Chapter VI

Ethics & IT Controls

GROUP 5
content

01 Ethical Issues in Business 02 IT Controls

a. Business Ethics a. IT Governance Controls

b. Computer Ethics b. Controlling the Operating System

c. Controlling the Database

Management System
d. Controlling Networks

e. Application Controls
 Ethical standards are derived from societal mores and deep-rooted personal beliefs
about issues of right and wrong that are not universally agreed upon. It is quite
possible for two individuals, both of whom consider themselves to be acting ethically, to
be on opposite sides of an issue.

Ethical
Issues in
Business
Ethics
pertains to the principles of conduct that individuals use in making
choices and guiding their behavior in situations that involve the
concepts of right and wrong.
Business
Ethics
(1) How do managers decide what is right in conducting their business? and
(2) Once managers have recognized what is right, how do they achieve it?
Ethical issues in business can be
divided into four areas :
Equity

Rights

Honesty

Exercise of corporate power

Equity
Executive Salaries
Comparable Worth
Product Pricing
Exercise of corporate power
Political Action Committees
Workplace Safety
Product Safety
Environmental Issues
Rights Honesty
Corporate Due Process Employee and Management Conflicts of
Employee Health Screening Interest
Employee Privacy Security of Organization Data and Records
Sexual Harassment Misleading Advertising
Diversity Questionable Business Practices in Foreign
Equal Employment Countries
Opportunity Accurate Reporting of Shareholder
Whistleblowing Interests
Divestment of Interests
Corporate Political Contributions
Downsizing and Plant Closures
Making Ethical Decisions
Making Ethical Decisions

Business organizations have conflicting responsibilities to their employees,

shareholders, customers, and the public. Every major decision has consequences
that potentially harm or benefit these constituents.
Seeking a balance between these consequences is the
managers’ ethical responsibility.
Proportionality

Justice

Minimize risk
Computer Ethics
Computer Ethics

the analysis of the nature and social impact of computer technology

and the corresponding formulation and justification of policies for
the ethical use of such technology.
Three levels of computer ethics:

Pop computer ethics

Para computer ethics

Theoretical computer ethics

 Pop computer ethics

is simply the exposure to stories and reports found in the popular media
regarding the good or bad ramifications of computer technology.
 Para computer ethics

involves taking a real interest in computer ethics cases and acquiring some
level of skill and knowledge in the field.
 Theoretical computer ethics

is of interest to multidisciplinary researchers

who apply the theories of philosophy, sociology, and psychology to computer science
with the goal of bringing some new understanding to the field.
Issues in Computer Ethics
 Privacy

Control over personal information shared with others

Issues in Data Management :

Potential misuse of data in large shared databases.
Ownership of personal information.
 Privacy

Should privacy be protected through policies and systems?

What information does an individual truly own?
Should companies buy and sell personal data without consent?
 Security
(Accuracy and Confidentiality)
Prevent loss of data confidentiality and integrity.
Protect against fraud and misuse of computer systems.
 Security
(Accuracy and Confidentiality)

Ethical Issues:
Dissemination of inaccurate or unauthorized information.
Security vs. Freedom of Access:
Security can protect personal property but limit data access.
Automated monitoring may protect systems but compromise user privacy.
 Security

Where should the line be drawn between security and privacy?

What is the appropriate level of security?
Which is more important: security, accuracy, or confidentiality?
 Ownership of Property

Intellectual property laws protect creations like software, including

its source code and design.
 Ownership of Property

What can be owned? Ideas, source code, user interface?

Should users be limited in how they access or use software?
 Pros: Cons:
Safeguard the time and effort May prevent innovation and the
spent on development. creation of industry standards.

Copyright Laws
 Ownership of Property

Software is easy to copy and distribute.

Does software fit under traditional copyright laws, or do we need
new laws specifically for software?
 Equity in Access

Ensuring everyone has fair access to technology, regardless of their

background or abilities.
 Barriers to Access

Economic Cultural Physical

Cost of technology limits Limited access due to Lack of safety features

access for individuals or language barriers or or accessibility for
organizations with lower poor translations. people with disabilities.
income.
 Equity in Access

How can we design hardware and software to accommodate diverse users?

What is the cost of making technology accessible for everyone?
Which groups should be prioritized for equitable access?
 Environmental Issues

Excessive printing leads to :

Waste of paper (from trees, a limited resource).
More waste in landfills if not recycled.
 Environmental Issues

Should organizations limit nonessential printing?

How do we define "nonessential"?
Who should define it?
Should recycling be required and enforced?
 Artificial Intelligence

Reliance on AI:
Expert systems are designed to make decisions, often replacing human experts.
 Artificial Intelligence

Concerns:
Inaccurate or incomplete knowledge in the system.
Responsibility for faulty decisions made by AI.
Potential biases from the decision-making style of developers or managers.
 Artificial Intelligence

Who is responsible for the accuracy and completeness of the knowledge base?
Who is accountable if an AI system causes harm with its decisions?
Who owns the expertise once it’s coded into a system?
 Unemployment and Displacement
Computer technology is changing many jobs, and some workers are displaced
because they cannot adapt to these changes.
 Unemployment and Displacement
Should employers be responsible for retraining workers who lose their jobs due to
computerization?
 Misuse of Computers
Copying proprietary software.
Using a company computer for personal purposes.
Snooping through other people’s files.
 Misuse of Computers
Why do people often ignore laws against copying software?
Should the law be changed?
What harm does unauthorized copying cause to software developers?
Is there harm when computers are used for personal reasons at work?
Does it matter if it’s during or outside of work hours?
Is it okay to look through someone else's paper or computer files?
Are paper files and computer files treated differently?
IT GOVERNANCE CONTROLS
Information Technology Governance
a relatively new subset of corporate governance that
focuses on managing strategic IT resources
Key objectives includes: reducing risk and ensuring
that IT investments adds value to the corporation.
Information Technology Governance
Controls
Organizational Structure

Computer Center Operations

Disaster Recovery Planning

Two Primary Model of Organizational
Structure

Centralized Model

Distributed Model
Centralized Model

All IT services are managed from a central location,

promoting efficiency and consistency. This model emphasizes
segregation of duties to prevent fraud and ensure
accountability.
Centralized Model
 IT Functions

Database administrator

Data processing

Systems development and maintenance

 Segregation of Incompatible IT
Function
Separating systems Separating database
development from administration from
computer operations other functions

Separating new
systems development
from maintenance
Distributed Model

involves decentralizing decision-making authority, allowing

individual departments or units within an organization to
manage their own IT resources and initiatives.
 Risks Associated with Distributed
Model
Incompatibility Redundancy

Consolidating Acquiring qualified

Incompatible Activities professionals

Lack of standards
Corporate IT
Function
 Corporate IT Function
Central testing of
commercial software User services
and hardware

Standard setting body Personal review

Audit Objectives

The auditor’s objective is to verify that individuals in

incompatible areas are segregated in accordance with the level
of potential risk and in a manner that promotes a working
environment.
 1

Obtain and review the corporate policy on computer

security.
2

Review relevant documentation, including the current

organizational chart, mission statement, and job
descriptions for key functions, to determine if
individuals or groups are performing incompatible
functions.
3

Audit Review systems documentation and maintenance

Procedures records for a sample of applications.
 4

Through observation, determine that the segregation

policy is being followed in practice.

Review user rights and privileges to verify that

programmers have access privileges consistent with
their job descriptions.

Audit
Procedures
COMPUTER CENTER SECURITY
AND CONTROLS

it is critical for protecting data and

infrastructure in environments where
computing resources are centralized.
Computer Center Controls
Physical location

Construction

Access

Air-conditioning

Fire Suppression
 Fault Tolerance Control

The ability of the system to continue the

operation when one of the system fails because
of hardware failure, application program error or
operator error.
 Fault Tolerance Control

Redundant arrays of Uninterrupted power

independent disks supplies
Audit Objectives

The auditor must verify that: physical security controls are

adequate to reasonably protect the organization from physical
exposures; insurance coverage on equipment is adequate to
compensate the organization for the destruction of, or damage
to, its computer center; and operator documentation is
adequate to deal with routine operations as well as system
failures.
 1
Audit
procedures Tests of physical construction.
for Assessing
Physical 2
Security
Controls Tests of the fire detection system

Tests of access control

 Tests of fault
tolerance
control
1 RAID

2 POWER SUPPLIES BACKUP

 1 Be annually reviewed.
Audit
procedures 2 All new acquisitions are listed on the policy.
for verifying
Obsolete equipment and software have
insurance 3
been deleted.

coverage 4 Insurance policy should reflect the

management’s needs in terms of extent of
coverage.

1 RUN MANUAL Audit procedures for

verifying adequacy of
operator documentation
DISASTER RECOVERY PLANNING

comprehensive statement of all actions to be talen

before, during, and after a disaster, along with
documented, tested procedures that will ensure
the continuity of operatsions.
CONTROL ISSUES
Provide site backup

Identify critical application

Performing back up and off-

site storage procedure

Creating a disaster recovery

plan
PROVIDE SITE BACKUP
The empty shell

The recovery operations

center

Internally provided backup

PERFORMING BACKUP AND OFF_SIT
STRAGE PROCEDURE
Back up data files

Backup documentation

Backup supplies and source

documents
CREATING A DISASTER RECOVERY
TEAM
TESTING THE DRP
Audit objectives: Assessing disaster
recovery planning

The auditor should verify that

management’s disaster recovery plan is
adeqaute and feasible for dealing with a
catastrophe that could deprive that
organization of its computing resources.
 Audit objectives : Assessing
disaster recovery planning
1 Second-site backup

2 Critical application list

3 Backup critical applications and citical data files

4 Backup supplies source documents and documentation

5 The disaster recovery team

Controlling the OS
 Operating system

it is the computer’s control program

allows users and their applications toshare and
access common computer resources
 3 Main Tasks of Operating System

1. Translates high-level languages

2. Allocates computer resources to users, workgroups and applications
3. Manages tasks of job scheduling and multiprogramming
 5 Fundamental Control Objectives
of Operating System
1. Protect itself from users
2. Protect users from each other
3. Protectusers from themselves
4. Must be protected from itself
5. Must be protected from its environment
 Operating System Security

involves policies, procedures and controls that determine:

1. who can access the operating system
2. which resources they can access
3. what actions they can take
Four Security Components to Secure Operating
Systems
1. Log on Procedure
2. Access Token
3. Access Control List
4. Discretionary Access Privileges
 Log on Procedure

first line of defense against unauthorized access

presents a dialog box reauesting the user’s ID and password
 Access Token

contains key information about the user and that is used to approve
all actions the user attempts during the session
 Access Control List

assigned to each resource control access to system resources such

as directories, files, programs and printers
 Discretionary Access Privileges

allows resource owners to grant privileges to other users

 Two Types of Threats

Accdiental Threats
Intentional Threats
 3 Sources of Exposures
Privileged personnel who abuse their authority
Individuals who browse the operating system to identify and exploit
security flaws
Individuals who intentionally insert computer viruses into the
operating system
Operaing System Controls and Tests of Controls
Controlling Access Privileges
Password Control
Controlling against Malicious and Destuctive Programs
System Audt Trail Controls
Setting Audit Trail Objectives
Implementing a System Audit Trail
 Control Access Privileges

assigned to individuals and to entire workgroups authorized to use

the system
 Password Control

secret code that user enters to gain access to systems, applications,

or data files.
Reusable passwords
One time passwords
Controlling against Malicious and Destructive
Programs

purchase software only from reputable vendors

prohibit use of illegal copies of software
inspect viruses
 System Audit Trail Controls

logs that record activity at the system, application and user level
2 Types of Audit Logs
1. Keystroke Monitoring
2. Event Monitoring
 Setting Audit Trail Objectives

Detecting unauthorized access

Reconstructing events
Personal accountability
Controlling Database Management Systems
 Two Categories of Controlling DMS

Access
Controls designed to prevent unauthorized individuals from viewing, retrieving,
corrupting, or destroying the entity’s data

ensure that in the event of data loss due to unauthorized access,

equipment failure, or physical disaster, the organization can recover its
Backup
files and databases. Controls.
Access Controls
User Views
The user view or subschema is a subset of the total database
that defines the user’s data domain and restricts his or her
access to the database accordingly.
The database administrator typically is responsible for defining
user views. Auditors check to ensure users only have access to
what they need for their work.
User Views
Database authorization table

a table contains rules that limit the actions a user can take
Database authorization table
User-defined procedure

procedure allows the user to create a personal security

program or routine to provide more positive user identification
than a password can.
Data encryption

procedure to protect highly sensitive data that uses an

algorithm to scramble selected data, thus making it unreadable
to an intruder browsing the database.
Biometric devices

tools that check unique physical traits, like fingerprints, voice, or

eye patterns, to confirm a person's identity.
Audit Objectives Relating to Database
Access
to verify that individuals who are authorized to use the
database are limited to accessing only the data
needed to perform their duties

unauthorized individuals are

denied access to the database
 1

Responsibility for Authority Tables and Subschemas

Appropriate access authority.

Audit 3

Procedures Biometric Controls.

for Testing 4

Access Encryption Controls

Controls
 Responsibility
The auditor should make sure that only database administrators are in
charge of creating authority tables and user views. To check this, the
for Authority
auditor can: Tables and
1 Review Policies and Job Descriptions Subschemas
2 Examine Access Privileges

3 Conduct Interviews
Appropriate The auditor can select a sample of users and verify that their access
access privileges stored in the authority table are consistent with their
organizational functions.
authority.

Biometric
The auditor should evaluate the costs and benefits of biometric controls.
Controls.

Encryption The auditor should verify that sensitive data, such as passwords, are
properly encrypted. This can be done by printing the file contents to hard
Controls copy.
Backup Controls
Features of Backup Controls
Database Backup

Transaction log

Checkpoints

Recovery Module
DATABASE BACKUP
The backup feature makes a periodic backup of the entire
database.
This is an automatic procedure that should be performed at
least once a day.
The backup copy should then be stored in a secure remote
area.
TRANSACTION LOG (JOURNAL)

provides an audit trail of all processed transactions.

It lists transactions in a transaction log file and records the
resulting changes to the database in a separate database
change log.
CHECKPOINT FEATURE

suspends all data processing while the system reconciles the

transaction log and the database change log against the
database.
RECOVERY MODULE

uses the logs and backup files to restart the system after a
failure.
Audit Objectives Relating to Database
Backup

The auditor’s objective is to verify that database

backup controls are adequate to facilitate the
recovery of lost, destroyed, or corrupted data.
 Database backup should be a routine activity.

1
The auditor should verify from system documentation that
production databases are copied at regular intervals (perhaps
several times an hour).

2
The auditor should verify through documentation and observation that
backup copies of the database are stored off-site to support disaster
recovery procedures.

Audit
Procedures
CONTROLLING NETWORKS
NETWORK TOPOLOGIES

- refer to the structural layout or arrangement of different elements

(communication lines, hardware components, and software) in a
network.
 KEY COMPONENTS OF NETWORK
TOPOLOGIES
3. Software
1. Communications 2. Hardware - governs how
Lines Components devices
- are the "paths" or - are the physical communicate,
"roads" that carry data devices that facilitate ensuring that data is
communication in the sent, received, and
across the network. network. processed
correctly.
Examples: Examples:
Twisted-Pair Wires Modems Examples:
Multiplexers Protocols
Coaxial Cable Servers Network
Microwaves Front-End Control
Fiber Optics Processors Systems
GENERAL FORMS OF RISKS IN
NETWORK COMMUNICATION
Risks from Subversive Threats

Risks From Equipment Failures

1. Risks from Subversive Threats
- are intentional attacks on a network.

Examples:
Hacking - occurs when someone breaks into the network to steal
or manipulate information.
Intercepting Messages - this is like eavesdropping on private
messages being sent between two people.
Denial-of-Service (DoS) Attacks - involves overwhelming a
website or network with fake requests, causing it to crash.
2. Risks From Equipment Failures:
- are risks caused by the malfunction or breakdown of network
components like hardware, cables, or servers.

Examples:
Server going offline
Damaged cables or hardware
Loss of stored files or programs
I. CONTROLLING RISKS FROM
SUBVERSIVE THREATS
FIREWALL
- is a system that enforces access control between two networks.
It ensures secure and controlled communication between external
and internal networks.
KEY PRINCIPLES OF FIREWALLS:

Traffic Control

Only Authorized Traffic

Allowed

Immunity from Penetration

TYPES OF FIREWALL

Network-Level Firewalls

Application - Level Firewalls

Dual-homed System
Network-Level Firewalls
Efficient but low security access control.

Consists of a screen router that examines the source and

destination addresses of message packets.

Allows free flow of information, no explicit user authentication.

Application-Level Firewalls

Higher level of security but with added connectivity overhead.

Uses proxies for user authentication and secure services.

Provides logging and auditing for unauthorized activities.

Dual-Homed System

Two interfaces: one for screening incoming requests from the

Internet, one for intranet access

Proxy applications for access control, no direct Internet

communication
CONTROLLING DENIAL OF SERVICE
ATTACKS
DENIAL-OF-SERVICE (DoS) ATTACKS
- aims to disrupt the accessibility of a server, service, or network by
overwhelming it with illegitimate traffic.
COMMON TYPES OF DoS ATTACKS
SYN Flood: Smurf Attack:
Overloads with fake Spoofs (fakes) IP
connection requests addresses to flood the
(called SYN packets). target.

Distributed DoS (DDoS):

Uses thousands of
compromised devices
(called “zombies” or bots)
making it hard to block.
COUNTERMEASURES AGAINST DoS
ATTACKS
SYN Flood Attack: Smurf Attack:
Firewalls block Blocking the attacking
incomplete connection Internet Protocol (IP)
attempts. addresses.

Distributed DoS (DDoS):

Using Intrusion Prevention
Systems (IPS) to detect and
stop unusual traffic.
ENCRYPTION

- Converts data into a secret code.

- Protects data in storage and during transmission.

- Cleartext (original message) → Ciphertext (coded message).

GENERAL APPROACHES TO
ENCRYPTION

Private Key Encryption

Public Key Encryption:

1. Private Key Encryption
- one key is shared by sender and receiver.

Examples:

AES (Advanced Encryption Standard) - uses a single key

known to both the sender and the receiver of the message

Triple DES (Data Encryption Standard) Encryption- employs

three layers of encryption for better security.
1. Private Key Encryption
- one key is shared by sender and receiver.

Examples:

AES (Advanced Encryption Standard) - uses a single key

known to both the sender and the receiver of the message

Triple DES (Data Encryption Standard) Encryption- employs

three layers of encryption for better security.
COMMON FORMS OF TRIPLE DES

EEE3: EDE3:
Encrypt-Encrypt- Encrypt-Decrypt-
Encrypt with three Encrypt with three keys
different keys. but works differently.
2. Public Key Encryption
- Two keys: public (for encoding) and private (for decoding).

Example:

RSA (Rivest-Shamir-Adleman) Encryption - highly secure,

often used with DES for faster results.

»Digital Envelope - is a secure method of encrypting messages

that combines the speed of symmetric encryption (e.g., DES) with
the security of asymmetric encryption (e.g., RSA)
DIGITAL AUTHENTICATION

Digital Signature

Digital Certificate
DIGITAL SIGNATURE

- is an electronic authentication technique that ensures the

transmitted message originated with the authorized sender and
that it was not tampered with after the signature was applied.
DIGITAL CERTIFICATE

- is like an electronic identification card that is used in conjunction

with a public key encryption system to verify the authenticity of the
message sender.
NETWORK SECURITY MEASURES
Message Sequence Message Transaction
Numbering: Log:
Prevents message Records access
tampering. attempts.

Request-Response
Technique: Call-Back Devices:
Ensures smooth Verifies user identity
communication. before granting access
 AUDIT OBJECTIVES RELATING TO
SUBVERSIVE THREATS
(1) Prevent and detect (2) Make stolen data
illegal access. unusable.

(3) Ensure data

remains intact and
secure.
 AUDIT CONTROLS RELATING TO
SUBVERSIVE THREATS
1. Firewall Assessment 2. Intrusion
Criteria for a strong Prevention
firewall: Systems (IPS)

- Flexibility 3. Encryption
- Proxy Services Verification 4. Message
- Filtering Logs
- Segregation of
Systems
- Audit Tools 5. Call-Back
- Probe for Weaknesses Tests
II. CONTROLLING RISKS FROM
EQUIPMENT FAILURES
LINE ERRORS
- occur when noise disrupts the transmission of data, changing the bit
structure of the message.

» Noise - is made up of random signals that can interfere with the message
signal when they reach a certain level.

Sources:
Electric motors
Atmospheric conditions
Faulty wiring or components
Adjacent channel interference
 ERROR DETECTION AND
CORRECTION TECHNIQUES

Echo Check

Parity Check
ECHO CHECK
- The receiver returns the message to the sender.

- The sender compares the returned message with the original.

- If discrepancies are found, the message is retransmitted.

PARITY CHECK
- adds an extra bit, known as the parity bit, to detect errors.

TYPES OF PARITY CHECK

1. Vertical Parity: Adds a parity bit to each character to ensure data

accuracy.

2. Horizontal Parity: Adds a parity bit to a group of characters to check for

errors in a block of data.
 AUDIT CONTROLS RELATING TO
RISKS FROM EQUIPMENT FAILURES
(1) Select sample (2) Examine these
messages from messages for
transaction logs. corrupted content
caused by line noise.

(3) Confirm that all

detected errors were
retransmitted
successfully.
 Information Technology Control

Relates with computer environment

There are 2 broad groups: general and application controls
General - entity-wide concerns

Application Application - specific systems

Controls
Physical Control
Relates primarily to the human activities employed in
accounting systems.
Physical controls focus on people
Physical Control

01 Transaction Authorization
— to ensure that all material transactions processed by the
information system are valid and in accordance with management’s
objectives.

General authority — perform day-to-day operations.

Specific authority — nonroutine transactions.
Physical Control

02 Segregation of Duties
Objective 1. The segregation of duties should be such that the
authorization for a transaction is separate from the processing of the
transaction.
Objective 2. Responsibility for the custody of assets should be separate
from the record-keeping responsibility.
Objective 3. The organization should be structured so that a successful
fraud requires collusion between two or more individuals with
incompatible responsibilities
Physical Control

03 Supervision

— To address this, management can compensate by closely

supervising employees and regularly reviewing their work to reduce
risks associated with insufficient segregation.
often called a compensating control
Physical Control

04 Accounting Records
— these records capture the economic essence of transactions and
provide an audit trail of economic events.
Organizations must maintain audit trails for two reasons.
First, this information is needed for conducting day-to-day
operations.
Second, the audit trail plays an essential role in the financial
audit of the firm.
Physical Control

05 Access Control

— to ensure that only authorized personnel have

access to the firm’s assets.
Physical security devices, such as locks, safes,
fences, alarm systems, control against direct
access.
Physical Control

06 Independent Verification
— Through independent verification procedures, management can assess:
(1) the performance of individuals,
(2) the integrity of the transaction processing system, and
(3) the correctness of data contained in accounting records.
That was
so hot