Are you working in a safe den?

Sabotage is no laughing matter. Do you know how safe your company’s secrets are?

Electronic theft. Imagine a scenario just like any other robbery…

The hacker breaks into your system, finds something he wants, and downloads it to his own computer. In most cases you retain your copy of the data, but now someone else has it as well. Is that so bad? Ask the folks at CD Universe, an Internet music retailer based in Wallingford, Conn. Last December someone describing himself as a 19-year-old Russian broke into their systems, copied an estimated 300,000 credit-card numbers, and demanded a $100,000 ransom for their return. When CD Universe refused to pay the money, the hacker posted as many as 25,000 of the numbers on a public Web site. A direct blow to the very existence of your business, isn’t it?

Even Microsoft was not spared.

Microsoft has been the victim of several occurrences of internal sabotage in which software programs contained “Easter Eggs”. One of the most famous occurred in a version of Microsoft Word: if you typed “I’d like to kill Bill Gates”, highlighted the text and chose the thesaurus, the suggested alternative was “I’d drink to that”. This sounds comical, but the implications may be devastating.

Therefore you cannot get security out of the box…

Security is not something you find in a glossy magazine, buy and install, and then forget all about. It extends beyond the realm of the information systems department. It needs to be nurtured, grown and permeated throughout the organisation.

Everybody in the company knows that accounting system data is the most important asset of an organisation, yet many companies do not take proper steps to safeguard these systems.

Therefore, it is the primary responsibility of the IT auditor to work closely with the IT team, identify the various possible risks and develop strategies to cope with them. A security programme must be developed that provides regular appraisal and evaluation of installation security. Common security measures such as system passwords, firewalls and the monitoring of workstations are a must. It is the duty of the auditor to see that such safety measures are incorporated and reviewed in a timely manner.

Major security issues need to be addressed.

Q 1. How do you ensure Data Integrity?

Answer: Without data integrity being maintained, an organisation cannot have a true representation of itself or of real-world events. The value of a data item depends on the value of its information content and the extent to which the data is shared. However, there is no fail-safe way of ensuring the accuracy of data entered. Most systems lack “correlation edits”, i.e. they do not correlate one piece of data with another to screen out input that doesn’t make sense. Certainly, you can customise your system to screen bad data, but the extent of customisation should be kept under control or it may cause problems when the system is upgraded.

Work with your IT department to implement a “scrubber” program. This program runs at night and generates an exception report of things that don’t make sense. This can be used to filter out data that could corrupt your system.
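As an added illustration of the scrubber idea (this is example code, not anything from the article or from a real product), the script below applies three correlation edits to a constructed batch of invoice postings and produces the exception report a reviewer would read the next morning. The record layout, field names and customer master are assumptions made for the example.

```python
"""Nightly 'scrubber' with correlation edits (added example; not from the article).

Each rule cross-checks one field against another, so a value that looks valid
on its own but makes no sense in combination is flagged. The records and the
customer master below are constructed sample data.
"""
from datetime import date

# Constructed customer master: the only customer IDs the system should accept.
CUSTOMER_MASTER = {"C001", "C002", "C003"}

# Constructed nightly batch of invoice postings; field names are assumptions.
INVOICES = [
    {"id": "INV-1", "customer": "C001", "qty": 10, "unit_price": 2.50,
     "amount": 25.00, "order_date": date(2003, 3, 1), "ship_date": date(2003, 3, 3)},
    {"id": "INV-2", "customer": "C002", "qty": 4, "unit_price": 99.00,
     "amount": 396.00, "order_date": date(2003, 3, 2), "ship_date": date(2003, 2, 28)},
    {"id": "INV-3", "customer": "C999", "qty": 1, "unit_price": 10.00,
     "amount": 10.00, "order_date": date(2003, 3, 2), "ship_date": date(2003, 3, 2)},
    {"id": "INV-4", "customer": "C003", "qty": 3, "unit_price": 20.00,
     "amount": 6000.00, "order_date": date(2003, 3, 4), "ship_date": date(2003, 3, 5)},
]


def rule_amount_matches_lines(rec):
    """Amount must equal quantity times unit price (to the cent)."""
    expected = round(rec["qty"] * rec["unit_price"], 2)
    if round(rec["amount"], 2) != expected:
        return f"amount {rec['amount']:.2f} != qty*price {expected:.2f}"
    return None


def rule_ship_after_order(rec):
    """Goods cannot ship before they were ordered."""
    if rec["ship_date"] < rec["order_date"]:
        return f"ship_date {rec['ship_date']} precedes order_date {rec['order_date']}"
    return None


def rule_known_customer(rec, master=CUSTOMER_MASTER):
    """Customer ID must exist in the master file."""
    if rec["customer"] not in master:
        return f"unknown customer {rec['customer']}"
    return None


RULES = [rule_amount_matches_lines, rule_ship_after_order, rule_known_customer]


def scrub(records, rules=RULES):
    """Run every correlation edit over every record.

    Returns the exception report as a list of (record id, rule name, detail)
    tuples; records that pass all rules produce no entry.
    """
    report = []
    for rec in records:
        for rule in rules:
            detail = rule(rec)
            if detail is not None:
                report.append((rec["id"], rule.__name__, detail))
    return report


def format_report(report):
    """Render the exception report as the lines a reviewer would read."""
    return [f"{rid}\t{rule}\t{detail}" for rid, rule, detail in report]


if __name__ == "__main__":
    for line in format_report(scrub(INVOICES)):
        print(line)
```

Each rule lives in its own small function so the IT department can add or retire an edit without touching the others, and the report names the rule that fired, which is what the auditor needs when deciding whether a flagged record is a keying error or something worse.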

Q 2. How to check unauthorised system access?

Answer: Systems fraud occurs when someone uses another user’s ID and password to log on to the system. Surprisingly, accounting and HR systems do not have an automatic lockout feature that blocks a user who fails to enter the proper password three times in a row.

Have your IT audit team develop an automatic lockout feature for your system that can prevent access by an unauthorised user.
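The lockout mechanism recommended above, as an added example that is not the article’s own code: an in-memory guard that counts consecutive failed logins per user, locks the account on the third failure, resets the counter on success, and releases the lock after an assumed window. User names, passwords, the 15-minute window and the injectable clock are all constructed for the example.

```python
"""Automatic lockout after three consecutive failed logins (added example).

Not the article's code: a minimal in-memory policy showing the mechanism the
answer above recommends. Usernames, passwords and timings are constructed.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 3           # the third consecutive failure locks the account
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window


def make_credential(password):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_credential(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class LockoutGuard:
    """Tracks consecutive failures per user and refuses logins while locked."""

    def __init__(self, credentials, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS):
        self.credentials = credentials      # user -> (salt, digest)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}                  # user -> consecutive failure count
        self.locked_until = {}              # user -> time the lock expires
        self.events = []                    # audit log of (time, user, outcome)

    def login(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'; 'now' is injected for testability."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            self._log(now, user, "locked")
            return "locked"
        if until is not None:
            # Lock window has expired: clear the lock and the counter.
            del self.locked_until[user]
            self.failures.pop(user, None)

        cred = self.credentials.get(user)
        # An unknown user counts as a failed attempt too.
        ok = cred is not None and check_credential(password, *cred)
        if ok:
            self.failures.pop(user, None)   # success resets the counter
            self._log(now, user, "ok")
            return "ok"

        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self._log(now, user, "locked")
            return "locked"
        self._log(now, user, "denied")
        return "denied"

    def _log(self, now, user, outcome):
        self.events.append((now, user, outcome))


def demo():
    """Scenario: three wrong passwords lock 'alice'; the lock expires later."""
    guard = LockoutGuard({"alice": make_credential("correct horse")})
    outcomes = [guard.login("alice", "wrong", t) for t in (0, 1, 2)]
    outcomes.append(guard.login("alice", "correct horse", 3))   # right password, still locked
    outcomes.append(guard.login("alice", "correct horse", 3 + LOCKOUT_SECONDS))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the auditor: the guard refuses even the correct password while the lock is in force (otherwise a guesser simply keeps trying until one attempt lands), and every outcome is appended to an event list, so the lockout feature also feeds the audit trail discussed in the next question.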

Q 3. How to beef up audit trails?

Answer: An audit trail is a system of recording or tracing the path of data, and can be used to trace the person or the transaction responsible for a particular piece of data. This enhances system security by keeping track of who is entering your system and what they are doing.

The IT auditor should go through the system, choose specific fields and turn the audit function on for those fields. Turn on one field; if that doesn’t degrade performance, turn on a few more. The idea is to prioritise what needs to be audited. Alternatively, “journal logs” can be used.
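The field-by-field approach above, together with the journal log described in the footnotes, as an added example (not code from the article): updates are journalled only for the fields the auditor has turned on, each entry records who changed what and when with the before-and-after values, and the journal can roll a current record back to its image at an earlier time. The payee record, users and timestamps are constructed.

```python
"""Field-level audit trail with before-and-after images (added example).

Not from the article. Audits only the fields the auditor chose, records who
changed what and when, and keeps a journal from which the earlier image of a
record can be reconstructed. Records, users and timestamps are constructed.
"""
from datetime import datetime


class Journal:
    """Append-only log of (when, who, record id, field, before, after)."""

    def __init__(self):
        self.entries = []

    def append(self, when, who, record_id, field, before, after):
        self.entries.append((when, who, record_id, field, before, after))

    def changes_to(self, record_id):
        return [e for e in self.entries if e[2] == record_id]

    def image_before(self, record, record_id, when):
        """Roll a current record back to its state before 'when' by undoing later changes.

        Only audited fields can be rolled back; unaudited fields keep their
        current value because the journal never saw them change.
        """
        image = dict(record)
        for entry in reversed(self.changes_to(record_id)):
            if entry[0] >= when:
                image[entry[3]] = entry[4]      # restore the 'before' value
        return image


def audited_update(record, changes, who, when, audited_fields, journal):
    """Apply 'changes' to 'record'; journal only the fields the auditor turned on."""
    for field, new_value in changes.items():
        old_value = record.get(field)
        if old_value == new_value:
            continue
        if field in audited_fields:
            journal.append(when, who, record["id"], field, old_value, new_value)
        record[field] = new_value
    return record


def demo():
    """Auditor starts with one sensitive field, then adds another once performance is fine."""
    journal = Journal()
    audited = {"bank_account"}
    payee = {"id": "P-100", "name": "Acme Supplies", "bank_account": "111-222", "notes": ""}
    audited_update(payee, {"bank_account": "999-888", "notes": "urgent"}, "jsmith",
                   datetime(2003, 5, 1, 9, 0), audited, journal)
    audited.add("name")
    audited_update(payee, {"name": "Acme Supplys Ltd"}, "jsmith",
                   datetime(2003, 5, 1, 9, 5), audited, journal)
    before = journal.image_before(payee, "P-100", datetime(2003, 5, 1, 9, 0))
    return payee, journal, before


if __name__ == "__main__":
    payee, journal, before = demo()
    for entry in journal.entries:
        print(entry)
    print("image before 09:00:", before)
```

Notice what the reconstructed image does and does not show: the bank account and name come back, but the `notes` field stays at its current value because it was never audited. That gap is exactly why the auditor prioritises which fields to switch on, starting with the ones a fraudster would most want to alter.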

Can you be sure of making your systems 100% hacker-proof?

Despite the technological controls you build, you can never be 100% sure, as hackers keep one step ahead of security technology. That doesn’t mean you stop working towards it.

Related Reading:

“Steps to take today to fraud-proof your information systems”, Preventing Business Fraud, January 01, 1999.
“Potential of E-commerce and Ramifications for IT Audit”, Jagdish Pathak, www.isaca.org

Footnotes

“Easter Eggs”: An unexpected surprise message, sound or game that a developer has inserted into the program code.
“Journal Logs”: A database that captures every change and gives an image of before-and-after events. These programs are run at night so that they don’t affect system performance.



© Copyright 2003 C & K Management Limited