
3. POLICY AND CONTROL STANDARDS

3.1 General

Top management should establish the overall policy for protecting the organization's data processing systems and should specify the control standards to be employed. It should require an effective system of controls and secure the funding necessary to establish and maintain such controls.

3.2 Assessing security safeguards

Top management must establish policies to assure periodic assessment of the security of its data processing systems. The policies should provide for assessing the sensitivity of each computer application and the vulnerability of each computer installation and related communication systems.

To effectively distribute security resources according to the amount of risk, top management should adopt the risk-management concept for assessing the vulnerability of its data processing systems. That is, the investment of security resources should be based on a formal assessment of the resources to be protected, the controls that are presently in place, and any gaps in security. Perfect security is generally regarded as unattainable. Accordingly, risk analysis, as advocated by the National Bureau of Standards in its publication "Guidelines for Automated Data Processing Physical Security and Risk Management," has considerable merit. Risk management is required by the Office of Management and Budget in Circular A-71.

3.3 Establishing control standards

Suitable guidelines for the protection of the integrity of data in data processing systems are identified in "The Auditor's Study and Evaluation of Internal Control in EDP Systems," published by the AICPA. These standards are endorsed by the workshop. In brief, these 19 standards are as follows.

1. Functions between the EDP departments and users should be segregated.

2. Persons within the EDP department should not be allowed to originate or authorize transactions, have custody over non-EDP assets, or originate master file changes.

3. Functions within the EDP department must be properly segregated.

4. The procedures for systems design, including the acquisition of software packages, should require active participation by representatives of the users and, when appropriate, the accounting department and internal auditors.

5. Each system should have written specifications which are reviewed and approved by an appropriate level of management and applicable user departments.

6. System testing should be a joint effort of users and EDP personnel and should include both the manual and computerized phases of the system.

7. Final approval should be obtained prior to placing a new system into operation.

8. All master file and transaction file conversions should be controlled to prevent unauthorized changes and to provide accurate and complete results.

9. After a new system has been placed in operation, all program changes should be approved before implementation to determine whether they have been authorized, tested, and documented.

10. Management should require various levels of documentation and formal procedures to define the system at appropriate levels of detail.

11. The control features inherent in the computer hardware, operating system, and other supporting software should be utilized to the maximum extent to provide control over operations and to detect and report hardware malfunctions.

12. Systems software should be subjected to the same control procedures as those applied to the installation of and changes to application programs.

13. Access to program documentation should be limited to those persons who require it to perform their duties.

14. Access to data files and programs should be limited to those individuals authorized to process or maintain particular systems.

15. Access to computer hardware should be limited to authorized individuals.

16. A control function should be responsible for receiving all data to be processed, for ensuring that all data is recorded, for following up on errors detected during processing to see that they are corrected and resubmitted by the proper party, and for verifying the proper distribution of output.

17. A written manual of systems and procedures should be prepared by all computer operations and should provide for management's general or specific authorization to process transactions.

18. Internal auditors or some other independent group within an organization should review and evaluate proposed systems at critical stages of development.

19. On a continuing basis, internal auditors or some other independent group within an organization should review and test computer processing activities.

3.4 Require a plan to implement controls

Top management should require the assistant secretary to develop a plan for implementing the controls. This plan should also contain contingency plans to ensure continuity of operations if a loss should occur. The assistant secretary should be responsible for periodically reporting on implementation of the plan.

3.5 Establish personnel security policies

Top management should require the assistant secretary to establish personnel security policies for those employees who deal with its automated information systems. The policy should provide for screening all individuals participating in the design, operation, or maintenance of computer systems. The level of screening required by these policies should vary from minimal checks to full background investigations commensurate with the sensitivity of the data to be handled and the risk and magnitude of loss or harm that could be caused by the individual.

4. ALLOCATE RESOURCES

4.1 General

Top management must secure and allocate the funds and people needed to enable its policy and control standards to be implemented. It must also secure and allocate the resources to enable its prescribed controls to be periodically tested to determine that they are functioning. Top management must also secure and allocate the resources to periodically make a risk analysis of the security of its data processing systems. Fund and staff allocations to staff and line management should be based on the recommendations of the assistant secretary.

5. REPORT ON SECURITY

5.1 General

Top management should require the assistant secretary to periodically report on security. Among other things, the report should state the results of vulnerability assessments and highlight any potential risks which are not provided full protection.


From left to right: Carl Williams, Keith O. Dorricott, Robert Campbell, Richard D. Webb, (Richard Canning, Coordinator of Sessions), Lance Hoffman, Harry Robinson, Stanley Jarocki.

Note: Titles and addresses of attendees can be found in Appendix B.

EDITOR'S NOTES

RICHARD D. WEBB

Mr. Richard D. Webb is a Manager and Senior Computer Audit Specialist in the Executive office of Peat, Marwick, Mitchell & Co.

He has designed and implemented audit software packages and has been a financial and cost accounting systems consultant. Mr. Webb is a Certified Public Accountant (IL and NY) and a member of the American Institute of Certified Public Accountants, where he is a member of the Computer Services Executive Committee. He is also chairman of the Task Force that prepared the forthcoming AICPA guideline "Controls over Using and Changing Computer Programs" and is a member of the "Computer Assisted Audit Techniques Audit Guide" project team. Mr. Webb also chaired the Audit Software Specifications Task Force and was a member of the task forces that produced the audit guides "The Auditor's Study and Evaluation of Internal Controls in EDP Systems" and "Audits of Service Center Produced Records." He is a member and a former Director and Vice President of the New York Chapter of the EDP Auditor's Association and a member of the New York State Society of CPAs. Mr. Webb received his BS in accounting from the University of Minnesota.

THE CHARGE TO THE GROUP

This group addressed the question of managerial and organizational vulnerabilities and countering controls for the line level unit for Data Processing. [See PART I, Section 2 for the complete charge given to this group.] The functional areas of Operations, System Control, and Data Administration were assumed to exist within this unit and the System Control area was discussed under the three functional subunits: Application Interface, Internal Control, and Hardware Support.

The paper that follows is the consensus view of the group.
