
CIMA P3 Course Notes

www.astranti.com


Chapter 8 Control and security of IT

Strategic Business Coaching Ltd 2013 Personal use only - not licensed for use on courses


1. Key risks

There are four key risks in systems:
a) Data loss
b) Corrupt data
c) Unauthorised access
d) Contravention of legislation

Controls must be put in place to prevent these risks from materialising.

2. IT controls

Physical controls
Physical controls concern the environment in which the system is kept. These include physical controls to prevent:
- Fire damage: fire alarms, sprinkler systems, extinguishers to hand
- Flood damage: avoid siting systems in basements or other vulnerable areas, building maintenance to avoid leaks
- Power failure: back up generators, current isolators (to minimise damage through electricity fluctuations)
- Unauthorised access: locks on doors, security guards
- Theft: locked computers, alarms, disks kept in locked cabinet.

Administrative controls
Administrative controls are formalised standards, rules, and procedures on the use of systems. They ensure the security of systems through the rules and procedures imposed on people using the system. For example this might include rules or procedures on:
- Checking data input against control totals
- Authorisation of transactions before processing
- Authorisation of system changes
- Regular back ups undertaken


Administrative controls include:

Passwords
A password is a number or set of characters (or a mixture of the two) which must be entered into a system to allow access. Passwords are an essential way to prevent unauthorised access to data. Passwords should be:
a) Changed regularly
b) Not written down
c) Not given to other people
d) Not associated with something familiar to the user

A back up system to allow people to access or change forgotten passwords must be available to ensure people can continue to use the system without delay.

Encryption
Encryption is used to ensure that documents cannot be accessed by unauthorised users. When a document is encrypted it is converted into a secret code which only the intended recipient can decipher. Encryption is commonly used when sending documents using public telephone lines e.g. when using the internet to pay using credit cards.

Anti-virus software
Computer viruses are small programs which attach themselves to files in a computer. They replicate themselves onto other computers which access these files and can thus spread from computer to computer. Many modern viruses make use of flaws in e-mail software to automatically send themselves out to everyone in the individual's address book. Viruses are written by unscrupulous individuals largely for the fun of it. The consequences of viruses can be varied, from no effect to the entire contents of the hard drive being erased. To prevent viruses an organisation can use virus checking software. This identifies and helps to remove viruses found on the system. It automatically checks incoming e-mails and downloaded files for viruses.


Application controls
IT application or program controls are fully automated controls (i.e. performed automatically by the systems) designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:
- Completeness checks: controls that ensure all records were processed from initiation to completion.
- Validity checks: controls that ensure only valid data is input or processed.
- Identification: controls that ensure all users are uniquely and irrefutably identified.
- Authentication: controls that provide automatic authentication that inputs are from allowable sources.
- Authorisation: controls that ensure only approved business users have access to the application system.
- Input controls: controls that ensure the integrity of data fed from upstream sources into the system.
- Forensic controls: controls that ensure data is scientifically correct and mathematically correct based on inputs and outputs.
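
An added example, not part of the original notes: a batch of transactions checked with the validity and completeness checks listed above, using the control totals mentioned under administrative controls. The account codes, field names and sample batch are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"AC100", "AC200", "AC300"}  # hypothetical master file of accounts

# Constructed sample batch: the header holds the control totals agreed before input.
HEADER = {"record_count": 4, "control_total": Decimal("1750.00")}
BATCH = [
    {"id": "T1", "account": "AC100", "amount": "500.00"},
    {"id": "T2", "account": "AC200", "amount": "250.00"},
    {"id": "T3", "account": "AC999", "amount": "300.00"},  # account not on master file
    {"id": "T4", "account": "AC300", "amount": "700.00"},
]

def validity_errors(rec):
    """Validity check: list the reasons a record must not be processed."""
    errors = []
    if rec.get("account") not in VALID_ACCOUNTS:
        errors.append("unknown account")
    try:
        amount = Decimal(rec.get("amount", ""))
        if not amount.is_finite() or amount <= 0:
            errors.append("amount not a positive number")
    except (InvalidOperation, TypeError):
        errors.append("amount not numeric")
    return errors

def entered_total(records):
    """Sum the amounts as entered; unreadable amounts add nothing."""
    total = Decimal("0")
    for rec in records:
        try:
            total += Decimal(rec.get("amount", ""))
        except (InvalidOperation, TypeError):
            pass  # the total will then disagree with the header
    return total

def check_batch(header, records):
    """Validity checks per record, completeness checks on the whole batch."""
    rejected = {r["id"]: e for r in records if (e := validity_errors(r))}
    accepted = [r["id"] for r in records if r["id"] not in rejected]
    return {"accepted": accepted, "rejected": rejected,
            # completeness: records received and their value agree with the header
            "count_ok": len(records) == header["record_count"],
            "total_ok": entered_total(records) == header["control_total"]}

if __name__ == "__main__":
    print(check_batch(HEADER, BATCH))      # complete batch, one invalid record
    print(check_batch(HEADER, BATCH[:3]))  # one record lost before processing
```

The completeness checks compare what was received against the batch header, so a lost record is detected even when every remaining record is individually valid.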

Contingency controls - disaster recovery

A contingency plan outlines the steps which will be taken in case of a 'disaster' such as a fire, flood, damage caused by a virus, or theft of important systems. This is vital since many organisations are dependent upon systems. The longer the system is down the worse the consequences. Disaster recovery plans can include:
- Creation of processing facilities on separate sites
- Agreements with other companies to share systems in times of disaster
- Computer bureaux
- Back up systems


Audit trail
An audit trail is the ability to follow a transaction all the way through a process. Systems should be developed such that a complete audit trail can be followed. Information about the transaction will also be recorded for information purposes (e.g. who made the transaction, when, at what location and so on). This is of use in:
- Testing
- Investigations (e.g. investigating frauds)
- Examining the effectiveness of controls (usually by internal audit)

Legal issues
Data protection legislation aims to protect the individual from misuse of their personal information. It is relevant to both manual and computerised systems. The key points of legislation are that:
- data on individuals must be:
  - used for a specific purpose
  - relevant to that purpose
  - kept accurate and up to date.
- individuals must give permission for the use of the data (in some instances (e.g. contracts) permission is assumed to have been given)
- individuals have a right of access to all information held on them, and can demand change or deletion if inaccuracies exist.
- suitable controls must be put in place to prevent unauthorised access.

Copyright legislation provides protection to the author of computer software against unauthorised copying and distribution of that software, in the same way as it does to books, paintings, music and so on. Computer software is often sold under licence. The licence puts restrictions on use of the software, often such that it can only be used on one computer or by one user. Organisations have to buy a licence to use multiple copies if many people are going to use a system.
