Chapter Eight - PowerPoint PPT Presentation

Slides: 22
Provided by: busi213

Transcript and Presenter's Notes


1
Chapter Eight
  • CBIS and Checklists

2
General Controls
  • 12 controls
  • Planning, controls, standards, security
  • Continuous updating
  • e.g., CL 66 of firms inadequate monitoring
  • Plans made -- not implemented

3
Security Plans
  • Who
  • What
  • When
  • Which

4
Project Development Controls
  • Long-range, 3-5 year, master plan
  • and, what happens next year?
  • Project Development Plan - use milestones
  • DP Schedule - comp resources as scarce
  • Define responsibility / method of evaluation
  • Postimplementation Review / Measure

5
IA DHS Revisited
  • 12 million project development
  • Failed (at point of success?)
  • Funding ended
  • Project development failure?
  • Or, communication failure?

6
Mission Impossible
  • Limit physical access
  • Limit access to computer logic
  • Problem - insiders
  • where are my tennis shoes?
  • Security breaches
  • the Net?

7
Logic Controls
  • Passwords
  • random assignment,
  • ID cards
  • use your PIN number for CC purchases?
  • Active badges (as opposed to inactive?)
  • Biometric Identification
  • permit or limit access
  • cocaine residue on a four year old
  • sniffer at the airport

8
More Logic Access Control
  • Compatibility Tests
  • multiple layers of passwords for access to records
  • screen passwords, e.g., payroll
  • print passwords, e.g., contracts
  • e-mail attachment controls?

9
Paranoia or Security?
  • Outside workers with access
  • Webco customer list theft
  • CIA director - national security on home PC
  • Mattel stolen laptops

10
Simple Measures
  • Property listing in files
  • resume example
  • Floppy read/write limits
  • File passwords
  • Volume names
  • External labels

11
Encryption
  • Private key only
    • threat?
  • Public key only
    • threat?
  • Public and Private Keys
    • threat?

12
Routing Verification
  • Great for phone callers
  • Too busy now, can I call you back?
  • Verify the caller's identity and authorization
  • Automated - as discussed in your text

13
Documentation
  • Administrative
    • overall uses and change authorization
  • System
    • flowcharts, narrative, libraries
  • Operating
    • hardware, software, program considerations

14
IC as Prevention
  • UPS
  • Preventive maintenance
  • RAM test
  • Microprocessor test
  • Hard and Removable Disk interfaces

15
Every Day is Y2K
  • Disaster Recovery Plans
  • e.g., your grades
  • WTC bombing 43 of firms failed
  • Electronic vaulting
  • my computer default and mail on a server
  • backup nightly
  • Backup
  • Master Vs. Transaction files

16
When do you press the save key?
  • When should you complete
  • a system backup?

17
Disaster Recovery Plan
  • Press release: who, what, when, where, why
  • Prioritize the process (what)
  • Backup data and program files (when, where)
  • Have specific assignments (who)
  • Complete recovery documentation (why)
  • Alternative (backup) telecommunication sites (where II)

18
Alternative Sites
  • Alliances
  • Hot site
    • fully configured
    • current copies of most recent backups
    • access guaranteed, ready to run
  • Cold site
    • no equipment in-place
    • contracts provided to provide service on-demand

19
Internet Controls (a different IC)
  • NWS - six Denmark hackers
  • NWS goes down, airlines stop flying
  • Anyone see a business opportunity here?
  • Firewalls, tunneling,
  • Separate systems
    • external (in-coming) internet site
    • internal intranet

20
Application Controls
  • Data entry and reporting controls
  • Source Data Controls
  • Input Validation Routines
  • On-Line Data Entry Controls
  • DP and File Maintenance Controls
  • Output Controls

21
Auditor Usage
  • Page 263 and 264