
BSAC 322

HANDOUT
CHAPTER 7 & 8

Information Systems Control for Systems Reliability P1 & P2

• One basic function of AIS is to provide information useful for decision making. In order to
be useful, the information must be reliable, which means:
• It provides an accurate, complete, and timely picture of the organization’s activities.
• It is available when needed.
• The information and the system that produces it are protected from loss,
compromise, and theft.
• The five basic principles that contribute to systems reliability:
• Security – Access to the system and its data is controlled.
• Confidentiality - Sensitive information is protected from unauthorized disclosure.
• Privacy - Personal information about customers collected through e-commerce is
collected, used, disclosed, and maintained in an appropriate manner.
• Processing integrity - Data is processed:
• Accurately
• Completely
• In a timely manner
• With proper authorization
• Availability - The system is available to meet operational and contractual
obligations.
SECURITY
• It is the foundation of systems reliability.
• Security procedures restrict system access to only authorized users and protect:
• The confidentiality of sensitive organizational data.
• The privacy of personal identifying information collected from customers.
• Security procedures also:
– Provide for processing integrity by preventing:
• Submission of unauthorized or fictitious transactions.
• Unauthorized changes to stored data or programs.
– Protect against a variety of attacks, including viruses and worms, thereby
ensuring the system is available when needed.
• The press carries many stories about information security incidents including:
– Denial of service attacks
– Fraud
– Loss of trade secrets
– Identity theft
• Accountants and IS professionals need to understand basic principles of information
security in order to protect their organizations and themselves.

COBIT and Trust Services


• Control Objectives for Information and related Technology (COBIT)
• It is an IT governance framework and supporting toolset that allows managers to
bridge the gap between control requirements, technical issues and business risks.
• It enables clear policy development and good practice for IT control throughout
organizations.
• It emphasizes regulatory compliance, helps organizations to increase the value
attained from IT, enables alignment and simplifies implementation of the COBIT
framework.
• Created by the Information Systems Audit and Control Association (ISACA), and the IT
Governance Institute (ITGI) in 1996.

The three fundamental information security concepts:


1. Security is a management issue, not a technology issue
 Though information security is a complex technical subject, security is first and
foremost a top management issue, not an IT issue.
 Management is responsible for the accuracy of various internal reports and
financial statements produced by the organization’s IS.
 Security is a key component of the internal control and systems reliability to
which management must attest.
 The Trust Services framework identifies four essential criteria for successfully
implementing the five principles of systems reliability:
 Develop and document policies.
 It’s more exciting to react to security issues than to prevent them.
 However, it is important to develop a comprehensive set of
security policies before designing and implementing specific
control procedures.
 Helps ensure that the security products you ultimately purchase
protect each IS resource.
 Developing a comprehensive set of security policies begins with
taking an inventory of information systems resources, including:
o Hardware
o Software
o Databases
 Once the resources have been identified, they need to be valued
in order to select the most cost-effective control procedures.
o Not easy—particularly in valuing information itself.
o Management at the highest level needs to be involved
because they have a broader understanding of the
organization’s mission and goals that will enable them to
better assess the dollar impact caused by loss or
disclosure of information resources.
 Effectively communicate those policies to all authorized users.
 Security policies must be communicated to and understood by
employees, customers, suppliers, and other authorized users.
 Needs to be more than having people sign off that they’ve
received and read a written document.
 Employees should have regular reminders about security policies
and training in how to comply.
 Training and communication will only be taken seriously if
management provides active support and involvement.
 Sanctions must also be associated with these violations, again
requiring management support for enforcement.

 Design and employ appropriate control procedures to implement those
policies.
 Systems personnel have knowledge about the technical merits of
each alternative, as well as the risk of various threats.
 Management insight is needed in identifying potential costs and
ensuring that all relevant organizational factors are considered.
 COBIT stresses that the CEO and CFO are accountable for
ensuring that the organization has implemented a thorough risk
assessment program.

 Monitor the system, and take corrective action to maintain compliance
with the policies.
 Security is a moving target.
 Technology advances create new threats and alter the risks
associated with existing threats.
 Effective control involves a continuous cycle of:
 Developing policies to address identified threats;
 Communicating those policies to all employees;
 Implementing specific control procedures to mitigate risk;
 Monitoring performance; and
 Taking corrective action in response to problems.
 Corrective actions often involve the modification of existing policies,
and the cycle starts all over.
 Senior management must be involved to ensure that security
policies remain consistent with and support the organization’s
business strategy.

 Top management involvement and support is necessary to satisfy each of the
preceding criteria.
2. The time-based model of security
 Given enough time and resources, any preventive control can be circumvented.
 Consequently, effective control requires supplementing preventive procedures
with:
 Methods for detecting incidents; and
 Procedures for taking corrective remedial action.
 Detection and correction must be timely, especially for information security,
because once preventive controls have been breached, it takes little time to
destroy, compromise, or steal the organization’s economic and information
resources.
 The time-based model of security focuses on implementing a set of
preventive, detective, and corrective controls that enable an organization to
recognize that an attack is occurring and take steps to thwart it before any
assets have been compromised.
 All three types of controls are necessary:
 Preventive - Limit actions to those in accord with the organization’s
security policy and disallow all others.
 Detective - Identify when preventive controls have been breached.
 Corrective - Repair damage from problems that have occurred and
improve preventive and detective controls to reduce likelihood of similar
incidents.
 The time-based model evaluates the effectiveness of an organization’s security
by measuring and comparing the relationship among three variables:
 P = Time it takes an attacker to break through the organization’s
preventive controls.
 D = Time it takes to detect that an attack is in progress.
 C = Time to respond to the attack.
 These three variables are evaluated as follows:
 If P > (D + C), then security procedures are effective.
 Otherwise, security is ineffective.
 The model provides management with a means to identify the most cost-
effective approach to improving security by comparing the effects of additional
investments in preventive, detective, or corrective controls.
 EXAMPLE: For an additional expenditure of $25,000, the company could take
one of four measures:
 Measure 1 would increase P by 5 minutes.
 Measure 2 would decrease D by 3 minutes.
 Measure 3 would decrease C by 5 minutes.
 Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
 Because each measure has the same cost, which do you think would be the
most cost-effective choice? (Hint: Your goal is to have P exceed [D + C] by the
maximum possible amount.)
 You may be able to solve this problem by eyeballing it. If not, one way to solve
it is to assume some initial values for P, D, and C.
 So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
 At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
 With Measure 1, P is increased by 5 minutes:
 20 – (5 + 8) = 7 min.
 With Measure 2, D is decreased by 3 minutes:
 15 – (2 + 8) = 5 min.
 With Measure 3, C is decreased by 5 min.
 15 – (5 + 3) = 7 min.
 With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.
 18 – (5 + 5) = 8 min.
 The most cost-effective choice would therefore be Measure 4, because for the
same money, it creates a greater distance between the time it takes a
perpetrator to break into a system and the time it takes the company to detect
and thwart the attack.
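The following is an added worked example, not part of the handout: it implements the time-based model as a small function and applies it to the four measures above, starting from the handout's assumed values P = 15, D = 5 and C = 8 minutes. It goes slightly beyond the handout in that any list of measures can be ranked, and each result is also checked against the P > (D + C) rule so that a "best" measure which still leaves security ineffective is flagged.

```python
"""Time-based model of security: P > (D + C) means the controls are effective.

Added example (not from the handout). The four measures and the starting
values P = 15, D = 5, C = 8 minutes are the handout's own illustration;
any other set of measures can be passed in the same way.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    """Effect of one security investment on the three model variables (minutes)."""
    name: str
    delta_p: float = 0.0  # change in P, time to break through preventive controls
    delta_d: float = 0.0  # change in D, time to detect the attack
    delta_c: float = 0.0  # change in C, time to respond to the attack


def security_margin(p, d, c):
    """P - (D + C): positive means security is effective, otherwise ineffective."""
    return p - (d + c)


def is_effective(p, d, c):
    return security_margin(p, d, c) > 0


def evaluate_measures(p, d, c, measures):
    """Apply each measure to the starting point and return
    (name, new margin, effective?) tuples, best margin first."""
    results = []
    for m in measures:
        margin = security_margin(p + m.delta_p, d + m.delta_d, c + m.delta_c)
        results.append((m.name, margin, margin > 0))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


def best_measure(p, d, c, measures):
    """Name of the measure that gives the largest margin P - (D + C)."""
    return evaluate_measures(p, d, c, measures)[0][0]


# The handout's four $25,000 measures.
HANDOUT_MEASURES = [
    Measure("Measure 1", delta_p=5),
    Measure("Measure 2", delta_d=-3),
    Measure("Measure 3", delta_c=-5),
    Measure("Measure 4", delta_p=3, delta_c=-3),
]

if __name__ == "__main__":
    print("Starting margin:", security_margin(15, 5, 8), "min")
    for name, margin, ok in evaluate_measures(15, 5, 8, HANDOUT_MEASURES):
        status = "effective" if ok else "INEFFECTIVE"
        print(f"{name}: P - (D + C) = {margin:g} min ({status})")
```

Running it reproduces the handout's figures (7, 5, 7 and 8 minutes) and ranks Measure 4 first. Note that the ranking depends only on the deltas, not on the starting values, as long as the measures are additive; the starting values matter for the separate question of whether P still exceeds D + C.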
3. Defense-in-depth
 The idea of defense-in-depth is to employ multiple layers of controls to avoid
having a single point of failure.
 If one layer fails, another may function as planned.
 Information security involves using a combination of firewalls, passwords, and
other preventive procedures to restrict access.
 Redundancy also applies to detective and corrective controls.
 Major types of preventive controls used for defense in depth include:
 Authentication controls (passwords, tokens, biometrics, MAC addresses)
 The objective of preventive controls is to prevent security
incidents from happening.
 Involves two related functions:
o Authentication - focuses on verifying the identity of the
person or device attempting to gain access.
o Users can be authenticated by verifying:
 Something they know, such as passwords or PINs.
 Something they have, such as smart cards or ID
badges.
 Some physical characteristic (biometric identifier),
such as fingerprints or voice.
o Passwords are probably the most commonly used
authentication method and also the most controversial.
 An effective password must satisfy a number of
requirements:
 Length
o Longer is better.
o Should be at least 8 characters.
 Multiple character types
o Use a mix of upper- and lower-case
alphabetic, numeric, and special
characters.
 Random
o Passwords should not be words found
in the dictionary or dictionary words
preceded or followed by a number
such as 4dog or dog4.
o Should not be related to the
employee’s personal interests or
hobbies, because special-purpose,
password-cracking dictionaries can be
found on the Internet containing the
most common passwords related to
various topics.
 Secret
o The most important requirement.
o A password must be kept secret to be
effective.
 A password that meets the preceding criteria is
typically difficult to memorize—exacerbated by the
typical requirement that the password be changed
every 90 days.
 So most people either:
 Select passwords that can be easily guessed
but can be memorized; or
 Select passwords that meet the criteria for a
strong password but write them down.
 When the password is written down, it
changes from something the employee knows
to something the employee has, which can be
stolen and used.
 As a result of this dilemma, some security experts
argue for abandoning the quest to develop and use
strong passwords.
 They note that a major component of help desk
costs is associated with resetting passwords.
 They suggest reliance on dual-factor authentication
methods, such as a combination of a smart card and
a PIN number.
 Other experts disagree.
 They note that operating systems can now
accommodate passwords longer than 15
characters.
 So users can create strong but easy-to-
remember passphrases like: Idlike2binParis.
 Long passphrases dramatically increase the
effort required to crack them by guessing.
 So this group argues that longer length,
coupled with the fact that it is easier to
remember a long passphrase than a strong
password, should dramatically cut help desk
costs while improving security.
o Each authentication method has its limitations.
 Passwords
 Can be guessed, lost, written down, or given
away.
 Physical identification techniques
 Include cards, badges, and USB devices.
 Can be lost, stolen, or duplicated.
 Biometric techniques
 Expensive and often cumbersome.
 Not yet 100% accurate, sometimes rejecting
legitimate users and allowing unauthorized
people.
 Some techniques like fingerprints may carry
negative connotations that hinder
acceptance.
 Security concerns surround the storage of this
data.
o If the data is compromised, it could
create serious, life-long problems for
the donor.
o Unlike passwords or tokens, biometric
identifiers cannot be replaced or
changed.
 Although none of the three basic authentication methods is
foolproof by itself, the use of two or three in conjunction, known as
multi-factor authentication, is quite effective.
o Example: Using a palm print and a PIN number together is
much more effective than using either method alone.
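An added example (not the handout's code) that turns the password requirements listed above into a check an organization could run when a password is chosen. It tests the three requirements that can be tested in code: length of at least 8, a mix of character types, and randomness in the handout's sense (not a dictionary word, and not a dictionary word preceded or followed by a number such as 4dog or dog4). Secrecy is a matter of policy and cannot be checked this way. The word list is a constructed stand-in for the special-purpose cracking dictionaries the handout mentions.

```python
"""Check a candidate password against the handout's requirements: length
(at least 8), multiple character types, and randomness (not a dictionary
word, and not a dictionary word preceded or followed by a number such as
4dog or dog4). Secrecy cannot be tested in code and is left to policy.

Added example (not the handout's code). DICTIONARY is a constructed stand-in
for the password-cracking word lists the handout mentions.
"""
import re
import string

MIN_LENGTH = 8  # handout: "should be at least 8 characters"

# Constructed sample word list; a real check loads a large cracking dictionary.
DICTIONARY = {"dog", "cat", "password", "paris", "welcome", "summer", "letmein"}

# Leading or trailing run of digits, the "4dog" / "dog4" pattern.
_EDGE_DIGITS = re.compile(r"^\d+|\d+$")


def character_classes(password):
    """Set of character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_dictionary_based(password, dictionary=DICTIONARY):
    """True if the password, ignoring case and any leading or trailing
    digits, is a dictionary word."""
    core = _EDGE_DIGITS.sub("", password.lower())
    return core in dictionary


def check_password(password, dictionary=DICTIONARY):
    """Names of the handout's requirements the password fails (empty = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if len(character_classes(password)) < 4:
        failures.append("character types")
    if is_dictionary_based(password, dictionary):
        failures.append("random")
    return failures
```

The passphrase from the handout, Idlike2binParis, passes the length and randomness checks and fails only the character-type mix, which is exactly the trade-off the two groups of experts above disagree about: a policy that favours long passphrases would relax that one rule rather than the others.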

 Authorization controls (access control matrices and compatibility tests)


 Authorization - restricts access of authenticated users to specific
portions of the system and specifies what actions they are
permitted to perform.
 Authorization controls are implemented by creating an access
control matrix.
o Specifies what part of the IS a user can access and what
actions they are permitted to perform.
o When an employee tries to access a particular resource,
the system performs a compatibility test that matches the
user’s authentication credentials against the matrix to
determine if the action should be allowed.
o The access control matrix should be regularly updated, so
that an employee who changes job duties cannot
accumulate a set of rights that are incompatible with proper
segregation of duties.

 Authentication and authorization can be applied to devices as well as


users.
 Every workstation, printer, or other computing device needs a
network interface card (NIC) to connect to the organization’s
network.
 Each network device has a unique identifier, referred to as its
media access control (MAC) address.
 It is possible to restrict network access to only those devices
which have a recognized MAC address or to use MAC addresses
for authorization.
 For example, payroll or EFT applications should be set only to run
from authorized terminals.
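An added example (not the handout's code) covering both the access control matrix with its compatibility test and the device-level authorization just described. The matrix maps each user to the resources and actions they may use; the compatibility test matches a request against it and, for resources that the handout says should only run from authorized terminals (payroll and EFT), also checks the requesting device's MAC address. A separate check reports rights that violate segregation of duties, which is what the regular matrix review is meant to catch. All users, resources, MAC addresses and incompatible pairs are constructed sample data.

```python
"""Access control matrix, compatibility test and device authorization.

Added example (not the handout's code). The users, resources, rights, MAC
addresses and incompatible-duty pairs are constructed sample data.
"""

# Access control matrix: user -> resource -> set of permitted actions.
ACCESS_MATRIX = {
    "alice": {"general_ledger": {"read"}, "payroll": {"read", "update"}},
    "bob":   {"general_ledger": {"read", "update"}, "vendor_master": {"read", "update"}},
    "carol": {"payroll": {"read"}},
}

# Resources that may only be used from authorized terminals (the handout's
# payroll and EFT example), keyed to the terminals' MAC addresses.
TERMINAL_RESTRICTED = {
    "payroll": {"00:11:22:33:44:55"},
    "eft": {"00:11:22:33:44:66"},
}

# Pairs of rights that one person must not hold together (segregation of duties).
INCOMPATIBLE = [
    (("vendor_master", "update"), ("accounts_payable", "approve")),
    (("payroll", "update"), ("payroll", "approve")),
]


def compatibility_test(user, resource, action, mac=None, matrix=ACCESS_MATRIX):
    """Match the authenticated user's request against the matrix. For
    terminal-restricted resources the requesting device's MAC must also be
    on the allow list. Returns True only if the action should be permitted."""
    permitted = matrix.get(user, {}).get(resource, set())
    if action not in permitted:
        return False
    allowed_macs = TERMINAL_RESTRICTED.get(resource)
    if allowed_macs is not None and mac not in allowed_macs:
        return False
    return True


def grant(matrix, user, resource, action):
    """Add a right to the matrix, e.g. when an employee changes job duties."""
    matrix.setdefault(user, {}).setdefault(resource, set()).add(action)


def sod_violations(user, matrix=ACCESS_MATRIX):
    """Incompatible right pairs the user currently holds; a non-empty result
    means the matrix needs updating before the user keeps conflicting rights."""
    rights = {(res, act) for res, acts in matrix.get(user, {}).items() for act in acts}
    return [pair for pair in INCOMPATIBLE if pair[0] in rights and pair[1] in rights]
```

Note that a MAC address is only an identifier presented by the device, so this check is a useful layer rather than a proof of identity; the handout treats it as one of several defense-in-depth layers, not a replacement for user authentication.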

Another way of applying the defense-in-depth approach is to create multiple
layers of preventive controls.
This diagram illustrates further the defense-in-depth approach to security control. An
attacker must circumvent multiple layers of preventive controls to gain access to internal
information assets and resources.

 Training
o People play a critical role in information security.
 The effectiveness of specific control procedures depends on how
well employees understand and follow the organization’s security
policies.
 Employees should be taught why security measures are important
to the organization’s long-run survival.
o Employees should be trained to follow safe computing
practices, such as:
 Never open unsolicited email attachments.
 Use only approved software.
 Never share or reveal passwords.
 Physically protect laptops, especially when traveling.
o Train employees about social engineering attacks, which
use deception to obtain unauthorized access.
o Do not allow other people (employees or outsiders) to
follow them through restricted-access entrances.
o It is also important to invest in continuing professional
education for information security specialists.
o Top management must also provide support for training.
 Physical access controls (locks, guards, biometric devices)
 Within a few minutes, a skilled attacker with unsupervised direct
physical access to the system can successfully obtain access to
sensitive data.
 Physical access control begins with entry points to the building
itself.
 Once inside the building, physical access to rooms housing
computer equipment must be restricted.
 Access to wiring used in LANs must be restricted to prevent
wiretapping.
 Controlling remote access
 Devices such as routers, modems, wireless access points, and dial-up
connections are used to connect the organization’s IS to the
Internet.
 These devices should be protected against intrusion both from the
outside and from the inside.
 Firewalls are either devices or software that prevent
unauthorized access to the organization’s data.
 There can be one main firewall to prevent unauthorized access
from the outside and several inner firewalls to prevent unauthorized
access within the IS.
 Host and application hardening procedures (firewalls, anti-virus software,
disabling of unnecessary features, user accounts)
 Routers, firewalls, and intrusion prevention systems are designed
to protect the network perimeter.
 Information security is enhanced by supplementing preventive
controls on the network perimeter with additional preventive
controls on the workstations, servers, printers, and other devices
(collectively referred to as hosts) that comprise the organization’s
network.
 Three areas deserve special attention:
o Host configuration
 Hosts can be made more secure by modifying their
configurations.
 Unnecessary features and extra services are often turned on by default.
 Every program contains flaws, called
vulnerabilities, and therefore represents a potential
point of attack.
 Optional programs and features that are not used
should be disabled.
 This process of turning off unnecessary features is
called hardening.
 In addition to hardening, two other preventive
controls should be applied to hosts on the network:
 Every host should be running anti-virus and
firewall software that is regularly updated.
 COBIT states that it is important to harden
and properly configure every device, including
those used to protect the network (e.g.,
firewalls, IPS, routers, etc.) to make them
resistant to tampering.
o User accounts
 COBIT stresses the need to carefully manage user
accounts, especially when they have unlimited
(administrative) rights on the computer.
 Users who need administrative powers on a
particular computer should be assigned two
accounts:
 One with administrative rights.
 One with limited privileges.
 Users should log in under the limited account to
perform routine duties.
 They should be logged into their limited
account when browsing the Web or reading
email.
 If they visit a compromised Website or open
an infected email, the attacker will only
acquire limited rights.
o Software design
 Encryption
 Encrypting sensitive stored data provides one last barrier that
must be overcome by an intruder.
 Also strengthens authentication procedures and plays an
essential role in ensuring and verifying the validity of e-business
transactions.
 Therefore, accountants, auditors, and systems professionals need
to understand encryption.
 Encryption is the process of transforming normal text, called
plaintext, into unreadable gibberish, called ciphertext.
 Decryption reverses this process.
 Detective controls include:
 Preventive controls are never 100% effective in blocking all attacks.
 So organizations implement detective controls to enhance security by:
 Monitoring the effectiveness of preventive controls; and
 Detecting incidents in which preventive controls have been
circumvented.
 Authentication and authorization controls (both preventive and detective)
govern access to the system and limit the actions that can be performed
by authorized users.
 Actual system use (detective control) must be examined to assess
compliance through:
 Log analysis
o Most systems come with extensive capabilities for logging
who accesses the system and what specific actions each
user performed.
 Logs form an audit trail of system access.
 Are of value only if routinely examined.
 Log analysis is the process of examining logs to
monitor security.
o The log may indicate unsuccessful attempts to log in to
different servers.
o The person analyzing the log must try to determine the
reason for the failed attempt. Could be:
 The person was a legitimate user who forgot his
password.
 Was a legitimate user but not authorized to access
that particular server.
 The user ID was invalid and represented an
attempted intrusion.
o Log analysis should be done regularly to detect problems in
a timely manner.
 Not easy because logs can quickly grow in size.
 So system administrators use software tools to
efficiently strip out routine log entries so that they
can focus their attention on anomalous behavior.
 Also supplement log analysis with software tools
called intrusion detection systems to automate the
monitoring process.
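An added example (not the handout's code) of the log analysis just described, run over a few constructed log lines: it parses the entries, strips the routine successful logins so the analyst sees only the anomalies, and groups the failed attempts by user, suggesting which of the handout's three explanations (forgotten password, legitimate user not authorized for that server, or an invalid user ID indicating an attempted intrusion) to check first. The log line format is constructed for the example; a real system's authentication log needs its own parser.

```python
"""Log analysis: strip routine entries and classify failed logins.

Added example (not the handout's code). The log format and the lines below
are constructed; a real system's authentication log would need its own parser.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) server=(?P<server>\S+) result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+)(?: reason=(?P<reason>\S+))? src=(?P<src>\S+)$"
)

# Constructed sample log: one morning of logins to three servers.
SAMPLE_LOG = """\
2024-03-01T08:00:05 server=payroll-db result=OK user=alice src=10.0.0.5
2024-03-01T08:02:11 server=payroll-db result=FAIL user=alice reason=bad_password src=10.0.0.5
2024-03-01T08:02:40 server=payroll-db result=OK user=alice src=10.0.0.5
2024-03-01T08:10:02 server=hr-files result=FAIL user=bob reason=not_authorized src=10.0.0.8
2024-03-01T08:15:30 server=payroll-db result=FAIL user=guest reason=unknown_user src=203.0.113.7
2024-03-01T08:15:31 server=hr-files result=FAIL user=guest reason=unknown_user src=203.0.113.7
2024-03-01T08:20:00 server=payroll-db result=FAIL user=dave reason=bad_password src=198.51.100.4
2024-03-01T08:20:03 server=hr-files result=FAIL user=dave reason=bad_password src=198.51.100.4
2024-03-01T08:20:06 server=eft-gw result=FAIL user=dave reason=bad_password src=198.51.100.4
2024-03-01T08:30:00 server=eft-gw result=OK user=carol src=10.0.0.9
"""


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def strip_routine(events):
    """Drop successful logins so the analyst sees only the anomalies."""
    return [e for e in events if e["result"] == "FAIL"]


def summarize_failures(events, guess_threshold=3):
    """Group failures by user and suggest which of the handout's explanations
    the analyst should check first."""
    by_user = defaultdict(list)
    for e in strip_routine(events):
        by_user[e["user"]].append(e)
    summary = {}
    for user, fails in by_user.items():
        reasons = {e["reason"] for e in fails}
        servers = sorted({e["server"] for e in fails})
        if "unknown_user" in reasons:
            verdict = "invalid user ID: possible intrusion attempt"
        elif "not_authorized" in reasons:
            verdict = "legitimate user not authorized for this server"
        elif len(fails) >= guess_threshold and len(servers) > 1:
            verdict = "repeated failures across servers: possible password guessing"
        else:
            verdict = "probably a legitimate user who forgot the password"
        summary[user] = {"attempts": len(fails), "servers": servers, "verdict": verdict}
    return summary


if __name__ == "__main__":
    for user, info in summarize_failures(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['attempts']} failure(s) on {info['servers']} -> {info['verdict']}")
```

The verdicts are prompts for a human analyst, not conclusions: the handout's point is that the person analyzing the log must determine the reason, and the tool's job is to make the volume manageable by removing routine entries and grouping what remains.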
 Intrusion detection systems
o A major weakness of log analysis is that it is labor intensive
and prone to human error.
o Intrusion detection systems (IDS) represent an attempt to
automate part of the monitoring.
o An IDS creates a log of network traffic that was permitted to
pass the firewall.
 Analyzes the logs for signs of attempted or
successful intrusions.
 Most common analysis is to compare logs to a
database containing patterns of traffic associated
with known attacks.
 An alternative technique builds a model representing
“normal” network traffic and uses various statistical
techniques to identify unusual behavior.
o IDS sensors are usually located in several places.
 Most common is just inside the main firewall.
 Some may be placed inside each internal firewall to
monitor the effectiveness of policies governing
employee access to resources.
 Sometimes located just outside the main firewall.
 Provides means to monitor the number of
attempted intrusions that are blocked.
 Can provide early warning that the
organization is being targeted.
 May also be located on individual hosts to provide
warnings of attempts to compromise those systems.
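An added example (not the handout's code) showing the two IDS analysis techniques described above side by side: comparing traffic against a database of patterns associated with known attacks, and building a statistical model of "normal" traffic to flag unusual behaviour. The traffic records, the two signatures and the z-score threshold are constructed for illustration.

```python
"""Two IDS analysis techniques from the handout: matching traffic against a
database of known attack patterns, and a statistical model of "normal"
traffic used to flag unusual behaviour.

Added example (not the handout's code). The traffic records, the two
signatures and the z-score threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Signature database: name -> pattern seen in known attacks (constructed subset).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "null byte in request": re.compile(r"%00"),
}

# Baseline "normal" traffic: ten internal hosts, 1000-1400 bytes each (constructed).
NORMAL_TRAFFIC = [
    {"src": f"10.0.0.{i}", "dst": "192.0.2.10", "bytes": b, "payload": "GET /index.html"}
    for i, b in enumerate([1000, 1100, 1200, 1300, 1400] * 2, start=1)
]

# Traffic observed in the next window (constructed).
OBSERVED_TRAFFIC = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "bytes": 1250, "payload": "GET /reports/q1.pdf"},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "bytes": 300, "payload": "GET /../../private/config"},
    {"src": "10.0.0.99", "dst": "192.0.2.10", "bytes": 2500, "payload": "GET /files/a"},
    {"src": "10.0.0.99", "dst": "192.0.2.10", "bytes": 2500, "payload": "GET /files/b"},
]


def signature_alerts(records):
    """(source, signature name) for every record matching a known pattern."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["payload"]):
                alerts.append((r["src"], name))
    return alerts


def bytes_per_source(records):
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return totals


def build_baseline(normal_records):
    """Model of normal behaviour: mean and standard deviation of bytes per source."""
    values = list(bytes_per_source(normal_records).values())
    return mean(values), pstdev(values)


def anomaly_alerts(records, baseline, z_threshold=3.0):
    """(source, z-score) for sources whose volume is far above the baseline."""
    mu, sigma = baseline
    alerts = []
    for src, total in bytes_per_source(records).items():
        if sigma == 0:
            z = float("inf") if total > mu else 0.0
        else:
            z = (total - mu) / sigma
        if z > z_threshold:
            alerts.append((src, round(z, 1)))
    return alerts
```

The two techniques catch different things: the signature match flags the external host whose request contains a known attack pattern regardless of volume, while the statistical model flags the internal host whose traffic is far above normal even though nothing in its requests matches a signature. That complementarity is why the handout lists both.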
 Managerial reports
o Management reports are another important detective
control.
o Management can use COBIT
o COBIT provides:
 Management guidelines that identify crucial success
factors associated with each objective.
 Key performance indicators that can be used to
assess their effectiveness.
 COBIT key performance indicators:
 Number of incidents with business impact
 Percent of users who do not comply with
password standards
 Percent of cryptographic keys compromised
and revoked
 Although regular review of periodic performance
reports can help ensure that security controls are
adequate, surveys indicate that many organizations
fail to regularly monitor security.
 Periodically testing the effectiveness of existing security
procedures
o The effectiveness of existing security procedures should be
tested periodically.
 One approach is vulnerability scans, which use
automated tools designed to identify whether a
system possesses any well-known vulnerabilities.
 Security Websites such as the Center for Internet
Security (www.cisecurity.org) provide:
 Benchmarks for security best practices.
 Tools to measure how well a system
conforms.
o Penetration testing provides a rigorous way to test the
effectiveness of an organization’s information security.
o This testing involves an authorized attempt by either an
internal audit team or external security consulting firm to
break into the organization’s IS.
o The teams try every possible way to compromise a
company’s system, including:
 Masquerading as custodians, temporary workers, or
confused delivery personnel to get into offices to
locate passwords or access computers.
 Using sexy decoys to distract guards.
 Climbing through roof hatches and dropping through
ceiling panels.
o Some claim they can get into 90% or more of the
companies they attack.
 CORRECTIVE CONTROLS
 COBIT specifies the need to identify and handle security incidents.
 Two of the Trust Services framework criteria for effective security are the
existence of procedures to:
 React to system security breaches and other incidents.
 Take corrective action on a timely basis.
 Three key components that satisfy the preceding criteria are:
 Establishment of a computer emergency response team.
 Designation of a specific individual with organization-wide
responsibility for security.
 An organized patch management system.
 Computer emergency response team
 A key component to being able to respond to security incidents
promptly and effectively is the establishment of a computer
emergency response team (CERT).
o Responsible for dealing with major incidents.
o Should include technical specialists and senior operations
management.
 Some potential responses have significant economic
consequences (e.g., whether to temporarily shut
down an e-commerce server) that require
management input.
 The CERT should lead the organization’s incident response
process through four steps:
o Recognition that a problem exists
 Typically occurs when an IDS signals an alert or as
a result of a system administrator’s log analysis.
o Containment of the problem
 Once an intrusion is detected, prompt action is
needed to stop it and contain the damage.
o Recovery
 Damage must be repaired.
 May involve restoring data from backup and
reinstalling corrupted programs.
o Follow-up
 Once recovery is in process, the CERT should lead
analysis of how the incident occurred.
 Steps should be taken to modify existing security
policy and minimize the likelihood of a similar
incident.
 An important decision is whether to try to catch and
punish the perpetrator.
 If the perpetrator will be pursued, forensic experts
should be involved immediately to ensure that all
possible evidence is collected and maintained in a
manner that makes it admissible in court.
 Communication is vital to all four steps, so multiple methods are
needed for notifying members of CERT (e.g., email, phone, cell
phone).
 It is also important to practice the incident response plan,
including the alert process, so that gaps can be discovered.
 Regular practice helps identify the need for change in response to
technological changes.
o EXAMPLE: A CERT practicing an incident response in
Texas recently realized that the password to a Web
address that was vital to the incident response had been
changed. The CERT did not have the new password.
Better to find this out on a trial run and make provision for
the CERT to be immediately notified of any future
password changes than to discover it in a live incident.
 Designation of a specific individual with organization-wide
responsibility for security.
 A chief security officer (CSO):
o Should be independent of other IS functions and report to
either the COO or CEO.
o Must understand the company’s technology environment
and work with the CIO to design, implement, and promote
sound security policies and procedures.
o Disseminates information about fraud, errors, security breaches,
improper system use, and the consequences of these actions.
o Works with the person in charge of building security, as
that is often the entity’s weakest link.
o Should impartially assess and evaluate the IT environment,
conduct vulnerability and risk assessments, and audit the
CIO’s security measures.
 An organized patch management system.
 Patch management
 Another important corrective control involves fixing known
vulnerabilities and installing latest updates to:
o Anti-virus software
o Firewalls
o Operating systems
o Application programs
 The number of reported vulnerabilities rises each year.
 A primary cause of the rise in reported vulnerabilities is the ever-
increasing size and complexity of software.
 Many widely-used programs contain millions of lines of code.
 Even if 99.9% error free, there would still be 100 vulnerabilities
per million lines.
 Both hackers and security consultants constantly search for these
vulnerabilities.
 Once discovered, the question is how to take advantage of them.
 Hackers usually publish instructions for doing so (known as
exploits) on the Internet.
 Although it takes skill to discover the exploit, once published, it
can be executed by almost anyone.
 Attackers who execute these programmed exploits are referred to
as script kiddies.
 A patch is code released by software developers to fix
vulnerabilities that have been discovered.
 Patch management is the process for regularly applying patches
and updates to all of an organization’s software.
 Challenging to do because:
o Patches can have unanticipated side effects that cause
problems, which means they should be tested before being
deployed.
o There are likely to be many patches each year for each
software program, which may mean that hundreds of
patches will need to be applied to thousands of machines.
 Intrusion prevention systems may provide great promise if they
can be quickly updated to respond to new vulnerabilities and block
new exploits, so that the entity can buy time to:
o Thoroughly test the patches.
o Apply the patches.
CONFIDENTIALITY

• Maintaining confidentiality requires that management identify which information is
sensitive.
• Each organization will develop its own definitions of what information needs to be
protected.
• Most definitions will include:
• Business plans
• Pricing strategies
• Client and customer lists
• Legal documents
• COBIT control objective PO 2.3 specifies the need to identify and to
properly label potentially sensitive information, to assign responsibility for
its protection, and to implement appropriate controls.
• Key controls to protect confidentiality of information

• Encryption is a fundamental control procedure for protecting the confidentiality of
sensitive information.
• Confidential information should be encrypted:
• While stored
• Whenever transmitted

• The Internet provides inexpensive transmission, but data is easily intercepted.
• Encryption solves the interception issue.
• If data is encrypted before sending it, a virtual private network (VPN) is created.
• Provides the functionality of a privately owned network
• But uses the Internet
• Use of VPN software creates private communication channels, often referred to as
tunnels.
• The tunnels are accessible only to parties who have the appropriate encryption
and decryption keys.
• Cost of the VPN software is much less than costs of leasing or buying a
privately-owned, secure communications network.
• Also, makes it much easier to add or remove sites from the “network.”
• It is critical to encrypt any sensitive information stored in devices that are easily lost or
stolen, such as laptops, PDAs, cell phones, and other portable devices.
• Many organizations have policies against storing sensitive information on these
devices.
• 81% of users admit they do so anyway.
• Encryption alone is not sufficient to protect confidentiality.
• Given enough time, many encryption schemes can be broken.
• Access controls are also needed:
• To prevent unauthorized parties from obtaining the encrypted data; and
• Because not all confidential information can be encrypted in storage.
• Strong authentication techniques are necessary.
• Strong authorization controls should be used to limit the actions (read, write, change,
delete, copy, etc.) that authorized users can perform when accessing confidential
information.
• Access to system outputs should also be controlled:
• Do not allow visitors to roam through buildings unsupervised.
• Require employees to log out of any application before leaving their workstation
unattended, so other employees do not have unauthorized access.
• Workstations should use password-protected screen savers that automatically
engage when there is no activity for a specified period.
• Access should be restricted to rooms housing printers and fax machines.
• Reports should be coded to reflect the importance of the information therein,
and employees should be trained not to leave reports with sensitive information
laying in plain view.
• It is especially important to control disposal of information resources.
• Printed reports and microfilm with sensitive information should be shredded
• COBIT control objective DS 11.4 addresses the need to define and
implement procedures governing the disposal of sensitive data and any
hardware on which that data was stored.
• Special procedures are needed for information stored on magnetic and optical media.
• Using built-in operating system commands to delete the information does
not truly delete it, and utility programs will often be able to recover these
files.
• De-fragmenting a disk may actually create multiple copies of a “deleted”
document.
• Consequently, special software should be used to “wipe” the media clean by
repeatedly overwriting the disk with random patterns of data (sometimes
referred to as “shredding” a disk).
• Magnetic disks and tapes can be run through devices to demagnetize them.
• The safest alternative may be to physically destroy disks with highly
sensitive data.
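An added illustration of the "wipe" step described above (example code written for this handout, not from the textbook or any vendor tool): a Python routine that overwrites a file's bytes several times with random data and then with zeros, forces each pass to disk, and only then unlinks the file. The sample file content, the file-name prefix and the three-pass default are assumptions made for the example. Caveat: this file-level approach only works on filesystems that rewrite data in place; on SSDs and on journaling or copy-on-write filesystems the old blocks may survive, so for highly sensitive media use whole-device sanitization (the drive's own secure-erase command) or physical destruction, as the handout recommends.

```python
import os
import secrets
import tempfile

# Constructed sample content standing in for a sensitive report; not real data.
SAMPLE_SECRET = b"Customer SSN 123-45-6789 (constructed sample record)\n"
SAMPLE_COPIES = 200


def make_sample_file(directory=None):
    """Create a temporary file holding the constructed sensitive content; returns its path."""
    fd, path = tempfile.mkstemp(prefix="report-", suffix=".txt", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_SECRET * SAMPLE_COPIES)  # ~10 KB, so the chunk loop runs more than once
    return path


def overwrite_in_place(path, passes=3, chunk_size=4096):
    """Overwrite every byte of the file `passes` times with random data and once
    more with zeros, forcing each pass to the device with fsync.

    The file is opened read/write and its size is never changed, so on a
    conventional in-place filesystem the blocks already allocated to the file
    are the ones rewritten. Returns the total number of bytes written.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pass_no in range(passes + 1):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                # random pattern on the first `passes` passes, zeros on the final pass
                block = secrets.token_bytes(n) if pass_no < passes else b"\x00" * n
                f.write(block)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return written


def wipe_file(path, passes=3):
    """Overwrite the file, then unlink it. Returns a small result dict."""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return {"bytes_written": written, "removed": not os.path.exists(path)}


if __name__ == "__main__":
    target = make_sample_file()
    print(wipe_file(target))
```

The important detail is that the file is overwritten through the same open handle and at the same size, so the filesystem has no reason to allocate new blocks; a routine that truncated and rewrote the file, or that wrote a new file and renamed it over the old one, would leave the original blocks untouched.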
• Controls to protect confidentiality must be continuously reviewed and modified to
respond to new threats created by technological advances.
• Many organizations now prohibit visitors from using cell phones while touring their
facilities because of the threat caused by cameras in these phones.
• Because these devices are easy to hide, some organizations use jamming devices to
deactivate their imaging systems while on company premises.
• Phone conversations have also been affected by technology.
• Voice over IP (VoIP) technology means that phone conversations are routed in packets
over the Internet.
• Because those packets can be captured anywhere along the route, wiretapping is much
easier, so conversations about sensitive topics should be encrypted.
• Employee use of email and instant messaging (IM) probably represents two of the
greatest threats to the confidentiality of sensitive information.
• Once a message is in the recipient's hands, its further distribution is virtually
impossible to control.
• Organizations need to develop comprehensive policies governing the appropriate and
allowable use of these technologies for business purposes.
• Employees need to be trained on what type of information they can and cannot share,
especially with IM.
• Many organizations are taking steps to address the confidentiality threats created by
email and IM.
• One response is to mandate encryption of all email with sensitive information.
• Some organizations prohibit use of freeware IM products and purchase commercial
products with security features, including encryption.
• Users sending emails must be trained to be very careful about the identity of their
addressee.
• EXAMPLE: The organization may have two employees named Allen Smith. It’s critical
that sensitive information go to the correct Allen Smith.
PRIVACY
• In the Trust Services framework, the privacy principle is closely related to the
confidentiality principle.
• Primary difference is that privacy focuses on protecting personal information about
customers rather than organizational data.
• Key controls for privacy are the same that were previously listed for confidentiality.
• COBIT section DS 11 addresses the management of data and specifies the need to
comply with regulatory requirements.
• In the USA, a number of regulations, including the Health Insurance Portability and
Accountability Act (HIPAA) and the Financial Services Modernization Act (aka the
Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer
information.
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally
recognized best practices for protecting the privacy of customers’ personal
information:
• Management
• The organization establishes a set of procedures and policies for protecting
privacy of personal information it collects.
• Assigns responsibility and accountability for those policies to a specific person
or group.
• Notice
• Provides notice about its policies and practices when it collects the information
or as soon as practicable thereafter.
• Choice and Consent
• Describes the choices available to individuals and obtains their consent
to the collection and use of their personal information.
• Choices may differ across countries.
• United States—The default is “opt out,” i.e., organizations can
collect personal information about customers unless the customer
explicitly objects.
• Europe—The default is “opt in,” i.e., they can’t collect the
information unless customers explicitly give them permission.
• Collection
• The organization collects only that information needed to fulfill the
purposes stated in its privacy policies.
• Use and retention
• The organization uses its customers’ personal information only according
to stated policy and retains that information only as long as needed.
• Access
• The organization provides individuals with the ability to access, review,
correct, and delete the personal information stored about them.
• Disclosure to third parties
• The organization discloses customers’ personal information to third
parties only per stated policy and only to third parties who provide
equivalent protection.
• Security
• The organization takes reasonable steps to protect customers’ personal
information from loss or unauthorized disclosure.
• Issues that are sometimes overlooked:
• Disposal of computer equipment
• Should follow the suggestions presented in the section on
protection of confidentiality.
• Email
• If you send emails to a list of recipients, each recipient
typically knows who the other recipients are.
• If the email regards a private issue, e.g., perhaps it pertains
to their AIDS treatment, then the privacy of all recipients
has been violated.
• Quality
• The organization maintains the integrity of its customers’ personal
information.
• Monitoring and enforcement
• The organization assigns one or more employees to be responsible for
assuring and verifying compliance with its stated policies.
As with confidentiality, encryption and access controls are the two basic mechanisms for
protecting consumers' personal information.
• It is common practice to use SSL/TLS to encrypt all personal information
transmitted between individuals and the organization's Website.
• However, SSL/TLS only protects the information in transit; it does nothing for the
data once it is stored on the organization's servers.
• Consequently, strong authentication controls are needed to restrict Website
visitors' access to individual accounts.
Organizations should consider encrypting customers' personal information in storage.
• May be economically justified, because many state breach-notification laws require
companies to notify affected customers of security incidents.
• The notification process is costly, but the requirement is often waived if the
compromised information was encrypted while in storage.
• Organizations need to train employees on how to manage personal information
collected from customers.
• Especially important for medical and financial information.
• Intentional misuse or unauthorized disclosure can have serious economic
consequences, including:
• Drop in stock price
• Significant lawsuits
• Government suspension of the organization’s business activity
• One topic of concern is cookies used on Web sites.
• A cookie is a text file created by a Website and stored on a visitor’s hard drive.
It records what the visitor has done on the site.
• Most Websites create multiple cookies per visit to make it easier for visitors to
navigate the site.
• Browsers can be configured to refuse cookies, but it may make the Website
inaccessible.
• Cookies are text files and cannot “do” anything other than store information, but
many people worry that they violate privacy rights.

• Another privacy-related issue that is of growing concern is identity theft.
• Organizations have an ethical and moral obligation to implement controls to
protect databases that contain their customers’ personal information.
• Steps that individuals can take to minimize the risk of becoming a victim of
identity theft include:
• Shred all documents that contain personal information, especially
unsolicited credit card offers. Cross-cut shredders are more effective than
strip-cut shredders.
• Never send personally identifying information in unencrypted email.
• Beware of email, phone, and print requests to “verify” personal
information that the requesting party should already possess.
• Credit card companies won’t ask for your security code.
• The IRS won’t email you for identifying information in response to
an audit.
• Do not carry your social security card with you or comply with requests to
reveal the last 4 digits.
• Limit the amount of identifying information preprinted on checks and
consider eliminating it.
• Do not place outgoing mail with checks or personal information in your
mailbox for pickup.
• Don’t carry more than a few blank checks with you.
• Use special software to thoroughly clean any digital media before
disposal, or physically destroy the media. It is especially important to
thoroughly erase or destroy hard drives before donating or disposing of
equipment.
• Monitor your credit reports regularly.
• File a police report as soon as you discover that your purse or wallet was
stolen.
• Make photocopies of driver’s licenses, passports, and credit cards. Store
them with phone numbers for all the credit cards in a safe location to
facilitate notifying authorities if they are stolen.
• Immediately cancel any lost or stolen credit cards.
• A related concern involves the overwhelming volume of spam.
• Spam is unsolicited email that contains either advertising or
offensive content.
• Reduces the efficiency benefits of email.
• Is a source of many viruses, worms, spyware, and other
malicious content.
• In 2003, the U.S. Congress passed the Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM) Act.
• Provides criminal and civil penalties for violation of the law.
• Applies to commercial email, which is any email with a primary purpose of
advertising or promotion.
• Covers most legitimate email sent by organizations to customers, suppliers, or
donors to non-profits.

• Consequently, organizations must carefully follow the CAN-SPAM guidelines, which
include:
• The sender’s identity must be clearly displayed in the message header.
• The subject field in the header must clearly identify the message as an
advertisement or solicitation.
• The body must provide recipients with a working link that can be used to “opt
out” of future email.
• The body must include the sender’s valid postal address.
• Organizations should not:
• Send email to randomly generated addresses
• Set up Websites designed to harvest email addresses of potential
customers.

PROCESSING INTEGRITY
• COBIT control objective DS 11.1 addresses the need for controls over the input,
processing, and output of data.
• Identifies six categories of controls that can be used to satisfy that objective.
• Six categories are grouped into three for discussion.
• Three categories/groups of integrity controls are designed to meet the preceding
objectives:
• Input Control
• Processing Control
• Output Control

Input Controls:
• If the data entered into a system is inaccurate or incomplete, the output will be, too.
(Garbage in, garbage out.)
• Companies must establish control procedures to ensure that all source documents are
authorized, accurate, complete, properly accounted for, and entered into the system or
sent to their intended destination in a timely manner.

The following input controls regulate the integrity of input:
• Forms Design
o Source documents and other forms should be designed to help ensure that
errors and omissions are minimized.
• Pre-numbered forms sequence test
o Pre-numbering helps verify that no items are missing.
o When sequentially pre-numbered input documents are used, the system
should be programmed to identify and report missing or duplicate form
numbers.
• Turnaround documents
o Documents sent to external parties that are prepared in machine-readable
form to facilitate their subsequent processing as input records.
o Example: the stub that is returned by a customer when paying a utility bill.
o Are more accurate than manually-prepared input records.
• Cancellation and storage of documents
o Documents that have been entered should be canceled
▪ Paper documents are stamped "paid" or otherwise defaced
▪ A flag field is set on electronic documents.
o Canceling documents does not mean destroying documents.
o They should be retained as long as needed to satisfy legal and regulatory
requirements.
• Authorization and Segregation of duties
o Source documents should be prepared only by authorized personnel acting
within their authority.
o Employees who authorize documents should not be assigned incompatible
functions.
• Visual Scanning
o Documents should be scanned for reasonableness and propriety.
• RFID security (discussed under Processing Controls below)

DATA ENTRY CONTROLS


Once data is collected, data entry control procedures are needed to ensure that it is entered
correctly. Common tests to validate input include:
• Field Check
o Determines if the characters in a field are of the proper type.
o Example: The characters in a social security number field should all be numeric.
• Sign Check
o Determines if the data in a field have the appropriate arithmetic sign.
o Example: The number of hours a student is enrolled in during a semester could
not be a negative number.
• Limit Check
o Tests whether an amount exceeds a predetermined value.
o Example: A university might use a limit check to make sure that the hours a
student is enrolled in do not exceed 21.
• Range Check
o Similar to a limit check, but it tests both the lower and upper ends of a range.
o Example: An hourly wage rate should fall between 150 and 300.
• Size or Capacity Check
o Ensures that the data will fit into the assigned field.
o Example: A social security number of 10 digits would not fit in the 9-digit social
security field.
• Completeness Check
o Determines if all required items have been entered.
o Example: Has the student's billing address been entered along with enrollment
details?
• Validity Check
o Compares the value entered to a file of acceptable values.
o Example: Does the state code entered for an address match one of the 50 valid
state codes?
• Reasonableness Check
o Determines whether a logical relationship between two fields seems to be correct.
o Example: A freshman with annual financial aid of $60,000 is probably not
reasonable.
• Check Digit Verification
o An additional digit called a check digit can be appended to account numbers,
policy numbers, ID numbers, etc.
o Data entry devices then perform check digit verification by using the original
digits in the number to recalculate the check digit.
o If the recalculated check digit does not match the digit recorded on the source
document, that result suggests that an error was made in recording or entering
the number.
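To show how these tests fit together in code, the following added example (written for this handout, not from the textbook) applies each check to a constructed student-enrollment record and returns the list of failed checks. The field names, the subset of valid state codes, the 21-hour limit, the 150-300 wage range, the $40,000 reasonableness threshold for a freshman, and the use of the mod-10 (Luhn) algorithm for check digit verification are assumptions for the example; the handout does not specify a check-digit algorithm.

```python
# Constructed reference data for the example; a real system would read these
# from the master files the handout mentions (e.g., a table of valid state codes).
VALID_STATE_CODES = {"CA", "NY", "TX", "WA"}
MAX_CREDIT_HOURS = 21                 # limit check threshold (assumed)
HOURLY_WAGE_RANGE = (150, 300)        # range check bounds (from the handout's example)
MAX_FRESHMAN_AID = 40_000             # reasonableness threshold (assumed)
REQUIRED_FIELDS = ("student_id", "ssn", "credit_hours", "state", "billing_address")


def luhn_check_digit_ok(number):
    """Check digit verification using the mod-10 (Luhn) scheme, an assumption for
    this example. The rightmost digit is the check digit; the weighted sum over
    all digits must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_enrollment(record):
    """Run the handout's data entry checks on one record (a dict).
    Returns a list of (check_name, message) pairs; an empty list means the record passed."""
    errors = []

    # Completeness check: every required item is present and non-empty
    for field in REQUIRED_FIELDS:
        if record.get(field) in (None, ""):
            errors.append(("completeness", f"{field} is missing"))

    ssn = record.get("ssn") or ""
    if ssn and not ssn.isdigit():          # Field check: proper character type
        errors.append(("field", "ssn must contain only digits"))
    if ssn and len(ssn) != 9:              # Size check: fits the 9-digit field
        errors.append(("size", "ssn must be exactly 9 digits"))

    hours = record.get("credit_hours")
    if hours is not None:
        if hours < 0:                      # Sign check
            errors.append(("sign", "credit_hours cannot be negative"))
        if hours > MAX_CREDIT_HOURS:       # Limit check: upper bound only
            errors.append(("limit", f"credit_hours exceeds {MAX_CREDIT_HOURS}"))

    wage = record.get("hourly_wage")
    if wage is not None:
        low, high = HOURLY_WAGE_RANGE
        if not low <= wage <= high:        # Range check: both ends
            errors.append(("range", f"hourly_wage must be between {low} and {high}"))

    state = record.get("state")
    if state and state not in VALID_STATE_CODES:   # Validity check: file of acceptable values
        errors.append(("validity", f"unknown state code {state}"))

    # Reasonableness check: logical relationship between two fields
    if record.get("class_year") == "freshman" and record.get("financial_aid", 0) > MAX_FRESHMAN_AID:
        errors.append(("reasonableness", "financial aid unusually high for a freshman"))

    sid = record.get("student_id") or ""
    if sid and (not sid.isdigit() or not luhn_check_digit_ok(sid)):   # Check digit verification
        errors.append(("check_digit", "student_id failed check digit verification"))

    return errors


# Constructed sample records (not real people).
GOOD_RECORD = {"student_id": "79927398713", "ssn": "123456789", "credit_hours": 15,
               "hourly_wage": 200, "state": "CA", "billing_address": "1 Main St",
               "class_year": "sophomore", "financial_aid": 12_000}
BAD_RECORD = {"student_id": "79927398710", "ssn": "12345678X9", "credit_hours": -3,
              "hourly_wage": 500, "state": "ZZ", "billing_address": "",
              "class_year": "freshman", "financial_aid": 60_000}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, validate_enrollment(rec))
```

Note that the checks are independent and all of them run, so the error log described below receives every problem with a record in one pass rather than stopping at the first failure, which is what lets the batch be corrected and resubmitted once.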
• The preceding tests are used for batch processing and online real-time processing.
• Both processing approaches also have some additional controls that are unique to
each approach.

• Additional Batch Processing Data Entry Controls
• In addition to the preceding controls, when using batch processing, the
following data entry controls should be incorporated.
• Sequence check
• Tests whether the data is in the proper numerical or alphabetical
sequence.
• Error Log
• Records information about data input or processing errors (when
they occurred, cause, when they were corrected and resubmitted).
• Errors should be investigated, corrected, and resubmitted on a
timely basis (usually with the next batch) and subjected to the
same input validation routines.
• The log should be reviewed periodically to ensure that all errors
have been corrected and then used to prepare an error report,
summarizing errors by record type, error type, cause, and
disposition.
• Batch totals
• Summarize key values for a batch of input records. Commonly
used batch totals include:
• Financial totals—sums of fields that contain dollar values, such as
total sales.
• Hash totals—sums of nonfinancial fields, such as the sum of all
social security numbers of employees being paid.
• Record count—count of the number of records in a batch.
• These batch totals are calculated and recorded when data is
entered and used later to verify that all input was processed
correctly.

• Additional On-line Data Entry Controls
• On-line data entry controls include:
• Automatic entry of data
• Whenever possible, the system should automatically enter
transaction data, such as next available document number or new
ID number.
• Saves keying time and reduces errors.
• Prompting
• System requests each input item and waits for an acceptable
response.
• Pre-formatting
• Fields that need to be completed are highlighted.
• Closed-loop verification
• Checks accuracy of input data by retrieving related information.
• Example: When a customer’s account number is entered, the
associated customer’s name is displayed on the screen so the
user can verify that entries are being made for the correct
account.
• Transaction logs
• Maintains a detailed record of all transaction data, including:
• A unique transaction identifier
• Date and time of entry
• Terminal from which entry is made
• Transmission line
• Operator identification
• Sequence in which transaction is entered
• The log can be used to reconstruct a file that is damaged or can
be used to ensure transactions are not lost or entered twice if a
malfunction shuts down the system.
• Error messages
• Should indicate when an error occurred, which item, and how it
should be corrected.

PROCESSING CONTROLS
These are the controls to ensure that data is processed correctly.
• Data matching
• Two or more items must match before processing can proceed.
• Example: The quantity billed on the vendor invoice must match the quantity
ordered on the purchase order and the quantity received on the receiving report.
• File labels
• External labels should be checked visually to ensure the correct and most current
files are being updated.
• There are also two important types of internal labels to be checked.
• The header record, located at the beginning of each file, contains the file name,
expiration date, and other identification data.
• The trailer record at the end of the file contains the batch totals calculated
during input.
• Recalculation of batch totals
• Batch totals should be recomputed as processing takes place.
• These totals should be compared to the totals in the trailer record.
• Discrepancies indicate processing errors, such as:
• If the recomputed record count is smaller than the original count, one or
more records were not processed.
• If the recomputed record count is larger than the original, then additional
unauthorized transactions were processed or some authorized transactions
were processed twice.
• If the discrepancy between totals is evenly divisible by 9, there was probably
a transposition error (two adjacent digits were reversed; e.g., 54 entered as 45
differs by 9).
• Cross-footing balance test
• Compares arithmetic results produced by two different methods to verify
accuracy.
• EXAMPLE: Compute the sum of column totals in a spreadsheet and
compare it to a sum of the row totals.
• Write protection mechanisms
• Protect against accidental writing over or erasing of data files but are not
foolproof.
• RFID security
• Many businesses are replacing bar codes and manual tags with radio
frequency identification (RFID) tags that can store up to 128 bytes of data.
• These tags should be write-protected so that unscrupulous customers
cannot change price information on merchandise.
• Database processing integrity procedures
• Database systems use database administrators, data dictionaries, and
concurrent update controls to ensure processing integrity.
• The administrator establishes and enforces procedures for accessing and
updating the database.
• The data dictionary ensures that data items are defined and used
consistently.
• Concurrent update controls protect records from being updated by two users
simultaneously.
• Locks one user out until the other has finished processing.
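The batch totals listed under the batch processing data entry controls above, and the diagnosis of discrepancies described under recalculation of batch totals, as one added worked example (written for this handout, not from the textbook). It uses a constructed three-record payroll batch with amounts in cents, computes the financial total, hash total (sum of employee SSNs) and record count, and then applies the handout's rules to the recomputed totals: a smaller count means records were dropped, a larger count means duplicate or unauthorized records, and a financial difference divisible by 9 with an unchanged count suggests a transposition. The SSNs and amounts are made up.

```python
# Constructed payroll batch: (employee SSN as 9 digits, net pay in cents).
SAMPLE_BATCH = [
    ("111223333", 150_000),
    ("222334444", 98_750),
    ("333445555", 120_000),
]


def batch_totals(records):
    """Compute the three control totals for a batch of (ssn, amount_cents) records.
    Amounts are kept in integer cents so the divisible-by-9 test is exact."""
    return {
        "financial_total_cents": sum(cents for _, cents in records),  # financial total
        "hash_total": sum(int(ssn) for ssn, _ in records),            # hash total
        "record_count": len(records),                                  # record count
    }


def diagnose(control, recomputed):
    """Compare the totals recorded at input (the trailer record) with totals
    recomputed after processing and return a list of findings."""
    findings = []
    count_diff = recomputed["record_count"] - control["record_count"]
    if count_diff < 0:
        findings.append(f"{-count_diff} record(s) not processed")
    elif count_diff > 0:
        findings.append(f"{count_diff} extra record(s): unauthorized or duplicated transactions")

    # With the count unchanged, a financial difference points at a keying error;
    # one divisible by 9 is the classic signature of two adjacent digits reversed.
    money_diff = recomputed["financial_total_cents"] - control["financial_total_cents"]
    if count_diff == 0 and money_diff != 0:
        if money_diff % 9 == 0:
            findings.append(f"financial total off by {money_diff} cents, divisible by 9: "
                            "probable transposition")
        else:
            findings.append(f"financial total off by {money_diff} cents")

    # The hash total catches a wrong identifier even when the money still balances.
    if count_diff == 0 and recomputed["hash_total"] != control["hash_total"]:
        findings.append("hash total mismatch: an employee identifier was mis-keyed or substituted")
    return findings


if __name__ == "__main__":
    control = batch_totals(SAMPLE_BATCH)
    processed = [("111223333", 150_000), ("222334444", 89_750), ("333445555", 120_000)]
    print(control)
    print(diagnose(control, batch_totals(processed)))
```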

OUTPUT CONTROLS
• Careful checking of system output provides additional control over processing integrity.
Output Controls include:
• User review of output
• Users carefully examine output for reasonableness, completeness, and to
assure they are the intended recipient.
• Reconciliation procedures
• Periodically, all transactions and other system updates should be reconciled to
control reports, file status/update reports, or other control mechanisms.
• Control accounts should also be reconciled to subsidiary account totals.
• External data reconciliation
• Database totals should periodically be reconciled with data maintained outside
the system.
• EXAMPLE: Compare number of employee records in the payroll file to number
in the human resources file. (Excess records in payroll suggest a "ghost"
employee.)

AVAILABILITY
• Reliable systems are available for use whenever needed.
• Threats to system availability originate from many sources, including:
• Hardware and software failures
• Natural and man-made disasters
• Human error
• Worms and viruses
• Denial-of-service attacks and other sabotage
• Proper controls can minimize the risk of significant system downtime caused by the
preceding threats.
• It is impossible to totally eliminate all threats.
• Consequently, organizations must develop disaster recovery and business continuity
plans to enable them to quickly resume normal operations after such an event.

• Minimizing Risk of System Downtime
• Loss of system availability can cause significant financial losses, especially if
the system affected is essential to e-commerce.
• Organizations can take a variety of steps to minimize the risk of system
downtime.
• Physical and logical access controls can reduce the risk of successful
denial-of-service attacks.
• Good information security reduces risk of theft or sabotage of IS
resources.
• COBIT control objective DS 13.5 identifies the need for preventive maintenance.
Examples:
• Cleaning disk drives
• Properly storing magnetic and optical media
• Use of redundant components can provide fault tolerance, which enables the system
to continue functioning despite failure of a component. Examples of redundant
components:
• Dual processors
• Arrays of multiple hard drives.
• COBIT control objectives DS 12.1 and 12.4 address the importance of proper location
and design of rooms housing mission-critical servers and databases.
• Raised floors protect from flood damage.
• Fire protection and suppression devices reduce likelihood of fire damage.
• Adequate air conditioning reduces likelihood of damage from over-heating or
humidity.
• Cables with special plugs that cannot be easily removed reduce risk of damage
due to accidentally unplugging.
• An uninterruptible power supply (UPS) provides battery power during a power
outage, buying the system enough time to back up critical data and shut
down safely (or to keep running until a generator takes over).
• Training is especially important.
• Well-trained operators are less likely to make mistakes and more able to
recover if they do.
• Security awareness training, particularly concerning safe email and Web-
browsing practices, can reduce risk of virus and worm infection.
• Anti-virus software should be installed, run, and kept current.
• Email should be scanned for viruses at both the server and desktop levels.
• Newly acquired software and disks, CDs, or DVDs should be scanned and
tested first on a machine that is isolated from the main network.

Disaster Recovery and Business Continuity Planning
• Disaster recovery and business continuity plans are essential if an organization
hopes to survive a major catastrophe.
• Being without an IS for even a short period of time can be quite costly—some
report as high as half a million dollars per hour.
• Yet many large U.S. companies do not have adequate disaster recovery and
business continuity plans.
• Experience suggests that companies which experience a major disaster
resulting in loss of use of their information system for more than a few days
have a greater than 50% chance of going out of business.

The objectives of a disaster recovery and business continuity plan are to:
• Minimize the extent of the disruption, damage, and loss
• Temporarily establish an alternative means of processing information
• Resume normal operations as soon as possible
• Train and familiarize personnel with emergency operations

First Key: Data Backup Procedures
• Data need to be backed up regularly and frequently.
• A backup is an exact copy of the most current version of a database. It is
intended for use in the event of a hardware or software failure.
• The process of installing the backup copy for use is called restoration.
• Several different backup procedures exist.
• A full backup is an exact copy of the data recorded on another physical
media (tape, magnetic disk, CD, DVD, etc.)
• Restoration involves bringing the backup copy online.
• Full backups are time consuming, so most organizations:
• Do full backups weekly
• Supplement with daily partial backups.
• Two types of partial backups are possible:
• Incremental backup
• Involves copying only the data items that have changed since the
last backup.
• Produces a set of incremental backup files, each containing the
results of one day’s transactions.
• Restoration:
• First load the last full backup.
• Then install each subsequent incremental backup in the proper
sequence.
• Differential backup
• All changes made since the last full backup are copied.
• Each new differential backup file contains the cumulative effects
of all activity since the last full backup.
• Will normally take longer to do the backup than when incremental
backup is used.
• Restoration:
• First load the last full backup.
• Then install the most recent differential backup file.
• Incremental and differential backups are both made daily.
• Additional intra-day backups are often made for mission-critical databases.
• Periodically, the system makes a copy of the database at that point in time,
called a checkpoint, and stores the copy on backup media.
• If a hardware or software fault interrupts processing, the checkpoint is used to
restart the system.
• The only transactions that need to be reprocessed are those that occurred
since the last checkpoint.
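Added example (written for this handout, not from the textbook) simulating the backup and restoration procedures just described over a small in-memory "database" (a Python dict of record id to value, an assumption for the example). The same three days of activity are captured both as incremental and as differential backups. The example shows that restoration from either yields the live database, that the differential files grow while the incremental files stay small, and what is recovered when one incremental file in the chain is lost.

```python
# Constructed in-memory "database": record id -> value. A deleted record is
# represented in a partial backup by a None tombstone.
INITIAL_DB = {"A": "a0", "B": "b0", "C": "c0"}


def changes(old, new):
    """Delta from state `old` to state `new`: added or changed keys map to their new
    value, deleted keys map to None."""
    delta = {k: v for k, v in new.items() if old.get(k) != v}
    delta.update({k: None for k in old if k not in new})
    return delta


def apply_delta(state, delta):
    """Apply a delta in place and return the state."""
    for k, v in delta.items():
        if v is None:
            state.pop(k, None)
        else:
            state[k] = v
    return state


class BackupSet:
    """A full backup plus, each day, both an incremental and a differential partial
    backup of the same database, so the two schemes can be compared directly."""

    def __init__(self, db):
        self.full = dict(db)           # the full backup
        self.state_at_full = dict(db)  # baseline for differentials
        self.state_at_last = dict(db)  # baseline for incrementals
        self.incrementals = []
        self.differentials = []

    def daily_backup(self, db):
        self.incrementals.append(changes(self.state_at_last, db))   # since last backup of any kind
        self.differentials.append(changes(self.state_at_full, db))  # since last full backup
        self.state_at_last = dict(db)

    def restore_incremental(self, missing=None):
        """Load the full backup, then every incremental in sequence. `missing` is the
        index of one incremental file that is lost or unreadable (None = all present)."""
        state = dict(self.full)
        for i, delta in enumerate(self.incrementals):
            if i != missing:
                apply_delta(state, delta)
        return state

    def restore_differential(self):
        """Load the full backup, then only the most recent differential."""
        state = dict(self.full)
        if self.differentials:
            apply_delta(state, self.differentials[-1])
        return state


def run_scenario():
    """Three days of activity after the full backup: update A and add D; delete B and
    add E; update A again. Returns what each restoration method recovers."""
    db = dict(INITIAL_DB)
    backups = BackupSet(db)
    for day in ({"A": "a1", "D": "d0"}, {"B": None, "E": "e0"}, {"A": "a3"}):
        apply_delta(db, day)
        backups.daily_backup(db)
    return {
        "live": dict(db),
        "incremental": backups.restore_incremental(),
        "differential": backups.restore_differential(),
        "incremental_day2_lost": backups.restore_incremental(missing=1),
        "incremental_sizes": [len(d) for d in backups.incrementals],
        "differential_sizes": [len(d) for d in backups.differentials],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The failure mode worth noticing is the lost incremental: restoration still completes without error, but the recovered database silently keeps a record that was deleted and lacks one that was added, which is why the handout's advice to keep multiple copies and to practise restoration applies to every file in the chain, not only the full backup.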
• Whichever backup procedure is used, multiple backup copies should be
created:
• One can be stored on-site for use in minor incidents.
• At least one additional copy should be stored off-site to be safe should a
disaster occur
• Mirroring (maintaining two copies of the database at two separate data centers)
is an alternative to these traditional backup methods. Mirroring is used by
organizations such as financial institutions and airlines, which cannot afford to lose
transactions.
• The offsite copies can be transported to remote storage physically or
electronically.
• The same security controls should apply as to original copies.
• Sensitive data should be encrypted in storage and during transmission.
• Access to the backup files should be carefully controlled and monitored.
• Backups are retained for only a fixed period of time.
• An archive is a copy of a database, master file, or software that will be retained
indefinitely as an historical record, usually to satisfy legal and regulatory requirements.
• Multiple copies of archives should be made and stored in different locations.
• Appropriate security controls should also be applied to these files.
• Tape or disk?
• Disk backup is faster and disks are less easily lost. Tape, however, is cheaper, easier
to transport, and more durable.
• Many organizations use both.
• Data is first backed up to disk, for speed, and then transferred to tape.
• Archives are usually stored on tape
• Special attention should be paid to email, because it has become an important archive
of organizational behavior and information.
• Access to email is often important when companies are embroiled in lawsuits.
• Organizations may be tempted to adopt a policy of periodically deleting all email to
prevent a plaintiff’s attorney from finding a “smoking gun.”

Most experts advise against such policies and recommend that organizations include email in
their backup and archive procedures because:
• There are likely to be copies of the email stored in locations outside the organization.
• Such a policy would mean that the organization would not be able to tell its side of the
story.
• Also, courts have sanctioned companies for failing to provide timely access to email.

Second Key: Provisions for access to replacement infrastructure (equipment,
facilities, phone lines, etc.)
• How much time can the organization afford to be without its information system? The
recovery time objective (RTO) represents the time following a disaster by which the
organization’s information system must be available again.
• Infrastructure Replacement
– Major disasters can totally destroy an organization’s information processing
center or make it inaccessible.
– A key component of disaster recovery and business continuity plans
incorporates provisions for replacing the necessary computing infrastructure,
including:
• Computers
• Network equipment and access
• Telephone lines
• Office equipment
• Supplies
– It may even be necessary to hire temporary staff.

• Organizations have three basic options for replacing computer and networking
equipment.
– Reciprocal agreements
• The least expensive approach.
• The organization enters into an agreement with another organization that
uses similar equipment to have temporary access to and use of their
information system resources in the event of a disaster.
• Effective solutions for disasters of limited duration and magnitude, especially
for small organizations.
• Not optimal in major disasters as:
– The host organization may also be affected.
– The host also needs the resources.
• Cold sites
• An empty building is purchased or leased and pre-wired for necessary
telephone and Internet access.
• Contracts are created with vendors to provide all necessary computer and
office equipment within a specified period of time.
• Still leaves the organization without use of the IS for a period of time.
• Hot sites
• Most expensive solution but used by organizations like financial institutions
and airlines which cannot survive any appreciable time without their IS.
• The hot site is a facility that is pre-wired for phone and Internet (like the cold
site) but also contains the essential computing and office equipment.
• It is a backup infrastructure designed to provide fault tolerance in the event
of a major disaster.

• Third key: Thorough Documentation
– An important and often overlooked component. Should include:
• The disaster recovery plan itself, including instructions for notifying
appropriate staff and the steps to resume operation, needs to be well
documented.
• Assignment of responsibility for the various activities.
• Vendor documentation of hardware and software.
• Documentation of modifications made to the default configuration (so
replacement will have the same functionality).
• Detailed operating instructions.
– Copies of all documentation should be stored both on-site and off-site.
• Fourth Key: Periodic Testing
– Periodic testing and revision is probably the most important component
of effective disaster recovery and business continuity plans.
– Most plans fail their initial test, because it is impossible to anticipate
everything that could go wrong.
– The time to discover these problems is before the actual emergency and
in a setting where the weaknesses can be carefully analyzed and
appropriate changes made.
– Plans should be tested on at least an annual basis to ensure they reflect
recent changes in equipment and procedures.
– It is important to test the procedures involved in executing reciprocal agreements
or moving to hot or cold sites.
– Backup restoration procedures also require practice.
– Brainstorming sessions involving mock scenarios can be effective in
identifying gaps and shortcomings.
– More realistic and detailed simulations or drills should also be
performed, although not to the extent of completely performing
every activity.
– Experts recommend testing individual components of the plans
separately, because it is too difficult and costly to simulate and
analyze every aspect simultaneously.
– The plan documentation needs to be updated to reflect any changes in
procedure made in response to problems identified during testing.
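A backup that has never been restored is an untested assumption. The following is an added example (not part of the handout) of what a restore drill should verify: the drill builds a small constructed directory tree, archives it with the Python standard library, restores it to a second location, and compares SHA-256 manifests of the two trees so that a dropped or silently corrupted file is reported rather than discovered during a real emergency. The file names and contents are constructed sample data.

```python
"""Backup-restore drill: prove that a restored copy matches the live data.

Added example, not from the handout. Uses only the standard library so the
drill runs offline; the sample files are constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Report files missing from, corrupted in, or unexpectedly added to the restore."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "mismatched": sorted(
            p for p in expected if p in actual and expected[p] != actual[p]
        ),
    }


def backup(source: Path, archive: Path) -> None:
    """Archive the whole source tree into a compressed tar file."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore(archive: Path, target: Path) -> None:
    """Restore the archive into target, refusing entries that escape it."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # safe filter (Python 3.12+ and backports)
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(target)


def run_restore_drill(tamper: bool = False) -> dict:
    """Create constructed sample data, back it up, restore it, and verify the result.

    With tamper=True one restored file is altered and one deleted, which shows
    that the manifest comparison catches a bad restore instead of reporting success.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, target, archive = tmp / "live", tmp / "restored", tmp / "backup.tgz"
        (source / "ledger").mkdir(parents=True)
        # Constructed sample files standing in for accounting data and configuration.
        (source / "ledger" / "gl_2024.csv").write_text("acct,debit,credit\n1000,500,0\n")
        (source / "ledger" / "ap_2024.csv").write_text("vendor,amount\nACME,120.00\n")
        (source / "config.ini").write_text("[db]\nhost=db01\n")

        expected = build_manifest(source)   # manifest taken before the backup
        backup(source, archive)
        restore(archive, target)
        if tamper:
            (target / "ledger" / "gl_2024.csv").write_text("acct,debit,credit\n1000,5000,0\n")
            (target / "config.ini").unlink()
        return compare_manifests(expected, build_manifest(target))


if __name__ == "__main__":
    print("clean restore:", run_restore_drill())
    print("tampered restore:", run_restore_drill(tamper=True))
```

The manifest is taken from the live data before the backup runs, not from the archive, so the drill also catches a backup job that skipped files. In a real drill the manifest of the production tree should be stored with the plan documentation so the comparison can be run after a restore to a cold or hot site.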
• Fifth Key: Adequate Insurance
– Organizations should acquire adequate insurance coverage to defray part or all
of the expenses associated with implementing their disaster recovery and
business continuity plans.
CHANGE MANAGEMENT CONTROL
• Organizations constantly modify their information systems to reflect new business
practices and to take advantage of advances in IT.
• Controls are needed to ensure such changes don’t negatively impact reliability.
• Existing controls related to security, confidentiality, privacy, processing integrity, and
availability should be modified to maintain their effectiveness after the change.
• Change management controls need to ensure adequate segregation of duties is
maintained in light of the modifications to the organizational structure and adoption of
new software.
• Important change management controls include:
– All change requests should be documented in a standard format that identifies:
• Nature of the change
• Reason for the change
• Date of the request
• All changes should be approved by appropriate levels of management.
– Approvals should be clearly documented to provide an audit trail.
– Management should consult with the CSO and other IT managers about impact
of the change on reliability.
• Changes should be thoroughly tested prior to implementation.
– Includes assessing effect of change on all five principles of systems reliability.
– Should occur in a separate, non-production environment.
• All documentation (program instructions, system descriptions, backup and disaster
recovery plans) should be updated to reflect authorized changes to the system.
• “Emergency” changes or deviations from policy must be documented and subjected to
a formal review and approval process as soon after implementation as practicable. All
such actions should be logged to provide an audit trail.
• When changing systems, data from old files and databases are entered into new data
structures.
• Conversion controls help ensure that the new data storage media are free of errors.
• Old and new systems should be run in parallel at least once and results compared to
identify discrepancies.
• Internal auditors should review data conversion processes for accuracy.
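Running the old and new systems in parallel only helps if the comparison is systematic. The following is an added example, not from the handout, of a conversion reconciliation an internal auditor could rerun: a constructed fixed-width legacy customer file is converted to a new record structure, and the reconciliation checks record counts, a balance control total, and every field of every record. The per-record check matters because control totals alone can be satisfied by offsetting errors. The legacy layout, the new structure and the sample data are all constructed for illustration.

```python
"""Data conversion reconciliation: parallel comparison of old and new structures.

Added example, not from the handout. The fixed-width legacy layout, the new
record format and the sample records are constructed for illustration.
"""
from decimal import Decimal

# Constructed legacy file: 5-char customer id, 18-char name, signed balance.
OLD_FLAT_FILE = """\
C0001Acme Supply Co    +0001250.50
C0002Beta Industries   +0000000.00
C0003Gamma Traders     -0000300.25
C0004Delta Services    +0009999.99
"""


def parse_old(text: str) -> dict:
    """Parse the legacy fixed-width layout into {customer_id: {name, balance}}."""
    records = {}
    for line in text.splitlines():
        cid, name, balance = line[:5], line[5:23].strip(), Decimal(line[23:].strip())
        records[cid] = {"name": name, "balance": balance}
    return records


def convert(old: dict) -> list:
    """Migrate to the new structure: explicit key field and balance in integer cents."""
    return [
        {"customer_id": cid, "name": rec["name"], "balance_cents": int(rec["balance"] * 100)}
        for cid, rec in old.items()
    ]


def reconcile(old: dict, new: list) -> dict:
    """Compare old and new data: record counts, control totals, and per-record fields."""
    new_by_id = {r["customer_id"]: r for r in new}
    old_total = sum(r["balance"] for r in old.values())
    new_total = Decimal(sum(r["balance_cents"] for r in new)) / 100
    discrepancies = []
    for cid, rec in old.items():
        target = new_by_id.get(cid)
        if target is None:
            discrepancies.append((cid, "missing in new"))
            continue
        if target["name"] != rec["name"]:
            discrepancies.append((cid, "name mismatch"))
        if target["balance_cents"] != int(rec["balance"] * 100):
            discrepancies.append((cid, "balance mismatch"))
    for cid in new_by_id.keys() - old.keys():
        discrepancies.append((cid, "unexpected in new"))
    return {
        "old_count": len(old),
        "new_count": len(new),
        "old_total": old_total,
        "new_total": new_total,
        "totals_agree": old_total == new_total,
        "discrepancies": sorted(discrepancies),
    }


if __name__ == "__main__":
    legacy = parse_old(OLD_FLAT_FILE)
    print(reconcile(legacy, convert(legacy)))
```

The test below injects three typical conversion defects (a dropped record, a lost sign, a truncated name) into the converted data and checks that each is named in the report; a reconciliation that only compared totals would report the name truncation as a clean conversion.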
• “Backout” plans should be developed for reverting to the previous configuration if the
approved changes need to be interrupted or aborted.
• User rights and privileges should be carefully monitored during the change process to
ensure proper segregation of duties.
• The most important change management control is adequate monitoring and review
by top management to ensure that the changes are consistent with the entity’s
multiyear strategic plan.
• Objective: Be sure the system continues to effectively support the organization’s
strategy.
• Steering committees are often created to perform this function.