1 / 31

HAPTER 10

HAPTER 10. Information Systems Controls for System Reliability Part 3: Processing Integrity and Availability. INTRODUCTION. Questions to be addressed in this chapter include: What controls ensure processing integrity? What controls ensure that the system is available when needed?.

lucia
Download Presentation

HAPTER 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HAPTER 10 Information Systems Controls for System Reliability Part 3: Processing Integrity and Availability

  2. INTRODUCTION • Questions to be addressed in this chapter include: • What controls ensure processing integrity? • What controls ensure that the system is available when needed?

  3. PROCESSING INTEGRITY • A reliable system produces information that is accurate, timely, reflects results of only authorized transactions, and includes outcomes of all activities engaged in by the organization during a given period of time. • Requires controls over both data input quality and the processing of the data. SYSTEMS RELIABILITY CONFIDENTIALITY PROCESSING INTEGRITY PRIVACY AVAILABILITY SECURITY

  4. Controls Ensuring Processing Integrity • Input • Process • Output

  5. Input Controls • Forms Design • Pre-numbered forms/ sequence test • Turnaround documents • Authorization and segregation of duties • Cancellation and storage of documents • Visual scanning

  6. Input Controls • Data Entry Controls (Edit checks) • Field check • Sign check • Limit check • Range check • Size (or capacity) check • Completeness check • Validity check • Reasonableness test • Check digit verification • Key verification

  7. Input Controls • The preceding tests are used for batch processing and online real-time processing. • Both processing approaches also have some additional controls that are unique to each approach.

  8. Batch Input Controls • Batch Processing • Input multiple source documents at once in a group • In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated. • Sequence check • Error log • Batch totals

  9. Batch Input Controls • Batch Totals • Compare input totals to output totals • Financial • Sums a field that contains monetary values • Hash • Sums a nonfinancial numeric field • Record count • The number of records in a batch

  10. Online Data Entry Controls • Additional online data entry controls • Online processing data entry controls include: • Automatic entry of data • Prompting • Closed-loop verification • Transaction logs • Error messages

  11. Processing Controls • Processing controls to ensure that data is processed correctly include: • Data matching • File labels • Recalculation of batch totals • Cross-footing balance test • Write-protection mechanisms • Concurrent update controls

  12. Output Controls • Careful checking of system output provides additional control over processing integrity. • Output controls include: • User review of output • Reconciliation procedures • External data reconciliation • Data transmission controls

  13. Output Controls • Data Transmission Controls • Two basic types of data transmission controls: • Checksums – hash of file transmitted, comparison made of hash before and after transmission • Parity checking

  14. Output Controls • Parity checking • Computers represent characters as a set of binary digits (bits). • For example, “5” is represented by the seven-bit pattern 0000101. • When data are transmitted some bits may be lost or received incorrectly. • Two basic schemes to detect these events are referred to as even parity and odd parity. • In either case, an additional bit is added to the digit being transmitted.

  15. AVAILABILITY • Reliable systems are available for use whenever needed. • Threats to system availability originate from many sources, including: • Hardware and software failures • Natural and man-made disasters • Human error • Worms and viruses • Denial-of-service attacks and other sabotage SYSTEMS RELIABILITY CONFIDENTIALITY PROCESSING INTEGRITY PRIVACY AVAILABILITY SECURITY

  16. Controls Ensuring Availability • Systems or information need to be available 24/7 • It is not possible to ensure this so:

  17. AVAILABILITY • Minimizing Risk of System Downtime • Loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce. • Organizations can take a variety of steps to minimize the risk of system downtime.

  18. AVAILABILITY • Preventive maintenance can reduce risk of hardware and software failure. Examples: • Cleaning disk drivers • Properly storing magnetic and optical media • Use of redundant components can provide fault tolerance, which enables the system to continue functioning despite failure of a component. Examples: • Dual processors • Arrays of multiple hard drives.

  19. AVAILABILITY • Risks associated with natural and man-made disasters can be reduced with proper location and design of rooms housing mission-critical servers and databases. • Raised floors protect from flood damage. • Fire protection and suppression devices reduce likelihood of fire damage. • Adequate air conditioning reduces likelihood of damage from over-heating or humidity. • Cables with special plugs that cannot be easily removed reduce risk of damage due to accidentally unplugging.

  20. AVAILABILITY • Surge protection devices provide protection against temporary power fluctuations. • An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely.

  21. AVAILABILITY • Training • Well-trained operators are less likely to make mistakes and more able to recover if they do. • Security awareness training, particularly concerning safe email and web-browsing practices, can reduce risk of virus and worm infection. • Patch management and antivirus software • Anti-virus software should be installed, run, and kept current. • Email should be scanned for viruses at both the server and desktop levels. • Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a machine that is isolated from the main network.

  22. AVAILABILITY • Recovery and Resumption of Normal Operations • Data backup procedures • Disaster recovery plan (DRP) • Business continuity plan (BCP)

  23. AVAILABILITY • Data Backup Procedures • Data need to be backed up regularly and frequently. • A backup is an exact copy of the most current version of a database, file, or software program. It is intended for use in the event of a hardware or software failure. • The process of installing the backup copy for use is called restoration.

  24. AVAILABILITY • A full backup is an exact copy of the data recorded on another physical media (tape, magnetic disk, CD, DVD, etc.) • Full backups are time consuming, so most organizations: • Do full backups weekly • Supplement with daily partial backups. • incremental backup- copy only data that changed since the last partial backup • differential backup – copy only data that changed from last full back-up

  25. AVAILABILITY • Whichever backup procedure is used, multiple backup copies should be created: • One can be stored on-site for use in minor incidents. • At least one additional copy should be stored off-site to be safe should a disaster occur

  26. AVAILABILITY • Disaster Recovery and Business Continuity PlanningObjectives: • Minimize the extent of the disruption, damage, and loss • Temporarily establish an alternative means of processing information • Resume normal operations as soon as possible • Train and familiarize personnel with emergency operations • Recovery point objective (RPO) • Recovery time objective (RTO)

  27. AVAILABILITY • Infrastructure Replacement • Major disasters can totally destroy an organization’s information processing center or make it inaccessible. • A key component of disaster recovery and business continuity plans incorporates provisions for replacing the necessary computing infrastructure, including: • Computers • Network equipment and access • Telephone lines • Office equipment • Supplies • It may even be necessary to hire temporary staff.

  28. AVAILABILITY • Organizations have three basic options for replacing computer and networking equipment. • Reciprocal agreements • Cold sites • Hot sites

  29. AVAILABILITY • Documentation • An important and often overlooked component. Should include: • The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented. • Assignment of responsibility for the various activities. • Vendor documentation of hardware and software. • Documentation of modifications made to the default configuration (so replacement will have the same functionality). • Detailed operating instructions. • Copies of all documentation should be stored both on-site and off-site.

  30. AVAILABILITY • Testing • Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans. • Most plans fail their initial test, because it’s impossible to anticipate everything that could go wrong. • The time to discover these problems is before the actual emergency and in a setting where the weaknesses can be carefully analyzed and appropriate changes made.

  31. AVAILABILITY • Insurance • Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans.

More Related