, and of all system administration procedures and compliance with them.
Application software review: The business application could be payroll, invoicing, a web-based
customer order processing system or an enterprise resource planning system that actually runs the
business. Review of such application software covers access control and authorizations,
validations, error and exception handling, business process flows within the application software and
complementary manual controls and procedures. Additionally, a review of the system development
lifecycle should be completed.
Network security review: Review of internal and external connections to the system, perimeter
security, firewall review, router access control lists, port scanning and intrusion detection are some
typical areas of coverage.
Business continuity review: This includes the existence and maintenance of fault-tolerant and
redundant hardware, backup procedures and storage, and a documented and tested disaster recovery and
business continuity plan.
Data integrity review: The purpose of this is scrutiny of live data to verify the adequacy of controls and
the impact of weaknesses noticed in any of the above reviews. Such substantive testing can be
done using generalized audit software (a form of computer-assisted audit technique, or CAAT).


Events of computer audit:
Computer audit examines system records and activities to determine how secure a system is and
whether it has been breached. The areas listed below map onto the audit and accountability (AU)
control family of NIST SP 800-53:
     Audit and accountability policy and procedures;
     Auditable events;
     Content of audit records;
     Audit storage capacity;
     Response to audit processing failure;
     Audit monitoring, analysis and reporting;
     Time stamps;
     Protection of audit information;
     Audit generation.
Audit and accountability policy and procedures: The organization develops, disseminates and
periodically updates a formal, documented audit and accountability policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among organizational entities
and compliance.

Auditable events: The organization determines, based on a risk assessment in conjunction with
mission/business needs, which system-related events require auditing; ensures that the set of
auditable events is adequate to support after-the-fact investigation of security incidents; and includes
the execution of privileged functions in the list of events to be audited by the system.

Content of audit records: The system produces audit records that contain sufficient information to
establish what events occurred, when and where they occurred, the source of each event and its
outcome.

Audit storage capacity: The organization allocates sufficient audit record storage capacity and
configures auditing to reduce the likelihood of that capacity being exceeded.

Response to audit processing failure: The system provides a warning when the allocated audit record
storage volume reaches an organization-defined percentage of the maximum audit record storage
capacity, so that the organization can act before audit records are lost.

Audit monitoring, analysis and reporting: The system reviews and analyzes audit records at an
organization-defined frequency for indications of inappropriate or unusual activity and reports findings to
designated organizational officials. The organization analyzes and correlates audit records across
different repositories to gain organization-wide situational awareness.
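The content, storage-capacity and monitoring requirements above, as an added worked example that is not part of these notes or of any standard: the script checks that each record can answer what, when, where, source and outcome, flags bursts of failed logins and every execution of a privileged function, and implements the storage warning threshold. The JSON-lines record format, the sample records, the 80 percent threshold and the burst parameters are constructed assumptions.

```python
"""Constructed checks over audit records: content completeness, a review for
unusual activity and the storage-capacity warning.  Example code added to
these notes; the JSON-lines format and sample records are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields every record needs to establish what, when, where, source and outcome.
REQUIRED_FIELDS = ("event", "time", "host", "source", "outcome")

# Constructed sample records, one JSON object per line.  The last record is
# deliberately missing its outcome; 10.0.0.9 produces a burst of failures.
SAMPLE_LOG = """
{"event": "login", "time": "2024-03-01T09:00:00", "host": "erp01", "source": "10.0.0.5", "user": "alice", "outcome": "success"}
{"event": "login", "time": "2024-03-01T09:01:00", "host": "erp01", "source": "10.0.0.9", "user": "bob", "outcome": "failure"}
{"event": "login", "time": "2024-03-01T09:01:20", "host": "erp01", "source": "10.0.0.9", "user": "bob", "outcome": "failure"}
{"event": "login", "time": "2024-03-01T09:01:45", "host": "erp01", "source": "10.0.0.9", "user": "admin", "outcome": "failure"}
{"event": "login", "time": "2024-03-01T09:02:10", "host": "erp01", "source": "10.0.0.9", "user": "admin", "outcome": "failure"}
{"event": "privileged_function", "time": "2024-03-01T09:03:00", "host": "erp01", "source": "10.0.0.5", "user": "alice", "outcome": "success", "detail": "change_audit_policy"}
{"event": "file_read", "time": "2024-03-01T09:04:00", "host": "erp01", "source": "10.0.0.5", "user": "alice"}
"""


def parse_records(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def incomplete_records(records):
    """Content control: (index, missing fields) for records that cannot answer
    what/when/where/source/outcome."""
    found = []
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            found.append((i, missing))
    return found


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Monitoring control: sources with at least `threshold` failed logins
    inside any `window` (a sliding window over sorted failure times)."""
    failures = defaultdict(list)
    for rec in records:
        if rec.get("event") == "login" and rec.get("outcome") == "failure":
            failures[rec["source"]].append(datetime.fromisoformat(rec["time"]))
    findings = {}
    for source, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings[source] = j - i
                break
    return findings


def privileged_function_uses(records):
    """Every execution of a privileged function, which the auditable-events
    policy requires to be logged and which therefore deserves review."""
    return [(r["user"], r.get("detail", "")) for r in records
            if r.get("event") == "privileged_function"]


def storage_warning(used_bytes, capacity_bytes, warn_percent=80):
    """Capacity control: True once used storage reaches the organization-
    defined percentage of the allocated capacity (80% is an assumption)."""
    return used_bytes * 100 >= capacity_bytes * warn_percent


def review(text):
    """Run all checks and return the findings for the designated official."""
    records = parse_records(text)
    return {"incomplete": incomplete_records(records),
            "login_bursts": failed_login_bursts(records),
            "privileged": privileged_function_uses(records)}


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
    print("storage warning:", storage_warning(850_000_000, 1_000_000_000))
```

Run against the sample, the review reports the file_read record that lacks an outcome, the four-failure burst from 10.0.0.9 and alice's change to the audit policy. The same functions would be run over records pulled from the audit repository at the organization-defined frequency, with the findings sent to the designated official.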

Time stamps: The system uses internal system clocks to generate time stamps for audit records and
synchronizes those clocks at an organization-defined frequency, since records from different systems
can only be correlated if their clocks agree.

Protection of audit information: The system protects audit information and audit tools from
unauthorized access, modification and deletion.
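Access control is the primary protection for audit information. The following added example (not part of these notes) shows a complementary detective control: a keyed hash chain over stored audit records, so that modification, deletion or reordering of records is detected when the chain is verified. The records are constructed and the key is a placeholder; the assumption is that the HMAC key and the last-tag checkpoint are held by the log collector or the auditor, not on the audited host, because an attacker holding the key could simply re-chain the log.

```python
"""Tamper-evident audit log: each stored record carries an HMAC over its
content and the previous record's tag, so modification, deletion or
reordering breaks the chain on verification.  Example added to these notes;
the records are constructed and the key is a placeholder that in practice
would be held by the log collector, not on the audited host."""
import hashlib
import hmac
import json

GENESIS = "0" * 64          # tag assumed to precede the first record


def _tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag plus canonical JSON of the record."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(key, log, record):
    """Append `record` to `log` (a list of entries) and return its tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"record": record, "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry["tag"]


def verify_chain(key, log, expected_last_tag=None):
    """Return (True, None) if every entry chains to its predecessor, else
    (False, index of the first bad entry).  `expected_last_tag` is a checkpoint
    kept outside the log; without it, cutting records off the end is invisible."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_tag(key, prev_tag, entry["record"]), entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return False, len(log)
    return True, None


def sample_log(key):
    """Build a constructed three-record log; returns (log, last_tag)."""
    log, last = [], None
    for rec in ({"user": "alice", "event": "login", "outcome": "success"},
                {"user": "alice", "event": "privileged_function", "detail": "change_audit_policy"},
                {"user": "alice", "event": "logout", "outcome": "success"}):
        last = append_record(key, log, rec)
    return log, last


def modified_copy(log):
    """An insider rewrites the privileged action to look like a harmless read."""
    copy = json.loads(json.dumps(log))
    copy[1]["record"]["event"] = "file_read"
    return copy


def deleted_copy(log):
    """An insider removes the privileged action entirely."""
    return log[:1] + log[2:]


if __name__ == "__main__":
    key = b"constructed-demo-key"          # placeholder, see note above
    log, last = sample_log(key)
    print("intact:   ", verify_chain(key, log, last))
    print("modified: ", verify_chain(key, modified_copy(log), last))
    print("deleted:  ", verify_chain(key, deleted_copy(log), last))
    print("truncated:", verify_chain(key, log[:2], last))
    print("truncated, no checkpoint:", verify_chain(key, log[:2]))
```

The last line of the demo is the caveat: an internal chain cannot tell that the newest records were cut off, so the collector must keep the latest tag (or forward records to write-once storage) for truncation to be detectable.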

Audit generation: The system provides audit record generation capability for the auditable events,
allows authorized users to select which auditable events are to be audited by specific components of
the system, and generates audit records for the selected events.


Control and standards for system implementation phases:
Controls over the system implementation phases govern an information system from analysis through
to implementation. They cover the following:
     System installation;
     System testing;
     Documentation;
     Training;
     File conversion and change-over.

System installation: An implementation plan should be documented, communicated and approved.

System testing: A test plan/methodology should exist for managing and monitoring the testing effort
to provide reasonable assurance that the system functionality is fully tested.

Documentation: Documentation is one of the most important tools for control. System documentation
should include the following:
System descriptions: System descriptions provide narrative explanations of operating environments
and the interrelated input, processing and output functions of integrated application systems.
System documentation: System documentation includes system flowcharts and models that identify
the source and type of input information, processing and control actions and the nature and location of
output information.
System file layouts: System file layouts describe collections of related records generated by
individual processing applications.

Training: Personnel training is important for the successful implementation of an information system
because it is through training that employees learn to cope with the new system. Without
knowing the full process of the system, a person cannot handle all the functionalities of the information
system, so employees must be oriented to the new system by training. Training is necessary for both
system operators and users. The types of training they require are as follows:

System operators need the following training:
     System training;
     Network training;
     Hardware training;
     Security training;
     Maintenance training;
     Data recovery and backup training;
     System software training; etc.
Users need the following training:
     System software training;
     Facilities training;
     Operating system training; etc.

File conversion and change-over: When an automated or new system is implemented, the existing
files must be carried over into the new system. These files may be in manual or automated
form. The tasks in this section are twofold:
     Data input of the file;
     Data verification of the file.
When a manual file is replaced, the hard-copy data must be entered into the system and the accuracy
of the input verified. For this, organizations employ a parallel conversion methodology: parallel
operation consists of running the old process or system and the new system simultaneously, comparing
their outputs, until the new system is certified.
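The two conversion tasks above (input, then verification) and the parallel run, as an added example that is not from these notes: control totals over the converted file detect lost, duplicated or mis-keyed records, and the same per-account reconciliation serves to compare the old and new systems' outputs during parallel operation. The CSV layout and the figures are constructed; the keying error in account 1003 is deliberate.

```python
"""Constructed conversion checks: control totals over the converted file and a
per-account reconciliation used both to verify keyed-in data and to compare
the old and new systems during parallel operation.  Example added to these
notes; the CSV layout and figures are assumptions."""
import csv
import io
from decimal import Decimal

# Legacy balances as they stand in the old system, and the same file as keyed
# into the new one.  Account 1003 carries a deliberate transposition error.
LEGACY_CSV = """account,balance
1001,1500.00
1002,-250.50
1003,9800.25
1004,0.00
"""
LOADED_CSV = """account,balance
1001,1500.00
1002,-250.50
1003,9800.52
1004,0.00
"""


def read_balances(text):
    """Parse a CSV of account,balance into {account: Decimal}."""
    return {row["account"]: Decimal(row["balance"])
            for row in csv.DictReader(io.StringIO(text))}


def control_totals(balances):
    """Record count, amount total and a hash total of account numbers; a
    lost, duplicated or mis-keyed record changes at least one of them."""
    return {"count": len(balances),
            "amount": sum(balances.values(), Decimal("0")),
            "hash_total": sum(int(a) for a in balances)}


def reconcile(old, new):
    """Per-account differences between two runs; empty when they agree.
    A missing account shows up as None on the side that lacks it."""
    diffs = {}
    for acct in sorted(set(old) | set(new)):
        if old.get(acct) != new.get(acct):
            diffs[acct] = (old.get(acct), new.get(acct))
    return diffs


def certify(old, new):
    """The new system is certified only when the control totals agree and no
    account differs between the two runs."""
    return control_totals(old) == control_totals(new) and not reconcile(old, new)


if __name__ == "__main__":
    old, new = read_balances(LEGACY_CSV), read_balances(LOADED_CSV)
    print("legacy totals:", control_totals(old))
    print("loaded totals:", control_totals(new))
    print("differences:  ", reconcile(old, new))
    print("certified:    ", certify(old, new))
```

The amount total alone would not catch two offsetting keying errors, which is why the record count and the hash total of account numbers are checked as well; the per-account listing then tells the data-entry clerk exactly which record to correct before the parallel run is repeated.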


Control and standards for system maintenance and evaluation:
Computer system maintenance procedures should adequately protect computer hardware against
failure over the expected useful life of the equipment, and equipment should be serviced according to
the manufacturer's recommendations as specified in the contract with the vendor. Controls and standards
for the system maintenance and evaluation process include the following:
      System maintenance policy and procedures;
      Legacy system upgrades;
      System monitoring and evaluation;
      Backup and recovery;
      Unplanned system maintenance;
      Periodic system maintenance;
      Post-implementation review.
System maintenance policy and procedures: A system maintenance policy is a formal,
documented policy for control system maintenance that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities and compliance. The
organization ensures that the control system maintenance policy and procedures are consistent with
applicable laws, directives, policies, regulations, standards and guidance, and the policy should be
included as part of the organization's general information security policy. System maintenance
procedures should be developed for the security program in general and for a particular control system
when required.

Legacy system upgrades: The organization develops policies and procedures to upgrade existing
legacy control systems to include security mitigating measures commensurate with the organization’s
risk tolerance and the risk to the system and processes controlled.

System monitoring and evaluation: The organization conducts periodic security vulnerability
assessments according to the risk management plan and accordingly it should be monitored and
evaluated periodically to identify vulnerabilities or conditions that might affect the security of a control
system.

Back-up and recovery: The organization makes and secures backups of critical system software,
applications and data for use if the control system operating system software becomes corrupted or
destroyed.

Unplanned system maintenance: Unplanned maintenance is required to support control system
operation in the event of system/component malfunction or failure. Security requirements necessitate
that all unplanned maintenance activities use approved contingency plans and document all actions
taken to restore operability to the system.

Periodic system maintenance: The organization schedules, performs, documents and reviews records of
maintenance and repairs on system components in accordance with manufacturer or vendor
specifications and/or organizational requirements, and it verifies after each maintenance or repair
action that the security controls are still functioning properly.
Post implementation review: Organizations implement various IT solutions to meet their business
requirements. Once the solutions are implemented, post implementation reviews are generally carried
out by IS auditors to assess the effectiveness and efficiency of the IT solutions and their
implementation, initiate actions to improve the solution (where necessary) and serve as a learning tool
for the future.


Risks to IT systems:

IT risk assessment:
Before an organization commits resources to controls, it must know which assets require protection
and the extent to which these assets are vulnerable. A risk assessment helps answer these questions
and also helps the firm determine the most cost-effective set of controls for protecting assets. A risk
assessment determines the level of risk to the firm if a specific activity or process is not properly
controlled. Business managers working with information systems specialists can determine the value
of information assets, points of vulnerability, the likely frequency of a problem and the potential for
damage.
One problem with risk assessment and other methods for quantifying security costs and benefits is
that organizations do not always know the precise probability of threats occurring to their information
systems, and they may not be able to quantify the impact of such events accurately. Nevertheless,
some effort to anticipate, budget for and control direct and indirect security costs is still worthwhile.
The end product of risk assessment is a plan to minimize overall cost and maximize defenses. To
decide which controls to use, information systems builders must examine the various control techniques
in relation to each other and to their relative cost-effectiveness. A control weakness at one point may
be offset by a strong control at another. It may not be cost-effective to build tight controls at every
point in the processing cycle if the areas of greatest risk are secure or if compensating controls exist
elsewhere. The combination of all of the controls developed for a particular application determines the
application's overall level of control. The areas to be focused upon are:
     1. Prioritization;
     2. Identifying critical applications;
     3. Assessing their impact on the organization;
     4. Determining recovery time-frames;
     5. Assessing insurance coverage.


What is a computer virus? What precautions can a business take against viruses?
Viruses are a form of high-tech malice that destroys data and software. One
of the most destructive examples of computer crime involves the creation of computer viruses. Virus is
the more popular term, but technically a virus is program code that cannot run on its own and must be
inserted into another program. Such programs copy annoying or destructive routines into the
networked computer systems of anyone who accesses computers infected with the virus or who uses
copies of magnetic disks taken from infected computers. Thus, a computer virus can spread
destruction among many users. Though they sometimes display only humorous messages, they more
often destroy the contents of memory, hard disks and other storage devices. The copy routines in the
virus or worm spread it and destroy the data and software of many computer users. In a word,
a computer virus is a rogue software program that attaches itself to other software programs or data
files in order to be executed, usually without the user's knowledge or permission.
When a virus-infected program is run, the virus, which has modified its host, is able to replicate itself.
Some viruses are merely annoying, such as one that causes a small dot to wander randomly across the
screen; others delete data.
There are many virus detection packages on the market today. These can be used to detect, control
or remove viruses from the computer system. The increasing use of intranets and extranets in
business gives viruses more paths to spread, so data security, system security,
integrity, privacy and confidentiality are all affected. To safeguard computer
systems from virus infection, the following precautions should be taken:
      Install virus detection, control and removal programs on the computer systems;
      Use only licensed and authorized programs; avoid pirated programs;
      Screen all disks with anti-virus programs and minimize disk swapping between systems;
      Keep the anti-virus system active during use of a network or the Internet;
      Keep the anti-virus system updated with the latest available version and signature files;
      Maintain backup copies of important and critical data files and programs to recover from a
          disaster; etc.
Typical symptoms of virus activity are:
    The operating system loads slowly;
    Opening a file is slow;
    Opening a program is slow;
    Logging in may fail;
    Internet access may be unavailable or disrupted;
    Error messages while booting (apparent hardware failure);
    The font of a document may change;
    Hard disk failure; etc.


Hacking:
Hacking remains the most common form of cyber crime and it continues to grow in popularity. A
hacker is someone who uses a computer and a network or Internet connection to intrude into another
computer or system to perform an illegal act. This may amount to simple trespassing or to acts that
corrupt, destroy or change data.
In another form, hacking can be the basis for a Distributed Denial of Service (DDOS) attack, in which
a hacker hides malicious code on the PCs of many unsuspecting victims. This code may enable the
hacker to take over the infected PCs or simply use them to send requests to a Web Server.
Successful DDOS attacks can cost targeted companies millions of dollars. The extent of the problem
is not known simply because it is so widespread. PricewaterhouseCoopers estimates that viruses and
hacking alone cost the world economy upwards of $1.6 trillion in 2003.
At one time, a hacker was just a person who understood computers well; however, hacking now refers
to criminal or antisocial activity. Today, hackers’ activities are usually categorized by their intent:
      Recreation attacks;
      Business or financial attacks;
      Intelligence attacks;
      Grudge and military attacks;
      Terrorist attacks.
Other than posing an invasion of privacy, recreational hacking is relatively harmless. In most cases,
recreational hackers just attempt to prove their abilities without doing any damage. In business,
financial or intelligence attacks, however, hackers often engage in data diddling (forging or changing
records for personal gain) or attempt to copy the data from the penetrated system. Grudge attacks
are carried out by hackers with a grievance against an individual or organization, and such attacks are
frequently destructive. The harm from terrorist attacks could be catastrophic. The industrial world is
highly dependent on its computers, and there is evidence that this type of attack may be a tool of
future war.


Common hacking methods:
Hackers use a variety of methods to break into computer systems. These methods fall into three
broad categories:
Sniffing: As used here, sniffing refers to obtaining a user's password. There are three ways to sniff a
password: password sharing, password guessing and password capture. Password sharing is the
most common and occurs when a victim simply discloses his or her password to a hacker. Passwords
are shared out of simple ignorance, when victims do not realize that the password might be used
against their wishes or in ways they would never intend. Password guessing is done exactly as the
term implies: a hacker tries to guess a user's password and keeps trying until he or she gets it right.
Users can safeguard against password guessing by using long, complex passwords. Network
administrators can prevent guessing by limiting the number of attempts anyone can make to log into
the network. In password capture, a password is obtained by some type of malware program and
forwarded to the hacker, or captured electronically on the network if it is sent as text that is not
encrypted. For example, during a login session a hacker may intercept the password as it is sent to a
server even if the server stores it in encrypted (hashed) form: encryption at rest on the server does
nothing to protect a password that travels in clear text, so the login channel itself must be encrypted.
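The administrator's countermeasure above (limiting the number of login attempts), as an added worked example that is not from these notes: a small guard that counts failed attempts per account inside a sliding window and then locks the account for a fixed period, with passwords stored as salted PBKDF2 hashes rather than clear text. The attempt limits, lockout period, deny-list and the "bob" account are constructed assumptions.

```python
"""Constructed login guard against password guessing: a limited number of
failed attempts per account inside a window, then a timed lockout, plus a
minimum password rule.  Example added to these notes; the policy numbers,
the deny-list and the demo account are assumptions."""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000                      # assumption; tune to hardware
DENYLIST = {"password", "password1", "password123", "123456", "qwerty"}


def password_is_acceptable(password):
    """Length and a deny-list of common passwords matter more against guessing
    than mixed character classes; the 12-character floor is an assumption."""
    return len(password) >= 12 and password.lower() not in DENYLIST


class LoginGuard:
    def __init__(self, max_attempts=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> times of recent failures
        self.locked_until = {}               # account -> lockout expiry
        self.users = {}                      # account -> (salt, pbkdf2 hash)

    def register(self, account, password):
        if not password_is_acceptable(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.users[account] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _password_ok(self, account, password):
        if account not in self.users:
            self._hash(password, b"\0" * 16)   # same cost, so timing does not reveal valid accounts
            return False
        salt, stored = self.users[account]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def attempt(self, account, password, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt at time `now`."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if self._password_ok(account, password):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


def demo_sequence():
    """Three wrong guesses lock the account; the right password is refused
    until the lockout expires.  Returns the outcome of each attempt."""
    guard = LoginGuard(max_attempts=3)
    guard.register("bob", "correct horse battery staple")
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    steps = [("bob", "guess1", 0), ("bob", "guess2", 10), ("bob", "guess3", 20),
             ("bob", "correct horse battery staple", 60),
             ("bob", "correct horse battery staple", 31 * 60),
             ("nobody", "anything", 31 * 60)]
    return [guard.attempt(acct, pw, t0 + timedelta(seconds=s)) for acct, pw, s in steps]


if __name__ == "__main__":
    print(demo_sequence())   # ['denied', 'denied', 'locked', 'locked', 'ok', 'denied']
```

Two caveats a practitioner would add: a per-account lockout can be turned into a denial of service against legitimate users by anyone who knows their account names, and it does nothing against a "spray" of one common password across many accounts, so it is normally paired with per-source rate limiting and with logging of every failure for the audit review described earlier.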
Social engineering: Social engineering used to be called "running a confidence game." The hacker
may use any number of frauds to "con" victims out of their passwords. It might be as simple as
dumpster diving: just as in identity theft, a password thief searches the victim's trash in order to find
useful access information. Other forms of social engineering are the "phone survey," the "application"
and the "emergency situation." In these situations, a hacker contacts potential victims by phone or
e-mail and asks them to provide password information for an apparently legitimate reason. This
method is sometimes referred to as phishing.
Spoofing: Hackers may alter an e-mail header to make it appear that a request for information
originated from another address. This is called spoofing. They can also gain electronic entry by pretending
to be a legitimate computer, which is called IP spoofing. Using this technique, the hacker intercepts
a message or gains access to the system by posing as an authorized user. On a network, this is done
by altering the message information to make it appear that it originated from a trusted computer.


How to protect systems from hackers:
The following measures may be taken to protect an information system from hackers:
    Implement firewalls;
    Develop a corporate security policy;
    Install anti-virus software;
    Keep the operating system up to date;
    Do not run unnecessary network services;
    Conduct vulnerability tests;
    Avoid scam and spam websites;
    Secure the ports.


Controls for personal systems:
An effective control system provides reasonable, but not absolute, assurance of the safeguarding of
assets, the reliability of financial information and compliance with laws and regulations. The degree
of control employed is a matter of good business judgment. There are two categories of control over
personal systems that ensure the processing integrity, security and safeguarding of IT resources:
      General controls;
      Application controls.
General controls: These represent the foundation of the IT control structure. They help to ensure the
reliability of data generated by IT systems and support the assertion that systems operate as intended
and that output is reliable. General controls include:
      Access security, data and program security, physical security;
      Software development and program change controls;
      Data center operations;
      Disaster recovery.

Application controls: Application or program controls ensure the complete and accurate
processing of data from input through output. These controls vary with the
business purpose of the specific application. Applications are the programs and processes, including
manual processes, that enable us to conduct essential activities:
      Buying products;
      Paying people;
      Accounting for research costs;
      Forecasting and monitoring budgets.
Application controls apply to application systems and include input controls (e.g., edit checks),
processing controls (e.g., record counts) and output controls (e.g., error listings); they are specific to
individual applications. Application controls include:
      Input controls;
      Authorization;
      Validation;
      Error notification and correction;
      Processing controls;
      Output controls.
They consist of the mechanisms in place over each separate system that ensure that authorized
data is completely and accurately processed.
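The three kinds of application control named above (edit checks on input, record counts and control totals in processing, an error listing on output) applied to one constructed batch, as an added example that is not from these notes. The invoice layout, the approver table, the amount ceiling and the batch header are assumptions; records INV-1003 and INV-1004 are deliberately defective.

```python
"""Constructed batch of supplier invoices passed through input controls (edit
checks and authorization), a processing control (record count and control
total against the batch header) and an output control (error listing).
Example added to these notes; the record layout, approver table and batch
header are assumptions."""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

APPROVERS = {"carol", "dave"}                 # staff authorized to approve invoices
AMOUNT_LIMIT = Decimal("100000")              # reasonableness ceiling (assumption)

# Batch header keyed by the clerk from the manual batch slip: expected record
# count and sum of amounts for the batch as submitted.
BATCH_HEADER = {"count": 4, "total": Decimal("1625.00")}

# Constructed transactions.  The third has a bad supplier code and an invalid
# date; the fourth has a negative amount and an unauthorized approver.
BATCH = [
    {"ref": "INV-1001", "supplier": "S001", "amount": "500.00", "date": "2024-03-01", "approver": "carol"},
    {"ref": "INV-1002", "supplier": "S002", "amount": "1200.00", "date": "2024-03-01", "approver": "dave"},
    {"ref": "INV-1003", "supplier": "S00X", "amount": "25.00", "date": "2024-13-01", "approver": "carol"},
    {"ref": "INV-1004", "supplier": "S003", "amount": "-100.00", "date": "2024-03-02", "approver": "eve"},
]


def _amount(rec):
    """Parse the amount field; non-numeric values count as zero here and are
    rejected by the edit checks before posting."""
    try:
        return Decimal(rec.get("amount", ""))
    except InvalidOperation:
        return Decimal("0")


def edit_checks(rec):
    """Input controls for one record: format, range, validity and
    authorization.  Returns the list of failed checks (empty means accepted)."""
    errors = []
    if not re.fullmatch(r"INV-\d{4}", rec.get("ref", "")):
        errors.append("ref format")
    if not re.fullmatch(r"S\d{3}", rec.get("supplier", "")):
        errors.append("supplier code format")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount > AMOUNT_LIMIT:
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("invalid date")
    if rec.get("approver") not in APPROVERS:
        errors.append("not authorized")
    return errors


def batch_control(batch, header):
    """Processing control: the batch as received must agree with the header's
    record count and control total, which catches lost or duplicated records."""
    count = len(batch)
    total = sum((_amount(r) for r in batch), Decimal("0"))
    return {"input_count": count, "input_total": total,
            "balanced": count == header["count"] and total == header["total"]}


def process_batch(batch):
    """Post the records that pass the edit checks; everything else goes to the
    error listing (output control) for correction and re-submission."""
    accepted, errors = [], []
    for rec in batch:
        failed = edit_checks(rec)
        if failed:
            errors.append((rec["ref"], failed))
        else:
            accepted.append(rec)
    run_total = sum((_amount(r) for r in accepted), Decimal("0"))
    return {"accepted": [r["ref"] for r in accepted], "run_total": run_total,
            "errors": errors}


if __name__ == "__main__":
    control = batch_control(BATCH, BATCH_HEADER)
    print("batch balanced to header:", control["balanced"])
    result = process_batch(BATCH)
    print("posted:", result["accepted"], "total", result["run_total"])
    print("error listing:")
    for ref, failed in result["errors"]:
        print(f"  {ref}: {', '.join(failed)}")
```

The batch balances to its header (nothing was lost between the clerk and the program) even though two records are rejected; the posted total of 1,700.00 plus the rejected 25.00 and -100.00 reconciles back to the header total, which is the check an auditor performs on the output.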

What are the possible categories of risk when the company starts to use customized
accounting software? What measures can be taken to counter the risk?
The possible categories of risk when the multinational company starts to use customized
accounting software are as follows:
Customization: Without proper customization, the accounting system cannot bring better
results for the organization. Customization covers financial reports, input screens, forms, source code etc.
Proper documentation: Proper documentation of the system is very important;
otherwise future improvement of the system is under threat.
Training: Before a new system is implemented, training is important to familiarize employees with the
system, which ensures its accurate and optimum use.
Vendor reliability: To ensure a good accounting system, users must rely on continued support from
the vendor. For this reason, the vendor should be reliable and available when needed.
Environment: The organizational environment is a great risk factor, because without a proper
environment for the accounting system it is very difficult to implement and run it.
Security issue: System security, which ensures data integrity, privacy and confidentiality, is a big
risk factor for an accounting system.
Proper maintenance: Maintenance of the system is another risk. Minor modifications to
the system to optimize performance, improve its usability or accommodate small changes in the
environment will have to be made from time to time while the system is operational.

Measures that can be taken to counter the risk are as follows:
    To ensure proper customization, continuous review of the system is necessary;
    Documentation of the system must be preserved carefully;
    Employees must be trained and a suitable work environment created;
    The system should be developed by a reliable vendor;
    Proper security measures must be ensured;
    Provision for continuous maintenance by experts should be made.

The reasons of people resist imposed change:
The reasons why people resist imposed change, and not change that they initiate themselves, can largely be
attributed to fear. This applies to computerization in an organization. Specifically, what
individuals fear relates to their security and the uncertainty of the impact that change will have upon
them personally. It is necessary somehow to help employees overcome this fear in
order to introduce changes smoothly. Employees will accept computerization more easily when they are
taken into confidence. In respect of employees in general, do the following:
     Inform them;
     Indicate the benefits to them;
     Be honest with them;
     Get employees' opinions;
     Involve employees in discussion;
     Use subcommittees;
     Use a third party;
     Assess management style;
     Don't delay decision making;
     Get feedback from employees;
     Consider alternatives;
     Possibly try a "pilot implementation".
When management ignores these actions, the change process will be a bumpy ride with
unpredictable results.

Ethics in business:
Ethics in business means the principles of right and wrong that businesses and users,
acting as free moral agents, use to make choices that guide their behavior. Organizations must provide
employees with clear guidelines for conduct and encourage them to uphold high ethical standards in
their everyday business practice. Ethical behavior can be assessed against three sources:
      the laws and regulations that specify codes of conduct;
      the explicit ethical guidelines established by an organization; and
      the ethical and moral code of conduct of an individual.

Ethical problems in business:
Computers now present new ethical problems in business, among them:
     Privacy: People want to be in full control of what and how much information about themselves is
        shared, and some information should not be shared without the individual's permission.
     Security: Computer security is an attempt to avoid such undesirable events as loss of
        confidentiality or of data integrity.
     Ownership of property: Laws designed to protect real property rights have been extended to
        cover what is referred to as intellectual property, such as software.
     Equity and access: Some barriers to access are intrinsic to the technology of information
        systems, but some are avoidable through careful system design.

                                               The end