AdU AIS Ch10


Transcript of AdU AIS Ch10

  • 8/11/2019 AdU AIS Ch10

    1/30

    Protection of Systems and Data
    with Personnel Policies
    with Technology and Facilities

  • Protection of Systems and Data with Personnel Policies

    Why is it needed?

    CREATING the system
    INPUTTING data into the system
    SUPERVISING data processing
    DISTRIBUTING processed data
    USING APPROVED CONTROLS

  • Protection of Systems and Data with Personnel Policies

    General Controls:

    SEPARATION OF DUTIES
    USE OF COMPUTER ACCOUNTS
    IDENTIFYING SUSPICIOUS BEHAVIOR

  • Protection of Systems and Data with Personnel Policies

    SEPARATION OF DUTIES

    Accounting and IT subsystems
    Responsibilities within the IT environment

  • Protection of Systems and Data with Personnel Policies

    Separate Accounting and IT Subsystems

    1. User subsystems initiate and authorize
    2. Asset custody
    3. Corrections for errors detected are entered on an entry log
    4. Changes to existing systems

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    1. System Analysis Function
    2. Data Control Function
    3. Programming Function
    4. Computer Operations Function
    5. Transaction Authorization Function
    6. AIS Library Function

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    System Analysis Function

    Analyze information process needs
    Design/modify applications programs

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    Data Control Function

    Use a data control group
    Maintain registers of computer access codes
    Help acquire new accounting software
    Coordinate security controls

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    Programming Function

    Require formal authorizations for program changes
    Submit written description of changes
    Test changes to programs prior to implementation

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    Computer Operations Function

    Rotate computer operators among jobs to avoid any single operator always overseeing the same application

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    Transaction Authorization Function

    For each batch of input data, user subsystems submit a signed form to verify that the input data are authorized and that proper batch control totals are compiled

  • Protection of Systems and Data with Personnel Policies

    Separate Responsibilities within IT Environment

    AIS Library Function

    Maintain custody of files, databases, and computer programs in separate storage called the AIS Library
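The separation-of-duties rules on the preceding slides (user subsystems initiate and authorize, custody kept apart, and the six IT functions kept apart from each other) can be checked mechanically over a role register. The block below is an added example, not code from the AdU slides; the specific incompatible role pairs are an assumed example policy, and the user names and transaction are constructed.

```python
from itertools import combinations

# The six IT functions the slides say must be kept separate.
IT_FUNCTIONS = {"system_analysis", "data_control", "programming",
                "computer_operations", "transaction_authorization",
                "ais_library"}

# Assumed example policy (not from the slides): a programmer must not run or
# store production programs, the librarian must not alter what is stored, and
# nobody who runs or programs the computer may authorize the input it processes.
INCOMPATIBLE = {
    frozenset({"programming", "computer_operations"}),
    frozenset({"programming", "ais_library"}),
    frozenset({"computer_operations", "ais_library"}),
    frozenset({"programming", "transaction_authorization"}),
    frozenset({"computer_operations", "transaction_authorization"}),
}

def role_conflicts(assignments):
    """Sorted (user, role_a, role_b) for each INCOMPATIBLE pair one user holds.
    assignments: dict user -> iterable of role names."""
    found = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(set(roles)), 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                found.append((user, a, b))
    return sorted(found)

def transaction_conflicts(tx, assignments):
    """Accounting/IT split for one transaction (tx has 'initiated_by',
    'authorized_by', 'custody_by'). Rule 1: those are three different people.
    Rule 2: none of them holds an IT function (users initiate and authorize)."""
    problems = []
    people = [tx["initiated_by"], tx["authorized_by"], tx["custody_by"]]
    if len(set(people)) < 3:
        problems.append("initiate/authorize/custody not split across 3 people")
    for who in people:
        if IT_FUNCTIONS & set(assignments.get(who, ())):
            problems.append(f"{who} holds an IT function and a user duty")
    return problems

# Constructed sample data: bob violates the policy; frank is an operator with stock custody.
SAMPLE_ASSIGNMENTS = {
    "bob": ["programming", "computer_operations"],
    "dave": ["sales_clerk"],
    "erin": ["sales_manager"],
    "frank": ["warehouse", "computer_operations"],
}
SAMPLE_TX = {"initiated_by": "dave", "authorized_by": "erin", "custody_by": "frank"}
```

Running `role_conflicts(SAMPLE_ASSIGNMENTS)` flags bob's programming/operations combination, and `transaction_conflicts(SAMPLE_TX, SAMPLE_ASSIGNMENTS)` flags frank holding asset custody while also operating the computer.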

  • Protection of Systems and Data with Personnel Policies

    Use of Computer Accounts

    Limit user access to particular computer files or programs
    Protect files from unauthorized use
    Biometric Identification

  • Protection of Systems and Data with Personnel Policies

    Identifying Suspicious Behavior

    38% Living beyond their means
    34% Financial Difficulties
    20% Wheeler-dealer Attitudes
    19% Unwilling to share duties (control issues)
    17% Family/Marriage Problems

    *2008 ACFE Survey

  • Protection of Systems and Data with Personnel Policies

    Identifying Suspicious Behavior

    29% Highest percentage of fraud involving the accounting department

    *2008 ACFE Survey

  • Protection of Systems and Data with Personnel Policies

    Safeguarding Files

    1. Not human-readable
    2. Vast amounts of data
    3. Very compact format
    4. Permanent only
    5. Confidential
    6. Reconstruction of file data is costly
    7. File information is an asset of a company

  • Protection of Systems and Data with Technologies and Facilities

    File Security Controls

    The purpose of file security controls is to protect computer files from:

    Accidental abuse
    Intentional abuse

  • Protection of Systems and Data with Technologies and Facilities

    File Security Controls

    External File Labels
    Internal File Labels
    Lockout Procedures
    Read-only File designation

  • Protection of Systems and Data with Technologies and Facilities

    Business Continuity Planning: COMPREHENSIVE APPROACH to making sure organizational activities continue normally.

    Disaster Recovery: Involves the PROCESSES AND PROCEDURES that organizations follow to resume business after a disruptive event.

  • Protection of Systems and Data with Technologies and Facilities

    Business Continuity Planning

    Power Failures
    IT System Crashes
    Natural Disasters
    Supply Chain Problems

  • Protection of Systems and Data with Technologies and Facilities

    Disaster Recovery

    Fires
    Floods
    Hurricanes
    Earthquakes
    Man-made Catastrophes

  • Protection of Systems and Data with Technologies and Facilities

    Disaster Recovery

    Hot site
    Flying-start Site
    Cold Site

  • Protection of Systems and Data with Technologies and Facilities

    Fault-Tolerant Systems

    Designed to tolerate computer errors and keep functioning
    Often based on the concept of redundancy
    Created by instituting duplicate communication paths and communications processors

  • Protection of Systems and Data with Technologies and Facilities

    Fault-Tolerant Systems

    Redundancy in CPU processing can be achieved:
    with consensus-based protocols
    with a second watchdog processor

    Disks can be made fault-tolerant:
    by a process called disk mirroring
    by rollback processing

  • Protection of Systems and Data with Technologies and Facilities

    Backup

    Essential for vital documents
    Batch processed using Grandfather-parent-child procedure
    Can be electronically transmitted to remote sites (electronic vaulting)
    Needs an uninterruptible power system (UPS) as an auxiliary power supply
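The grandfather-parent-child procedure named on the slide keeps three generations of a batch-updated master file together with the transaction file behind each one, so a damaged generation is rebuilt from its predecessor instead of being lost. The block below is an added example, not code from the AdU slides; the account balances and nightly batches are constructed, and the retention depth of three is the assumption the name implies.

```python
from collections import deque

def apply_batch(master, transactions):
    """Post a batch of (account, amount) entries and return the new master."""
    new = dict(master)
    for acct, amount in transactions:
        new[acct] = new.get(acct, 0) + amount
    return new

class GenerationStore:
    """Keeps the three newest master files (child, parent, grandfather) and
    the transaction file that produced each, so a lost generation can be
    rebuilt from its predecessor plus that transaction file."""
    KEEP = 3

    def __init__(self, initial_master):
        # (master, batch that produced it); the initial master has no batch.
        self.gens = deque([(dict(initial_master), [])], maxlen=self.KEEP)

    def run_batch(self, transactions):
        """Apply a batch to the current child; deque drops the oldest generation."""
        child = apply_batch(self.gens[-1][0], transactions)
        self.gens.append((child, list(transactions)))
        return child

    def generation(self, index):
        """-1 child, -2 parent, -3 grandfather (None if not retained)."""
        return self.gens[index][0] if -len(self.gens) <= index <= -1 else None

    def can_rebuild(self, index):
        """Rebuilding needs the generation before it, gone for the oldest kept."""
        return -len(self.gens) < index <= -1

    def rebuild(self, index):
        """Recompute generation `index` from its predecessor and retained batch."""
        if not self.can_rebuild(index):
            raise ValueError("no older generation retained to rebuild from")
        master, batch = self.gens[index - 1][0], self.gens[index][1]
        return apply_batch(master, batch)

# Constructed sample: opening balances and three nightly batches.
INITIAL_MASTER = {"1001": 100, "1002": 50}
BATCHES = [[("1001", 25), ("1003", 10)], [("1002", -20)], [("1003", 5), ("1001", -125)]]

def demo():
    store = GenerationStore(INITIAL_MASTER)
    for batch in BATCHES:
        store.run_batch(batch)
    return store
```

After the three runs in `demo()` the opening master has rolled off, the child and parent can each be recomputed from the generation behind them, and the grandfather cannot, which is exactly why the procedure keeps a third copy.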

  • Protection of Systems and Data with Technologies and Facilities

    Backup

    Similar to the redundancy concept in fault-tolerant systems
    Hot backup is performed while the database is online and available for read/write
    Cold backup is performed while the database is offline and unavailable to its users

  • Protection of Systems and Data with Technologies and Facilities

    Computer Facility Controls

    Locate the Data Processing Center in a safe place where:

    Public does not have access
    Guarded by personnel
    Limited number of secured entrances
    Protection against natural disasters

  • Protection of Systems and Data with Technologies and Facilities

    Computer Facility Controls

    Limit employee access by:

    Incorporating magnetic, electronic, or optical coded identification badges
    Man Trap

  • Protection of Systems and Data with Technologies and Facilities

    Computer Facility Controls

    Buy Insurance

    Last resort in protecting data/files
    Insurance policies for computer damages are usually LIMITED in coverage