Chapter 16 IT Controls, Asset Protection, and Security

Date post: 27-Dec-2015
Upload: marcus-blair
Page 1: Chapter 16 IT Controls, Asset Protection, and Security.

Chapter 16

IT Controls, Asset Protection, and Security

Page 2

Introduction

Managers who own or use IT assets are responsible for securing them

With interconnected enterprises (B2B), intrusion at a partner may result in business compromise locally

Security is an integrated, continuous process that takes place at all levels

Page 3

The Meaning and Importance of Control

Control is a primary management responsibility

Managers must have routine methods for comparing actual and planned performance

“Planning and control are inseparable”

IT controls are critical because other parts of the organization use computer-generated reports as the basis of their control activities

Page 4

Why Controls are Important to Managers

1. Control is a primary management responsibility
2. Uncontrolled events can be very damaging
3. The firm relies on IT for many control processes
4. U.S. law requires certain control measures in public corporations
5. Controls assist organizations in protecting assets
6. Technology introduction requires controlled processes

Page 5

Business Control Principles

The primary job of all managers is to take charge of the assets entrusted to them, capitalize on these assets to advance their part of the business, and grow, develop, or add value to them

Managers entrusted with information assets must control and protect them

Implementing business controls is an ethical responsibility

Page 6

Asset Identification and Classification

Managers must know what assets they own or control, and their value

Tangible – physical assets – routers, PCs, servers, telephones

Intangible – intellectual assets – operating systems, databases, applications

Managers must inventory and value items

Page 7

Separation of Duties

Several individuals are involved in transaction processing

In order for fraud to occur, several individuals must work together

Control can be made even more effective by routinely changing the job duties assigned to these transaction tasks

Must validate output with input

Page 8

Efficiency and Effectiveness of Controls

Controls are best when they are simple and easily understood

They are most effective when they are part of the routine and produce action in a timely manner

Control cost and overhead must be balanced against risk and magnitude of loss

Managers must analyze the application and use good judgment

Page 9

Control Responsibilities

1. The application program owner (almost always a manager)
2. Application users (some applications have many)
3. The application’s programming manager
4. The individual providing the computing environment
5. The IT manager (in either the line or staff role)

Page 10

Owner and User Responsibilities

Owners are responsible for providing business direction for their applications; the owner authorizes the program’s use, classifies the associated data, and stipulates program and data access controls

Users are individuals or groups authorized by owners to use applications according to owners’ specifications

They are required to protect the data in accordance with the owners’ classification

Page 11

IT Managers’ Responsibilities

All IT managers have control responsibilities in conjunction with their operating responsibilities

The responsibility of organizing and managing application development, maintenance, or enhancement resides with IT programming managers

The supplier of computing services is responsible for providing the computing environment within which the application is processed

Page 12

Application Controls

Necessary to ensure that applications function properly on a regular basis

These controls are most effective when they are built into the applications and generate documentation validating proper operation

Automated and manual control mechanisms should be classified as confidential information

The separation of duties principle applies to an application and its associated data handling

Page 13

Application Processing Controls

Application control and protection consist of two duties:

Ensuring that application programs perform according to management-established specifications

Maintaining program and data integrity

To support these requirements, applications must have auditability features and control points built in

Page 14

System Control Points

Control points are locations in program or process flow where control exposures exist and where control actions and auditing activities can be done

Transaction origination is one of the most critical points

It is a manual activity and can be subject to human error or fraud

Online operations make the system more complex and require even greater controls

Page 15

System Control Points (diagram; not reproduced in the transcript)

Page 16

Control Actions at Transaction Origination (diagram; not reproduced in the transcript)

Page 17

Input Data Controls (diagram; not reproduced in the transcript)
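The three preceding slides (separation of duties, system control points, and the control actions at transaction origination and input) describe controls in the abstract; the diagrams that carried the detail are not in the transcript. The following Go program is an added example, not code from the chapter, showing what those controls look like when built into a batch application: field edits at origination, a maker/checker rule so that the person who keyed a transaction cannot also approve it, and control totals (record count, amount total, hash total) carried with the batch so that output can be validated against input. The record layout, the names, and the sample batch are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Transaction is one record as keyed at the originating department.
// The field names are assumptions made for this example.
type Transaction struct {
	ID          string
	Account     string // numeric account identifier, kept as text exactly as keyed
	AmountCents int64
	EnteredBy   string // the person who keyed the transaction (maker)
	ApprovedBy  string // the person who released it (checker)
}

// ControlTotals travel with a batch so that what comes out of processing can
// be reconciled against what went in.
type ControlTotals struct {
	RecordCount int
	AmountCents int64
	HashTotal   int64 // sum of account numbers: meaningless as a value, useful as a check
}

// totals recomputes the control totals for a batch. A non-numeric account is a
// field edit failure and is rejected in the same pass.
func totals(batch []Transaction) (ControlTotals, error) {
	var ct ControlTotals
	for _, t := range batch {
		acct, err := strconv.ParseInt(strings.TrimSpace(t.Account), 10, 64)
		if err != nil {
			return ct, fmt.Errorf("transaction %q: account %q is not numeric", t.ID, t.Account)
		}
		ct.RecordCount++
		ct.AmountCents += t.AmountCents
		ct.HashTotal += acct
	}
	return ct, nil
}

// validateOrigination applies control actions at transaction origination:
// completeness and range edits, a separation-of-duties check, and a comparison
// of the recomputed totals with the totals the originator reported.
func validateOrigination(batch []Transaction, reported ControlTotals) error {
	seen := make(map[string]bool)
	for _, t := range batch {
		switch {
		case t.ID == "":
			return fmt.Errorf("record without identifier")
		case seen[t.ID]:
			return fmt.Errorf("transaction %q: duplicate identifier", t.ID)
		case t.AmountCents <= 0:
			return fmt.Errorf("transaction %q: amount must be positive", t.ID)
		case t.EnteredBy == "" || t.ApprovedBy == "":
			return fmt.Errorf("transaction %q: missing maker or checker", t.ID)
		case t.EnteredBy == t.ApprovedBy:
			return fmt.Errorf("transaction %q: %s both entered and approved it", t.ID, t.EnteredBy)
		}
		seen[t.ID] = true
	}
	computed, err := totals(batch)
	if err != nil {
		return err
	}
	if computed != reported {
		return fmt.Errorf("batch totals %+v do not match reported totals %+v", computed, reported)
	}
	return nil
}

// reconcileOutput validates output against input: the records actually posted
// must reproduce the control totals accepted at origination, so a record lost
// or altered during processing is detected.
func reconcileOutput(accepted ControlTotals, posted []Transaction) error {
	got, err := totals(posted)
	if err != nil {
		return err
	}
	if got != accepted {
		return fmt.Errorf("posted totals %+v do not match accepted totals %+v", got, accepted)
	}
	return nil
}

// sampleBatch returns constructed data for the example.
func sampleBatch() []Transaction {
	return []Transaction{
		{ID: "T1", Account: "1001", AmountCents: 12500, EnteredBy: "clerk-a", ApprovedBy: "supervisor-b"},
		{ID: "T2", Account: "1002", AmountCents: 8000, EnteredBy: "clerk-a", ApprovedBy: "supervisor-b"},
		{ID: "T3", Account: "2005", AmountCents: 300, EnteredBy: "clerk-c", ApprovedBy: "supervisor-b"},
	}
}

func main() {
	batch := sampleBatch()
	reported := ControlTotals{RecordCount: 3, AmountCents: 20800, HashTotal: 4008}
	fmt.Println("origination:", validateOrigination(batch, reported))
	// Processing that silently drops a record is caught by the output check.
	fmt.Println("reconcile (complete):", reconcileOutput(reported, batch))
	fmt.Println("reconcile (record lost):", reconcileOutput(reported, batch[:2]))
}
```

The hash total is the classic input control for this situation: it has no business meaning, which is exactly why a transposed or dropped account number shows up as a mismatch. Because the totals are computed twice by independent code paths, once at origination and once after posting, the program also produces the documentation of proper operation that the application-controls slides call for.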

Page 18

Processing, Storage, and Output Controls

Operating systems and the applications themselves enhance the validation processes of program processing

Program execution is accompanied by subroutines that validate that processing is complete and that program execution occurred correctly

Application program source code and executables must be treated as classified information

Page 19

Program Processing Controls (diagram; not reproduced in the transcript)

Page 20

Data Output Handling (diagram; not reproduced in the transcript)

Page 21

Application Program Audits

An application system is auditable if the application owner can establish easily and with high confidence that the system continually performs specified functions

Auditable systems contain functions and features that let owners determine if applications are processing data correctly

Program testing that ensures auditability is vital

Test data should be archived

Page 22

Controls in Production Operations

Well-disciplined production operations maintain sound control over performance objectives

They ensure sufficient system capacity for application operations

They allow batch and online systems processing to function as designed

Accurate scheduling and rigorous online management provide controlled environments for application processing

Page 23

Controls in Client/Server Operations

Organizations that move applications from secured centralized systems to distributed systems must understand the different exposures and vulnerabilities

Client/server systems and e-business systems have more points of vulnerability, so control and asset protection are more difficult

Special effort must be taken to design in controls and continuously assess vulnerabilities in the system over time

Page 24

Network Controls and Security

Networks face passive threats and active threats

Passive threats are attempts to monitor network data transmission in order to read messages or obtain information about network traffic

Active threats are attempts to alter, destroy, or divert message data, or to pose as network nodes

Page 25

Network Controls and Security

Network managers must control system and data access and must secure data in transit

The first step in controlling system access is physical security

Rooms containing controllers, routers, or servers must be tightly secured

Page 26

Network Controls and Security

Managers must establish user identification and verification processes

This usually means that users sign on to the system with a name followed by a password

Some firms require “two-factor identification”

The two factors are usually something you have and something you know – fingerprint, token or smartcard + PIN

The two-factor system only erects higher barriers to entry
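As an added example of the "something you know" plus "something you have" sign-on the slide describes (this is not code from the chapter), the Go program below verifies a password and a time-based one-time code of the kind a token or phone app displays. The one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP) exactly as published, so the RFC test vector (secret "12345678901234567890", time 59, code 287082) applies. The salted SHA-256 used for the password is a stand-in so the example needs only the standard library; a real system stores passwords with a slow hash such as bcrypt or Argon2. User names, the salt, and the password are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to 31 bits, then the last `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238 with the usual 30-second time step.
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix()/30), digits)
}

// Credential is what the server stores per user: the salted password hash
// (something you know) and the shared token secret (something you have).
// The single SHA-256 is a stand-in for a slow password hash (assumption).
type Credential struct {
	Salt      []byte
	PassHash  [32]byte
	OTPSecret []byte
}

func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

func NewCredential(salt []byte, password string, otpSecret []byte) Credential {
	return Credential{Salt: salt, PassHash: hashPassword(salt, password), OTPSecret: otpSecret}
}

// verifyLogin checks both factors and reports only pass/fail, never which
// factor was wrong. The code is accepted for the current 30-second step and
// one step either side, to tolerate clock drift between token and server.
func verifyLogin(c Credential, password, code string, now time.Time) bool {
	want := hashPassword(c.Salt, password)
	passOK := subtle.ConstantTimeCompare(want[:], c.PassHash[:]) == 1
	otpOK := false
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		expected := totp(c.OTPSecret, now.Add(skew), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			otpOK = true
		}
	}
	return passOK && otpOK
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	cred := NewCredential([]byte("constructed-salt"), "correct horse battery", secret)
	now := time.Unix(59, 0)      // RFC 6238 test time; the published code is 287082
	code := totp(secret, now, 6) // what the user's token would display
	fmt.Println("token shows:", code)
	fmt.Println("both factors right:", verifyLogin(cred, "correct horse battery", code, now))
	fmt.Println("wrong password:", verifyLogin(cred, "guess", code, now))
	fmt.Println("wrong code:", verifyLogin(cred, "correct horse battery", "000000", now))
}
```

The slide's caveat that two factors only raise the barrier holds here too: within the drift window a captured code is still valid, so a deployment should also record the last accepted time step per user and refuse any code for that step or an earlier one, and should rate-limit attempts, since a six-digit code is guessable by brute force without a lockout.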

Page 27

Data Encryption

It is often necessary to protect critical data in transit

Before transmission, encryption programs use an algorithm and a key to change the message character stream into a different character stream

When received, the algorithm and key decode or decipher the message

Encryption changes the risk of data loss to risk of key loss
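The slide describes encryption as algorithm plus key on the sending side and the same pair on the receiving side. The Go program below, an added example and not code from the chapter, shows that exchange with AES-256-GCM from the Go standard library and demonstrates the last bullet concretely: with the right key the message comes back, with any other key (or with a ciphertext altered in transit, the chapter's active threat) decryption fails outright rather than producing garbage. The sample message is constructed; the key is generated at run time, and keeping that key is the residual risk the slide names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey generates a random 256-bit key. Protecting and rotating this value is
// the risk encryption leaves behind: lose it and the data is unrecoverable,
// leak it and the data is exposed.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encrypt turns the message stream into ciphertext with AES-256-GCM. The nonce
// is random per message and prepended to the output; it must be unique per
// key but need not be secret. GCM also appends an authentication tag, so any
// alteration of the ciphertext is detected on receipt.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt with the same algorithm and key. A different key,
// or a changed byte anywhere in nonce, ciphertext or tag, makes Open return an
// error instead of a decoded message.
func decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message shorter than a nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample: post 20800 to account 1001") // not real data
	ct, err := encrypt(key, msg)
	if err != nil {
		panic(err)
	}
	pt, err := decrypt(key, ct)
	fmt.Println("right key:", string(pt), err, bytes.Equal(pt, msg))

	other, _ := newKey()
	_, err = decrypt(other, ct)
	fmt.Println("wrong key:", err)

	ct[len(ct)-1] ^= 0x01 // one bit flipped in transit
	_, err = decrypt(key, ct)
	fmt.Println("tampered:", err)
}
```

Choosing an authenticated mode such as GCM is what makes the "tampered" case fail loudly; with an unauthenticated mode the receiver would get altered plaintext and no warning, which is precisely the active threat listed on the earlier slide.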

Page 28

Firewalls and Other Security Considerations

A firewall is a specialized computer inserted between internal and external networks, through which all incoming and outgoing traffic must pass

It is intended to screen incoming and outgoing messages and prohibit any traffic deemed illegitimate

Firewalls are only the first line of defense against external intrusion
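To show what "screen incoming and outgoing messages and prohibit any traffic deemed illegitimate" means as a rule set, here is an added example in Go (not code from the chapter): a first-match packet filter over an ordered rule list, with a default of deny for anything no rule explicitly permits, and with every decision returning the name of the rule that produced it so that denials can be logged for the next line of defense. The network layout (internal 10.0.0.0/8, one web server at 10.0.1.10, a resolver at 192.0.2.53) and the sample packets are constructed; 192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges.

```go
package main

import (
	"fmt"
	"net"
)

// Direction tells which way a packet crosses the firewall.
type Direction int

const (
	Inbound  Direction = iota // from the external network toward the internal one
	Outbound                  // from the internal network toward the external one
)

// Packet is the subset of header fields this filter decides on.
type Packet struct {
	Dir     Direction
	Src     net.IP
	Dst     net.IP
	Proto   string // "tcp" or "udp"
	DstPort int
}

// Rule is one line of policy. An empty Proto or a zero DstPort matches anything.
type Rule struct {
	Name    string
	Dir     Direction
	Src     *net.IPNet
	Dst     *net.IPNet
	Proto   string
	DstPort int
	Allow   bool
}

func (r Rule) matches(p Packet) bool {
	return r.Dir == p.Dir &&
		r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Policy is an ordered rule list evaluated first-match. Traffic matching no
// rule is denied: legitimacy is declared explicitly, everything else is
// treated as illegitimate.
type Policy []Rule

// Decide returns the verdict and the rule that produced it. Logging the rule
// name on every denial is what turns the firewall from a wall into a sensor
// for the defenses behind it.
func (pol Policy) Decide(p Packet) (allow bool, rule string) {
	for _, r := range pol {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// samplePolicy is constructed for the example.
func samplePolicy() Policy {
	anyNet := mustCIDR("0.0.0.0/0")
	internal := mustCIDR("10.0.0.0/8")
	return Policy{
		// An inbound packet claiming an internal source address is spoofed.
		{Name: "drop-spoofed-internal-source", Dir: Inbound, Src: internal, Dst: anyNet, Allow: false},
		{Name: "allow-https-to-web", Dir: Inbound, Src: anyNet, Dst: mustCIDR("10.0.1.10/32"), Proto: "tcp", DstPort: 443, Allow: true},
		{Name: "allow-outbound-https", Dir: Outbound, Src: internal, Dst: anyNet, Proto: "tcp", DstPort: 443, Allow: true},
		{Name: "allow-outbound-dns", Dir: Outbound, Src: internal, Dst: mustCIDR("192.0.2.53/32"), Proto: "udp", DstPort: 53, Allow: true},
	}
}

func main() {
	pol := samplePolicy()
	for _, p := range []Packet{
		{Inbound, net.ParseIP("203.0.113.7"), net.ParseIP("10.0.1.10"), "tcp", 443},
		{Inbound, net.ParseIP("203.0.113.7"), net.ParseIP("10.0.1.10"), "tcp", 22},
		{Inbound, net.ParseIP("10.0.5.5"), net.ParseIP("10.0.1.10"), "tcp", 443},
		{Outbound, net.ParseIP("10.0.5.5"), net.ParseIP("203.0.113.7"), "tcp", 25},
	} {
		allow, rule := pol.Decide(p)
		fmt.Printf("%s %v -> %v allow=%v (%s)\n", p.Proto, p.Src, p.Dst, allow, rule)
	}
}
```

Rule order matters in a first-match filter: the anti-spoofing drop sits above the web-server allow so that a packet with a forged internal source cannot reach the server through the HTTPS exception. The default-deny at the end is the property the slide is after; a policy that ends in "allow everything else" screens nothing.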

Page 29

Network Security Measures (diagram; not reproduced in the transcript)

Page 30

Additional Control and Protection Measures

1. Only people who work in the data center should be allowed routine access to the facility
2. Data center workers must wear special badges that identify them on sight
3. Physical access should be controlled by electronic code locks rather than mechanical key locks; this simplifies key management and hastens key changes

Page 31

Additional Control and Protection Measures

4. The identity and authorization of all visitors to the center must be validated, and they must sign in and out
5. Duties within the center should be separated so that operators who initiate or control programs cannot access data stores

Page 32

Managing Sensitive Programs

IT managers must, with help from other department managers, identify and maintain an inventory of these applications

The owner must prescribe protection and security conditions covering storage, operation, and maintenance

Program source code, load modules, and test data must be classified as sensitive information and protected accordingly

Datasets must be protected as well

Page 33

Controls for E-Business Applications

Due to the integrated nature of e-business, security is a shared concern

All the partners must have documented security policies, secure application development practices, and satisfactory access control and user authorization procedures

Partners must establish encryption standards, develop responses to security breaches, and schedule compliance audits

Page 34

Keys to Effective Control

Managers must understand their control responsibilities and know:

The assets for which they are responsible

The value of those assets, and protect the assets accordingly

Managers must be involved in the control processes

Involvement must be timely and responsive

Must follow through to ensure effectiveness

Page 35

Summary

No organization is safe from computer crime

Business controls, asset protection, and security are fundamental to business operations

Managers must know what their assets are and each asset’s estimated value

Assets must be classified and protected in accordance with their relative worth
