Chapter Eight: CBIS and Checklists
General Controls
• 12 controls
• Planning, controls, standards, security
• Continuous updating
– e.g., C&L: 66% of firms had inadequate monitoring
• Plans made, but not implemented
Project Development Controls
• Long-range (3-5 year) master plan
– and, what happens next year?
• Project Development Plan - use milestones
• DP schedule: treat computer resources as “scarce”
• Define responsibility / method of evaluation
• Postimplementation Review / Measure
IA DHS Revisited
• $12 million project development
• Failed (at point of success?)
• Funding ended
• Project development failure?
• Or, communication failure?
Mission Impossible
• Limit physical access
• Limit access to computer logic
• Problem: insiders
– where are my tennis shoes?
• Security breaches
– the Net?
Logic Controls
• Passwords
– random assignment
• ID cards
– use your PIN number for CC purchases?
– Active badges (as opposed to inactive?)
• Biometric Identification
– permit or limit access
– cocaine residue on a four year old
– “sniffer” at the airport
More Logic Access Control
• Compatibility Tests
– multiple layers of passwords for access to records
– screen passwords, e.g., payroll
– print passwords, e.g., contracts
– e-mail attachment controls?
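A compatibility test checks each requested action against the access rights recorded for that user, so that passing the login layer alone never grants screen or print access to a record. The Python below is an added example written for these notes, not code from the slides or the textbook; the users, passwords, salted PBKDF2 storage and the access matrix contents are all constructed, and the audit log and denial counter are included because repeated denials are what a reviewer of the log would look for.

```python
"""Layered logic access control: authenticate, then run a compatibility test
against an access control matrix before each action.  Added example; all
users, credentials and grants are constructed."""
import hashlib
import hmac
import os

def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential table is not plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Layer 1: who the user is (constructed credentials).
_SALTS = {u: os.urandom(16) for u in ("alice", "bob", "carol")}
CREDENTIALS = {
    "alice": _hash("correct horse", _SALTS["alice"]),
    "bob": _hash("battery staple", _SALTS["bob"]),
    "carol": _hash("tr0ub4dor", _SALTS["carol"]),
}

# Layer 2: what each user may do with each record type.  The actions mirror
# the slide's separate "screen" and "print" layers; "update" is constructed.
ACCESS_MATRIX = {
    "alice": {"payroll": {"screen"}, "contracts": {"screen", "print"}},
    "bob": {"payroll": {"screen", "print", "update"}},
    "carol": {},  # has a login but no record access at all
}

def authenticate(user: str, password: str) -> bool:
    """Layer 1: constant-time comparison of the salted hash; unknown users fail."""
    if user not in CREDENTIALS:
        return False
    return hmac.compare_digest(CREDENTIALS[user], _hash(password, _SALTS[user]))

def compatibility_test(user: str, resource: str, action: str) -> bool:
    """Layer 2: True only if the matrix explicitly grants the action.
    Unknown users, resources and actions all fail closed."""
    return action in ACCESS_MATRIX.get(user, {}).get(resource, set())

def request(user: str, password: str, resource: str, action: str, audit: list) -> bool:
    """Run both layers, record the decision, and return whether to proceed."""
    if not authenticate(user, password):
        audit.append(f"DENY auth user={user}")
        return False
    ok = compatibility_test(user, resource, action)
    audit.append(f"{'ALLOW' if ok else 'DENY'} user={user} resource={resource} action={action}")
    return ok

def denial_counts(audit: list) -> dict:
    """Denials per user from the audit trail, a simple detection aid."""
    counts: dict = {}
    for line in audit:
        if line.startswith("DENY"):
            user = line.split("user=")[1].split()[0]
            counts[user] = counts.get(user, 0) + 1
    return counts

if __name__ == "__main__":
    log: list = []
    request("alice", "correct horse", "payroll", "screen", log)  # ALLOW
    request("alice", "correct horse", "payroll", "print", log)   # DENY: screen only
    request("carol", "tr0ub4dor", "contracts", "screen", log)    # DENY: no grants
    request("mallory", "guess", "payroll", "screen", log)        # DENY: unknown user
    print("\n".join(log))
    print(denial_counts(log))
```

The matrix is deny-by-default: an action is allowed only when it is listed, so a new record type or a typo in a user name cannot accidentally open access. The audit line is written for denials as well as grants, since the denied print request from a user who may only screen the payroll file is exactly the event worth reviewing.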
Paranoia or Security?
• Outside workers with access
– Webco customer list theft
• CIA director: national security on home PC
• Mattel stolen laptops
Simple Measures
• Property listing in files
– resume example
• Floppy read/write limits
• File passwords
• Volume names
• External labels
Encryption
• Private key only
– threat?
• Public key only
– threat?
• Public and Private Keys
– threat?
Routing Verification
• Great for phone callers
– Too busy now, can I call you back?
– Verify the caller’s identity and authorization
• Automated: as discussed in your text
Documentation
• Administrative
– overall uses and change authorization
• System
– flowcharts, narrative, libraries
• Operating
– hardware & software program considerations
IC as Prevention
• UPS
• Preventive maintenance
– RAM test
– Microprocessor test
– Hard and removable disk interfaces
“Every Day is Y2K”
• Disaster Recovery Plans
– e.g., your grades
– WTC bombing: 43% of firms failed
• Electronic vaulting
– “my computer” default and mail on a server
– backup nightly
• Backup
– Master vs. Transaction files
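The reason a backup scheme keeps both the master file and the transaction file is that recovery is the snapshot plus a replay of everything posted since it: either half alone leaves you with stale or unanchored data. The Python below is an added example for these notes, not from the slides or the textbook; the payroll records, the transaction file and its sequence numbers are constructed, and the control-total check is a standard batch-total idea used here to prove the rebuild rather than anything the slides specify.

```python
"""Recovery from a vaulted master-file snapshot plus the transaction file
written since it.  Added example; all records are constructed."""
import copy

# Constructed: nightly electronically vaulted copy of the payroll master file.
MASTER_BACKUP = {
    "E100": {"name": "Ann", "ytd_pay": 4000.00},
    "E101": {"name": "Ben", "ytd_pay": 5200.00},
}

# Constructed: transaction file posted since the snapshot.  The sequence
# number lets the replay detect a lost transaction instead of skipping it.
TRANSACTION_LOG = [
    {"seq": 1, "emp": "E100", "amount": 500.00},
    {"seq": 2, "emp": "E102", "amount": 300.00, "name": "Cy"},  # new hire
    {"seq": 3, "emp": "E101", "amount": 450.00},
]

def control_total(master: dict) -> float:
    """Batch control total over the master file (sum of year-to-date pay)."""
    return round(sum(r["ytd_pay"] for r in master.values()), 2)

def rebuild_master(master_backup: dict, transactions: list) -> dict:
    """Apply the transactions in sequence to a copy of the snapshot.
    Raises on a sequence gap so a partial log is never silently accepted
    as a complete recovery."""
    master = copy.deepcopy(master_backup)  # never mutate the backup itself
    expected = 1
    for tx in sorted(transactions, key=lambda t: t["seq"]):
        if tx["seq"] != expected:
            raise ValueError(f"transaction log gap: expected seq {expected}, got {tx['seq']}")
        expected += 1
        # A transaction for an employee absent from the snapshot creates the record.
        rec = master.setdefault(tx["emp"], {"name": tx.get("name", "<unknown>"), "ytd_pay": 0.0})
        rec["ytd_pay"] = round(rec["ytd_pay"] + tx["amount"], 2)
    return master

def verify_rebuild(master_backup: dict, transactions: list, rebuilt: dict) -> bool:
    """Independent check: snapshot total + transaction total == rebuilt total."""
    expected = round(control_total(master_backup) + sum(t["amount"] for t in transactions), 2)
    return control_total(rebuilt) == expected

if __name__ == "__main__":
    rebuilt = rebuild_master(MASTER_BACKUP, TRANSACTION_LOG)
    for emp, rec in sorted(rebuilt.items()):
        print(emp, rec)
    print("control total", control_total(rebuilt), "verified:",
          verify_rebuild(MASTER_BACKUP, TRANSACTION_LOG, rebuilt))
```

Restoring only the snapshot would lose E102 and the three postings; restoring only the transaction file would have nothing to post them against. The gap check is the part most often skipped in practice, and it is what turns "we have backups" into a recovery you can actually verify.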
Disaster Recovery Plan
Press release: who, what, when, where, why
• Prioritize the process (what)
• Backup data and program files (when, where)
• Have specific assignments (who)
• Complete recovery documentation (why)
• Alternative (backup) telecommunication sites (where II)
Alternative Sites
• Alliances
• Hot site
– fully configured
– current copies of most recent backups
– access guaranteed, ready to run
• Cold site
– no equipment in place
– contracts provided to provide service on demand
Internet Controls (a different “IC”)
• NWS: six Danish hackers
– NWS goes down, airlines stop flying
– Anyone see a business opportunity here?
• Firewalls, tunneling
• Separate systems
– external (incoming) internet site
– internal intranet
Application Controls
Data entry and reporting controls
• Source Data Controls
• Input Validation Routines
• On-Line Data Entry Controls
• DP and File Maintenance Controls
• Output Controls
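Input validation routines are the application-control layer that rejects a bad record at the point of entry rather than after it has been posted. The Python below is an added example for these notes, not code from the slides or the textbook; it applies the standard edit checks (field, limit, range, validity, sign, completeness, plus a simple reasonableness test on the date) to a keyed-in payroll record. The department table, the 60-hour limit, the rate range and the sample records are all constructed.

```python
"""Input validation routines (edit checks) for a keyed-in payroll record.
Added example; reference values and sample records are constructed."""
import re
from datetime import date

VALID_DEPARTMENTS = {"D10", "D20", "D30"}   # constructed reference table
MAX_HOURS_PER_WEEK = 60                     # constructed policy limit
RATE_LOW, RATE_HIGH = 7.25, 200.00          # constructed plausible rate range
REQUIRED_FIELDS = ("emp_id", "dept", "hours", "rate", "week_ending")

def field_check(value, pattern: str) -> bool:
    """Characters in the field match the expected format."""
    return isinstance(value, str) and re.fullmatch(pattern, value) is not None

def limit_check(value, maximum) -> bool:
    return value <= maximum

def range_check(value, low, high) -> bool:
    return low <= value <= high

def validity_check(value, valid_set) -> bool:
    """Value exists in a master or reference table."""
    return value in valid_set

def sign_check(value) -> bool:
    return value >= 0

def completeness_check(record: dict) -> list:
    """Names of required fields that are absent or blank."""
    return [f for f in REQUIRED_FIELDS if f not in record or record[f] in ("", None)]

def validate_payroll_record(rec: dict, as_of=None) -> list:
    """Run every routine; return the list of failures (empty means accept).
    `as_of` is an ISO date string used for the reasonableness test so the
    result is deterministic; it defaults to today."""
    today = date.fromisoformat(as_of) if as_of else date.today()
    missing = completeness_check(rec)
    if missing:  # nothing else is meaningful until the record is complete
        return [f"completeness: missing {','.join(missing)}"]
    errors = []
    if not field_check(rec["emp_id"], r"E\d{3}"):
        errors.append("field: emp_id must look like E123")
    if not validity_check(rec["dept"], VALID_DEPARTMENTS):
        errors.append(f"validity: unknown dept {rec['dept']}")
    if not isinstance(rec["hours"], (int, float)) or not sign_check(rec["hours"]):
        errors.append("sign: hours must be a non-negative number")
    elif not limit_check(rec["hours"], MAX_HOURS_PER_WEEK):
        errors.append(f"limit: hours {rec['hours']} exceeds {MAX_HOURS_PER_WEEK}")
    if not isinstance(rec["rate"], (int, float)) or not range_check(rec["rate"], RATE_LOW, RATE_HIGH):
        errors.append(f"range: hourly rate outside {RATE_LOW}-{RATE_HIGH}")
    try:
        if date.fromisoformat(rec["week_ending"]) > today:
            errors.append("reasonableness: week_ending is in the future")
    except (TypeError, ValueError):
        errors.append("field: week_ending is not an ISO date")
    return errors

# Constructed sample records: one clean, one that trips five checks at once.
GOOD = {"emp_id": "E100", "dept": "D10", "hours": 40, "rate": 25.0, "week_ending": "2024-01-26"}
BAD = {"emp_id": "100", "dept": "D99", "hours": -5, "rate": 500, "week_ending": "2024-13-01"}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD), ("EMPTY", {})):
        print(name, validate_payroll_record(rec, as_of="2024-01-31") or "accepted")
```

Each routine is tiny on its own; the control comes from running all of them on every record and returning the full list of failures, so the operator corrects the record once instead of rekeying it for each error in turn.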