
Case Question for Internal Control

MailMed Inc. (MMI), a pharmaceutical firm, provides discounted prescription drugs through direct mail. MMI has a small systems staff that designs and writes MMI's customized software. Until recently, MMI's transaction data were transmitted to a service bureau for processing on its hardware. MMI has experienced significant sales growth as the cost of prescription drugs has increased and medical insurance companies have been tightening reimbursements in order to restrain premium cost increases. As a result of these increased sales, MMI has purchased its own computer hardware. The computer center is installed on the ground floor of its two-story headquarters building. It is behind large plate glass windows so that the state-of-the-art computer center can be displayed as a measure of the company's success and attract customer and investor attention. The computer area is equipped with halon gas fire suppression equipment and an uninterruptible power supply system. MMI has hired a small computer operations staff to operate this computer center. To handle MMI's current level of business, the operations staff is on a two-shift schedule, five days per week. MMI's systems and programming staff, now located in the same building, has access to the computer center and can test new programs and program changes when the operations staff is not available. As the systems and programming staff is small and the work demands have increased, systems and programming documentation is developed only when time is available. Periodically, but not on a scheduled basis, MMI backs up its programs and data files, storing them at an off-site location. Unfortunately, due to several days of heavy rains, MMI's building recently experienced serious flooding which reached several feet into the first floor and affected not only the computer hardware but also the data and program files that were on site.

REQUIRED:
a. Describe at least four computer security weaknesses that existed at MailMed Inc. prior to the flood occurrence.
b. Describe at least five components that should be incorporated in a formal disaster recovery plan in order that MailMed Inc. can become operational within 72 hours after a disaster affects its computer operations capability.
c. Identify at least three factors, other than the plan itself, that MailMed Inc. should consider in formulating a formal disaster recovery plan.
(Source: CMA Exam)

ANSWERS

a. Computer security weaknesses that existed at MailMed Inc. prior to the flood:
1. Files are backed up only periodically, not on a scheduled basis, so the most recent transactions and program changes may exist only on site and are lost if the site is lost.
2. The computer center is on the ground floor, behind plate glass windows: it is not secure. It is exposed to flooding and to anyone passing by, and the halon fire suppression and uninterruptible power supply protect against fire and power loss but not against water.
3. The systems and programming staff has access to the computer center when the operations staff is not available. Programmers should not be able to modify the live production environment, and should not work in the computer center unsupervised.
4. Documentation is inadequate: systems and programming documentation is developed only when time is available, which makes the systems hard to rebuild or recover when the people who wrote them are not present.

b. Components that should be incorporated in a formal disaster recovery plan so that MailMed Inc. can become operational within 72 hours after a disaster affects its computer operations capability:
1. Contact list: names and telephone numbers of the operations manager, programming staff, building maintenance manager and other key personnel (the disaster recovery team).
2. Off-site storage: the facility used for data backups, with authorization for several disaster recovery team members to pick up the backups.
3. Detailed backup strategy: should include daily, weekly and month-end backups, all stored off site.
4. Selection of a "hot site": another computer facility that can be used in an emergency.
5. Testing: both the hot site and the restoration of data onto the existing computer should be tested on a regular basis, so that the plan is known to work before it is needed.
6. Signed contracts and authorizations so that key disaster recovery team members can deal with computer vendors and suppliers for replacement hardware or supplies.
7. Procedures for reinstating files, rerunning programs and recalling contaminated output.

c. Factors, other than the plan itself, that MailMed Inc. should consider in formulating a formal disaster recovery plan:
1. Selecting the proper team within the company.
2. Proper computer room design and layout.
3. A preventive maintenance program.
4. Implementing proper security measures, such as scheduled backups, a locked computer room, limited access to the computer room, and program change control procedures (so that the live system cannot be changed until changes have been properly tested).
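As an added illustration (not part of the CMA case or its model answer) of items 3 and 5 in answer b, and of the first weakness in answer a, the Python below checks a set of backup records against a daily/weekly/month-end schedule with an off-site requirement, and performs a checksum-based restore test on a backup copy. The backup records, the dates, the payload bytes and the maximum-age windows are all constructed for the example; the case gives no such figures.

```python
"""Backup-schedule and restore-verification check (added example).

Constructed scenario, not part of the CMA case: a few backup records are
embedded inline so the check runs offline.  The policy mirrors answer b:
daily, weekly and month-end backups, all stored off site, plus a periodic
restore test that proves the off-site copy is readable and intact.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Backup:
    kind: str      # "daily", "weekly" or "monthly"
    taken: date    # date the backup set was written
    offsite: bool  # True if a copy was moved to the off-site facility
    sha256: str    # checksum recorded when the backup was written


# Maximum allowed age, in days, of the newest backup of each kind.  These
# windows are assumptions for the example, not figures from the case.
MAX_AGE = {"daily": 1, "weekly": 7, "monthly": 31}


def schedule_findings(backups, today):
    """Return a list of policy violations; an empty list means compliant.

    This is the control that is missing when backups are taken 'periodically,
    but not on a scheduled basis': it turns the schedule into a check that
    fails loudly when a backup is late or has no off-site copy.
    """
    findings = []
    for kind, limit in MAX_AGE.items():
        sets = [b for b in backups if b.kind == kind]
        if not sets:
            findings.append(f"no {kind} backup has ever been taken")
            continue
        newest = max(sets, key=lambda b: b.taken)
        age = (today - newest.taken).days
        if age > limit:
            findings.append(f"newest {kind} backup is {age} days old (limit {limit})")
        if not newest.offsite:
            findings.append(f"newest {kind} backup ({newest.taken}) has no off-site copy")
    return findings


def restore_test(backup, restored_bytes):
    """Simulate the periodic restore test from answer b, item 5.

    The bytes read back from the off-site copy are hashed and compared with
    the checksum recorded when the backup was written.  A mismatch means the
    copy is unreadable or corrupt and cannot be relied on in a recovery.
    """
    return hashlib.sha256(restored_bytes).hexdigest() == backup.sha256


# Constructed sample: MMI-style ad hoc backups as of an assumed date.
TODAY = date(2024, 3, 15)
PAYLOAD = b"MMI order file 2024-03-14"  # stands in for the real data set
SAMPLE = [
    Backup("daily", date(2024, 3, 10), True, hashlib.sha256(b"old").hexdigest()),
    Backup("daily", date(2024, 3, 14), False, hashlib.sha256(PAYLOAD).hexdigest()),
    Backup("weekly", date(2024, 3, 1), True, hashlib.sha256(b"week").hexdigest()),
    # deliberately no month-end backup at all
]

if __name__ == "__main__":
    for finding in schedule_findings(SAMPLE, TODAY):
        print("FINDING:", finding)
    print("restore test on newest daily backup:", restore_test(SAMPLE[1], PAYLOAD))
```

Run against the constructed sample the check reports three findings (the newest daily backup has no off-site copy, the weekly backup is two weeks old, and no month-end backup exists), and the restore test passes only while the bytes read back match the recorded checksum.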