Project Quality and Compliance
There are regulatory rules that must be met as well as organizational policy directives from management that must be implemented. Additionally, there are actions by outsiders (such as hackers) or by insiders (such as those with particular departmental or personal priorities that conflict with management’s objectives) that must be prevented.
As a result, compliance can be considered to fall into three general categories:
1. Regulatory: Mandated actions from outside governmental/regulatory agencies
2. Procedural/Policy: Mandated actions from (inside) management
3. Security: Prevention of the actions of outsiders and insiders attempting to enhance personal interests that are in conflict with owners’ (stockholders’ or the public’s) best interests
In some cases, categories 2 and 3 may overlap, such as when the actions of management are not in the best interests of the organization. An example of this would be a CEO who treats the company’s funds as her own personal piggy bank or a government official who uses public funds for personal gain. For example, consider the actions of former CEO Dennis Kozlowski at Tyco, who threw lavish parties (costing over $200 million) with company funds, and the actions of former Maryland governor Spiro Agnew, who took kickbacks on government contracts.
REGULATORY COMPLIANCE
The IT department—since it is primarily a service department—has very few direct governmental rules that apply to its own operations. However, IT management does have to concern itself with any area that relies on data integrity or information process quality.
Five areas that fall into this category are:
1. The finance department, which is concerned with taxes, internal control over financial statements, and proper recording of costs and revenue recognition
2. The human resources department, which must protect confidential personal information, such as Social Security numbers and health information, and which must safeguard fingerprint or security clearance data
3. The engineering department, which must protect new patents or innovative technology
4. The manufacturing department, which must protect secrets regarding proprietary processes for manufacturing and/or establishing high-level quality products that exceed competitors’ capabilities
5. The legal department, which may be involved in high-stakes negotiations or lawsuits
In most cases, IT regulatory compliance involves solely data protection. However, it may, in rare cases, involve establishing the processes that ensure such data protection is afforded to the appropriate other departments. One example of this is the recent IT audit requirements that exist as part of the Sarbanes-Oxley Act of 2002.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 (also known as SOX) was implemented by Congress in response to the fraudulent financial reporting at both Enron and WorldCom at the end of the dot-com boom period of 1999 to 2001. The collapse of these two firms led to a law requiring that large businesses enact very detailed processes to ensure that the financial reporting processes, including the IT processes surrounding financial reporting, were designed such that top management would be directly responsible for any irregularities and could not blame such irregularities on the actions of lower-level management or staff-level positions.
The actions of this law were quite successful and led to a major overhaul and improvement in the integrity of firms’ financial statements. Unfortunately, SOX regulations were designed to apply specifically to manufacturing and service firms, but exempted financial firms and brokerages if they were already subject to the restrictive covenants of banking and securities laws. As we now know, these banking and securities laws seemed very conservative, restrictive, and were continually monitored—but in reality, they ignored many of the exact same problems (such as the creation of exotic derivatives and overextension of debt leverage) that had led to the problems at Enron and WorldCom. As a result, in late 2008 and on through 2009, the world suffered a major economic downturn that was largely the result of financial firms (and their clients) being overextended in the credit and debt markets. One estimate put the size of this collapse at the equivalent of $66 trillion. Banks failed at rates not seen since the Great Depression of the 1920s and 1930s, and, as of the time of the writing, the economic depression is still very much affecting worldwide economies negatively.
Many critics state that SOX and any regulatory rules cost companies money and thus negatively affect the companies’ economic activity and profit-making capabilities. This complaint brings into question the need of any company to do anything besides make profit. My argument is that even if a company does not have a requirement to contribute to the betterment of its community or be fair to its customers, it still has a commitment to its shareholders to properly report its operating results—and most regulatory rules, such as Securities and Exchange Commission reporting requirements and SOX, are designed primarily with shareholders in mind.
PROCEDURAL/POLICY COMPLIANCE
A second compliance issue for IT is how to help management achieve its objectives. This is the area referred to as procedural/policy compliance.
Whether the organization is a for-profit firm, a nonprofit private entity, or a public governmental entity, the IT department has three primary purposes as part of procedural/policy compliance. IT must ensure that:
1. The organization’s assets are used for improving the organization’s value or the value of its owners (which may include the public when the organization is a governmental entity).
2. All assets (including those of human capital) are able to perform at top efficiency.
3. Data are recorded to determine how effective the organization is at achieving purposes 1 and 2.
In the past, organizations often thought that they were performing their activities well, without recognizing the many actions that IT could perform more quickly and the extra data analysis and oversight that IT resources could provide to determine the true effectiveness of the organization’s activities. Nowadays, most organizations have adopted at least some of these new processes, and the automation of the improved processes has demonstrated the many review and analysis possibilities that IT offers.
SECURITY
One of today’s key concerns is that modern hardware and software configurations be designed such that software assets are maintained intact and not corrupted by inadvertent or deliberate unauthorized changes. This is one of the primary reasons why companies use standard frameworks and comply with suggested regulatory standards such as ISO20000, Control Objectives for Information and Related Technology (COBiT), and the Basel Accords. It is also the reason that they use Six Sigma methodologies in reviewing system designs and/or system deficiencies.
Most of these frameworks and methodologies are designed not only to detect unauthorized changes but also to streamline existing processes and operational methodologies. By so doing, they establish operational compliance as a by-product, ensuring that the IT organization is meeting corporate and regulatory requirements for the protection of the corporation’s valuable information. Vulnerability assessments are a standard part of such regulatory standards, and there are systematic programs available for such assessments as well as standard auditing techniques. Some of the things that should be considered in a compliance audit of a web site include:
Backup Controls
1. Ensure that physical security, including environmental and life safety controls, is in place at the hardware site running the Web application.
2. Ensure that network availability and data backup are assured by using component failure architectures that repair themselves, such as RAID, tape or compact disc jukeboxes, Bernoulli boxes, or other similar backup media.
3. Review disaster recovery and business interruption plans for the web site, focusing on whether the alternate plan has been tested for validity and readiness.
E-Commerce Controls
1. Ensure that IT is using a set of security mechanisms and procedures, which, taken together, constitute a security architecture—for example, Internet firewalls, public key infrastructure, encryption, certificates, and password management (including nonstatic passwords).
2. Ensure that the firewall mechanisms in place can mediate between the public network (the Internet) and an organization’s private network.
3. Ensure that the web site is using a combination of public and private key encryption to guarantee a unique and positive identification of the user.
4. Ensure that digital signatures are being used.
5. Ensure that certificates are being used—including certificate authority, registration authority, certification revocation list, and a certification practice statement.
6. Ensure that logs of the e-commerce portion of the web site are being monitored by responsible personnel on a regular basis. This includes operating system logs, console messages, network management messages, firewall logs and alerts, router management messages, intrusion detection alarms, application and server statistics, and system integrity checks.
7. Ensure that the system has a method, such as SSL (Secure Sockets Layer), to guarantee confidentiality of data.
System and Transaction Controls
1. Check on the ability of the system to counteract vulnerabilities, such as instituting countermeasures to traffic/trend analysis on the part of intruders (e.g., padding messages, sending noise, and providing covert channel analysis).
2. Ensure that hardware controls, such as elimination of unused maintenance accounts, are in place.
3. Test that existing employees have been screened for security and that measures are in place to ensure that they are not using data scavenging techniques to piece together information from bits of data.
4. Check the system logs to ensure that the IT administrators are not taking advantage of initial program load (IPL) vulnerabilities by putting the system into a single-user mode during web site start-up.
5. Review data traffic patterns to ensure that neither existing personnel nor intruders are using network address hijacking to reroute data traffic from a server or network device to a personal machine.
6. Follow sample transactions all the way through the system by use of audit trails to ensure that all the various security events relating to the transaction are taking place; to ensure that the terminal at which the transaction was processed (if internal) is one that is authorized for such a transaction; to look for production job reruns and amendments to production jobs; and to look for computer programmer changes to live production data.
Data Library Procedures
1. Ensure that utility software (used for data correction of inconsistencies on an automated basis) is restricted on a need-to-use basis and that a log is generated whenever this utility is used.
2. Review the check-in and check-out of standard code for the web site to ensure that it is not being reviewed by unauthorized individuals or by those not involved in the web site code process.
System Development Standards
1. Ensure that run-to-run totals of key fields are used and compared to detect alterations between the postings reported by the web site and the postings to the general ledger based on actual sales booked and monies received.
2. Ensure that there is a separation of duties in the upgrade of Web application software and systems software so no individual has the capability to perform more than one of these processes: origination, authorization, verification, or distribution.
3. Review the change management procedure for installing changes to the Web applications.
4. Use mapping to identify specific logic that has not been tested, then analyze these programs during execution to determine whether program statements have been executed, thus identifying potential exposures.
Data Center Security
1. Ensure that reports, such as critical output reports, are produced and maintained in a secure area and distributed in an authorized manner. Access to online output reports should also be restricted. Online access can be tested through a review of the access rules or by monitoring user output.
2. Run a set of substantive tests on transactions that examine the accuracy, completeness, consistency, and authorization of data currently held in a system in order to see any failures in input or processing controls. Verify the data against the source documentation.
Online Auditing
Consider using at least one (and probably more) of these types of online automated evaluation techniques:
1. System control audit review file and embedded audit modules (SCARF/EAM)
2. Snapshots (of the steps transactions take from input to output)
3. Audit hooks (embedding programs within the web site that act as red flags to indicate when an error or irregularity has occurred that is escalating in size or severity, so as to prevent it from getting out of control)
4. Integrated test facilities (a duplicate site to simulate the entire web site operation and verify its validity by comparing the results at the test site to actual results based on live data flowing through the system)
5. Continuous and intermittent simulation (a system that continuously checks while running transactions, and audits a transaction if certain predetermined criteria are met)
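Added example (not from the chapter): a small Python reconciliation that implements the run-to-run control totals of System Development Standards item 1 and the predetermined-criteria audit hook of Online Auditing item 5. The batches, thresholds, and terminal list are constructed for illustration.

```python
"""Run-to-run control totals plus an embedded audit hook (constructed example)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Batch:
    """Control totals for one posting run; hash_total is the arithmetic sum of order IDs."""
    batch_id: str
    opening_balance: Decimal
    record_count: int
    amount: Decimal
    hash_total: int

    @property
    def closing_balance(self) -> Decimal:
        return self.opening_balance + self.amount


def run_to_run_check(web_report, ledger):
    """Compare each web-site batch with the general ledger posting of the same
    batch, and chain the closing balance of run n to the opening balance of
    run n+1. Returns a list of exception strings; empty means the runs reconcile."""
    exceptions = []
    gl_by_id = {b.batch_id: b for b in ledger}
    previous_close = None
    for web in sorted(web_report, key=lambda b: b.batch_id):
        gl = gl_by_id.get(web.batch_id)
        if gl is None:
            exceptions.append(f"{web.batch_id}: posted by web site but missing from GL")
            continue
        for field in ("record_count", "amount", "hash_total"):
            if getattr(web, field) != getattr(gl, field):
                exceptions.append(f"{web.batch_id}: {field} web={getattr(web, field)} gl={getattr(gl, field)}")
        if previous_close is not None and gl.opening_balance != previous_close:
            exceptions.append(f"{gl.batch_id}: opening {gl.opening_balance} != prior close {previous_close}")
        previous_close = gl.closing_balance
    return exceptions


# Predetermined criteria for the embedded audit module (hypothetical thresholds).
AUDIT_CRITERIA = {
    "large_amount": lambda t: t["amount"] >= Decimal("5000"),
    "after_hours": lambda t: not 8 <= t["hour"] < 18,
    "unauthorized_terminal": lambda t: t["terminal"] not in {"POS-01", "POS-02"},
}


def audit_transaction(txn):
    """Return the names of every predetermined criterion the transaction meets."""
    return sorted(name for name, rule in AUDIT_CRITERIA.items() if rule(txn))


# Constructed batches: the web site reported three runs; in the ledger the
# amount of B002 was altered, so the closing balance no longer chains to B003.
WEB_REPORT = [
    Batch("B001", Decimal("0.00"), 3, Decimal("1250.00"), 3006),
    Batch("B002", Decimal("1250.00"), 2, Decimal("800.00"), 2009),
    Batch("B003", Decimal("2050.00"), 1, Decimal("100.00"), 1010),
]
GENERAL_LEDGER = [
    Batch("B001", Decimal("0.00"), 3, Decimal("1250.00"), 3006),
    Batch("B002", Decimal("1250.00"), 2, Decimal("750.00"), 2009),
    Batch("B003", Decimal("2050.00"), 1, Decimal("100.00"), 1010),
]
```

Running `run_to_run_check(WEB_REPORT, GENERAL_LEDGER)` reports both the altered B002 amount and the broken balance chain at B003, which is how an auditor distinguishes a single keying error from a posting that was changed after the fact.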
Contingency Items
1. Any other item that has been a serious concern, from business managers or whistleblower calls to the audit committee, or that key executives would like to have checked relative to the operation of the web site
2. Anything unusual relating to the information systems architecture that covers the web site operations (including changes to process synchronization, job scheduling software, data communications software, operating system changeover/upgrade, or new data modeling/reporting software implementation)
HACKERS AND OUTSIDE-THE-NETWORK ATTACKS
As you can tell, many problems can be encountered when trying to protect information in the systems network from outside attack (either from unauthorized access or unauthorized modification).
Hackers, internal and external, are constantly trying to bypass internal controls, both manual and automated, to steal company funds or to obtain customer data that they can steal or modify.
Hackers perform their work in a variety of ways. Some of the most common methods are shown next.
Looking at Established Automated Diaries
Your company computer faithfully preserves data that most people are unaware of. Sensitive information is contained in bits of deleted files, parts of documents created or opened, cookies from Web pages visited, and chats in instant messenger. Access to these should be restricted by setting your history time frame to one or two days only or by offloading this history to a more secure location.
Computers used on the Internet keep track of all your activities. Every time you give your credit card to a retailer, even a local restaurant, you run the risk of that data falling into the wrong hands. Limiting such access—or monitoring its results—is important to ensure that unauthorized charges are not made. Verify the data against the source documentation to spot inconsistencies. Also, be sure not to access such sites from public locations, such as Internet cafes or local libraries.
Viewing Swap Files
Computer programs require memory to function. While working data is normally held in the central RAM (random access memory), the computer is able to perform its job by extending that memory with what is commonly referred to as virtual memory. Virtual memory is a fabulous thing but a privacy nightmare. Files or data that are encrypted on disk in Windows or Linux often end up unencrypted in the virtual memory (usually in the paging or swap files).
Often this problem can be resolved through the creation of a permanently allocated swap file of a fixed size that then can be destroyed periodically by use of a file-wipe utility.
Making Changes to the System Directory
The system registry contains configuration data and tells programs and device drivers when to start and how to run properly. As a result, any changes to this area can stop vital functions, create new programs, or tell your computer to go to a web site and post information there. Unlike other parts of your computer, the system registry cannot be file-wiped or deleted because its function is vital to the performance of your computer. Hackers love putting new things in system registries, because it makes these things almost impossible to delete.
It is almost impossible for the average person or even system programmer to understand how the system registry functions or what it is telling the computer to do. As a result, average users do not know the processes it initiates or deletes. Some IT people consider this an advantage, because they can then track users’ activities when they are using the computer. This is true, but I believe that the loss of local user control relative to the ease of hacker control offsets the advantages gained.
There are many other hacking options, such as stack overflows or placing Trojan programs, but these are generally easily defeated if proper security measures, such as firewalls and the use of proxy servers, are enacted. Other, more advanced methods include denial-of-service attacks or emanation eavesdropping, but these are beyond the scope of discussion of this chapter.
All of the hacker attacks mentioned require the use of network access, whether the hacker is internal (i.e., he or she works for the company) or external (outside of the company). But another possible method to override compliance involves outside-the-network attacks. Better known as social engineering, these activities involve convincing others inside the company (who do have access to the network) to make the changes for them. Hackers sometimes do this by sending spam e-mails that entice computer users to give up confidential information, such as logon IDs and passwords. Other times, “bait” sites are used to encourage people to visit the site and download “rootkits” that contain infected programs. Sometimes all that is needed is to convince people on the other end of a phone to assume that what the hacker tells them is real. For example, if I call and say that I work for a bank at which you have an account, you may well believe that I really do work for that bank.
SUMMARY
IT professionals need to be cognizant of the need for compliance with many different types of rules. There are actual laws that need to be complied with and that may require regulatory reporting to agencies that monitor such compliance. There are company policies that require compliance in order to improve the efficiency and effectiveness of the company’s profit-making efforts. And there are security compliance needs to protect the company against attempted theft of company assets or confidential information. The IT department plays a vital role in all of these activities—often, the key role in the company. Recognizing what these rules are, how others are attempting to circumvent them, and what the company needs to do in response are some of the primary roles of the chief information officer in today’s company.