Easy Office

Neither too brief nor too descriptive. #pdf

3. Protection of Information Systems

3.1 Need for Protection of Information Systems

- Information systems and communications that deliver the information are truly pervasive throughout organizations, from the user's platform to local and wide area networks to servers.
- Executive management has a responsibility to ensure that the organization provides all users with a secure information processing environment.
- Information security failures may result in financial losses and/or intangible losses such as unauthorized disclosure of competitive or sensitive information.
- Threats to information systems may arise from intentional or unintentional acts and may come from internal or external sources. The threats may emanate from technical conditions, natural disasters, environmental conditions, human factors, unauthorized access, or viruses.
- These risks have led to a gap between the need to protect systems and the degree of protection applied. This gap is caused by:
  - Widespread use of technology;
  - Interconnectivity of systems;
  - Elimination of distance, time, and space as constraints;
  - Unevenness of technological changes;
  - Devolution of management and control;
  - Attractiveness of conducting unconventional electronic attacks over more conventional physical attacks against organizations; and
  - External factors such as legislative, legal & regulatory obligation or technological development.

3.2 Information System Security

- Information security refers to the protection of valuable assets against loss, disclosure, or damage.
- Securing valuable assets from threats, sabotage, or natural disaster with physical safeguards such as locks, perimeter fences, and insurance is commonly implemented by most organizations.
- This concept of information security applies to all information. The protection is achieved through a layered series of technological and non-technological safeguards.
- Information Security Objective –
  - The objective of information system security is “the protection of the interests of those relying on information, and protect the information systems and communications that deliver the information from harm resulting from failures of confidentiality, integrity, and availability”.
  - For any organization, the security objective comprises three universally accepted attributes:
    i). Confidentiality: Prevention of the unauthorized disclosure of information;
    ii). Integrity: Prevention of the unauthorized modification of information; and
    iii). Availability: Prevention of the unauthorized withholding of information.

3.2.1 What Information is Sensitive?

- The following examples highlight some of the factors necessary for an organization to succeed. The common aspect in each case is the critical information that each organization generates.

i). Strategic Plans –
- Most organizations readily acknowledge that strategic plans are crucial to the success of a company, but many of them fail to make a real effort to protect these plans.
- For example: a competitor learns that a company is testing a new product line in a specific geographic location. The competitor removes its product from that location, creating an illusory demand for the product. When the positive results of the test marketing are provided to the company's executives, they decide to roll the product out nationwide. Only then does the company discover that in all other geographic regions the competition for its product was intense. The result is that the company lost several million as its product sales faltered.
- In today’s global environment, the search for competitive advantage has never been greater. The advantages of achieving insight into a competitor's intentions can be substantial.

ii). Business Operations –
- Business operations consist of an organization’s processes and procedures, most of which are deemed to be proprietary.
  As such, they may provide a market advantage to the organization.
- This is the case when one company can provide a service profitably at a lower price than the competitor. While many organizations prohibit the sharing of such data, carelessness often results in its compromise.

iii). Finances –
- Financial information, such as salaries and wages, is very sensitive and should not be made public. This information, if available, can help competing enterprises to understand and reconfigure their salary structure accordingly.
- Similarly, availability of information about product pricing may also be used by competing enterprises to price their products competitively.

3.3 Information Security Policy

- An Information Security Policy is the statement of intent by the management about how to protect a company’s information assets. An information security policy should be in written form.
- It provides instructions to employees about ‘what kinds of behaviour or resource usage are required and acceptable’, and about ‘what is unacceptable’.
- In its basic form, an information security policy is a document that describes an organization’s information security controls and activities.
- An Information Security Policy is the essential foundation for an effective and comprehensive information security program.
- It is the primary way in which management’s information security concerns are translated into specific measurable and testable goals and objectives.
- It provides guidance to the people who build, install, and maintain information systems.
- An Information Security Policy invariably includes rules intended to:
  - Preserve and protect information from any unauthorized modification, access or disclosure;
  - Limit or eliminate potential legal liability from employees or third parties; and
  - Prevent waste or inappropriate use of the resources of an organization.

3.3.1 Tools to Implement Policy: Standards, Guidelines, and Procedures

- Organizations develop standards, guidelines, and procedures that offer users, managers and others a clearer approach to implementing policy and meeting organizational goals.
- Standards –
  - Standards specify technologies and methodologies to be used to secure systems.
  - Standards, guidelines, and procedures should be promulgated throughout an organization through handbooks or manuals.
  - Organizational standards specify uniform use of specific technologies across the organization.
  - Standards are compulsory within an organization.
- Guidelines –
  - Guidelines help in smooth implementation of information security policy. Guidelines assist users, systems personnel, and others in effectively securing their systems.
  - Guidelines are used to ensure that specific security measures are not overlooked, although they can be implemented, and correctly so, in more than one way.
- Procedures –
  - Procedures are more detailed steps to be followed to accomplish particular security related tasks. Procedures assist in implementing the applicable information security policy.
  - These are detailed steps to be followed by users, system operations personnel, and others to accomplish a particular task.
  - Some organizations issue overall computer security manuals, regulations, handbooks, or similar documents.

3.3.2 Issues to address

- An Information Security Policy does not need to be extremely extensive, but should clearly state senior management's commitment to information security and be signed by an appropriate senior manager.
- The policy should at least address the following issues:
  - A definition of information security,
  - Reasons why information security is important to the organization, and its goals & principles,
  - A brief explanation of the security policies, principles, standards and compliance requirements,
  - Definition of all relevant information security responsibilities; and
  - Reference to supporting documentation.
- The auditor should ensure that the policy is readily accessible to all employees and that all employees are aware of its existence and understand its contents.

3.3.3 Members of Security Policy

- Security has to encompass managerial, technological and legal aspects.
- Security policy broadly comprises the following three groups of management:
  - Management members who have budget and policy authority,
  - Technical group who know what can and cannot be supported, and
  - Legal experts who know the legal ramifications of various policy charges.

3.3.4 Information Security Policies and their Hierarchy

- Information Security Policy – This policy provides a definition of Information Security, its overall objective and the importance that applies to all users.
- Various types of information security policies are:

i). User Security Policies –
- These include User Security Policy and Acceptable Usage Policy.
  a) User Security Policy – This policy sets out the responsibilities and requirements for all IT system users. It provides security terms of reference for Users, Line Managers and System Owners.
  b) Acceptable Usage Policy – This sets out the policy for acceptable use of email, Internet service & other IT resources.

ii). Organization Security Policies –
- These include Organizational Information Security Policy, Network & System Security Policy and Information Classification Policy.
  a) Organizational Information Security Policy – This policy sets out the Group policy for the security of its information assets and the Information Technology (IT) systems processing this information.
  b) Network & System Security Policy – This policy sets out detailed policy for system and network security and applies to IT department users.
  c) Information Classification Policy – This policy sets out the policy for the classification of information.

iii). Conditions of Connection –
- This policy sets out the Group policy for connecting to the network.
- It applies to all organizations connecting to the Group, and relates to the conditions that apply to different suppliers’ systems.

3.3.5 Components of the Security Policy

- A good security policy should clearly state the following:
  - Purpose and Scope of the Document and the intended audience;
  - The Security Infrastructure;
  - Security policy document maintenance and compliance requirements;
  - Incident response mechanism and incident reporting;
  - Security organization Structure;
  - Inventory and Classification of assets;
  - Description of technologies and computing structure;
  - Physical and Environmental Security;
  - Identity Management and access control;
  - IT Operations management;
  - IT Communications;
  - System Development and Maintenance Controls;
  - Business Continuity Planning;
  - Legal Compliances; and
  - Monitoring and Auditing Requirements.

3.4 Information Systems Controls

- Control is defined as policies, procedures, practices and enterprise structure that are designed to provide reasonable assurance that business objectives will be achieved and undesired events are prevented, detected and corrected.
- This is achieved by designing an effective information control framework, which comprises policies, procedures, practices, and organization structure.

3.4.1 Need for Controls in Information Systems

- Without adequate controls, anyone could look at the records and make amendments, some of which could remain undetected.
- To reduce the probability of organizational costs of data loss, computer loss, computer abuse and incorrect decision making, and to maintain privacy, an organization’s management must set up a system of internal controls.
- IS control procedures may include:
  - Strategy and direction,
  - General Organization and Management,
  - Access to IT resources, including data and programs,
  - System development methodologies and change control,
  - Operation procedures,
  - System Programming and technical support functions,
  - Quality Assurance Procedures,
  - Physical Access Controls,
  - BCP and DRP,
  - Network and Communication,
  - Database Administration, and
  - Protective and detective mechanisms against internal and external attacks.

3.4.2 Objectives of Controls

- The basic purpose of information system controls in an organization is to ensure that the business objectives are achieved and undesired risk events are prevented, detected and corrected.
- The objective of controls is to reduce or, if possible, eliminate the causes of the exposure to potential loss. Exposures are potential losses due to threats materializing.
- Some categories of exposures are:
  - Errors or omissions in data, procedure, processing, judgment and comparison;
  - Improper authorizations and improper accountability with regard to procedures, processing, judgment and comparison; and
  - Inefficient activity in procedures, processing and comparison.
- Some of the critical controls lacking in a computerized environment are:
  - Lack of management understanding of IS risks and related controls;
  - Absence or inadequacy of an IS control framework;
  - Absent or weak general controls and IS controls;
  - Lack of awareness and knowledge of IS risks and controls amongst business users and IT staff;
  - Complexity of implementation of controls in distributed computing environments and extended enterprises;
  - Lack of control features or their implementation in highly technology driven environments; and
  - Inappropriate technology implementations or inadequate security functionality in technologies implemented.
- The control objectives serve two main purposes:
  - Outline the policies of the organization as laid down by the management; and
  - A benchmark for evaluating whether control objectives are met.

3.4.3 Components of Internal Controls

- In a computerised environment, the goals of asset safeguarding, data integrity, system efficiency and system effectiveness can be achieved only if management sets up a system of internal control.
- Internal controls comprise the following five interrelated components:

i). Control Environment –
- Elements that establish the control context in which specific accounting systems and control procedures must operate.
- The control environment is manifested in management’s operating style, the ways authority and responsibility are assigned, the functional method of the audit committee, the methods used to plan and monitor performance and so on.

ii). Risk Assessment –
- Elements that identify and analyze the risks faced by an organisation and the way the risk can be managed.
- Both external and internal auditors are concerned with errors or irregularities that cause material losses to an organisation.

iii). Control Activities –
- Elements that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets & records are safeguarded, and independent checks on performance and valuation of records are made. These are called accounting controls.

iv). Information and Communication –
- Elements in which information is identified, captured and exchanged in a timely and appropriate form to allow personnel to discharge their responsibilities.

v). Monitoring –
- The best internal controls are worthless if the company does not monitor them and make changes when they are not working.

3.4.4 Impact of Technology on Internal Controls

These are discussed as follows:

1) Competent and Trustworthy Personnel –
- Personnel should have proper skill and knowledge to discharge their duties.
  But ensuring that an organization has competent and trustworthy information system personnel is a difficult task.

2) Segregation of Duties –
- In a computerised system, the auditor should be concerned with the segregation of duties within the IT department. Segregation of duties prevents or detects errors or irregularities.

3) Authorization Procedures –
- In computer systems, authorization procedures are embedded within a computer program. For example: in some on-line transaction systems, written evidence of individual data entry authorisation may be replaced by computerised authorisation controls.

4) Adequate Documents and Records –
- In computer systems, documents might not be used to support the initiation, execution and recording of some transactions. Thus, if the controls over the protection & storage of documents, transaction details, audit trails etc. are placed properly, it will not be a problem for the auditor.

5) Physical Control over Assets and Records –
- Physical control over access and records is critical in computer systems. Computerised financial systems have not changed the need to protect the data. The nature and types of control available have changed to address these new risks.

6) Adequate Management Supervision –
- In a computer system, data communication facilities can be used to enable employees to be closer to the customers they service. So supervision of employees might have to be carried out remotely.

7) Independent Checks on Performance –
- If the program code in a computer system is authorized, accurate, and complete, the system will always follow the designated procedures in the absence of some other type of failure like hardware or systems software failure.

8) Comparing Recorded Accountability with Assets –
- In a computer system, software is used to prepare the data.
  So, internal controls must be implemented to ensure the veracity of program code, because traditional separation of duties no longer applies to the data being prepared for comparison purposes.

9) Delegation of Authority and Responsibility –
- In a computer system, delegating authority and responsibility in an unambiguous way might be difficult because some resources are shared among multiple users.

3.5 Classification of Information Systems Controls

- Internal controls can be classified into various categories, on different bases, to illustrate the interaction of various groups in the enterprise and their effect on information systems.

3.5.1 Classification on the basis of “Objective of Controls”

The controls can be classified as under:

1) Preventive Controls –
- Preventive Controls are those inputs which are designed to prevent an error, omission or malicious act occurring.
- Any control can be implemented in both manual and computerized environments for the same purpose.
- The broad characteristics of preventive controls are as follows:
  - A clear-cut understanding about the vulnerabilities of the asset;
  - Understanding probable threats; and
  - Provision of necessary controls to prevent probable threats from materializing.
- Examples of preventive controls are given as follows:
  - Employ qualified personnel
  - Segregation of duties
  - Access control
  - Vaccination against diseases
  - Documentation
  - Prescribing appropriate books for the course
  - Training and retraining of staff
  - Authorization of transaction
  - Validity, edit checks in the application
  - Firewalls
  - Passwords
  - Antivirus Software
- The following Table shows how the same purpose is achieved by using manual & computerized controls.

| Purpose | Manual Control | Computerised Control |
|---|---|---|
| Restrict unauthorized entry into the premises | Build a gate and post a security guard. | Use access control software, smart card, biometrics, etc. |
| Restrict unauthorized entry into the software applications | Keep the computer in a secured location and allow only authorised persons to use the applications. | Use access control, viz. user id, password, smart card, etc. |

2) Detective Controls –
- Detective controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence.
- The main characteristics of detective controls are given as follows:
  - Clear understanding of lawful activities so that anything which deviates from these is reported as unlawful, malicious, etc.;
  - An established mechanism to refer the reported unlawful activities to the appropriate person;
  - Interaction with the preventive control to prevent such acts from occurring; and
  - Surprise checks by supervisor.
- Examples of detective controls include:
  - Hash totals,
  - Check points in production jobs,
  - Echo control in telecommunications,
  - Error message over tape labels,
  - Duplicate checking of calculations,
  - Periodic performance reporting with variances,
  - Past-due accounts report,
  - The internal audit functions,
  - Intrusion detection system,
  - Cash counts and bank reconciliation, and
  - Monitoring expenditures against budgeted amount.

3) Corrective Controls –
- Corrective controls are designed to reduce impact or correct an error once it has been detected.
- Corrective controls may include use of default dates on invoices where an operator has tried to enter an incorrect date. A Business Continuity Plan (BCP) is considered to be a corrective control.
- The main characteristics of the corrective controls are:
  - Minimizing the impact of the threat;
  - Identifying the cause of the problem;
  - Providing remedy to the problems discovered by detective controls;
  - Getting feedback from preventive and detective controls;
  - Correcting error arising from a problem; and
  - Modifying the processing systems to minimize future occurrences of the incidents.
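The preventive, detective and corrective objectives described above, applied to one batch of invoices, as an added example that is not part of the original notes. It uses three controls the notes name (an edit check, a hash total, a default invoice date); the record layout, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Invoice:
    number: str
    account: int        # six-digit customer account number
    amount_cents: int
    invoice_date: str   # ISO date text exactly as keyed by the operator


# Constructed sample data. The header travels with the batch and carries the
# control totals computed where the batch was prepared.
HEADER = {"record_count": 4, "hash_total": 701935}
RECEIVED = [
    Invoice("INV-001", 100200, 125000, "2024-03-01"),
    Invoice("INV-002", 100350, -5000, "2024-03-02"),   # negative amount
    Invoice("INV-003", 200410, 78000, "2024-02-30"),   # impossible date
    Invoice("INV-004", 300957, 43000, "2024-03-04"),   # prepared as 300975
]


def edit_check(inv):
    """Preventive: refuse a bad record before it is processed."""
    errors = []
    if inv.amount_cents <= 0:
        errors.append("amount must be positive")
    if not 100000 <= inv.account <= 999999:
        errors.append("account must be six digits")
    return errors


def hash_total(invoices):
    """Detective: sum of a non-financial field. The number itself means
    nothing, but it changes when a record is lost, added or altered."""
    return sum(inv.account for inv in invoices)


def default_date(inv, processing_date):
    """Corrective: replace an invalid invoice date with the default date."""
    try:
        date.fromisoformat(inv.invoice_date)
        return inv, False
    except ValueError:
        return replace(inv, invoice_date=processing_date.isoformat()), True


def process_batch(header, invoices, processing_date):
    report = {"alerts": [], "rejected": [], "corrected": [], "accepted": []}

    # Detective controls report the deviation for follow-up; they do not
    # block the batch by themselves.
    if len(invoices) != header["record_count"]:
        report["alerts"].append(
            f"record count mismatch: header {header['record_count']}, "
            f"received {len(invoices)}")
    received_total = hash_total(invoices)
    if received_total != header["hash_total"]:
        report["alerts"].append(
            f"hash total mismatch: header {header['hash_total']}, "
            f"received {received_total}")

    for inv in invoices:
        errors = edit_check(inv)              # preventive
        if errors:
            report["rejected"].append((inv.number, errors))
            continue
        inv, corrected = default_date(inv, processing_date)  # corrective
        if corrected:
            report["corrected"].append(inv.number)
        report["accepted"].append(inv)
    return report


if __name__ == "__main__":
    for key, value in process_batch(HEADER, RECEIVED, date(2024, 3, 5)).items():
        print(key, value)
```

INV-004 passes the edit check because its altered account number is still a valid six-digit value; only the hash total reveals the change, which is why the notes treat detection as a separate objective from prevention.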
- Examples of Corrective Controls are given as follows:
  - Contingency planning,
  - Backup procedure,
  - Rerun procedures,
  - Change input value to an application system, and
  - Investigate budget variance and report violations.

4) Compensatory Controls –
- Controls are basically designed to reduce the probability of threats, which can exploit the vulnerabilities of an asset and cause a loss to that asset.
- While designing the appropriate control one thing should be kept in mind - “The cost of the lock should not be more than the cost of the assets it protects.”
- There should be adequate compensatory measures which, although they may not be as efficient as the appropriate control, reduce the probability of loss to the assets. Such measures are called compensatory controls.

3.5.2 Classification on the basis of “Nature of Information System Resources”

These are given as follows:

1) Environmental Controls –
- These are the controls relating to the IT environment such as power, air-conditioning, UPS, smoke detection, fire-extinguishers, dehumidifiers etc.
- This section deals with the external factors in the Information System and preventive measures to overcome these conflicts.

i). Environmental Issues and Exposures –
- Environmental exposures are primarily due to elements of nature.
- Common occurrences are fire, natural disasters (earthquake, volcano, hurricane, tornado), power spike, air conditioning failure, electrical shock, equipment failure, and water damage/flooding, even with facilities located on upper floors of high buildings.
- Other environmental issues and revelations include the following:
  - Is the power supply to the computer equipment properly controlled so as to ensure that it remains within the manufacturer’s specification?
  - Are the air conditioning, humidity and ventilation control systems protected against the effects of electricity using static rug or anti-static spray?
  - Is consumption of food, beverage and tobacco products prohibited, by policy, around computer equipment?
  - Are backup media protected from damage due to variation in temperatures or are they guarded against strong magnetic fields and water damage?
  - Is the computer equipment kept free from dust, smoke and other particulate matter?
- From the perspective of environmental exposures and controls, Information systems resources may be categorized as follows (with the primary focus on facilities):
  a) Hardware and Media – Includes Computing Equipment, Communication equipment, and Storage Media.
  b) Information Systems Supporting Infrastructure or Facilities – This typically includes the following:
    - Physical Premises like Computer Rooms, Cabins, Server Rooms, Data Centre premises, Printer Rooms, Remote facilities, Staging Room, and Storage Areas,
    - Communication Closets,
    - Cabling ducts,
    - Power Source, and
    - Heating, Ventilation and Air Conditioning (HVAC).
  c) Documentation – Physical and geographical documentation of computing facilities with emergency evacuation plans and incident planning procedures.
  d) Supplies – The third party maintenance procedures and civil contractors whose entry and access with respect to their scope of work assigned are to be monitored and logged.
  e) People – The employees, visitors, supervisors and third party maintenance personnel are to be made responsible and accountable for environmental controls in their respective Information Processing Facility (IPF).

ii). Controls for Environmental Exposures

These are given as follows:

- Water Detectors –
  - In the computer room, water detectors should be placed under the raised floor and near drain holes. For easy identification, the location of the water detectors should be marked.
  - When activated, the detectors should produce an audible alarm that can be heard by security and control personnel.
- Hand-Held Fire Extinguishers –
  - Fire extinguishers should be in calculated locations throughout the area. They should be tagged for inspection and inspected at least annually.
- Manual Fire Alarms –
  - Hand-pull fire alarms should be purposefully placed throughout the facility. The resulting audible alarm should be linked to a monitored guard station.
- Smoke Detectors –
  - Smoke detectors are positioned at places above and below ceiling tiles. Upon activation, detectors should produce an audible alarm and must be linked to a monitored station.
- Fire Suppression Systems –
  - The alarms are activated when extensive heat is generated due to fire. The system should be segmented into zones so that fire in one part of the facility does not activate the entire system.
  - The fire suppression technique varies with the situation, but it is usually one of the following:
    a) Dry-Pipe sprinkling systems –
      - These are typically referred to as sprinkler systems.
      - These pipes remain dry, and upon activation by the electronic fire alarm water is sent through the pipe.
      - Dry pipe systems have the advantage that any failure in the pipe will not result in water leaking into sensitive equipment.
    b) Water based systems –
      - These also function similarly to the sprinkler systems.
      - These systems are effective but also unpopular because they damage equipment and property in the case of leakage or breakage of pipes.
    c) Halon –
      - Halon systems contain pressurized Halon gases that remove oxygen from the air.
      - Halon is preferred because it is inert and does not damage equipment like water does. There should be an audible alarm and a brief delay before discharge to permit personnel time to evacuate the area and disconnect the system in case of a false alarm.
      - The drawback is that, since Halon adversely affects the ozone layer, its usage is banned.
- Strategically Locating the Computer Room –
  - To reduce the risk of flooding, the computer room should not be located in the basement or ground floor of a multi-storey building.
- Regular Inspection by Fire Department –
  - An annual inspection by the fire department should be carried out to ensure that all fire detection systems act in accordance with building codes.
- Fireproof Walls, Floors and Ceilings surrounding the Computer Room –
  - The information processing facility should be surrounded by walls that control or block fire from spreading.
- Electrical Surge Protectors –
  - The risk of damage due to power spikes can be reduced by using electrical surge protectors.
- Uninterruptible Power System (UPS)/Generator –
  - A UPS system consists of a battery or gasoline powered generator that interfaces between the main electrical power entering the facility and the electrical power supplied to the computer. The system cleanses the power to ensure wattage into the computer is consistent.
- Power Leads from Two Substations –
  - Electrical power lines are exposed to many environmental dangers such as water, fire, lightning, cutting due to careless digging etc.
- Emergency Power-Off Switch –
  - When there arises a necessity for immediate power shutdown, an emergency power-off switch at strategic locations would serve the purpose.
- Wiring Placed in Electrical Panels and Conduit –
  - Electrical fires are always a risk. To reduce the risk of such a fire occurring and spreading, wiring should be placed in fire resistant panels and conduit.
- Prohibitions against Eating, Drinking and Smoking within Information Processing Facility –
  - These activities should be prohibited from the information processing facility.
- Fire Resistant Office Materials –
  - The materials used in the information processing facility such as wastebaskets, curtains, desks, cabinets and other general office materials should be fire proof.
- Documented and Tested Emergency Evacuation Plans –
  - Relocation plans should emphasize human safety, but should not leave information processing facilities physically unsecured.

2) Physical Access Controls –
- These are the controls relating to physical security of the tangible IS resources and intangible resources stored on tangible media. Such controls include access control doors, security guards, door alarms, restricted entry to secure areas, visitor logged access, CCTV monitoring etc.

i). Physical Access Issues and Exposures
- The following points elaborate the results of accidental or intentional violation of the access paths:
  - Abuse of data processing resources,
  - Blackmail,
  - Embezzlement,
  - Damage, vandalism or theft to equipment or documents,
  - Public disclosure of sensitive information, and
  - Unauthorized entry.
- Possible perpetrators –
  - Perpetrations may be because of employees, who are:
    - Accidental ignorant: someone who outrageously violates rules,
    - Addicted to a substance or gambling,
    - Discontented,
    - Experiencing financial or emotional problems,
    - Former employee,
    - Interested outsiders, such as competitors, thieves, organized crime and hackers,
    - Notified for their termination,
    - On strike, and
    - Threatened by disciplinary action or dismissal.
- Exposures to confidential matters may come from unaware, accidental or anonymous persons. Other areas of concern include the following:
  - How far are the hardware facilities controlled to reduce the risk of unauthorized access?
  - Are the hardware facilities protected against forced entry?
  - Are intelligent computer terminals locked or otherwise secured to prevent illegal removal of physical components like boards, chips and the computer itself?
  - When there is a need for the removal of computer equipment from its normal secure surroundings, are authorized equipment passes required for the removal?
- The facilities that need to be protected from the auditor’s perspective are as follows:
  - Communication channels,
  - Computer room,
  - Control units and front-end processors,
  - Dedicated telephones/telephone lines,
  - Disposal sites,
  - Input/output devices,
  - Local area networks,
  - Microcomputers and personal computers,
  - Minicomputer establishments,
  - Off-site backup file storage facility,
  - On-site and remote printers,
  - Operator consoles and terminals,
  - Portable equipment,
  - Power sources,
  - Programming area,
  - Storage rooms and supplies,
  - Tape library, tapes, disks and all magnetic media, and
  - Telecommunications equipment.

ii). Controls for Physical Access Exposures
- Physical access controls are designed to protect the organization from unauthorized access or to prevent illegal entry. The authorization given by the management should be explicit.
- Some of the more common access control techniques are discussed categorically as follows:

a) Locks on Doors – These are given as follows:
  i). Cipher locks (Combination Door Locks) –
    - The cipher lock consists of a pushbutton panel that is mounted near the door outside of a secured area. To enter, a person presses a four digit number and the door will unlock for a predetermined period of time.
    - Cipher locks are used in low security situations or when a large number of entrances and exits must be usable all the time.
  ii). Biometric Door Locks –
    - These locks are extremely secure: an individual’s unique body features, such as voice, retina, fingerprint or signature, activate these locks.
    - This system is used in extremely sensitive facilities to protect sensitive data.
  iii). Bolting Door Locks –
    - A special metal key is used to gain entry when the lock is a bolting door lock. To avoid illegal entry, the keys should not be duplicated.
  iv). Electronic Door Locks –
    - A magnetic or embedded chip-based plastic card key or token may be entered into a reader to gain access in these systems.
b) Physical Identification Medium – These are discussed below: i). Personal Identification Numbers (PIN) –  A secret number assigned to the individual, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. ii). Plastic Cards –  These cards are used for identification purposes. Customers should safeguard their card so that it does not fall into unauthorized hands. iii). Identification Badges –  Special identification badges can be issued to personnel as well as visitors. For easy identification purposes, the colour of the badge can be changed. c) Logging on Facilities – These are given as under: i). Manual Logging: All visitors should be prompted to sign a visitor’s log indicating their name, company represented, their purpose of visit, and person to see. Logging may happen at both fronts - reception and entrance to the computer room. A valid and acceptable identification such as a driver’s license, business card or vendor identification tag may also be asked for before allowing entry inside the company. ii). Electronic Logging: This feature is a combination of electronic and biometric security systems. The users’ logging can be monitored and the unsuccessful attempts highlighted. d) Other means of Controlling Physical Access – Other important means of controlling physical access are given as follows: (i) Video Cameras –  Cameras should be placed at specific locations and monitored by security guards. The video supervision recording must be retained for possible future playback. (ii) Security Guards –  Extra security can be provided by appointing guards aided with CCTV feeds. (iii) Controlled Visitor Access –  A responsible employee should escort all visitors. Visitors may be friends, maintenance personnel, computer vendors, consultants and external auditors.
(iv) Bonded Personnel –  All service contract personnel, such as cleaning people and off-site storage services, should be asked to sign a bond. (v) Dead Man Doors –  These systems encompass a pair of doors that are found in entries to facilities such as computer rooms and document stations. The first entry door must close and lock for the second door to operate, with only one person permitted in the holding area. (vi) Non–exposure of Sensitive Facilities –  There should be no explicit indication, such as the presence of windows or directional signs, hinting at the presence of facilities such as computer rooms. (vii) Computer Terminal Locks –  These locks ensure that the device at the desk is not turned on or cut off by an unauthorized person. (viii) Controlled Single Entry Point –  All incoming personnel can use a controlled single entry point. A controlled entry point is monitored by a receptionist. Multiple entry points increase chances of unauthorized entry. (ix) Alarm System –  Illegal entry can be avoided by linking the alarm system to inactive entry points and to the reverse flows of enter-only or exit-only doors. (x) Perimeter Fencing –  Fencing at the boundary of the facility may also enhance the security mechanism. (xi) Control of out of hours of employees –  Employees who are out of office for a longer duration during the office hours should be monitored carefully. Their movements must be noted and reported to concerned officials. (xii) Secured Report/Document Distribution Cart –  Secured carts, such as mail carts, must be covered & locked and should always be attended.  The following are the advantages of electronic door locks over bolting & combinational locks:  Through the special internal code, cards can be made to identify the correct individual.  Individuals’ access needs can be restricted through the special internal code & sensor devices.  Degree of duplication is reduced.
 Card entry can be easily deactivated in the event an employee is terminated or a card is lost.  An administrative process, which may deal with issuing, accounting for and retrieving the card keys, is also part of security. 3) Logical Access Controls –  Logical access controls are implemented to ensure that access to systems, data and programs is restricted to authorized users so as to safeguard information against unauthorized use, disclosure or modification, damage or loss.  Logical access controls are system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.  Assessing logical access controls involves evaluating the following critical procedures:  Logical access controls restrict users to authorized transactions and functions.  There are logical controls over network access.  There are controls implemented to protect the integrity of the application and the confidence of the public when the public accesses the system.  Logical Access Paths These are given as follows: i). Online Terminals –  To access an online terminal, a user has to provide a valid login-ID and password. If additional authentication mechanisms are added along with the password, it will strengthen the security.  Operator Console – The operator console is one of the crucial places where any intruder can play havoc. Hence, access to the operator console must be restricted.  This can be done by:  Keeping the operator console at a place which is visible to all.  Keeping the operator console in a protected room accessible to selected personnel. ii). Dial-up Ports –  Using a dial-up port, a user at one location can connect remotely to another computer present at an unknown location via a telecommunication medium.  A modem is a device which can convert the digital data transmitted to analog data. Thus, the modem can act as an interface between the remote terminal and the telephone line.
 Security is achieved by providing a means of identifying the remote user to determine authorization to access. iii). Telecommunication Network –  In a telecommunication network, a number of computer terminals, personal computers etc. are linked to the host computer through network or telecommunication lines.  Whether the telecommunication lines are private or public, security is provided in the same manner as it is applied to online terminals.  Logical Access Issues and Exposures  Controls that reduce the risk of misuse, theft, alteration or destruction should be used to protect computer files against unauthorized and unnecessary access.  Access control mechanisms should be applied not only to computer operators but also to end users, programmers, security administrators, management or any other authorized users.  Access control mechanisms should provide security to the following applications:  Access control software,  Application software,  Data,  Data dictionary/directory,  Dial-up lines,  Libraries,  Logging files,  Operating systems,  Password library,  Procedure libraries,  Spool queues,  System software,  Tape files,  Telecommunication lines,  Temporary disk files, and  Utilities.  Issues and Revelations related to Logical Access  Intentional or accidental exposures of logical access control encourage technical exposures and computer crimes. These are given as follows: A. Technical Exposures –  Technical exposures include unauthorized implementation or modification of data and software. Technical exposures include the following: i). Data Diddling –  Data diddling involves the change of data before or after they are entered into the system.  Limited knowledge is required and it occurs before computer security can protect data. ii). Bomb –  A bomb is a piece of bad code deliberately planted by an insider or supplier of a program. A bomb is triggered by an event, which is either logical or time based.
 The bombs explode when the conditions of explosion get fulfilled, causing the damage immediately. However, these programs cannot infect other programs.  Bombs are generally of two types, which are given as follows: a) Time Bomb –  This name has been borrowed from its physical counterpart because of its mechanism of activation. The computer time bomb causes a perverse activity, such as disruption of the computer system, modification or destruction of stored information etc., on a particular date and time for which it has been developed. The computer clock initiates it. b) Logic Bomb –  They resemble time bombs in their destruction activity. Logic bombs are activated by a combination of events. These bombs can be set to go off at a future time or event.  For example, a code like: “If a file named DELETENOT is deleted then destroy the memory contents by writing ones.” This code segment, on execution, may cause destruction of the contents of the memory on deleting a file named DELETENOT. iii). Trojan Horse –  Typically, a Trojan horse is illicit code contained in a legitimate program that causes an illegitimate action.  A Trojan may:  Change or steal the password or  May modify records in protected files or  May allow illicit users to use the systems.  Trojan horses hide in a host and generally do not damage the host program. Trojans cannot copy themselves to other software in the same or other systems.  The Trojans may get activated only if the illicit program is called explicitly. It can be transferred to another system only if an unsuspecting user copies the Trojan program.  Christmas card is a well-known example of a Trojan. It was detected on the internal E-mail of the IBM system. On typing the word ‘Christmas’, it will draw the Christmas tree, but in addition, it will send copies of similar output to all other users connected to the network. Because of this message on other terminals, other users cannot save their half-finished work. iv).
Worm –  A worm does not require a host program like a Trojan to relocate itself. Thus, a worm program copies itself to another machine on the network. Since worms are stand-alone programs, they can be detected easily in comparison to Trojans and computer viruses.  Examples of worms are the Existential Worm, the Alarm Clock Worm etc. The Alarm Clock worm places wake-up calls on a list of users. The Existential worm does not cause damage to the system, but only copies itself to several places in a computer network. v). Rounding Down –  This refers to rounding of small fractions of a denomination and transferring these small fractions into an authorized account. As the amount is small, it rarely gets noticed. vi). Salami Techniques –  This involves slicing of small amounts of money from a computerized transaction or account. The salami technique is slightly different from a rounding technique, as a fixed amount is deducted. vii). Trap Doors –  Trap doors allow insertion of specific logic, such as program interrupts that permit a review of data. They also permit insertion of unauthorized logic. B. Computer Crime Exposures –  Computer systems are used to steal money, goods, software or corporate information. Crimes are also committed when false data or an unauthorized transaction is made.  Computer crimes generally result in loss of customers, embarrassment to management and legal actions against the organizations.  These are given as follows: i). Financial Loss –  Financial losses may be direct, like loss of electronic funds, or indirect, like expenditure towards repair of damaged electronic components. ii). Legal Repercussions –  An organization has to adhere to many laws while developing security policies and procedures. The organization will be exposed to lawsuits from investors and insurers if there are no proper security measures. iii). Loss of Credibility or Competitive Edge –  In order to maintain a competitive edge, companies need credibility and public trust.
This credibility will be shattered, resulting in loss of business & prestige, if security violations occur. iv). Blackmail/Industrial Espionage –  By knowing the confidential information, the perpetrator can obtain money from the organization by threatening and exploiting the security violation. v). Disclosure of Confidential, Sensitive or Embarrassing Information –  These events can spoil the reputation of the organization. Legal or regulatory actions against the company may also be a result of disclosure. vi). Sabotage –  People who may not be interested in financial gain but who want to spoil the credibility of the company will involve themselves in such activities. vii). Spoofing –  A spoofing attack involves forging one’s source address. One machine is used to impersonate the other in the spoofing technique.  Spoofing occurs only after a particular machine has been identified as vulnerable. A penetrator makes the user think that s/he is interacting with the operating system. C. Asynchronous Attacks –  Numerous transmissions must wait for the clearance of the line before data is transmitted. Data that is waiting to be transmitted is liable to unauthorized access, called an asynchronous attack. These attacks are hard to detect because they are usually very small pin-like insertions.  There are many forms of asynchronous attacks; some of them are given as follows: i). Data Leakage –  Data leakage involves leaking information out of the computer by means of dumping files to paper or stealing computer reports and tape. ii). Wire-tapping –  This involves spying on information being transmitted over a telecommunication network. iii). Piggybacking –  This is the act of following an authorized person through a secured door or electronically attaching to an authorized telecommunication link to intercept and alter transmissions.  This involves intercepting communication between the operating system and the user and modifying them or substituting new messages.
A special terminal is tapped into the communication for this purpose. iv). Shutting Down of the Computer/Denial of Service –  This is initiated through terminals or microcomputers that are directly or indirectly connected to the computer. Individuals who know the high-level system’s log-on ID initiate the shutting down process.  The security measure will function effectively if there are appropriate access controls on logging on through a telecommunication network. Some systems have proved to be vulnerable to shutting themselves down when overloading happens.  Hackers use this technique to shut down computer systems over the Internet. D. Remote and distributed data processing applications can be controlled in many ways. Some of these are given as follows:  Remote access to computer and data files through the network should be implemented.  Having a terminal lock can assure physical security to some extent.  Applications that can be remotely accessed via modems and other devices should be controlled.  Terminal and computer operations at remote locations should be monitored carefully and frequently for violations.  In order to prevent unauthorized users’ access to the system, there should be proper control mechanisms over system documentation and manuals.  Data transmission over remote locations should be controlled.  When replicated copies of files exist at multiple locations, it must be ensured that all identical copies contain the same information.  Logical Access Violators are often the same people who exploit physical exposures, although the skills needed to exploit logical exposures are more technical and complex.
They are mainly:  Hackers;  Employees (authorized or unauthorized);  IS Personnel;  End Users;  Former Employees;  Interested or Educated Outsiders;  Competitors;  Foreigners;  Organized criminals;  Crackers;  Part-time and Temporary Personnel;  Vendors and consultants; and  Accidental Ignorant – Violation done unknowingly.  Logical Access Control across the System  The purpose of logical access controls is to restrict access to information assets/resources.  They are expected to provide access to information resources on a need-to-know and need-to-do basis using the principle of least privilege.  The data, an information asset, can be:  Used by an application (Data at Process);  Stored in some medium (Back up) (Data at Rest);  Or it may be in transit (being transferred from one location to another). 3.5.3 Classification on the basis of “Functional Nature”  When reviewing a client’s control systems, the auditor will be able to identify three components of internal control. Each component is aimed at achieving different objectives.  These controls are given as follows: (i) Internal Accounting Controls –  The controls which are intended to safeguard the client’s assets and ensure the reliability of the financial records are called internal accounting controls. (ii) Operational Controls –  These deal with the day-to-day operations, functions and activities to ensure that the operational activities are contributing to business objectives. (iii) Administrative Controls –  These are concerned with ensuring efficiency and compliance with management policies, including the operational controls. 3.5.4 Classification on the basis of “Audit Functions”  Auditors have found two ways to be especially useful when conducting an information systems audit.
These are discussed below: 1) Managerial Controls –  We shall examine the managerial controls that must be performed to ensure the development, implementation, operation and maintenance of information systems in a planned and controlled manner in an organization.  The controls at this level provide a stable infrastructure in which information systems can be built, operated, and maintained on a day-to-day basis, as described in the table below.
Management Subsystem | Description of Subsystem
Top Management | Top management must ensure that the information systems function is well managed. It is responsible primarily for long-run policy decisions on how Information Systems will be used in the organization.
Information Systems Management | IS management has overall responsibility for the planning and control of all information system activities. It also provides advice to top management in relation to long-run policy decision making and translates long-run policies into short-run goals and objectives.
Programming Management | It is responsible for programming new systems, maintaining old systems and providing general systems support software.
Systems Development Management | Systems Development Management is responsible for the design, implementation, and maintenance of application systems.
Data Administration | Data administration is responsible for addressing planning and control issues in relation to use of an organization’s data.
Quality Assurance Management | It is responsible for ensuring information system development, implementation, operation and maintenance conform to established quality standards.
Security Administration | It is responsible for access controls and physical security over the information systems function.
Operations Management | It is responsible for planning and control of the day-to-day operations of information systems.
2) Application Controls –  These include the programmatic routines within the application program code.
 The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage.  Any function or activity that works to ensure the processing accuracy of the application can be considered an application control.  The categories of application controls are listed in the table below.
Application Subsystem | Description of Subsystem
Boundary | Comprises the components that establish the interface between user & system.
Input | Comprises the components that capture, prepare, and enter commands and data into the system.
Communication | Comprises the components that transmit data among subsystems and systems.
Processing | Comprises the components that perform decision making, computation, classification, ordering, and summarization of data in the system.
Database | Comprises components that define, add, access, modify & delete data in the system.
Output | Comprises the components that retrieve and present data to users of the system.
3.6 Managerial Controls and their Categories  The controls at this level provide a stable infrastructure in which information systems can be built, operated, and maintained on a day-to-day basis. 3.6.1 Top Management and Information Systems Management Controls  The senior managers who take responsibility for the IS function in an organization face many challenges.  The major functions that a senior manager must perform are as follows: i). Planning – determining the goals of the information systems function and the means of achieving these goals; ii). Organizing – gathering, allocating, and coordinating the resources needed to accomplish goals; iii). Leading – motivating, guiding, and communicating with personnel; and iv). Controlling – comparing actual performance with planned performance as a basis for taking any corrective actions that are needed.  Top management must prepare two types of information systems plans for the information systems function: a Strategic Plan and an Operational Plan.
 The Strategic Plan is the long-run plan covering, say, the next three to five years of operation, whereas the Operational Plan is the short-run plan covering, say, the next one to three years of operation.  Both the plans need to be reviewed regularly and updated as the need arises. The planning depends upon factors such as the importance of existing systems, the importance of proposed information systems, and the extent to which IT has been integrated into daily operations. 3.6.2 Systems Development Management Controls  Systems Development Management has responsibility for the functions concerned with analyzing, designing, building, implementing, and maintaining information systems.  Three different types of audits may be conducted during the system development process, as follows - i). Concurrent Audit  Auditors are members of the system development team. They assist the team in improving the quality of systems development for the specific system they are building and implementing. ii). Post implementation Audit  Auditors seek to help an organization learn from its experiences in the development of a specific application system. They might be evaluating whether the system needs to be scrapped, continued, or modified in some way. iii). General Audit  Auditors evaluate systems development controls overall. They seek to determine whether they can reduce the extent of substantive testing needed to form an audit opinion about management’s assertions. 3.6.3 Programming Management Controls  Primary objectives of this phase are to produce or acquire and to implement high-quality programs.  The purpose of the control phase during software development or acquisition is to monitor progress against plan and to ensure software released for production use is authentic, accurate & complete.  The program development life cycle comprises six major phases – Planning; Design; Control; Coding; Testing; and Operation and Maintenance.
Phases of Program Development Life Cycle
Phase | Controls
Planning | Techniques like Work Breakdown Structures, Gantt charts and PERT charts can be used to monitor progress against plan.
Design | A systematic approach to program design, such as any of the structured design approaches or object-oriented design, is adopted.
Coding | Programmers must choose a module implementation and integration strategy (like the top-down, bottom-up and threads approaches), a coding strategy (that follows the precepts of structured programming), and a documentation strategy (to ensure program code is easily readable and understandable).
Testing | These tests are to ensure that a developed or acquired program achieves its specified requirements. Three types of testing can be undertaken:  Unit Testing – which focuses on individual program modules;  Integration Testing – which focuses on groups of program modules; and  Whole-of-Program Testing – which focuses on the whole program.
Operation and Maintenance | Management establishes formal mechanisms to monitor the status of operational programs so maintenance needs can be identified on a timely basis. Three types of maintenance can be used –  Repair Maintenance – in which program errors are corrected;  Adaptive Maintenance – in which the program is modified to meet changing user requirements; and  Perfective Maintenance – in which the program is tuned to decrease the resource consumption.
3.6.4 Data Resource Management Controls  Many organizations now recognize that data is a critical resource that must be managed properly and, accordingly, centralized planning and control are implemented.  For data to be managed better, users must be able to share data, and data must be available to users when it is needed, in the location where it is needed, and in the form in which it is needed.  It must be controlled carefully, because the consequences are serious if the data definition is compromised or destroyed.
 Careful control should be exercised over the roles by appointing senior, trustworthy persons, separating duties to the extent possible, and maintaining and monitoring logs of the data administrator’s and database administrator’s activities. 3.6.5 Quality Assurance Management Controls  Organizations are increasingly producing safety-critical systems and users are becoming more demanding in terms of the quality of the software.  Organizations are undertaking more ambitious information systems projects that require more stringent quality requirements and are becoming more concerned about their liabilities if they produce and sell defective software. 3.6.6 Security Management Controls  Information security administrators are responsible for ensuring that information systems assets are secure.  Some of the major threats to the security of information systems and their controls are as follows:
Threat | Control
Fire | Well-designed, reliable fire-protection systems must be implemented.
Water | Facilities must be designed and sited to mitigate losses from water damage.
Energy Variations | Voltage regulators, circuit breakers and uninterruptible power supplies can be used.
Structural Damage | Facilities must be designed to withstand structural damage.
Pollution | Regular cleaning of facilities and equipment should occur.
Unauthorized Intrusion | Physical access controls can be used.
Viruses and Worms | Controls to prevent use of virus-infected programs and to close security loopholes that allow worms to propagate.
Misuse of software, data & services | Code of conduct to govern the actions of information systems employees.
Hackers | Strong, logical access control to mitigate losses from the activities of hackers.
3.6.7 Operations Management Controls  Operations management is responsible for the daily running of hardware and software facilities.
 Operations management typically performs controls over functions like Computer Operations; Communications Network Control; Data Preparation and Entry; Production Control; File Library; Documentation and Program Library; Technical Support; and Performance Monitoring.  Operations management control must continuously monitor the performance of the hardware/software platform to ensure that systems are executing efficiently, an acceptable response time or turnaround time is being achieved, and an acceptable level of uptime is occurring. 3.7 Application Controls and their Categories  Application system controls are undertaken to accomplish reliable information processing cycles that perform the processes across the enterprise.  Different Application Controls are as follows:  Boundary Controls  Input Controls  Communication Controls  Processing Controls  Database Controls  Output Controls 3.7.1 Boundary Controls  The major controls of the boundary system are the access control mechanisms. The access control mechanism links authentic users to the authorized resources they are permitted to access.  The access control mechanism has three steps, identification, authentication and authorization, with respect to the access control policy implemented.  The user can provide three factors of input information for the authentication process to gain access to the required resources, which are described below –
Class of information | Types of input
Personal information | Name, birth date, account number, password, PIN.
Personal characteristics | Fingerprint, voice, hand size, signature, retinal pattern.
Personal objects | Identification cards, badge, key, finger ring.
 Major Boundary Control techniques are given as follows: i). Cryptography –  It deals with programs for transforming data into cipher text that is meaningless to anyone who does not possess the authentication to access the respective system resource or file.
 A cryptographic technique encrypts data (clear text) into cryptograms (cipher text) and its strength depends on the time and cost to decipher the cipher text by a cryptanalyst.  Three techniques of cryptography are transposition (permute the order of characters within a set of data), substitution (replace text with a key-text) and product cipher (combination of transposition and substitution). ii). Passwords –  User identification by an authentication mechanism with personal characteristics like name, birth date, employee code, function, designation or a combination of two or more of these can be used as a password boundary access control. iii). Personal Identification Numbers (PIN) –  A PIN is similar to a password. It may be a random number assigned to a user by an institution and stored in its database independently of the user’s identification details, or a customer-selected number. iv). Identification Cards –  Identification cards are used to store information required in an authentication process.  These cards are to be controlled through the application for a card, preparation of the card, issue, use and card return or card termination phases. v). Biometric Devices –  Biometric identification, e.g. thumb and/or finger impression, eye retina etc., is also used as a boundary control technique. 3.7.2 Input Controls  Input controls are responsible for ensuring the accuracy and completeness of data. Input controls are important since substantial time is spent on input of data, which involves human intervention and is, therefore, error and fraud prone.  Input controls are divided into the following broad classes:  Source Document Controls,  Data Coding Controls,  Batch Controls, and  Validation Controls. The details of each aforementioned class are given as under: 1) Source Document Controls –  In systems that use physical source documents to initiate transactions, careful control must be exercised over these instruments.
 Source document fraud can be used to remove assets from the organization.  To control against this type of exposure, the organization must implement control procedures over source documents to account for each document, as described below: i). Use pre-numbered source documents –  Source documents should come pre-numbered from the printer with a unique sequential number on each document.  Source document numbers enable accurate accounting of document usage and provide an audit trail for tracing transactions through accounting records. ii). Use source documents in sequence –  Source documents should be distributed to the users and used in sequence. This requires that adequate physical security be maintained over the source document inventory at the user site. iii). Periodically audit source documents –  Missing source documents should be identified by reconciling document sequence numbers. Documents not accounted for should be reported to management. 2) Data Coding Controls –  Two types of errors can corrupt a data code and cause processing errors. These are transcription and transposition errors, which are discussed below: i). Transcription Errors – These fall into three classes:  Addition errors occur when an extra digit or character is added to the code. For example, inventory item number 83276 is recorded as 832766.  Truncation errors occur when a digit or character is removed from the end of a code. In this type of error, the inventory item above would be recorded as 8327.  Substitution errors are the replacement of one digit in a code with another. For example, code number 83276 is recorded as 83266. ii). Transposition Errors – There are two types of transposition errors.  Single transposition errors occur when two adjacent digits are reversed. For instance, 12345 is recorded as 21345.  Multiple transposition errors occur when nonadjacent digits are transposed. For example, 12345 is recorded as 32154.
3) Batch Controls  Batching is the process of grouping together transactions that bear some type of relationship to each other. Various controls can be exercised over the batch to prevent or detect errors.  Two types of batch controls occur: i). Physical Controls –  These controls are groups of transactions that constitute a physical unit.  For example – source documents might be obtained via the email, assembled into batches, spiked and tied together, and then given to a data-entry clerk to be entered into an application system at a terminal. ii). Logical Controls –  These are groups of transactions bound together on some logical basis, rather than being physically contiguous.  For example – different clerks might use the same terminal to enter transactions into an application system. Clerks keep control totals of the transactions entered into the application system.  To identify errors or irregularities in either a physical or logical batch, three types of control totals can be calculated as shown in the table below.
Control Total Type – Explanation
Financial totals – Grand totals calculated for each field containing money amounts.
Hash totals – Grand totals calculated for any code on a document in the batch, e.g., the source document serial numbers can be totaled.
Document/Record Counts – Grand totals for the number of documents or records in the batch.
4) Validation Controls –  Validation controls are intended to detect errors in the transaction data before the data are processed.  There are three levels of input validation controls:  Field interrogation,  Record interrogation, and  File interrogation. The details of the same are given as follows: i). Field Interrogation –  It involves programmed procedures that examine the characters of the data in the field.  Various field checks used to ensure data integrity have been described below: a) Limit Check –  This is a basic test for data processing accuracy and may be applied to both the input and output data. 
The field is checked by the program against predefined limits to ensure that no input/output error has occurred or at least no input error has exceeded certain limits. b) Picture Checks –  These check against entry into processing of incorrect/invalid characters. c) Valid Code Checks –  Checks are made against predetermined transaction codes, tables or order data to ensure that input data are valid. d) Check Digit –  A check digit is a control digit added to the code when it is originally assigned that allows the integrity of the code to be established during subsequent processing. The check digit can be located anywhere in the code, as a prefix, suffix or embedded somewhere in the middle. e) Arithmetic Checks –  Simple arithmetic is performed in different ways to validate the result of other computations of the values of selected data fields. f) Cross Checks –  These may be employed to verify fields appearing in different files to see that the results tally. ii). Record Interrogation: These are discussed as follows: a) Reasonableness Check –  Whether the value specified in a field is reasonable for that particular field. b) Valid Sign –  The contents of one field may determine which sign is valid for a numeric field. c) Sequence Check –  Whether physical records follow a required order matching with logical records. iii). File Interrogation – These are discussed as follows: a) Version Usage –  The proper version of a file should be used for processing the data correctly. b) Internal and External Labeling –  Labeling of storage media is important to ensure that proper files are loaded for processing.  Where there is a manual process for loading files, external labeling is important. Where there is an automated tape loader system, internal labeling is more important. c) Data File Security –  Unauthorized access to data files should be prevented, to ensure their confidentiality, integrity and availability. These controls ensure that the correct file is used for processing. 
d) Before and after Image and Logging –  The application may provide for reporting of before and after images of transactions. These images combined with the logging of events enable re-constructing the data file back to its last state of integrity, after which the application can ensure that the incremental transactions are rolled back or forward. e) File Updating and Maintenance Authorization –  Sufficient controls should exist for file updating and maintenance to ensure that stored data are protected. f) Parity Check –  When programs or data are transmitted, additional controls are needed. Transmission errors are controlled primarily by error-detecting or error-correcting codes. 3.7.3 Communication Controls  Three major types of exposure arise in the communication subsystem:  Transmission impairments can cause differences between the data sent and the data received;  Data can be lost or corrupted through component failure; and  A hostile party could seek to subvert data that is transmitted through the subsystem.  Communication controls are of the following types – a) Physical Component Controls b) Line Error Controls c) Flow Controls d) Link Controls e) Topological Controls f) Channel Access Controls g) Internetworking Controls 1) Physical Component Controls –  These controls incorporate features that mitigate the possible effects of exposures.  An overview of how physical components can affect communication subsystem reliability is as follows – i). Transmission Media  It is a physical path along which a signal can be transmitted between a sender and a receiver. It is of two types:  Guided/Bound Media in which the signals are transported along an enclosed physical path like – Twisted pair, coaxial cable, and optical fiber.  In Unguided Media, the signals propagate via free-space emission like – satellite microwave, radio frequency and infrared. ii). 
Communication Lines  The reliability of data transmission can be improved by choosing a private (leased) communication line rather than a public communication line. iii). Modem  Increases the speed with which data can be transmitted over a communication line.  Reduces the number of line errors that arise through distortion if they use equalization.  Reduces the number of line errors that arise through noise. iv). Port Protection Devices  Used to mitigate exposures associated with dial-up access to a computer system. The port-protection device performs various security functions to authenticate users. v). Multiplexers And Concentrators  These allow the bandwidth or capacity of a communication line to be used more effectively.  These share the use of a high-cost transmission line among many messages that arrive at the multiplexer or concentration point from multiple low-cost source lines. 2) Line Error Control –  Whenever data is transmitted over a communication line, recall that it can be received in error because of attenuation, distortion, or noise that occurs on the line. These errors must be detected and corrected.  Error Detection –  The errors can be detected by either using a loop (echo) check or building some form of redundancy into the message transmitted.  Error Correction –  When line errors have been detected, they must then be corrected using either forward error correcting codes or backward error correcting codes. 3) Flow Controls –  Flow controls are needed because two nodes in a network can differ in terms of the rate at which they can send, receive, and process data.  For example, a mainframe can transmit data to a microcomputer terminal. The microcomputer cannot display data on its screen at the same rate the data arrives from the mainframe.  Flow controls will be used to prevent the mainframe from swamping the microcomputer and, as a result, losing data. 
4) Link Controls –  The link management components mainly use two common protocols: HDLC (High-level Data Link Control) and SDLC (Synchronous Data Link Control). 5) Topological Controls –  A communication network topology specifies the location of nodes within a network, ways in which these nodes will be linked and the data transmission capabilities of links between nodes. a) Local Area Network Topologies –  Local Area Networks tend to have three characteristics:  They are privately owned networks;  They provide high-speed communication among nodes; and  They are confined to limited geographic areas.  Local Area Networks are implemented using four basic types of topologies – (1) Bus topology, (2) Tree topology, (3) Ring topology, and (4) Star topology.  Hybrid topologies like the star-ring topology and the star-bus topology are also used. b) Wide Area Network Topologies –  Wide Area Networks have the following characteristics:  They often encompass components that are owned by other parties;  They provide relatively low-speed communication among nodes; and  They span large geographic areas. With the exception of the bus topology, all other topologies that are used to implement LANs can also be used to implement WANs. 6) Channel Access Controls –  Two different nodes in a network can compete to use a communication channel. Whenever the possibility of contention for the channel exists, some type of channel access control technique must be used.  These techniques fall into two classes: Polling methods and Contention methods. a) Polling:  Polling techniques establish an order in which a node can gain access to channel capacity. b) Contention Methods:  Using contention methods, nodes in a network must compete with each other to gain access to a channel. Each node is given immediate right of access to the channel.  Whether the node can use the channel successfully depends on the actions of other nodes connected to the channel. 
7) Internetworking Controls –  Internetworking is the process of connecting two or more communication networks together to allow the users of one network to communicate with the users of other networks.  Three types of devices are used to connect sub-networks in an internet as follows – a) Bridge –  A bridge connects similar local area networks. b) Router –  A router performs all the functions of a bridge. In addition, it can connect heterogeneous local area networks and direct network traffic over the fastest channel between two nodes that reside in different sub-networks. c) Gateway –  Gateways are the most complex of the three network connection devices.  Their primary function is to perform protocol conversion to allow different types of communication architectures to communicate with one another.  The gateway maps functions performed in an application on one computer to the function performed by a different application with similar functions on another computer. 3.7.4 Processing Controls  The processing subsystem is responsible for computing, sorting, classifying, and summarizing data.  Its major components are  the Central Processor in which programs are executed,  the real or virtual memory in which program instructions and data are stored,  the operating system that manages system resources, and  the application programs that execute instructions to achieve specific user requirements. 1) Processor Controls –  The processor has three components: a) A Control unit, which fetches programs from memory and determines their type; b) An Arithmetic and Logical Unit, which performs operations; and c) Registers that are used to store temporary results and control information.  Four types of controls that can be used to reduce expected losses from errors and irregularities associated with Central processors are explained below – i). Error Detection and Correction Controls  Occasionally, processors might malfunction. 
The causes could be design error, damage, manufacturing defects, fatigue, electromagnetic interference, and ionizing radiation. ii). Multiple Execution States Controls  It is important to determine the number and nature of the execution states enforced by the processor. This helps auditors to determine which user processes will be able to carry out unauthorized activities. iii). Timing Controls  An operating system might get stuck in an infinite loop. In the absence of any control, the program will retain use of the processor and prevent other programs from undertaking their work. iv). Component Replication Controls  In some cases, processor failure can result in significant losses. If processor failure is permanent in a multicomputer or multiprocessor architecture, the system might reconfigure itself to isolate the failed processor. 2) Real Memory Controls –  This comprises the fixed amount of primary storage in which programs or data must reside for them to be executed or referenced by the central processor.  Real memory controls seek to detect and correct errors that occur in memory cells and to protect areas of memory assigned to a program from illegal access by another program. 3) Virtual Memory Controls –  Virtual Memory exists when the addressable storage space is larger than the available real memory space. To achieve this outcome, a control mechanism must be in place that maps virtual memory addresses into real memory addresses. 4) Data Processing Controls –  These perform validation checks to identify errors during processing of data. They are required to ensure both the completeness and the accuracy of data being processed. Normally, the processing controls are enforced through the database management system that stores the data.  Various processing controls are given as follows: i). Run-to-run Totals –  These help in verifying data that is subject to process through different stages. 
A specific record, probably the last record, can be used to maintain the control total. ii). Reasonableness Verification –  Two or more fields can be compared and cross verified to ensure their correctness. iii). Edit Checks –  Edit checks can be used at the processing stage to verify accuracy and completeness of data. iv). Field Initialization –  Data overflow can occur if records are constantly added to a table or if fields are added to a record without initializing it. v). Exception Reports –  Exception reports are generated to identify errors in the data processed. Such exception reports give the transaction code and why a particular transaction was not processed or what the error in processing the transaction is.  Access Control Mechanisms:  An Access Control Mechanism associates with identified, authorized users the resources they are allowed to access and their action privileges.  The mechanism processes the users' requests for Real time Memory and Virtual Memory resources in three steps: i). Identification –  First and foremost, the users have to identify themselves. ii). Authentication –  Secondly, the users must authenticate themselves and the mechanism must authenticate itself. The mechanism accesses previously stored information about users, the resources they can access and the action privileges they have; then it permits or denies the request.  Users may provide four factors of authentication information as described below –  Remembered information – Name, Account number, passwords  Objects Possessed by the user – Badge, plastic card, key  Personal characteristics – Finger print, voice print, signature  Dialog – Through/around computer iii). Authorization –  Third, the users request specific resources, and specify their need for those resources and their areas of usage of these resources. 
 There are two approaches to implementing the authorization module in an access control mechanism: a) Ticket oriented approach  In a ticket-oriented approach to authorization, the access control mechanism assigns users a ticket for each resource they are permitted to access.  The ticket-oriented approach operates via a row in the matrix. Each row, along with the user's resources, holds the action privileges specific to that user.  The primary advantage of the ticket-oriented or capability system is its run-time efficiency. When a user process is executing, its capability list can be stored in some fast memory device. When the process seeks access to a resource, the access control mechanism simply looks up the capability list to determine if the resource is present in the list and whether the user is permitted to take the desired action. b) List oriented approach  In a list-oriented approach, the mechanism associates with each resource a list of users who can access the resource and the action privileges that each user has with respect to the resource. This mechanism operates via a column in the matrix.  The major advantage of the list-oriented system is that it allows efficient administration of capabilities. Each user process has a pointer to the access control list for a resource. Thus, the capabilities for a resource can be controlled since they are stored in one place. 3.7.5 Database Controls  Controls that protect the integrity of a database when application software acts as an interface between the user and the database are called update controls and report controls.  Major update controls are given as follows: a) Sequence Check between Transaction and Master Files –  Synchronization and the correct sequence of processing between the master file and transaction file is critical to maintain the integrity of updating, insertion or deletion of records in the master file with respect to the transaction records. 
b) Ensure All Records on Files are processed –  While processing the transaction file records mapped to the respective master file, the end-of-file of the transaction file with respect to the end-of-file of the master file is to be ensured. c) Process multiple transactions for a single record in the correct order –  Multiple transactions can occur based on a single master record (e.g. dispatch of a product to different distribution centers). d) Maintain a suspense account –  When mapping between the master record and the transaction record results in a mismatch due to failure in the corresponding record entry in the master record, these transactions are maintained in a suspense account.  Major Report controls are given as follows: a) Standing Data –  Application programs use many internal tables to perform various functions like gross pay calculation, billing calculation based on a price table, bank interest calculation etc. Periodic monitoring of these internal tables by means of manual check or by calculating a control total is mandatory. b) Print Run-to-Run Control Totals –  Run-to-Run control totals help in identifying errors like records dropped erroneously from a transaction file, wrong sequence of updating or application software processing errors. c) Print Suspense Account Entries –  The suspense account entries are to be periodically monitored with the respective error file and action taken on time. d) Existence/Recovery Controls –  The back-up strategies are implemented using prior versions and logs of transactions or changes to the database.  Recovery strategies involve roll-forward (current state database from a previous version) or roll-back (previous state database from the current version) methods. 3.7.6 Output Controls  Output controls ensure that the data delivered to users will be presented, formatted and delivered in a consistent and secured manner. 
 Whatever the type of output, it should be ensured that the confidentiality and integrity of the output is maintained. Output controls have to be enforced both in batch-processing environment as well as in an online environment.  Various Output Controls are given as follows: i). Storage and logging of sensitive, critical forms –  Pre-printed stationery should be stored securely to prevent unauthorized destruction or removal and usage. Only authorized persons should be allowed access to stationery supplies. ii). Logging of output program executions –  When programs used for output of data are executed, these should be logged & monitored; otherwise confidentiality/integrity of the data may be compromised. iii). Spooling/queuing –  “Spool” is an acronym for “Simultaneous Peripherals Operations Online”.  This is a process used to ensure that the user is able to continue working, while the print operation is getting completed. When a file is to be printed, the operating system stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then “spooled” to the printer as soon as the printer is ready to accept the data. This intermediate storage of output could lead to unauthorized disclosure and/or modification.  A queue is the list of documents waiting to be printed on a particular printer; this should not be subject to unauthorized modifications. iv). Controls over printing –  Outputs should be made on the correct printer and it should be ensured that unauthorized disclosure of information printed does not take place. v). Report distribution and collection controls –  Distribution of reports should be made in a secure way to prevent unauthorized disclosure of data.  A log should be maintained for reports that were generated and to whom these were distributed. Uncollected reports should be stored securely. vi). 
Retention controls –  Retention controls consider the duration for which outputs should be retained before being destroyed. Various factors ranging from the need of the output, use of the output, to legislative requirements would affect the retention period. 3.8 General Controls  Some of the general controls that are quite commonly used are as follows – a) Organisational Controls b) Management Controls c) Financial Controls d) BCP Controls e) Operating System Controls f) Data Management Controls g) System Development Controls h) Computer Centre Security Controls i) Internet and Intranet Controls j) Personal Computer Controls 3.8.1 Organizational Controls  These controls are concerned with the decision-making processes that lead to management authorization of transactions.  In a manual environment, the task may be segregated in the following manner:  Segregate the task of transaction authorization from transaction processing;  Segregate record keeping from asset custody; and  Divide transaction-processing tasks among individuals.  In a Computer Based Information System (CBIS), segregation is done at the following functional levels, to adhere to the following principles of internal controls:  Segregating the maker / creator from checker;  Segregating the asset record keeper from physical asset keeper; and  Regular checking of effectiveness of internal controls.  To guard against compromises that occur due to the above, the following must be done:  Documentation is improved because the maintenance group requires documentation to perform its maintenance duties.  The programmer is denied access to the production environment, to mitigate programmed frauds.  Companies with large data processing facilities separate data processing from business units to provide control over their costly hardware, software, and human resources. 
 Organizational control techniques include documentation of the following: a) Reporting responsibility and authority of each function, b) Definition of responsibilities and objectives of each function, c) Policies and procedures, d) Job descriptions, and e) Segregation of duties. These are discussed as follows: 1) Responsibilities and objectives –  Each IS function must be clearly defined and documented including systems software, application programming and system development, database administration, and operations.  The senior manager and managers of the individual groups make up the IS management team responsible for the effective and efficient utilization of IS resources.  Their responsibilities include:  Providing information to senior management on the IS resources, to enable senior management to meet strategic objectives;  Planning for expansion of IS resources;  Controlling the use of IS resources; and  Implementing activities and functions that support accomplishment of the company’s strategic plan. 2) Policies, standards, procedures and practices –  Policies establish the rules or boundaries of authority delegated to individuals in the enterprise. These are the standards and instructions that all IS personnel must follow.  Procedures establish the instructions that individuals must follow to complete their daily assigned tasks.  Documented policies should exist in IS for:  Use of IS resources,  Physical security,  Data security,  On-line security,  Use of Information systems,  Reviewing, evaluating, and purchasing hardware and software,  System development methodology, and  Application program changes.  Documented procedures should exist for all data processing activities. 3) Job descriptions –  These communicate management’s specific expectations for job performance. Job procedures establish instructions on how to do the job and policies define the authority of the employee. 
 Job descriptions establish responsibility and the accountability of the employee’s actions. 4) Segregation of duties –  Segregation of duties refers to the concept of distribution of work responsibilities such that individual employees are performing only duties stipulated for their respective job & position.  The main purpose is to prevent or detect errors or irregularities by applying suitable controls. It reduces the likelihood of errors and wrongful acts going undetected because the activities of one group or individual will serve as a check on the activities of the other.  It is the responsibility of senior management to implement a division of role & responsibilities, which should exclude the possibility for a single individual to subvert a critical process.  The irregularities are frauds due to various facts e.g.:  Theft of assets like funds, IT equipment, the data and programs;  Modification of the data leading to misstated and inaccurate financial statements; and  Modification of programs in order to enact irregularities like rounding down, salami etc.  The critical factors to be considered in segregation of duties in a computerized information system are:  Nature of business operations;  Managerial policy;  Organization structure with job description; and  IT resources deployed such as: Operating system, Networking, Database, Application software, Technical staff available, IT services provided in-house or outsourced, Centralized or decentralized IT operations.  Examples of segregation of duties are:  Systems software programming group from the application programming group;  Database administration group from other data processing activities;  Computer hardware operations from the other groups;  Systems analyst function from the programming function;  Physical, data, and online security group(s) from the other IS functions; and  IS Audit from business operations groups. 
 From a functional perspective, segregation of duties should be maintained between the following functions:  Information systems use,  Data entry,  Computer operation,  Network management,  System administration,  Systems development and maintenance,  Change management,  Security administration, and  Security audit.  There are various general guidelines, with reference to ‘Segregation of Duties’, which may be followed in addition with concepts like, the maker should not be the checker:  Separate those, who can run live programs e.g. operations department, from those who can change programs e.g. programmers. This is required in order to ensure that unauthorized programs are prevented from running.  Separate those, who can access the data e.g. data entry and the DBA, from those who can run programs e.g. computer operators. This is required in order to ensure that unauthorized data entry cannot take place.  Separate those, who can input data e.g. data entry, from those, who can reconcile or approve data e.g. data authorization persons. This is required in order to ensure that unauthorized data entry cannot take place.  Separate those, who can test programs e.g. users, quality assurance and security, from those, who can develop programs e.g. application programmers. This is required in order to ensure that unauthorized programs cannot be allowed to run.  Separate those, who can enter errors in a log e.g. data entry operator, who transfer the data to an error log, from those who can correct the errors like the end user departments. This is required in order to ensure that unauthorized data entry cannot take place.  Separate those, who can enter data e.g. data entry personnel, from those who can access the database e.g. the DBA. This is required in order to ensure that unauthorized data entry or data modification cannot take place. 
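One way to check role assignments against the separation guidelines above, as an added example that is not part of the original notes. The duty labels, role names, users and assignments are all hypothetical and constructed for illustration; only the incompatible pairs are taken from the guidelines.

```python
"""Detect segregation-of-duties conflicts in role assignments (illustrative)."""

# Incompatible duty pairs and the exposure each separation prevents, from the
# guidelines in the notes. Duty labels are hypothetical names for this example.
CONFLICTS = [
    ("run_programs", "change_programs", "unauthorized programs could run"),
    ("access_data", "run_programs", "unauthorized data entry"),
    ("input_data", "approve_data", "unauthorized data entry"),
    ("test_programs", "develop_programs", "unauthorized programs could run"),
    ("log_errors", "correct_errors", "unauthorized data entry"),
    ("input_data", "access_data", "unauthorized data entry or modification"),
]

# Constructed role catalogue: which duties each role grants.
ROLE_DUTIES = {
    "computer_operator": {"run_programs"},
    "application_programmer": {"develop_programs", "change_programs"},
    "data_entry_clerk": {"input_data", "log_errors"},
    "data_authorizer": {"approve_data"},
    "dba": {"access_data"},
    "qa_tester": {"test_programs"},
    "end_user_department": {"correct_errors"},
}

# Constructed user-to-role assignments to audit.
ASSIGNMENTS = {
    "asha": ["data_entry_clerk"],
    "bram": ["application_programmer", "computer_operator"],
    "chen": ["data_entry_clerk", "data_authorizer"],
    "dana": ["dba", "qa_tester"],
    "eli": ["application_programmer", "qa_tester"],
}


def duties_by_source(roles, role_duties):
    """Map each duty a user holds to the set of roles that grant it."""
    held = {}
    for role in roles:
        if role not in role_duties:
            # An unknown role cannot be assessed, so fail loudly instead of
            # silently treating it as harmless.
            raise KeyError(f"unknown role: {role}")
        for duty in role_duties[role]:
            held.setdefault(duty, set()).add(role)
    return held


def find_conflicts(assignments, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Return one finding per user and incompatible duty pair held together.

    A single role that grants both sides of a pair is reported as well, since
    that is a flaw in the role design itself.
    """
    findings = []
    for user in sorted(assignments):
        held = duties_by_source(assignments[user], role_duties)
        for duty_a, duty_b, risk in conflicts:
            if duty_a in held and duty_b in held:
                findings.append({
                    "user": user,
                    "duties": (duty_a, duty_b),
                    "granted_by": (sorted(held[duty_a]), sorted(held[duty_b])),
                    "risk": risk,
                })
    return findings


if __name__ == "__main__":
    for f in find_conflicts(ASSIGNMENTS):
        a, b = f["duties"]
        print(f"{f['user']}: {a} + {b} ({f['risk']}); roles {f['granted_by']}")
```
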
3.8.2 Management Controls  The controls adopted by the management of an enterprise are to ensure that the information systems function correctly and that they meet the strategic business objectives.  The management has the responsibility to determine whether the controls that the enterprise system has put in place are sufficient to ensure that the IT activities are adequately controlled.  The controls flow from the top of an organization down; the responsibility still lies with the senior management.  The control considerations while reviewing management controls in an IS system shall include: i). Responsibility –  The strategy to have senior management personnel responsible for the IS within the overall organizational structure. ii). An IT Organization Structure –  There should be a prescribed IT organizational structure with documented roles and responsibilities and agreed job descriptions. iii). An IT Steering Committee –  The steering committee shall comprise representatives from all areas of the business, and IT personnel. The committee would be responsible for the overall direction of IT. Here the responsibility lies beyond just the accounting and financial systems; for example, the telecommunications system (phone lines, videoconferencing), office automation, and manufacturing processing systems. 3.8.3 Financial Controls  These controls are generally defined as the procedures exercised by the system user personnel over source, or transactions origination, documents before system input.  These areas exercise control over transaction processing using reports generated by computer applications to reflect un-posted items, non-monetary changes, item count & amount of transactions for settlement of transactions processed and reconciliation of applications to general ledger. 
 The financial control techniques are numerous and are highlighted here: 1) Authorization –  This entails obtaining the authority to perform some act, typically access to such assets as accounting or application entries. 2) Budgets –  These are estimates of the amount of time or money expected to be spent during a particular period, project, or event. Budgets must be compared with the actual performance, including isolating differences and researching them for a cause and possible resolution. 3) Cancellation of documents –  This marks a document in such a way as to prevent its reuse. This is a typical control over invoices, marking them with a “paid” or “processed” stamp or punching a hole in the document. 4) Documentation –  This includes written or typed explanations of actions taken on specific transactions. 5) Dual control –  This entails having two people simultaneously access an asset. Dual access divides the access function between two people: once access is achieved, only one person handles the asset. 6) Input/ output verification –  This entails comparing the information provided by a computer system to the input documents. This is an expensive control that tends to be over-recommended by auditors. 7) Safekeeping –  This entails physically securing assets, such as computer disks, under lock and key, in a desk drawer, file cabinet, storeroom, or vault. 8) Sequentially numbered documents –  These are working documents with preprinted sequential numbers, which enable the detection of missing documents. 9) Supervisory review –  This refers to review of specific work by a supervisor, but this control requires a sign-off on documents by the supervisor, in order to provide evidence that the supervisor at least handled them. 
3.8.4 BCP (Business Continuity Planning) Controls  These controls are related to having an operational and tested IT continuity plan, which is in line with the overall business continuity plan, and its related business requirements so as to make sure IT services are available as required and to ensure a minimum impact in event of major disruption.  The controls include Critical Classification, alternative procedure, Back-up & Recovery, Systematic and Regular Testing and Training, Monitoring and Escalation Processes, Internal and External Organizational Responsibilities, Business Continuity Activation, Fallback and Resumption plans, Risk Management Activities, Assessment of Single Points of Failure and Problem Management. 3.9.5 Operating System Controls  Operating System is the computer control program. It allows users and their applications to share and access common computer resources, such as processor, main memory, database and printers.  Operating system performs the following major tasks: i). Scheduling Jobs –  They can determine the sequence in which jobs are executed, using priorities established. ii). Managing Hardware and Software Resources –  They can first cause the user’s application program to be executed by loading it into primary storage and then cause the various hardware units to perform as specified by the application. iii). Maintaining System Security –  They may require users to enter a password - a group of characters that identifies users as being authorized to have access to the system. iv). Enabling Multiple User Resource Sharing –  They can handle the scheduling and execution of the application programs for many users at the same time, a feature called multiprogramming. v). Handling Interrupts –  An interrupt is a technique used by the operating system to temporarily suspend the processing of one program in order to allow another program to be executed. vi). 
Maintaining Usage Records –  They can keep track of the amount of time used by each user for each system unit - the CPU, secondary storage, and input and output devices.  Control Objectives –  The operating system, being one of the most critical pieces of software on any computer, needs to work in a well-controlled environment. Following are the major control objectives:  The operating system must protect itself from users;  It must protect users from each other;  It must protect users from themselves;  The operating system must be protected from itself; and  The operating system must be protected from its environment.  Operating System Security –  Operating system security involves the policies, procedures and controls that determine ‘who can access the operating system’, ‘which resources they can access’ and ‘what actions they can take’.  The following security components are found in a secure operating system: i). Log-in Procedure –  A log-in procedure is the first line of defense against unauthorized access.  When the user initiates the log-on process by entering a user-id and password, the system compares the ID and password to a database of valid users. If the system finds a match, the log-on attempt is authorized; otherwise the system should lock the user out of the system. ii). Access Token –  If the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user-id, password, user group and privileges granted to the user. The information in the access token is used to approve all actions attempted by the user during the session. iii). Access Control List –  This list contains information that defines the access privileges for all valid users of the resource.  When a user attempts to access a resource, the system compares his or her user-id and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access. iv).
Discretionary Access Control –  The system administrator usually determines; who is granted access to specific resources and maintains the access control list.  Remedy from destructive programs –  The following can be used as remedies from destructive programs like viruses, worms etc.:  Purchase software from reputed vendor;  Examine all software before implementation;  Establish educational program for user awareness;  Install all new application on a standalone computer and thoroughly test them;  Make back up copy of key file; and  Always use updated anti-virus software. 3.8.6 Data Management Controls  These Controls fall in two categories:  Access Control, and  Backup Control. 1) Access Controls –  Access controls are designed to prevent unauthorized individual from viewing, retrieving, computing or destroying the entity's data.  Controls are established in the following manner: a) User Access Controls through passwords, tokens and biometric Controls; and b) Data Encryption: Keeping the data in database in encrypted form. 2) Back-up Controls –  Backup controls ensure the availability of system in the event of data loss due to unauthorized access, equipment failure or physical disaster; the organization can retrieve its file & database.  Backup refers to making copies of the data so that these additional copies may be used to restore the original data after a data loss.  Various backup strategies are given as follows: i). Dual recording of data –  Under this strategy, two complete copies of the database are maintained. The databases are concurrently updated. ii). Periodic dumping of data –  This strategy involves taking a periodic dump of all or part of the database.  The database is saved at a point in time by copying it onto some backup storage medium – magnetic tape, removable disk, Optical disk. The dump may be scheduled. iii). 
Logging input transactions –  This involves logging the input data transactions which cause changes to the database. Normally, this works in conjunction with a periodic dump.  In case of complete database failure, the last dump is loaded and reprocessing of the transactions are carried out which were logged since the last dump. iv). Logging changes to the data –  This involves copying a record each time it is changed by an update action. The changed record can be logged immediately before the update action changes the record, immediately after, or both. 3.8.7 System Development Controls  System development controls are targeted to ensure that proper documentations and authorizations are available for each phase of the system development process.  The six activities that deals with system development controls in IT setup are given as follows: i). System Authorization Activities –  All systems must be properly authorized to ensure their economic justification and feasibility. As with any transaction, system’s authorization should be formal.  This requires that each new system request be submitted in written form by users to systems professionals who have both the expertise and authority to evaluate and approve (or reject). ii). User Specification Activities –  Users must be actively involved in the systems development process. User involvement should not be ignored because of a high degree of technical complexity in the system.  The creation of a user specification document often involves the joint efforts of the user and systems professionals. It should describe the user's view of the problem, not that of the systems professionals. iii). Technical Design Activities –  The technical design activities in the SDLC translate the user specifications into a set of detailed technical specifications of a system that meets the user's needs. 
 The scope of these activities includes systems analysis, general systems design, feasibility analysis, and detailed systems design. iv). Internal Auditor’s Participation –  The internal auditor plays an important role in the control of systems development activities, particularly in organizations whose users lack technical expertise.  The auditor should become involved at the inception of the SDLC process to make conceptual suggestions regarding system requirements and controls. v). Program Testing –  All program modules must be thoroughly tested before implementation. The results of tests are then compared against predetermined results to identify programming and logic errors.  Program testing is time-consuming, the principal task being creation of meaningful test data.  To facilitate the efficient implementation of audit objectives, test data prepared during the implementation phase must be preserved for future use.  This will give the auditor a frame of reference for designing and evaluating future audit tests. vi). User Test and Acceptance Procedures –  Just before implementation, the individual modules of the system must be tested as a unified whole. A test team comprising user personnel, systems professionals, and internal audit personnel subjects the system to rigorous testing.  Once the test team is satisfied that the system meets its stated requirements, the system is formally accepted by the user department(s). 3.8.8 Computer Centre Security and Controls  These are of the following types:  Physical Security,  Software & Data Security, and  Data Communication Security. 1) Physical Security –  The security required for computer system can be categorized as security from accidental breach and incidental breach.  Accidental breach of security due to such natural calamities as fire, flood and earthquake etc. may cause total destruction of important data and information. 
 Incidental or fraudulent modification or tampering of financial records maintained by the organization can cause considerable amount of money to be disbursed to fraudulent personnel.  Physical security includes arrangements for:  Fire detection and fire suppression systems,  Security from water damage,  Safeguards from power variation, and  Pollution and unauthorized intrusion. These are discussed as follows: a) Fire Damage –  It is a major threat to the physical security of a computer installation.  Some of the major features of a well-designed fire protection system are given below:  Both automatic and manual fire alarms are placed at strategic locations.  A control panel may be installed which shows where in the location an automatic or manual alarm has been triggered.  Master switches may be installed for power and automatic fire suppression system.  Manual fire extinguishers can be placed at strategic locations.  Fire exits should be clearly marked. When a fire alarm is activated, a signal may be sent automatically to permanently manned station.  All staff members should know how to use the system. The procedures to be followed during an emergency should be properly documented are: Fire Alarms, Extinguishers, Sprinklers, Instructions, Smoke detectors and Carbon dioxide based fire extinguishers.  Less Wood and plastic should be in computer rooms. b) Water Damage –  Water damage to a computer installation can be the outcome of water pipes burst. Water damage may also result from other resources such as cyclones, tornadoes, floods etc. 
 Some of the major ways of protecting the installation against water damage are as follows:  Wherever possible have waterproof ceilings, walls and floors;  Ensure an adequate positive drainage system exists;  Install alarms at strategic points within the installation;  In flood areas have the installation above the upper floors but not at the top floor;  Use a gas based fire suppression system;  Water proofing; and  Water leakage Alarms. c) Power Supply Variation –  Voltage regulator and circuit breaker protect hardware from temporary increase or decrease of power. UPS Battery back-up can be provided in case a temporary loss of power occurs.  A generator is needed for sustained losses in power for extended period. d) Pollution Damage –  The major pollutant in a computer is dust. Dust caught between surfaces of magnetic tape and reading/ writing heads may cause either permanent damage to data or read/ write error.  Regular cleaning of walls, floors and equipment etc. is essential. Only such materials and finishing may be used inside the room, which enables it to remain dust free. These are:  Air conditions,  Dust protection, and  Regular cleaning. e) Unauthorized Intrusion –  Unauthorized intrusion takes two forms.  First, the intruder by physically entering the room may steal assets or carry out sabotage.  Alternatively, the intruder may eavesdrop on the installation by wiretapping, installing an electronic bug or using a receiver that picks up electro-magnetic signals.  Various devices are available to detect the presence of bugs by the intruder; these are:  Physically or Electronically logging,  Guard, dogs,  Entry in computer area restricted,  Log books,  Alarms,  Preventing wiretapping,  Physical Intrusion detectors, and  Security of Documents, data & storage media. 
2) Software & Data Security –  Software and Data Security can be implemented through the following controls –  Authorization of persons to use data,  Passwords & PINs,  Monitoring after office hours activity,  Segregation, check & control over critical information,  Frequent audits,  Screening and background checks before recruitment,  Encryption of data – Viewing & recognition of data only by PINs & passwords,  Security software,  Management checks,  Back up of data/information, and  Antivirus software. 3) Data Communication Security –  Data Communication Security can be implemented through the following controls:  Audit trails of crucial network activities,  Sign on user identifier,  Passwords to gain access,  Terminal locks,  Sender & receiver authentications,  Check over access from unauthorized terminals,  Encryption of data / information,  Proper network administration,  Hardware & system software built in control,  Use of approved networks protocols,  Network administrations, and  Internally coded device identifier. 3.8.9 Internet and Intranet Controls  Major exposures in the communication sub-system including Internet & Intranet are as follows: i). Component Failure –  Data may be lost or corrupted through component failure.  The primary components in the communication sub-systems are given as follows:  Communication lines viz. twisted pair, coaxial cable, fiber optics, microwave & satellite etc.  Hardware – ports, modems, multiplexers, switches and concentrators etc.  Software – Packet switching software, polling software, data compression software etc.  Due to component failure, transmission between sender and receiver may be disrupted, destroyed or corrupted in the communication system. ii). Subversive Threats –  An intruder attempts to violate the integrity of some components in the sub-system. 
 The intruder may do so by:  Invasive tap: By installing it on a communication line, s/he may read and modify data.  Inductive tap: It monitors electromagnetic transmissions and allows data to be read only.  Denial of Service: When a user establishes a connection on the Internet through TCP/IP, a three-way handshake takes place using Synchronize (SYN) packets, SYN-ACK packets and ACK packets. A hacker transmits hundreds of SYN packets to the receiver but never responds with an ACK to complete the connection. As a result, the ports of the receiver’s server are clogged with incomplete communication requests and legitimate requests are prevented from access. This is known as Connection Flooding.  Controls for Subversive Threats a) Firewall –  A firewall is a system that enforces access control between two networks. To do this, all traffic between the external network and the organization’s Intranet must pass through the firewall.  The firewall must be immune to penetration from both outside and inside the organization. In addition to insulating the organization’s network from external networks, firewalls can be used to insulate portions of the organization’s Intranet from internal access also. b) Encryption –  Encryption is the conversion of data into a secret code for storage in databases and transmission over networks.  The sender uses an encryption algorithm, and the original message, called clear text, is converted into cipher text. This is decrypted at the receiving end. The encryption algorithm uses a key. The more bits in the key, the stronger the encryption. Two general approaches are used for encryption, viz. private key and public key encryption. c) Recording of Transaction Log –  An intruder may penetrate the system by trying different password and user ID combinations.  All incoming and outgoing requests, along with attempted access, should be recorded in a transaction log.
The log should record the user ID, the time of the access and the terminal location from where the request has been originated. d) Call Back Devices –  It is based on the principle that the key to network security is to keep the intruder off the Intranet rather than imposing security measure after the criminal has connected to intranet.  The call- back device requires the user to enter a password and then the system breaks the connection. If the caller is authorized, the call back device dials the caller’s number to establish a new connection.  This limits access only from authorized terminals and prevents an intruder masquerading as a legitimate user. This also helps to avoid the call forwarding and man-in-the middle attack. 3.8.10 Personal Computers Controls  Related risks are given as follows:  Personal computers are small in size and easy to connect and disconnect, they are likely to be shifted from one location to another or even taken outside organization for theft of information  Pen drives can be very conveniently transported from one place to another, as a result of which data theft may occur. Even hard disks can be ported easily these days.  Segregation of duty is not possible, owing to limited number of staff.  PC is basically a single user oriented machine and hence, does not provide inherent data safeguards. Problems can be caused by computer viruses and pirated software.  Due to vast number of installations, the staff mobility is higher and hence becomes a source of leakage of information.  The operating staff may not be adequately trained.  Weak access control. 
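The transaction log described in 3.8.9 (c), reviewed for the password and user ID guessing that control is meant to expose, shown as an added example that is not part of the original notes. The line layout, the OK/FAIL outcome field, the thresholds and every sample entry are constructed assumptions.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log. Layout (an assumption): time|user ID|terminal|outcome
SAMPLE_LOG = """\
2024-03-04T09:00:05|asharma|TERM-07|OK
2024-03-04T09:01:10|rgupta|TERM-12|FAIL
2024-03-04T09:01:40|rgupta|TERM-12|OK
2024-03-04T22:14:01|admin|TERM-31|FAIL
2024-03-04T22:14:09|administrator|TERM-31|FAIL
2024-03-04T22:14:15|root|TERM-31|FAIL
2024-03-04T22:14:22|asharma|TERM-31|FAIL
2024-03-04T22:14:30|asharma|TERM-31|FAIL
2024-03-04T22:14:41|asharma|TERM-31|OK
2024-03-05T08:59:00|asharma|TERM-07|OK
"""

WINDOW = timedelta(minutes=5)   # look-back period per terminal
MAX_FAILS = 4                   # failed attempts tolerated inside WINDOW
MAX_USER_IDS = 3                # distinct user IDs tolerated inside WINDOW

Alert = namedtuple("Alert", "kind terminal user_id time")


def parse_line(line):
    """Split one log line into (time, user ID, terminal, outcome)."""
    stamp, user_id, terminal, outcome = line.strip().split("|")
    return datetime.fromisoformat(stamp), user_id, terminal, outcome


def review_log(log_text):
    """Return alerts for guessing patterns seen from any single terminal."""
    failures = defaultdict(deque)   # terminal -> recent (time, user ID) failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user_id, terminal, outcome = parse_line(line)
        recent = failures[terminal]
        # Drop failures that have aged out of the look-back window.
        while recent and when - recent[0][0] > WINDOW:
            recent.popleft()

        if outcome == "FAIL":
            seen_before = {u for _, u in recent}
            recent.append((when, user_id))
            # Several different user IDs from one terminal: an ID sweep.
            if user_id not in seen_before and len(seen_before) + 1 == MAX_USER_IDS:
                alerts.append(Alert("user-id-sweep", terminal, user_id, when))
            # Repeated failures from one terminal: password guessing.
            if len(recent) == MAX_FAILS:
                alerts.append(Alert("password-guessing", terminal, user_id, when))
        else:
            # A success straight after a burst of failures may be a guessed
            # password, so it is reported rather than silently accepted.
            if len(recent) >= MAX_FAILS:
                alerts.append(Alert("success-after-failures", terminal, user_id, when))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in review_log(SAMPLE_LOG):
        print(alert.time.isoformat(), alert.terminal, alert.kind, alert.user_id)
```

A single mistyped password followed by a successful log-in (TERM-12 in the sample) raises nothing; only the burst from one terminal is reported, which is why the log needs the terminal location as well as the user ID and time.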
 The security measures that could be exercised to overcome the above risks are given as follows:  Physically locking the system;  Proper logging of equipment shifting must be done;  Centralized purchase of hardware and software;  Standards set for developing, testing and documenting;  Use of antimalware software;  The use of personal computers and their peripherals must be controlled; and  Use of disc locks that prevent unauthorized access to the floppy disk or pen drive of a computer. 3.9 Controls over Data Integrity and Security  The classification of information and documents is essential if one has to differentiate between that which is of little value, and that which is highly sensitive and confidential.  For many organizations, a simple 5 scale grade will suffice as follows: i). Top Secret –  Highly sensitive internal information, e.g. pending mergers or acquisitions, investment strategies, plans or designs, that could seriously damage the organization if made public.  Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level should be the highest possible. ii). Highly Confidential –  Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations.  Information would include accounting information, business plans, sensitive customer information of banks, solicitors and accountants etc.  Such information should not be copied or removed from the organization’s operational control without specific authority. Security at this level should be very high. iii). Proprietary –  Information of a proprietary nature: procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.  Such information is for use by authorized personnel only. Security at this level should be high. iv).
Internal Use only –  Information not approved for general circulation outside the organization, where its loss would inconvenience the management but where disclosure is unlikely to result in financial loss.  Security at this level should be controlled but normal.  Examples would include internal memos, minutes of meetings and internal project reports. v). Public Documents –  Information in the public domain, such as annual reports and press statements, which has been approved for public use. Security at this level should be minimal. 3.9.1 Data Integrity  Data integrity is a reflection of the accuracy, correctness, validity, and currency of the data.  The primary objective of data integrity control techniques is to ensure the integrity of a specific application’s inputs, stored data, programs, data transmissions, and outputs.  Data integrity controls protect data from accidental or malicious alteration or destruction and provide assurance to the user that information meets expectations about its quality and integrity.  Assessing data integrity involves evaluating the following critical procedures:  Virus detection and elimination software is installed and activated.  Data integrity and validation controls are used to provide assurance that the information has not been altered and the system functions as intended.  An auditor should be concerned with the testing of user-developed systems; changes or the release of data, unknown to the user, could occur because of a design flaw. 3.9.2 Data Integrity Policies Major data integrity policies are given as under: i). Virus-Signature Updating –  Virus signatures must be updated automatically when they are made available from the vendor, through enabling of automatic updates. ii). Software Testing –  All software must be tested in a suitable test environment before installation on systems. iii). Division of Environments –  The division of environments into Development, Test & Production is required for critical systems. iv).
Offsite Backup Storage –  Backups older than one month must be sent offsite for permanent storage. v). Quarter-End and Year-End Backups –  Quarter-end and year-end backups must be done separately from the normal schedule, for accounting purposes. vi). Disaster Recovery –  A comprehensive disaster-recovery plan must be used to ensure continuity of the corporate business in the event of an outage. 3.9.3 Data Security  Data security encompasses the protection of data against accidental or intentional disclosure to unauthorized persons as well as the prevention of unauthorized modification and deletion of data.  An IS auditor should evaluate the following while reviewing the adequacy of data security controls:  Who is responsible for the accuracy of the data?  Who is permitted to update data?  Who is permitted to read and use the data?  Who is responsible for determining who can read and update the data?  Who controls the security of the data?  If the IS system is outsourced, what security controls and protection mechanisms does the vendor have in place to secure and protect data?  Contractually, what penalties or remedies are in place to protect the tangible and intangible values of the information?  The disclosure of sensitive information is a serious concern to the organization and is mandatory on the auditor’s list of priorities. 3.10 Cyber Frauds  Fraud has been defined as “Intentional Error”. Cyber fraud means fraud committed by use of technology: any type of deliberate deception for unfair or unlawful gain that occurs online. The most common form is online credit card theft.  The major reasons behind the rise of cyber frauds are: i). Failure of internal control system, ii). Failure of organizations to update themselves to new sets of risks, and iii).
Smart fraudsters: These are people who are able to target the weaknesses in a system and the lacunae in internal controls even before the organization realizes that such gaps are there.  On the basis of functionality, cyber frauds are of two types: a) Pure Cyber Frauds –  Frauds which exist only in the cyber world. They are borne out of the use of technology. For example: Website hacking. b) Cyber Enabled Frauds –  Frauds which can be committed in the physical world also, but with the use of technology the size, scale and location of the frauds change. For example: Withdrawal of money from a bank account by stealing PIN numbers. 3.10.1 Cyber Attacks Major cyber-attacks are discussed as follows: i). Phishing –  It is the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.  Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. ii). Network Scanning –  It is a process to identify active hosts of a system, for the purpose of getting information about IP addresses etc. iii). Virus/Malicious Code –  As per Section 43 of Information Technology Act, 2000, "Computer Virus" means any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data or instruction is executed in that computer resource; iv). Spam –  E-mailing the same message to everyone on one or more Usenet News Groups is termed as spam. v). Website Compromise/Malware Propagation –  It includes website defacements and hosting malware on websites in an unauthorized manner. vi). Others – a) Cracking –  Crackers are hackers with malicious intentions.
b) Eavesdropping –  It refers to listening in on private voice or data transmissions, often using a wiretap. c) E-mail Forgery –  Sending e-mail messages that look as if someone else sent them is termed as E-mail forgery. d) E-mail Threats –  Sending a threatening message to try and get the recipient to do something that would make it possible to defraud him is termed as E-mail threats. e) Scavenging –  This is gaining access to confidential information by searching corporate records. 3.10.2 Impact of Cyber Frauds on Enterprises The impact of cyber frauds on enterprises can be viewed under the following dimensions: i). Financial Loss –  Cyber frauds lead to actual cash loss to the target company/organization. ii). Legal Repercussions –  Entities hit by cyber frauds are caught in legal liabilities to their customers.  Section 43A of the Information Technology Act, 2000, fixes liability for organizations having secured data of customers. These entities need to ensure that such data is well protected. iii). Loss of Credibility or Competitive Edge –  News that an organization’s database has been hit by fraudsters leads to loss of competitive advantage. This also leads to loss of credibility. iv). Disclosure of Confidential, Sensitive or Embarrassing Information –  A cyber-attack may expose critical information in the public domain. v). Sabotage –  The above situation may lead to misuse of such information by an enemy country. 3.10.3 Techniques to Commit Cyber Frauds Following are the major techniques to commit cyber frauds: 1. Hacking –  It refers to unauthorized access and use of computer systems, by means of a personal computer and a telecommunication network. Normally, hackers do not intend to cause any damage. 2. Cracking –  Crackers are hackers with malicious intentions. Hacking is a general term covering two categories, namely Ethical and Un-ethical hacking. Un-ethical hacking is classified as Cracking. 3.
Data Diddling –  Changing data before, during, or after it is entered into the system in order to delete, alter, or add key system data is referred to as data diddling. 4. Data Leakage –  It refers to the unauthorized copying of company data such as computer files. 5. Denial of Service (DoS) Attack –  It refers to an action or series of actions that prevents access to a system by its authorized users; causes delay of its time-critical operations; or prevents any part of the system from functioning. 6. Internet Terrorism –  It refers to using the Internet to disrupt electronic commerce and to destroy company and individual communications. 7. Logic Time Bombs –  These are programs that lie idle until some specified circumstance or a particular time triggers them. Once triggered, the bomb sabotages the system by destroying programs, data or both. 8. Masquerading or Impersonation –  In this case, the perpetrator gains access to the system by pretending to be an authorized user. 9. Password Cracking –  The intruder penetrates a system’s defense, steals the file containing valid passwords, decrypts them and then uses them to gain access to system resources such as programs, files and data. 10. Piggybacking –  It refers to tapping into a telecommunication line and latching on to a legitimate user before s/he logs into the system. 11. Round Down –  The computer rounds down all interest calculations to 2 decimal places. The remaining fraction is placed in an account controlled by the perpetrator. 12. Scavenging or Dumpster Diving –  It refers to gaining access to confidential information by searching corporate records. 13. Social Engineering Techniques –  The perpetrator tricks an employee into giving out the information needed to get into the system. 14. Super Zapping –  It refers to the unauthorized use of special system programs to bypass regular system controls and perform illegal acts. 15.
Trap Door –  In this technique, the perpetrator enters the system using a back door that bypasses normal system controls and perpetrates fraud.
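An audit-side check for the Round Down technique (item 11 above), added here as an illustration and not part of the original notes: it recomputes each account's interest and confirms that the fractions left after rounding to 2 decimal places go only to a designated rounding account. The account numbers, the GL-ROUNDING account, the rate, the period and the balances are constructed assumptions, as is a ledger that holds the rounding account at full precision.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")
ROUNDING_GL = "GL-ROUNDING"      # hypothetical account that must receive all remainders
ANNUAL_RATE = Decimal("0.035")   # constructed rate
DAYS = 30                        # constructed interest period

# Constructed balances for the interest run.
BALANCES = {
    "SB-10001": Decimal("10000.00"),
    "SB-10002": Decimal("25431.55"),
    "SB-10003": Decimal("987.20"),
}


def exact_interest(balance):
    """Interest before rounding, kept at full Decimal precision."""
    return balance * ANNUAL_RATE * DAYS / Decimal(365)


def expected_postings(balances):
    """What a correct run posts: rounded-down credits plus one rounding entry."""
    postings, remainder = [], Decimal(0)
    for account, balance in balances.items():
        exact = exact_interest(balance)
        credit = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings.append((account, credit))
        remainder += exact - credit
    postings.append((ROUNDING_GL, remainder))
    return postings


def reconcile(balances, postings):
    """Compare a posted batch with the recomputed one; return the exceptions."""
    posted = defaultdict(Decimal)
    for account, amount in postings:
        posted[account] += amount
    expected = dict(expected_postings(balances))

    exceptions = []
    for account, amount in expected.items():
        if posted.get(account, Decimal(0)) != amount:
            kind = "rounding-gl-mismatch" if account == ROUNDING_GL else "wrong-credit"
            exceptions.append((kind, account))
    # Any account credited by the batch that the interest run did not cover.
    for account in posted:
        if account not in expected:
            exceptions.append(("unexpected-beneficiary", account))
    return exceptions


# Constructed faulty batch for the check to catch: the remainder line names
# an ordinary account instead of the designated rounding account.
TAMPERED = [("SB-99017" if account == ROUNDING_GL else account, amount)
            for account, amount in expected_postings(BALANCES)]

if __name__ == "__main__":
    print("clean batch   :", reconcile(BALANCES, expected_postings(BALANCES)))
    print("tampered batch:", reconcile(BALANCES, TAMPERED))
```

Each remainder is below 0.01, so no single posting looks unusual; the check works because it reconciles the whole batch against an independent recomputation.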



