Suggestions for Improved Controls Over A Financial System Network

See the main document, Novell Netware's Financial System Review, for review observations related to the general suggestions included on this page. General suggestions on this page fall under the following categories:

Strategic Planning

  1. Prioritize projects -- estimate hours, benefits of doing the job, start date and provide feedback on status.

  2. Use a management and staff steering committee -- conduct periodic meetings to review status and prioritize projects. The status and priorities may need to be reviewed once a quarter and new projects can be added as necessary. This helps in providing a stable work environment which meets departmental requirements and allows for proper planning and implementation.

  3. Produce annual work plan for systems and application changes, changing priorities as necessary when departmental requirements change. Adding imaging, upgrading or changing the network operating system, strengthening network security, and major application changes are examples of items that could be covered.

Application Program Change Control

It is prudent to ensure that no production changes are made without checking them on the development system first. Production programs and data should be well protected, and fallback positions are necessary if an implementation in production is faulty. Greater care should be taken to ensure that the operation does not get caught without the ability to back up to the previous version of any major application or system. The following control guidelines are recommended:
  1. Use system change request (SCR) forms or screens to document requests.
  2. Ensure that the SCR’s are approved and prioritized by appropriate authority.
  3. Assign the programmer/analyst who will do the work and track the status.
  4. Ensure that the test results are reviewed before implementation in Production.
  5. Ensure that the Production status is tracked until assured that everything is okay.
  6. System interfaces and data compatibility with other systems need to be tightly controlled to prevent problems.

Network/Computer Operations

  1. Communicate schedules for Production work, uptime, downtime, etc.
  2. Consider non-day shift and weekend work for items that will impact users or system use.
  3. Minimize any impact on your Advisors and Analysts.

Management Tools

  1. Produce a network diagram or hardware list (checklist format for periodic review -- easily produced by many of the automated tools).
  2. Document the system for new employees (screen prints at a minimum).
  3. Produce status reports (on applications and systems, at least monthly).

Hardware/Software Security

  1. Control remote dial-up lines and consider using dial-back devices.
  2. Control Internet access. If you have any TCP/IP software on your system, it can potentially be accessed over the Internet and it is not secure without additional protection.
  3. Lock the doors to the server rooms (at least at lunch and at night, preferably all the time).

Disaster Recovery/Contingency Planning

  1. Ensure that incremental daily backups and weekly complete system backups are performed, and have the capability to recover from them. The client is currently doing these, and storing backups at several off-site locations.

  2. Consider having the computer center perform the backup procedures for the department in the future. The computer center could store the client’s server in their conditioned computer room if requested. Most departments do this because it provides better security, and a controlled environment that helps prevent system damage.

  3. Ensure that the departmental backup plan covers how the department will operate if the system goes down for any length of time. Departmental employees did not feel that they could operate for very long without the system.

Employee Training

Departmental employees will need initial and ongoing training in Novell, Foxpro and the financial system itself. This should be planned for and budgeted on an annual basis. Novell and Foxpro training could be obtained from external or internal sources. UC-San Diego has a web page which advertises the Novell classes offered by certified Novell trainers for a significantly reduced price.

Training for the client’s application could be provided internally, and we recommend that the ongoing trainer not be the system administrator, even if they are needed for initial or emergency training. Making the system trainer responsible for maintaining user documentation helps to ensure that it is current and useful. Program documentation is the responsibility of the programmers, but they must have sufficient training in the system, database and the programming language to be able to accurately document it.

User and System Documentation

The client’s network administrator feels that user and operations documentation are currently sufficient, but the programming documentation is minimal. Lack of program documentation will significantly increase the difficulty in training new programmers and in the time that they will require to change or enhance the system.

Higher Level Support

It might be more prudent to discourage departmental employees from doing everything. The client should plan to use the divisional network support personnel and the central IS function for whatever hardware and software support they can provide so that the client’s personnel can focus on managing the financial application. Microcomputers, their operating systems, and Microsoft Office training should not be something handled by the system administrator. It is too difficult to manage critical tasks while answering questions about basic computer issues that should be handled elsewhere. Designate a departmental representative who can decide when to contact someone else for support, and ensure that it is not someone who should not be distracted from more important tasks.

Staffing and Funding

Staffing for a computer organization will get expensive if the client continues to do everything on its own. Similar departments elsewhere appear to be using significantly more personnel than the client. Comparable salaries will be an issue because the client is requiring the same kind of expertise as IS organizations, but these organizations are paying better.

Computing and Network Administration

We recommend that the department establish clear lines of authority and responsibility to prevent the network administrator from being directly responsible for answering all computing questions, handling all computing problems, and making all computing decisions. Different employees should be empowered to handle application support, network operations, and the microcomputer support. These support efforts should be coordinated through one person with prioritization from the department head and the steering committee.

Database Analysis and Administration

This is a complicated area of expertise that requires extensive experience and education, and the salaries are high for anyone with experience in the relational database area. Oracle, DB2 and Sybase database administrators are paid at very high levels. If the client’s division intends to have a completely integrated set of data, they should consider one or more database administration positions to coordinate data between all interfacing units or organizations that require access to the data. If management develops its own internal expertise, the expertise will help all interfacing units, build additional backup application expertise, and it can be used for less than management would pay for external people. However, management must find ways to retain its internal expertise if it wants to continue with this practice.

[ Home Page ] [ NewsLine ] [ IS Audit ] [ IS Security ] [ Control ]

For comments or problems, please e-mail
Slemo Warigon
or call (805) 893-3817.
Copyright © 1996-1997 WariNet Haven