0Chapter – 3 Protection of Information Systems
We shall study Managerial and Application Controls in detail now.
Managerial Controls and their Categories.
The managerial controls must be performed to ensure the development, implementation, operation and maintenance of information systems in a planned and controlled manner.
1) Top Management and Information Systems Management Controls
The major functions that a senior manager must perform are as follows:
(a) Planning:- It includes determining the goals of the IS function and the means of achieving these goals.
• Preparing the Plan:- Recognizing opportunities and problems that confront the organization in which Information technology and Information systems can be applied cost effectively; Identifying the resources needed to provide the required information technology and information systems and Formulating strategies and tactics for acquiring the needed resources.
• Types of Plan:- Strategic Plan: The Strategic Plan is the long-run plan covering, say, the next three to five years of operations.
Operation Plan:- It is the short-plan covering, say, next one to three years of operations.
• Role of Steering Committee: o The steering committee shall comprise of representatives from all areas of the business, and IT personnel. The committee would be responsible for the overall direction of IT. The ultimate responsibility for information systems planning should be vested in an information systems steering committee. The steering committee should assume overall responsibility for the activities of the information systems function.
(b) Organizing:- There should be a prescribed IT organizational structure with documented roles and responsibilities and agreed job descriptions. This includes gathering, allocating and coordinating the resources needed to accomplish the goals that are established during planning function.
• Resourcing the Information Systems Function:- A major responsibility of top management is to acquire the resources needed to accomplish the goals and objectives set out in the information systems plan. These resources include hardware, software, personnel, finances and facilities. Adequate funding should be provided to support the acquisition and development of resources when and where they are needed. Further, Auditors should question whether top managers have a good understanding of the role the information systems function should play in their organization.
• Staffing the Information Systems Function:- Staffing the Information systems function involves three major activities - Acquisition of information systems personnel, Development of information systems personnel and Termination of information systems personnel.
(c) Leading:- This includes motivating, guiding, and communicating with personnel. The purpose is to achieve the harmony of objectives, i.e., a person’s or group’s objectives must not conflict with the organization’s objectives. The process of leading requires managers to motivate subordinates, direct them and communicate with them.
• Motivating and Leading Information Systems Personnel:- Though many theories exist, however there is no one best way of motivating and guiding all people and thus the strategies for motivating/leading people need to change depending upon particular characteristics of an individual person and his/her environment.
• Communicating with IS Personnel:- Effective communications are also essential to promoting good relationships and a sense of trust among work colleagues. For example - Due to failure in understanding the directions given by the top management, a serious error is made in the system design; the effect of which is for long-term.
(d) Controlling:- It includes comparison of actual performance with planned performance for taking corrective actions, if needed.
• Overall Control of IS function:- When top managers seek to exercise overall control of the information systems function, two questions arise:-
How much the organization should be spending on the information systems function? Is the organization getting value for the money from its information systems function?
• Control of Information System Activities:- Top managers should seek to control the activities on the basis of Policies and Procedures; where Policies provide broad, general guidelines for behavior whereas Standards provide specific guidelines for behavior. New and existing staff must be made aware of the policies and procedures that govern their work.
• Control over Information System Services:- For each service level, estimates must be made of the expected benefits and resource consumption and finally the review committee must establish priorities.
2) Systems Development Management Controls
3) Programming Management Controls:- The primary objectives of this phase are to produce or acquire and to implement highquality programs. The purpose of the control phase during software development or acquisition is to monitor progress against plan and to ensure software released for production use is authentic, accurate, and complete.
The program development life cycle comprises six major phases as follows:-
• Planning:- Techniques like Work Breakdown Structures (WBS), PERT (Program Evaluation and Review Technique) Charts can be used to monitor progress against plan.
• Control:- The Control phase has two major purposes:- o Task progress in various software life-cycle phases should be monitored against plan and corrective action should be taken in case of any deviations. o Control over software development, acquisition, and implantation tasks should be exercised to ensure software released for production use is authentic, accurate, and complete.
• Design:- A systematic approach to program design, such as the structured design or object oriented design is adopted.
• Coding:- Programmers must choose a module implementation and integration strategy (like Top-down, bottom-up and Threads approach), a coding strategy (that follows the percepts of structured programming), and a documentation strategy (to ensure program code is easily readable and understandable).
• Testing:- Three types of testing can be undertaken: Unit Testing: which focuses on individual program modules; Integration Testing: Which focuses in groups of program modules; and Whole-of-Program Testing: which focuses on whole program.
These tests are to ensure that a developed or acquired program achieves its specified requirements.
• Operation and Maintenance:- Management establishes formal mechanisms to monitor the status of operational programs so maintenance needs can be identified on a timely basis. Three types of maintenance can be used: a) Repair Maintenance: in which program errors are corrected; b) Adaptive Maintenance:- in which the program is modified to meet changing user requirements; and c) Perfective Maintenance:- In which the program is tuned to decrease the resource consumption.
4) Data Resource Management Controls:
Data is a critical resource that must be managed properly and therefore, centralized planning and control are implemented. For data to be managed better, users must be able to share data, data must be available to users at the time, in the location and in the form as needed. Further, it must be possible to modify data easily and the integrity of the data must be preserved. The consequences if the data is compromised or destroyed are serious and therefore, careful control should be exercised over the roles by appointing trustworthy persons, separating duties to the extent possible and maintaining and monitoring activity logs.
The control activities involved in maintaining the integrity of the database is as under:
(a) Definition Controls: These controls are placed to ensure that the database always corresponds and comply with its definition standards.
(b) Existence/Backup Controls: These ensure the existence of the database by establishing backup and recovery procedures. Backup refers to making copies of the data so that these additional copies may be used to restore the original data after a data loss. Backup controls ensure the availability of system in the event of data loss due to unauthorized access, equipment failure or physical disaster; the organisation can retrieve its files and databases.
Various backup strategies are given as follows:-
• Dual recording of data:- Under this strategy, two complete copies of the database are maintained. The databases are concurrently updated. • Periodic dumping of data:- This strategy involves taking a periodic dump of all or part of the database by copying it onto some backup storage medium – magnetic tape, removable disk, and optical disk. The dump may be scheduled. • Logging input transactions:- This involves logging the input data transactions which cause changes to the database. Normally, this works in conjunction with a periodic dump. • Logging changes to the data:- This involves copying a record each time it is changed by an update action.
(c) Access Controls:- They are designed to prevent unauthorized individual from viewing, retrieving, destroying the entity's data. Controls are established in the following manner:-
User Access Controls through passwords, tokens and biometric Controls; and o Data Encryption: Keeping the data in database in encrypted form.
(d) Update Controls:- These controls restrict update of the database to authorized users in two ways:
1). By permitting only addition of data to the database; and 2). Allowing users to change or delete existing data.
(e) Concurrency Controls:- These controls provide solutions, agreed-upon schedules and strategies to overcome the data integrity problems that may arise when two update processes access the same data item at the same time.
(f) Quality Controls:- These controls ensure the accuracy, completeness, and consistency of data maintained in the database. This may include traditional measures such as program validation of input data and batch controls over data in transit through the organization.
5) Quality Assurance Management Controls:-
Quality Assurance management is concerned with ensuring that the –
• Information systems produced by the information systems function achieve certain quality goals; and • Development, implementation, operation and maintenance of Information systems comply with a set of quality standards.
The reasons for the emergence of Quality assurance in many organizations are as follows:-
• Organizations are increasingly producing safety-critical systems and users are becoming more demanding in terms of the quality of the software they employ to undertake their work. • Organizations are undertaking more ambitious projects when they build software. • Organizations are becoming more concerned about their liabilities if they produce and sell defective software. • Poor quality control over the production, implementation, operation, and maintenance of software can be costly in terms of missed deadlines, dissatisfied users and customer, lower morale among IS staff, higher maintenance and strategic projects that must be abandoned. • Improving the quality of Information Systems is a part of a worldwide trend among organizations to improve the quality of the goods and services they sell.
Quality Assurance (QA) personnel should work to improve the quality of information systems produced, implemented, operated, and maintained in an organization. They perform a monitoring role for management to ensure that –
• Quality goals are established and understood clearly by all stakeholders; and • Compliance occurs with the standards that are in place to attain quality information systems.
6) Security Management Controls:-
Information security administrators are responsible for ensuring that information systems assets categorized under Personnel, Hardware, Facilities, Documentation, Supplies Data, Application Software and System Software are secure. Assets are secure when the expected losses are at an acceptable level.
The control’s classification on the basis of “Nature of Information System Resources – Environmental Controls, Physical Controls and Logical Access Controls” (discussed above) are all security measures against the possible threats.
Threat Identification:- A threat is some action or event that can lead to a loss. During the threat-identification phase, security administrators attempt to flesh out all material threats that can eventuate and result in information systems assets being exposed, removed either temporarily or permanently, lost, damaged, destroyed or used for unauthorized purposes.
Some of the major threats to the security of IS and their controls are as follows:-
• Fire: Well-designed, reliable fire protection systems must be implemented. • Water: Facilities must be designed to mitigate losses from water damage. • Energy Variations: Voltage regulators, circuit breakers and uninterruptible power supplies can be used. • Structural Damage: Facilities must be designed to withstand structural damage. • Pollution: Regular cleaning of facilities and equipment should occur. • Unauthorized Intrusion: Physical access controls can be used. • Viruses and Worms: Controls to prevent use of virus-infected programs and to close security loopholes that allow worms to propagate. • Misuse of software, data and services: Code of conduct to govern the actions of information systems employees. • Hackers: Strong, logical access controls to mitigate losses from the activities of hackers.
However, in spite of the controls on place, there could be a possibility that a control might fail. When disaster strikes, it still must be possible to recover operations and mitigate losses using the last resort controls - A Disaster Recovery Plan (DRP) and Insurance.
• DRP:- A comprehensive DRP comprise four parts – an Emergency Plan, a Backup Plan, a Recovery Plan and a Test Plan. The plan lays down the policies, guidelines, and procedures for all Information System personnel. These controls are related to having an operational and tested IT continuity plan and business requirements so as to make sure IT services are available as required and to ensure a minimum impact on business in the event of a major disruption. The controls include alternative procedures, Back-up and Recovery, Systematic and Regular Testing and Training, Risk Management Activities, Problem Management etc.
• Insurance:- Adequate insurance must be able to replace Information Systems assets and to cover the extra costs associated with restoring normal operations. Policies usually can be obtained to cover the resources like – Equipment, Facilities, Storage Media, Valuable Papers and Records etc.
7) Operations Management Controls:-
Operations management is responsible for the daily running of hardware and software facilities and performs controls over the functions as below:-
(a) Computer Operations:- The controls over computer operations govern the act
