Information Systems Control Dr. Yan Xiong College of Business CSU Sacramento January 27,2003 This...


Information Systems Control

Dr. Yan Xiong
College of Business
CSU Sacramento
January 27, 2003

This lecture is based on Martin (2002) and Romney and Steinbart (2002)

Agenda
• AIS Threats
• Internal Controls
• General controls for information systems
• Internet controls
• Contingency management

AIS Threats
• Natural and political disasters:
  – fire or excessive heat
  – floods
  – earthquakes
  – high winds
  – war

AIS Threats
• Software errors and equipment malfunctions
  – hardware failures
  – power outages and fluctuations
  – undetected data transmission errors

AIS Threats
• Unintentional acts
  – accidents caused by human carelessness
  – innocent errors of omission
  – lost or misplaced data
  – logic errors
  – systems that do not meet company needs

AIS Threats
• Intentional acts
  – sabotage
  – computer fraud
  – embezzlement
  – confidentiality breaches
  – data theft

Agenda
• AIS Threats
• Internal Control
• Cost-benefit Analysis
• General controls for information systems
• Internet controls
• Contingency management

Internal Control
The COSO (Committee of Sponsoring Organizations) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
  – effectiveness and efficiency of operations
  – reliability of financial reporting
  – compliance with applicable laws and regulations

Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

Types of Controls
• Preventive: deter problems before they arise
  – segregating duties
• Detective: discover control problems as soon as they arise
  – bank reconciliation
• Corrective: remedy problems discovered with detective controls
  – file backups

Internal Control Model
COSO’s internal control model has five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

The Control Environment
The control environment consists of many factors, including the following:
1. Commitment to integrity and ethical values
2. Management’s philosophy and operating style
3. Organizational structure
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences

Control Activities
Generally, control procedures fall into one of five categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance

Proper Authorization of Transactions and Activities
• Authorization is the empowerment management gives employees to perform activities and make decisions.
• Digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
• Specific authorization is the granting of authorization by management for certain activities or transactions.

Segregation of Duties
• Good internal control demands that no single employee be given too much responsibility.
• An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Segregation of Duties
• Recording Functions
  – Preparing source documents
  – Maintaining journals
  – Preparing reconciliations
  – Preparing performance reports
• Custodial Functions
  – Handling cash
  – Handling assets
  – Writing checks
  – Receiving checks in mail
• Authorization Functions
  – Authorization of transactions

Segregation of Duties
• If two of these three functions are the responsibility of a single person, problems can arise.
• Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
• Prevent authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Segregation of Duties
• Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
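Added example (not part of the original lecture): a review of duty assignments that flags anyone holding two or more of the three functions above. The duty names come from the slide; the employees, their assignments, and the matching of each risk statement to a function pair are assumptions of this example.

```python
# Added example, not from the lecture. Duty names come from the slide above;
# the employees and their assignments are constructed sample data.
from itertools import combinations

FUNCTION_OF_DUTY = {
    "preparing source documents": "recording",
    "maintaining journals": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
    "handling cash": "custody",
    "handling assets": "custody",
    "writing checks": "custody",
    "receiving checks in mail": "custody",
    "authorization of transactions": "authorization",
}

# What each incompatible pair makes possible. The slides give the three
# statements; matching each one to a pair is this example's reading.
PAIR_RISK = {
    ("custody", "recording"):
        "can falsify records to conceal theft of assets entrusted to them",
    ("authorization", "custody"):
        "can authorize a fictitious or inaccurate transaction to conceal asset theft",
    ("authorization", "recording"):
        "can falsify records to cover up an inappropriately authorized transaction",
}

ASSIGNMENTS = {  # constructed
    "alice": ["handling cash", "receiving checks in mail"],
    "bob": ["writing checks", "preparing reconciliations"],
    "carol": ["authorization of transactions"],
    "dave": ["maintaining journals", "handling assets",
             "authorization of transactions"],
}


def functions_held(duties):
    """Return the set of functions (recording, custody, authorization) covered."""
    unknown = sorted(d for d in duties if d not in FUNCTION_OF_DUTY)
    if unknown:
        # An unclassified duty has to be triaged, not silently ignored.
        raise ValueError(f"unclassified duties: {unknown}")
    return {FUNCTION_OF_DUTY[d] for d in duties}


def sod_findings(assignments):
    """List (person, function pair, risk) for every incompatible pair held."""
    findings = []
    for person in sorted(assignments):
        held = sorted(functions_held(assignments[person]))
        for pair in combinations(held, 2):
            findings.append((person, pair, PAIR_RISK[pair]))
    return findings


if __name__ == "__main__":
    for person, pair, risk in sod_findings(ASSIGNMENTS):
        print(f"{person}: {' + '.join(pair)} -> {risk}")
```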

Design and Use of Adequate Documents and Records
• The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
• Documents that initiate a transaction should contain a space for authorization.

Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
  – effectively supervising and segregating duties
  – maintaining accurate records of assets, including information
  – restricting physical access to cash and paper assets
  – having restricted storage areas

Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
  – cash registers
  – safes, lockboxes
  – safety deposit boxes
  – restricted and fireproof storage areas
  – controlling the environment
  – restricted access to computer rooms, computer files, and information

Independent Checks on Performance
• Independent checks to ensure that transactions are processed accurately are another important control element.
• What are various types of independent checks?
  – reconciliation of two independently maintained sets of records
  – comparison of actual quantities with recorded amounts
  – double-entry accounting
  – batch totals

Five batch totals are used in computer systems:
1. A financial total is the sum of a dollar field.
2. A hash total is the sum of a field that would usually not be added.
3. A record count is the number of documents processed.
4. A line count is the number of lines of data entered.
5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
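Added example (not part of the original lecture): the five batch totals computed for a small batch, then compared against the same batch after simulated keying errors to show which total catches which error. The batch, field names and error cases are constructed for illustration.

```python
# Added example, not from the lecture. The batch below is constructed data.
from copy import deepcopy
from decimal import Decimal

SOURCE_BATCH = [  # documents as prepared by the originating department
    {"customer_no": 4417, "lines": ["120.00", "35.50"]},
    {"customer_no": 2093, "lines": ["980.25"]},
    {"customer_no": 7750, "lines": ["15.00", "15.00", "42.10"]},
]


def batch_totals(batch):
    """Compute the first four batch totals from the slide for one batch."""
    return {
        # 1. financial total: sum of a dollar field
        "financial_total": sum(Decimal(a) for d in batch for a in d["lines"]),
        # 2. hash total: sum of a field that would usually not be added
        "hash_total": sum(d["customer_no"] for d in batch),
        # 3. record count: number of documents processed
        "record_count": len(batch),
        # 4. line count: number of lines of data entered
        "line_count": sum(len(d["lines"]) for d in batch),
    }


def failed_totals(control, processed):
    """Names of the totals that differ between control and processed batch."""
    return sorted(name for name in control if control[name] != processed[name])


def rekey(batch, index, **fields):
    """Copy of the batch with one document changed (a simulated keying error)."""
    keyed = deepcopy(batch)
    keyed[index].update(fields)
    return keyed


def cross_foot_balances(recorded_row_totals, keyed_cells):
    """5. Cross-footing: grand total of rows must equal grand total of columns.

    Row totals are taken from the source documents; column totals are
    recomputed from the cells as keyed, so a mis-keyed cell breaks the balance.
    """
    column_totals = [sum(Decimal(c) for c in col) for col in zip(*keyed_cells)]
    return sum(Decimal(t) for t in recorded_row_totals) == sum(column_totals)


if __name__ == "__main__":
    control = batch_totals(SOURCE_BATCH)
    cases = {
        "customer number 4417 keyed as 4471": rekey(SOURCE_BATCH, 0, customer_no=4471),
        "amount 980.25 keyed as 908.25": rekey(SOURCE_BATCH, 1, lines=["908.25"]),
        "last document dropped": SOURCE_BATCH[:2],
    }
    for label, processed in cases.items():
        print(label, "->", failed_totals(control, batch_totals(processed)))
```

A wrong customer number leaves the financial total and both counts unchanged, so only the hash total exposes it.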

Information and Communication
• The fourth component of COSO’s internal control model is information and communication.
• Accountants must understand the following:
1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents
3. How computer files are accessed and updated
4. How data are processed to prepare information
5. How information is reported
6. How transactions are initiated
• All of these items make it possible for the system to have an audit trail.
• An audit trail exists when individual company transactions can be traced through the system.

Monitoring Performance
• The fifth component of COSO’s internal control model is monitoring.
• What are the key methods of monitoring performance?
  – effective supervision
  – responsibility accounting
  – internal auditing

Risk Assessment
• The third component of COSO’s internal control model is risk assessment.
• Companies must identify the threats they face:
  – strategic — doing the wrong thing
  – financial — having financial resources lost, wasted, or stolen
  – information — faulty or irrelevant information, or unreliable systems

Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems

Risk Assessment
• Some threats pose a greater risk because their occurrence is more likely.
• What is an example?
• A company is more likely to be the victim of a computer fraud than of a terrorist attack.
• Risk and exposure must be considered together.

Cost and Benefits
Benefit of control procedure is difference between
  – expected loss with control procedure(s)
  – expected loss without it

Loss / Fraud Conditions
• Threat: potential adverse or unwanted event that can be injurious to AIS
• Exposure: potential maximum $ loss if event occurs
• Risk: likelihood that event will occur
• Expected Loss: Risk * Exposure

Loss / Fraud Conditions
Exposure (Maximum Loss ($)) X Risk (Likelihood of Event Occurring) = Expected Loss (Potential $ Loss)

Exposures
For each AIS threat:

Possible Threat   Symbol   Exposure   Risk
Disaster          D        H          L+
Power Outage      O        M          H
System Down       H        L          L
Human Error       E        M          M
Fraud             F        M          L
Data Theft        T        L          M
Sabotage          S        H          L

Risk Assessment of Controls
[Flowchart. Boxes: Threat, Risk, Exposure, Control Needs, Costs, Implement. Decision: Cost Beneficial? (Yes / No)]

Payroll Case

Condition          Without   With     Difference
Cost Payroll       $10K      $10K
Risk of Error      15%       1%
Error Cost         $1.5K     $0.1K    $1.4K
Validate Cost      0         $0.6K    $(0.6K)
Expected Benefit                      $0.8K

Agenda
• AIS Threats
• Internal Controls
• General controls for information systems
• Internet controls
• Contingency management

General Controls
• General controls ensure that overall computer environment is stable and well managed
• General control categories:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Protection of personal computers and client/server networks
11. Internet controls
12. Disaster recovery plans

Security Plan
• Developing and continuously updating a comprehensive security plan one of most important controls for company
• Questions to be asked:
  – Who needs access to what information?
  – When do they need it?
  – On which systems does the information reside?

Segregation of Duties
• In AIS, procedures that used to be performed by separate individuals combined
• Person with unrestricted access to computer, its programs, and live data has opportunity to both perpetrate and conceal fraud

Segregation of Duties
• To combat this threat, organizations must implement compensating control procedures
• Authority and responsibility must be clearly divided
NOTE: must change with increasing levels of automation

Segregation of Duties
Divide following functions:
• Systems analysis
• Programming
• Computer operations
• Users
• AIS library
• Data control

Duty Segregation
[Diagram. Labels: Analyze, Design Specs, Program, Programs, Operate, Output, Use, Archive]
What about small firms?

Project Development Controls
• Long-range master plan
• Project development plan
• Periodic performance evaluation
• Post-implementation review
• System performance measurements

Development Controls
[Diagram. Labels: Master Development Plan, Project Development Plan, STARTED PROJECT, COMPLETED PROJECT, SYSTEM OPERATION, Periodic Performance Review, Post Implement Review, Performance Measures]

Physical Access Controls
• Placing computer equipment in locked rooms and restricting access to authorized personnel
• Having only one or two entrances to computer room
• Requiring proper employee ID
• Requiring visitors to sign log
• Installing locks on PCs

Logical Access Controls
• Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
• What are some logical access controls?
  – passwords
  – physical possession identification
  – biometric identification
  – compatibility tests

Access Control Matrix

PASSWORD   FILES       PROGRAMS
           A     B     1     2
ABC        0     1     0     0
DEF        1     2     0     0
KLM        1     1     1     1
NOP        3     0     3     0

0 – No access
1 – Read / display
2 – Update
3 – Create / delete
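Added example (not part of the original lecture): a compatibility test that checks requests against the matrix above and denies by default, run over a small request log. The request log is constructed; treating the slide's passwords as user codes and treating each level as including the lower ones are assumptions of this example.

```python
# Added example, not from the lecture. The matrix is the one on the slide;
# the request log is constructed. Cumulative levels are an assumption.
from enum import IntEnum


class Access(IntEnum):
    NONE = 0           # 0 - No access
    READ = 1           # 1 - Read / display
    UPDATE = 2         # 2 - Update
    CREATE_DELETE = 3  # 3 - Create / delete


RESOURCES = ("file A", "file B", "program 1", "program 2")
MATRIX = {
    "ABC": (0, 1, 0, 0),
    "DEF": (1, 2, 0, 0),
    "KLM": (1, 1, 1, 1),
    "NOP": (3, 0, 3, 0),
}

REQUEST_LOG = [  # constructed: (user code, resource, requested level)
    ("DEF", "file B", Access.UPDATE),
    ("DEF", "file B", Access.CREATE_DELETE),
    ("ABC", "file A", Access.READ),
    ("NOP", "program 1", Access.CREATE_DELETE),
    ("XYZ", "file A", Access.READ),
    ("KLM", "payroll file", Access.READ),
]


def granted_level(user_code, resource):
    """Level the matrix grants; unknown users or resources get no access."""
    row = MATRIX.get(user_code)
    if row is None or resource not in RESOURCES:
        return Access.NONE
    return Access(row[RESOURCES.index(resource)])


def is_allowed(user_code, resource, requested):
    """Compatibility test: allow only if the granted level covers the request."""
    requested = Access(requested)
    if requested is Access.NONE:
        raise ValueError("a request must ask for READ or higher")
    return granted_level(user_code, resource) >= requested


def denied_requests(log):
    """Entries of the log that the matrix does not authorize."""
    return [entry for entry in log if not is_allowed(*entry)]


def holders(resource, level):
    """User codes whose granted level on a resource covers the given level."""
    return sorted(u for u in MATRIX if is_allowed(u, resource, level))


if __name__ == "__main__":
    for user, resource, level in denied_requests(REQUEST_LOG):
        print(f"DENIED {user} {level.name} on {resource}")
    print("can create/delete file A:", holders("file A", Access.CREATE_DELETE))
```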

Data Storage Controls
• Information gives company competitive edge and makes it viable
• Company should identify types of data used and level of protection required for each
• Company must also document steps taken to protect data
  – e.g., off-site storage

Data Transmission Controls
Reduce risk of data transmission failures
  – data encryption (cryptography)
  – routing verification procedures
  – parity bits
  – message acknowledgment techniques

Information Transmission System
[Diagram. Labels: Information Source, Message, Transmitter, Signal, Channel, Noise, Receiver, Information Destination]

Transmission Controls
[Diagram. Labels: SEND, RECEIVE, Encrypt, Decrypt, Routing Verification, Data Encryption, Message Acknowledgement, Message, Parity Bit]

Even Parity Bit System
[Figure. Parity bit and message in binary: 1 0 1 1 0 1 1 0 1]
• There are five “1” bits in message
• A “1” placed in parity bit to make an even number of “1”s.
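Added example (not part of the original lecture): an even-parity check on an eight-bit message with five "1" bits, as on the slide, followed by an exhaustive count of which bit-flip patterns the check detects. Placing the parity bit at the end of the frame is an assumption of this example.

```python
# Added example, not from the lecture. The parity bit is appended at the end
# of the frame, which is an assumption; the slide does not fix its position.
from itertools import combinations


def even_parity_bit(message):
    """Return the bit that makes the total number of '1's even."""
    if not message or set(message) - {"0", "1"}:
        raise ValueError("message must be a non-empty string of 0s and 1s")
    return str(message.count("1") % 2)


def make_frame(message):
    """Sender side: append the even-parity bit to the message."""
    return message + even_parity_bit(message)


def frame_ok(frame):
    """Receiver side: a valid frame carries an even number of '1's."""
    return frame.count("1") % 2 == 0


def flip(frame, positions):
    """Simulate line noise by inverting the bits at the given positions."""
    bits = list(frame)
    for i in positions:
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)


def detection_rate(frame, n_flips):
    """Try every pattern of n_flips inverted bits; return (detected, total)."""
    patterns = list(combinations(range(len(frame)), n_flips))
    detected = sum(not frame_ok(flip(frame, p)) for p in patterns)
    return detected, len(patterns)


if __name__ == "__main__":
    frame = make_frame("10110110")  # five '1' bits, so the parity bit is '1'
    print("frame sent:", frame, "valid:", frame_ok(frame))
    for n in (1, 2, 3):
        detected, total = detection_rate(frame, n)
        print(f"{n} flipped bit(s): {detected} of {total} patterns detected")
```

Every odd number of flipped bits is detected and every even number passes the check, which is why parity alone leaves some transmission errors undetected.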

Data Transmission Controls
• Added importance when using electronic data interchange (EDI) or electronic funds transfer (EFT)
• In these types of environments, sound internal control is achieved using control procedures

Data Transmission Control
• Controlled physical access to network facilities
• Identification required for all network terminals
• Passwords and dial-in phone numbers changed on regular basis
• Encryption used to secure stored and transmitted data
• Transactions log

Documentation Standards
• Documentation procedures and standards ensure clear and concise documentation
• Documentation categories:
  – Administrative documentation
  – Systems documentation
  – Operating documentation

Minimizing System Downtime
• Significant financial losses can be incurred if hardware or software malfunctions cause AIS to fail
• Methods used to minimize system downtime
  – preventive maintenance
  – uninterruptible power system
  – fault tolerance

Protection of PCs and Client/Server Networks
• PCs more vulnerable to security risks than mainframe computers
• Difficult to restrict physical access
• PC users less aware of importance of security and control
• More people familiar with the operation of PCs
• Segregation of duties is difficult

Protection of PCs and Client/Server Networks
• Train users in PC-related control concepts
• Restrict access by using locks and keys on PCs
• Establish policies and procedures

Protection of PCs and Client/Server Networks
• Portable PCs should not be stored in cars
• Back up hard disks regularly
• Encrypt or password protect files
• Build protective walls around operating systems
• Use multilevel password controls to limit employee access to incompatible data

Agenda
• AIS Threats
• Control concepts
• General controls for information systems
• Internet controls
• Contingency management

Internet Controls
• Internet control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network.

Internet Controls
• Passwords
• Encryption technology
• Routing verification procedures
• Installing a firewall

Internet Risks
[Diagram: message originating at Point A, split into packets that may travel different paths, to intended destination Point B]
? Did Point B receive this message?
? Was the message really sent by Point A?
? Did anyone else see the message?

Messaging Security
• Confidentiality
• Integrity: detect tampering
• Authentication: correct party
• Non-repudiation: sender can’t deny
• Access controls: limit entry to authorized users

Symmetric Encryption
[Diagram. Labels: Sender, Clear Text Message, Encrypt, Encoded Message, Decrypt, Clear Text Message, Receiver, Identical Keys]

PKI
• Public Key Infrastructure
• Most commonly used
• Two keys:
  – public key – publicly available
  – private key – kept secret
• Two keys related through secret mathematical formula
• Need both to process transaction

Biometric Usage
• For user authentication
• By order of use
  – finger scanners
  – hand geometry
  – face-recognition
  – eye scan
  – voiceprints
  – signature verification

Digital Signature
• Also called Certificate
• Issued by trusted third party
  – Certification Authority (CA)
• Electronic passport to prove identity
• Provides assurance messages are valid
• Uses encryption to verify identity of unseen partner

Firewall
• Firewall is barrier between networks not allowing information to flow into and out of trusted network

Firewalls
[Diagram. Labels: Internet, Attempted Access, External Screen, Firewall, Access Controls, Internal Screen, Valid Traffic, Valid Access, Sensitive Database]

Firewall Types
• Packet Filter:
  – simplest type
  – doesn’t examine data
  – looks at IP header
• Proxy Firewall (Server):
  – hides protected private network
  – forwards requests from private to public network (not within)

Firewall Types
• Demilitarized Zone:
  – more secure
  – several layers of firewall protection
  – different levels of protection to different portions of company’s network
  – runs between private network and outside public network

Bypassing Firewalls
[Diagram. Labels: Internet, Firewall, SERVER (Inventory, Customer Info, Ordering), R&D Department]

Agenda
• AIS Threats
• Control concepts
• General controls for information systems
• Internet controls
• Contingency management

Contingency Management
– Disaster Recovery
    • is reactive
– Contingency Management
    • is proactive
– Continuity Planning
    • latest term
– Accounting standards in terms of Disaster Recovery

Disaster Recovery Plan
– Purpose: to ensure processing capacity can be restored as smoothly and quickly as possible in the event of:
    • a major disaster
    • a temporary disruption

Disaster Plan Objectives
– Minimize disruption, damage, and loss
– Temporarily establish alternative means of processing information
– Resume normal operations as soon as possible
– Train and familiarize personnel with emergency operations

Plan Elements
– Priorities for recovery process
– Backup data and program files
– Backup facilities
    • reciprocal agreements
    • hot and cold sites
    • shadow mode (parallel)

Back Up Data
– Rollback:
    • predated copy of each record created prior to processing transaction
– If hardware failure
    • records rolled back to predated version
    • transactions processed from beginning
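
Added example (not part of the original lecture): the rollback procedure above as a small simulation, in which a predated copy of each record is saved before a transaction touches it, a simulated hardware failure interrupts the batch, the records are rolled back, and the batch is reprocessed from the beginning. The Ledger class, the account keys and the transaction format are constructed for illustration.

```python
class HardwareFailure(Exception):
    """Stands in for the hardware failure the slide mentions (simulated)."""


class Ledger:
    """Record store that keeps a predated copy of every record a batch touches."""

    def __init__(self, records):
        self.records = dict(records)
        self.before_images = {}            # key -> value before the batch first changed it

    def apply(self, txn):
        key, amount = txn
        if key not in self.before_images:  # save the predated copy before processing
            self.before_images[key] = self.records.get(key)   # None = record did not exist
        self.records[key] = self.records.get(key, 0) + amount

    def rollback(self):
        """Restore every touched record to its predated version."""
        for key, old in self.before_images.items():
            if old is None:
                self.records.pop(key, None)
            else:
                self.records[key] = old
        self.before_images.clear()

    def commit(self):
        """Batch finished cleanly; the predated copies are no longer needed."""
        self.before_images.clear()


def run_batch(ledger, txns, fail_at=None):
    """Process txns in order; fail_at simulates a failure just before that index."""
    for i, txn in enumerate(txns):
        if i == fail_at:
            raise HardwareFailure(f"simulated failure before transaction {i}")
        ledger.apply(txn)
    ledger.commit()


def process_with_recovery(ledger, txns, fail_at=None):
    """Run the batch; on failure roll back, then reprocess from the beginning."""
    try:
        run_batch(ledger, txns, fail_at)
    except HardwareFailure:
        ledger.rollback()       # records return to their predated versions
        run_batch(ledger, txns) # transactions processed from the beginning
    return ledger.records
```

Without the rollback step, reprocessing from the beginning would apply the transactions completed before the failure a second time.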

Back Up Data Decisions
– How often? (e.g., weekly)
    • Exposure * Risk = Expected Loss
– Where do you store backup data
    • on-site (e.g., fireproof safe)
    • off-site (incurs costs)
– How quick to recover?
– What is recovered first?

Remote Access
– Computer World, 1/21/02
– Companies eying remote access as contingency management tool
– Scrambling to develop remote access systems
– Result of September 11
– If main facilities down, still can communicate with one another

Recovery Plan
– Recovery plan not complete until tested by simulating disaster
    • EDS
– Plan must be continuously reviewed and revised so it reflects current situation
– Plan should include insurance coverage

Cardinal Health
– Redundant systems for critical order processing
– Redundant WAN trunks
– System data backed up daily
    • backup media kept off-site
– Backup replica site
    • different part of country
    • switched on within 30 minutes

The Money Store
– Databases backed up every evening
– Back-up files stored at
    • on-site
    • information storage vendor
– Automatic archival process that periodically pulls / stores back-up data files

The Money Store
– Call Centers
    • in 3 locations nationally
    • separated so that a natural disaster will not hit all three simultaneously
    • calls electronically rerouted to other two sites
    • in Sacramento, rent vacant building as emergency site

Topics Covered
– AIS Threats
– Control concepts
– General controls for information systems
– Internet controls
– Contingency management