Computer Controls and Security
Description: Learning objectives: identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved; identify and explain the controls that apply to more than one principle of reliability. (PowerPoint presentation transcript)
![Page 1: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/1.jpg)
8-1 Anup Kumar Saha
Computer Controls and Security
![Page 2: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/2.jpg)
Learning Objectives
1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help ensure that a system is available to users when needed.
![Page 3: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/3.jpg)
Learning Objectives
4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.
![Page 4: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/4.jpg)
Introduction
During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).
Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.
![Page 5: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/5.jpg)
Introduction
Jason is satisfied that many of the transactions are valid and accurate. However, some transactions involve the purchase of services from Pacific Electric.
These transactions were processed on the basis of vendor invoices approved by management.
Five of these invoices bear the initials “JLC.”
![Page 6: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/6.jpg)
Introduction
JLC is Jack Carlton, the general supervisor. Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.
What questions does Jason have?
Is Carlton telling the truth?
If Carlton is not telling the truth, what is he up to?
![Page 7: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/7.jpg)
Introduction
If Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment?
This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.
![Page 8: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/8.jpg)
Learning Objective 1
Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.
![Page 9: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/9.jpg)
The Four Principles of a Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.
![Page 10: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/10.jpg)
The Criteria Used To Evaluate Reliability Principles
For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.
![Page 11: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/11.jpg)
Learning Objective 2
Identify and explain the controls that apply to more than one principle of reliability.
![Page 12: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/12.jpg)
Controls Related to More Than One Reliability Principle
• Strategic Planning & Budgeting
• Developing a Systems Reliability Plan
• Documentation
![Page 13: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/13.jpg)
Controls Related to More Than One Reliability Principle
Documentation may be classified into three basic categories:
• Administrative documentation: Describes the standards and procedures for data processing.
• Systems documentation: Describes each application system and its key processing functions.
• Operating documentation: Describes what is needed to run a program.
![Page 14: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/14.jpg)
Learning Objective 3
Identify and explain the controls that help ensure that a system is available to users when needed.
![Page 15: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/15.jpg)
Availability
Minimizing Systems Downtime
• Preventive maintenance
• UPS
• Fault tolerance
• Disaster Recovery Plan
  • Minimize the extent of disruption, damage, and loss
  • Temporarily establish an alternative means of processing information
  • Resume normal operations as soon as possible
![Page 16: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/16.jpg)
Availability
Disaster Recovery, continued
• Train and familiarize personnel with emergency operations
• Priorities for the recovery process
• Insurance
• Backup data and program files
  • Electronic vaulting
  • Grandfather-father-son concept
  • Rollback procedures
• Specific assignments
• Backup computer and telecommunication facilities
• Periodic testing and revision
• Complete documentation
![Page 17: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/17.jpg)
Learning Objective 4
Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
![Page 18: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/18.jpg)
Developing a Security Plan
Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.
What questions need to be asked?
• Who needs access to what information?
• When do they need it?
• On which systems does the information reside?
![Page 19: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/19.jpg)
Segregation of Duties Within the Systems Function
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
To combat this threat, organizations must implement compensating control procedures.
![Page 20: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/20.jpg)
Segregation of Duties Within the Systems Function
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
![Page 21: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/21.jpg)
Segregation of Duties Within the Systems Function
It is important that different people perform these functions.
Allowing a person to perform two or more of them exposes the company to the possibility of fraud.
![Page 22: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/22.jpg)
Physical Access Controls
How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs.
– Install locks on PCs.
– Restrict access of off-line programs, data and equipment
– Locate hardware and other critical system components away from hazardous materials.
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment
![Page 23: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/23.jpg)
Logical Access Controls
Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests
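The compatibility test listed above and the segregation-of-duties slides before it describe the same mechanism from two sides: an access control matrix says which of the ten systems functions each person may perform, and a compatibility test consults that matrix before a function is allowed. The following Python is an added example, not code from the slides or the textbook they summarise. The users, their entitlements and the table of incompatible function pairs are constructed for illustration; an organisation would derive its own table from the list of ten functions.

```python
"""Compatibility test against an access control matrix, plus a
segregation-of-duties check over the systems functions listed on the slides.
Added example; all users and the incompatibility table are constructed."""
from itertools import combinations

# Function pairs that one person must not hold together. Constructed for the
# example from the slides' list of functions; a real table would be larger.
INCOMPATIBLE_PAIRS = {
    frozenset({"programming", "computer_operations"}),
    frozenset({"systems_analysis", "programming"}),
    frozenset({"data_control", "users"}),
    frozenset({"security_management", "systems_administration"}),
}

# Access control matrix: user -> set of functions the user is authorized for.
# Constructed sample data; "carol" is deliberately over-privileged.
ACCESS_MATRIX = {
    "alice": {"users"},
    "bob": {"computer_operations"},
    "carol": {"users", "data_control", "programming"},
}


def compatibility_test(matrix, user, function):
    """Compatibility test: may this user perform this function?"""
    return function in matrix.get(user, set())


def sod_violations(matrix, incompatible=INCOMPATIBLE_PAIRS):
    """Return {user: [(f1, f2), ...]} for every user holding an incompatible pair."""
    findings = {}
    for user, functions in matrix.items():
        bad = [pair for pair in combinations(sorted(functions), 2)
               if frozenset(pair) in incompatible]
        if bad:
            findings[user] = bad
    return findings


def grant_would_violate(matrix, user, function, incompatible=INCOMPATIBLE_PAIRS):
    """Change-management check: would adding this function create a conflict?"""
    held = matrix.get(user, set())
    return any(frozenset({function, other}) in incompatible for other in held)


if __name__ == "__main__":
    print(compatibility_test(ACCESS_MATRIX, "alice", "programming"))  # False
    print(sod_violations(ACCESS_MATRIX))
    print(grant_would_violate(ACCESS_MATRIX, "bob", "programming"))  # True
```

The review function is what an auditor in Jason's position would run periodically over the real matrix; the grant check belongs in the change-management path so that an incompatible combination is refused before it is created rather than found afterwards.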
![Page 24: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/24.jpg)
Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
• Train users in PC-related control concepts.
• Restrict access by using locks and keys on PCs.
• Establish policies and procedures.
![Page 25: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/25.jpg)
Protection of PCs and Client/Server Networks
• Portable PCs should not be stored in cars.
• Keep sensitive data in the most secure environment possible.
• Install software that automatically shuts down a terminal after it's been idle for a certain amount of time.
• Back up hard disks regularly.
• Encrypt or password protect files.
• Build protective walls around operating systems.
• Ensure that PCs are booted up within a secure system.
• Use multilevel password controls to limit employee access to incompatible data.
• Use specialists to detect holes in the network.
![Page 26: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/26.jpg)
Internet and e-Commerce Controls
Why caution should be exercised when conducting business on the Internet:
– the large and global base of people that depend on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
![Page 27: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/27.jpg)
Internet and e-Commerce Controls
– access of messages by others
– security flaws in Web sites
– attraction of hackers to the Internet
What controls can be used to secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
![Page 28: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/28.jpg)
Internet and e-Commerce Controls
Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network. The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.
Electronic envelopes can protect e-mail messages.
![Page 29: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/29.jpg)
Learning Objective 5
Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
![Page 30: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/30.jpg)
Maintainability
Two categories of controls help ensure the maintainability of a system:
• Project development and acquisition controls
• Change management controls
![Page 31: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/31.jpg)
Project Development and Acquisition Controls
Project development and acquisition controls include:
• Strategic Master Plan
• Project Controls
• Data Processing Schedule
• System Performance Measurements
• Postimplementation Review
![Page 32: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/32.jpg)
Change Management Controls
Change management controls include:
• Periodically review all systems for needed changes
• Require all requests to be submitted in standardized format
• Log and review requests from authorized users for changes and additions to systems
• Assess the impact of requested changes on system reliability objectives, policies and standards
![Page 33: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/33.jpg)
Change Management Controls, continued
• Categorize and rank all changes using established priorities
• Implement procedures to handle urgent matters
• Communicate all changes to management
• Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities
• Assign specific responsibilities to those involved in the change and monitor their work.
![Page 34: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/34.jpg)
Change Management Controls, continued
• Control system access rights to avoid unauthorized systems and data access
• Make sure all changes go through the appropriate steps
• Test all changes
• Make sure there is a plan for backing out of any changes in the event they don’t work properly
• Implement a quality assurance function
• Update all documentation and procedures when change is implemented
![Page 35: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/35.jpg)
Learning Objective 6
Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.
![Page 36: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/36.jpg)
Integrity
A company designs general controls to ensure that its overall computer system is stable and well managed.
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.
![Page 37: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/37.jpg)
Integrity: Source Data Controls
Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and entered into the system or sent to their intended destination in a timely manner.
Source data controls include:
![Page 38: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/38.jpg)
Integrity: Source Data Controls
• Forms design
• Prenumbered forms sequence test
• Turnaround documents
• Cancellation and storage of documents
• Authorization and segregation of duties
• Visual scanning
• Check digit verification
• Key verification
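Two of the source data controls above are mechanical enough to show in code: the prenumbered forms sequence test, which compares the document numbers in a batch against the range that was issued, and check digit verification, which appends a digit computed from a number so that a keying error is caught at entry. The Python below is an added example, not the slides' or the textbook's code. It uses the Luhn (mod-10) scheme as the check digit algorithm, one common choice among several, and the invoice numbers in the batch are constructed.

```python
"""Two source data controls from the slide: a prenumbered-forms sequence test
and check digit verification. Added example; the Luhn (mod-10) scheme is used
as the check digit algorithm, and the document numbers are constructed."""


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit for a digit string (the number without its check digit)."""
    if not body.isdigit():
        raise ValueError("body must contain digits only")
    total = 0
    # Walk from the rightmost body digit; double every other digit starting there.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def verify_check_digit(number: str) -> bool:
    """Check digit verification: the last digit must match the Luhn digit of the rest.
    Catches any single-digit keying error and most adjacent transpositions."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def sequence_test(numbers, first, last):
    """Prenumbered forms sequence test over a batch of document numbers.
    Returns missing numbers (possibly unrecorded documents), duplicates
    (possible double processing) and numbers outside the issued range."""
    seen = {}
    for n in numbers:
        seen[n] = seen.get(n, 0) + 1
    expected = set(range(first, last + 1))
    return {
        "missing": sorted(expected - set(seen)),
        "duplicates": sorted(n for n, c in seen.items() if c > 1),
        "out_of_range": sorted(n for n in seen if n not in expected),
    }


if __name__ == "__main__":
    print(luhn_check_digit("7992739871"))        # 3
    print(verify_check_digit("79927398713"))     # True
    # Constructed batch: 1003 and 1005 missing, 1002 entered twice, 2000 never issued.
    print(sequence_test([1001, 1002, 1002, 1004, 1006, 2000], 1001, 1006))
```

A number outside the issued range is exactly the kind of finding the chapter's opening case turns on: an invoice that was never issued by the numbering scheme deserves follow-up, not payment. A check digit only detects accidental errors; it is not a control against someone who knows the scheme and constructs a valid number.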
![Page 39: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/39.jpg)
Integrity: Input Validation Routines
Input validation routines are programs that check the integrity of input data. They include:
Limit check
Range check
Reasonableness test
Redundant data check
Sequence check
Field check
Sign check
Validity check
Capacity check
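The list above names the checks but not what each one compares. The Python below is an added example, not code from the slides or the textbook, that runs the limit, range, reasonableness, field, sign, validity, completeness and capacity checks over a single payables record of the kind in the chapter's case. The field names, the approval limit, the price bounds and the vendor master file are constructed for the example; the sequence and redundant data checks are left out because they need more than one record.

```python
"""Input validation routines (edit checks) over a payables transaction record,
one block per check named on the slide. Added example; the field names, limits
and vendor master file are constructed, not taken from the slides."""

# Constructed vendor master file used by the validity check.
VENDOR_MASTER = {"V-100": "Seattle Paper Supply Co.", "V-205": "Puget Sound Freight"}

REQUIRED_FIELDS = ("invoice_no", "vendor_id", "quantity", "unit_price", "amount", "description")
APPROVAL_LIMIT = 50_000.00            # limit check: one invoice may not exceed this
UNIT_PRICE_RANGE = (0.01, 10_000.00)  # range check bounds
INVOICE_NO_CAPACITY = 8               # capacity check: width of the invoice number field


def validate_transaction(rec, vendor_master=VENDOR_MASTER):
    """Run every edit check and return a list of 'check name: detail' strings.
    An empty list means the record passed. Numeric fields are assumed to be numbers."""
    errors = []

    # Completeness check: every required field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        errors.append(f"completeness check: missing {', '.join(missing)}")

    inv = str(rec.get("invoice_no", ""))
    # Field check: the invoice number field must contain digits only.
    if inv and not inv.isdigit():
        errors.append(f"field check: invoice_no {inv!r} is not numeric")
    # Capacity check: the value must fit the field width.
    if len(inv) > INVOICE_NO_CAPACITY:
        errors.append(f"capacity check: invoice_no longer than {INVOICE_NO_CAPACITY} characters")

    # Validity check: the vendor id must exist in the vendor master file.
    vendor = rec.get("vendor_id")
    if vendor is not None and vendor not in vendor_master:
        errors.append(f"validity check: vendor {vendor!r} not in vendor master file")

    qty = rec.get("quantity")
    price = rec.get("unit_price")
    amount = rec.get("amount")

    # Sign check: quantity on a purchase must be positive.
    if qty is not None and qty <= 0:
        errors.append(f"sign check: quantity {qty} is not positive")
    # Range check: unit price within the allowed bounds.
    if price is not None and not (UNIT_PRICE_RANGE[0] <= price <= UNIT_PRICE_RANGE[1]):
        errors.append(f"range check: unit_price {price} outside {UNIT_PRICE_RANGE}")
    # Limit check: amount may not exceed the approval limit.
    if amount is not None and amount > APPROVAL_LIMIT:
        errors.append(f"limit check: amount {amount} exceeds {APPROVAL_LIMIT}")
    # Reasonableness test: amount should agree with quantity x unit price.
    if None not in (qty, price, amount) and abs(amount - qty * price) > 0.005:
        errors.append(f"reasonableness test: amount {amount} != {qty} x {price}")

    return errors


# Constructed records: one clean, one that trips most checks.
GOOD_RECORD = {"invoice_no": "00012345", "vendor_id": "V-100", "quantity": 4,
               "unit_price": 250.00, "amount": 1000.00, "description": "Copier paper, 4 pallets"}
BAD_RECORD = {"invoice_no": "PE-9", "vendor_id": "V-999", "quantity": -1,
              "unit_price": 0.0, "amount": 75000.0}

if __name__ == "__main__":
    print(validate_transaction(GOOD_RECORD))   # []
    for err in validate_transaction(BAD_RECORD):
        print(err)
```

Every check runs even after an earlier one fails, so the operator sees the whole list at once rather than fixing one field and being bounced again. The validity check against the vendor master file is the one most relevant to the Pacific Electric invoices: a vendor that was never set up in the master file cannot pass it.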
![Page 40: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/40.jpg)
Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
They include:
![Page 41: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/41.jpg)
Integrity: On-line Data Entry Controls
• Field, limit, range, reasonableness, sign, validity, redundant data checks
• User ID numbers
• Compatibility tests
• Automatic entry of transaction data, where possible
• Prompting
• Preformatting
• Completeness check
• Closed-loop verification
• Transaction log
• Error messages
• Retain data for legal purposes
![Page 42: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/42.jpg)
Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing and stored data:
• Policies and procedures
• Data control function
• Reconciliation procedure
• External data reconciliation
• Exception reporting
![Page 43: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/43.jpg)
Integrity: Data Processing and Storage Controls, continued
• Data currency checks
• Default values
• Data matching
• File labels
• Write protection mechanisms
• Database protection mechanisms
• Data conversion controls
• Data security
![Page 44: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/44.jpg)
Output Controls
The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
Data control is also responsible for distributing computer output to the appropriate user departments.
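The reconciliation of input and output control totals described above is a batch control: data control computes a record count, a financial total and a hash total over the batch before it is processed, the application program produces the same totals over what it actually processed, and any difference means a record was lost, duplicated or altered on the way through. The Python below is an added example, not the slides' or the textbook's code; the batch of payables and the stand-in for the application program are constructed.

```python
"""Batch control totals for the input/output reconciliation the output-controls
slide describes. Added example; the batch records are constructed and process()
is a stand-in for the application program, not a real one."""


def control_totals(records):
    """Record count, financial total of amounts, and a hash total over vendor numbers.
    The hash total has no business meaning; it exists only to detect lost,
    duplicated or altered records."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["vendor_no"]) for r in records),
    }


def reconcile(input_totals, output_totals):
    """Return the totals that disagree as {name: (input, output)}; empty means reconciled."""
    return {k: (input_totals[k], output_totals[k])
            for k in input_totals if input_totals[k] != output_totals[k]}


# Constructed batch of payables submitted by the data control function.
INPUT_BATCH = [
    {"vendor_no": "1001", "amount": 250.00},
    {"vendor_no": "1002", "amount": 1200.50},
    {"vendor_no": "1003", "amount": 75.25},
]


def process(batch, drop_vendor=None):
    """Stand-in for the application program; drop_vendor simulates a record lost in processing."""
    return [dict(r) for r in batch if r["vendor_no"] != drop_vendor]


if __name__ == "__main__":
    before = control_totals(INPUT_BATCH)
    print(reconcile(before, control_totals(process(INPUT_BATCH))))                      # {}
    print(reconcile(before, control_totals(process(INPUT_BATCH, drop_vendor="1003"))))  # 3 differences
```

The three totals catch different failures: a dropped record changes all three, a transposed amount changes only the financial total, and a record processed against the wrong vendor changes only the hash total. Data control keeps the input totals itself, so the program whose output is being checked cannot adjust them.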
![Page 45: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/45.jpg)
Output Controls
Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
A shredder can be used to destroy highly confidential data.
![Page 46: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/46.jpg)
Data Transmission Controls
To reduce the risk of data transmission failures, companies should monitor the network.
How can data transmission errors be minimized?
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques
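Parity and message acknowledgment, the last two items above, work together: parity lets the receiver notice a damaged frame, and the acknowledgment exchange lets the sender learn of it and retransmit. The Python below is an added example, not code from the slides or the textbook. The framing (even parity carried in bit 7 of each byte, numbered frames, ACK/NAK replies) and the lossy link are constructed for illustration and are not a real protocol.

```python
"""Two of the transmission controls on the slide, parity and message
acknowledgment, as a small sender/receiver exchange. Added example; the framing
and the lossy channel are constructed for illustration, not a real protocol."""


def add_parity(payload: bytes) -> bytes:
    """Even parity: set bit 7 so every byte carries an even number of 1 bits.
    Only 7-bit data fits, since bit 7 is the parity bit."""
    out = bytearray()
    for b in payload:
        if b & 0x80:
            raise ValueError("parity bit needs 7-bit data")
        out.append(b | 0x80 if bin(b).count("1") % 2 else b)
    return bytes(out)


def check_parity(frame: bytes) -> bool:
    """True if every byte has even parity. Detects an odd number of flipped bits per byte."""
    return all(bin(b).count("1") % 2 == 0 for b in frame)


def strip_parity(frame: bytes) -> bytes:
    """Remove the parity bit to recover the 7-bit payload."""
    return bytes(b & 0x7F for b in frame)


class Receiver:
    """Checks parity, replies ACK or NAK, and delivers each sequence number once."""

    def __init__(self):
        self.expected_seq = 0
        self.delivered = []

    def handle(self, seq, frame):
        if not check_parity(frame):
            return ("NAK", seq)            # ask the sender to retransmit
        if seq == self.expected_seq:
            self.delivered.append(strip_parity(frame))
            self.expected_seq += 1
        # A repeated seq (earlier ACK lost) is acknowledged again but not re-delivered.
        return ("ACK", seq)


def make_channel(corrupt_first=0):
    """Constructed lossy link: flips one bit in each of the first N frames sent."""
    state = {"sent": 0}

    def channel(frame):
        state["sent"] += 1
        if state["sent"] <= corrupt_first:
            return bytes([frame[0] ^ 0x01]) + frame[1:]
        return frame
    return channel


def send_with_retry(receiver, messages, channel, max_retries=3):
    """Send numbered frames, retransmitting on NAK; returns the number of transmissions."""
    transmissions = 0
    for seq, msg in enumerate(messages):
        frame = add_parity(msg)
        for _ in range(max_retries + 1):
            transmissions += 1
            reply, _ = receiver.handle(seq, channel(frame))
            if reply == "ACK":
                break
        else:
            raise RuntimeError(f"frame {seq} never acknowledged")
    return transmissions


if __name__ == "__main__":
    rx = Receiver()
    n = send_with_retry(rx, [b"PAY 1000.00", b"VENDOR 1003"], make_channel(corrupt_first=1))
    print(n, rx.delivered)   # 3 transmissions: the first frame was damaged once and resent
```

Parity is a control against line noise, not against tampering: an even number of flipped bits in one byte passes unnoticed, and anyone altering a message deliberately can recompute the parity bit. That is why the slide lists encryption alongside it rather than instead of it.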
![Page 47: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/47.jpg)
Data Transmission Controls
Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
![Page 48: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/48.jpg)
Data Transmission Controls
In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
![Page 49: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/49.jpg)
Data Transmission Controls
Control procedures, continued
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.
![Page 50: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/50.jpg)
Case Conclusion
Were Jason and his supervisor able to identify the source of the fictitious invoices? No.
They asked the police to identify the owner of the Pacific Electric bank account. What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.
![Page 51: Computer Controls and Security](https://reader036.vdocuments.us/reader036/viewer/2022062408/56813b38550346895da40b5e/html5/thumbnails/51.jpg)
End