Security 2
Application controls
[Figure: GENERAL CONTROLS and application controls. Panels: cash receipts application controls; sales application controls; payroll application controls; other cycle application controls. Risks labelled: risk of unauthorized change to application software; risk of system crash; risk of unauthorized master file update; risk of unauthorized processing.]
Administration of the IT function
Segregation of IT duties
Systems development
Physical and online security
Backup and contingency planning
Hardware controls
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
[Figure: organization chart. Boxes: Chief Information Officer or IT Manager; Security Administrator; Systems Development; Operations; Data Control.]
Typical test strategies:
- Pilot testing
- Parallel testing
Physical Controls:
- Keypad entrances
- Badge-entry systems
- Security cameras
- Security personnel
Online Controls:
- User ID control
- Password control
- Separate add-on security software
One key to a backup and contingency plan
is to make sure that all critical copies of
software and data files are backed up and
stored off the premises.
These controls are built into computer
equipment by the manufacturer to
detect and report equipment failures.
Input controls
Processing controls
Output controls
These controls are designed by an
organization to ensure that the
information being processed is
authorized, accurate, and complete.
Financial total
Hash total
Record count
Data input controls ensure the accuracy,
completeness, and timeliness of data during its
conversion from its original source into computer
data, or entry into a computer application. Data
can be entered into a computer application from
either manual online input or by batch processing
(automated). Someone reviewing input controls
should determine the adequacy of both manual
and automated controls over data input to ensure
that data is input accurately with optimum use of
computerized validation and editing and that
error handling procedures facilitate the timely
and accurate resubmission of all corrected data.
1) Documented procedures should exist for
any data manually entered into
the application. These procedures should
include how to identify, correct,
and reprocess rejected data.
2) Input edits should be used by the
application. These could include checking
for invalid field lengths, invalid characters,
missing or erroneous data, incorrect
dates, or the use of check digits.
3) Input data should also be controlled by
the use of record counts,
batching techniques, control totals, or some
other type of logging. (Balancing of
source documents to input processing)
4) Another way to help ensure appropriate
data is being entered into the application
is to require that an authorized person
approve the input documents.
The authorization levels of the assigned
approvers should also be reviewed to
determine if they are reasonable.
5) Passwords should be used to control
access to the application. Passwords
should be changed periodically, deleted
when employees/users leave the University,
and modified to reflect changes as a
person’s responsibilities change.
6) Duties should be separated to ensure
that no one individual performs more
than one of the following operations without
supervisory review:
- Origination of data
- Input of data into the system
- Processing the data
- Distribution of the output
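An added example (not part of the original slides) of items 2 and 3 above: input edits, including a check digit, followed by balancing a keyed batch against the record count, financial total and hash total taken from the source documents. The field names, the 8-digit account format and the choice of the Luhn check digit are assumptions made for illustration.

```python
from datetime import datetime
from decimal import Decimal

def luhn_ok(number: str) -> bool:
    """Check-digit edit (Luhn mod 10, chosen here as an assumption)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_record(rec: dict) -> list:
    """Input edits: reasons a record is rejected (empty list = accepted)."""
    errors = []
    acct = rec.get("account", "")
    if not (acct.isascii() and acct.isdigit() and len(acct) == 8):
        errors.append("account: invalid length or characters")
    elif not luhn_ok(acct):
        errors.append("account: check digit mismatch")
    try:
        datetime.strptime(rec.get("date", ""), "%Y-%m-%d")
    except ValueError:
        errors.append("date: missing or incorrect")
    try:
        if Decimal(rec.get("amount", "")) <= 0:
            errors.append("amount: not positive")
    except ArithmeticError:                 # decimal.InvalidOperation
        errors.append("amount: missing or erroneous")
    return errors

def check_batch(header: dict, records: list) -> dict:
    """Balance keyed input to the control totals taken from source documents."""
    rejected = {i: e for i, r in enumerate(records) if (e := edit_record(r))}
    good = [r for i, r in enumerate(records) if i not in rejected]
    computed = {
        "record_count": len(records),
        "financial_total": sum(Decimal(r["amount"]) for r in good),
        "hash_total": sum(int(r["account"]) for r in good),
    }
    out = [k for k, v in computed.items() if v != header[k]]
    return {"rejected": rejected, "out_of_balance": out}

# Constructed sample batch (not real data): header totals come from the source documents.
HEADER = {"record_count": 3, "financial_total": Decimal("1750.50"), "hash_total": 63761608}
BATCH = [
    {"account": "12345674", "date": "2024-03-01", "amount": "1000.00"},
    {"account": "20000014", "date": "2024-03-01", "amount": "250.50"},
    {"account": "31415920", "date": "2024-03-02", "amount": "500.00"},
]
```

A mis-keyed amount passes every input edit but leaves the financial total out of balance, and a rejected record keeps the batch out of balance until it is corrected and resubmitted.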
Validation test
Sequence test
Arithmetic accuracy test
Data reasonableness test
Completeness test
Processing controls are used to ensure
the accuracy, completeness, and
timeliness of data during either batch
or real-time processing by the
computer application. Someone
reviewing these controls should
determine the adequacy of controls
over application programs and related
computer operations to ensure that
data is accurately processed through
the application and that no data is
added, lost, or altered during
processing.
1) Documentation should exist explaining
the processing of data through
the application. Examples would be
narratives on how the application processes
data, flowcharts, and an explanation of
system or error messages.
2) If the application is “run” on a regular
schedule to process data, either manually
or automatically, there should be
documented procedures explaining how this
is performed. There may be a schedule that
must be followed with controls in place
to ensure all processing was completed.
3) A processing log may exist. If it does, it
should be reviewed for unusual
or unauthorized activity.
4) The processing log, or another log or
report, should be used to document
any errors or problems encountered during
processing. Types of information that
should be considered for retention are
descriptions of any errors encountered,
dates identified, any codes associated with
errors, any corrective action taken, and the
dates and times corrected.
5) There should be controls in place to
make sure the correct generation/cycle of
files is used for processing. This may
include the generation of backup files
from processing to be used for disaster
recovery.
6) Processing edits should also be used.
These may be similar to input edits
but applied to the data during processing.
7) Audit trails should be generated during
processing. These audit trails should be logs
or reports that contain information about
each transaction. Data that should
be included are who initiated each of the
transactions, the date and time of
the transactions, and the location of the
transaction origination (IP address as
an example).
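An added example (not part of the original slides) of reviewing the audit trail described in items 3 and 7: each entry is checked for who, when and where, and the transaction numbers are put through a sequence test and a completeness test. The field names, the log layout and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

REQUIRED = ("seq", "user", "timestamp", "origin_ip")   # hypothetical field names

def entry_problems(entry: dict) -> list:
    """Who / when / where check for one audit-trail entry."""
    problems = [f"{f}: missing" for f in REQUIRED if entry.get(f) in (None, "")]
    if entry.get("timestamp"):
        try:
            datetime.fromisoformat(entry["timestamp"])
        except ValueError:
            problems.append("timestamp: not a valid date and time")
    if entry.get("origin_ip"):
        try:
            ipaddress.ip_address(entry["origin_ip"])
        except ValueError:
            problems.append("origin_ip: not a valid address")
    return problems

def review_audit_trail(entries: list, expected_count: int) -> dict:
    """Sequence test, completeness test and per-entry field check."""
    seqs = [e["seq"] for e in entries if isinstance(e.get("seq"), int)]
    unique = set(seqs)
    return {
        "incomplete": {i: p for i, e in enumerate(entries) if (p := entry_problems(e))},
        "duplicates": sorted(s for s in unique if seqs.count(s) > 1),
        "missing_seq": sorted(set(range(min(unique), max(unique) + 1)) - unique) if unique else [],
        "complete": len(unique) == expected_count,   # distinct transactions vs. input count
    }

# Constructed log entries (documentation-range addresses, made-up users).
TRAIL = [
    {"seq": 1001, "user": "alice", "timestamp": "2024-03-01T09:15:02", "origin_ip": "192.0.2.10"},
    {"seq": 1002, "user": "bob", "timestamp": "2024-03-01T09:15:40", "origin_ip": "192.0.2.11"},
    {"seq": 1004, "user": "alice", "timestamp": "2024-03-01T09:17:13", "origin_ip": "198.51.100.7"},
    {"seq": 1004, "user": "alice", "timestamp": "2024-03-01T09:17:13", "origin_ip": "198.51.100.7"},
    {"seq": 1005, "user": "", "timestamp": "2024-03-01T09:20:00", "origin_ip": "10.0.0.999"},
]
```

On the sample, transaction 1003 is missing, 1004 was processed twice, and the last entry cannot be attributed to a user or a valid origin, so the run fails the completeness test against an input count of 5.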
These controls focus on detecting errors
after processing is completed rather
than on preventing errors.
Data output controls are used to ensure
the integrity of output and the correct and
timely distribution of any output produced.
Output can be in hardcopy form, in the
form of files used as input to other
systems, or information available for
online viewing. Someone reviewing these
controls should evaluate the adequacy of
controls over output to ensure that the
data processing results are accurate and
reliable, output control totals are accurate
and are being verified, and the resulting
information is distributed in a timely and
consistent manner to the end users.
1) Output should be balanced/reconciled to
input. There should be adequate separation
of duties for the balancing / reconciliation
process.
2) There should be documented
procedures to explain the methods for the
proper balancing / reconciliation and error
correcting of output.
job
Analysis of the security features each
follows:
The objective with physical access controls
is to stop unauthorised people getting
near to computer systems.
The key is to have a range of controls that
include:
- Personnel (e.g. security) controlling
human access
- Use of locks, key pads or card entry
systems to sensitive computer locations
- Intruder alarms (detection)
Increasingly, computer equipment is smaller
and lighter - which makes it easier to steal.
So it makes sense for such equipment to be:
- Locked away when not in use
7. Designating responsibilities.
Disaster recovery planning is an ongoing,
dynamic process that continues throughout
the information system’s lifecycle.
Information systems can be very complex,
fulfilling many business functions. Your
first step in disaster recovery planning is
to identify and prioritize the business-
critical functions, systems, and processes.
As a disaster recovery planner, you must
obtain input from Executive and
Functional Managers to determine each
system’s criticality.
Your second step in disaster recovery planning
is to identify the resources that are critical to the
information systems that support the functions,
systems, and processes that you identified in
step one. The critical resources that you identify
must include everything necessary to support the
critical function, system, or process. Some
examples of critical resources are:
• Telecommunications connections,
• Personnel.
As a disaster recovery planner, you must
analyze the critical resources identified and
determine the impact on information
system operations if a given resource is
disrupted or damaged. The impact analysis
must include allowable outage times, i.e.,
“How long can a company afford to be
without this resource?” When analyzing the
impact, you must also consider the outage
effect on dependent systems.
Using the resulting business impact
analysis, you must then develop and
prioritize strategies for recovery and
restoration.
Your third step is to develop a plan for
notifying essential personnel when a
disaster occurs or is imminent. The plan
must describe the methods the company
uses to notify personnel during business
and non-business hours. Prompt notification
can reduce the disaster’s effects on the
information system because you will have
time to take mitigating actions.
Your fourth step is to develop a plan for
assessing the nature and extent of damage to the
system, and for determining the extent to which to
activate the Disaster Recovery Plan. Although damage
assessment procedures may be unique for each
system, you must address the following areas:
• Facility damage,