AdU AIS Ch10
Transcript of AdU AIS Ch10
-
8/11/2019 AdU AIS Ch10
1/30
Protection of Systems and Data
with Personnel Policies
with Technology and Facilities
-
Protection of Systems and Data with Personnel Policies
Why is it needed?
CREATING the system
INPUTTING data into the system
SUPERVISING data processing
DISTRIBUTING processed data
USING APPROVED CONTROLS
-
General Controls:
SEPARATION OF DUTIES
USE OF COMPUTER ACCOUNTS
IDENTIFYING SUSPICIOUS BEHAVIOR
-
SEPARATION OF DUTIES
Accounting and IT subsystems
Responsibilities within the IT environment
-
Separate Accounting and IT Subsystems
1. User subsystems initiate and authorize
2. Asset custody
3. Corrections for errors detected are entered on an entry log
4. Changes to existing systems
-
Separate Responsibilities within IT Environment
1. System Analysis Function
2. Data Control Function
3. Programming Function
4. Computer Operations Function
5. Transaction Authorization Function
6. AIS Library Function
-
Separate Responsibilities within IT Environment
System Analysis Function
Analyze information processing needs
Design/modify application programs
-
Separate Responsibilities within IT Environment
Data Control Function
Use a data control group
Maintain registers of computer access codes
Help acquire new accounting software
Coordinate security controls
-
Separate Responsibilities within IT Environment
Programming Function
Require formal authorizations for program changes
Submit written description of changes
Test changes to programs prior to implementation
-
Separate Responsibilities within IT Environment
Computer Operations Function
Rotate computer operators among jobs to avoid any single operator always overseeing the same application
-
Separate Responsibilities within IT Environment
Transaction Authorization Function
For each batch of input data, user subsystems submit a signed form to verify that input data are authorized and proper batch control totals are compiled
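An added example, not part of the slides, of how a data control group can recompute the batch control totals from the received records and compare them with the figures on the signed form. The record layout, field names and amounts are constructed for illustration; a record count, a financial total and a hash total of account numbers are the three totals assumed here.

```python
# Added example, not from the slides: recompute the batch control totals a
# user subsystem wrote on its signed authorization form and compare them with
# the batch actually received. Record layout and figures are constructed.
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class InvoiceRecord:
    account_no: int      # customer account number, feeds the hash total
    amount: Decimal      # invoice amount, feeds the financial total

@dataclass(frozen=True)
class ControlForm:
    """The three totals written on the signed form that travels with a batch."""
    record_count: int
    financial_total: Decimal
    hash_total: int      # sum of account numbers: no business meaning, but
                         # it catches a transposed or substituted account

def compute_totals(batch):
    """Recompute the control totals from the records actually received."""
    return ControlForm(
        record_count=len(batch),
        financial_total=sum((r.amount for r in batch), Decimal("0")),
        hash_total=sum(r.account_no for r in batch),
    )

def verify_batch(batch, form):
    """Return the list of discrepancies between the batch and its control form.
    An empty list means the batch matches what the user subsystem authorized."""
    actual = compute_totals(batch)
    problems = []
    for name in ("record_count", "financial_total", "hash_total"):
        got, expected = getattr(actual, name), getattr(form, name)
        if got != expected:
            problems.append(f"{name}: recomputed {got}, form says {expected}")
    return problems

# Constructed sample batch of three invoices as keyed by the user subsystem.
SAMPLE_BATCH = [
    InvoiceRecord(10231, Decimal("1200.00")),
    InvoiceRecord(10477, Decimal("85.50")),
    InvoiceRecord(10902, Decimal("310.25")),
]
# Totals copied from the signed form; 31610 = 10231 + 10477 + 10902.
SAMPLE_FORM = ControlForm(3, Decimal("1595.75"), 31610)

# Same batch with one account number transposed while keying (10231 -> 10213):
# count and money still agree, so only the hash total exposes the error.
TRANSPOSED_BATCH = [InvoiceRecord(10213, Decimal("1200.00"))] + SAMPLE_BATCH[1:]
```

A batch whose discrepancy list is non-empty is held back and returned to the originating subsystem rather than released to processing.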
-
Separate Responsibilities within IT Environment
AIS Library Function
Maintain custody of files, databases, and computer programs in separate storage called the AIS Library
-
Use of Computer Accounts
Limit user access to particular computer files or programs
Protect files from unauthorized use
Biometric Identification
-
Identifying Suspicious Behavior
38% Living beyond their means
34% Financial difficulties
20% Wheeler-dealer attitudes
19% Unwilling to share duties (control issues)
17% Family/marriage problems
*2008 ACFE Survey
-
Identifying Suspicious Behavior
29% Highest percentage of fraud involving the accounting department
*2008 ACFE Survey
-
Safeguarding Files
1. Not human-readable
2. Vast amounts of data
3. Very compact format
4. Permanent only
5. Confidential
6. Reconstruction of file data is costly
7. File information is an asset of a company
-
Protection of Systems and Data with Technologies and Facilities
File Security Controls
The purpose of file security controls is to
protect computer files from:
Accidental abuse
Intentional abuse
-
File Security Controls
External File Labels
Internal File Labels
Lockout Procedures
Read-only File designation
-
Business Continuity Planning
COMPREHENSIVE APPROACH to making sure organizational activities continue normally.
Disaster Recovery
Involves the PROCESSES AND PROCEDURES that organizations follow to resume business after a disruptive event.
-
Business Continuity Planning
Power Failures
IT System Crashes
Natural Disasters
Supply Chain Problems
-
Disaster Recovery
Fires
Floods
Hurricanes
Earthquakes
Man-made Catastrophes
-
Disaster Recovery
Hot site
Flying-start Site
Cold Site
-
Fault-Tolerant Systems
Designed to tolerate computer errors and keep functioning
Often based on the concept of redundancy
Created by instituting duplicate communication paths and communications processors
-
Fault-Tolerant Systems
Redundancy in CPU processing can be achieved:
with consensus-based protocols
with a second watchdog processor
Disks can be made fault-tolerant by a process called disk mirroring
by rollback processing
-
Backup
Essential for vital documents
Batch processed using Grandfather-parent-child procedure
Can be electronically transmitted to remote sites (electronic vaulting)
Needs an uninterruptible power system (UPS) as an auxiliary power supply
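An added example, not from the slides, of the grandfather-parent-child rotation named above: it decides which generation each day's backup belongs to and which media must still be retained. The choice of Friday as the parent day, month-end as the grandfather day, and the retention depths are assumptions made for this illustration.

```python
# Added example, not from the slides: a grandfather-parent-child rotation for
# batch backups. One backup is taken per weekday; Friday backups are parents,
# the last business day of the month is a grandfather, everything else is a
# child. Retention depths and those generation rules are assumptions.
from datetime import date, timedelta

CHILD_KEEP, PARENT_KEEP, GRANDFATHER_KEEP = 6, 4, 12   # media kept per generation

def is_last_business_day_of_month(d):
    """True when no weekday later than d remains in d's month."""
    nxt = d + timedelta(days=1)
    while nxt.month == d.month:
        if nxt.weekday() < 5:
            return False
        nxt += timedelta(days=1)
    return d.weekday() < 5

def generation(d):
    """Generation of the backup taken on weekday d. Month-end outranks Friday,
    so a Friday that closes the month is promoted to grandfather."""
    if is_last_business_day_of_month(d):
        return "grandfather"
    if d.weekday() == 4:   # Friday
        return "parent"
    return "child"

def retained(backup_days):
    """Given every backup date so far (weekdays, ascending), return the set of
    dates whose media must still be kept; anything else may be overwritten."""
    keep = set()
    depths = {"child": CHILD_KEEP, "parent": PARENT_KEEP,
              "grandfather": GRANDFATHER_KEEP}
    for gen, depth in depths.items():
        same_gen = [d for d in backup_days if generation(d) == gen]
        keep.update(same_gen[-depth:])   # newest `depth` of this generation
    return keep

def business_days(start, end):
    """Constructed schedule: one backup on every weekday from start to end."""
    d = start
    while d <= end:
        if d.weekday() < 5:
            yield d
        d += timedelta(days=1)
```

With the constructed schedule running from 3 June to 9 August 2019, the retained set holds the six newest children, the four newest parents and both month-end grandfathers, twelve media in all.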
-
Backup
Similar to the redundancy concept in
fault-tolerant systems
Hot backup is performed while the database
is online and available for read/write
Cold backup is performed while the database is
offline and unavailable to its users
-
Computer Facility Controls
Locate the Data Processing Center in a safe place where:
Public does not have access
Guarded by personnel
Limited number of secured entrances
Protection against natural disasters
-
Computer Facility Controls
Limit employee access by
Incorporating magnetic, electronic, or optical coded identification badges
Man Trap
-
Computer Facility Controls
Buy Insurance
Last resort in protecting data/files
Insurance policies for computer damages are usually LIMITED in coverage