
Chapter 15

Controlling Computer-Based Information Systems, Part I

Objectives for Chapter 15
● Features of a CBIS environment and the control objectives in SAS 78
● Threats to the operating system and controls used to minimize exposures
● Techniques used to control access to the database
● Incompatible functions in a CBIS environment
● Controls necessary to regulate systems development and maintenance activities
● Controls of an organization’s computer facilities and the disaster recovery options

Controls, CBIS & SAS 78

● TRANSACTION AUTHORIZATION
  ● may be embedded into the programs
● SEGREGATION OF DUTIES
  ● Duties that must be separated in a manual system may be combined in a computerized setting.
  ● The computer-based functions of programming, processing, and maintenance must be separated.

Segregation of Duties Control Objectives
● Transaction authorization is separate from transaction processing.
● Asset custody is separate from recordkeeping responsibilities.
● The sub-tasks needed to process the transactions are separated so that no individual or group is responsible for transaction authorization, transaction recording, and asset custody.

Segregation of Duties

[Figure: Segregation of Duties. Labels: TRANSACTION; Control Objective 1: Authorization, Processing; Control Objective 2: Authorization, Custody, Recording; Custody, Recording; Control Objective 3: Journals, Task 1, Task 2, Task 3, Task 4]

Controls, CBIS & SAS 78

● SUPERVISION - more supervision is typically necessary in a CBIS because:
  ● highly skilled employees generally have a higher turnover rate
  ● highly skilled employees are often in positions of authority
  ● physical observation of employees working with the system is often difficult or impractical

Controls, CBIS & SAS 78

● ACCOUNTING RECORDS
  ● Source documents and ledgers may be stored magnetically with no “paper trail.”
  ● Expertise is required to understand the links.
● ACCESS CONTROL
  ● Tight control is necessary over access to programs and files.
  ● Fraud is easier to commit since records are located in one data repository.

Controls, CBIS & SAS 78 (continued)
● INDEPENDENT VERIFICATION
  ● need to review the internal logic of programs and to compare accounting records with physical assets
  ● management must assess:
    ▪ the performance of individuals
    ▪ the integrity of the transaction processing system
    ▪ the correctness of data contained in accounting records

General Control Framework for CBIS Exposures
10 control components need to be addressed:
● Operating system
● Data management
● Organizational structure
● Systems development
● Systems maintenance
● Computer center security
● Internet and Intranet
● EDI
● Personal computer
● Applications

[Figure: General Control Framework for CBIS Exposures, a diagram of the ten control components]

Operating System Controls

● The operating system performs three main tasks:
  ● It translates high-level languages into the machine-level language.
  ● It allocates computer resources to user applications.
  ● It manages the tasks of job scheduling and multiprogramming.

For An Operating System To Perform These Tasks Consistently And Reliably, It Must

● protect itself from tampering by users
● be able to prevent users from tampering with the programs of other users
● be able to safeguard users’ applications from accidental corruption
● be able to safeguard its own programs from accidental corruption
● be able to protect itself from power failures or other disasters

Operating System Security

● Log-On Procedure
  ● first line of defense--user IDs and passwords
● Access Token
  ● contains key information about the user
● Access Control List
  ● defines access privileges of users
● Discretionary Access Control
  ● allows user to grant access to another user

Other Good Security Policies

● Formalized procedures for software acquisition
● Security clearances of prospective employees
● Formal acknowledgment by users of their responsibilities to the company
● Security group to monitor security violations
● Formal policy for taking disciplinary action against security violators
● Use of one-time passwords

Operating System Control Dangers
● Browsing
  ● looking through memory for sensitive information (e.g., in the printer queue)
● Masquerading
  ● pretending to be an authorized user by getting IDs and passwords
● Viruses & Worms
  ● foreign programs that spread through the system
  ● a virus must attach to another program; worms are self-contained

Operating System Control Dangers
● Trojan Horse
  ● foreign program that conceals itself with another legitimately imported program
● Logic Bomb
  ● foreign program triggered by a specific event
● Back Door
  ● alternative entry into system

Anti-Virus Software

● can prevent the initial infection by write protecting the file
● can detect the infection of known viruses
● can sometimes remove the infection
● must stay current

[Figure: General Control Framework for CBIS Exposures]

Data Management Controls

Two crucial control issues:
● Access controls
● Backup controls

Access Controls

● User views - based on sub-schemas
● Database authorization table - allows greater authority to be specified
● User-defined procedures - allow the user to create a personal security program or routine
● Data encryption - encoding algorithms
● Biometric devices - fingerprints, retina prints, or signature characteristics
● Inference controls - necessary in systems which allow queries

Data Management Controls
● Backup options:
  ● Grandparent-parent-child backup - the number of generations to back up is a policy issue
  ● Direct access file backup - back up the master file at predetermined intervals
  ● Off-site storage - guard against disasters and/or physical destruction

Computer Resource Authority Table

User     AR File                          Employee File   Line Printer   Cash Receipts Program
User 1   Read data, Change, Add, Delete   No Access       Use            No Access
User 2   Read only                        No Access       Use            Read code, Modify, Delete
User 3   No Access                        Read only       Use            No Access

(Figure labels: "List" above the resource columns, "Ticket" beside the user rows.)
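The authority table above, together with the access control list described under Operating System Security, can be enforced as a deny-by-default lookup. The Python code below is an added example, not part of the original slides; the function names are hypothetical, and "Read data" and "Read only" are both modeled as one read privilege.

```python
# Added example: the slide's authority table as a deny-by-default lookup.
# Function names are hypothetical; "Read data"/"Read only" are modeled as "read".
AUTHORITY_TABLE = {
    "User 1": {"AR File": {"read", "change", "add", "delete"},
               "Line Printer": {"use"}},
    "User 2": {"AR File": {"read"},
               "Line Printer": {"use"},
               "Cash Receipts Program": {"read code", "modify", "delete"}},
    "User 3": {"Employee File": {"read"},
               "Line Printer": {"use"}},
}


def is_allowed(user, resource, action):
    """'No Access' cells are simply absent, so anything not granted is denied."""
    return action in AUTHORITY_TABLE.get(user, {}).get(resource, set())


def ticket(user):
    """Row view: every privilege one user holds."""
    return {res: sorted(acts)
            for res, acts in AUTHORITY_TABLE.get(user, {}).items()}


def access_list(resource):
    """Column view: every user holding a privilege on one resource."""
    return {user: sorted(grants[resource])
            for user, grants in AUTHORITY_TABLE.items() if resource in grants}


def excessive_grants(requirements):
    """Least-privilege review: privileges held beyond the stated job need."""
    findings = []
    for user, grants in AUTHORITY_TABLE.items():
        for resource, acts in grants.items():
            needed = requirements.get(user, {}).get(resource, set())
            extra = acts - needed
            if extra:
                findings.append((user, resource, sorted(extra)))
    return findings
```

Passing excessive_grants a mapping of what each user actually needs returns the grants an access review should question.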

Backup Controls
● Flat-file environment
  ● grandparent-parent-child (GPC) used in sequential file batch systems
  ● direct access backup called destructive replacement
  ● offsite storage
● Database environment
  ● database backup - automatic periodic backup
  ● transaction log (journal) - a list of transactions which provides an audit trail of all processed transactions
  ● checkpoint features - suspends all data processing while the system performs reconciliation
  ● recovery module - restarts the system after a failure

[Figure: General Control Framework for CBIS Exposures]

Organizational Structure Controls

The two main CBIS environments have different exposures and internal control (IC) requirements:
● Centralized DP
● Distributed DP

[Figure: CENTRALIZED COMPUTER SERVICES FUNCTION (organization chart, by level)
President
  VP Marketing, VP Computer Services, VP Operations, VP Finance
    Systems Development, Database Administration, Data Processing
      New Systems Development, Systems Maintenance, Data Control, Data Preparation, Computer Operations, Data Library]

[Figure: DISTRIBUTED ORGANIZATIONAL STRUCTURE (organization chart, by level)
President
  VP Marketing, VP Finance, VP Administration, VP Operations
    Treasurer, Controller, Manager Plant X, Manager Plant Y
      IPU (six boxes)]

Centralized DP Organizational Controls
● In centralized IS, need to separate:
  ● systems development from computer operations
  ● database administrator and other computer service functions
    ▪ especially database administrator (authorizing) and systems development (processing)
    ▪ DBA authorizes access
  ● maintenance and new systems development
  ● data library and operations

Distributed DP Organizational Controls
● Distributed Data Processing: despite many advantages of this approach, control implications are present
  ● incompatible software among the various work centers
  ● data redundancy may result
  ● consolidation of incompatible tasks
  ● difficulty hiring qualified professionals
  ● lack of standards

Organizational Structure Controls
● A corporate computer services function/information center may help to alleviate the potential problems associated with DDP by providing:
  ● central testing of commercial hardware and software
  ● a user services staff
  ● a standard-setting body
  ● reviewing technical credentials of prospective systems professionals
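The separations listed under Segregation of Duties Control Objectives and Centralized DP Organizational Controls can be checked mechanically against duty assignments. The Python code below is an added example, not part of the original slides; the users, groups, and assignments are constructed, and it assumes duties can be inherited through group membership.

```python
# Added example: flag users whose combined duties break a separation named on
# the slides. User, group, and duty assignments below are constructed.
from itertools import combinations

INCOMPATIBLE = {
    frozenset({"authorization", "processing"}),
    frozenset({"custody", "recordkeeping"}),
    frozenset({"systems development", "computer operations"}),
    frozenset({"database administration", "systems development"}),
    frozenset({"systems maintenance", "new systems development"}),
    frozenset({"data library", "computer operations"}),
}

# Constructed sample: duties assigned directly and duties inherited from groups.
DIRECT = {
    "user_a": {"systems development"},
    "user_b": {"data library"},
    "user_c": {"custody"},
    "user_d": {"database administration", "systems development"},
}
GROUPS = {"user_a": {"night_shift"}, "user_c": {"ledger_clerks"}}
GROUP_DUTIES = {
    "night_shift": {"computer operations"},
    "ledger_clerks": {"recordkeeping"},
}


def effective_duties(user, direct, groups, group_duties):
    """Union of a user's own duties and those of every group they belong to."""
    duties = set(direct.get(user, ()))
    for group in groups.get(user, ()):
        duties |= set(group_duties.get(group, ()))
    return duties


def find_conflicts(direct, groups, group_duties):
    """Return (user, duty, duty) for each incompatible pair one user holds."""
    findings = []
    for user in sorted(set(direct) | set(groups)):
        duties = effective_duties(user, direct, groups, group_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((user, a, b))
    return findings
```

Running find_conflicts on the direct assignments alone flags only user_d; the conflicts for user_a and user_c appear once group membership is included.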

[Figure: General Control Framework for CBIS Exposures]

SDLC

[Figure: SYSTEMS DEVELOPMENT LIFE CYCLE. New Systems Development: Systems Planning, Systems Analysis, Conceptual Design, System Selection, Detailed Design, System Implementation; followed by Maintenance]

Systems Development Controls
● New systems must be authorized.
● User needs and requests should be formally documented.
● Technical design activities should be documented.
● Internal auditors should participate in the development process.
● New programs must be thoroughly tested before they are implemented.
● New systems must be tested by a team of users, internal audit staff, and systems professionals.

[Figure: General Control Framework for CBIS Exposures]

System Maintenance Controls
● Last, longest and most costly phase of SDLC
  ● 80-90% of entire cost of a system
● All maintenance actions should require
  ● technical specifications
  ● testing
  ● documentation updates
  ● formal authorizations for any changes made

SPL

● Source program library (SPL)
  ● library of applications and software
  ● place where programs are developed and modified
  ● once compiled into machine language, no longer vulnerable

Uncontrolled Access to the Source Program Library

[Figure: Uncontrolled Access to the Source Program Library. Labels: Systems Development Programmers; Systems Maintenance Programmers; Source Program Library; Source Program; Compiler Program; Object Module; Link Edit Program; Load Module; Production Load Library; Production Application]

A Controlled SPL Environment
● An SPL Management System (SPLMS) can be used to protect the SPL environment by controlling the following functions:
  ● storing programs on the SPL
  ● retrieving programs for maintenance purposes
  ● deleting obsolete programs from the library
  ● documenting program changes to provide an audit trail of the changes

[Figure: Source Program Library under the Control of SPL Management Software. Labels: SPL Management System; SPL; Systems Development Programmers; Systems Development Test Library; Application Program 00; Systems Maintenance Programmers; Systems Maintenance Test Library; Application Program 05; Maintenance Request; Compile and Link Edit; Application Load Module 05; Program Listing; Program Change Report; Documentation File; Production Load Library]

SPL Control Features
● Password control
● Separation of test libraries
● Reports that enhance management control and the audit function
● Assigns program version numbers automatically
● Controlled access to maintenance commands
● Documentation and authorization of changes
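Several of the SPL control features above (controlled access to maintenance commands, automatic version numbers, documented authorization, an audit trail) fit in a short model. The Python code below is an added example, not part of the original slides and not any vendor's SPLMS; the class, method names, and request identifiers are hypothetical, and the reconciliation step assumes production version numbers can be listed.

```python
# Added example of SPLMS-style controls; class and method names are hypothetical.
class SourceProgramLibrary:
    def __init__(self, maintainers):
        self.maintainers = set(maintainers)  # who may run maintenance commands
        self.programs = {}                   # program name -> (version, source)
        self.audit_trail = []                # one record per accepted change

    def store(self, user, name, source, authorization):
        """Accept a change only from a permitted user with an authorization."""
        if user not in self.maintainers:
            raise PermissionError(f"{user} may not modify the SPL")
        if not authorization:
            raise ValueError("change lacks a documented authorization")
        version = self.programs.get(name, (0, None))[0] + 1  # assigned by the SPL
        self.programs[name] = (version, source)
        self.audit_trail.append({"program": name, "version": version,
                                 "user": user, "authorization": authorization})
        return version

    def unexplained_versions(self, production_versions):
        """Programs whose production version has no matching audit record."""
        latest = {}
        for record in self.audit_trail:
            latest[record["program"]] = record["version"]
        return sorted(name for name, version in production_versions.items()
                      if latest.get(name) != version)


def demo():
    """Constructed walk-through: two authorized changes, then a reconciliation."""
    spl = SourceProgramLibrary(maintainers={"maint_programmer"})
    spl.store("maint_programmer", "cash_receipts", "v1 source", "REQ-001")
    spl.store("maint_programmer", "cash_receipts", "v2 source", "REQ-002")
    # Production claims version 3 of cash_receipts and an unknown payroll program.
    return spl.unexplained_versions({"cash_receipts": 3, "payroll": 1})
```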


[Figure: General Control Framework for CBIS Exposures]

Computer Center Controls
Considerations:
● location away from human-made and natural hazards
● utility and communications lines underground
● windows closed and air filtration systems in place
● access limited to the operators and other necessary workers; others required to sign in and out
● fire suppression systems should be installed
● backup power supplies

Disaster Recovery Planning
● Disaster recovery plan (DRP)
  ● all actions to be taken before, during, and after a disaster
● Disaster Recovery Team (DRT) identified
● critical applications must be identified
  ● restore these applications first
● Backups and off-site storage procedures
  ● databases and applications
  ● documentation
  ● supplies

Second-Site Disaster Backups
● Mutual Aid Pact - an agreement between two or more organizations (with compatible computer facilities) to aid each other with their data processing needs
● The Empty Shell - involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without computer equipment
● The Recovery Operations Center - a completely equipped site; very costly and typically shared among many companies
● Internally Provided Backup - companies with multiple data processing centers may create internal excess capacity