chapter 15 · ppt file · web view2003-09-06 · title: chapter 15 subject: hall ais 4th edition...
TRANSCRIPT
Chapter 15
Controlling Computer-Based
Information Systems, Part I
Objectives for Chapter 15• Features of a CBIS environment and the control
objectives in SAS 78• Threats to the operating system and controls used
to minimize exposures• Techniques used to control access to the database• Incompatible functions in a CBIS environment• Controls necessary to regulate systems
development and maintenance activities• Controls of an organization’s computer facilities and
the disaster recovery options
Controls, CBIS & SAS 78
• Transaction authorization – may be embedded into the programs
• Segregation of duties – Duties that must be separated in a manual
system may be combined in a computerized setting.
– The computer-based functions of programming, processing, and maintenance must be separated.
Segregation of Duties Control Objectives
• Transaction authorization is separate from transaction processing.
• Asset custody is separate from record-keeping responsibilities.
• The sub-tasks needed to process the transactions are separated so that no individual or group is responsible for transaction authorization, transaction recording, and asset custody.
Segregation of Duties
Authorization
Authorization
Authorization
Processing
Custody Recording
Task 1 Task 2 Task 3 Task 4
Custody Recording
Control Objective 1
Control Objective 3
Control Objective 2
TRANSACTION
Controls, CBIS & SAS 78
• Supervision - more supervision is typically necessary in a CBIS because:– highly skilled employees generally have a
higher turnover rate– highly skilled employees are often in positions
of authority– physical observation of employees working
with the system is often difficult or impractical
Controls, CBIS & SAS 78
• Accounting records – Source documents and ledgers may be stored
magnetically with no “paper trail.” – Expertise is required to understand the links.
• Access control – Tight control is necessary over access to
programs and files.– Fraud is easier to commit since records are
located in one data repository.
Controls, CBIS & SAS 78 • Independent verification
– need to review the internal logic of programs and comparison of accounting records and physical assets
– management must assess: the performance of individuals the integrity of the transaction processing system the correctness of data contained in accounting
records
General Control Framework for CBIS Exposures
10 control components need to be addressed:– operating system– data management– organizational structure – systems development – systems maintenance– computer center security– internet and Intranet– EDI– personal computer– applications
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
Operating System Controls• The operating systems performs three
main tasks:– translates high-level languages into the
machine-level language– allocates computer resources to user
applications– manages the tasks of job scheduling and
multiprogramming.
For An Operating System To Perform These Tasks Consistently And Reliably, It Must…
• protect itself from tampering from users• be able to prevent users from tampering
with the programs of other users• be able to safeguard users’ applications
from accidental corruption• be able to safeguard its own programs
from accidental corruption• be able to protect itself from power failures
or other disasters
Operating System Security
• Log-On Procedure – first line of defense--user IDs and passwords
• Access Token– contains key information about the user
• Access Control List– defines access privileges of users
• Discretionary Access Control – allows user to grant access to another user
Operating System Control Techniques
• Access privilege controls – determine who can access what data in the system
• Password controls– reusable passwords– one-time passwords
• Malicious and destructive programs controls – protection against virus, worms, logic bombs, etc.
• System audit trail controls– keystroke monitoring– event monitoring
Operating System Control Dangers
• Browsing – looking through memory for sensitive information (e.g.,
in the printer queue)• Masquerading
– pretend to be an authorized user by getting id and passwords
• Virus & Worms – foreign programs that spread
through the system– virus must attach to another program,
worms are self-contained
Operating System Control Dangers
• Trojan Horse– foreign program that conceals itself with
another legitimately imported program• Logic Bomb
– foreign programs triggered by a specific event
• Back Door – alternative entry into system
can prevent the initial infection by write protecting the filecan detect the infection of known virusescan sometimes remove the infectionmust stay current
Anti-Virus Software
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
Data Management Controls
Two crucial control issues:
Access controls Backup controls
Access Controls• User views - based on sub-schemas• Database authorization table - allows greater
authority to be specified• User-defined procedures - user to create a
personal security program or routine • Data encryption - encoding algorithms• Biometric devices - fingerprints, retina prints, or
signature characteristics• Inference controls - necessary in systems which
allow queries
Subschema Restricting Access
Computer Resource Authority Table
Resource
User Employee Line Cash Receipts
AR File File Printer Program
Read dataChangeAddDelete
No Access Use No Access
Read only Read code No Access Use Modify
Delete
No Access Read only Use No Access
User 1
User 3
User 2
Ticket
List
Data Management Controls• Backup options:
– grandparent-parent-child backup - the number of generations to backup is a policy issue
– direct access file backup - back-up master-file at pre-determined intervals
– off-site storage - guard against disasters and/or physical destruction
Backup Controls
• Database environment– database backup - automatic periodic backup – transaction log (journal) - a list of transactions
which provides an audit trail of all processed transactions
– checkpoint features - suspends all data processing while the system performs reconciliation
– recovery module - restarts the system after a failure
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
Organizational Structure Controls
The two main CBIS environments have different exposures and IC requirements:
Centralized DP Distributed DP
President
VPMarketing
VP ComputerServices
VPOperations
VPFinance
SystemsDevelopment
DatabaseAdministration
DataProcessing
New SystemsDevelopment
SystemsMaintenance
DataControl
DataPreparation
ComputerOperations
DataLibrary
President
VPMarketing
VPFinance
VPOperations
IPU IPU IPU IPU IPU IPU
VPAdministration
Treasurer Controller ManagerPlant X
ManagerPlant Y
CENTRALIZED COMPUTER SERVICES FUNCTION
DISTRIBUTED ORGANIZATIONALSTRUCTURE
Centralized DP Organizational Controls
• In centralized IS, need to separate:– systems development from computer
operations– database administrator and other computer
service functions• especially database administrator (authorizing) and
systems development (processing)• DBA authorizes access
– maintenance and new systems development– data library and operations
Distributed DP Organizational Controls
• Distributed Data Processing: despite many advantages of this approach, control implications are present– incompatible software among the various
work centers – data redundancy may result– consolidation of incompatible tasks– difficulty hiring qualified professionals– lack of standards
Organizational Structure Controls
• A corporate computer services function/information center may help to alleviate the potential problems associated with DDP by providing:– central testing of commercial hardware and
software– a user services staff– a standard-setting body – reviewing technical credentials of prospective
systems professionals
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
Systems Development Life Cycle
1. Systems Strategy - Assessment - Develop Strategic Plan
2. Project Initiation - Feasibility Study - Analysis - Conceptual Design - Cost/Benefit Analysis
3. In-house Development - Construct - Deliver
4. Commercial Packages - Configure - Test - Roll-out
5. Maintenance & Support - User help desk - Configuration Management - Risk Management & Security
SSystemystem Interfaces, Architecture Interfaces, Architecture and Uand User ser RRequirementsequirements
BBusiness usiness RRequirementsequirements
High Priority Proposals undergo High Priority Proposals undergo Additional Study and DevelopmentAdditional Study and Development
FeedbackFeedback::User requests for New SystemsUser requests for New Systems
Selected System Proposals Selected System Proposals go forward for Detailed go forward for Detailed
DesignDesign
New and Revised New and Revised Systems Enter into Systems Enter into
ProductionProduction
Business Needs and Strategy
Legacy Situation
FeedbackFeedback::User requests for System User requests for System Improvements and SupportImprovements and Support
Systems Development Controls
• New systems must be authorized.• User needs and requests should be formally
documented.• Technical design activities should be documented.• Internal auditors should participate in the
development process.• All program modules must be thoroughly tested
before they are implemented.• Individual modules must be tested by a team of
users, internal audit staff, and systems professionals.
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
System Maintenance Controls• Last, longest and most costly phase
of SDLC– 80-90% of entire cost of a system
• All maintenance actions should require– technical specifications– testing– documentation updates– formal authorizations for any changes
made
SPL
• Source program library (SPL) – library of applications and software– place where programs are developed and
modified– once compiled into machine language, no longer
vulnerable
Uncontrolled Access to the Source Program Library
A Controlled SPL Environment
• An SPL Management System (SPLMS) can be used to protect the SPL environment by controlling the following functions:– storing programs on the SPL– retrieving programs for maintenance
purposes– deleting obsolete programs from the library– documenting program changes to provide an
audit trail of the changes
Source Program Library under the Control of SPL Management Software
SPL Control Features• Password control• Separation of test libraries• Reports that enhance management control and
the audit function• Assigns program version numbers automatically• Controlled access to maintenance commands• Documentation and authorization of changes
Operating System
Data Management
Systems Development
Systems Maintenance
Organizational Structure
Internet
& Intranet
EDI Trading Partners
Personal Computers
Computer Center Security
Applications
Internet
& Intranet
General Control Framework for CBIS Exposures
Computer Center Controls
Considerations:• location away from human-made and natural
hazards• utility and communications lines underground • windows closed and air filtration systems in place• access limited to the operators and other necessary
workers; others required to sign in and out• fire suppressions systems should be installed• backup power supplies
Disaster Recovery Planning
• Disaster recovery plan (DRP)– all actions to be taken before, during, and after
a disaster– Disaster Recovery Team (DRT) identified– critical applications must be identified
• restore these applications first
• Backups & off-site storage procedures– databases and applications– documentation– supplies
Second-Site Disaster Backups• The Empty Shell - involves two or more user
organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
• The Recovery Operations Center - a completely equipped site; very costly and typically shared among many companies
• Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity