CMA HINT Section E - Internal Controls Flashcards

(11 cards)

1
Q

The fundamental mandate of Section 302 of the Sarbanes-Oxley Act: each annual (10-K) or quarterly (10-Q) financial report filed with or submitted to the SEC under the Securities Exchange Act of 1934 must include certifications by the company’s principal executive officer(s) and principal financial officer(s), as follows:

A

The signing officer has reviewed the report.
Based on the signing officer’s knowledge, the report does not contain any untrue material statements or omit any material fact that could cause the report to be misleading.
Based on the signing officer’s knowledge, the financial statements and all the other related information in the report present fairly, in all material respects, the financial condition and results of operations of the company for all the periods presented in the report.
The signing officers certify that they (a) are responsible for establishing and maintaining internal controls; (b) have designed the internal controls to ensure that they are made aware of all material information relating to the company and all subsidiaries; (c) have evaluated the effectiveness of the company’s internal controls within the previous ninety days; and (d) have presented in the report their conclusions about the effectiveness of those controls, based on their evaluation as of the report date.
The signing officers have disclosed to the company’s auditors and the audit committee of the board of directors (a) all significant deficiencies in the design or operation of the company’s internal controls; and (b) any fraud, regardless of its materiality, that involves management or other employees who have a significant role in the company’s internal controls.
The signing officers have stated in the report whether or not there were any significant changes in internal controls or other factors that could significantly affect internal controls after the date of their evaluation and any corrective actions taken.

2
Q

A cold site

A

is a facility where space, electric power, and heating and air conditioning are available and processing equipment can be installed, though the equipment and the necessary telecommunications are not immediately available. If an organization uses a cold site, its disaster recovery plan must include arrangements to quickly get computer equipment installed and operational.

3
Q

A hot site

A

is a backup facility that has a computer system similar to the one used regularly. The hot site must be fully operational and immediately available, with all necessary telecommunications hookups for online processing. A hot site also has current, live data that is replicated to it in real-time from the live site by automated data communications.
“Recovery operations center” is another term for a hot site.
A mirrored data center is another term for a hot site. It is a fully operational secondary data center where data is backed up in real-time by automated data communications.

4
Q

Contingency planning

A

is a management activity that is essential to ensure continuity of operations when a disaster impairs information systems processing.

5
Q

Business continuity planning

A

involves defining the risks facing a company in the event of a disaster, assessing those risks, creating procedures to mitigate those risks, regularly testing those procedures to ensure that they work as expected, and periodically reviewing the procedures to make sure that they are up to date.

6
Q

In grandparent-parent-child processing

A
7
Q

Systems analysis

A

consists of organizational analysis to learn about the current system’s strengths and weaknesses, together with:
- identifying the users’ requirements for the new system;
- identifying the system requirements that will fulfill the users’ information needs;
- evaluating alternative designs using cost-benefit analysis;
- preparing a systems analysis report that documents the design of the proposed system and its specifications.

8
Q

Change control

A

is the process of strictly controlling changes to a system or program. Every change must be authorized by the appropriate personnel. Changes must not be made directly to the program in production use; they are made to a copy, tested there, and only then moved into production. All related documentation must be updated to reflect each change. Together these steps keep the impact of changes on processing and results, and the risk to the system, to a minimum.

9
Q

check digit

A

is an extra digit appended to an identification code and computed from the code’s other digits by a mathematical algorithm. The check digit is keyed in along with the code; the system re-runs the algorithm on the identification code, compares the result with the check digit that was entered, and rejects the input if they differ. This catches most keying errors, such as a mis-typed or transposed digit, before the bad code reaches processing.
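A worked check-digit routine, added here as an example and not part of the original flashcards. It uses the Luhn (mod 10) scheme, one common check-digit algorithm, to generate the digit for a code and to verify codes as keyed in; the identification codes in the demo are constructed sample values, not real account numbers.

```python
"""Check-digit generation and verification with the Luhn (mod 10) algorithm.

Added example, not part of the original flashcards. Luhn is one common
check-digit scheme; the identification codes below are constructed samples.
"""


def compute_check_digit(base: str) -> str:
    """Return the single check digit to append to the numeric code *base*."""
    if not base.isdigit():
        raise ValueError("identification code must contain digits only")
    total = 0
    # Walk the base right to left. The digit that will sit next to the check
    # digit is doubled, then every second digit after it; doubled values
    # above 9 have 9 subtracted (the same as summing their two digits).
    for position, ch in enumerate(reversed(base)):
        digit = int(ch)
        if position % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


def is_valid(code: str) -> bool:
    """True if the last character of *code* is the correct check digit."""
    if len(code) < 2 or not code.isdigit():
        return False
    return compute_check_digit(code[:-1]) == code[-1]


def classify_batch(codes) -> dict:
    """Run the check over a batch of keyed-in codes, returning {code: bool}."""
    return {code: is_valid(code) for code in codes}


if __name__ == "__main__":
    base = "7992739871"                      # constructed sample code
    good = base + compute_check_digit(base)  # "79927398713"
    keyed_in = [
        good,            # keyed correctly
        "79927398723",   # one digit mis-keyed (1 -> 2): always caught
        "79927398173",   # adjacent digits transposed (71 -> 17): caught
        "7992739871",    # check digit dropped: caught here, not guaranteed
        "12096",         # base 1209 with check digit 6 ...
        "12906",         # ... and base 1290 also gets 6: the 09/90 blind spot
    ]
    for code, ok in classify_batch(keyed_in).items():
        print(f"{code}: {'accepted' if ok else 'REJECTED'}")
```

Luhn detects every single-digit error and every adjacent transposition except 09 and 90 swapped, which the last two sample codes show: both pass. A code with a dropped or extra digit shifts the doubling pattern and is caught only by chance, so a length check should run alongside the check digit.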

10
Q

format check

A

The computer checks the characteristics of individual data fields: their character content (for example, numeric only or alphabetic only), their length, and their sign (for example, a quantity that must not be negative). A field that fails any of these tests is rejected before it is processed.
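A format check implemented over the fields of an input record, added here as an example that is not part of the original flashcards. The field rules (a hypothetical payroll record with employee ID, department code, hours and pay rate) and the two sample records are constructed for illustration; a real system would take the rules from its data dictionary.

```python
"""Format (edit) check over the fields of an input record.

Added example, not part of the original flashcards. The field rules and the
sample records are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldRule:
    name: str
    pattern: str          # allowed character content, as a full-match regex
    min_len: int
    max_len: int
    sign: str = "any"     # "any", "positive" or "non_negative"


# Hypothetical rules for a payroll transaction record.
RULES = (
    FieldRule("employee_id", r"[0-9]+", 6, 6),
    FieldRule("dept_code", r"[A-Z]+", 2, 4),
    FieldRule("hours", r"-?[0-9]+(\.[0-9]{1,2})?", 1, 6, sign="non_negative"),
    FieldRule("pay_rate", r"-?[0-9]+(\.[0-9]{1,2})?", 1, 7, sign="positive"),
)


def format_check(record: dict, rules=RULES) -> list:
    """Return a list of violations; an empty list means the record passes."""
    errors = []
    for rule in rules:
        value = record.get(rule.name)
        if value is None:
            errors.append(f"{rule.name}: missing")
            continue
        # Length check.
        if not rule.min_len <= len(value) <= rule.max_len:
            errors.append(f"{rule.name}: length {len(value)} not in "
                          f"{rule.min_len}..{rule.max_len}")
        # Character-content check; fullmatch so no stray characters slip past.
        if re.fullmatch(rule.pattern, value) is None:
            errors.append(f"{rule.name}: bad character content {value!r}")
            continue  # the sign test below needs a well-formed number
        # Sign check, only for numeric fields that declare one.
        if rule.sign != "any":
            number = float(value)
            if rule.sign == "positive" and number <= 0:
                errors.append(f"{rule.name}: must be positive, got {value}")
            elif rule.sign == "non_negative" and number < 0:
                errors.append(f"{rule.name}: must not be negative, got {value}")
    return errors


def screen_batch(records) -> tuple:
    """Split a batch into (accepted, rejected); each entry is (record, errors)."""
    accepted, rejected = [], []
    for rec in records:
        problems = format_check(rec)
        (rejected if problems else accepted).append((rec, problems))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one clean record, one with several defects
    # (letter O in a numeric ID, lower-case dept code, negative hours, zero rate).
    batch = [
        {"employee_id": "104233", "dept_code": "FIN", "hours": "38.5", "pay_rate": "42.00"},
        {"employee_id": "1O4233", "dept_code": "fin", "hours": "-8", "pay_rate": "0"},
    ]
    ok, bad = screen_batch(batch)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for rec, problems in bad:
        for p in problems:
            print("  ", p)
```

The second record is rejected on four counts, one per field: the letter O where a digit belongs passes the length test but fails character content, the department code fails content, and the hours and pay-rate fields are well formed but fail their sign rules. Reporting every violation rather than stopping at the first lets the operator correct the whole record in one pass.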

11
Q

single point of failure

A

A “single point of failure” is a single part of a system which, if it fails, makes the entire system unavailable. The term is usually applied to hardware and software, but it applies to password authentication as well.

Single sign-on (SSO) lets users log in to all of the organization’s systems (accounting, email, shipping, and so forth) with the same username and password, because every login is handled by one unified authentication server. If that server goes down, users lose access to every service, since nobody can authenticate to anything. If instead each system kept its own separate authentication, an outage of one authentication server would cut off only that system, not everything.

Single sign-on improves security because users do not have several passwords to remember; people with many passwords tend to write them down, and written-down passwords can be stolen. With one authentication system there is also only one login path to harden against attack rather than one per system. The tradeoff is a single point of failure, and that applies to compromise as well as to outages: the one credential and the one server that unlock everything need the strongest protection.
