
The top section of Exhibit 4-5 lists eight IT controls related to authentication of users. These were described in the previous section as controls that can lessen the risk of unauthorized users gaining access to the IT system: user ID, password, security token, biometric devices, log-in procedures, access levels, computer logs, and authority tables. Consider the likely results if these controls were completely missing from an IT system: An unauthorized user could easily access data and programs he should not have access to, change data, record transactions, and perhaps even have a company check written directly to himself. Unauthorized users could be from inside or outside the organization. In addition, the lack of a user ID and password would mean that the company would be unable to determine which users accomplish which tasks. There would be no computer log of tasks accomplished by individual users.

There are several security risks resulting from unauthorized access. However, it is important first to understand the nature of unauthorized access. While the most common type of unauthorized access is probably by a person unknown to the organization, employees of the organization also may try to access data to which they do not need access to perform their job duties. For example, a person who works in an accounts receivable department has no need to access payroll data. Data within the organization should be protected from internal unauthorized access as well as from external access. Unauthorized access to the IT system can allow persons to browse through data that is beyond the scope of their job duties, alter data in an unauthorized manner, destroy data, copy the data with the intent to steal and perhaps sell to competitors, or record unauthorized transactions. Establishing log-in procedures that include user IDs, passwords, security tokens, access levels, biometric devices, and authority logs can help prevent or lessen these security risks. These are preventive controls. The computer log of attempted log-ins can be periodically reviewed to determine whether unauthorized access or any attempt to gain unauthorized access has occurred. The organization can then change policies or practices if necessary to prevent further unauthorized access. The computer log serves as a detective control to assist in the discovery of unusual log-in attempts.

Exhibit 4-5

| Control category | Controls | Security risks | Availability risks | Processing integrity risks | Confidentiality risks |
|---|---|---|---|---|---|
| Authentication of users | … Security token or smart card; Biometric devices; Login procedures; Access levels; Computer logs; Authority tables | … Destroy data; Steal data; Record nonexistent or unauthorized transactions | … Sabotage systems; Alter programs | … Record nonexistent or unauthorized transactions; Repudiate transactions | … Steal data |
| Hacking and other network break-ins | Firewall; Encryption; Security policies; Security breach resolution; Secure socket layers (SSL); Virtual private network (VPN); Wired equivalency privacy (WEP); Service set identifier (SSID); Antivirus software; Vulnerability assessment; Penetration testing; Intrusion detection | Person breaking in can: Browse data; Alter data; Destroy data; Steal data; Record nonexistent or unauthorized transactions | Person breaking in can: Shut down systems; Shut down programs; Sabotage systems; Alter programs; Insert virus or worm that interrupts or slows operations | Person breaking in can: Alter data; Alter programs; Record nonexistent or unauthorized transactions; Insert virus or worm that alters or destroys data | Person breaking in can: Browse data; Destroy data; Steal data |
| Environmental | Temperature, humidity controls; Fire, flood, earthquake controls; Uninterruptible power supplies; Emergency power supplies | | Environmental problems can: Shut down systems; Shut down programs | Environmental problems can: Cause errors or glitches; Cause loss or corruption of data due to power loss | |
| Physical access | Card key; Operating system configuration tables; Hardware configuration tables | Unauthorized intruder can: Change user access levels | Unauthorized intruder can: Shut down systems; Sabotage or destroy systems; Insert virus or worm | Unauthorized intruder can: Shut down programs; Sabotage programs; Insert virus or worm | Unauthorized intruder can: Browse data; Destroy data; Steal data |
| Business continuity | Disaster recovery plan; Backup data; Offsite backup | Improper handling of backup data can: Cause unintended access to data | System interruptions can: Shut down systems | System interruptions can: Cause errors or glitches; Result in incomplete data | Improper handling of backup data can: Cause unintended access to data |

General Controls from an AICPA Trust Services Principles Perspective (Study Objective 3)

Availability risks must be assessed and controlled by authentication of user controls. Once a person gains unauthorized access, it is conceivable that he may tamper with the IT system in a manner that may shut down systems and/or programs. These interruptions would obviously make the system or program temporarily unavailable for its intended use. An unauthorized user could also sabotage an IT system by inserting malicious program code to be triggered later. For example, suppose Company XYZ fires a disgruntled programmer, but fails to revoke the user ID and password immediately. Before that programmer cleans out his office and leaves, he may insert into the system some malicious instructions that erase the accounts receivable files during its next regularly scheduled run. Many years ago, this happened to a company; it was unable to recover the files and eventually filed for bankruptcy. This type of malicious code can be triggered by a particular date, a scheduled run, or another set of system circumstances. In addition, the unauthorized user may simply change the program itself. Lessening the chance of unauthorized access through authentication controls can help prevent these availability risks. The computer log would assist in tracing the person responsible for shutting down systems and programs, sabotaging systems, or altering programs.

Processing integrity can be compromised without adequate authentication controls. Processing integrity refers to the accuracy, completeness, and timeliness of the processing in IT systems. If unauthorized users access the IT system, they could alter data to change the results of processing. This could occur prior to the transaction being processed, during processing, or after the processing is complete. In all three cases, the accuracy or completeness of processing would be affected. For example, after a sale has been processed, an unauthorized user could delete the amount due to the company in the accounts receivable record. The unauthorized user could also alter programs to affect the results of processing. An unauthorized user might change program instructions to automatically double the hours worked for a particular person every time a payroll check is written for that person. Unauthorized users are sometimes able to circumvent other controls and insert transactions that are fictitious or unauthorized.

Another processing integrity risk is repudiation of real transactions. After a sales transaction has been processed, it may be possible for an unauthorized user to erase traces of the transaction and claim that they do not owe money to the company. Attempting to limit unauthorized users through log-in and authentication controls helps reduce the chances of these risks occurring. Computer logs may facilitate tracing of the alteration of data or unauthorized transactions to the responsible person.

Confidentiality risk, or the risk of confidential data being available to unauthorized users, can occur if authentication controls are weak. An unauthorized user who gains access can browse, steal, or destroy confidential data. Improving authentication and log-in controls helps limit the chances of confidentiality risks. Computer logs can assist in detecting such compromises of data and in tracing them to the responsible person.

Proper use of authentication controls and computer logs can help limit all four categories of these risks. As is always true, these risks cannot be eliminated, but they can be reduced by the use of appropriate controls. Each organization should assess the level of these risks and apply the controls that are cost beneficial for their system.
