9.1 IS CONTROL
IS control is concerned with the quality, longevity, integrity, security and normal operation of
information systems. It should be able to guarantee the security of the information system, its
data and its users.
Privacy is the right of an individual to control the use of information about him or her,
including information on financial status, health and lifestyles.
Liability for system failure: Liability is legal responsibility for one's actions or products. This is
very serious in medical systems; for example, a computer program controlling an x-ray machine caused a
patient's death by setting the machine to deliver 100 times the prescribed exposure to radiation.
1. Theft
2. Sabotage and
b) Human limitations
Complacency, carelessness, greed and a limited ability to understand complex systems increase
system vulnerability. They lead users and managers to assume that systems work correctly, result in lax
enforcement of security measures, and provide a motive for computer crime.
Security can be defined as the protection of data from accidental or deliberate threats, which
might cause unauthorised modification, disclosure or destruction of data, and the protection of
the information system itself. Security is concerned with keeping data inaccessible to unauthorised
personnel rather than with the correctness of the data, which is essentially a matter of validation.
Security Measures
Factors that determine the extent to which security measures should be applied:
a) The confidentiality of the data.
b) The extent to which it may be subjected to unauthorised access.
c) The possibility of system failure.
d) The possibility of corrupting files.
e) The possibility of theft of disk files.
f) The nature of the system.
Dumping data from a master disc file to a magnetic tape file or another disk safeguards
against accidental erasure or corruption of the data, or even theft of the master disc file.
The use of passwords is most apt for these applications. Passwords, however, need to be
allocated and controlled by a responsible official and should also be changed frequently.
2) Databases
The use of user names and passwords before access is common. Each information owner must
explicitly list the authorised user names, since not all users may be allowed to amend the database.
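The database control described above, as an added example that is not part of the original notes: an information owner keeps an explicit list of user names and whether each may only read or may also amend, and every request is checked against both the password and that list. The user names, passwords and the salted-hash password store are constructed for the example; the notes themselves say nothing about how passwords are stored.

```python
import hashlib
import hmac
import os

# Constructed sample: the information owner's access list for one database.
# Anyone not named here is denied; "read" users may not amend.
ACCESS_LIST = {
    "alice": "amend",
    "bob": "read",
}

# Password store keyed by user name: (salt, PBKDF2 digest). Storing a salted
# hash rather than the clear-text password is an assumption of this example.
_PASSWORD_STORE = {}

# Record of refused requests so a responsible official can review them.
DENIALS = []


def register_user(name, password):
    """Allocate a password to a user (done by the responsible official)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    _PASSWORD_STORE[name] = (salt, digest)


def authenticate(name, password):
    """True only if the name is known and the password matches its stored hash."""
    entry = _PASSWORD_STORE.get(name)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def authorise(name, password, operation):
    """True only if the user authenticates AND the owner's list permits the operation."""
    if operation not in ("read", "amend"):
        raise ValueError("unknown operation: %r" % operation)
    if not authenticate(name, password):
        DENIALS.append((name, operation, "bad credentials"))
        return False
    level = ACCESS_LIST.get(name)          # default deny: unlisted users get None
    if level is None:
        DENIALS.append((name, operation, "not on owner's list"))
        return False
    if operation == "amend" and level != "amend":
        DENIALS.append((name, operation, "read-only user"))
        return False
    return True


def setup_demo():
    """Register the constructed users so the module runs stand-alone."""
    register_user("alice", "alice-pass")
    register_user("bob", "bob-pass")


setup_demo()

if __name__ == "__main__":
    print(authorise("alice", "alice-pass", "amend"))   # True
    print(authorise("bob", "bob-pass", "amend"))       # False: read-only
    print(DENIALS)
```

The two checks are deliberately separate: a correct password proves who the user is, while the owner's list decides what that user may do, so a stolen password still cannot amend data on behalf of a read-only user.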
dumping. There is also a second processor, which is automatically switched onto the real time
system in the event of the first machine ceasing to function for any reason.
Areas of Control
An Information System is a sub-system of a larger system, which must be co-ordinated within
the framework of the corporate strategy and company policy. Checks therefore need to be
applied, as the activities of the IT department have a bearing on the efficiency and
effectiveness of nearly all functions of a business. The areas of control in the organisation are
numerous and can be analysed within the following categories.
Organisational
Administrative
Environmental
Technological
Sociological
Procedural and Operational
Development
1) Organisational Controls
Organisational controls can be summarised as:
a) The IT department should function through a policy formulating steering committee in order
to ensure that only those projects are undertaken which will provide maximum benefit to the
entire business rather than maximising individual functions.
b) The IT manager should report to a high authority (higher than the functional level), such as the
managing director, so that overriding authority may be exercised in conflicting
circumstances.
c) The activities of the IT department should be organised to allow for the implementation of
internal check procedures to prevent collusion to perpetrate fraudulent data conversion and
master file conversion in any way. This calls for separation of data and duties, for instance,
cash handling (development) and cash recording (operation). It also necessitates
independence of a data control section even though it is normally structured within the
operations section under the control of the operations manager. The data preparation
process should be shielded from the influence of operations staff, as data must maintain the
highest integrity.
2) Administrative Controls
a) Access to data relating to business transactions should be restricted to functional and data
preparation staff in the IT department.
b) Access to the computer room should be restricted to authorised personnel only.
c) Master files and programs must be released from the library only on the presentation of an
authorisation slip and they must not be allowed to leave the IT department unless by special
authority for processing at a bureau in the event of a systems breakdown.
d) Internal check procedures must be implemented.
e) Adequate security measures, such as passwords, must be incorporated to prevent the
fraudulent entry of data.
f) Projects must be controlled to ensure they are implemented to time schedules as far as
possible.
g) Projects must be formally approved by management prior to systems development, perhaps
as a result of the deliberations of a steering committee.
h) Budgeted levels of expenditure should be adhered to and controlled by means of a formal
budgetary control system.
i) Control of performance standards.
3) Environmental Controls
a) Dust-extracting mats and double doors, as well as monitoring equipment, should be
installed to prevent dust from corrupting files.
b) Installations should be properly set up with respect to temperature, power supply and
humidity.
4) Technological Controls
a) Controls to ensure that the most suitable equipment is being used for all IT activities, to
prevent obsolescence, which reduces productivity.
b) Direct input methods requiring the use of workstations in the form of Visual Display Units for
order entry systems may need to be installed to replace the older techniques.
c) Rightsizing
5) Sociological Controls
a) Human aspects such as redundancy should be treated in the most humane way.
b) Restructuring of tasks so that users may remain motivated.
6) Input Controls
a) Correct errors before releasing the documents for processing in IT.
b) Check for missing data fields or transposed digits.
c) Verification and validation.
d) Use a different operator to key in the same data.
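The input controls listed above, as an added example that is not part of the original notes: a record is checked for missing fields before release, a weighted modulus-11 check digit (the ISBN-10 style scheme, assumed here; the notes do not name a scheme) is used to catch transposed digits in a reference number, and two independent keyings of the same record are compared. The field names, the sample records and the reference numbers are constructed for the example.

```python
# Fields a constructed transaction record must carry before it is released.
REQUIRED_FIELDS = ("customer_no", "amount", "date")


def mod11_check_digit(body):
    """Weighted modulus-11 check digit for a string of decimal digits.

    Weights run from len(body)+1 down to 2; the check digit carries weight 1 and
    makes the weighted sum a multiple of 11. Because adjacent weights differ by
    exactly 1, transposing two different adjacent digits always changes the sum
    modulo 11, so every such transposition is detected.
    """
    if not body.isdigit():
        raise ValueError("body must be decimal digits")
    n = len(body)
    total = sum((n + 1 - i) * int(d) for i, d in enumerate(body))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def make_reference(body):
    """Append the check digit to a digit string."""
    return body + mod11_check_digit(body)


def reference_is_valid(ref):
    """True if the last character is the correct check digit for the rest."""
    if len(ref) < 2 or not ref[:-1].isdigit():
        return False
    return mod11_check_digit(ref[:-1]) == ref[-1].upper()


def validate_record(record):
    """Return a list of error messages; an empty list means the record may be released."""
    errors = []
    for field in REQUIRED_FIELDS:
        if not str(record.get(field, "")).strip():
            errors.append("missing field: " + field)
    ref = str(record.get("customer_no", "")).strip()
    if ref and not reference_is_valid(ref):
        errors.append("customer_no fails check digit (possible transposed digits)")
    return errors


def keyed_twice_matches(first, second):
    """Compare two independent keyings of the same record; return the fields that differ."""
    fields = set(first) | set(second)
    return sorted(f for f in fields if first.get(f) != second.get(f))


if __name__ == "__main__":
    good = {"customer_no": make_reference("12345"), "amount": "250.00", "date": "2024-03-01"}
    bad = {"customer_no": "213455", "amount": ""}          # digits 1 and 2 transposed
    print(validate_record(good))   # []
    print(validate_record(bad))    # missing amount, missing date, check-digit failure
    print(keyed_twice_matches(good, dict(good, amount="25.00")))   # ['amount']
```

A check digit only catches keying errors in the field that carries it; the second keying by a different operator is what catches errors in the free-form fields.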
7) Hardware Controls
a) Maintain the hardware regularly.
b) Check that the computer circuitry verifies that every character consists of the correct number of bits (that is,
parity checks).
c) Detect data corrupted due to parity failure and correct them.
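The parity controls in b) and c) above, as an added example that is not part of the original notes. A single even-parity bit per character detects any odd number of flipped bits but cannot say which bit flipped; to actually correct a single-bit error, this example adds a second parity check across the columns of a block (two-dimensional parity), which is an assumption of the example rather than a scheme the notes describe. The block contents are constructed.

```python
def parity_bit(value, nbits=8):
    """Even parity: 1 when an odd number of bits is set, so that value+bit has even weight."""
    return bin(value & ((1 << nbits) - 1)).count("1") & 1


def encode_block(data):
    """Return (data, row_parity_bits, column_parity_byte) for a list of 8-bit values.

    Each character gets its own parity bit (the row check the hardware performs);
    the column byte is the XOR of all characters, i.e. even parity per bit position.
    """
    rows = [parity_bit(b) for b in data]
    col = 0
    for b in data:
        col ^= b
    return list(data), rows, col


def check_block(data, rows, col):
    """Return (indices of rows whose parity fails, bit mask of columns whose parity fails)."""
    bad_rows = [i for i, b in enumerate(data) if parity_bit(b) != rows[i]]
    col_now = 0
    for b in data:
        col_now ^= b
    bad_cols = col_now ^ col          # a set bit marks a column whose parity failed
    return bad_rows, bad_cols


def correct_single_bit(data, rows, col):
    """Detect corruption and repair it when exactly one data bit is wrong.

    Returns (data, status) where status is one of:
      "ok"            - all parity checks pass
      "corrected"     - one row and one column failed; the bit at their crossing was flipped back
      "parity-only"   - a parity bit itself was corrupted; the data is intact
      "uncorrectable" - more than one bit is wrong; the block must be re-read or restored
    """
    bad_rows, bad_cols = check_block(data, rows, col)
    if not bad_rows and bad_cols == 0:
        return list(data), "ok"
    if len(bad_rows) == 1 and bin(bad_cols).count("1") == 1:
        fixed = list(data)
        fixed[bad_rows[0]] ^= bad_cols
        return fixed, "corrected"
    if (len(bad_rows) == 1 and bad_cols == 0) or (not bad_rows and bin(bad_cols).count("1") == 1):
        return list(data), "parity-only"
    return list(data), "uncorrectable"


if __name__ == "__main__":
    data, rows, col = encode_block([0x41, 0x42, 0x43])   # constructed block "ABC"
    damaged = list(data)
    damaged[1] ^= 0x04                                   # one bit flipped in the second character
    print(check_block(damaged, rows, col))               # ([1], 4)
    print(correct_single_bit(damaged, rows, col))        # ([65, 66, 67], 'corrected')
    damaged[1] ^= 0x10                                   # a second flip in the same character
    print(correct_single_bit(damaged, rows, col))        # (..., 'uncorrectable')
```

The row check alone is what "detects data corrupted due to parity failure"; two flipped bits in one character leave its parity unchanged, which is why the uncorrectable case must fall back to re-reading the data or restoring it from a dump.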