Computer Based Information Systems
Computer Based Information Systems Control
Computer Controls and Security
The Four Principles of a Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.
Controls Related to More Than One Reliability Principle
◼ Strategic Planning & Budgeting
◼ Developing a Systems Reliability Plan
◼ Documentation
Developing a Security Plan
Developing and continuously updating a comprehensive security plan is one of the most important controls a company can implement.
▪ What questions need to be asked?
▪ Who needs access to what information?
▪ When do they need it?
▪ On which systems does the information reside?
Segregation of Duties Within the Systems Function
◼ In a highly integrated AIS (accounting information system), procedures that used to be performed by separate individuals are combined.
◼ Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
◼ To combat this threat, organizations must implement compensating control procedures.
◼ Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
◼ It is important that different people perform these functions.
◼ Allowing one person to perform two or more incompatible functions gives that person the ability to both commit and conceal fraud.
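The list above is only enforceable if someone actually checks user assignments against it. The following is an added example, not code from the original page: the ten functions are modelled as named duties, a small table of incompatible pairs is constructed for illustration (a real organisation derives its own from its control matrix), and every user who holds both halves of a pair is reported. The user assignments are likewise constructed.

```python
"""Segregation-of-duties check over user/function assignments (added example)."""
from itertools import combinations

FUNCTIONS = {
    "systems_administration", "network_management", "security_management",
    "change_management", "users", "systems_analysis", "programming",
    "computer_operations", "is_library", "data_control",
}

# Constructed conflict pairs: holding both lets one person both perpetrate and
# conceal (e.g. write a program change and move it into production).
CONFLICTS = {
    frozenset({"programming", "computer_operations"}),
    frozenset({"programming", "change_management"}),
    frozenset({"programming", "is_library"}),
    frozenset({"systems_analysis", "programming"}),
    frozenset({"security_management", "systems_administration"}),
    frozenset({"users", "programming"}),
    frozenset({"data_control", "computer_operations"}),
}


def validate_assignments(assignments):
    """Reject unknown function names so a typo cannot silently bypass the check."""
    for user, funcs in assignments.items():
        unknown = set(funcs) - FUNCTIONS
        if unknown:
            raise ValueError(f"{user}: unknown function(s) {sorted(unknown)}")


def find_sod_conflicts(assignments):
    """Return {user: [(f1, f2), ...]} for every conflicting pair a user holds."""
    validate_assignments(assignments)
    report = {}
    for user, funcs in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(set(funcs)), 2)
                if frozenset({a, b}) in CONFLICTS]
        if hits:
            report[user] = hits
    return report


SAMPLE_ASSIGNMENTS = {  # constructed
    "alice": ["systems_analysis"],
    "bob": ["programming", "computer_operations"],
    "carol": ["security_management", "systems_administration", "programming"],
    "dave": ["data_control"],
}

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
```

Run it against an export of role assignments from the identity system; in practice the check belongs in the provisioning workflow so a conflicting grant is refused or routed for a compensating control before it takes effect.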
Physical Access Controls
How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs.
– Install locks on PCs.
– Restrict access to off-line programs, data and equipment
– Locate hardware and other critical system components away from hazardous materials.
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment.
Logical Access Controls
◼ Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
◼ What are some logical access controls?
– passwords
– physical possession identification (ID cards, tokens, smart cards)
– biometric identification
– compatibility tests (the system checks that the requested action on a resource is within the user's authorization profile)
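A compatibility test is a lookup in an access control matrix before the action runs. The following is an added example, not code from the original page: the profiles, resource names and terminal ids are constructed, and every decision, allowed or not, is appended to an audit log so that denied attempts are visible to security management.

```python
"""Compatibility test: access control matrix lookup plus audit log (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessProfile:
    user_id: str
    permissions: dict      # the user's matrix row: resource -> set of permitted actions
    terminals: frozenset   # terminals (or hosts) the user may work from


def compatibility_test(profile, terminal, resource, action):
    """Return (allowed, reason); the reason is written to the audit log."""
    if terminal not in profile.terminals:
        return False, f"terminal {terminal} not authorized for {profile.user_id}"
    actions = profile.permissions.get(resource)
    if actions is None:
        return False, f"{profile.user_id} has no access to {resource}"
    if action not in actions:
        return False, f"{action} not permitted on {resource} for {profile.user_id}"
    return True, "ok"


PROFILES = {  # constructed
    "ar_clerk": AccessProfile(
        "ar_clerk",
        {"customer_master": {"read"}, "sales_orders": {"read", "create", "update"}},
        frozenset({"T01", "T02"})),
    "credit_mgr": AccessProfile(
        "credit_mgr",
        {"customer_master": {"read", "update"}, "sales_orders": {"read"}},
        frozenset({"T05"})),
}


def authorize(user_id, terminal, resource, action, audit_log):
    """Apply the test and record every attempt; unknown users are denied, not errors."""
    profile = PROFILES.get(user_id)
    if profile is None:
        allowed, reason = False, f"unknown user {user_id}"
    else:
        allowed, reason = compatibility_test(profile, terminal, resource, action)
    audit_log.append((user_id, terminal, resource, action, allowed, reason))
    return allowed


if __name__ == "__main__":
    log = []
    authorize("ar_clerk", "T01", "sales_orders", "create", log)   # allowed
    authorize("ar_clerk", "T01", "customer_master", "update", log)  # denied: action
    authorize("ar_clerk", "T05", "sales_orders", "read", log)     # denied: terminal
    for entry in log:
        print(entry)
```

The denial reasons are deliberately distinct (terminal, resource, action) because they feed different follow-ups: a wrong terminal suggests a stolen credential or a moved workstation, while a wrong action on a known resource is usually an authorization-profile error.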
Protection of PCs and Client/Server Networks
◼ Many of the policies and procedures for mainframe control are applicable to PCs and networks.
◼ The following controls are also important:
▪ Train users in PC-related control concepts.
▪ Restrict access by using locks and keys on PCs.
▪ Establish policies and procedures.
Internet and e-Commerce Controls
◼ Why caution should be exercised when conducting business on the Internet:
– the large and global base of people that depend on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
– interception of messages by others
– security flaws in Web sites
– the attraction of the Internet to hackers
◼ What controls can be used to secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
◼ Another control is a firewall: hardware and software that control communications between a company's internal network (the trusted network) and an external network.
▪ The firewall is a barrier between the networks: only traffic that matches the organization's access rules may pass into or out of the trusted network, and everything else is blocked.
◼ Electronic envelopes (encrypting an e-mail message so that only the intended recipient can read it) protect e-mail messages in transit.
Integrity
◼ A company designs general controls to ensure that its overall computer system is stable and well managed.
◼ Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.
Integrity: Source Data Controls
Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and entered into the system or sent to their intended destination in a timely manner.
Source data controls include:
❑ Forms design
❑ Prenumbered forms sequence test
❑ Turnaround documents
❑ Cancellation and storage of documents
❑ Authorization and segregation of duties
❑ Visual scanning
❑ Check digit verification
❑ Key verification
Integrity: Input Validation Routines
Input validation routines are programs that check the integrity of input data. They include:
❑Limit check
❑Range check
❑Reasonableness test
❑Redundant data check
❑Sequence check
❑Field check
❑Sign check
❑Validity check
❑Capacity check
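The routines above, plus the check digit verification and sequence test from the source data controls, are small enough to show together in working code. The following is an added example, not code from the original page: a sales-order batch is validated against a constructed customer master file, with constructed limits (quantity limit, price range, field capacity) and a mod-10 (Luhn) check digit on the account number, which is one common check-digit scheme and an assumption here rather than anything the page specifies.

```python
"""Input validation routines over a constructed transaction batch (added example)."""
import re

CUSTOMERS = {  # constructed customer master file: id -> (name, credit limit)
    "C1001": ("Acme Ltd", 5000.00),
    "C1002": ("Baker Co", 1500.00),
}
QUANTITY_LIMIT = 1000                         # limit check: fixed upper bound
PRICE_RANGE = (0.01, 10000.00)                # range check: lower and upper bound
DESCRIPTION_CAPACITY = 30                     # capacity check: field width
CUSTOMER_ID_FORMAT = re.compile(r"^C\d{4}$")  # field check: expected characters


def luhn_check_digit_ok(number):
    """Check digit verification (mod-10 / Luhn); rightmost digit is the check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_transaction(rec, last_seq):
    """Run every routine on one record; return the list of failures (empty = clean)."""
    errs = []
    if rec["seq"] <= last_seq:
        errs.append("sequence: transaction number not greater than previous")
    if not CUSTOMER_ID_FORMAT.match(rec["customer_id"]):
        errs.append("field: customer_id has wrong format")
    if not isinstance(rec["quantity"], int):
        errs.append("field: quantity is not an integer")
    elif rec["quantity"] < 0:
        errs.append("sign: quantity is negative")
    elif rec["quantity"] > QUANTITY_LIMIT:
        errs.append(f"limit: quantity exceeds {QUANTITY_LIMIT}")
    lo, hi = PRICE_RANGE
    if not lo <= rec["unit_price"] <= hi:
        errs.append(f"range: unit_price outside {lo}..{hi}")
    if len(rec["description"]) > DESCRIPTION_CAPACITY:
        errs.append("capacity: description longer than field")
    if not luhn_check_digit_ok(rec["account"]):
        errs.append("check digit: account number fails mod-10")
    master = CUSTOMERS.get(rec["customer_id"])
    if master is None:
        errs.append("validity: customer_id not in master file")
    else:
        name, credit_limit = master
        if rec["customer_name"] != name:
            errs.append("redundant data: customer_name does not match master file")
        if isinstance(rec["quantity"], int) and rec["quantity"] * rec["unit_price"] > credit_limit:
            errs.append("reasonableness: order value exceeds credit limit")
    return errs


def validate_batch(records):
    """Apply the routines to a batch; the sequence check needs the previous number."""
    results, last_seq = [], 0
    for rec in records:
        results.append(validate_transaction(rec, last_seq))
        last_seq = max(last_seq, rec["seq"])
    return results


SAMPLE_BATCH = [  # constructed: one clean record, two with several defects each
    {"seq": 101, "customer_id": "C1001", "customer_name": "Acme Ltd", "quantity": 10,
     "unit_price": 25.00, "description": "Widgets", "account": "79927398713"},
    {"seq": 101, "customer_id": "C1002", "customer_name": "Baker Corp", "quantity": 1200,
     "unit_price": 0.0, "description": "x" * 40, "account": "79927398710"},
    {"seq": 103, "customer_id": "C9999", "customer_name": "Nobody", "quantity": -5,
     "unit_price": 5.00, "description": "Gadgets", "account": "79927398713"},
]

if __name__ == "__main__":
    for rec, errs in zip(SAMPLE_BATCH, validate_batch(SAMPLE_BATCH)):
        print(rec["seq"], errs or "OK")
```

The routines are deliberately run to completion rather than stopping at the first failure, so the rejected record carries every defect back to the data entry clerk in one pass; a check digit catches transposed or mistyped digits at entry time, but only the validity check against the master file proves the account actually exists.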
Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
They include:
◼ Field, limit, range, reasonableness, sign, validity, redundant data checks
◼ User ID numbers
◼ Compatibility tests
◼ Automatic entry of transaction data, where possible
◼ Prompting
◼ Pre-formatting
◼ Completeness check
◼ Closed-loop verification
◼ Transaction log
◼ Error messages
◼ Retain data for legal purposes
Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing and stored data:
❑ Policies and procedures
❑ Data control function
❑ Reconciliation procedure
❑ External data reconciliation
❑ Exception reporting
❑ Data currency checks
❑ Default values
❑ Data matching
❑ File labels
❑ Write protection mechanisms
❑ Database protection mechanisms
❑ Data conversion controls
❑ Data security
Integrity: Output Controls
◼ The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
◼ Data control is also responsible for distributing computer output to the appropriate user departments.
◼ Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
◼ A shredder can be used to destroy highly confidential data.
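Reconciling input and output control totals is the central output control, and it is worth seeing exactly what it does and does not catch. The following is an added example, not code from the original page: data control computes a record count, a financial total and a hash total (the sum of a non-financial field, here the account number, which has no meaning except for comparison) over the input batch and over the records the processing program produced, and reports each mismatch as an exception. All batches are constructed.

```python
"""Batch control totals reconciled between input and output (added example)."""
from decimal import Decimal


def control_totals(records):
    """Record count, financial total and hash total for one batch."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(input_batch, output_batch):
    """Compare the three totals; return one exception line per mismatch."""
    expected = control_totals(input_batch)
    actual = control_totals(output_batch)
    return [f"{name}: input {expected[name]} != output {actual[name]}"
            for name in expected if expected[name] != actual[name]]


INPUT_BATCH = [  # constructed: totals taken from the source documents by data control
    {"account": "1001", "amount": "100.00"},
    {"account": "1002", "amount": "250.50"},
    {"account": "1003", "amount": "75.25"},
]
# Processing lost the last record: every total disagrees.
OUTPUT_DROPPED = INPUT_BATCH[:2]
# An account number was transposed (1001 -> 1010): only the hash total catches it.
OUTPUT_TRANSPOSED = [dict(INPUT_BATCH[0], account="1010")] + INPUT_BATCH[1:]
# Two amounts were swapped between accounts: all three totals still agree, so
# control totals alone do not detect it; that is what data matching and
# line-level reconciliation are for.
OUTPUT_SWAPPED = [dict(INPUT_BATCH[0], amount="250.50"),
                  dict(INPUT_BATCH[1], amount="100.00"),
                  INPUT_BATCH[2]]

if __name__ == "__main__":
    for label, out in [("dropped", OUTPUT_DROPPED), ("transposed", OUTPUT_TRANSPOSED),
                       ("swapped", OUTPUT_SWAPPED)]:
        print(label, reconcile(INPUT_BATCH, out) or "totals agree")
```

Amounts are kept as Decimal so the financial total is exact; a float sum would produce spurious exceptions on some batches and, worse, hide real ones by rounding.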
Integrity: Data Transmission Controls
◼ To reduce the risk of data transmission failures, companies should monitor the network.
◼ How can data transmission risks (corrupted, lost, misrouted or intercepted messages) be reduced?
– using data encryption (cryptography) so that an intercepted message cannot be read
– implementing routing verification procedures so that a message is confirmed to have reached its intended destination
– adding parity bits or similar checks so that corrupted bits are detected
– using message acknowledgment techniques so that the sender learns whether the message arrived and can retransmit if it did not
Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
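Parity and acknowledgment are error controls, not security controls, and the difference matters in an EDI or EFT environment where a changed amount must be detected regardless of how many bits changed. The following is an added example, not code from the original page: it simulates a link that flips bits in transit, shows that an even-parity bit per byte detects an odd number of flipped bits in that byte but misses an even number, drives an ACK/NAK retransmission loop, and adds an HMAC (Python's standard hmac module, with a constructed shared key) that detects any change to the payload. The channel stub and the key are assumptions for the demonstration.

```python
"""Parity, acknowledgment and a MAC on a simulated link (added example)."""
import hashlib
import hmac

KEY = b"constructed-shared-key"  # constructed; a real key comes from key management


def parity_bit(byte):
    """Even parity: 1 when the byte has an odd number of one bits."""
    return bin(byte).count("1") & 1


def frame(payload):
    """Attach a parity bit to each byte -> list of (byte, parity)."""
    return [(b, parity_bit(b)) for b in payload]


def check_parity(frames):
    """Return indexes of bytes whose parity no longer matches."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def flip_bits(frames, index, mask):
    """Corrupt one byte in transit without touching its parity bit."""
    out = list(frames)
    b, p = out[index]
    out[index] = (b ^ mask, p)
    return out


def mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def receive(frames, tag, key):
    """Receiver: NAK (False) on parity or MAC failure, ACK (True) otherwise."""
    if check_parity(frames):
        return False
    payload = bytes(b for b, _ in frames)
    return hmac.compare_digest(mac(key, payload), tag)


def transmit_with_ack(payload, key, channel, max_attempts=3):
    """Sender: resend until an ACK arrives; return the attempt that succeeded, else None."""
    for attempt in range(1, max_attempts + 1):
        if channel(frame(payload), mac(key, payload), attempt):
            return attempt
    return None


def make_channel(corrupt_on, mask=0b11):
    """Link stub: flips `mask` bits of byte 0 on the listed attempt numbers, then delivers."""
    def channel(frames, tag, attempt):
        if attempt in corrupt_on:
            frames = flip_bits(frames, 0, mask)
        return receive(frames, tag, KEY)
    return channel


if __name__ == "__main__":
    msg = b"PAY 100.00 TO 1002"
    print("single-bit flip caught by parity:", check_parity(flip_bits(frame(msg), 0, 0b1)))
    print("double-bit flip missed by parity:", check_parity(flip_bits(frame(msg), 0, 0b11)))
    print("delivered on attempt:", transmit_with_ack(msg, KEY, make_channel({1})))
```

With the default two-bit mask the first attempt passes the parity check and is rejected only by the MAC, which is the point: parity protects against line noise, the MAC protects against a changed payload, and the acknowledgment is what turns either detection into a retransmission instead of a silently lost payment.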
Data Transmission Controls
◼ In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.