
GENERAL AND APPLICATION CONTROLS

• Explain how general controls and application controls reduce IT risks.
Why do we need controls?
• (1) to provide reasonable assurance that the
goals of each business process are being
achieved
• (2) to mitigate the risk that the enterprise will be
exposed to some type of harm, danger, or loss
(including loss caused by fraud or other
intentional and unintentional acts)
• (3) to provide reasonable assurance that the
company is in compliance with applicable legal
and regulatory obligations.
Internal Controls Specific to
Information Technology

General controls

Application controls
Relationship Between General and Administrative Controls

General controls surround the application controls of every cycle and address the risk of unauthorized change to application software, the risk of system crash, the risk of unauthorized master file update, and the risk of unauthorized processing. The application controls inside that boundary are:
- Cash receipts application controls
- Sales application controls
- Payroll application controls
- Other cycle application controls
General Controls
Administration of the IT function

Segregation of IT duties

Systems development

Physical and online security

Backup and contingency planning

Hardware controls
Administration of the IT
Function
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
Segregation of IT Duties

Chief Information Officer or IT Manager
- Security Administrator
- Systems Development
- Operations
- Data Control
Systems Development

Typical test strategies:
- Pilot testing
- Parallel testing
Physical and Online Security

Physical Controls:
- Keypad entrances
- Badge-entry systems
- Security cameras
- Security personnel

Online Controls:
- User ID control
- Password control
- Separate add-on security software
Backup and Contingency Planning

One key to a backup and contingency plan is to make sure that all critical copies of software and data files are backed up and stored off the premises.
Hardware Controls

These controls are built into computer equipment by the manufacturer to detect and report equipment failures.
Application Controls

Input controls

Processing controls

Output controls
Input Controls

These controls are designed by an organization to ensure that the information being processed is authorized, accurate, and complete.
Batch Input Controls

Financial total

Hash total

Record count
Input Controls
• Data input controls ensure the accuracy,
completeness, and timeliness of data during
its conversion from its original source into
computer data, or entry into a computer
application. Data can be entered into a
computer application from either manual
online input or by batch processing
(automated). Someone reviewing input
controls should determine the adequacy of
both manual and automated controls over
data input to ensure that data is input
accurately with optimum use of computerized
validation and editing and that error handling
procedures facilitate the timely and accurate
resubmission of all corrected data.
• 1) Documented procedures should
exist for any data manually
entered into the application.
These procedures should include
how to identify, correct,
and reprocess rejected data.
• 2) Input edits should be used by
the application. These could
include checking for invalid field
lengths, invalid characters,
missing or erroneous data,
incorrect dates, or the use of
check digits.
• 3) Input data should also be
controlled by the use of record
counts, batching techniques,
control totals, or some other type
of logging. (Balancing of
source documents to input
processing)
• 4) Another way to help ensure
appropriate data is being entered
into the application is to require
that an authorized person approve
the input documents.
The authorization levels of the
assigned approvers should also be
reviewed to determine if they are
reasonable.
• 5) Passwords should be used to
control access to the application.
Passwords should be changed
periodically, deleted when
employees/users leave the
University, and modified to reflect
changes as a person’s
responsibilities change.


• 6) Duties should be separated to
ensure that no one individual
performs more than one of the
following operations without
supervisory review:
- Origination of data
- Input of data into the system
- Processing the data
- Distribution of the output
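The input edits and batch totals described above, as an added example in Python (not code from the original slides): a constructed four-record batch is checked for field length, invalid characters, invalid dates and a mod-10 check digit, and its record count, financial total and hash total are balanced against a constructed control slip. The customer-number length, the Luhn check digit and the control-slip values are assumptions.

```python
"""Input controls over a constructed invoice batch: input edits and batch totals."""
from datetime import date

CUSTOMER_LEN = 11   # assumed fixed length of the customer-number field

# Constructed batch as keyed by the data-entry clerk. The customer number ends in a
# mod-10 (Luhn) check digit; 79927398713 is a valid example number.
BATCH = [
    {"customer": "79927398713", "invoice_date": "2024-03-01", "amount_cents": 125000},
    {"customer": "79927398713", "invoice_date": "2024-03-02", "amount_cents": 4999},
    {"customer": "79927398714", "invoice_date": "2024-03-02", "amount_cents": 800},   # mis-keyed last digit
    {"customer": "7992739871A", "invoice_date": "2024-02-30", "amount_cents": 1200},  # bad character, bad date
]
# Control slip from the source documents (constructed): all four carried 79927398713.
CONTROL_SLIP = {"record_count": 4, "financial_total": 131999, "hash_total": 4 * 79927398713}

def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit: the weighted digit sum must divide by 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:   # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_record(rec: dict) -> list[str]:
    """Input edits: field length, invalid characters, missing data, dates, check digit."""
    errors = []
    cust = str(rec.get("customer", ""))
    if not cust:
        errors.append("customer missing")
    elif len(cust) != CUSTOMER_LEN:
        errors.append(f"customer length {len(cust)} != {CUSTOMER_LEN}")
    elif not cust.isdigit():
        errors.append("customer contains non-digit characters")
    elif not luhn_valid(cust):
        errors.append("customer check digit invalid")
    try:
        date.fromisoformat(str(rec.get("invoice_date", "")))
    except ValueError:
        errors.append(f"invoice_date {rec.get('invoice_date')!r} is not a valid date")
    amount = rec.get("amount_cents")
    if not isinstance(amount, int) or amount <= 0:
        errors.append("amount_cents missing or not a positive whole number")
    return errors

def batch_totals(records: list[dict]) -> dict[str, int]:
    """Record count, financial total, and hash total over the customer numbers (a control only)."""
    numeric = [int(r["customer"]) for r in records if str(r.get("customer", "")).isdigit()]
    return {"record_count": len(records),
            "financial_total": sum(r.get("amount_cents", 0) for r in records),
            "hash_total": sum(numeric)}

def balance_batch(records: list[dict], slip: dict[str, int]) -> list[str]:
    """A total that differs from the control slip means records were lost,
    duplicated or mis-keyed somewhere between the source documents and input."""
    computed = batch_totals(records)
    return [f"{key}: slip {slip[key]} vs computed {computed[key]}"
            for key in ("record_count", "financial_total", "hash_total")
            if slip[key] != computed[key]]

def process_input(records: list[dict], slip: dict[str, int]):
    """Apply the edits and the balancing; rejected records are returned with
    their record number and reasons so they can be corrected and resubmitted."""
    accepted, rejected = [], []
    for number, rec in enumerate(records, start=1):
        errors = edit_record(rec)
        if errors:
            rejected.append((number, errors))
        else:
            accepted.append(rec)
    return accepted, rejected, balance_batch(records, slip)
```

The hash total catches the mis-keyed customer number even though the financial total still balances, which is why both totals are carried on the slip.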
Processing Controls

Validation test

Sequence test

Arithmetic accuracy test

Data reasonableness test

Completeness test
Processing Controls
• Processing controls are used to
ensure the accuracy, completeness,
and timeliness of data during either
batch or real-time processing by the
computer application. Someone
reviewing these controls should
determine the adequacy of controls
over application programs and
related computer operations to
ensure that data is accurately
processed through the application
and that no data is added, lost, or
altered during processing.
• 1) Documentation should exist
explaining the processing of data
through the application. Examples
would be narratives on how the
application processes
data, flowcharts, and an
explanation of system or error
messages.
• 2) If the application is “run” on a
regular schedule to process data,
either manually or automatically,
there should be documented
procedures explaining how this
is performed. There may be a
schedule that must be followed
with controls in place to ensure
all processing was completed.
• 3) A processing log may exist. If it
does, it should be reviewed for
unusual or unauthorized activity.
• 4) The processing log, or another log or report, should be used to document any errors or problems encountered during processing. Types of information that should be kept include descriptions of any errors encountered, dates identified, any codes associated with errors, any corrective action taken, and the date and time corrected.
• 5) There should be controls in
place to make sure the correct
generation/cycle of files are used
for processing. This may include
the generation of backup files
from processing to be used for
disaster recovery.
• 6) Processing edits should also be
used. These may be similar to
input edits but applied to the data
during processing.
• 7) Audit trails should be generated during processing. These audit trails should be logs or reports that contain information about each transaction. Data that should be included are who initiated each of the transactions, the date and time of the transactions, and the location of the transaction origination (IP address as an example).
Output Controls

These controls focus on detecting errors after processing is completed rather than on preventing errors.
Output Controls
• Data output controls are used to
ensure the integrity of output and the
correct and timely distribution of any
output produced. Output can be in
hardcopy form, in the form of files used
as input to other systems, or
information available for online
viewing. Someone reviewing these
controls should evaluate the adequacy
of controls over output to ensure that
the data processing results are
accurate and reliable, output control
totals are accurate and are being
verified, and the resulting information
is distributed in a timely and
consistent manner to the end users.
• 1) Output should be balanced/reconciled to input. There should be adequate separation of duties for the balancing / reconciliation process.
• 2) There should be documented procedures to explain the methods for the proper balancing / reconciliation and error correcting of output.

• 3) Output should be reviewed for general acceptability and completeness, including any control totals.
• 4) There should be either error
reports or a log kept of output
errors. These should contain
information such as:
- A description of problems/errors
and date identified
- Corrective action taken

• 5) Record retention and backup schedules for output files should be established. Consideration should be given to rotating output files offsite.
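An added example (not part of the slides) covering the processing tests listed under Processing Controls and the output balancing described under Output Controls: a constructed batch is run through sequence, completeness, arithmetic accuracy and reasonableness tests, each transaction gets an audit trail entry with user, date/time and IP address, and the posted output plus the rejected items is reconciled back to the input totals. The record layout, the reasonableness limit and the operator and IP values are assumptions.

```python
"""Processing and output controls over a constructed batch: sequence, arithmetic,
reasonableness and completeness tests, an audit trail, and output balancing."""
from datetime import datetime, timezone

REASONABLE_MAX_CENTS = 1_000_000   # assumed reasonableness limit per transaction
REQUIRED = ("seq", "customer", "qty", "unit_price_cents", "amount_cents")

# Constructed batch that already passed the input controls; "seq" is assigned at
# input and must be consecutive, so a gap means a record was lost on the way.
INPUT_BATCH = [
    {"seq": 1, "customer": "C100", "qty": 2, "unit_price_cents": 5000, "amount_cents": 10000},
    {"seq": 2, "customer": "C200", "qty": 3, "unit_price_cents": 1500, "amount_cents": 4600},  # 3*1500 != 4600
    {"seq": 4, "customer": "C100", "qty": 1, "unit_price_cents": 2000, "amount_cents": 2000},  # seq 3 missing
    {"seq": 5, "customer": "C300", "qty": 1, "unit_price_cents": 5_000_000, "amount_cents": 5_000_000},
    {"seq": 6, "customer": "", "qty": 1, "unit_price_cents": 100, "amount_cents": 100},        # no customer
]

def processing_tests(batch):
    """Per-record failures keyed by seq, plus batch-level sequence breaks."""
    failures, sequence_errors, prev = {}, [], None
    for rec in batch:
        seq = rec["seq"]
        if prev is not None and seq != prev + 1:                       # sequence test
            sequence_errors.append(f"gap or duplicate between seq {prev} and {seq}")
        prev = seq
        errors = []
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:                                                    # completeness test
            errors.append("missing " + ", ".join(missing))
        if rec["qty"] * rec["unit_price_cents"] != rec["amount_cents"]:  # arithmetic accuracy test
            errors.append("qty * unit_price != amount")
        if not 0 < rec["amount_cents"] <= REASONABLE_MAX_CENTS:        # reasonableness test
            errors.append(f"amount {rec['amount_cents']} outside reasonable range")
        if errors:
            failures[seq] = errors
    return failures, sequence_errors

def post_batch(batch, operator, source_ip):
    """Post the clean records; every transaction, posted or not, gets an audit
    trail entry recording who, when, from where, and the outcome."""
    failures, sequence_errors = processing_tests(batch)
    posted, audit = [], []
    for rec in batch:
        outcome = "posted" if rec["seq"] not in failures else "rejected: " + "; ".join(failures[rec["seq"]])
        audit.append({"seq": rec["seq"], "user": operator, "ip": source_ip,
                      "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                      "amount_cents": rec["amount_cents"], "outcome": outcome})
        if outcome == "posted":
            posted.append(rec)
    return posted, audit, sequence_errors

def output_balances(batch, posted, audit):
    """Output control: posted output plus rejected items must reconcile to the input
    batch in record count and financial total; otherwise output was lost or altered."""
    rejected = [a for a in audit if a["outcome"] != "posted"]
    in_total = sum(r["amount_cents"] for r in batch)
    out_total = sum(r["amount_cents"] for r in posted) + sum(a["amount_cents"] for a in rejected)
    problems = []
    if out_total != in_total:
        problems.append(f"financial total: input {in_total} vs output+rejected {out_total}")
    if len(posted) + len(rejected) != len(batch):
        problems.append(f"record count: input {len(batch)} vs output+rejected {len(posted) + len(rejected)}")
    return problems
```

A sequence break is reported for the batch rather than charged to the record that follows the gap, since that record itself may be perfectly valid.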
RISK ANALYSIS
What is Risk Analysis

• Risk Analysis has been defined as:
• "a formal process of determining risks and developing a plan to deal with them"
• Risks do not arise all by themselves. A risk is normally a product of two factors: threats (something could go wrong) and vulnerabilities (the information system/s used by the business will allow things to go wrong).
• Threats include:
- Deliberate manipulation of
information prior to
input/processing
- Impersonation of a legitimate
user
- Untrained or poorly trained
staff
• Vulnerabilities include:
- Poor website or network
design (e.g. which can allow
"hackers" into a system or
web site)
- Poor recruitment procedures
• The first - and key stage - in
addressing risks is to do a risk
analysis
• A risk analysis process has three
main stages:
• (1) Understanding risks to the business and how they can occur
• (2) Understanding the potential cost to the business if they do occur (a business should focus its attention on the risks that have the greatest potential cost)
• (3) Identifying suitable and
effective measures and policies
to:
- Minimise the likelihood of the
threats happening
- Prevent or detect the threat
- Enable appropriate recovery
action to be taken
Many risks can be quantified -
since they occur in most
businesses - and there is lots of
evidence of how threats and
vulnerabilities arise.
• The most important element
in the process is that risk
decisions are taken openly.
Denying the presence of risk
is not helpful. But trying to
reduce the risk to zero is not
realistic either.
SYSTEMS SECURITY
Access Control
Control Access to What?

• Businesses need to control access to:
- Information
- Computer applications
- Operating system facilities
How is It Achieved?
• Control over access to an information system is achieved by using a logical access system. Such a system:
- Requests details of the identification of the user (e.g. by requesting a username and password)
- Checks whether the user has the authority to access the system
- Authenticates the user and allows access
• Effective control ensures that staff
have appropriate access to
information and applications, and do
not abuse it.
• Management issues, such as
periodic reviews of user accounts,
can apply as much to IT systems as
to physical access control systems.
Confidentiality of information is best
achieved by ensuring that people
only have access to the information
they actually need.
• If access rules are too detailed, managing them will be very difficult. If they are too general, people will have access to information or applications that they will never need. A balance must be struck depending on:
- Needs of the business
- Security features provided by the systems
- Trust in staff
• Consideration of security issues during
system design, development and
procurement will greatly enhance
effectiveness. Look for:

• Strong password enforcement
• Management of access rights to
read, amend, process or delete
information
• Analysis of what users require to
do their job
• Analysis of the security features
each system can provide
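An added example of the logical access system described above (example code, not from the slides): users are identified, authenticated against a salted PBKDF2 hash, then checked for the read/amend/process/delete right they asked for; leavers are deactivated, expired passwords are refused, and a periodic review lists idle accounts and stale passwords. It authenticates before checking authority so that a refusal never reveals an unauthenticated caller's rights; the 12-character minimum, the 90-day limits and the sample users are assumptions.

```python
"""A small logical access system: identify the user, authenticate, then check the
authority for the requested application and action; plus a periodic account review."""
import hashlib
import hmac
import os
from datetime import date, timedelta

ACTIONS = ("read", "amend", "process", "delete")   # access rights named on the slides
MIN_PASSWORD_LEN = 12                  # assumed strong-password rule
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed periodic change interval
TODAY = date(2024, 6, 1)               # fixed so the example is reproducible

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored passwords cannot be read off the user file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessSystem:
    def __init__(self):
        self.users: dict[str, dict] = {}

    def add_user(self, name, password, rights, changed_on=TODAY):
        """rights maps application -> set of ACTIONS the user needs to do their job."""
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password shorter than policy minimum")   # strong password enforcement
        if any(a not in ACTIONS for acts in rights.values() for a in acts):
            raise ValueError("unknown access right")
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": hash_password(password, salt), "rights": rights,
                            "pw_changed": changed_on, "last_login": None, "active": True}

    def deactivate(self, name):
        """Leavers are disabled at once rather than left with a working login."""
        self.users[name]["active"] = False

    def request_access(self, name, password, application, action, on=TODAY) -> str:
        """Returns 'granted' or the reason for refusal."""
        user = self.users.get(name)                                    # identification
        if user is None or not user["active"]:
            return "denied: unknown or inactive user"
        if not hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
            return "denied: authentication failed"                    # authentication
        if on - user["pw_changed"] > MAX_PASSWORD_AGE:
            return "denied: password expired, change required"
        if action not in user["rights"].get(application, set()):      # authority check
            return f"denied: no {action} right on {application}"
        user["last_login"] = on
        return "granted"

    def review_accounts(self, on=TODAY, idle=timedelta(days=90)):
        """Periodic review: active accounts that are unused or carry a stale password."""
        findings = {}
        for name, u in self.users.items():
            if not u["active"]:
                continue
            issues = []
            if u["last_login"] is None or on - u["last_login"] > idle:
                issues.append("idle")
            if on - u["pw_changed"] > MAX_PASSWORD_AGE:
                issues.append("stale password")
            if issues:
                findings[name] = issues
        return findings
```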
Physical Security in Information Systems

• How do you stop unauthorised physical access to information systems? How do you protect the security of the information systems assets themselves (e.g. computer rooms, laptops and disks)? The answer lies in physical security controls. The key controls you need to be aware of are summarised in this revision note.
• Ensuring that there is a proper
physical environment for systems,
records and staff is essential for
maintaining confidentiality,
integrity and availability of
information.
• Management need to think about the
following aspects of physical
security:
• (1) Protection
- of information and information
systems from the elements is as
important as protecting them from
unauthorised people
- of physical access, which should
be restricted to authorised
personnel. IT equipment is tempting
to thieves, and can be damaged by
accidents or sabotage
(2) Maintenance
- of the physical operating environment in a computer server room is as important as ensuring that paper records are not subject to damage by fire or flooding.
- of supporting equipment such as air conditioning plant or mains services
• The main physical security controls are
as follows:
Controlling Physical Access

• The objective with physical access controls is to stop unauthorised people getting near to computer systems.
• The key is to have a range of controls that include:
- Personnel (e.g. security) controlling human access
- Use of locks, key pads or card entry systems to sensitive computer locations
- Intruder alarms (detection)
Preventing Theft

• Increasingly, computer equipment is smaller and lighter - which makes it easier to steal. So it makes sense for such equipment to be:
- Locked away when not in use
- Marked with identification (e.g. bar code / security code)
Physical Environment
• The locations in which information
systems are held also need to be
protected. Measures include:
- Site preparation (e.g. materials that are fireproof)
- Detection equipment (e.g. smoke detectors)
- Extinguishing equipment (e.g. sprinklers)
- Protection of power supplies (e.g. back-up generator)
DISASTER RECOVERY
PLANNING
What Is a Disaster
• Any natural or man-made
event that disrupts the
operations of a business
in such a significant way that
a considerable and
coordinated effort is required
to achieve a recovery.
Natural Disasters
• Geological: earthquakes,
volcanoes, tsunamis, landslides,
and sinkholes
• Meteorological: hurricanes,
tornados, wind storms, hail, ice
storms, snow storms, rainstorms,
and lightning
• Other: avalanches, fires, floods,
meteors and meteorites, and solar
storms
• Health: widespread illnesses,
quarantines, and pandemics
Man-made Disasters
• Labor: strikes, walkouts, and
slow-downs that disrupt
services and supplies
• Social-political: war,
terrorism, sabotage,
vandalism, civil unrest,
protests, demonstrations,
cyber attacks, and blockades
Man-made Disasters (cont.)

• Materials: fires, hazardous materials spills
• Utilities: power failures,
communications outages,
water supply shortages, fuel
shortages, and radioactive
fallout from power plant
accidents
How Disasters Affect
Businesses
• Direct damage to facilities and equipment
• Transportation infrastructure damage
– Delays deliveries, supplies, customers,
employees going to work
• Communications outages
• Utilities outages
• Loss of Critical IT resources
• Loss of data
How BCP and DRP
Support Security
• BCP (Business Continuity
Planning) and DRP (Disaster
Recovery Planning)
• Security pillars: C-I-A
– Confidentiality
– Integrity
– Availability
• BCP and DRP directly support
availability
BCP and DRP Differences
and Similarities
• BCP
– Activities required to ensure the
continuation of critical business
processes in an organization
– Alternate personnel, equipment,
and facilities
– Often includes non-IT aspects of
business
• DRP
– Assessment, salvage, repair, and
eventual restoration of damaged
facilities and systems
– Often focuses on IT systems
WHAT IS A DISASTER
RECOVERY PLAN
• A disaster recovery plan (DRP) - sometimes referred to as a business continuity plan (BCP) - describes how an organization is to deal with potential disasters. Just as a disaster is an event that makes the continuation of normal functions impossible, a disaster recovery plan consists of the precautions taken so that the effects of a disaster will be minimized and the organization will be able to either maintain or quickly resume mission-critical functions.
• Typically, disaster recovery
planning involves an analysis of
business processes and continuity
needs; it may also include a
significant focus on disaster
prevention.
What Should Be The Goals Of The Disaster Recovery & Business Resumption Plan?
The three (3) primary goals of disaster recovery and business resumption planning are to:
• Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records. This requires a comprehensive assessment of each department within the institution, to ensure that appropriate steps have been taken to:
– Minimize disruptions of services to the institution and its customers;
– Minimize financial loss;
– Provide for a timely resumption of operations in case of a disaster; and
– Reduce or limit exposure to potential liability claims filed against the institution, and its directors, officers and other personnel.
• Immediately invoke the emergency
provisions of Disaster Recovery &
Business Resumption Plan to stabilize
the effects of the disaster, allowing for
appropriate assessment and the
beginning of recovery efforts. We then
minimize the effects of the disaster and
provide for the fastest possible recovery.
• Implement the procedures contained in the Disaster Recovery & Business Resumption Plan according to the type and impact of the disaster. When we implement these procedures, we must prioritize all recovery efforts as follows:
– Employees: Not only must we help to ensure their survival as a basic human concern, but because of their anticipated performance in helping other persons on the institution's premises when the disaster strikes;
– Customers: As we do with employees, we must help to ensure the survival of or care for customers affected by the disaster: physically, mentally, emotionally and financially;
– Facilities: After ensuring the safety of
employees and customers, we then secure
each facility as shelter for both people and
assets;
– Assets: Conducting a damage assessment
will determine which assets have been
destroyed, which ones are at risk and what
resources that we have left; and
– Records: Documenting the disaster and the
actions taken by the institution's personnel
-- when combined with comprehensive
videotapes of facilities that are obtained
during routine facility inspections -- reduce
the likelihood of legal actions while helping
to assess the responsibility for losses.
DISASTER RECOVERY PLAN
Disaster Recovery Planning
• Disaster recovery planning consists of
deciding in advance what, how, when
and who are needed to provide a
solution that will sustain critical
business functions. The planning
process includes steps that identify
and document key elements in a
successful disaster recovery solution.
These steps include the following:
– 1. Identifying and prioritizing business-critical systems and functions,
– 2. Identifying business-critical resources and performing impact analysis,
– 3. Developing a notification plan,
– 4. Developing a damage assessment plan,
– 5. Designating a disaster recovery site (if necessary and possible),
– 6. Developing a plan to recover critical functions at the disaster recovery site, and identifying and documenting security controls, and
– 7. Designating responsibilities.
• Disaster recovery planning is an
ongoing, dynamic process that
continues throughout the
information system’s lifecycle.
1. Identifying Critical Systems
and Functions
• Information systems can be very
complex, fulfilling many business
functions. Your first step in disaster
recovery planning is to identify and
prioritize the business-critical
functions, systems, and processes. As
a disaster recovery planner, you must
obtain input from Executive and
Functional Managers to determine
each system’s criticality
2. Identifying Critical Resources
• Your second step in disaster recovery
planning is to identify the resources that are
critical to the information systems that
support the functions, systems, and
processes that you identified in step one. The
critical resources that you identify must
include everything necessary to support the
critical function, system, or process. Some
examples of critical resources are:
• Servers, workstations and peripherals,
• Applications and data,
• Media and output,
• Telecommunications connections,
• Physical infrastructure (e.g., electrical power, environmental controls), and
• Personnel.
• As a disaster recovery planner, you must
analyze the critical resources identified and
determine the impact on information system
operations if a given resource is disrupted or
damaged. The impact analysis must include
allowable outage times, i.e., “How long can a
company afford to be without this resource?”
When analyzing the impact, you must also
consider the outage effect on dependent
systems.
• Using the resulting business impact
analysis, you must then develop and
prioritize strategies for recovery and
restoration.
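The impact analysis of steps 1 and 2, as an added example (not from the slides): a constructed inventory of critical resources with allowable outage times and the resources each depends on. A resource inherits the tightest allowable outage of anything that depends on it, which gives the recovery priority, and listing the dependents of one resource shows the outage effect on dependent systems. The resource names and hours are assumptions.

```python
"""Business impact analysis over a constructed resource inventory: allowable
outage times propagate through dependencies and drive the recovery priority."""

# Constructed inventory: resource -> (allowable outage in hours, resources it depends on)
RESOURCES = {
    "order-entry app": (4, ["db-server", "lan"]),
    "payroll app": (72, ["db-server"]),
    "reporting": (120, ["db-server"]),
    "db-server": (48, ["power", "lan"]),
    "lan": (24, ["power"]),
    "power": (96, []),
}

def dependents_of(resources):
    """Invert the 'depends on' lists: resource -> resources that need it."""
    dependents = {name: [] for name in resources}
    for name, (_, uses) in resources.items():
        for used in uses:
            if used not in resources:
                raise KeyError(f"{name} depends on unknown resource {used}")
            dependents[used].append(name)
    return dependents

def effective_outages(resources):
    """A resource can be down no longer than the tightest limit of anything that
    depends on it, so its effective allowable outage is the minimum over its own
    limit and the effective limits of all dependents. A cycle is an inventory error."""
    dependents, memo = dependents_of(resources), {}

    def effective(name, path):
        if name in memo:
            return memo[name]
        if name in path:
            raise ValueError(f"circular dependency involving {name}")
        own, _ = resources[name]
        memo[name] = min([own] + [effective(d, path | {name}) for d in dependents[name]])
        return memo[name]

    return {name: effective(name, frozenset()) for name in resources}

def depth(resources, name):
    """How many layers of other resources this one needs before it can run."""
    _, uses = resources[name]
    return 0 if not uses else 1 + max(depth(resources, u) for u in uses)

def recovery_priority(resources):
    """Recover the tightest effective outage first; on ties, prerequisites first."""
    eff = effective_outages(resources)
    return sorted(resources, key=lambda n: (eff[n], depth(resources, n), n))

def affected_by(resources, name):
    """Everything that stops if `name` is disrupted: its transitive dependents."""
    dependents, hit, stack = dependents_of(resources), set(), [name]
    while stack:
        for d in dependents[stack.pop()]:
            if d not in hit:
                hit.add(d)
                stack.append(d)
    return sorted(hit)
```

Power carries a 96-hour limit of its own but must be recovered first, because the order-entry application that cannot be without it for more than 4 hours sits at the top of the dependency chain.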
3. Developing a Notification Plan
• Your third step is to develop a
plan for notifying essential
personnel when a disaster occurs
or is imminent. The plan must
describe the methods the
company uses to notify personnel
during business and non-business
hours. Prompt notification can
reduce the disaster’s effects on
the information system because
you will have time to take
mitigating actions.
4. Developing a Damage
Assessment Plan
• Your fourth step is to develop a plan for
assessing the nature and extent of damage to
the system, and determine the extent to
activate the Disaster Recovery Plan. Although
damage assessment procedures may be
unique for each system, you must address the
following areas:
– Cause of the outage or interruption,
– Damage to the information system or data,
– Potential for additional disruption or damage,
– Physical infrastructure status,
– Information system inventory and functional status,
– Requirements for repair or replacement, and
– Estimated time to recover or restore.
• Disaster Recovery Plan activation criteria (the conditions under which you activate the plan) are unique to each event and you must state them in the plan. You must base criteria on:
– Information system damage,
– Facility damage,
– System criticality, and
– Anticipated disruption length.


5. Designate a Disaster Recovery Site
• Your fifth step is to choose a disaster recovery site where recovery of system operations will be performed until restoration is possible. The Disaster Recovery Plan must define the specific site for the contingencies identified within the plan. The following table describes the site types that may be used:

Cold Site: A facility with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support the information system, but no equipment.
• Low setup costs

Warm Site: Partially equipped office spaces that contain some or all of the system hardware, software, telecommunications, and power sources. The warm site is maintained in an operational status, ready to receive the relocated system.

Hot Site: Office spaces appropriately sized to support system requirements and configured with the necessary system hardware, supporting infrastructure, and support personnel.
• Medium/High setup costs

Mirrored Site: Fully redundant facilities with full, real-time information mirroring. Mirrored sites are identical to the primary site in all technical respects.
• High setup costs


6. Developing a Plan to Recover
Critical Functions
• Your sixth step in disaster recovery
planning is to establish how you will
recover critical functions. The
planning requirements for this step
may include procuring and setting
up necessary equipment, providing
guaranteed safety and
transportation for personnel,
obtaining backups from storage, etc.
You must include the procedures
that support these requirements in
your Disaster Recovery Plan
7. Designate Responsibilities
• Your seventh step in disaster
recovery planning is to designate
responsibility for key activities
identified and their duties outlined
within the Disaster Recovery Plan.
You must make certain that the
designated personnel are trained
to perform their activities.
Implement and Maintain the
Disaster Recovery Plan
• The first seven steps, as taken,
populate sections of the Disaster
Recovery Plan. Once populated, you
must keep the Disaster Recovery Plan
up-to-date, and securely store it for
use. You must validate the Disaster
Recovery Plan annually. Whenever
there are changes to your information
system, you must update and validate
the Disaster Recovery Plan
