LS 05
Computer security:
Computer security includes the policies, procedures, tools and techniques designed to protect an
organization's computer assets from accidental, intentional or natural disasters, including
accidental input or output errors, theft, break-ins, physical damage and illegal access or
manipulation.
Computer security is a complex and pervasive problem that often stumps many organizations,
which struggle to balance proper security against the cost and inconvenience of providing it. It
cannot be achieved through automation or sophisticated equipment alone; it also requires the
active participation of employees with common sense, good judgment and high moral values,
because security is ultimately the responsibility of the individual using the computer. Therefore, it is
not surprising that organizations that promote creativity, innovation, trust and high ethical
standards appear to be more successful in enforcing computer security than organizations with
stifling cultures.
Security issues:
The security issues of a computerized system can be discussed under four related headings:
Security;
Integrity;
Privacy; and
Confidentiality.
Each issue is discussed below:
Security: It can be classified as follows:
System Security: It refers to the technical innovations and procedures applied to the hardware and
operating systems to protect against deliberate or accidental damage from a defined threat.
Data Security: It refers to the protection of data from loss, unauthorized disclosure and
modification, processing errors and destruction.
Integrity: It has also two sides:
System Integrity: It refers to the proper functioning of hardware and programs, appropriate physical
security and safety against external threats.
Data Integrity: Data integrity makes sure that data do not differ from their original form and have
not been accidentally or intentionally destroyed, altered or disclosed without proper authorization.
Privacy: It defines the rights of users or the enterprise to determine what information they are
willing to share with or accept from others, and how the enterprise can be protected against
unwelcome or unfair information.
Confidentiality: This is a special status given to sensitive information in a database to minimize
the possible invasion of privacy.
Security controls:
Computer security controls are policies, procedures, tools and techniques designed to reduce
security breaches and system destruction, to prevent errors in data, software and systems, to
protect systems from accidental, intentional and natural disasters and to continually enhance
system security. In other words, security controls are safeguards or countermeasures to avoid,
counteract or minimize security risks. Controls may be manual or automated. Effective controls
provide information system security, that is, the accuracy, integrity and safety of information system
activities and resources. Effective controls also provide quality assurance for information
systems: they can make computer-based information systems more free of errors and fraud
and able to provide information products of higher quality than manual types of information
processing. The IS controls in the audit program have been grouped into four general types that
must be developed to ensure the quality and security of information systems. These are:
Physical security control;
Logical security control;
Environmental control;
IS operating control.
Physical locks: This is the first step of physical security. It is usually established using various
types of locks on the doors of rooms, including the main computer room where file servers,
gateways, routers and other telecommunication equipment are located. Types of physical lock
include conventional key locks, electronic access badges, cipher locks, combination locks and
biometric locks. Biometric locks are a fast-growing area of computer security. They are security
measures provided by computer devices that measure the physical traits that make each individual
unique, such as voice verification, fingerprints, hand geometry, signature dynamics and
keystroke analysis.
Security guards: Employing security guards is a common practice for physical control. It reduces
the chances of crime, and guards also help in monitoring the video cameras. The incident report
prepared by a security guard can be crucial evidence in a criminal prosecution and/or an employee
misconduct case.
Video surveillance cameras: Cameras are positioned in strategic locations of the organization that
afford full views of the IT systems. They act as an additional control against unauthorized activities
and also provide recorded evidence stamped with the time and date.
General emergency and detection control: In many organizations an alarm system is used for
safety and security reasons. Through this system unauthorized persons and unauthorized devices can
be detected and, at the same time, natural hazards such as fire and smoke can be reported to
management automatically at an early stage so that damage can be prevented.
Heating, ventilation and cooling system: Computers survive best in a cool, dry, dust-free
environment. HVAC systems maintain such an environment, and they should be audited periodically to
ensure that it is being maintained.
Insurance coverage: The main purpose of insurance is to spread the economic cost and the risk of
loss from an individual or business to a large number of people. This is accomplished through the
use of an insurance policy. Policies are contracts that obligate the insurer to indemnify the
policyholder or some third party against specific risks in return for the payment of a premium. Policies
usually can be obtained to cover the following resources:
Equipment;
Facilities;
Storage media;
Business interruption;
Extra expenses;
Valuable papers;
Accounts receivable;
Media transportation;
Malpractice, errors.
Periodic back-up: A good back-up policy is to back up all software, programs and data
periodically (daily, weekly, monthly) using different types of back-up media. The
back-up media must be logged and stored both on-site and at an off-site location, and provision
must be made for periodic audits to evaluate the adequacy of the physical controls.
Emergency power and uninterruptible power supply system: An emergency power system
and an uninterruptible power supply system should be designed into every information processing
facility. An emergency power system consists of a generator and the necessary hardware to
provide limited electrical power to critical operational areas within a facility. In the
event of a power loss, the emergency power system should activate automatically. A UPS system
consists of an arrangement of batteries and supporting hardware components that are configured
to provide smooth, continuous power to computer equipment. During an audit of physical security
at one information processing center, a description of the emergency power system and UPS
system was prepared and key aspects of the systems were tested.
Business resumption programs: A business resumption program (BRP) is also referred to as a disaster
recovery plan. It must include the following:
List of key contract personnel of the organization;
Identify and rank operational areas;
Brief description of the events covered by the BRP;
Concise description of the actions to be taken at that time;
Potential psychological impact of the disaster and the assistance required under the BRP.
Application program → Database management system → Operating system
Fig: Logical control
User IDs and passwords: Passwords should have a minimum length. The system should reject any
user attempt to enter a password with fewer characters than the parameter setting. For most
commercial systems, a minimum password length of eight characters is sufficient. The system
should be programmed so that the system user ID cannot be deleted and so that only certain user
IDs are allowed to sign on from a given workstation.
Remote access controls: Today more and more users require the ability to sign on
remotely using laptops, personal digital assistants (PDAs) and some kinds of cell phones. The
most common remote access controls include dedicated leased lines, automatic dial-back, secure
sockets layer (SSL) sessions, multifactor authentication and virtual private networks (VPNs). These
controls may be implemented using the following networking systems:
Dedicated leased lines;
Automatic dial-back;
Secure sockets layer;
Multifactor authentication;
Virtual Private Networks.
Dedicated leased lines: In this case telephone lines are leased to an organization for its
exclusive use, giving a dedicated line between two remote locations. Although it is more
expensive, a leased line tends to be less error-prone than a public telephone line.
Automatic dial-back: One of the easiest ways to set up a WAN is direct distance dialing (DDD). It
uses the services of the telephone department and a long-distance carrier to transmit voice
and data. Although DDD is simple and easy to use, long-distance data communication can
become expensive and error-prone. DDD is restricted to sites that are linked by the telephone
network.
Multifactor authentication:
It is the implementation of two or more controls prior to granting access to a user. Two-factor
authentication is typically applied to remote users. It requires the user first to authenticate to a
challenge-response server and then to authenticate to the network server with their network
user ID and password. To authenticate to the challenge-response server, a user must possess
a token device.
Computer operations audit: A computer operations audit assesses the internal controls that
ensure that production jobs are completed in a timely manner and production capacity is sufficient
to meet short- and long-range processing needs; output media are distributed in a timely, accurate
and secure manner; back-up and recovery procedures adequately protect data and programs
against accidental or intentional loss or destruction; and problem management procedures ensure
that system problems are documented and resolved in a timely and effective manner.
Back-up and recovery procedures: The primary controls to provide this protection are to perform
periodic (daily, weekly, monthly) backups of system software, application programs and data, as
well as storage and rotation of the back-up media, such as magnetic tapes, disks and compact
disks (CDs), to a secure off-site location. Daily backups are usually necessary only for data, since
the application programs and system software do not change significantly. Management should
ensure that tests are performed to confirm that system operations can in fact be fully restored
using the back-up media.
Integrity/completeness checks:
When large volumes of data are electronically imported from or exported to other systems, data
integrity and completeness controls can provide reasonable assurance that the recipient has
received all the data intact without any alterations or missing information. Control totals are the
most common form of integrity/completeness check. The sender provides the recipient with control
totals, such as the total number of records in the data file and the total amount of the records.
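As an added illustration (not part of the original lecture sheet), the following Python script shows a sender computing control totals for a constructed batch of records and the recipient recomputing them on import. The record count, the amount total and a hash total over record IDs are the assumed totals; the batch data and field names are made up for the example.

```python
from decimal import Decimal

# Constructed batch as it might be exported from one system to another (e.g. receivables).
SENDER_RECORDS = [
    {"id": 1001, "account": "AR-17", "amount": "250.00"},
    {"id": 1002, "account": "AR-23", "amount": "1299.50"},
    {"id": 1003, "account": "AR-08", "amount": "75.25"},
]

CHECKED_TOTALS = ("count", "amount_total", "hash_total")


def control_totals(records):
    """Totals the sender transmits alongside the file: the record count, the sum of the
    amount field (kept as a decimal string so it is exact), and a hash total, here the sum
    of record IDs, which catches a record substituted for another with the same amount."""
    return {
        "count": len(records),
        "amount_total": str(sum(Decimal(r["amount"]) for r in records)),
        "hash_total": sum(int(r["id"]) for r in records),
    }


def verify_import(received_records, expected_totals):
    """Recipient side: recompute the totals and describe every mismatch.
    An empty list means the file arrived complete and unaltered."""
    actual = control_totals(received_records)
    return [f"{key}: expected {expected_totals[key]}, got {actual[key]}"
            for key in CHECKED_TOTALS if actual[key] != expected_totals[key]]


if __name__ == "__main__":
    totals = control_totals(SENDER_RECORDS)
    print(totals, verify_import(SENDER_RECORDS, totals))
```

A dropped record changes the count, an altered amount changes the amount total, and a record swapped for a different one with the same amount is still caught by the hash total. The totals themselves must travel by a route the data file cannot alter, otherwise a tampered file could carry matching tampered totals.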
Environmental control:
Environmental controls include IS security policies, standards and guidelines, the reporting
structures within the IS processing environment, the financial condition of the service organizations
and vendors, vendors' software licenses, maintenance and support agreements and warranties, and
the status of the computing system and the policies and procedures placed in operation by the service
organization.
IS operating control:
Information system operating controls are designed to ensure that the information system is
operating efficiently and effectively. These controls include the timely and accurate completion of
production jobs, distribution of output media, performance of back-up and recovery procedures,
performance of maintenance procedures, documentation and resolution of system problems and
monitoring of central processing unit and data storage capacity utilization.
Purpose and responsibility: The purpose of the Organization’s Information Systems Security
Policy is to provide the essential guidelines for efficient electronic transaction processing and
reporting services, management information systems and appropriate customer information
capabilities for top level management to effectively operate the Organization.
System procurement and development: The computing systems of the Organization shall be
constantly monitored to identify the current and future needs. The Organization should follow the
system life-cycle evaluation steps like problem definition, requirement analysis, feasibility study,
design, development, testing, monitoring, review etc.
Access terminals: Management is authorized to install other dial-up access online terminals as
may be required in operations of the Organization.
Equipment and information security: Equipment and Information security can be further divided
into 3 categories. They are as follows:
Equipment and environmental security;
Information and communication security;
Contingency and recovery.
Service bureau programs: The Organization’s service Bureau agreements shall be drafted to
require that such bureaus retained by the Organization indicate a commitment to developing and
maintaining computer application software in such a manner that system capabilities, as specified
by the Organization, are ensured and that appropriate record-keeping checks and balances are in
place.
Information system security standards:
Information system security standards are minimum criteria, rules and procedures established by
senior management that must be implemented to help ensure the achievement of the IS security
policy. The following minimum IS security standards have been approved by senior management
and are to be applied to applicable information systems within the organization:
Upon completion of initial installation of software, the maiden password shall be changed
by the system security administrator;
A back-up system security administrator shall be designated and trained to ensure
continued operation of the system, even in the absence of the primary system security
administrator;
System security administrators shall set parameters to require passwords to be a
minimum of 8 alphanumeric, case-sensitive characters in length;
Systems shall be designed so that passwords are masked (i.e. invisible) on workstation
screens as they are entered by users;
Systems shall be designed so that password files are encrypted by a secure algorithm so
that nobody, including system security administrator, can view them;
System security administrators shall set passwords to automatically expire within 60 days
or less;
User IDs shall be suspended after three consecutive unsuccessful sign on attempts;
User sessions shall be terminated after 5 minutes of inactivity;
Users shall not be allowed concurrent sign on sessions;
System security administrators shall remove the user IDs of terminated or transferred users
immediately upon notification from the user department manager and/or the human
resources department;
Department managers shall be responsible for training users not to share or divulge their
passwords to anyone, write them down, post them at the workstation, store them in an
electronic file or perform any other act that could potentially result in their password
being divulged;
System security administrators shall request user department management to review user
access capabilities and certify in writing that the access capabilities of the users in their
department are necessary to perform normal duties;
Logical security related events shall be logged by the system and the log shall be
continuously monitored by system security administrators for potential acts of
unauthorized access;
Business resumption procedures shall be fully developed, tested and documented by
management in collaboration with system security administrator and other key staff
members;
Adequate insurance coverage shall be maintained over the hardware, Operating system,
application software and data. Hardware should be covered at replacement cost;
Vendor-developed applications acquired in the future should be contractually required to
include programming that enables these standards to be deployed upon installation;
Confidential information including passwords shall be encrypted by a secure algorithm
during electronic transmission;
System security administrators shall install software that automatically checks for viruses
using a current virus pattern file.
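To show how several of the standards above (suspension after three consecutive failures, 60-day password expiry, termination after 5 minutes of inactivity, no concurrent sessions, and logging of logical security events) fit together in one sign-on routine, here is an added Python example. It is not code from the lecture: the parameter values are taken from the standards list, while the account names, passwords and dates are constructed. The plaintext password comparison is a simplification noted in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Parameter settings taken from the standards above; an administrator would tune them.
PASSWORD_MAX_AGE = timedelta(days=60)
MAX_FAILED_ATTEMPTS = 3
SESSION_IDLE_TIMEOUT = timedelta(minutes=5)


@dataclass
class Account:
    user_id: str
    password: str                 # plaintext only for this demo; a real store keeps a salted one-way hash
    password_set_at: datetime
    failed_attempts: int = 0
    suspended: bool = False
    last_activity: Optional[datetime] = None   # set while the single permitted session is open


class SignOnControl:
    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.events = []          # logical security events, for the monitoring standard

    def _log(self, now, user_id, event, detail=""):
        self.events.append((now.isoformat(), user_id, event, detail))

    def _expire_idle_session(self, acct, now):
        if acct.last_activity and now - acct.last_activity > SESSION_IDLE_TIMEOUT:
            self._log(now, acct.user_id, "SESSION_TERMINATED", "5 minutes of inactivity")
            acct.last_activity = None

    def sign_on(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None or acct.suspended:
            self._log(now, user_id, "SIGN_ON_DENIED", "unknown or suspended user ID")
            return False
        self._expire_idle_session(acct, now)
        if acct.last_activity is not None:
            self._log(now, user_id, "SIGN_ON_DENIED", "concurrent session not allowed")
            return False
        if password != acct.password:
            acct.failed_attempts += 1
            self._log(now, user_id, "SIGN_ON_FAILED", f"consecutive failure {acct.failed_attempts}")
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.suspended = True
                self._log(now, user_id, "USER_ID_SUSPENDED", "3 consecutive unsuccessful attempts")
            return False
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            self._log(now, user_id, "SIGN_ON_DENIED", "password older than 60 days")
            return False
        acct.failed_attempts = 0          # a successful sign-on resets the counter
        acct.last_activity = now
        self._log(now, user_id, "SIGN_ON_OK")
        return True

    def activity(self, user_id, now):
        """Called on each user action; returns False if the session had already timed out."""
        acct = self.accounts[user_id]
        self._expire_idle_session(acct, now)
        if acct.last_activity is None:
            return False
        acct.last_activity = now
        return True

    def sign_off(self, user_id, now):
        self.accounts[user_id].last_activity = None
        self._log(now, user_id, "SIGN_OFF")
```

The expiry check runs only after the password has matched, so a rejected attempt does not reveal whether the account's password has expired, and the idle-timeout check runs before the concurrency check so that a stale session does not permanently lock a user out.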
System and information integrity policy and procedures: A control system that includes
information integrity increases assurance that sensitive data have neither been modified nor
deleted in an unauthorized or undetected manner. The security controls described under the
system and information integrity family provide policy and procedures for identifying, reporting and
correcting control system flaws. To this end, the organization develops, disseminates and
periodically reviews and updates a formal, documented system and control integrity policy that
addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities and compliance.
Flaw remediation: The organization centrally manages the flaw remediation process and installs
updates automatically. The organization should therefore consider the risk of employing an
automated flaw remediation process on a control system. To control flaw remediation, the
organization must identify, report and correct system flaws; test software updates related to
flaw remediation for effectiveness and potential side effects on organizational systems before
installation; and incorporate flaw remediation into the organizational configuration management
process as an emergency change.
Malicious code protection: To protect the system from malicious code, the organization should
employ malicious code protection mechanisms at system entry and exit points and at workstations,
servers and mobile computing devices on the network. It should update the malicious code protection
mechanisms whenever new releases are available, in accordance with organizational configuration
management policy and procedures.
Security alerts and advisories: The organization receives system security alerts, advisories and
directives from designated external organizations on an ongoing basis, generates internal alerts
as deemed necessary, and disseminates security alerts, advisories and directives to an
organization-defined list of personnel.
Security functionality verification: The organization verifies the correct operation of security
functions within the control system upon system startup and restart, upon command by a user with
appropriate privileges, periodically and/or at defined time periods. The control system notifies the
system administrator when anomalies are discovered.
Software and information integrity: The system monitors and detects unauthorized changes to
software and information. The organization reassesses the integrity of software and information by
scanning the system at an organization-defined frequency, and uses such scans with
extreme caution on designated high-availability systems.
Spam protection: To control unwanted spam messages, the organization should employ
spam protection mechanisms at system entry points and at workstations, servers and mobile
computing devices on the network to detect and take action on unsolicited messages transported
by electronic mail, electronic mail attachments, web accesses or other common means.
Information input accuracy, completeness, validity and authenticity: The control system
employs mechanisms to check information for accuracy, completeness, validity and authenticity.
Passwords.
Access control policy and procedures: The organization should develop, disseminate and
periodically review and update a formal, documented access control policy that addresses
purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities and compliance.
Identification and authentication policy and procedures: The organization should develop,
disseminate and periodically review and update a formal, documented identification and
authentication policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities and compliance.
Account management: The organization manages the following controls for system accounts:
Identifying account types (i.e., individual, group and system);
Establishing conditions for group membership;
Requiring appropriate approvals for requests to establish accounts.
Authorizing, establishing, activating, modifying, disabling and removing accounts.
Account review: The organization reviews and analyzes system audit records at an
organization-defined frequency for indications of inappropriate or unusual activity and reports
findings to designated organizational officials.
User identification and authentication: The system uniquely identifies and authenticates
organizational users by using the following controls:
The system employs multifactor authentication for remote access and for access to
privileged accounts;
The system employs multifactor authentication for network access and for access to
privileged accounts;
The system employs multifactor authentication for local and network access.
Device identification and authentication: The system uniquely identifies and authenticates an
organization defined list of devices before establishing a connection. The system authenticates
devices before establishing remote network connections using bi-directional authentication
between devices that is cryptographically based.
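The two-stage sign-on described under multifactor authentication above (challenge-response to a token server, then user ID and password to the network server) and the cryptographic bi-directional device authentication just described both rest on the same challenge-response step, so one added Python example covers both. It is not code from the lecture: the HMAC-SHA256 construction, the token seeds, device keys, salt and password are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed secrets for the illustration. A real token keeps its seed inside the device, and the
# network server keeps a salted password hash (preferably a purpose-built one such as bcrypt or
# argon2; salted SHA-256 is used here only to keep the example dependency-free).
TOKEN_SEEDS = {"alice": b"alice-token-seed"}
SALT = b"salt-1"
PASSWORD_HASHES = {"alice": hashlib.sha256(SALT + b"Correct-Horse-8").hexdigest()}
DEVICE_KEYS = {"plc-07": b"plc-07-key", "hmi-02": b"hmi-02-key"}   # pre-shared per device


def response(key: bytes, data: bytes) -> str:
    """What a token or device computes when challenged: HMAC-SHA256 over the challenge data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Stage 1 of the two-factor sign-on: the user proves possession of the token device."""

    def __init__(self, seeds):
        self.seeds = seeds
        self.pending = {}

    def issue_challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh per attempt, so a recorded response cannot be replayed
        self.pending[user_id] = nonce
        return nonce

    def verify(self, user_id: str, token_response: str) -> bool:
        nonce = self.pending.pop(user_id, None)   # each challenge is usable once
        if nonce is None or user_id not in self.seeds:
            return False
        return hmac.compare_digest(response(self.seeds[user_id], nonce), token_response)


def network_sign_on(user_id: str, password: str) -> bool:
    """Stage 2: network user ID and password checked against the hashed password store."""
    digest = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(PASSWORD_HASHES.get(user_id, ""), digest)


def two_factor_login(user_id: str, token_seed: bytes, password: str) -> str:
    """The remote user's full sequence; `token_seed` stands in for the physical token."""
    server = ChallengeResponseServer(TOKEN_SEEDS)
    challenge = server.issue_challenge(user_id)
    if not server.verify(user_id, response(token_seed, challenge)):
        return "rejected: token"
    if not network_sign_on(user_id, password):
        return "rejected: password"
    return "access granted"


class Device:
    """A network device holding its own key and the keys it expects its peers to hold."""

    def __init__(self, name: str, key: bytes, peer_keys: dict):
        self.name, self.key, self.peer_keys = name, key, peer_keys

    def prove(self, nonce: bytes) -> str:
        # The prover's own name is bound into the MAC, so a reply cannot be reflected back
        # as proof of some other identity.
        return response(self.key, self.name.encode() + nonce)

    def check(self, peer_name: str, nonce: bytes, proof: str) -> bool:
        key = self.peer_keys.get(peer_name)
        return key is not None and hmac.compare_digest(response(key, peer_name.encode() + nonce), proof)


def mutual_device_auth(a: Device, b: Device) -> bool:
    """Bi-directional authentication before a remote connection: each side challenges the other."""
    nonce_a = secrets.token_bytes(16)
    if not a.check(b.name, nonce_a, b.prove(nonce_a)):   # a challenges b
        return False
    nonce_b = secrets.token_bytes(16)
    return b.check(a.name, nonce_b, a.prove(nonce_b))    # b challenges a
```

Two details carry the security of the exchange: every challenge is a fresh random nonce consumed on first use, so a captured response is worthless afterwards, and all comparisons go through hmac.compare_digest so timing does not leak how much of a response was correct.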
Password: A password is the key to an electronic account at the office. Selecting a good password is
the single most important thing a user can do to protect the security of an electronic account. The
organization develops and enforces policies and procedures for control system users concerning
the generation and use of passwords.
- all other characters (control characters).
Must not appear to be systematic ("abcdef" will be rejected);
Must not be based on anything in the user password file entry (name, login name, user id
etc.);
Must not be based on a dictionary word or a reversed dictionary word. A complete word as
a substring will cause the user password to be rejected.
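The following is an added Python password checker implementing the rules above (systematic sequences, anything derived from the user's own password-file entry, and dictionary words forwards or reversed as substrings), together with the eight-character minimum from the standards list. It is not the lecture's code: the word list and user details are constructed, and the four-character run length used to decide "systematic" is an assumption.

```python
import re

MIN_LENGTH = 8
# Constructed miniature word list; a real check uses a full dictionary file.
DICTIONARY = {"password", "secret", "welcome", "office", "dragon", "letmein", "summer"}


def is_systematic(pw: str, run: int = 4) -> bool:
    """True for runs such as "abcdef", "1234", "zyxw" or "aaaa": any window of `run`
    characters whose code points all step by the same amount in {-1, 0, +1}."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps <= {-1, 0, 1}:
            return True
    return False


def contains_dictionary_word(pw: str, words=DICTIONARY, min_len: int = 4) -> bool:
    """A complete word, forwards or reversed, anywhere inside the password."""
    low = pw.lower()
    return any(len(w) >= min_len and (w in low or w[::-1] in low) for w in words)


def based_on_user_entry(pw: str, full_name: str, login: str, uid: int) -> bool:
    """Rejects passwords built from fields of the user's own password-file entry."""
    low = pw.lower()
    parts = [p for p in re.split(r"\W+", full_name.lower()) if len(p) >= 3]
    parts += [login.lower(), str(uid)]
    return any(p in low or p[::-1] in low for p in parts)


def validate_password(pw: str, full_name: str, login: str, uid: int) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"fewer than {MIN_LENGTH} characters")
    if is_systematic(pw):
        reasons.append("systematic sequence")
    if based_on_user_entry(pw, full_name, login, uid):
        reasons.append("based on the user's password-file entry")
    if contains_dictionary_word(pw):
        reasons.append("contains a dictionary word (or its reverse)")
    return reasons


if __name__ == "__main__":
    for candidate in ("Zq7!mXp2rT", "abcdef12", "Alice2024", "Password9", "drowssap1", "Sh0rt"):
        print(candidate, validate_password(candidate, "Alice Smith", "asmith", 1042))
```

Returning every violated rule rather than the first one lets the system tell the user exactly why a choice was rejected, which is what the "will be rejected" wording above implies.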
Importance of IS audit:
Information systems are the lifeblood of any large business. Information systems not only record
business transactions but actually drive the key business processes of the enterprise. The purpose
of IS audit is to review and provide feedback, assurances and suggestions. IS audit is important
in order:
to ensure the availability of information for the business at all times when required;
to ensure the system is well protected against all types of losses and disasters;
to establish the confidentiality of the system;
to check whether the system is always accurate, reliable and timely;
to ensure that no unauthorized modification can be made to the data or the software in the
system.
IS audit standard:
An IS audit standard gives audit professionals a clear idea of the minimum level of acceptable
performance essential to discharge their responsibilities effectively. It sets out the audit objectives in a
computer information system (CIS) environment and elaborates on the following:
The auditor's responsibility in gaining sufficient understanding of and assurance on the
adequacy of the accounting and internal controls that protect against the inherent and control
risks in a CIS, and the resulting considerations to be taken while designing audit
procedures;
The potential impact of auditing in a CIS on the assessment of control & audit risks;
The auditor is required to determine the following factors to determine the effect of CIS
environment on the audit arising from:
The extent to which the CIS is used for recording, compiling & analyzing
accounting information.
The system of internal controls relating to the authorized, complete, accurate &
valid processing & reporting procedures.
The impact of CIS accounting system on the audit trail.
The standard also requires the auditor to have sufficient knowledge of the CIS and possess
appropriate specialized skills to enable him to plan, direct, supervise, control and review the
work performed.
Elements of IS audit:
An information system is not just a computer. Today's information systems are complex and have
many components that piece together to make a business solution. Assurance about an
information system can be obtained only if all the components are evaluated and secured. The
proverbial weakest link determines the total strength of the chain. The major elements of IS audit can be
broadly classified as follows:
Physical and environmental review: This includes physical security, power supply and
conditioning, humidity control and other environmental factors;
System administration review: This includes a security review of the operating systems and database
management systems, all system administration procedures and compliance;
Application software review: The business application could be payroll, invoicing, a web-based
customer order processing system or an enterprise resource planning system that actually runs the
business. Review of such application software includes access control and authorizations,
validations, error and exception handling, business process flows within the application software
and complementary manual controls and procedures. Additionally, a review of the system
development life cycle should be completed.
Network security review: Review of internal and external connections to the system, perimeter
security, firewall review, router access control lists, port scanning and intrusion detection are some
typical areas of coverage.
Business continuity review: This includes the existence and maintenance of fault-tolerant and
redundant hardware, backup procedures and storage, and a documented and tested disaster
recovery/business continuity plan.
Data integrity review: The purpose of this review is the scrutiny of live data to verify the adequacy of
controls and the impact of weaknesses noticed in any of the above reviews. Such substantive testing
can be done using generalized audit software (e.g., computer-assisted audit techniques).
A computer audit examines system records and activities to determine the system's security and
any security breaches. It covers the following areas:
Audit and accountability policy and procedures;
Auditable events;
Content of audit records;
Audit storage capacity;
Response to audit processing failure;
Audit monitoring, analysis and reporting;
Time stamps;
Protection of audit information;
Audit generation.
Audit and accountability policy and procedures: The Organization develops, disseminates and
periodically updates a formal, documented, audit and accountability policy that addresses purpose,
scope, roles, responsibilities, management commitment, coordination among organizational
entities and compliance.
Auditable events: The organization determines, based on a risk assessment in conjunction with
mission/business needs, which system-related events require auditing; ensures that the list of
auditable events is adequate to support after-the-fact investigations of security incidents; and
includes the execution of privileged functions in the list of events to be audited by the system.
Content of audit records: The system produces audit records that contain sufficient information
to establish what events occurred, when and where the events occurred, the sources of the events
and the outcomes of the events.
Audit storage capacity: The organization allocates sufficient audit record storage capacity and
configures auditing to reduce the likelihood of such capacity being exceeded.
Response to audit processing failure: The system provides a warning when the allocated audit
record storage volume reaches an organization-defined percentage of the maximum audit record
storage capacity.
Audit monitoring, analysis and reporting: The system reviews and analyzes system audit records
at an organization-defined frequency for indications of inappropriate or unusual activity and reports
findings to designated organizational officials. The organization analyzes and correlates audit
records across different repositories to gain organization-wide situational awareness.
Time stamps: The system uses internal system clocks to generate time stamps for audit records
and synchronizes the internal system clocks at an organization-defined frequency.
Protection of audit information: The control system protects audit information and audit rules from
unauthorized access, modification and deletion.
Audit generation: The system provides an audit record generation capability for the auditable
events, allows authorized users to select which auditable events are to be audited by specific
components of the system, and generates audit records for the selected list of auditable events.
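To make the audit controls in this section concrete, here is one added Python example (not from the original notes) covering record content, the storage-capacity warning, a single clock for time stamps, protection of audit information and the review for unusual activity. The capacity (4000 bytes), warning percentage (50%), clock behaviour, event names, user names and IP addresses are all constructed for the demonstration, and the hash chain used for protection is one common technique rather than something the lecture specifies.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

AUDIT_CAPACITY_BYTES = 4000     # constructed tiny capacity so the demo reaches the threshold
WARN_AT_PERCENT = 50            # the organization-defined percentage
REQUIRED_FIELDS = ("what", "when", "where", "source", "outcome")
GENESIS = "0" * 64


class AuditTrail:
    """Audit record generation with the content, capacity, time-stamp and protection controls."""

    def __init__(self, clock):
        self.clock = clock          # one system clock for every time stamp
        self.records = []
        self.warnings = []
        self.used_bytes = 0
        self.last_hash = GENESIS

    def record(self, what, where, source, outcome, **extra):
        rec = {"what": what, "when": self.clock().isoformat(), "where": where,
               "source": source, "outcome": outcome, "prev": self.last_hash, **extra}
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            raise ValueError(f"audit record incomplete: {missing}")
        line = json.dumps(rec, sort_keys=True)
        if self.used_bytes + len(line) > AUDIT_CAPACITY_BYTES:
            raise RuntimeError("audit storage capacity exceeded")
        self.used_bytes += len(line)
        self.records.append(rec)
        self.last_hash = hashlib.sha256(line.encode()).hexdigest()   # chains the next record to this one
        pct = 100 * self.used_bytes // AUDIT_CAPACITY_BYTES
        if pct >= WARN_AT_PERCENT and not self.warnings:
            self.warnings.append(f"audit storage at {pct}% of capacity")
        return rec


def verify_chain(records) -> bool:
    """Protection check: any edited, inserted or deleted record breaks the hash chain."""
    prev = GENESIS
    for rec in records:
        if rec.get("prev") != prev:
            return False
        prev = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return True


def find_unusual_activity(records, window=timedelta(minutes=5), threshold=3):
    """Review step: sources with `threshold` or more failed sign-ons inside `window`."""
    failures = {}
    for rec in records:
        if rec["what"] == "SIGN_ON" and rec["outcome"] == "FAILURE":
            failures.setdefault(rec["source"], []).append(datetime.fromisoformat(rec["when"]))
    flagged = []
    for source, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(source)
    return sorted(flagged)


def demo() -> AuditTrail:
    """Constructed day: one privileged action, a burst of failures from one address, normal traffic."""
    t = [datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)]

    def clock():                    # constructed clock: advances 30 s per event
        t[0] += timedelta(seconds=30)
        return t[0]

    trail = AuditTrail(clock)
    trail.record("PRIVILEGED_FUNCTION", "app-server-1", "admin-ws", "SUCCESS", user="root", action="adduser")
    for _ in range(4):
        trail.record("SIGN_ON", "app-server-1", "10.0.0.5", "FAILURE", user="bob")
    trail.record("SIGN_ON", "app-server-1", "10.0.0.9", "FAILURE", user="carol")
    trail.record("SIGN_ON", "app-server-1", "10.0.0.9", "SUCCESS", user="carol")
    for _ in range(5):
        trail.record("FILE_READ", "file-server", "10.0.0.21", "SUCCESS", user="dave")
    return trail


if __name__ == "__main__":
    trail = demo()
    print(find_unusual_activity(trail.records), trail.warnings, verify_chain(trail.records))
```

Raising on a full store is the strictest of the possible responses; an organization may instead choose to overwrite the oldest records or fail over to secondary storage, but whichever it picks must be a deliberate policy decision rather than silent loss of records.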
System installation: An implementation plan should be documented, communicated and
approved.
System testing: A test plan/methodology should exist for managing and monitoring the testing
effort to provide reasonable assurance that the system functionality is fully tested.
Documentation: Documentation is one of the most important tools for control. System
documentation should include the following:
System descriptions: System descriptions provide narrative explanations of operating
environments and the interrelated input, processing and output functions of integrated application
systems.
System documentation: System documentation includes system flowcharts and models that
identify the source and type of input information, processing and control actions and the nature
and location of output information.
System file layouts: System file layouts describe collections of related records generated by
individual processing applications.
Training: Personnel training is important for the successful implementation of an information system
because through it the organization's employees can cope with the new system. Without
knowing the full process of the system, a person cannot handle all the functionalities of the
information system. To understand the implemented information system properly, employees
must be oriented to the new system through training. Training is necessary for both system
operators and users. The types of training they require are as follows:
System maintenance policy and procedures: A system maintenance policy is a formal,
documented, control system maintenance policy that addresses purpose, scope, roles,
responsibility, management commitment, coordination among organizational entities and
compliance. The organization ensures the control system maintenance policy and procedures are
consistent with applicable laws, directives, policies, regulations, standards and guidance and it
should be included as part of the general information security policy for the organization. System
maintenance procedures should be developed for the security program in general and for a
particular control system when required.
Legacy system upgrades: The organization develops policies and procedures to upgrade
existing legacy control systems to include security mitigating measures commensurate with the
organization’s risk tolerance and the risk to the system and processes controlled.
System monitoring and evaluation: The organization conducts periodic security vulnerability
assessments according to the risk management plan; the control system is monitored and
evaluated periodically to identify vulnerabilities or conditions that might affect its security.
Back-up and recovery: The organization makes and secures backups of critical system software,
applications and data for use if the control system operating system software becomes corrupted
or destroyed.
Periodic system maintenance: The organization schedules, performs, documents and reviews
records of maintenance and repairs on system components in accordance with manufacturer or
vendor specifications and/or organizational requirements. After any maintenance or repair action
it verifies that the controls are still functioning properly.
Risks to IT systems:
IT risk assessment:
Before an organization commits resources to controls, it must know which assets require
protection and the extent to which these assets are vulnerable. A risk assessment helps answer
these questions and also helps the firm determine the most cost-effective set of controls for
protecting assets. A risk assessment determines the level of risk to the firm if a specific activity or
process is not properly controlled. Business managers working with information systems
specialists can determine the value of information assets, points of vulnerability, the likely
frequency of a problem and the potential for damage.
One problem with risk assessment and other methods for quantifying security costs and benefits is
that organizations do not always know the precise probability of threats occurring to their
information systems, and they may not be able to quantify the impact of such events accurately.
Nevertheless, some effort to anticipate, budget for and control direct and indirect security costs
is still worthwhile and will be appreciated by management.
The end product of risk assessment is a plan to minimize overall cost and maximize defenses. To
decide which controls to use, information systems builders must examine various control
techniques in relation to each other and to their relative cost-effectiveness. A control weakness at
one point may be offset by a strong control at another. It may not be cost-effective to build tight
controls at every point in the processing cycle if the areas of greatest risk are secure or if
compensating controls exist elsewhere. The combination of all of the controls developed for a
particular application determines the application's overall level of control. The areas to be
focused upon are:
1. Prioritization;
2. Identifying critical applications;
3. Assessing their impact on the organization;
4. Determining the recovery time-frame;
5. Assessing insurance coverage.
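The assessment described above, worked through in code as an added example that is not part of the notes: expected annual loss from asset value, likely frequency and potential damage, prioritization of points of vulnerability, and selection of only those controls that are cost-effective. All asset values, frequencies, damage fractions and control costs are constructed sample figures.

```python
"""Added example (not from the notes): a small quantitative risk assessment.
All figures below are constructed sample data, not real estimates."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    point: str           # point of vulnerability, e.g. an input step
    asset_value: float   # value of the information asset (currency units)
    frequency: float     # likely occurrences per year if left uncontrolled
    damage: float        # fraction of the asset value lost per occurrence
    def expected_loss(self) -> float:
        """Expected annual loss = frequency x potential damage per event."""
        return self.frequency * self.damage * self.asset_value

@dataclass(frozen=True)
class Control:
    name: str
    point: str           # the point of vulnerability it protects
    annual_cost: float
    reduction: float     # fraction of the expected loss it prevents (0..1)

def prioritize(risks):
    """Prioritization: points of vulnerability, largest expected loss first."""
    return [r.point for r in sorted(risks, key=Risk.expected_loss, reverse=True)]

def select_controls(risks, controls):
    """For each point, keep the control with the greatest net benefit
    (loss avoided minus cost); a control that costs more than the loss it
    prevents is not cost-effective and the point is left without one."""
    chosen = {}
    for risk in risks:
        best, best_net = None, 0.0
        for c in (c for c in controls if c.point == risk.point):
            net = risk.expected_loss() * c.reduction - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        chosen[risk.point] = best.name if best else None
    return chosen

# Constructed sample: a payroll input step and an archive of old reports.
SAMPLE_RISKS = [
    Risk("payroll input", 500_000, 0.5, 0.2),      # expected loss 50,000/year
    Risk("report archive", 20_000, 0.1, 1.0),      # expected loss 2,000/year
]
SAMPLE_CONTROLS = [
    Control("dual authorization", "payroll input", 8_000, 0.6),
    Control("input edit checks", "payroll input", 15_000, 0.9),
    Control("encrypted offsite archive", "report archive", 5_000, 0.95),
]
```

Calling select_controls(SAMPLE_RISKS, SAMPLE_CONTROLS) keeps the edit checks for payroll input and leaves the low-value archive uncontrolled, since the only candidate control there costs more than the loss it would avoid.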
What is a computer virus? What precautions can a business take to circumvent viruses?
Viruses are a form of high-tech malice and a cause of destruction of data and software. One of the
most destructive examples of computer crime involves the creation of computer viruses. Virus is
the more popular term, but technically a virus is program code that cannot work without being
inserted into another program. These programs copy annoying or destructive routines into the
networked computer systems of anyone who accesses computers infected with the virus or who
uses copies of magnetic disks taken from infected computers. Thus, a computer virus can spread
destruction among many users. Though they sometimes display only humorous messages, they more
often destroy the contents of memory, hard disks and other storage devices. Copy routines in the
virus or worm spread the virus and destroy the data and software of many computer users. In a
word, a computer virus is a rogue software program that attaches itself to other software programs
or data files in order to be executed, usually without the user's knowledge or permission.
When a virus-infected program is run, the virus, which has modified its host, is able to replicate
itself. Some viruses are merely annoying, such as one that causes a small dot to wander randomly
across the screen; others delete data. There are many virus detection packages on the market
today. These can be used to detect, control or remove viruses from the computer system. With the
increasing use of intranets and extranets in business, computer viruses pose a growing security
problem: data security, system security, integrity, privacy and confidentiality are all seriously
affected. In this situation, to safeguard computer systems from virus infection, the following
precautions should be taken:
Install virus detection, control and removal programs on the computer system;
Use only licensed and authorized programs. Avoid pirated programs;
Screen all disks with anti-virus programs and minimize disk swapping into the system;
The anti-virus system should be active during use of a network or the Internet;
Update the anti-virus system with the latest available version;
Maintain backup copies of important and critical data files and programs to safeguard against
a disaster; etc.
Hacking:
Hacking remains the most common form of cyber crime and it continues to grow in popularity. A
hacker is someone who uses a computer and a network or Internet connection to intrude into
another computer or system to perform an illegal act. This may amount to simple trespassing or
to acts that corrupt, destroy or change data.
In another form, hacking can be the basis for a Distributed Denial of Service (DDoS) attack, in
which a hacker hides malicious code on the PCs of many unsuspecting victims. This code may
enable the hacker to take over the infected PCs or simply use them to send requests to a Web
server. Successful DDoS attacks can cost targeted companies millions of dollars. The extent of
the problem is not known simply because it is so widespread. PricewaterhouseCoopers estimates
that viruses and hacking alone cost the world economy upwards of $1.6 trillion in 2003.
At one time, a hacker was just a person who understood computers well; however, hacking now
refers to criminal or antisocial activity. Today, hackers’ activities are usually categorized by their
intent:
Recreation attacks;
Business or financial attacks;
Intelligence attacks;
Grudge and military attacks;
Terrorist attacks.
Other than posing an invasion of privacy, recreational hacking is relatively harmless. In most
cases, recreational hackers just attempt to prove their abilities without doing any damage. In
business, financial or intelligence attacks, however, hackers often engage in data diddling, that
is, forging or changing records for personal gain, or attempt to copy data from the penetrated
system.
Grudge attacks are carried out by hackers with a grievance against an individual or organization
and such attacks are frequently destructive. The harm from terrorist attacks could be catastrophic.
The industrial world is highly dependent on its computers and there is evidence that this type of
attack may be the tool of future war.
Controls for personal systems:
An effective control system provides reasonable, but not absolute, assurance of the safeguarding
of assets, the reliability of financial information and compliance with laws and regulations. The
degree of control employed is a matter of good business judgment. There are two categories of
control over personal systems that ensure processing integrity, security and the safeguarding of
IT resources:
General controls;
Application controls
General controls: General controls form the foundation of the IT control structure. They help to
ensure the reliability of data generated by IT systems and support the assertion that systems
operate as intended and that output is reliable. General controls include:
Access security, data & program security, physical security;
Software development & program change controls;
Data center operations;
Disaster recovery.
Application controls: Application or program controls ensure the complete and accurate
processing of data from input through output. These controls vary with the business purpose of
the specific application. Applications are the programs and processes, including manual
processes, that enable us to conduct essential activities:
Buying products;
Paying people;
Accounting for research costs;
Forecasting and monitoring budgets.
Application controls apply to application systems and include input controls (e.g., edit checks),
processing controls (e.g., record counts) and output controls (e.g., error listings); they are
specific to individual applications. Application controls include:
Input controls;
Authorization;
Validation;
Error notification and correction;
Processing controls;
Output controls.
They consist of the mechanisms in place over each separate system that ensures that authorized
data is completely and accurately processed.
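The three kinds of application control named above (edit checks on input, a record count and control total during processing, and an error listing on output) applied to a batch of accounting entries, as an added example that is not part of the notes. The batch layout, the authorized account codes and the amounts are constructed for illustration.

```python
"""Added example (not from the notes): input, processing and output
controls applied to a constructed batch of journal lines. The batch
layout, account codes and amounts are made up for illustration."""
from datetime import date

AUTHORIZED_ACCOUNTS = {"1000", "2000", "5100"}   # constructed chart of accounts

def edit_check(rec):
    """Input control: return the edit-check failures for one record."""
    errors = []
    if rec.get("account") not in AUTHORIZED_ACCOUNTS:
        errors.append("unauthorized account code")
    try:
        if float(rec.get("amount", "")) <= 0:
            errors.append("amount must be positive")
    except ValueError:
        errors.append("amount is not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("invalid date")
    return errors

def process_batch(header, records):
    """Processing control: the record count and control total must agree
    with the batch header. Output control: every rejection is returned as
    an error listing entry (record number, message); 0 = batch level."""
    listing = [(i, e) for i, r in enumerate(records, 1) for e in edit_check(r)]
    if len(records) != header["record_count"]:
        listing.append((0, "record count mismatch"))
    total = 0.0
    for r in records:
        try:
            total += float(r.get("amount", ""))
        except ValueError:
            pass                      # already reported by the edit check
    if abs(total - header["control_total"]) >= 0.005:
        listing.append((0, "control total mismatch"))
    # Nothing is posted unless the whole batch passes every control.
    return {"accepted": not listing, "posted": 0 if listing else len(records),
            "error_listing": listing}

# Constructed sample batch: two valid lines and one that fails every edit check.
SAMPLE_HEADER = {"record_count": 3, "control_total": 1250.00}
SAMPLE_RECORDS = [
    {"account": "1000", "amount": "1000.00", "date": "2024-03-01"},
    {"account": "5100", "amount": "250.00", "date": "2024-03-01"},
    {"account": "9999", "amount": "abc", "date": "2024-13-01"},
]
```

Running process_batch(SAMPLE_HEADER, SAMPLE_RECORDS) rejects the whole batch and lists the three failures of record 3; resubmitting only the two valid lines with a matching header posts both.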
What are the possible categories of risk when the company starts to use the customized
accounting software? What measures can you take to counter the risk?
The possible categories of risk when the multinational company starts to use the customized
accounting software are as follows:
Customization: Without proper customization, the accounting system cannot bring better results
for the organization. Customization covers financial reports, input screens, forms, source code, etc.
Proper documentation: Proper documentation of the system is very important; otherwise, future
improvement of the system is under threat.
Training: Before implementing a new system, training is important to familiarize the employees
with the system, which ensures its accurate and optimum use.
Vendor reliability: To ensure a good accounting system, users must rely on continued support from
the vendor. For this reason, the vendor should be reliable and available when needed.
Environment: The organizational environment is a great risk factor, because without a proper
environment for the accounting system it is very difficult to implement and run it.
Security issue: System security, which ensures data integrity, privacy and confidentiality, is a big
risk factor for an accounting system.
Proper maintenance: Maintenance of the system is another risk. Minor modifications to the system,
to optimize performance, improve its usability or accommodate small changes in the environment,
will have to be made from time to time while the system is operational.
The measures that can be taken to counter these risks are:
Employee training must be provided and a suitable work environment created;
The system should be developed by a reliable vendor;
Proper security measures must be ensured;
Provision for continuous maintenance by experts should be made.
Ethics in business:
Ethics in business means the principles of right and wrong that businesses and users, acting as
free moral agents, can use to make choices that guide their behavior. Organizations must provide
employees with clear guidelines for conduct and encourage them to uphold high ethical standards
in their everyday business practice. There are three sources against which ethical behavior can
be assessed:
the law and regulations that specify codes of conduct;
the explicit ethical guidelines established by an organization; and
the ethical and moral code of conduct of an individual.
The end