Security and Control Assessment
Question:
Security and Control Assessment Brew Bottle Company (BBC) is in the process of planning a more advanced computer-based information system. Slavish & Moore, LLP, BBC's consulting firm, has recently been provided with an overview of BBC's proposed plan:
The Brew Bottle Company Information System (BBCIS) will be created with the help of its employees so that the system will function effectively. This helps ensure that the end product will perform the tasks that the user wants. System construction will begin with prototyping, CASE technology, and Gantt charts. From here, systems professionals and a systems administrator who will work full-time for BBC will create data models of the business process, define conceptual user views, design database tables, and specify system controls.
Each user in each department will submit a written description of their needs and business problems to the systems professionals. Systems professionals will then perform analysis of feasibility and system design. Each aspect of the system will be properly documented for control reasons; this will help if problems arise in the future stages of development and is essential to long-term system success.
The new systems administrator will determine access privileges, maintain the access control list, and maintain the database authorization table. Anyone requesting access will fill out a petition, which the systems administrator must approve and sign. The administrator will have sole access to the transaction log, which will be used to record all changes made to a file or database. This information will help detect unauthorized access, reconstruct events if needed, and promote personal accountability.
The systems administrator will also be responsible for updating virus protection weekly so that viruses planted intentionally or accidentally will not damage the system. One of the most important tasks of the systems administrator will be to copy databases and system documentation for critical applications to tape or disk on a daily basis. These disks and tapes will be stored in a secure location away from the company property.
Employees requiring computer access will be given a user name and password that will be entered when logging on to their computer terminal. A dialog box will appear when the system is turned on and this information will be entered. Correct entry of information will give the user access; if information is entered incorrectly, the user will not be granted access.
Furthermore, if a computer terminal is left idle for more than five minutes, a password will be needed to regain access. For security reasons, users will be required to change their passwords once every year.
Hardware will be purchased from Bell Computer Company with the advice of in-house systems developers. With the exception of basic applications, user departments will purchase computer software, which will be added to the system.
BBCIS will run from a computing center located in the company's administration building adjacent to the factory. Access to the computing center will require formal authorization.
Two security guards will be posted at the entrance to the room. Authorized employees will need to swipe their ID cards to pass through security. Times will be recorded when employees swipe their cards for entrance and exit. The actual room that houses the computer systems will have an advanced air-conditioning and air filtration system to eliminate dust and pollens.
There will also be a sprinkler system to minimize damages in case of a fire.
Required:
Based on BBC’s plans for the implementation of a new computer system, describe the potential risks and needed controls. Classify these according to the relevant areas of the COSO framework.
Step by Step Answer: