
Chapter 7: INFORMATION SYSTEMS CONTROL

9.1 IS CONTROL
Concerned with the quality, longevity, integrity, security and normal operations of information
systems. Should be able to guarantee the security of information system, the data, and the
users.

9.1.1 Threats to security, privacy and confidentiality


Security can be defined as the protection of data from accidental or deliberate threats,
which might cause unauthorised modification, disclosure or destruction of data, and the
protection of the system from the degradation or non-availability of services.

Privacy is the right of an individual to control the use of information about him or her,
including information on financial status, health and lifestyles.

Liability for system failure: Liability is legal responsibility for one’s actions or products. This is
very serious in medical systems, e.g. a computer program controlling an x-ray machine caused a
patient’s death by setting the machine to deliver 100 times the prescribed exposure to radiation.

Threats, accidents and malfunctions

- Telephone fraud (tapping)
- Operator error
- Hardware malfunctions
- Software bugs
- Data errors
- Damage to physical facilities
- Inadequate system performance
- Computer crimes

Computer crime is the use of computerised systems to perform illegal acts. It is divided into:

1. Theft

2. Sabotage and vandalism

Perpetrators of computer crime can be divided into employees, outsiders, and hackers.
Factors that increase the risks


a) Nature of complex systems / Complexity of systems
System decentralisation and multivendor connectivity affect security. As networked
workstations become more common, the ability to access, copy and change computerised data
expands.

b) Human limitations

Complacency, carelessness, greed and limited ability to understand complex systems increase
system vulnerability. These lead users and managers to assume systems work correctly, result in lax
enforcement of security systems, and provide a motive for computer crime.

c) Pressure in the business environment


In the rush to meet deadlines with insufficient resources, features and testing that reduce
vulnerability may be left out. The competitive environment has also pushed companies to
reduce their executive level attention to security.

d) Developments in IT: advances in programming techniques; virus developers are getting
smarter by the day.

9.1.2 Information Systems Controls


Information systems need to be run both effectively and efficiently to ensure that they produce
the maximum possible profits arising from productive output. Part of effective running of an
information system requires proper control. Control is needed to ensure that unauthorised users
in any way do not tamper with the information in the organisation. Information systems need to
be safely secured from outside interference.

Security can be defined as the protection of data from accidental or deliberate threats, which
might cause unauthorised modification, disclosure or destruction of data and the protection of
the information system. Security ensures that the data is inaccessible to unauthorised personnel
rather than correctness of data, which essentially is validation.

Security Measures
Factors that determine the extent to which security measures should be applied:
a) The confidentiality of the data.
b) The extent to which it may be subjected to unauthorised access.
c) The possibility of system failure.
d) The possibility of corrupting files.
e) The possibility of theft of disk files.
f) The nature of the system.

Dumping: copying data from a master disc file to a magnetic tape file or another disk to safeguard
against accidental erasure or corruption of the data, or even theft of the master disc file.

1) Security in on-line Processing Systems


Applications such as order processing, invoicing and sales ledger; stock control, purchase
ledger and payroll are on-line processing systems.

The use of passwords is most apt for these applications. The passwords though need to be
allocated and controlled by a responsible official and should also be changed frequently.

2) Databases
The use of user names and passwords before access is common. Each information owner must
explicitly list the user names that may amend the database; not all users may do so.

3) Real Time Systems

Since real time systems are designed to deal with dynamic situations, there is need for a control
that can allow for random input at random times. The most common control method is by use of
dumping. There is also a second processor, which is automatically switched onto the real time
system in the event of the first machine ceasing to function for any reason.

Areas of Control
An Information System is a sub-system of a larger system, which must be co-ordinated within
the framework of the corporate strategy and company policy. Thus checks need to be employed
/ applied as the activities of the IT department have a bearing on the efficiency and
effectiveness of nearly all functions of a business. The areas of control in the organisation are
numerous and can be analysed within the following categories.
- Organisational
- Administrative
- Environmental
- Technological
- Sociological
- Procedural and Operational
- Development

1) Organisational Controls
Organisational controls can be summarised as:
a) The IT department should function through a policy formulating steering committee in order
to ensure that only those projects are undertaken which will provide maximum benefit to the
entire business rather than maximising individual functions.
b) The IT manager should report to a high authority (higher than the functional level), such as the
managing director, so that overriding authority may be exercised in conflicting
circumstances.
c) The activities of the IT department should be organised to allow for the implementation of
internal check procedures to prevent collusion to perpetrate fraudulent data conversion and
master file conversion in any way. This calls for separation of data and duties, for instance,
cash handling (development) and cash recording (operation). It also necessitates
independence of a data control section even though it is normally structured within the
operations section under the control of the operations manager. The data preparation
process should be shielded from the influence of operations staff, as data must maintain the
highest integrity.

2) Administrative Controls
a) Access to data relating to business transactions should be restricted to functional and data
preparation staff in the IT department.
b) Access to the computer room should be restricted to authorised personnel only.
c) Master files and programs must be released from the library only on the presentation of an
authorisation slip and they must not be allowed to leave the IT department unless by special
authority for processing at a bureau in the event of a systems breakdown.
d) Internal check procedures must be implemented.
e) Adequate security measures must be incorporated to prevent fraudulent entry of data to
perpetrate fraud by use of passwords.
f) Projects must be controlled to ensure they are implemented to time schedules as far as
possible.
g) Projects must be formally approved by management prior to systems development, perhaps
as a result of the deliberations of a steering committee.
h) Budgeted levels of expenditure should be adhered to and controlled by means of a formal
budgetary control system.
i) Control of performance standards.

3) Environmental Controls
a) Dust extracting mats and double doors as well as monitoring equipment should be
implemented to prevent dust from corrupting files.
b) The installations should be perfectly done in terms of conditions of temperature, power and
humidity.

4) Technological Controls
a) Controls to ensure that the most suitable equipment is being used for all IT activities to
prevent obsolescence which leads to less productivity.
b) Direct input methods requiring the use of workstations in the form of Visual Display Units for
order entry systems may need to be installed to replace the older techniques.
c) Rightsizing

5) Sociological Controls
a) Human aspects such as redundancy should be treated in the most humane way.
b) Restructuring of tasks so that users may remain motivated.

6) Input Controls
a) Correct errors before releasing the documents for processing in IT.
b) Check for missing data fields or transposed digits.
c) Verification and validation.
d) Use a different operator to key in the same data.
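As an added example (not from these notes), the input controls above applied to a keyed transaction record: missing-field checks, a mod-10 (Luhn) check digit to catch mis-keyed or transposed digits (the notes do not name a specific check-digit scheme; this one is an assumption), and comparison of two independent keyings. The record layout and values are constructed.

```python
# Added example: input controls for a keyed transaction record (constructed layout).
REQUIRED_FIELDS = ("account_no", "amount", "date")  # assumed record layout


def luhn_check_digit(body: str) -> str:
    """Mod-10 check digit: double every second digit from the right of the body."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        n = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the preceding digits.
    Catches any single mis-keyed digit and adjacent transpositions (except 09<->90)."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def validate_record(rec: dict) -> list:
    """Return a list of error messages; an empty list means the record may be released."""
    errors = []
    for field in REQUIRED_FIELDS:
        if not str(rec.get(field, "")).strip():
            errors.append(f"missing field: {field}")
    acct = str(rec.get("account_no", ""))
    if acct and not luhn_valid(acct):
        errors.append("account_no fails check digit (keying or transposition error)")
    return errors


def verify_keying(first: dict, second: dict) -> list:
    """Key verification: fields that differ between two operators' keyings."""
    return sorted(f for f in set(first) | set(second) if first.get(f) != second.get(f))


# Constructed sample records (account numbers are illustrative only).
GOOD = {"account_no": "79927398713", "amount": "150.00", "date": "2024-01-31"}
TRANSPOSED = {"account_no": "97927398713", "amount": "150.00", "date": "2024-01-31"}
MISSING = {"account_no": "79927398713", "amount": ""}

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("transposed", TRANSPOSED), ("missing", MISSING)):
        print(name, validate_record(rec))
    print("keying mismatches:", verify_keying(GOOD, TRANSPOSED))
```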

7) Hardware Controls
a) Maintain the hardware regularly.
b) Check, in the computer circuitry, that all characters consist of the correct number of bits (that is,
the parity checks).
c) Detect data corrupted due to parity failure and correct it.
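As an added example (not from these notes) of the two hardware controls just listed: a single even-parity bit detects that a character has an odd number of flipped bits but cannot locate the fault, whereas a Hamming(7,4) code (an assumed choice; the notes do not name a correcting code) locates and corrects a single flipped bit.

```python
# Added example: parity detection versus single-error correction (Hamming(7,4)).
from typing import List, Tuple


def even_parity_bit(bits: List[int]) -> int:
    """Parity bit that makes the total number of 1s even."""
    return sum(bits) % 2


def parity_check_ok(bits_with_parity: List[int]) -> bool:
    """Hardware-style parity check on a character plus its parity bit.
    Detects any odd number of flipped bits; an even number passes undetected,
    and a failure says nothing about which bit is wrong."""
    return sum(bits_with_parity) % 2 == 0


def hamming74_encode(d: List[int]) -> List[int]:
    """Encode 4 data bits as 7 bits laid out [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4   # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4   # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4   # covers positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(r: List[int]) -> Tuple[List[int], int]:
    """Return (data bits, position 1..7 of the corrected bit, or 0 if none).
    The three parity checks form a syndrome that equals the faulty position."""
    r1, r2, r3, r4, r5, r6, r7 = r
    s1 = r1 ^ r3 ^ r5 ^ r7
    s2 = r2 ^ r3 ^ r6 ^ r7
    s3 = r4 ^ r5 ^ r6 ^ r7
    pos = s1 + 2 * s2 + 4 * s3
    fixed = list(r)
    if pos:
        fixed[pos - 1] ^= 1          # correct the single flipped bit
    return [fixed[2], fixed[4], fixed[5], fixed[6]], pos


if __name__ == "__main__":
    char = [1, 0, 1, 1, 0, 0, 1, 0]                      # constructed 8-bit character
    framed = char + [even_parity_bit(char)]
    damaged = list(framed); damaged[1] ^= 1
    print("parity ok:", parity_check_ok(framed), "after one flip:", parity_check_ok(damaged))
    code = hamming74_encode([1, 0, 1, 1])
    code[4] ^= 1                                         # flip position 5 in transit
    print("hamming decode:", hamming74_decode(code))     # data restored, position 5
```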

8) Systems Development Controls


These aim at designing and development of systems that meet user requirements, conform to
laid down time schedules, ensure co-ordination between user department staff and ensure that
design philosophy is adhered to.
