MICROCOMPUTER SECURITY

Nick Pattenden is a senior manager with Chartered Accountants Deloitte Haskins & Sells. He is now engaged in the development and implementation of audit support software. In this capacity he was involved in the development of a new stockbroking system for an Australian client, involving automatic transmission of confirmatory telexes, a risk analysis system for a major international banking group, and in the design and development of Deloitte's own microcomputer security package.

UPDATE on Computer Audit, Control and Security

CONFERENCE REPORTS: COMPACS '88
Nearly a thousand day delegates attended the Twelfth International Conference on Computer Audit, Control and Security ('COMPACS') run by the Institute of Internal Auditors - United Kingdom from 22 - 25 March 1988 at the London Hilton. The formula for the conference was the same as previously, with a number of day themes contributing to the overall conference theme. During the course of the four days a number of major issues were addressed by high quality speakers from the United States and the United Kingdom.
The overall conference theme was 'The Impact of Emerging Technologies on Auditors'. This was also the theme of the first day. The second day was devoted to control and audit issues of systems development. Other themes related to the security and audit of systems software, microcomputers and Electronic Data Transfer.
Control and audit issues of systems development
The top attraction measured by day bookings went to the day devoted to the control and audit issues of systems development. The day started with a presentation on 'The Risks of Uncontrolled Systems Development' by Rainer Burchett, a Consultant and Director of Learmonth and Burchett Management Systems. He began by examining the risks in systems development, which he identified as:
i The risk of identifying the wrong applications to be developed in the first place - that is, applications which do not meet the true needs of the business.
ii The danger that much of the potential value of strategic applications will not be achieved because of a failure to plan and control the integration of the various applications and to create an appropriate infrastructure.
iii The risks of late systems, systems over budget, systems unsatisfactory to the user or full of errors and difficult to maintain and enhance - all risks caused by a lack of a good disciplined, structured development approach.
To overcome the first problem he suggested a need for a systematic way of identifying and ranking those applications which would most benefit the organisation. Integrated architecture planning was needed to establish a consistent data model that all applications would use, to overcome the problem of badly integrated systems. The key to the third problem was the need for a structured method of systems development which incorporated notional techniques to facilitate understanding between the analyst and the user, working practices to encourage mutual involvement and discussion all the way through the requirements definition process, and a structured development process which includes proper management review points.

Volume 1 Number 1 July/August 1988
The second speaker on Systems Development was Carol Westwood, a Systems and Process Quality Assurance Manager within the Unipart Group of Companies. She described the quality assurance role as essentially to overview the process of systems development. This did not diminish the role and responsibilities of the project managers or users involved. A basic requirement for control was to have defined standards and procedures in place which were fit for their purpose, suitable for the technology and the organisation, integrated and regularly used. In addition to being the final signatory within the approval process, Quality Assurance should produce high level independent reports to senior management on systems functions performance, monitor the project management process, and carry out reviews during the systems development and on a post implementation basis to ensure that the system was delivering the benefits required and expected. Other Quality Assurance activities would include ensuring that change controls are effectively operated, ensuring that quality was optimised and confirming that a satisfactory level of testing was undertaken.
The third speaker on the topic was Jerry Fitzgerald from the USA, who was concerned with the methodology for designing controls during new systems development. Fitzgerald, an internationally respected Consultant, presented a session in two parts. First he demonstrated the process of building up a control matrix. He stressed the need to review controls during the design phases to ensure that the necessary controls were built into the new system before it was implemented. In the second part of his presentation he demonstrated the use of software packages to automate this process.
Future technology
In the opening session of the conference Bill H. Murray, a Consultant and Management Trainer with Ernst and Whinney, had examined the impact of the convergence of computing, recording and communications technologies on computer audit, control and security. The history of manual processing and the early stages of computer processing had seen data security attained by a combination of control over the media and the processing environment. A well controlled computer system could restrict access to data and provide greater accountability by recording who had access to data and when. This approach, however, would not be adequate for the future. He argued that the new problem which had arisen was that the boundaries of the controlled environment may no longer be coincident with the boundaries of a single system or a single organisation or institution. This would make it increasingly difficult for anyone to have the necessary knowledge and influence to specify controls and access rules. Controls for the integrity and confidentiality of data will need to be independent of both the media and the environment. He concluded that control could only be achieved in this type of environment by the application of cryptography and forecast that this would be the major issue for the next two decades.
Computer security
Computer Security was addressed in three separate sessions. Professor Krish Bhaskar, Director of the Computer Industry Research Unit at the University of East Anglia, considered the topic of 'A Secure Workstation for the 1990's'. Based on research work which he had undertaken, he considered that the commercial products available at present were limited in the security that they provided. Most software packages for microcomputer systems offer little or no inherent security measures. There is a need to adopt a threat/countermeasures matrix approach and to use risk analysis to consider the probability of threats and the cost/benefit measurement of alternative solutions. At the present time he considered that standards of security were low and would remain low until user awareness of computer crimes was increased, and the demand for improved provisions would then rise accordingly. Clive Blatchford of ICL and Richard Sizer of Logica SDS Ltd were in agreement that the security of information systems had been approached in the past in a piecemeal, ad hoc fashion. Both also referred to the perpetration of crimes by technically competent staff. Richard Sizer warned that part of the problem was that the financial domain did not have a strong security culture in the United Kingdom so far as information technology was concerned. Computer security appeared to be taken more seriously in the USA where there was a statutory obligation for fraud and embezzlement to be reported.

Systems software

COMPACS '88 continued the tradition of its predecessors by having a day devoted to technical sessions on systems software topics. For IBM users, Mike Kerford-Byrnes described the controls that auditors should look for when reviewing the procedures for the amendment of systems software. The remainder of the IBM stream examined the audit and control issues of IBM's Customer Information Control System (CICS). P.J. Corum reviewed the CICS architecture and control tables, highlighted specific audit and security concerns and provided guidelines on how to perform a CICS control survey. Peter Wild, a Senior Manager with the Auditing Directorate of Coopers and Lybrand, described how to audit CICS using a relational database model on a microcomputer.

For ICL users, Adrian Lawes presented a review of the audit and control issues of ICL's VME Utilities and System Control Language (SCL).

David Bentley

Alan E Brill, Director of Information Systems Security, New York City Dept of Investigation, highlighted the reasons why there are so few successful prosecutions for computer crime, while speaking at Corporate Computer Security '88:

You have to discover something has actually happened.
You have to show how it happened.
You have to show it was a crime.
You have to have established that there are grounds for a prosecution.
You have to know who did it.
You have to be able to prove it.
Your company has to be willing to back you in going to law.
You have to find competent counsel.
You have to have evidence which will stand up in court.
You have to get the evidence across to a non-expert judge and jury.

Quality assurance survey makes depressing reading

A recent survey by BCC and PA Computers and Telecommunications was designed to investigate the extent to which quality management practices have been adopted by the data processing (DP) departments of UK companies. An analysis was made of 100 replies received from organisations employing over 50 data processing staff.

The results show that systematic procedures to ensure quality are exceptional. That this should be so is hardly surprising when one learns that many comments from participants in the survey indicate that their attitudes to their customers (users) are not 'ideal'. As quality management programmes are 'customer defined' this makes successful quality programmes unattainable. Having come to this basic analysis, the survey went further by trying to identify the major problem areas. These were:

1. System changes required by customers run at too high a level. This was often the result of poor original specification requirements compounded by the length of time it may take to develop DP systems. In the meantime the user's needs may have changed.

2. Late delivery of systems - in many large corporations there are estimated to be waiting lists of up to three years.