
Chapter Eight

CBIS (computer-based information systems) and Checklists

General Controls

• 12 controls

• Planning, controls, standards, security

• Continuous updating

– e.g., C&L: 66% of firms have inadequate monitoring

• Plans made, but not implemented

Security Plans

• Who

• What

• When

• Which

Project Development Controls

• Long-range (3-5 year) master plan

– and what happens next year?

• Project Development Plan - use milestones

• DP schedule: treat computing resources as “scarce”

• Define responsibility / method of evaluation

• Post-implementation review / measure

IA DHS Revisited

• $12 million project development

• Failed (at point of success?)

• Funding ended

• Project development failure?

• Or, communication failure?

Mission Impossible

• Limit physical access

• Limit access to computer logic

• Problem: insiders

– where are my tennis shoes?

• Security breaches

– the Net?

Logic Controls

• Passwords

– random assignment

• ID cards

– use your PIN for CC purchases?

– Active badges (as opposed to inactive?)

• Biometric Identification

– permit or limit access

– cocaine residue on a four-year-old

– “sniffer” at the airport

More Logic Access Control

• Compatibility Tests

– multiple layers of passwords for access to records

– screen passwords, e.g., payroll

– print passwords, e.g., contracts

– e-mail attachment controls?
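As an added example of the layered logic access controls above (this is illustrative code, not from the slides or the course text): a first layer authenticates the user, and only then does a compatibility test consult the access-control matrix for the specific action requested, so a user cleared to see payroll on screen is still refused a print of contracts. The users, passwords, resources and matrix entries are constructed for the example, and plain SHA-256 stands in for a real password hash to stay within the Go standard library.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Action is one thing a user may try to do with a record. Each action gets
// its own permission, so "screen" access to payroll does not imply "print".
type Action string

const (
	View  Action = "view"  // display on screen
	Print Action = "print" // send to a printer
)

// Perm is one cell of the access-control matrix.
type Perm struct {
	User, Resource string
	Action         Action
}

// Constructed user table for this example. Plain SHA-256 stands in for a
// proper password hash (bcrypt/argon2) to stay within the standard library.
var passwordHashes = map[string][32]byte{
	"alice": sha256.Sum256([]byte("alice-pw")),
	"bob":   sha256.Sum256([]byte("bob-pw")),
}

// Constructed matrix. Anything absent from it is denied: bob may see payroll
// and contracts on screen but holds no print privilege for either.
var matrix = map[Perm]bool{
	{"alice", "payroll", View}:  true,
	{"alice", "payroll", Print}: true,
	{"bob", "payroll", View}:    true,
	{"bob", "contracts", View}:  true,
}

// Authenticate is the first layer: a constant-time password comparison that
// returns false for unknown users without revealing which check failed.
func Authenticate(user, password string) bool {
	stored, ok := passwordHashes[user]
	if !ok {
		return false
	}
	sum := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(stored[:], sum[:]) == 1
}

// CompatibilityTest is the second layer: does this user's authority cover
// this action on this resource? Deny by default.
func CompatibilityTest(user, resource string, action Action) bool {
	return matrix[Perm{user, resource, action}]
}

// Request runs both layers and returns the decision plus a reason for the
// audit log. The matrix is never consulted for an unauthenticated user.
func Request(user, password, resource string, action Action) (bool, string) {
	if !Authenticate(user, password) {
		return false, "authentication failed"
	}
	if !CompatibilityTest(user, resource, action) {
		return false, fmt.Sprintf("%s is not authorized to %s %s", user, action, resource)
	}
	return true, "ok"
}

func main() {
	for _, r := range []struct {
		user, pw, res string
		act           Action
	}{
		{"alice", "alice-pw", "payroll", Print},
		{"bob", "bob-pw", "payroll", View},
		{"bob", "bob-pw", "contracts", Print}, // view yes, print no
		{"bob", "wrong", "contracts", View},   // bad password: never reaches the matrix
	} {
		ok, why := Request(r.user, r.pw, r.res, r.act)
		fmt.Printf("%-5s %-5s %-9s allowed=%-5t %s\n", r.user, r.act, r.res, ok, why)
	}
}
```

The two layers are kept as separate functions on purpose: an authorization bug cannot turn into an authentication bypass, and the audit reason tells the reviewer which layer refused.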

Paranoia or Security?

• Outside workers with access

– Webco customer list theft

• CIA director: national security data on a home PC

• Mattel stolen laptops

Simple Measures

• Property listing in files

– resume example

• Floppy read/write limits

• File passwords

• Volume names

• External labels

Encryption

• Private key only

– threat?

• Public key only

– threat?

• Public and private keys

– threat?
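To make the three “threat?” prompts concrete, here is an added Go example using only the standard library (illustrative code, not from the slides or the course text). “Private key only” is one shared AES-256-GCM key: every reader must hold the same secret, and anyone who holds it can also forge. “Public key only” wraps a fresh AES key with the recipient’s RSA public key, which fixes key distribution but carries no proof of who sent the message, so anyone holding that public key can forge one. “Public and private keys” adds the sender’s RSA-PSS signature, which the recipient checks against the sender’s public key before decrypting. The names Alice, Bob and Mallory and the message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymEncrypt is "private key only": one shared secret key (AES-256-GCM). Threat:
// every reader holds the same key, and anyone who holds it can also forge.
func SymEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// SymDecrypt reverses SymEncrypt; the GCM tag rejects any tampered ciphertext.
func SymDecrypt(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Envelope: a fresh AES key wrapped with the recipient's RSA public key (OAEP),
// the body under that key, and an optional RSA-PSS signature over the body.
type Envelope struct{ WrappedKey, Body, Signature []byte }

// Seal with signer == nil is "public key only": anyone holding the recipient's
// public key can build a valid envelope, so it proves nothing about the sender.
// With a signer it is "public and private keys": the sender's private key signs.
func Seal(recipient *rsa.PublicKey, signer *rsa.PrivateKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	rand.Read(key)
	body, err := SymEncrypt(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKey: wrapped, Body: body}
	if signer != nil {
		d := sha256.Sum256(body)
		if env.Signature, err = rsa.SignPSS(rand.Reader, signer, crypto.SHA256, d[:], nil); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// Open unwraps and decrypts. When sender is given, a missing or wrong
// signature is rejected before any decryption happens.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if sender != nil {
		d := sha256.Sum256(env.Body)
		if err := rsa.VerifyPSS(sender, crypto.SHA256, d[:], env.Signature, nil); err != nil {
			return nil, fmt.Errorf("forged or tampered: %w", err)
		}
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymDecrypt(key, env.Body)
}

// ForgeryDemo (constructed scenario): Mallory holds only Bob's public key and
// sends Bob a message claiming to come from Alice.
func ForgeryDemo() (acceptedUnsigned, rejectedSigned bool) {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := Seal(&bob.PublicKey, nil, []byte("Alice says: pay Mallory"))
	_, err := Open(bob, nil, forged) // public key only: Bob cannot tell who sent it
	acceptedUnsigned = err == nil
	_, err = Open(bob, &alice.PublicKey, forged) // Bob insists on Alice's signature,
	return acceptedUnsigned, err != nil          // which Mallory cannot produce
}

func main() {
	a, r := ForgeryDemo()
	fmt.Printf("public key only: forgery accepted=%t; signed: forgery rejected=%t\n", a, r)
}
```

Note the order in Open: the signature is verified over the ciphertext before the private key is ever used to unwrap, so an attacker cannot feed chosen ciphertexts to the decryption step without first passing the authenticity check.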

Routing Verification

• Great for phone callers

– Too busy now, can I call you back?

– Verify the caller’s identity and authorization

• Automated - as discussed in your text

Documentation

• Administrative

– overall uses and change authorization

• System

– flowcharts, narrative, libraries

• Operating

– hardware & software program considerations

IC as Prevention

• UPS

• Preventive maintenance

– RAM test

– Microprocessor test

– Hard and removable disk interfaces

“Every Day is Y2K”

• Disaster Recovery Plans

– e.g., your grades

– WTC bombing: 43% of firms failed

• Electronic vaulting

– “my computer” default and mail on a server

– backup nightly

• Backup

– Master vs. Transaction files

When do you press the “save” key?

When should you complete a system backup?
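An added example of why the backup question above has two answers, the master file and the transaction file (illustrative code, not from the slides or the course text): the nightly master snapshot is the “save”, and the transaction file is what lets you rebuild everything posted since that snapshot. Recovery replays only journal entries newer than the backup’s high-water mark, in sequence order, and applies a duplicated entry once. The account names, balances and postings are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Master is the master file: current balance per account.
type Master map[string]int

// Txn is one record of the transaction file (the journal of posted changes).
type Txn struct {
	Seq     int    // monotonically increasing sequence number
	Account string
	Amount  int // signed: deposits positive, withdrawals negative
}

// Snapshot copies the master file; it stands in for the nightly backup
// written to the vault.
func Snapshot(m Master) Master {
	c := make(Master, len(m))
	for k, v := range m {
		c[k] = v
	}
	return c
}

// Post appends the transaction to the journal and then applies it to the
// master file. Journal first: a crash between the two leaves a replayable
// record rather than a silent loss.
func Post(m Master, journal *[]Txn, t Txn) {
	*journal = append(*journal, t)
	m[t.Account] += t.Amount
}

// Recover rebuilds the current master from the last backup by replaying every
// journaled transaction with Seq greater than the backup's high-water mark.
// Entries are replayed in sequence order; a repeated Seq (overlapping log
// copies) is applied once.
func Recover(backup Master, backupSeq int, journal []Txn) Master {
	m := Snapshot(backup)
	sorted := append([]Txn(nil), journal...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Seq < sorted[j].Seq })
	last := backupSeq
	for _, t := range sorted {
		if t.Seq <= last {
			continue // already in the backup, or a duplicate
		}
		m[t.Account] += t.Amount
		last = t.Seq
	}
	return m
}

// Equal reports whether two master files hold the same balances.
func Equal(a, b Master) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if b[k] != v {
			return false
		}
	}
	return true
}

// Scenario (constructed): a day of postings, a backup taken after seq 2, more
// postings, then the live master is lost and rebuilt from backup + journal.
func Scenario() (live, recovered Master, ok bool) {
	live = Master{"A100": 500, "B200": 300}
	var journal []Txn
	Post(live, &journal, Txn{1, "A100", -120})
	Post(live, &journal, Txn{2, "B200", 75})
	backup, backupSeq := Snapshot(live), 2 // nightly backup to the vault
	Post(live, &journal, Txn{3, "A100", 40})
	Post(live, &journal, Txn{4, "C300", 900}) // account opened after the backup
	recovered = Recover(backup, backupSeq, journal)
	return live, recovered, Equal(live, recovered)
}

func main() {
	live, rec, ok := Scenario()
	fmt.Println("live:", live, "recovered:", rec, "match:", ok)
}
```

The backup alone would restore A100 to 380 and know nothing of C300; the journal alone would have nothing to apply the postings to. Both files, plus the recorded high-water mark that ties them together, are what make the restore exact.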

Disaster Recovery Plan

Press release: who, what, when, where, why

• Prioritize the process (what)

• Backup data and program files (when, where)

• Have specific assignments (who)

• Complete recovery documentation (why)

• Alternative (backup) telecommunication sites (where II)

Alternative Sites

• Alliances

• Hot site

– fully configured

– current copies of most recent backups

– access guaranteed, ready to run

• Cold site

– no equipment in place

– contracts in place to provide service on demand

Internet Controls (a different “IC”)

• NWS: six Danish hackers

– NWS goes down, airlines stop flying

– Anyone see a business opportunity here?

• Firewalls, tunneling

• Separate systems

– external (incoming) internet site

– internal intranet

Application Controls

Data entry and reporting controls

• Source Data Controls

• Input Validation Routines

• On-Line Data Entry Controls

• DP and File Maintenance Controls

• Output Controls

Auditor Usage

• Page 263 and 264