The role of information technology (IT) control and audit has become a critical mechanism for ensuring the integrity of information systems (IS) and the reporting of organization finances to avoid and hopefully prevent future financial fiascos such as Enron and WorldCom. Global economies are more interdependent than ever and geopolitical risks impact everyone. Electronic infrastructure and commerce are integrated in business processes around the globe. The need to control and audit IT has never been greater.
Initially, IT auditing (formerly called electronic data processing (EDP), computer information systems (CIS), and IS auditing) evolved as an extension of traditional auditing. At that time, the need for an IT audit function came from several directions
- Auditors realized that computers had impacted their ability to perform the attestation function.
- Corporate and information processing management recognized that computers were key resources for competing in the business environment and similar to other valuable business resource within the organization, and therefore, the need for control and auditability is critical.
- Professional associations and organizations, and government entities recognized the need for IT control and auditability.
The early components of IT auditing were drawn from several areas. First, traditional auditing contributes knowledge of internal control practices and the overall control philosophy. Another contributor was IS management, which provides methodologies necessary to achieve successful design and implementation of systems. The field of behavioral science provided such questions and analysis to when and why IS are likely to fail because of people problems. Finally, the field of computer science contributes knowledge about control concepts, discipline, theory, and the formal models that underlie hardware and software design as a basis for maintaining data validity, reliability, and integrity.
IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems. Initially, auditors with IT audit skills are viewed as the technological resource for the audit staff. The audit staff often looked to them for technical assistance. As you will see in this textbook, there are many types of audit needs within IT auditing, such as organizational IT audits (management control over IT), technical IT audits (infrastructure, data centers, data communication), application IT audit (business/financial/operational), development/implementation IT audits (specification/ requirements, design, development, and post-implementation phases), and compliance IT audits involving national or international standards. The IT auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with the management. The audit's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. Therefore, whereas management is to ensure, auditors are to assure.
Today, IT auditing is a profession with conduct, aims, and qualities that are characterized by worldwide technical standards, an ethical set of rules (Information Systems Audit and Control Association [ISACA] Code of Ethics), and a professional certification program (Certified Information Systems Auditor [CISA]). It requires specialized knowledge and practicable ability, and often long and intensive academic preparation. Often, where academic programs were unavailable, significant in-house training and professional development had to be expended by employers. Most accounting, auditing, and IT professional societies believe that improvements in research and education will definitely provide an IT auditor with better theoretical and empirical knowledge base to the IT audit function. They feel that emphasis should be placed on education obtained at the university level.
The breadth and depth of knowledge required to audit IT systems are extensive. For example, IT auditing involves the
- Application of risk-oriented audit approaches
- Use of computer-assisted audit tools and techniques
- Application of standards (national or international) such as ISO 9000/3 and ISO 17799 to improve and implement quality systems in software development and meet security standards
- Understanding of business roles and expectations in the auditing of systems under development as well as the purchase of software packaging and project management
- Assessment of information security and privacy issues which can put the organization at risk
- Examination and verification of the organization's compliance with any IT-related legal issues that may jeopardize or place the organization at risk
- Evaluation of complex systems development life cycles (SDLC) or new development techniques; e.g., prototyping, end user computing, rapid systems, or application development
- Reporting to management and performing a follow-up review to ensure actions taken at work
The auditing of complex technologies and communications protocols involves the Internet, intranet, extranet, electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, wireless technology, and integrated voice/data/video systems.
IT Today and Tomorrow
High-speed information processing has become indispensable to organizations' activities. For example, Control Objectives for Information and Related Technology (CoBiT) emphasizes this point and substantiates the need to research, develop, publicize, and promote up-to-date internationally accepted IT control objectives. The primary emphasis of CoBiT is to ensure that information needed by businesses is provided by technology and the required assurance qualities of information are both met. CoBiT, fourth edition, has evolved and improved in its guidance to incorporate the essential elements of strategic management, value delivery, resource management, risk management, and performance management.
From a worldwide perspective, IT processes need to be controlled. From a historical standpoint, much has been published about the need to develop skills in this field. In its 1992 discussion paper, "Minimum Skill Levels in Information Technology for Professional Accountants,"and its 1993 final report, "The Impact of Information Technology on the Accountancy Profession," the International Federation of Accountants (IFAC) acknowledged the need for better university-level education to address growing IT control concerns and issues. From this, it has published more recent guidance and information. The Institute of Internal Auditors (IIA) 1992 document "Model Curriculum for Information Systems Auditing" was developed to define the knowledge and skills required by internal auditors to be proficient in the information age of the 1990s and beyond. The IIA has developed and produced guidance for its membership as cited in Appendix III. Around the world, reports of white-collar crime, information theft, computer fraud, information abuse, and other information/technology control concerns are being heard more frequently, thanks to surveys and reports by SANS (SysAdmin, Audit, Network, Security) Institute, U.S. Government Accountability Office (GAO), Federal Bureau of Investigation (FBI), Federal Trade Commission (FTC), Computer Security Institute (CSI), Computer Emergency Response Teams (CERT), and others. Organizations are more information dependent and conscious of the pervasive nature of technology across the business enterprise. The increased connectivity and availability of systems and open environments have proven to be the lifelines of most business entities. IT is used more extensively in all areas of commerce around the world.
Owing to the rapid diffusion of computer technologies and the ease of information accessibility, knowledgeable and well-educated IT auditors are needed to ensure that effective IT controls are in place to maintain data integrity and manage access to information. Globally, private industry, professional associations, and organizations such as International Federation of Information Processing (IFIP), Association for Computing Machinery (ACM), Association of Information Technology Professionals (AITP), Information Systems Security Association (ISSA), and others have recognized the need for more research and guidance as identified in Appendix III. Control-oriented organizations such as the American Institute of Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants (CICA), IIA, Association of Certified Fraud Examiners (ACFE), and others have issued guidance and instructions and supported studies/research in this area. Since 1996, The Colloquium for Information Systems Security Educators (CISSE) has been a leading proponent for implementing the course of Instruction in information security (InfoSec) and Information Assurance in education The need for improved control over IT has been advanced over the years in earlier and continuing studies by the AICPA's Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Organization for Standardization (ISO) issuance of ISO 9000 and ISO 17799 and follow-on amendments, OECD's "Guidelines for the Security of IS by the Organization for Economic Cooperation and Development (OECD)," IIA's "Systems Auditability and Control (SAS) Report," and the U.S. President's Council on Integrity and Efficiency in Computer Audit Training Curriculum. The most recent addition to these major studies is the aforementioned CoBiT research. Essentially, technology has impacted three significant areas of the business environment:
- It has impacted what can be done in business in terms of information and as a business enabler. It has increased the ability to capture, store, analyze, and process tremendous amounts of data and information, which has increased the empowerment of the business decision maker. Technology has also become a primary enabler to various production and service processes. It has become a critical component to business processes. There is a residual effect in that the increased use of technology has resulted in increased budgets, increased successes and failures, and increased awareness of the need for control.
- Technology has significantly impacted the control process. Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
- Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis, control concerns) and the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency and integrity, and reporting integrity. Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.
Information Integrity, Reliability, and Validity: Importance in Today's Global Business Environment
Organizations today operate in a dynamic global multi-enterprise environment with team-oriented collaboration and place very stringent requirements on the telecommunications network. The design of such systems is complex and management can be very difficult. Organizations are critically dependent on the timely flow of accurate information. A good way to view how stringent the network requirements are is to analyze them in terms of the quality of the telecommunications service. Perhaps, two examples of the world's dependency on IT come as a result of two reported events in the past where IT failure impacted world commerce and communications. In 1998, an AT&T major switch failed due to two software errors and a procedural error, causing communications at that switch to become overloaded and making customers using credit cards unable to access their funds for 18 hours. In another 1998 event, a communication satellite went into an uncontrollable rotation causing pager communication systems worldwide to be "useless," and those companies using this technology for E-account transaction and verification were unable to process credit card information for 24 hours, thus causing their customers to pay cash for their transactions. The disruption of the paging services caused severe impact to services provided by both private and governmental organizations that depended on this communication. Even today, these types of events are repeated over and over again where organizations dependent on technology encounter failure and disruption to services and business. In August 2003, the northeast quadrant and part of Canada were still recovering from a massive power outage to the area that shut down ATMs and all electrical services (elevators, phone service, street signals, subways, etc.).
Most telecommunication experts believe the network must be able to reach anyone anywhere in the world and be capable of supporting the sharing of a wide range of information, from simple voice, data, and text messages to cooperative transactions requiring the information updating of a variety of databases. The chief executive officer (CEO) and chief information officer (CIO) want to meet or exceed their business objectives and attain maximum profitability through an extremely high degree of availability, fast response time, extreme reliability, and a very high level of security.
This means that the products for which IT provides consumer feedback will also be of high quality, rich in information content, and come packaged with a variety of useful services to meet the changing business conditions and competition. Flexible manufacturing and improvement programs such as Just-In-Time (JIT) and Lean Manufacturing, and Total Quality Management (TQM) will enable low-cost production. Flexible manufacturing will permit products to be produced economically in arbitrary lot sizes through modularization of the production process.
The unpredictability of customer needs and the shortness of product life cycles will cause the mix of production capabilities and underlying resources required by the organization to change constantly. Organizations must be capable of assembling its capabilities and resources quickly, thereby bringing a product to market swiftly. To achieve the high degree of organizational flexibility and value-chain coordination necessary for quick market response, excellent product quality, and low cost, the organization will employ a network, team-oriented, distributed decision-making organizational approach rather than a more traditional hierarchical, vertically integrated, command-and-control approach.
Organizations will possess a dynamic network organization synthesizing the best available design, production, supply, and distribution capabilities and resources from enterprises around the world and linking them and the customers together. A multi-enterprise nature will enable organizations to respond to competitive opportunities quickly and with the requisite scale, while, at the same time, enabling individual network participant's cost and risk to be reduced. The network will be dynamic because participant identities and relationships will change as capabilities and resources required change. The global scope of the network will enable organizations to capitalize on worldwide market opportunities. Work will be performed by multidisciplinary, multi-enterprise teams, which will work concurrently and, to reduce production time, be granted significant decision-making authority. Team members will be able to work collaboratively regardless of location and time zone. Openness, cooperativeness, and trust will characterize the relationships among the organizations in the network and their personnel.
Aside from reach, range, and service responsiveness, the network must be highly interconnective so that people, organizations, and machines can communicate at any time, regardless of location. Also, the network must be very flexible because the organization is constantly changing. Finally, the network must be cost effective because low cost is one of the ingredients in the mass-customization strategy. In addition, a control structure, which provides assurances of integrity, reliability, and validity, must be designed, developed, and implemented.
So how can this be accomplished? The ability to reach anyone anywhere in the world requires global area networks. Clearly, the Internet and global carrier services will be crucial. Also, because the intended receiver need not be in the office or even at home, wireless networks will play a major part. This will be true on-premise, such as with the use of wireless private branch exchanges (PBXs) or local area networks (LANs), and off-premise, with the use of cellular networks, global satellite networks such as Iridium, and Personal Communications Networks. To support the sharing of a wide range of voice, data, and video information, bandwidth on demand will be required all the way to the desktop as well as the mobile terminal. Also, various collaborative service platforms such as Lotus Notes will be necessary. Finally, perfect service will have to be designed into the network. Speed can be achieved through broadband networking: locally via fast Ethernet, gigabit, and Asynchronous Transfer Mode (ATM) LANs, and over a wide area via switched multimegabit data services (SMDS) and ATM services, and reliability through quality hardware/software and proven wired and wireless solutions where possible.
Control and Audit: A Global Concern
The events of September 11, 2001, and the collapse of trust in the financial reports of private industry (Enron, WorldCom, etc.) have caused much reflection and self-assessment within the business world. The evolution of the economic society parallels the evolution of exchange mechanisms because advancement in the latter allows the facilitation of the former. Society started with the primitive use of the barter system. In this way, individuals were both consumers and producers because they brought to market that commodity which they had in excess and exchanged it directly for a commodity for which they were in need. Simply, society exercised an exchange of goods for goods. Owing to its numerous inefficiencies and societies' demands to accommodate for the increased population, production, communication, and trading areas, this system was soon replaced by a modified barter exchange mechanism. In the modified barter exchange system, a common medium of exchange was agreed upon. This allowed the time and effort expended in trying to find a trading partner with the need for one's product to be reduced. In the early stages of economic development, precious metals such as gold and silver gained widespread acceptance as exchange media. Precious metals characterized acceptability, durability, portability, and divisibility, but it gradually played the role of money. Thus, when emerging central governments began minting or coinage of these metals to begin the money-based exchange system, its monetary role was even more strengthened.
As economies became more commercial in nature, the influential mercantile class shaped the new society. The needs of the mercantilists, which included the promotion of exchange and accumulation of capital, led to the development of money warehouses that served as depositories for the safekeeping of funds. A receipt would be issued for those who opened a deposit account, and upon presentation of the receipt, the warehouse would return the specified amount to the depositor. These warehouses represented an elementary banking system because, like banks of today, they collected fees to cover their costs as well as earned profits for their owners. Soon the warehouses began issuing bills of exchange or their own drafts because of the idea that not all depositors would withdraw their funds at the same time. This created the fractional reserve banking system in which banks used the deposits not only to back up the receipts that they issued but also to extend credit.
The coin, currency, and demand deposit payment mechanism flourished for many decades because of its convenience, safety, efficiency, and widespread acceptance by the public. However, another major change is now at hand for payment mechanisms: electronic funds transfers (EFTs).
E-Commerce and Electronic Funds Transfer
Electronic-commerce (E-commerce) and EFT open the next chapter for payment systems. They have been around since the 1960s. T he banking industry is considered to be one of the forerunners in the use of computers. The industry started with mechanizing bookkeeping and accounting tasks, automating transaction flows, implementing magnetic ink character recognition (MICR) technology, and finally, utilizing online terminals to update depositor's account and record receipt or disbursement of cash. The advancement of both computer and communication technologies has spurred the phenomenal growth of EFT systems in the past 20 years. As more consumers become familiar and trust electronic financial transactions, EFTs will continue to be more widely used. Today, EFTs have already gone beyond the banking industry and can be seen in almost all retail establishments such as supermarkets, clothing stores, gas stations, and even amusement parks. EFTs allow the convenience of paying for goods and services without having to use checks or currency. In today's society of ever more computer-literate individuals, a transition is being witnessed from the traditional cash and check system to electronic payment systems.
Future of Electronic Payment Systems
The increased used of the Internet has brought with it a new form of exchange: virtual commerce. The cashless society that futurists have long forecast is finally at hand, and it will replace today's paper money, checks, and even credit cards. Virtual commerce involves a new world of electronic cash (E-cash). Virtual transactions work very much like physical cash but without the physical symbols.
Although the use of E-cash has its positive aspects such as more convenience, flexibility, speed, cost savings, and greater privacy than using credit cards or checks on the Internet, it also has negative ramifications. Uncontrolled growth of E-cash systems could threaten bank and government-controlled payment systems, which would fuel the growth of confusing and inefficient systems. Also, current technology has not yet deemed E-cash to be more secure than bank money because money stored in a personal computer (PC) could be lost forever if the system crashes. In addition, E-cash could permit criminal activity such as money laundering and tax evasion to hide behind cyber dollars. Counterfeiters could also design their own mints of E-cash that would be difficult to differentiate from real money. Finally, criminals such as computer hackers could instantaneously pilfer the wealth of thousands of electronic consumers.
Therefore, many companies have been compelled to develop electronic payment systems that will solve these consumer concerns. In 2000, it represented about 40 percent of the online population. This grew to 63 percent by 2006. There is a definite need for the security and privacy of payments made over the Internet, as millions of transactions occur daily and will be increasing at a rapid pace in the future. With this increase of E-commerce, the likelihood of fraud increases as well. E-commerce depends on security and privacy because, without them, neither consumers nor businesses would have an adequate level of comfort in digital transmission of transaction and personal data. In the newly revolutionized economy, it is a necessity for companies to conduct business online and reach out to customers through the Internet. The primary areas of concern with E-commerce are confidentiality, integrity, nonrepudiation, and authentication. These areas are addressed through several ways such as encryption, cryptography, and the use of third parties.
In addition, the credit card industry has been motivated to find secure technology for
E-commerce. The National Institute of Standards and Technology (NIST) has done some extensive work in this area under its Information Technology Laboratory, devoting an emphasis to Smart Card Standards and Research at http://smartcard.nist.gov. Organizations like these are only a fraction of the massive experiments that will transform the way people think about money. This is a worldwide commerce movement, and not just a U.S. movement. E-cash is the next inevitable payment system for an increasingly wired world. Economic history has once again reached another crossroads. Just as the mercantile class transformed the money exchange system to one of money warehouses, E-commerce (trade on the Internet) will be a revolutionary opportunity for global society to transform today's traditional system of exchange into a system of electronic payments. Thus, the need for auditability, security, and control of IT has become a worldwide issue.
Legal Issues Impacting IT
The financial scandals involving Enron and Arthur Andersen LLP, and others generated a demand for the new legislation to prevent, detect, and correct such aberrations. In addition to this, the advancements in network environments technologies have resulted in bringing to the forefront issues of security and privacy that were once only of interest to the legal and technical expert but which today are topics that affect virtually every user of the information superhighway. The Internet has grown exponentially from a simple linkage of a relative few government and educational computers to a complex worldwide network that is utilized by almost everyone from the terrorist who has computer skills to the novice user and everyone in between. Common uses for the Internet include everything from marketing, sales, and entertainment purposes to e-mail, research, commerce, and virtually any other type of information sharing.
Unfortunately, as with any breakthrough in technology, advancements have also given rise to various new problems that must be addressed, such as security and privacy. These problems are often being brought to the attention of IT audit and control specialists due to their impact on public and private organizations. Current legislation and government plans will effect the online community and, along with the government's role in the networked society, will have a lasting impact in future business practices.
Federal Financial Integrity Legislation
The Enron-Arthur Andersen LLP financial scandal continues to plague today's financial market as the trust of the consumer, the investor, and the government to allow the industry to self-regulate have all been violated. The Sarbanes-Oxley Act of 2002 will be a vivid reminder of the importance of due professional care. T he Sarbanes-Oxley Act prohibits all registered public accounting firms from providing audit clients, contemporaneously with the audit, certain non-audit services including internal audit outsourcing, financial-information-system design and implementation services, and expert services. These scope-of-service restrictions go beyond existing Security and Exchange Commission (SEC) independence regulations. All other services, including tax services, are permissible only if preapproved by the issuer's audit committee and all such preapprovals must be disclosed in the issuer's periodic reports to the SEC.
The act requires auditor (not audit firm) rotation. Therefore, the lead audit partner and the concurring review partner must rotate off the engagement if he or she has performed audit services for the issuer in each of the five previous fiscal years. The act provides no distinction regarding the capacity in which the audit or concurring partner provided such audit services. Any services provided as a manager or in some other capacity appear to count toward the five-year period. The provision starts as soon as the firm is registered, therefore, absent guidance to the contrary, the audit and concurring partner must count back five years starting with the date in which Public Company Accounting Oversight Board registration occurs. This provision has a definite impact on small accounting firms. The SEC is currently considering whether or not to accommodate small firms in this area; currently, there is no small-firm exemption from this provision.
This act is a major reform package mandating the most far-reaching changes Congress has imposed on the business world since the Foreign Corrupt Practices Act of 1977 and the SEC Act of the 1930s. It seeks to thwart future scandals and restore investor confidence by, among other things, creating a public company accounting oversight board, revising auditor independence rules, revising corporate governance standards, and significantly increasing the criminal penalties for violations of securities laws.
Federal Security Legislation
The IT auditor should recognize that the U.S. federal government has passed a number of laws to deal with issues of computer crime and security and privacy of IS. Private industry has in the past been reluctant to implement these laws because of the fear of the negative impact it could bring to a company's current and future earnings and image to the public. The passage of the Homeland Security Act of 2002 and the inclusion of the Cyber Security Enhancement Act will have a substantial impact on private industry. An example of a number of past laws in place is as follows.
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) was first drafted in 1984 as a response to computer crime. The government's response to network security and network-related crimes was to revise the act in 1994 under the Computer Abuse Amendments Act to cover crimes such as trespassing (unauthorized entry) into an online system, exceeding authorized access, and exchanging information on how to gain unauthorized access. Although the act was intended to protect against attacks in a network environment, it does also have its fair share of faults. The IT auditor must be aware of it significance.
Under this act, penalties are obviously less severe for "reckless destructive trespass" than for "intentional destructive trespass." The reasoning behind this is that reckless attackers may not necessarily intend to cause damage, but must still be punished for gaining access to places that they should not have access to. However, the impact of such terminology appears to possibly create some confusion in prosecuting the trespasser because it resides in such a "gray area." In Morris v. United States, it was determined that "intent" applied to access and not to damages. The implication here would be that if the "intentional" part of the violation was applied to access and not the damage, then the culprit could possibly be prosecuted under the lesser sentence.
For example, if an individual intentionally intended to release a virus over a network, it would seem difficult for prosecutors to prove the motive for the violation. What if the individual stated that he or she was conducting some type of security test (as Morris contested) and "accidentally" set off a procedure that released a virus over the network? Intentional could refer to access to a system but it may not apply to damage. In this case, the lesser penalty of "reckless destructive trespass" may be applied. Within the courts, this is a matter that must be contemplated on a case-by-case basis, observing the facts of each individual case. In some instances, however, it would appear that even "intentional" trespass could be defended by claims that the violation was due to negligence and therefore falls under the less severe of the two circumstances.
This legislation has been helpful as a legal tool for prosecuting crimes involving some of the aforementioned intruders and violators of system security, but it also seems to have a loophole in certain cases. Unfortunately, this loophole may be large enough for a serious violator of the act to slip through and be prosecuted under a lesser penalty by virtue of having to prove intent. All states have closed a portion of that loophole through statutes prohibiting harassment or stalking, including "e-mail." This act has been amended several times since 1984 to keep it current.
The Computer Security Act of 1987
Another act of importance is the Computer Security Act of 1987, which was drafted due to congressional concerns and public awareness on computer security-related issues and because of disputes on the control of unclassified information. The general purpose of the act was a declaration from the government that improving the security and privacy of sensitive information in federal computer systems is in the public interest. The act established a federal government computer-security program that would protect sensitive information in federal government computer systems. It would also develop standards and guidelines for unclassified federal computer systems and facilitate such protection.
The Computer Security Act also assigned responsibility for developing governmentwide computer system security standards, guidelines, and security training programs to the National Bureau of Standards. It further established a Computer System Security and Privacy Advisory Board within the Commerce Department, and required federal agencies to identify computer systems containing sensitive information and develop security plans for those systems. Finally, it provided periodic training in computer security for all federal employees and contractors who managed, used, or operated federal computer systems.
The Computer Security Act is particularly important because it is fundamental to the development of federal standards of safeguarding unclassified information and establishing a balance between national security and other non-classified issues in implementing security and privacy policies within the federal government. It is also important in addressing issues concerning government control of cryptography, which has recently become a hotly contested topic.
Privacy on the Information Superhighway
Now that some issues associated with computer security have been reviewed, how the issue of privacy is impacted when computer security is breached will be examined. As is well known, there is a tremendous amount of information that companies and agencies are able to retrieve on any individual. People, corporations, and government are active in trading personal information for their own gain. In Virginia, a resident filed suit in the state court against U.S. News & World Report, challenging the right of the magazine to sell or rent his name to another publication without his express written consent. It is known that individuals share private information on a daily basis, but how has it affected the network world and the Internet? This issue will be analyzed in the following section.
The large number of users on the Internet has resulted in the availability of an enormous amount of private information on the network. This information unfortunately seems to be available for the taking by anyone who might be interested. A person's bank balance, Social Security number, political leanings, medical record, and much more is there for anyone who may want it. Information identity theft has been one of the fastest growing crimes, and use of the IS highway has been a key component of such crimes. In 2003, it was revealed that a hacker penetrated the State of California Payroll system and gained access to personal information. This information potentially could be put up for sale to anyone who might be interested in it. Someone has been collecting information and making it available for use, and a large number of these individuals seem to be refusing to follow any sort of fair information practice. In another 2003 incident, all it took was a phone call for an Internet hijackers to steal 65,000 Web addresses belonging to the County of Los Angeles. The addresses were then sold and used to send pornographic material and junk e-mail and to try to hack into other computers.
Fortunately, the FTC has been very active in providing the public alerts to the various ongoing scams, and by visiting its Web site at www.ftc.gov, people can be helped by the information it can provide if they become victims. This activity is a cause of alarm for everyone and the question is asked-Is it entitled to one's information? What is the government's policy regarding privacy of an individual and keeping a strong security policy? Ideally, citizens would like to limit the amount of monitoring that the government is allowed to do on them, but is the government in a position to monitor communications on the information superhighway? How will this affect one's right to privacy as guaranteed by the U.S. Constitution? The focus of the following section will then be to address these issues, paying especially close attention to the security-based measures that have affected the ideal of individual right to privacy.
Privacy Legislation and the Federal Government Privacy Act
In addition to the basic right to privacy that an individual is entitled to under the U.S. Constitution, the government also enacted the Privacy Act of 1974. The purpose of this is to provide certain safeguards to an individual against an invasion of personal privacy. This act places certain requirements on federal agencies, which include the following:
- Permits an individual to determine what records pertaining to him or her are collected and maintained by federal agencies
- Permits an individual to prevent records pertaining to him or her that were obtained for a particular purpose from being used or made available for another purpose without consent Permits an individual to gain access to information pertaining to him or her in federal agency records and to correct or amend them
- Requires federal agencies to collect, maintain, and use any personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate, and that safeguards are provided to prevent misuse of the information
Although the Privacy Act is an important part of safeguarding individual privacy rights, it is important for the IT auditor to recognize that there are many exemptions under which it may be lawful for certain information to be disclosed. This could, in some cases, for various agencies, both federal and nonfederal, allow the means by which they can obtain and disclose information on any individuals simply because they may fall under one of the many exemptions that the Privacy Act allows. For example, the subsequent Freedom of Information Act provides the federal government a way to release historical information to the public in a controlled fashion. The Privacy Act has also been updated over time through the amendment process.
Electronic Communications Privacy Act
In the area of computer networking, the Electronic Communications Privacy Act is one of the leading early pieces of legislation against violation of private information as applicable to online systems. Before analyzing some of the implications that the act has had on the network community, let us briefly analyze some of the provisions defined by the act, as it seems to be quite complicated in giving privacy protection in some instances and not others.
Communications Decency Act of 1995
The Communication Decency Act (CDA) bans the making of "indecent" or "patently offensive" material available to minors through computer networks. The act imposes a fine of up to $250,000 and imprisonment for up to two years. The CDA does specifically exempt from liability any person who provides access or connection to or form a facility, system, or network that is not under the control of the person violating the act. Also, the CDA specifically states that an employer shall not be held liable for the actions of an employee unless the employee's conduct is within the scope of his or her employment.
Health Insurance Portability and Accountability Act of 1996
On August 21, 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. The original purpose of the law was to make it easier for Americans to maintain their health insurance when they switch jobs and restrict the ability of insurers to reject them based on preexisting health conditions. Unfortunately, the digital age added the provision of "administrative simplifications" to the law. According to the U.S. Department of Health,
The "administrative simplifications" provisions require the adaptation of national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, hospitals, and other healthcare providers to process claims and other transactions electronically. The law also required security and privacy standards in order to protect personal information.
The provisions for administrative simplification came "At the time when hospitals and insurers used more than 400 different software formats to transmit healthcare data. These covered everything from the headers on insurance forms to the codes describing diseases and medication." Many in the healthcare industry have viewed the "administrative simplification" component of the laws to be the most expensive and most difficult to implement. Part of the reason for the difficulty in implementation involves the issue of privacy. According to InfoWorld, "Medical organizations will need to invest in some of the new technologies currently available in other industries. Technologies like digital certificates, authentication, and biometric standards are needed to ensure that those authorized to view something are the only ones that have access." The cost and difficulty of implementing these new technologies to meet the requirements of HIPAA can be both time consuming and expensive, especially for smaller hospitals and clinics with little or no IT support. This is a challenge for internal and external auditors of the U.S. health care industry. Noncompliance by organizations can face stiff fines and penalties. Recent guidance issued by NIST and support of professional associations such as ISSA, IIA, ISACA, and Association of Health Internal Auditors have helped to make internal control improvements to this area.
Security, Privacy, and Audit
In summary, it appears that traditional as well as new security methods and techniques are simply not working. Although many products are quite efficient in securing the majority of attacks on a network, no single product seems to be able to protect a system from every possible intruder. Current security legislation, although addressing the issues of unwanted entry into a network, may also allow for ways by which some criminals can escape the most severe penalties for violating authorized access to a computer system. Moreover, some legislation, in effect, does not require periodic review, thus allowing for various policies and procedures to get outdated. The computer networking industry is continually changing. Because of this, laws, policies, procedures, and guidelines must constantly change with it; otherwise, they will have a tendency to become outdated, ineffective, and obsolete.
On the subject of privacy, it has been seen that in the online world, private information can be accessed by criminals. Some of the legislation passed in recent years does protect the user against invasion of privacy. However, some of the laws observed contain far too many exceptions and exclusions to the point that their efficacy suffers. In addition, the government continues to utilize state-of-the-art techniques for the purpose of accessing information for the sake of "national security" justified currently under the Homeland Security Act. New bills and legislation continue to attempt to find a resolution to these problems, but new guidelines, policies, and procedures need to be established, and laws need to be enforced to their full extent if citizens are to enjoy their right to privacy as guaranteed under the constitution.
Thus, if security products are not safe from every attack, and if current laws may not always be efficient in addressing the problem correctly, is there anything a user might be able to do? Although there is nothing at this time that will guarantee a system's security, a good starting point might be the establishment and implementation of a good computer security policy. A good policy can include
- Specifying required security features
- Defining "reasonable expectations" of privacy regarding such issues as monitoring people's activities
- Defining access rights and privileges and protecting assets from losses, disclosures, or dam
ages by specifying acceptable use guidelines for users and also, providing guidelines for
external communications (networks)
- Defining responsibilities of all users
- Establishing trust through an effective password policy
- Specifying recovery procedures
- Requiring violations to be recorded
- Providing users with support information
A good computer security policy will differ for each organization, corporation, or individual depending on security needs, although such a policy will not guarantee a system's security or make the network completely safe from possible attacks from cyberspace. With the implementation of such a policy, helped by good security products and a plan for recovery, perhaps the losses can be targeted for a level that is considered "acceptable" and the leaking of private information can be minimized.
Because IT and information security are integral parts of the IT's internal controls, we have discussed earlier the Internal Control Integrated Framework publication by COSO in 1997, which specifically includes IT controls. Also addressed are the IIA's SAC and ISACA's CoBiT, which are both directly related to the frameworks identified by COSO in their reports. These are standards of practice, mentioned earlier, to help guide business in its IT strategic planning process. This chapter has provided guidance and examples of how critical these components are in setting the direction for what will follow.
The computer is changing the world. Business operations are also changing, sometimes very rapidly, because of the fast continuing improvement of technology. Events such as September 11, 2001, and financial upheavals from corporate scandals such as Enron and Global Crossing have resulted in increased awareness. Yes, IT controls are very important. Today, people are shopping around at home through networks. People use "numbers" or accounts to buy what they want via shopping computers. These "numbers" are "digital money," the modern currency in the world. Digital money will bring us benefits as well as problems. One major benefit of digital money is its increased efficiency. However, it will also create another problem for us. "Security" is perhaps the biggest factor for individuals interested in making online purchases by using digital money. Also, it must be remembered that vigilance needs to be maintained over those who use the Internet for illegal activities, including those who are now using it for scams, crime, and covert activities that could potentially cause loss of life and harm to others. IT control and security is everyone's business.
Most people fear giving their credit card numbers, phone numbers, or other personal information to strangers. They are afraid that people will be able to use these to retrieve their private or other valuable information without their consent. With identity theft and fraud on the rise, much care is needed in the protection, security, and control of such information. Security, indeed, is the biggest risk in using digital money on the Internet. Besides the problem of security, privacy is a significant factor in some electronic payment systems. To encourage people to use digital money, these electronic payment systems should ensure that personal and unrelated information is not unnecessarily disclosed.
For the IT auditor, the need for audit, security, and control will be critical in the areas of IT and will be the challenge of this millennium. There are many challenges ahead; everyone must work together to design, implement, and safeguard the integration of these technologies in the workplace.