IT Controls Part I, Sarbanes-Oxley and IT Governance: Computer Center Security and Controls

Computer Center Security and Controls

Fires, floods, wind, sabotage, earthquakes, or even power outages can deprive an organization of its data processing facilities and bring to a halt those functions that are performed or aided by the computer. Although the likelihood of such a disastrous event is remote, the consequences to the organization could be serious. If a disaster occurs, the organization not only loses its investment in data processing facilities, but more importantly, it also loses its ability to do business.

The objective of this section is to present computer center controls that help create a secure environment. We will begin with a look at controls designed to prevent and detect threats to the computer center. However, no matter how much is invested in control, some disasters simply cannot be anticipated and prevented. What does a company do to prepare itself for such an event? How will it recover? These questions are at the heart of the organization’s disaster recovery plan. The next section deals specifically with issues pertaining to the development of a disaster recovery plan.

COMPUTER CENTER CONTROLS

Weaknesses in computer center security have a potential impact on the function of application controls related to the financial reporting process. Therefore, this physical environment is a control issue for SOX compliance. The following are some of the control features that contribute directly to computer center security.

Physical Location

The physical location selected for a computer center can influence the risk of disaster. To the extent possible, the computer center should be located away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.

Construction

Ideally, a computer center should be located in a single-story building of solid construction with controlled access (discussed in the following section). Utility (power and telephone) and communications lines should be underground. The building windows should not open. An air filtration system should be in place that is capable of excluding pollens, dust, and dust mites.

Access

Access to the computer center should be limited to the operators and other employees who work there. Programmers and analysts who occasionally need to correct program errors should be required to sign in and out. The computer center should maintain accurate records of all such events to verify the function of access control. The main entrance to the computer center should be through a single door, although fire exits with alarms are necessary. To achieve a higher level of security, closed-circuit cameras and video recording systems should monitor access.

Air Conditioning

Computers function best in an air-conditioned environment. For mainframe computers, providing adequate air-conditioning is often a requirement of the vendor’s warranty. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors can occur in computer hardware when temperatures depart significantly from this range. Also, the risk of circuit damage from static electricity is increased when humidity drops. High humidity, on the other hand, can cause molds to grow and paper products (such as source documents) to swell and jam equipment.

Fire Suppression

The most common threat to a firm’s computer equipment is fire. Half of the companies that suffer fires go out of business because of the loss of critical records, such as accounts receivable. The implementation of an effective fire-suppression system requires consultation with specialists. Some of the major features of such a system are listed below.

1. Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to a permanently staffed firefighting station.

2. There must be an automatic fire-extinguishing system that dispenses the appropriate type of suppressant (carbon dioxide or halon) for the location. For example, spraying water and certain chemicals on a computer can do as much damage as the fire.

3. There should be manual fire extinguishers placed at strategic locations.

4. The building should be of sound construction to withstand water damage that fire-suppression equipment causes.

5. Fire exits should be clearly marked and illuminated during a fire.

Fault Tolerance Controls

Fault tolerance is the ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error. Implementing redundant system components can achieve various levels of fault tolerance. Redundant disks and power supplies are two common examples.

Redundant arrays of independent disks (RAID) involve using parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
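The reconstruction described above can be seen in a small added example (not from the original text). It assumes single-parity XOR striping with a dedicated parity disk, as in RAID 4; the text does not name a RAID level, and the record, disk count, and block size are constructed for illustration.

```python
from functools import reduce

# Constructed sample record, not real data.
SAMPLE_RECORD = b"AR ledger: customer 1042 balance 1024.50 due 2024-04-01"

def xor_blocks(blocks):
    """XOR equal-length byte blocks column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def write_stripes(data, n_data_disks, block_size):
    """Stripe data over n data disks plus one parity disk (assumed RAID 4 layout).
    Returns a list of disks; each disk is a list of blocks."""
    stripe_len = n_data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_len)
    disks = [[] for _ in range(n_data_disks + 1)]
    for off in range(0, len(padded), stripe_len):
        blocks = [padded[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(n_data_disks)]
        for i, block in enumerate(blocks):
            disks[i].append(block)
        disks[-1].append(xor_blocks(blocks))  # parity = XOR of the data blocks
    return disks

def rebuild(disks, failed):
    """Reconstruct every block of one failed disk from the surviving disks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        # Single parity tolerates exactly one failure per stripe.
        raise ValueError("single parity cannot recover from two failed disks")
    return [xor_blocks(stripe) for stripe in zip(*survivors)]

def read_data(disks, length):
    """Reassemble the original bytes from the data disks (parity disk is last)."""
    stripes = zip(*disks[:-1])
    return b"".join(b"".join(stripe) for stripe in stripes)[:length]

def simulate_disk_failure(failed=1):
    """Lose one disk, rebuild it, and confirm the record reads back intact."""
    disks = write_stripes(SAMPLE_RECORD, n_data_disks=3, block_size=8)
    disks[failed] = None                     # the disk fails
    disks[failed] = rebuild(disks, failed)   # reconstructed from the others
    return read_data(disks, len(SAMPLE_RECORD)) == SAMPLE_RECORD

if __name__ == "__main__":
    print("record intact after rebuild:", simulate_disk_failure())
```

A second simultaneous failure raises an error instead of returning data, which is the business-risk question the auditor weighs when judging whether the RAID level in place is adequate.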

Uninterruptible power supplies help prevent data loss and system corruption. In the event of a power supply failure, short-term backup power is provided to allow the system to shut down in a controlled manner. Implementing fault tolerance control ensures that there is no single point of potential system failure. Total failure can occur only in the event of the failure of multiple components.

Audit Objectives Relating to Computer Center Security

The auditor’s objective is to evaluate the controls governing computer center security. Specifically, the auditor must verify that (1) physical security controls are adequate to reasonably protect the organization from physical exposures; (2) insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center; and (3) operator documentation is adequate to deal with routine operations as well as system failures.

Audit Procedures for Assessing Physical Security Controls

The following are tests of physical security controls.

TESTS OF PHYSICAL CONSTRUCTION. The auditor should obtain architectural plans to determine that the computer center is solidly built of fireproof material. There should be adequate drainage under the raised floor to allow water to flow away in the event of water damage from a fire in an upper floor or from some other source. In addition, the auditor should assess the physical location of the computer center. The facility should be located in an area that minimizes its exposure to fire, civil unrest, and other hazards.

TESTS OF THE FIRE DETECTION SYSTEM. The auditor should establish that fire detection and suppression equipment, both manual and automatic, are in place and are tested regularly. The fire-detection system should detect smoke, heat, and combustible fumes. The evidence may be obtained by reviewing official fire marshal records of tests, which are stored at the computer center.

TESTS OF ACCESS CONTROL. The auditor must establish that routine access to the computer center is restricted to authorized employees. Details about visitor access (by programmers and others), such as arrival and departure times, purpose, and frequency of access, can be obtained by reviewing the access log. To establish the veracity of this document, the auditor may covertly observe the process by which access is permitted.
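One way to run this review over an access log, as an added example that is not part of the original text. The log layout, names, observation list, and the `max_visits` threshold for "occasional" access are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample sign-in sheet (not real data).
SAMPLE_LOG = """name,time_in,time_out,purpose
A. Rivera,2024-03-04 09:10,2024-03-04 09:55,fix payroll abend
A. Rivera,2024-03-06 14:00,,fix payroll abend
B. Chen,2024-03-07 11:30,2024-03-07 11:50,
A. Rivera,2024-03-11 16:20,2024-03-11 17:05,patch AR report
A. Rivera,2024-03-12 08:45,2024-03-12 09:00,patch AR report
"""
# Constructed auditor observations: (name, time seen entering the computer center).
OBSERVED = [("A. Rivera", "2024-03-12 08:45"), ("C. Okafor", "2024-03-12 10:15")]

FMT = "%Y-%m-%d %H:%M"

def review_access_log(log_text, observed, max_visits=3):
    """Return a sorted list of (finding, name, detail) exceptions for follow-up."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    findings = []
    for r in rows:
        # Arrival and departure times: every sign-in needs a later sign-out.
        if not r["time_out"]:
            findings.append(("no sign-out", r["name"], r["time_in"]))
        elif datetime.strptime(r["time_out"], FMT) <= datetime.strptime(r["time_in"], FMT):
            findings.append(("departure not after arrival", r["name"], r["time_in"]))
        # Purpose of the visit must be recorded.
        if not r["purpose"].strip():
            findings.append(("no purpose recorded", r["name"], r["time_in"]))
    # Frequency: max_visits per review period is an assumed threshold.
    for name, count in Counter(r["name"] for r in rows).items():
        if count > max_visits:
            findings.append(("frequent access", name, f"{count} visits"))
    # Veracity: each observed entry should match a log line (exact match, simplified).
    logged = {(r["name"], r["time_in"]) for r in rows}
    for name, seen in observed:
        if (name, seen) not in logged:
            findings.append(("observed but not logged", name, seen))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, OBSERVED):
        print(finding)
```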

Tests of Fault Tolerance Controls

RAID. Many RAID configurations provide a graphical mapping of their redundant disk storage. From this mapping, the auditor should determine if the level of RAID in place is adequate for the organization, given the level of business risk associated with disk failure. If the organization is not employing RAID, the potential for a single point of system failure exists. The auditor should review with the system administrator alternative procedures for recovering from a disk failure.

POWER SUPPLIES BACKUP. The auditor should verify from test records that computer center personnel perform periodic tests of the backup power supply to ensure that it has sufficient capacity to run the computer and air-conditioning. These important tests and their results should be formally recorded.

Audit Procedures for Verifying Insurance Coverage

The auditor should annually review the organization’s insurance coverage on its computer hardware, software, and physical facility. The auditor should verify that all new acquisitions are listed on the policy and that obsolete equipment and software have been deleted. The insurance policy should reflect management’s needs in terms of extent of coverage. For example, the firm may wish to be partially self-insured and require minimum coverage. On the other hand, the firm may seek complete replacement-cost coverage.

Audit Procedures for Verifying Adequacy of Operator Documentation

Computer operators use documentation called a run manual to run certain aspects of the system. In particular, large batch systems often require special attention from operators. During the course of the day, computer operators may execute dozens of computer programs that each process multiple files and produce multiple reports. To achieve effective data processing operations, the run manual must be sufficiently detailed to guide operators in their tasks. The auditor should review the run manual for completeness and accuracy. The typical contents of a run manual include:

• The name of the system, such as “Purchases System”

• The run schedule (daily, weekly, time of day)

• Required hardware devices (tapes, disks, printers, or special hardware)

• File requirements specifying all the transaction (input) files, master files, and output files used in the system

• Run-time instructions describing the error messages that may appear, actions to be taken, and the name and telephone number of the programmer on call, should the system fail

• A list of users who receive the output from the run

Also, the auditor should verify that certain systems documentation, such as systems flowcharts, logic flowcharts, and program code listings, are not part of the operator’s documentation. For reasons previously discussed, operators should not have access to the operational details of a system’s internal logic.
