The main objective is to ensure that the organization’s information technology and business systems are adequately controlled, monitored and assessed.

The techniques used to achieve security are many and varied. In order to assess the level of security required, it is necessary to identify the risks, which apply to your installation. Having identified the risks, select those techniques, which together will provide the appropriate level of security for the data, for the systems and for the organization.

In this regard, the following areas of the computer activity should be monitored on a regular basis.

They are: Access control, System activity monitoring, and the Audit trail

1. User Access Control:

This includes adding of new users to the system’s user login group files, modifying or deleting, changing users accounts, and maintaining an appropriate level of security on the system.

Access capabilities are implemented by security administration in a set of rules that stipulates which users or group of users are to gain access to certain information on the system. It is generally on the “need-to-know” or “need-to-do” basis.

The objective of security in this area is to optimize productive computer time, lessen the risk of error and fraud, eliminate unauthorized work and secure the confidentiality of information. It should allow proper division of duties to ensure that the potential for unauthorized operation and fraud is minimized.

2. Monitoring the system:

To track system activity through online accounting procedures to determine how effectively system resources are being used.

Most organizations today have installed computers of various sizes for processing data into information and knowledge. Too much emphasis appears to have been placed on the technology and too little attention on the security of the valuable business wealth contained in the information being managed with Information Technology Department. This is perhaps the worst risk facing business today because security awareness among non-computer professionals is low.

Most computer installations have experienced system collapse or degradation because of failure of some component of systems software. Unexpected situation do arise and if care is not taken, can have extensive and expensive repercussions.

Anyone can make a mistake and the consequences of these must be contained by effective security controls. Malicious acts of sabotage or fraud are more likely to occur, if there are low chances of detection. However the odds can be lessened by reducing the opportunity to commit crimes by increasing the possibility of detection through effective system security and controls.

Controls over the experts who work on the computers are also critical aspect. An uncontrolled systems development will automatically produce a system that is uncontrollable. Bugs and accidental errors will proliferate while these systems are fertile breeding ground for attempts at fraud.

For an improvement to take place, the following questions may be asked, on probable areas of risk, such as

1. Could this happen here?
2. How?
3. Are security measures adequate to prevent/detect the threat?
4. How can we improve on the measures?

Inadequate system security exposes organization to so many risks. Some of these are: Data Diddling, Trojan Horse, Rounding Down, Salami techniques, virus, Logic bomb and data leakage etc.

3. Audit Trail

A security subsystem should maintain detailed logs of who did what and when and also if there are any attempted security violations. The availability of the log is extremely valuable. Log provides information for the system auditor to be able to determine who initiated the transaction, the time of the day and date of entry, the type of entry, what fields of information were affected and the terminal used.

System log should be analyzed to provide detailed information on all normal and abnormal occurrences during each processing period.
Computer access and attempted access violations can be automatically logged by the computer and reported. Listing of terminal addresses and locations can be used to look for incorrectly logged, missing or additional terminals.

Applying the principles of Information System Security and Audit raised in this write-up will ensure that an organization’s information assets and systems are adequately controlled, monitored and assessed.

Article by Mukaila Apata is a System Auditor and Security Administrator with over 18 years of experience in banking systems, programming and system analysis. In addition to his System Audit function, he has a strong background in Unix, Relational database management software and Globus banking software.