To say that risk analysis is an important issue is an understatement. It is difficult to quantify the losses suffered each year by businesses arising from the use and misuse of Information Systems (IS). In Ernst and Young's 1998 report Fraud: the unmanaged risk, the total losses experienced by 132 companies exceeded US$628 million, with over half of the respondents having been the victims of fraud during the year. Add to that the costs of virus infection, accidental and malicious damage and technical failures, and the total is staggering: conservative estimates start at around US$7.5 billion.
IS risk analysis is the process of:
- identifying potential causes of loss;
- designing and implementing controls to prevent them, and, should these fail;
- designing and implementing controls to detect any occurrences and to minimise their effect.
This article will identify and briefly describe the main risks that computer systems are exposed to and, for each of these risks, suggest some appropriate controls.
Unauthorised access from inside
According to some surveys, 84% of reported IS-related frauds were carried out by the companies' own employees, most often managers. Common examples include setting up ghost employees on payroll systems and changing delivery note details to divert goods to the employee's home address.
A job sensitivity analysis should be performed identifying roles where there is a higher than average potential for fraudulent transactions e.g., payroll supervisors, system supervisors.
Recruitment procedures for these roles should be particularly stringent, with at least two references and a criminal record check obtained. These staff should also be actively monitored, in particular for unusual behaviour. Long periods without holidays, a surprisingly lavish lifestyle (holiday destinations, car driven) or a tendency to regularly work late at night or at weekends when no other staff are around are good early indicators that a problem may exist. User logs maintained by the computer system, which record who logged on, when, and what they did, can be helpful in this review.
The next step is to ensure that only these reliable staff can access the system. This is usually achieved with a good password protection system, that is, one requiring passwords which are imaginative (not a name, a dictionary word or the user ID), chosen by the user, changed at regular intervals, not divulged to anyone else and not displayed on screen as they are typed. The system should store passwords only in hashed form, so that even a system supervisor reading the password file cannot recover them.
Passwords are often accompanied by a User ID, created by the system administrator and allocated to users. These restrict which parts of a system a user can access and what tasks (s)he can perform.
A typical User ID might have a pattern such as ACS-SNR-GM. The ACS denotes that the user can access the accounts system, SNR (for Senior) will restrict the tasks (s)he can perform (they might be able to inquire about employee wage rates but not be able to change them) and the final GM their initials, allowing a log to be kept that can differentiate between the accounts department's seniors.
The two play different roles: the password authenticates the person, that is, it proves that whoever typed the User ID is entitled to use it, while the rights attached to that User ID control what they can do once logged on. A correct password for the wrong ID, or a shared ID, defeats the second control and also makes the log useless for fixing responsibility on an individual.
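The separation described above, as an added example that is not part of the original article: authentication by salted, slow-hashed password, authorisation by the rights attached to the SYSTEM-LEVEL-INITIALS fields of the User ID, and an audit trail that records the individual. The ID pattern follows the article's ACS-SNR-GM example; the second level ("SPV"), the permission table, the user records and the PBKDF2 parameters are assumptions made here for illustration.

```python
"""Password authentication, User-ID-based authorisation and an audit log.

Added example (not from the article). The SYSTEM-LEVEL-INITIALS ID format
follows the article's ACS-SNR-GM pattern; the permission table, user records,
the "SPV" level and the PBKDF2 parameters are illustrative assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Rights attached to the first two fields of the ID (constructed table).
# The initials field carries no rights: it exists to tell individuals apart in the log.
PERMISSIONS = {
    ("ACS", "SNR"): {"inquire_wage_rate"},                      # senior: read only
    ("ACS", "SPV"): {"inquire_wage_rate", "change_wage_rate"},  # supervisor (assumed level)
}

PBKDF2_ROUNDS = 100_000  # assumption; tune to the hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salted slow hash is stored, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: User ID -> (salt, digest).
USERS = {
    "ACS-SNR-GM": hash_password("imaginative-not-dictionary-3!"),
    "ACS-SPV-JT": hash_password("a-different-long-phrase-7?"),
}

AUDIT_LOG = []  # in a real system this goes to write-once storage the users cannot edit


def parse_user_id(user_id: str) -> Tuple[str, str, str]:
    system, level, initials = user_id.split("-")
    return system, level, initials


def login(user_id: str, password: str) -> bool:
    """Authentication: does the password prove the claim to this User ID?"""
    record = USERS.get(user_id)
    if record is None:
        AUDIT_LOG.append(f"LOGIN FAIL unknown-id {user_id}")
        return False
    salt, expected = record
    _, digest = hash_password(password, salt)
    ok = hmac.compare_digest(digest, expected)  # constant-time comparison
    AUDIT_LOG.append(f"LOGIN {'OK' if ok else 'FAIL'} {user_id}")
    return ok


def authorise(user_id: str, action: str) -> bool:
    """Authorisation: is this action within the rights attached to the ID?"""
    system, level, _initials = parse_user_id(user_id)
    allowed = action in PERMISSIONS.get((system, level), set())
    AUDIT_LOG.append(f"ACTION {'OK' if allowed else 'DENIED'} {user_id} {action}")
    return allowed


if __name__ == "__main__":
    if login("ACS-SNR-GM", "imaginative-not-dictionary-3!"):
        authorise("ACS-SNR-GM", "inquire_wage_rate")   # allowed for a senior
        authorise("ACS-SNR-GM", "change_wage_rate")    # denied, and logged as such
    print("\n".join(AUDIT_LOG))
```

The denied attempt to change a wage rate is logged against GM's initials, which is exactly the trail the review in the previous section needs.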
Viruses
The recent hysteria surrounding viruses such as Melissa and Chernobyl probably does overstate their impact, but viruses can cause significant disruption, most commonly by slowing system performance through the high volumes of e-mail traffic they generate, and sometimes by corrupting or destroying data stored on fixed disks. They can be introduced innocently or deliberately, by your own staff or by third parties via e-mail.
Anti-virus software such as Dr. Solomon's Anti Virus Toolkit should be acquired, and updates loaded onto the system promptly as they are received, since a scanner only recognises the viruses in its current signature file.
Where there is an internet or e-mail connection a 'firewall' should be set up. Most often this is a separate computer placed between the internal network and the outside world, which inspects incoming data and decides whether it appears suitable for acceptance onto the main system. Typically it looks for files that are unusually large or have a specific filename or extension (such as .exe files). Any suspicious files are either returned to their sender or opened by a systems supervisor on a separate, isolated computer. Note that filtering on names and extensions is a coarse control: an attacker can rename or compress a file to evade it, so it complements the anti-virus scanner rather than replacing it.
Viruses are often transferred innocently by employees taking work from an infected home PC back to their office computer. This can be reduced by allowing the employee to reclaim the cost of anti-virus software for the home PC. Alternatively, the diskette drives on their work computers can be disabled. This has the effect of requiring data to be transferred via e-mail (where the firewall will intercept suspicious files) or by diskette, where the diskette can only be loaded, and simultaneously virus scanned, by a system supervisor.
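The screening step the article assigns to the 'firewall', as an added example rather than code from the article: a decision function for incoming attachments that quarantines executable extensions and unusually large files, and that also looks past the final extension, because 'invoice.doc.exe' and 'SETUP.EXE ' (upper case, trailing space) are the usual ways of slipping an executable past a filter that only compares the last lower-case suffix. The blocked-extension list, the size limit and the sample attachments are assumptions constructed here.

```python
"""Attachment screening for a mail gateway (the article's 'firewall').

Added example, not from the article. The blocked-extension list, the size
limit and the sample attachments are assumptions made here for illustration.
"""
from typing import Dict, Iterable, Tuple

BLOCKED_EXTENSIONS = {"exe", "com", "bat", "scr", "vbs", "pif"}  # assumed policy
MAX_SIZE_BYTES = 5 * 1024 * 1024                                 # assumed policy


def screen_attachment(filename: str, size_bytes: int) -> Tuple[str, str]:
    """Return ("accept" | "quarantine", reason) for one attachment.

    Normalisation comes first: strip surrounding whitespace and trailing dots
    or spaces, then lower-case, so 'SETUP.EXE ' is judged as 'setup.exe'.
    Every extension after the first dot is examined, not just the last one.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    extensions = parts[1:] if len(parts) > 1 else []

    blocked = [ext for ext in extensions if ext in BLOCKED_EXTENSIONS]
    if blocked:
        return "quarantine", f"executable extension: .{blocked[-1]}"
    if len(extensions) > 1:
        # Catches 'report.txt.vbs'-style tricks with an unknown final suffix;
        # it also catches legitimate compound names such as .tar.gz, which is
        # why quarantined files go to a supervisor rather than being dropped.
        return "quarantine", "double extension"
    if size_bytes > MAX_SIZE_BYTES:
        return "quarantine", f"unusually large: {size_bytes} bytes"
    return "accept", "ok"


def screen_all(attachments: Iterable[Tuple[str, int]]) -> Dict[str, Tuple[str, str]]:
    """Screen a batch of (filename, size) pairs; keyed by the original filename."""
    return {name: screen_attachment(name, size) for name, size in attachments}


# Constructed sample of one incoming message's attachments: (filename, size in bytes).
SAMPLE_ATTACHMENTS = [
    ("minutes.doc", 48_000),
    ("invoice.doc.exe", 120_000),
    ("SETUP.EXE ", 10_000),
    ("archive.tar.gz", 2_000),
    ("video.avi", 60 * 1024 * 1024),
]

if __name__ == "__main__":
    for name, (decision, reason) in screen_all(SAMPLE_ATTACHMENTS).items():
        print(f"{decision:10} {name!r}: {reason}")
```

The .tar.gz case shows the trade-off the article implies: a rule strict enough to stop renamed executables will also hold some legitimate files, so the supervisor's isolated machine is part of the control, not an afterthought.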
Unauthorised access from outside
In addition to increasing the risk of virus infection, the widespread acceptance and use of e-mail and the internet brings an increased risk of external access to systems, either to amend data or to obtain commercially sensitive information. A website from which you can download software (Back Orifice 2000, BO2K, from the Cult of the Dead Cow) that allows users to obtain remote control of another PC has now had more than 130,000 hits.
The control required depends on where the authorised outside access will come from. Where external access always comes from predictable locations, say the regional head office of a supermarket chain being contacted by one of the 50 stores in its region, a callback system is best (see diagram 1): the caller identifies itself, the system hangs up and dials back the telephone number it holds on file for that store, so a caller from anywhere else never gets a connection.
Where external access comes from unpredictable locations, say an audit practice allowing staff to dial in for e-mails from hotel rooms or client premises, the system cannot know the telephone number to make the return call to, and so a code generator system is used instead (see diagram 2). Each user carries a small token that displays a new one-time code on demand; the system holds the same secret as the token and will only accept a code it can reproduce, so an intercepted or reused code is worthless.
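The code generator exchange described above, as an added example that is not part of the article: the token side derives a one-time code from a shared secret and a counter, and the server side reproduces it, allows a small look-ahead window for codes generated but never used, and refuses replays. The HMAC-based one-time password algorithm (HOTP, RFC 4226) is used here to show the idea; this is an assumption about the token's scheme, since the products of the time used proprietary ones. The shared secret is the RFC's own published test value so the generator can be checked against the specification; the window size is illustrative.

```python
"""One-time code generator and server-side verifier (HOTP, RFC 4226).

Added example, not from the article. HOTP is assumed as the token's scheme
for illustration. The shared secret is RFC 4226's published test secret; the
look-ahead window is an illustrative choice.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side: HMAC-SHA1 over the 8-byte big-endian counter, then the
    RFC's dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class CodeVerifier:
    """Server side: holds the same secret, remembers the last counter it
    accepted, and looks at most `window` counters ahead (the user may have
    pressed the token button without completing a login). Anything at or
    below the last accepted counter is a replay and is refused."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # resynchronise; older codes are now dead
                return True
        return False


# RFC 4226 Appendix D test secret; counter 0 must give "755224".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = CodeVerifier(RFC_SECRET)
    token_display = hotp(RFC_SECRET, 0)
    print("token shows", token_display)
    print("first use accepted:", server.verify(token_display))
    print("replay accepted:   ", server.verify(token_display))
```

The verifier never transmits or stores the codes themselves; it recomputes them, which is why the secret must be protected at the server as carefully as the password file.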
Fire, flood and power
Lightning never strikes twice? I have worked for a company where, in a three month period, there were two separate lightning strikes, each knocking out the company's main transaction processing system. (The substantial above ground power and network cabling attracted the atmospheric electrical activity.)
Damage caused by fire and flooding is more common, and when these affect computer systems they cause substantial damage.
The main computer room should not be in the basement (flooding) but ground floor or higher. You can also learn from one New York company whose 42nd floor computer room was flooded – by a burst pipe. Do not place your computer underneath any air-conditioning units or water pipes.
The room should have at least one wall of fireproof glass – this visibility allows passing staff to detect any problems and also deters unauthorised access – and be equipped with smoke detectors and extinguishers suitable for electrical fires.
The main servers should be connected to the power supply through an Uninterruptible Power Supply (UPS).
UPSs have two purposes:
- to protect the computer from damage by electrical surges, such as those caused by lightning strikes on power supply cables;
- to provide a reserve of power sufficient for users to complete current processes and allow the system to be shut down properly in the event of a power failure.
Similar anti-surge devices are recommended for modems in the event of lightning striking phone lines.
Should the disaster prevention controls above fail, a disaster recovery plan ought to be in place. It needs to consider not just how to replace the lost hardware, software and data but how the company will continue until these are recovered.
Where systems are 'Mission Critical' there should be a full back-up system available which will allow the organisation to continue its operations. One UK bank estimated that if their Information Systems failed for just 30 minutes the loss of customer confidence would be so great that it would take them 20 years to win back enough new customers to replace the ones they had lost. As a result of this, that bank has designed a 'fault tolerant' system that, whilst very expensive, virtually guarantees undisrupted processing. (see diagram 3)
Back-up manual systems are often viable. British Airways have a paper alternative available should their check-in system at Heathrow Airport fail. Passengers are asked to check in at a specific desk, determined by their flight number. At that desk, the flight is represented by a cardboard seating plan of the particular aircraft. A label is peeled off this seating plan as each customer is allocated their seat, thus ensuring no seats are double booked and the plane is not overfilled.
Hardware recovery – stand-by agreements with hardware suppliers are recommended. For a monthly charge they will hold an appropriate server in stock to be used whilst a new server can be bought.
Data and software recovery – back-up software such as ArcServe is commonplace and available for less than £250. It automatically creates back-up tapes at specific points during the day or night, so the only staff effort required is to remove the tape from the drive and store it in a safe place away from the computer room. A back-up that has never been restored is an untested assumption: restores should be rehearsed periodically so that the tapes, the drive and the procedure are known to work before they are needed.
Off-site storage is also available where the data is backed up over phone lines to another location. This facility is available on the internet – for instance www.i-FileZone.com offer 10 MB of storage space, free of charge. Data sent to a third party's storage should be encrypted before it leaves the building, since the provider's staff and anyone who compromises the provider can otherwise read it.
Hardware and software faults
Faults in either hardware or software will obviously have a significant impact.
The processes covered in System Design – using methodologies such as SSADM, performing walk-through tests, conducting extensive testing during both design and implementation, and so on – are all relevant here as preventative controls.
Once the system is in operation, controls are also needed to ensure the system remains error free. The main emphasis of these controls is to ensure that only valid amendments can be made to software. Staff with the ability to amend software must be carefully recruited and supervised, and given access to amend software only when there is a valid, recorded reason. The amended software must be thoroughly tested to ensure it operates correctly. A final review, by someone other than the person who made the change, should ensure that all of the changes made were actually required and that no additional changes were made for ulterior motives.
Back-up copies of each version of the software must be kept so that when an error is identified a 'clean' version can be quickly recovered, and so that the current code can be compared against the last approved version to reveal any unauthorised change.
Errors by users
No matter how good the system installed, and no matter how well it is maintained, if staff are not using it correctly it isn't going to work.
Selecting and implementing user-friendly systems will eliminate many errors, as will good training, both during implementation and throughout the system's life.
The system should also have adequate input controls to ensure users are entering data correctly. These should combine a mix of error and exception controls.
- Error controls: These identify where data input is clearly wrong and will not be accepted for processing. Examples are:
  - format checks, where an account code must be six characters long to be accepted;
  - check digits, where stock item codes must match a mathematical pattern recognised by the computer; and
  - existence checks, where codes such as customer codes or account numbers must exist in the appropriate master files.
- Exception controls: These identify where input is unusual and so may be wrong. The operator is asked to reconsider the input and confirm if they believe it to be correct. Examples are:
  - deletion checks, the "Are you sure?" question when deleting files; and
  - range checks, where chargeable hours would be expected to fall within a certain range and a warning message is produced if the hours entered were, say, less than three or more than 80 in a week.
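The error and exception controls above, as an added example that is not code from the article: a validator for a constructed job-card record that rejects the input for format, check-digit and existence failures, but only flags an out-of-range hours figure for the operator to confirm. The six-digit account format and the 3 to 80 hours range come from the article; the weighted modulus-11 check digit scheme, the master files and the sample records are assumptions made here (the article names the control types but not these specifics).

```python
"""Input controls: error checks (input refused) and exception checks (input
flagged for the operator to confirm).

Added example, not from the article. The modulus-11 check digit scheme, the
master files and the sample records are assumptions; the six-digit account
format and the 3-80 hours range are the article's own examples.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed master files used by the existence checks.
CUSTOMER_MASTER = {"C00123", "C00456"}
ACCOUNT_MASTER = {"400100", "400200", "710050"}


def mod11_check_digit(body: str) -> str:
    """Weighted modulus-11 check digit: weights 2, 3, 4, ... from the right.
    A remainder of 10 is written 'X'. Catches single mistyped digits and
    transpositions of adjacent digits, the two commonest keying errors."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def valid_stock_code(code: str) -> bool:
    """A stock code is its numeric body followed by one check character."""
    return len(code) >= 2 and code[:-1].isdigit() and mod11_check_digit(code[:-1]) == code[-1]


@dataclass
class Result:
    errors: List[str] = field(default_factory=list)      # error controls: refused
    exceptions: List[str] = field(default_factory=list)  # exception controls: confirm

    @property
    def accepted(self) -> bool:
        return not self.errors


def validate_job_card(card: dict) -> Result:
    """Validate one constructed job-card record:
    {"account": str, "customer": str, "stock_code": str, "hours": float}."""
    r = Result()

    # Error controls: clearly wrong, never passed to processing.
    account = card.get("account", "")
    if not re.fullmatch(r"\d{6}", account):            # format check
        r.errors.append("account code must be six digits")
    elif account not in ACCOUNT_MASTER:                  # existence check
        r.errors.append("account code not on master file")
    if card.get("customer") not in CUSTOMER_MASTER:      # existence check
        r.errors.append("customer code not on master file")
    if not valid_stock_code(card.get("stock_code", "")):  # check digit
        r.errors.append("stock code fails check digit")

    # Exception controls: unusual, so the operator is asked "Are you sure?".
    hours = card.get("hours", 0)
    if hours < 3 or hours > 80:                          # range check
        r.exceptions.append(f"{hours} chargeable hours in a week looks unusual")
    return r


if __name__ == "__main__":
    good_code = "12345" + mod11_check_digit("12345")     # "123455"
    transposed = "21345" + good_code[-1]                 # two digits swapped at entry
    for stock in (good_code, transposed):
        res = validate_job_card({"account": "400100", "customer": "C00123",
                                 "stock_code": stock, "hours": 37.5})
        print(stock, "accepted" if res.accepted else res.errors, res.exceptions)
```

Keeping errors and exceptions in separate lists matters in practice: an exception must not block processing once confirmed, and an error must not be confirmable away by the operator who made it.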
Strikes
For companies that rely heavily on information systems (see the banking example above), a strike by a few key IT staff can have the same effect on the organisation as an 'all out' strike. Such strikes can also last far longer, because the striking employees can be 'paid' either by the remaining employees or by their trade union.
These key staff need to be identified and required to sign an employment contract with a 'No Strike' clause. They should be subject to regular appraisal interviews in which an assessment is made of whether any grievances affecting them might result in the withdrawal of their labour. If these cannot be resolved, then replacement staff, often more senior managers, need to be identified and trained.
Textbooks (and as a result exam answers) on this topic can be a bit unreal, with locked doors everywhere and guard dogs patrolling offices. However, the risks themselves are very real and practical, cost effective controls are required. These controls can easily be developed if you consider how both management and the computer system can prevent problems from occurring and from minimising their impact should they occur.