Chapter 16 by yurtgc548


Chapter 16

IT Controls, Asset Protection, and
• Managers who own or use IT assets are
  responsible for securing them
• With interconnected enterprises (B2B),
  intrusion at a partner may result in
  business compromise locally
• Security is an integrated, continuous
  process that takes place at all levels
The Meaning and Importance of
• Control is a primary management
  – Managers must have routine methods for
    comparing actual and planned performance
  – “Planning and control are inseparable”
  – IT controls are critical because other parts of
    the organization use computer-generated
    reports as the basis of their control activities
Why Controls are Important to
1. Control is a primary management responsibility
2. Uncontrolled events can be very damaging
3. The firm relies on IT for many control
4. U.S. law requires certain control measures in
   public corporations
5. Controls assist organizations in protecting
6. Technology introduction requires controlled
Business Control Principles
• The primary job of all managers is to take
  charge of the assets entrusted to them,
  capitalize on these assets to advance their
  part of the business, and grow, develop, or
  add value to them
  – managers entrusted with information assets
    must control and protect them
  – implementing business controls is an ethical
Asset Identification and
• Managers must know what assets they
  own or control, and their value
  – Tangible – Physical assets – routers, PCs,
    servers, telephones
  – Intangible – Intellectual assets – operating
    systems, databases, applications
  – Managers must inventory and value items
Separation of Duties
• Several individuals are involved in
  transaction processing
  – In order for fraud to occur, several individuals
    must work together
  – Control can be made even more effective by
    routinely rotating the job duties assigned to
    these transaction tasks
  – Must validate output with input
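As an added example (not from the chapter), the maker-checker workflow below enforces the separation-of-duties principle in code: the user names and role table are assumed, initiating and approving are separate actions, the initiator can never approve their own transaction, and every attempt, allowed or denied, is written to an audit trail.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed role table (constructed); "dave" holds both roles to show self-approval is still blocked
ROLES = {
    "alice": {"clerk"},
    "bob": {"supervisor"},
    "carol": {"auditor"},
    "dave": {"clerk", "supervisor"},
}

@dataclass
class Transaction:
    txn_id: int
    amount: float
    payee: str
    initiated_by: str
    approved_by: Optional[str] = None

@dataclass
class Ledger:
    transactions: Dict[int, Transaction] = field(default_factory=dict)
    audit_trail: List[str] = field(default_factory=list)
    next_id: int = 1

    def _log(self, user: str, action: str, txn_id: int, outcome: str) -> None:
        # Every attempt, allowed or denied, goes on the audit trail
        self.audit_trail.append(f"user={user} action={action} txn={txn_id} outcome={outcome}")

    def initiate(self, user: str, amount: float, payee: str) -> int:
        # Origination control: only a clerk may enter a transaction
        if "clerk" not in ROLES.get(user, set()):
            self._log(user, "initiate", 0, "denied: not a clerk")
            raise PermissionError("only clerks may originate transactions")
        txn = Transaction(self.next_id, amount, payee, initiated_by=user)
        self.transactions[txn.txn_id] = txn
        self.next_id += 1
        self._log(user, "initiate", txn.txn_id, "ok")
        return txn.txn_id

    def approve(self, user: str, txn_id: int) -> bool:
        txn = self.transactions[txn_id]
        # Approval needs the supervisor role AND a person other than the initiator
        if "supervisor" not in ROLES.get(user, set()) or user == txn.initiated_by:
            self._log(user, "approve", txn_id, "denied: separation of duties")
            return False
        txn.approved_by = user
        self._log(user, "approve", txn_id, "ok")
        return True
```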
Efficiency and Effectiveness of
• Controls are best when they are simple
  and are easily understood
• They are most effective when they are part
  of the routine and produce action in a
  timely manner
• Control cost and overhead must be
  balanced vs. risk and magnitude of loss
• Managers must analyze the application
  and use good judgment
Control Responsibilities
1. The application program owner (almost
   always a manager)
2. Application users (some applications
   have many)
3. The application’s programming manager
4. The individual providing the computing
5. The IT manager (in either the line or staff
Owner and User Responsibilities
• Owners are responsible for providing
  business direction for their applications
  – authorizes the program’s use
  – classifies the associated data
  – stipulates program and data access controls
• Users are individuals or groups authorized
  by owners to use applications according to
  owners’ specifications
  – They are required to protect the data in
    accordance with the owners’ classification
IT Managers’ Responsibilities
• All IT managers have control
  responsibilities in conjunction with their
  operating responsibilities
  – The responsibility of organizing and managing
    application development, maintenance, or
    enhancement resides with IT programming
  – The supplier of computing services is
    responsible for providing the computing
    environment within which the application is
Application Controls
• Necessary to ensure that applications
  function properly on a regular basis
  – These controls are most effective when they
    are built into the applications and generate
    documentation validating proper operation
  – Automated and manual control mechanisms
    should be classified as confidential
  – Separation of duties principle applies to an
    application and its associated data handling
Application Processing Controls
• Application control and protection consist
  of two duties:
  – Ensuring that application programs perform
    according to management-established
  – Maintaining program and data integrity
• To support these requirements,
  applications must have auditability
  features and control points built in
System Control Points
• Control points are locations in program or
  process flow where control exposures
  exist and control actions and auditing
  activities can be done
  – Transaction origination is one of the most
    critical points
     • It is a manual activity and can be subject to human
       error or fraud
  – Online operations make the system more
    complex and require even greater controls
System Control Points
Control Actions at Transaction
Input Data Controls
Processing, Storage, and Output
• Operating systems and the applications
  themselves enhance the validation
  processes of program processing
  – Program execution is accompanied by
    subroutines that validate that processing is
    complete and that program execution
    occurred correctly
  – Application program source code and
    executables must be treated as classified
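As an added example (not from the chapter), the batch run below shows the "validate output with input" control in code: control totals are taken from the input at origination and compared with the posted output, so a dropped record is reported as an exception rather than passing silently. The batch contents and the posting step are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample batch of (account number, amount in cents); not real data
INPUT_BATCH = [("1001", 2500), ("1002", -1200), ("1003", 8000), ("1004", 150)]

@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: int  # net of all amounts
    hash_total: int    # sum of account numbers: meaningless as a figure, but
                       # any dropped, duplicated or altered record changes it

def control_totals(records: List[Tuple[str, int]]) -> ControlTotals:
    return ControlTotals(
        record_count=len(records),
        amount_total=sum(amt for _, amt in records),
        hash_total=sum(int(acct) for acct, _ in records),
    )

def post_batch(records: List[Tuple[str, int]], fault: bool = False) -> List[Tuple[str, int]]:
    """Simulated posting step; fault=True drops the last record to stand in
    for an incomplete run that the control totals must catch."""
    posted = list(records)
    if fault:
        posted.pop()
    return posted

def reconcile(expected: ControlTotals, actual: ControlTotals) -> List[str]:
    """Validate output against input; an empty list means the batch balances."""
    problems = []
    for name in ("record_count", "amount_total", "hash_total"):
        e, a = getattr(expected, name), getattr(actual, name)
        if e != a:
            problems.append(f"{name} mismatch: input={e} output={a}")
    return problems

def run_batch(records: List[Tuple[str, int]], fault: bool = False) -> Dict[str, object]:
    expected = control_totals(records)      # taken at transaction origination
    actual = control_totals(post_batch(records, fault))
    problems = reconcile(expected, actual)
    # The run record documents that the check was made and what it found
    return {"input": expected, "output": actual, "problems": problems,
            "status": "complete" if not problems else "EXCEPTION"}
```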
Program Processing Controls
Data Output Handling
Application Program Audits
• An application system is auditable if the
  application owner can establish easily and
  with high confidence that the system
  continually performs specified functions
• Auditable systems contain functions and
  features that let owners determine if
  applications are processing data correctly
• Program testing that ensures auditability is
  – Test data should be archived
Controls in Production Operations
• Well-disciplined production operations
  maintain sound control over performance
  – They ensure sufficient system capacity for
    application operations
  – They allow batch and online systems
    processing to function as designed
  – Accurate scheduling and rigorous online
    management provide controlled environments
    for application processing
Controls in Client/Server
• Organizations that move applications from
  secured centralized systems to distributed
  systems must understand the different
  exposures and vulnerabilities
  – Client/server systems and e-business
    systems have more points of vulnerability, so
    control and asset protection are more difficult
  – Special effort must be taken to design in
    controls and continuously assess
    vulnerabilities in the system over time
Network Controls and Security
• Networks face passive threats and active
  – Passive threats are attempts to monitor
    network data transmission in order to read
    messages or obtain information about
    network traffic
  – Active threats are attempts to alter, destroy, or
    divert message data, or to pose as network
• Network managers must control system
  and data access and must secure data in
  – The first step in controlling system access is
    physical security
  – Rooms containing controllers, routers, or
    servers must be tightly secured
• Managers must establish user
  identification and verification processes
  – This usually means that users sign on to the
    system with a name followed by a password
  – Some firms require “two-factor identification”
     • The two factors are usually something you have
       and something you know – fingerprint, token or
       smartcard + PIN
  – The two-factor system only erects higher
    barriers to entry
Data Encryption
• It is often necessary to protect critical data
  in transit
  – Before transmission, encryption programs use
    an algorithm and a key to change the
    message character stream into a different
    character stream
  – When received, the algorithm and key decode
    or decipher the message
  – Encryption changes the risk of data loss to
    risk of key loss
Firewalls and Other Security
• A firewall is a specialized computer
  inserted between internal and external
  networks and through which all incoming
  and outgoing traffic must pass
  – Intended to screen incoming and outgoing
    messages and prohibit any traffic deemed
  – Firewalls are only the first line of defense
    against external intrusion
Network Security Measures
Additional Control and Protection
1. Only people who work in the data center
   should be allowed routine access to the
2. Data center workers must wear special
   badges that identify them on sight
3. Physical access should be controlled by
   electronic code locks rather than
   mechanical key locks; this simplifies key
   management and hastens key changes
4. The identity and authorization of all
   visitors to the center must be validated,
   and they must sign in and out
5. Duties within the center should be
   separated so that operators who initiate
   or control programs cannot access data
Managing Sensitive Programs
• IT managers must, with help from other
  department managers, identify and maintain
  an inventory of these applications.
  – The owner must prescribe protection and
    security conditions covering storage, operation,
    and maintenance
  – Program source code, load modules, and test
    data must be classified as sensitive information
    and protected accordingly
  – Datasets must be protected as well
Controls for E-Business
• Due to the integrated nature of e-business,
  security is a shared concern
  – All the partners must have documented
    security policies, secure application
    development practices, and satisfactory
    access control and user authorization
  – Partners must establish encryption standards,
    develop responses to security breaches, and
    schedule compliance audits
Keys to Effective Control
• Managers must understand their control
  responsibilities and know:
  – The assets for which they are responsible
  – The value of those assets and protect the
    assets accordingly
• Managers must be involved in the control
  – Involvement must be timely and responsive
  – Must follow through to ensure effectiveness
• No organization is safe from computer
• Business controls, asset protection, and
  security are fundamental to business
• Managers must know what their assets
  are and each asset’s estimated value
• Assets must be classified and protected in
  accordance with their relative worth
