Focus on potential risks - one of four industry experts making security recommendations about a fictitious multinational firm's international network
By Andy Elliott
FOCUS ON POTENTIAL RISKS
Advances in technology have provided businesses with low-cost, powerful and flexible minicomputer, microcomputer and local-area network (LAN) resources. Companies have, in turn, distributed this equipment throughout the organization under the control of end users.
End-user computing has provided users with the hardware and software tools to develop and implement a variety of capabilities that previously were unavailable or required mainframe resources. Another important ingredient previously required was the support of a central MIS organization. The prospect of eliminating MIS has been perceived by many end users to be a positive development.
However, MIS organizations traditionally provide procedures and controls to ensure that systems operate effectively and securely. MIS also ensures that appropriate contingencies are in place in the event of a malfunction or disaster. Backup and recovery procedures are among the areas most neglected in end-user computing.
McGonagle's decision to notify the various locations of the auditor's assessment and to appoint Stollard with the responsibility to address the issue is a good first step. It would be wise to take this approach a step further, though, and establish a wider and more representative group to assess and evaluate the situation. I recommend establishing a committee with representatives not only from MIS, but also from management of the manufacturing plants, sales offices, corporate, internal audit and any other appropriate users of end-user computing.
Management commitment to this process is critical. It may not be practical or appropriate to assign top management to the committee, but management should be involved in the assignment process. Dixon may be the ideal representative, but the business manager of her office should have some input.
Once established, the steering committee must understand the organizational concerns regarding backup and recovery in an end-user computing environment. The committee needs to focus on the following potential risks:
End users may be unaware of policies that require program and data backup at regular intervals.
End users may lack knowledge, training or hardware to correctly back up files.
End users may not know all the ways that storage media or devices can be damaged.
MIS disaster recovery plans may not include strategic end-user computing areas.
Secure, on-site backup storage facilities may not be available and off-site storage options may be overlooked.
The committee should develop an action plan to determine how well positioned Amprox is to mitigate these risks. A first step is to ensure that all end-user computing environments have been identified and will be included in the project. The committee must then gain management acceptance and implement the plan.
After the plan has been implemented and procedures and controls are in place, Amprox should ensure that it continues to operate effectively by performing routine audits or reviews of each area on a rotational basis. Internal audit or another designated group should be responsible for this function.
The committee should also address:
Setting of policies and procedures to prevent unauthorized changes to files and programs.
Protection against viruses, destruction or modification of data, and service interruptions.
Controls to ensure systems are properly designed, tested and documented.
Internal audit involvement during systems development.
System auditability built into end-user computing applications.
By examining the risks of end-user computing and applying sensible solutions, Amprox should be well positioned to continue on a course of applying advanced technology in a cost-conscious manner.
For those looking for additional information about end-user computing controls, I suggest the end-user computing volume of the Systems Auditability and Controls (SAC) report from the Institute of Internal Auditors Research Foundation.
COPYRIGHT 1992 Wiesner Publications, Inc.
COPYRIGHT 2004 Gale Group