Business Value of Security Control

The document discusses the business value of security and controls for information systems. It notes that companies have valuable information assets to protect, including confidential customer, employee, and corporate data. Inadequate security can result in legal liability and costly data breaches. Recent US regulations like HIPAA, Gramm-Leach-Bliley Act, and Sarbanes-Oxley Act mandate privacy protections and electronic records retention to comply with privacy and financial reporting standards. The document also discusses how electronic evidence is increasingly important in legal cases, and the role of computer forensics in securely collecting and analyzing digital evidence from sources like email and files.

338 Part Two Information Technology Infrastructure

little time to respond between the time a vulnerability and a patch are announced and the time malicious software appears to exploit the vulnerability.

8.2 BUSINESS VALUE OF SECURITY AND CONTROL


Many firms are reluctant to spend heavily on security because it is not directly related to sales revenue. However, protecting information systems is so critical to the operation of the business that it deserves a second look.

Companies have very valuable information assets to protect. Systems often house confidential information about individuals’ taxes, financial assets, medical records, and job performance reviews. They also can contain information on corporate operations, including trade secrets, new product development plans, and marketing strategies. Government systems may store information on weapons systems, intelligence operations, and military targets. These information assets have tremendous value, and the repercussions can be devastating if they are lost, destroyed, or placed in the wrong hands. Systems that are unable to function because of security breaches, disasters, or malfunctioning technology can permanently impact a company’s financial health. Some experts believe that 40 percent of all businesses will not recover from application or data losses that are not repaired within three days (Focus Research, 2010).

Inadequate security and control may result in serious legal liability. Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so may open the firm to costly litigation for data exposure or theft. An organization can be held liable for needless risk and harm created if the organization fails to take appropriate protective action to prevent loss of confidential information, data corruption, or breach of privacy. For example, BJ’s Wholesale Club was sued by the U.S. Federal Trade Commission for allowing hackers to access its systems and steal credit and debit card data for fraudulent purchases. Banks that issued the cards with the stolen data sought $13 million from BJ’s to compensate them for reimbursing card holders for the fraudulent purchases. A sound security and control framework that protects business information assets can thus produce a high return on investment. Strong security and control also increase employee productivity and lower operational costs.

LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC RECORDS MANAGEMENT

Recent U.S. government regulations are forcing companies to take security and control more seriously by mandating the protection of data from abuse, exposure, and unauthorized access. Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection.

If you work in the health care industry, your firm will need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA outlines medical security and privacy rules and procedures for simplifying the administration of health care billing and automating the transfer of health care data between health care providers, payers, and plans. It requires members of the health care industry to retain patient information for six years and ensure the confidentiality of those records. It specifies privacy, security, and electronic transaction standards for health care providers handling patient information, providing penalties for breaches of medical privacy, disclosure of patient records by e-mail, or unauthorized network access.

Chapter 8 Securing Information Systems 339
If you work in a firm providing financial services, your firm will need to comply with the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act after its congressional sponsors. This act requires financial institutions to ensure the security and confidentiality of customer data. Data must be stored on a secure medium, and special security measures must be enforced to protect such data on storage media and during transmittal.

If you work in a publicly traded company, your company will need to comply with the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act after its sponsors Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. This Act was designed to protect investors after the financial scandals at Enron, WorldCom, and other public companies. It imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally. One of the Learning Tracks for this chapter discusses Sarbanes-Oxley in detail.

Sarbanes-Oxley is fundamentally about ensuring that internal controls are in place to govern the creation and documentation of information in financial statements. Because information systems are used to generate, store, and transport such data, the legislation requires firms to consider information systems security and other controls required to ensure the integrity, confidentiality, and accuracy of their data. Each system application that deals with critical financial reporting data requires controls to make sure the data are accurate. Controls to secure the corporate network, prevent unauthorized access to systems and data, and ensure data integrity and availability in the event of disaster or other disruption of service are essential as well.

ELECTRONIC EVIDENCE AND COMPUTER FORENSICS


Security, control, and electronic records management have become essential for responding to legal actions. Much of the evidence today for stock fraud, embezzlement, theft of company trade secrets, computer crime, and many civil cases is in digital form. In addition to information from printed or typewritten pages, legal cases today increasingly rely on evidence represented as digital data stored on portable storage devices, CDs, and computer hard disk drives, as well as in e-mail, instant messages, and e-commerce transactions over the Internet. E-mail is currently the most common type of electronic evidence.

In a legal action, a firm is obligated to respond to a discovery request for access to information that may be used as evidence, and the company is required by law to produce those data. The cost of responding to a discovery request can be enormous if the company has trouble assembling the required data or the data have been corrupted or destroyed. Courts now impose severe financial and even criminal penalties for improper destruction of electronic documents.
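The penalties described above are the reason a records program needs a rule that no retention schedule can override: once a matter is in litigation, the affected records are frozen. The following Python program is an added illustration written for this edition of the page, not code from the textbook or its publisher. It evaluates a record against a retention schedule and a set of legal holds. The six-year patient-record period is the one the chapter cites for HIPAA; the other retention periods, the record types, the matter name and the sample records are constructed placeholders, not a statement of what any law requires.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention schedule: record type -> years the record must be kept before it may
# be disposed of. Six years for patient records is the period the chapter cites
# for HIPAA; the other two values are constructed placeholders.
RETENTION_YEARS = {
    "patient_record": 6,
    "financial_statement": 7,
    "email": 3,
}

@dataclass
class Record:
    record_id: str
    kind: str
    created: date
    custodian: str        # employee whose mailbox or file share holds the record

@dataclass
class LegalHold:
    """A hold freezes every record it names and every record of a named custodian."""
    matter: str
    custodians: set = field(default_factory=set)
    record_ids: set = field(default_factory=set)

def add_years(d, n):
    """Date arithmetic that survives a record created on Feb 29."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def holds_on(record, holds):
    return [h.matter for h in holds
            if record.record_id in h.record_ids or record.custodian in h.custodians]

def disposition(record, holds, today):
    """Decide what may happen to a record today.

    Returns one of:
      ("hold", [matters])  - frozen by litigation; destruction is prohibited
      ("retain", days)     - retention period still running
      ("dispose", None)    - retention expired and no hold applies
    Holds are checked first so that a hold always overrides the schedule.
    """
    matters = holds_on(record, holds)
    if matters:
        return ("hold", matters)
    years = RETENTION_YEARS.get(record.kind)
    if years is None:
        # Fail closed: an unclassified record is never silently discarded.
        raise ValueError(f"no retention rule for record type {record.kind!r}")
    expiry = add_years(record.created, years)
    if today < expiry:
        return ("retain", (expiry - today).days)
    return ("dispose", None)

def review(records, holds, today):
    """Summarize a batch as {record_id: decision} for the records team."""
    return {r.record_id: disposition(r, holds, today)[0] for r in records}

# Constructed sample data (hypothetical records, custodians and matter name).
SAMPLE_RECORDS = [
    Record("R1", "patient_record", date(2015, 3, 1), "bob"),
    Record("R2", "email", date(2017, 1, 15), "alice"),
    Record("R3", "financial_statement", date(2020, 6, 30), "carol"),
    Record("R4", "email", date(2020, 2, 29), "dave"),
]
SAMPLE_HOLDS = [LegalHold("Matter-2021-07 (constructed)", custodians={"alice"})]
REVIEW_DATE = date(2021, 3, 1)

if __name__ == "__main__":
    for rid, decision in review(SAMPLE_RECORDS, SAMPLE_HOLDS, REVIEW_DATE).items():
        print(rid, decision)
```

Note that R2's three-year e-mail retention has already run out on the review date, so without the hold the program would mark it for disposal; with Alice's mailbox under hold it is frozen instead. A records system that ran only the schedule and not the hold check is exactly what the courts penalize.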
An effective electronic document retention policy ensures that electronic documents, e-mail, and other records are well organized, accessible, and neither retained too long nor discarded too soon. It also reflects an awareness of how to preserve potential evidence for computer forensics. Computer forensics is the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law. It deals with the following problems:

• Recovering data from computers while preserving evidential integrity
• Securely storing and handling recovered electronic data
• Finding significant information in a large volume of electronic data
• Presenting the information to a court of law
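The first two problems in that list, preserving evidential integrity and handling recovered data securely, come down to two practices: fingerprint the evidence the moment it is acquired, and keep a tamper-evident record of everyone who handled it afterwards. The Python program below is an added example for this page, not code from the textbook; it uses only the standard library. The disk image is a constructed byte string standing in for a real image file, the examiner names are hypothetical, and the chain-of-custody format is a simple design of this example rather than any forensic tool's own format.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-gigabyte image need not fit in memory

def sha256_stream(fileobj):
    """Digest of an open file (or any readable object), read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def sha256_bytes(data):
    return sha256_stream(io.BytesIO(data))

class CustodyLog:
    """Append-only chain of custody.

    Each entry records who did what to which evidence (by digest) and when, and
    carries the hash of the previous entry, so an entry cannot be edited,
    reordered, or removed from the middle of the chain without breaking every
    later link. (Dropping the newest entry needs an external anchor, such as
    countersigning the latest hash, which this example does not do.)
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, actor, evidence_sha256, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "evidence_sha256": evidence_sha256,
            "note": note,
            "prev": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def chain_ok(self):
        """Re-derive every link; False if any stored entry no longer matches."""
        prev = self.GENESIS
        for seq, e in enumerate(self.entries):
            if e["seq"] != seq or e["prev"] != prev or self._hash_entry(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def acquire(image_bytes, examiner):
    """Fingerprint a freshly acquired image and open its custody log."""
    digest = sha256_bytes(image_bytes)
    log = CustodyLog()
    log.record("acquired", examiner, digest, "bit-for-bit image taken with a write blocker in place")
    return digest, log

def verify_evidence(image_bytes, expected_sha256, log, examiner):
    """Re-hash before analysis and log the outcome either way, so the record
    shows that the check happened and what it found."""
    actual = sha256_bytes(image_bytes)
    ok = actual == expected_sha256
    log.record("verified" if ok else "VERIFY FAILED", examiner, actual)
    return ok

# Constructed stand-in for a disk image; a real one would be a file opened in "rb" mode.
SAMPLE_IMAGE = b"MBR\x00" * 256 + b"user-data-block" * 64
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"X"   # one byte changed after acquisition

if __name__ == "__main__":
    digest, log = acquire(SAMPLE_IMAGE, "examiner-1")
    print("acquired:", digest)
    print("intact copy verifies:", verify_evidence(SAMPLE_IMAGE, digest, log, "examiner-2"))
    print("altered copy verifies:", verify_evidence(TAMPERED_IMAGE, digest, log, "examiner-2"))
    print("custody chain intact:", log.chain_ok())
```

The point of logging the failed verification rather than silently retrying is that a court will ask not only whether the evidence matched, but whether anyone ever saw it not match.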
Electronic evidence may reside on computer storage media in the form of computer files and as ambient data, which are not visible to the average user. An example might be a file that has been deleted on a PC hard drive. Data that a computer user may have deleted on computer storage media can be recovered through various techniques. Computer forensics experts try to recover such hidden data for presentation as evidence.
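One of the "various techniques" for recovering a deleted file is signature carving: deleting a file normally removes only its directory entry, so its blocks stay on disk until reused, and a scan of the raw bytes for known file headers and footers can find them again. The Python program below is an added example for this page, not code from the textbook. The unallocated region it scans is a constructed byte string containing two minimal synthetic files (not valid images, only their signatures matter); the header and footer byte values for PNG and JPEG are the standard ones, and the rest is this example's own simple design.

```python
# Signature table: file type -> (header, footer, bytes that follow the footer).
# A PNG ends with the IEND chunk name followed by its 4-byte CRC; a JPEG ends
# with the EOI marker FF D9.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer beyond this distance from a header

def carve(buf):
    """Return the files whose header and footer both appear in buf, sorted by offset.

    Works on raw bytes, so it finds files whose directory entry is gone, as
    long as their blocks are contiguous and have not been overwritten.
    Fragmented files need a real carver; this is the basic header/footer
    technique only.
    """
    found = []
    for kind, (head, foot, trailer) in SIGNATURES.items():
        start = buf.find(head)
        while start != -1:
            end = buf.find(foot, start + len(head), start + MAX_CARVE)
            if end == -1:
                start = buf.find(head, start + 1)   # orphan header; keep scanning
                continue
            length = min(end + len(foot) + trailer, len(buf)) - start
            found.append({"type": kind, "offset": start, "length": length,
                          "data": buf[start:start + length]})
            start = buf.find(head, start + length)
    return sorted(found, key=lambda f: f["offset"])

# Constructed "unallocated space": two minimal synthetic files surrounded by
# zeroed blocks. Neither is a valid image (the chunk bodies are filler).
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x01" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x02" * 30 + b"\xff\xd9"
UNALLOCATED = b"\x00" * 100 + FAKE_PNG + b"\x00" * 50 + FAKE_JPEG + b"\x00" * 25

if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        print(f"{f['type']:5} at offset {f['offset']:6} length {f['length']:6}")
```

In practice the carver is run against a verified copy of the image, never the original medium, and each recovered object is hashed and logged the same way as the image itself so that its provenance can be shown in court.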
An awareness of computer forensics should be incorporated into a firm’s contingency planning process. The CIO, security specialists, information systems staff, and corporate legal counsel should all work together to have a plan in place that can be executed if a legal need arises. You can find out more about computer forensics in the Learning Tracks for this chapter.

8.3 ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL

Even with the best security tools, your information systems won’t be reliable and secure unless you know how and where to deploy them. You’ll need to know where your company is at risk and what controls you must have in place to protect your information systems. You’ll also need to develop a security policy and plans for keeping your business running if your information systems aren’t operational.

INFORMATION SYSTEMS CONTROLS


Information systems controls are both manual and automated and consist of general and application controls. General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization’s information technology infrastructure. On the whole, general controls apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create an overall control environment.

General controls include software controls, physical hardware controls, computer operations controls, data security controls, controls over implementation of system processes, and administrative controls. Table 8.4 describes the functions of each of these controls.

Application controls are specific controls unique to each computerized application, such as payroll or order processing. They include both automated and manual procedures that ensure that only authorized data are completely and accurately processed by that application. Application controls can be classified as (1) input controls, (2) processing controls, and (3) output controls.

Input controls check data for accuracy and completeness when they enter the system. There are specific input controls for input authorization, data conversion, data editing, and error handling. Processing controls establish that data are complete and accurate during updating. Output controls ensure that the results of computer processing are accurate, complete, and properly distributed.
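The three classes of application control are easiest to see in a batch application such as the payroll example the chapter mentions. The Python program below is an added example for this page, not code from the textbook. It runs a constructed payroll batch through input controls (input authorization, edit checks on each field, and control totals against the batch header), a processing step that carries run-to-run totals forward, and output controls that reconcile the results and restrict distribution. The submitter and recipient roles, the 80-hour reasonableness limit and the employee records are all hypothetical values chosen for the example.

```python
from decimal import Decimal

MAX_HOURS = Decimal("80")                      # reasonableness limit (constructed value)
AUTHORIZED_SUBMITTERS = {"payroll_clerk"}      # who may enter a batch (input authorization)
AUTHORIZED_RECIPIENTS = {"payroll_manager", "general_ledger"}  # who may receive the output

# Constructed sample batch. The header carries the count and hours total that the
# clerk computed from the source documents; the controls compare data against it.
BATCH_HEADER = {"submitted_by": "payroll_clerk", "record_count": 3, "hours_total": Decimal("120")}
BATCH = [
    {"employee_id": "1001", "hours": Decimal("40"), "rate": Decimal("20.00")},
    {"employee_id": "1002", "hours": Decimal("40"), "rate": Decimal("25.50")},
    {"employee_id": "1003", "hours": Decimal("40"), "rate": Decimal("18.75")},
]

def input_controls(header, batch):
    """Input authorization, data editing, and batch control totals. Returns a list of errors."""
    errors = []
    if header["submitted_by"] not in AUTHORIZED_SUBMITTERS:
        errors.append("input authorization: submitter not authorized")
    for i, rec in enumerate(batch):
        if not rec["employee_id"].isdigit():                      # format edit check
            errors.append(f"edit check: record {i} has a malformed employee_id")
        if not (Decimal(0) <= rec["hours"] <= MAX_HOURS):         # reasonableness edit check
            errors.append(f"edit check: record {i} hours {rec['hours']} outside 0..{MAX_HOURS}")
    if len(batch) != header["record_count"]:                      # record count control total
        errors.append(f"control total: {len(batch)} records received, header says {header['record_count']}")
    hours = sum(r["hours"] for r in batch)                        # hash total on a data field
    if hours != header["hours_total"]:
        errors.append(f"control total: hours sum {hours} != header {header['hours_total']}")
    return errors

def process(batch):
    """Processing control: compute gross pay and carry run-to-run totals forward."""
    results = [{"employee_id": r["employee_id"],
                "gross": (r["hours"] * r["rate"]).quantize(Decimal("0.01"))} for r in batch]
    run_to_run = {
        "records_in": len(batch), "records_out": len(results),
        "hours_in": sum(r["hours"] for r in batch),
        "gross_out": sum(r["gross"] for r in results),
    }
    return results, run_to_run

def output_controls(results, run_to_run, header, recipient):
    """Output controls: reconcile the results against the totals and check distribution."""
    errors = []
    if recipient not in AUTHORIZED_RECIPIENTS:
        errors.append("output distribution: recipient not authorized")
    if run_to_run["records_in"] != run_to_run["records_out"]:
        errors.append("completeness: record count changed during processing")
    if run_to_run["hours_in"] != header["hours_total"]:
        errors.append("run-to-run: hours total drifted from the input control total")
    if sum(r["gross"] for r in results) != run_to_run["gross_out"]:
        errors.append("accuracy: gross pay total does not reconcile")
    return errors

def run_payroll(header, batch, recipient):
    """Drive the batch through all three control classes; stop at the first failing class."""
    errs = input_controls(header, batch)
    if errs:
        return {"status": "rejected_at_input", "errors": errs}
    results, totals = process(batch)
    errs = output_controls(results, totals, header, recipient)
    if errs:
        return {"status": "held_at_output", "errors": errs}
    return {"status": "released", "gross_total": totals["gross_out"], "records": results}

if __name__ == "__main__":
    print(run_payroll(BATCH_HEADER, BATCH, "payroll_manager"))
    print(run_payroll(dict(BATCH_HEADER, record_count=4), BATCH, "payroll_manager"))
```

A batch that fails any input control is rejected before anything is updated, which is cheaper than reversing a posted payroll; a batch whose output does not reconcile is held rather than distributed, so a processing error cannot reach the ledger or an unauthorized reader.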
