Elements of General controls
- Organisational controls and personnel practices
- Systems developments and change controls
- Business continuity control
- Operating controls
- Access controls
Organisational controls and personnel practices
- LEVELS OF RESPONSIBILITY / STRUCTURE
Establish responsibilities -hierarchy- Delegation
Establishing reporting levels e.g. IS manager: report directly to top management
Clear (i) communication channels and (ii) documentation of responsibility - SoD
Separate IS department
Separation between IS & user dept’s
Segregation between initiation, authorisation, custody and the reporting functions
Segregation within CIS department - development and operation segregation - Staff practices
Regarding- employment, duties, leave, resignation and dismissal - Supervision and approval
Hierarchy
Constant reporting
Regular Systems checks
Organisational and personnel practices risks
- Conducting unauthorised transactions
- Collusion to commit and hide fraud
- Multiple functions performed by a single application
- Errors are not detected
- Untrustworthy or incompetent employees
Systems development
- REQUEST + AUTHORISATION
Written request from users/management
Feasibility study: consider-Users needs- Options: purchase or develop
Authorisation…multilevel
Computer Steering Committee (CSC) - PROJECT MANGEMENT & PLANNING
Project management
User needs
System specifications
Predefined standards
Preliminary system design: approval - DEVELOPMENT
Programming
Review and testing
Adjusting
Final approval - IMPLEMENTATION-
Control over conversion- personnel and hierarchy
Implementation- direct shutdow, parallel or modular/ phased
POST-IMPLEMENTATION
Reconcile
Number of transactions
VAC at given of conversion
Training- user manual
System documentation- operating manual
Program change
- Request and Authorisation
Types of system development testing
Program tests
String/series tests
System tests
Tension test
System changes controls
- Request and authorisation
Authorised request
Recorded in register/ log - Inspect the request and approve
Request from department head
Feasibility study
SoD - Design and Development
Provisional blueprint approved
Programmers- design, change version
Testing
Final written approval - Implementation
Implement
Version control- log changes and backup(must be tested)
Amendments of system documentation
Staff training
System development Risks
- Excessive costs
- Insufficient controls and non-compliance with standards
- Errors occur during the transfer of information
- System is not intuitive
ACCESS CONTROLS
Preventive controls:
1, Security management/policy
2. Physical access/controls
-Premises
-Facilities: IT – computer department
-Terminal/computer
-Other assets (physical files, doc, program)
3. Logical controls
-“Username” & “password”
-Firewalls
4. Librarian controls
Detective controls:
4. Monitoring (Logs & activity register)
5. Data communication (Librarian controls)
ACCESS CONTROLS RISKS
Damage to comp. equipment;
Unauthorised access to files & data;
Unauthorised transactions,
Users not security conscious
ACCESS CONTROLS; security management
a)
-Risk assessment
-SOD→ responsibilities
- written policy
= How info is prepared are distributed (passwords, Email: CC Vs Bcc)
= confidential clause agreement
= Breach of contract- consciouses
ACCESS CONTROLS: physical access
b) physical access control
Premises and IS Departmends-facility:
- Fences, gates and guards
- Hardware locked away in rooms
→ Guards after hours
→ Guest arrangements (temp key cards)
→ Tv-monitors (cameras)
→ Doors with key cards connected to register that is reviewed
user terminals/system:
- Access to terminal
- located in locked offices or terminal (Separated to SOD activities)
- management supervise activity of computer activity register/logbook
→ computer is safeguarded physical files, programs and docs/data
- store safely at separate place
→ lock in safe or library - file protection
→ Internal and external file label (understandable to outsiders)
→ Read only Switch
- logs and registers
→ access is approved by person in charge of file → must be review ed regular
ACCESS CONTROLS: Logical access
- Identify and authorisation of users →user ID
→ physical verification
→ key card or Fingerprint - Access table
→ User ID and password
→ least privilege principle→ rights to data, read vs write based on necessity
-Passwords
→ unique
→ frequently change
→ confidential
→ auto shutdown after inactivity
→ deny access after failed password attempts
ACCESS CONTROLS: logs and reviews and librarian controls
Library
→ procedure manual
→ Data, file and program protection= Monitoring access and processing
- monitor audit trail, reconsole logs and activity register= Signing in of personal, sensitive transitions, use of equipment
→ Review by senior personnel and additional investigation into time spent on devices Vs time they recorded
- Data Communication
→ Ensure integrity of file wall and encryption (check for malisus code)
Business continuity:
Preventive:
1. Physical
2. Non- physical
Detective and corrective:
3. Back ups
4. Disaster Recovery plan
Business continuity: physical environment
→ located away from Industrial Area, pipelines, rivers
→Constructed
= separate or middle of the building = On platform(good structure)
= fireproof walls
= Air conditioned
= Alarms and sensors → Detective
→ power supply
= cable protection
= UPS
= backup generator or alternative
→ wear and tear
=regular and scheduled maintenance
Business continuity: non physical
→ physical Security and logical access controls
→ Anti-virus protection
→ Insurance (can be corrective)
→ No-over reliance on personnel
=Trained back-up staff
= Documented roles
= staff rotation
→ Contracts/security policy
= specific
= SOD on hardware usage
=Ban on bootleg/pirated software
=signed contracts
Business continuity: back ups and data recovery plan
-Back-up Copies
→ Formalized plan
→ regularly back-ups
→ stored off-premises
→ Regularly tested
-Emergency procedures and disaster recovery plan
→ procedures
= Function
= Responsibilities
→ list of data to be recovered
→ disaster recovery plan -procedures, for facilities and equipment, software docs and data and files
= Responsibilities of staff
= Tested and practiced
Business continuity risks
risks
→water(floods)
→ Heat/fire
→ Power interruptions
→ Wear and tear
