Computer Based Information Systems Control
Computer Controls and Security
The Four Principles of a Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical
access.
3. Maintainability of the system as required without affecting
its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete,
accurate, timely, and authorized.
Controls Related to More Than One Reliability Principle
◼ Strategic Planning & Budgeting
◼ Developing a Systems
Reliability Plan
◼ Documentation
Developing a Security Plan
Developing and continuously updating a comprehensive
security plan is one of the
most important controls a company can identify.
▪ What questions need to be asked?
▪ Who needs access to what information?
▪ When do they need it?
▪ On which systems does the information reside?
Segregation of Duties Within the Systems Function
◼ In a highly integrated AIS,
procedures that used to be performed by separate individuals are combined.
◼ Any person who has unrestricted
access to the computer, its programs, and live data could have the opportunity
to both perpetrate and conceal fraud.
◼ To combat this threat,
organizations must implement compensating control procedures.
◼ Authority and responsibility
must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
◼ It is important that different
people perform these functions.
◼ Allowing a person to perform
two or more of them exposes the company to the possibility of fraud.
Physical Access Controls
How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict
access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and
terminals or PCs.
– Install locks on PCs.
– Restrict access of off-line programs, data and equipment
– Locate hardware and other critical system components away from
hazardous materials.
– Install fire and smoke detectors and fire extinguishers
that don not damage computer equipment.
Logical Access Controls
◼ Users should be allowed access
only to the data they are authorized to use and then only to perform specific authorized
functions.
◼ What are some logical access
controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests
Protection of PCs and Client/Server Networks
◼ Many of the policies and
procedures for mainframe control are applicable to PCs and networks.
◼ The following controls are also
important:
▪ Train users in PC-related control concepts.
▪ Restrict access by using locks and keys on PCs.
▪ Establish policies and procedures.
Internet and e-Commerce Controls
◼ Why caution should be exercised
when conducting business on the Internet.
– the large and global base of people that depend on the
Internet
– the variability in quality, compatibility, completeness,
and stability of network products and services.
– access of messages by others
– security flaws in Web sites
– attraction of hackers to the Internet
◼ What controls can be used to
secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
◼ Another control is installing a
firewall, hardware and software that control
communications between a company’s internal network (trusted
network) and an external network.
▪ The firewall is a barrier between the networks that does
not allow information to flow into and out of the trusted network.
◼ Electronic envelopes can
protect e-mail messages
Integrity
◼ A company designs general
controls to ensure that its overall computer system
is stable and well managed.
◼ Application controls prevent,
detect and correct errors in transactions as they flow through the various
stages of a specific data processing program.
Integrity: Source Data Controls
Companies must establish control procedures to ensure that
all source documents are authorized, accurate , complete and properly accounted
for, and entered into the system or sent ot their intended destination in a
timely manner.
Source data controls include:
❑ Forms design
❑ Prenumbered forms sequence
test
❑ Turnaround documents
❑ Cancellation and storage of
documents
❑ Authorization and segregation
of duties
❑ Visual scanning
❑ Check digit verification
❑ Key verification
Integrity: Input Validation Routines
Input validation routines are programs the check the integrity
of input data. They include:
❑Limit check
❑Range check
❑Reasonableness test
❑Redundant data check
❑Sequence check
❑Field check
❑Sign check
❑Validity check
❑Capacity check
Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the
integrity of transaction data entered from on-line terminals and PCs by
minimizing errors and omissions.
They include:
◼ Field, limit, range,
reasonableness, sign, validity, redundant data checks
◼ User ID numbers
◼ Compatibility tests
◼ Automatic entry of transaction
data, where possible
◼ Prompting
◼ Pre-formatting
◼ Completeness check
◼ Closed-lop verification
◼ Transaction log
◼ Error messages
◼ Retain data for legal purposes
Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing
and stored data:
❑ Policies and procedures
❑ Data control function
❑ Reconciliation procedure
❑ External data reconciliation
❑ Exception reporting
❑ Data currency checks
❑ Default values
❑ Data matching
❑ File labels
❑ Write protection mechanisms
❑ Database protection mechanisms
❑ Data conversion controls
❑ Data security
Integrity: Output Controls
◼ The data control functions
should review all output for reasonableness and proper format and should
reconcile corresponding output and input control
totals.
◼ Data control is also
responsible for distributing computer output to the appropriate user
departments.
◼ Users are responsible for
carefully reviewing the completeness and accuracy of all computer output that
they receive.
◼ A shredder can be used to
destroy highly confidential data.
Integrity: Data Transmission Controls
◼ To reduce the risk of data
transmission failures, companies should monitor the
network.
◼ How can data transmission
errors be minimized?
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques
Data Transmission Controls take on added importance in
organizations that utilize electronic
data interchange (EDI) or electronic funds transfer (EFT).
Data Transmission Controls
◼ In these types of environments,
sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized
network terminals.
3. Strict logical access control procedures are essential, with
passwords and dial-in phone numbers changed on a regular basis.
Conclusion: Computer Based Information Systems Control Computer Controls and Security.