UPDATE on Computer Audit, Control and Security
NEWS

ment in the direction of the project, and gives certain other rights. A Control Handbook will be produced as a final report of the project, and will eventually be available for public sale. Every participant and sponsor will receive a copy. The project leaders are Edward de Bono, Michael Comer and Roger Will at (whose article on Systems Abuse appears in this issue of UPDATE). This is a powerful team, and the project looks like being of great interest to any organisation which wishes to rethink its security and management control strategies from first principles. Details from Special Projects Division of Strategic Management Group, 16 Charles II St, London SW1 40U. 01-930 7214.
A special set of security problems confronts the organisation which is totally dependent on its data processing capability, and the integrity and security of its data, but which must keep its computers on-line 24 hours a day. There is a need to keep backups off-site, in case of total disaster, but all methods of doing this have drawbacks. 'Internal mirror imaging' - basically maintaining two databases in two locations - is expensive. The use of courier services to take backups off-site is another possibility, but under certain circumstances, such as a disc failure resulting in delays in backup production, a company can be exposed for a period of several hours - not a comfortable position. 'Electronic Vaulting' - transmitting backups to a remote location via modem link - has hitherto not been practical due to slow speed. However, in the United States, Dataport Corporation are now testing an approach to electronic vaulting using modern fast modems and dedicated fibre optic telephone lines.

COMPACS 89 programme

The programme for COMPACS 89 is now available. This is, of course, one of the high points of the computer auditor's year, and regularly attracts over 1000 delegates. This year, the day themes for each of the four days will be: Auditor Productivity (Tuesday), Legal Implications for Auditors of Computer Abuse plus DEC Systems Software (Wednesday), Computers: Threats and Countermeasures (Thursday), and IBM and ICL Software (Friday). Speakers include PJ Coram, Jerry FitzGerald, Marti King, Dr Stephen Castell, Colin Nicholls OC, Mike Comer, Dave DeRosier, Peter Wild, Rod Perry, Clive Batchford, Yvo Henniker-Heaton, Steve Ross, Mike Kerford-Byrnes, Aldan Lawes and Jeff Pickering. For booking form and further details, write to the Institute of Internal Auditors/UK, 82z Portland Place, London W1N 3DH.
SURVEYS

What would you be doing now if you had had a major systems failure 24 hours ago? If you can provide a quick confident answer to that question, you are likely to be working for one of only four companies in ten that have a written contingency plan for computer failure. But are you sure your plan would work? When did you last test it? If you are still answering confidently, you are in a very select group - only a quarter of the companies with a written contingency plan have tested it in the last year. If you doubt the importance of testing contingency plans, read a little military history! Is this apparently cavalier attitude to computer risks due to the fact that computers are unimportant in most companies these days? Far from it. Over half of companies estimate that they would not be able to keep going for more than two days without their computers. But then it always happens to someone else, doesn't it? Check the background of data processing staff? What on earth for! Who ever heard of computer fraud? That seems also to be the attitude of companies, less than half of whom systematically check out the background of DP staff. (See Management Awareness of Computer Risks - a European Survey, Arthur Young, Rolls Building, Fetter Lane, London EC4A 1NH. £40.)

The theme of disaster recovery is also covered in a recent survey carried out for Allen Computers by Romtee. Allen Computers offer disaster recovery services to DEC installations. The findings will be predictable and depressing to anyone who earns his or her crust in computer audit, control or security. Of 180 managers of information technology departments, only two-thirds had any kind of disaster recovery plan. Unfortunately, plans were often confused, unworkable and poorly thought out. Horrifyingly, 16 per cent (and these were IT, not general managers) thought that their maintenance contracts dealt with disaster recovery. A third of those with plans blithely assume that it will be possible to use machines elsewhere in the group, without having assessed workload or systems implications. Eight per cent of respondents had formal reciprocal arrangements with outside suppliers, and 7 per cent claimed to subscribe to a disaster recovery service. (Contact: Helen Anderson, Allen Computers, 0784-37411.)

The lack of centralised direction and top management concern for computer security is highlighted by a survey from Peat Marwick McLintock. Few company boards involve themselves in the affairs of the data processing department or in information technology. Security is a part-time job in most companies, though positive signs are that over 40 per cent of companies actually do have a full-time security administrator, and most companies use some security software - most having started to do so recently. (We hope to carry a full report of this survey in Issue 2 of UPDATE.)

Two of our writers in this issue refer to Ernst & Whinney's latest annual survey, on fraud. The survey, carried out by Concensus Research, is available from Ernst & Whinney, Becket House, Lambeth Palace Road, London SE1, and costs £15.

Letters

It is intended that UPDATE will become a two-way medium of communication between all those involved in computer audit, security and control. Therefore we positively welcome readers' letters for publication.

Volume 1 Number 1 July/August 1988