
6. Hardware Controls

Provided by the hardware manufacturers
- Today's computers are designed to be very reliable and most of them have built-in hardware controls
- Even with this, it is essential that the auditor evaluate the impact of hardware controls on the reliability of the system

1) Redundant character check
2) Duplicate process check
3) Echo check
4) Equipment check
5) Validity check
6) Power protection
7) Operational manual controls

1) Redundant character check
- a bit, two bits or a set of bits added for the purpose of detecting errors
- data are stored in a binary code: a sequence of zeros and ones (bits)
- the single parity bit is the creation of an additional bit for each character processed
- the computer counts the number of 1 bits in each character to determine if the count is odd or even
- in an odd parity check, the computer will add a parity bit of 0 if the count is odd and a 1 if the count is even

2) Duplicate process check
- uses the principle of complementary operations to detect and correct errors
- an operation is performed twice, then the results are compared; any difference indicates a hardware-induced error

3) Echo check
- purpose is to ensure that commands sent to peripherals or remote equipment are obeyed and that data are received correctly
- the peripherals or remote equipment send back (echo) a signal verifying that the command has been received and complied with

4) Equipment check
- controls built into the circuitry of the computer to ensure that the equipment is functioning properly and, where necessary, automatic error correction
- these automatic error corrections are either:
  • Automatic error diagnosis, or
  • Automatic retry

5) Validity check
- to ensure that actions taken by the computer are valid
  • Operation validity
    - ensures that only valid instructions are performed
  • Character or field validity check
    - compares data characters or fields that are written or read with the set of all valid characters or fields
  • Address validity
    - check of the storage location in memory or in a peripheral device

6) Power protection
- protects the hardware from power fluctuations (spikes or surges)
- enables the computer to continue operations in case of power interruptions: UPS (Uninterrupted Power Supply)

7) Operational manual controls
a) Equipment failure logs
b) Environmental controls
- Dust, temperature, humidity
c) Formal recovery procedures (written)
d) Preventive and corrective maintenance

7. System Software Controls

System Software
- A set of program routines that perform system-level functions of management, application program support, and tasks common to many applications
- Includes both the control of all operations and the allocation of resources, i.e., CPU time, memory, input/output devices, among the various application programs

1) Controls for program protection
2) Controls for file protection
3) Controls to handle errors
4) Security protection
5) Self-protection

1) Controls to handle errors
a. Read or write error routines (save)
- retry, diagnose, propose action (close, etc.); prevents erroneous overwriting of existing records or files
b. Record length checks
c. Storage device checks
- signals if a storage device is not operational

2) Controls for program protection
- prevent application programs from interfering with each other during processing
a. Boundary protection
- assignment of memory partitions to programs in a multiprogramming environment
b. Control over external references (sub-routines) in linkage editing
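The odd-parity redundant character check described under Hardware Controls, as an added example that is not part of the original notes; the 7-bit ASCII character size, the sample string and the injected bit faults are assumptions. It also shows the limit of a single parity bit: an even number of flipped bits in one character passes the check.

```python
# Added example (not from the notes): an odd-parity redundant character
# check as described under "1) Redundant character check".  Each 7-bit
# ASCII character gets one extra parity bit chosen so the total number of
# 1 bits is odd; the receiver recounts and flags any character whose
# count came out even.

def odd_parity_bit(char_code: int) -> int:
    """Return the parity bit for a 7-bit character code under odd parity.

    Count the 1 bits in the character: if the count is already odd the
    parity bit is 0, if it is even the parity bit is 1, so the total
    number of 1 bits (data plus parity) is always odd.
    """
    ones = bin(char_code & 0x7F).count("1")
    return 0 if ones % 2 == 1 else 1


def encode_with_parity(text: str) -> list:
    """Encode each character as 8 bits: 7 data bits followed by the parity bit."""
    return [((ord(c) & 0x7F) << 1) | odd_parity_bit(ord(c)) for c in text]


def check_parity(words: list) -> list:
    """Return the positions of every 8-bit word whose 1-bit count is even,
    i.e. every word that fails the odd parity check."""
    return [i for i, w in enumerate(words) if bin(w & 0xFF).count("1") % 2 == 0]


def flip_bit(word: int, bit: int) -> int:
    """Constructed fault: invert one bit (0 = parity bit, 1..7 = data bits)."""
    return word ^ (1 << bit)


def demo() -> dict:
    stored = encode_with_parity("AUDIT")          # constructed sample data
    clean = check_parity(stored)                  # nothing corrupted
    single = list(stored); single[2] = flip_bit(single[2], 4)              # one bit flipped
    double = list(stored); double[3] = flip_bit(flip_bit(double[3], 1), 6) # two bits flipped
    return {
        "clean": clean,                            # []
        "single_bit_error": check_parity(single),  # [2]  detected
        "double_bit_error": check_parity(double),  # []   NOT detected
    }
```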
c. Library program software: restriction of access to use or change programs
- Passwords: used to limit access to programs under test status only, but not to the programs used in production
- Encryption: use of secret codes that prevents understanding of the program without the necessary key
- Library software control reports: program listing identifying the version of each program, run date, last copied, last change, to ensure that the current authorized version is used.

3) Controls for file protection
- to prevent unauthorized use or modification of data
a. Checking internal file labels – to prevent processing of wrong files and premature destruction
b. Storage protection – prevents inadvertent overwriting
c. Memory clear – removes the risk of sensitive data being available for subsequent access

4) Security Protection
a. Maintenance of logs and activity information
b. Password monitoring

5) Self-Protection (manual)
a. Segregation of duties – assignment of responsibilities for system software, library and operations should be separated.
b. Hardwiring – encode the software logic in hardware; modification can only be done by removal and replacement of the hardware

8. Systems Security Controls

System Security
- The protection of computer facilities, equipment, programs, and data from destruction by environmental hazards, by equipment error, software error or human error, or by computer abuse

Environmental hazards
- Include fires, floods, tornadoes, earthquakes, and other acts of God. Generally occur infrequently but with a high cost per occurrence.

Errors
- Include damage to disk storage by faulty disk drives, mistakes in application programs that destroy or damage data, and operator mounting of incorrect files. Generally frequent but at low cost per incident

Computer abuse
- The violation of a computer system to perform malicious damage, crime or invasion of privacy
  • Malicious damage includes looting and sabotage
  • Crime includes embezzlement, industrial espionage, and the sale of commercial secrets
  • Invasion of privacy includes discovery of confidential salary information, and the review of sensitive data by a competing company (financial information)

________________________________
- Are general controls that prevent failures in systems security and provide for recovery from failures in system security; they are generally categorized as:
1) Controls that provide a secure system
2) Controls for detecting failures in systems security
3) Controls for recovery from system security failures
The three (3) general categories pertain to:
a. Prevention
b. Detection
c. Correction or Recovery

1) Controls that provide a secure system
a. Security Management
I. Establish security objective
II. Evaluate security risks
III. Develop a security plan
IV. Assign responsibilities
V. Test system security
VI. Evaluate system security
b. Facilities security controls
I. Location controls
II. Construction controls
III. Access controls
- Conventional keys
- Magnetic stripe cards
- Devices that can read physical characteristics, e.g. fingerprints
- Signature verification system
c. Library controls
I. Library function for access controls
- Authorized users
- Usage log
II. Physical file control
- Internal header and trailer labels
- External labels
- Protection rings
- Read-only switch
d. On-line access controls
i. Physical security of terminals
- Use of terminal locks
ii. Authorization controls
- Authorized users
  • Programs and data files that each user can access should be identified in the authorization scheme
- Authorized terminals
iii. Identification controls
- Terminal identification
- User identification (passwords)
- Physiological key
  • Handprints, thumbprints
- Special key
  • Magnetic stripe cards
  • Optically encoded badge

Some rules concerning passwords:
- Passwords should not be chosen because they are easy to remember
- Should not be shared nor displayed
- Password file should be protected by the operating system
- Unsuccessful attempts should be monitored
- Should be changed periodically
- More effective when used in combination with other techniques

e. Data communication access control
i. Fragmentation – communication of a message one fragment at a time
ii. Intermixing – communication of several messages simultaneously
iii. Encryption – encoding of data to disguise their meaning

2) Controls for detecting failures in systems security
a. Unauthorized Access Detection Devices
i. Micro-switches – detect the presence of an intruder by breaking or completing an electrical circuit
ii. Beams – could be light, laser, ultraviolet or infrared
iii. Ultrasonic (sound waves) and radar detectors; these detect movements
iv. Microphones – sound can trigger an alarm
b. Fire Detection Devices
i. Heat-sensitive devices – fusible links built into the nozzles of sprinkler systems
ii. Smoke-sensitive devices
c. Authentication
i. Further identification information made periodically during use of the terminal
ii. Disconnecting and calling back the terminal
iii. Authenticity code
d. Systems Monitoring
i. CCTV
ii. Disconnection after repeated unsuccessful attempts
iii. Log of all access failures

3) Controls for recovery from system security failures
a. Failure bypass procedures
b. Recovery plan (Business Continuity Plan)
c. Recovery procedures
i. Computer facilities and equipment
ii. Software
iii. Data/source documents
iv. Personnel
  • Who is responsible for what
  • Substitute in case of injury
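The password rule "Unsuccessful attempts should be monitored" and the Systems Monitoring controls "Disconnection after repeated unsuccessful attempts" and "Log of all access failures", applied to constructed terminal log-on records; this is an added example, not part of the original notes. The record format, the sample lines and the threshold of three consecutive failures per terminal are assumptions.

```python
# Added example (not from the notes): monitor unsuccessful log-on attempts,
# keep a log of every access failure, and decide when a terminal is to be
# disconnected after repeated failures.  Record format and threshold are
# assumptions made for this example.

from collections import defaultdict

MAX_FAILURES = 3   # assumed policy: disconnect on the 3rd consecutive failure

# Constructed sample records: "<time> <terminal> <user> <result>"
SAMPLE_LOG = """\
08:01 T01 jdoe FAIL
08:02 T01 jdoe FAIL
08:03 T01 jdoe OK
08:10 T07 asmith FAIL
08:11 T07 asmith FAIL
08:12 T07 asmith FAIL
08:13 T07 asmith FAIL
08:20 T02 mlee OK
"""


def parse_log(text: str) -> list:
    """Split each non-blank record into (time, terminal, user, result)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            time, terminal, user, result = line.split()
            records.append((time, terminal, user, result))
    return records


def monitor_logons(records: list) -> dict:
    """Return the log of all access failures and the terminals disconnected.

    A successful log-on resets the terminal's consecutive-failure counter.
    Attempts after a disconnect are still logged but do not disconnect twice.
    """
    failures = []                  # log of all access failures
    consecutive = defaultdict(int) # consecutive failures per terminal
    disconnects = {}               # terminal -> time of disconnection
    for time, terminal, user, result in records:
        if result == "OK":
            consecutive[terminal] = 0
            continue
        failures.append((time, terminal, user))
        consecutive[terminal] += 1
        if consecutive[terminal] == MAX_FAILURES and terminal not in disconnects:
            disconnects[terminal] = time
    return {"failures": failures, "disconnects": disconnects}
```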
