How to improve client's access control over programs and files
by Roger K. Doost
Until recently, when most (and perhaps all) computer activities took place in a closed-shop environment under the direction of a data processing manager, the primary emphasis for security was protecting the central facility and what went on within it. Controls included choosing a secure location for the computer center, using employee identification badges and special magnetic cards or keys for entrance to the facility, logging all entrances and departures, and generally limiting permitted access.
In recent years changes have been made in how computers are used. Computers are now placed at the locations where data is generated or used (distributed data processing), and there has been a growth in on-line processing, where data are entered as events occur and processed immediately for feedback to users. In addition, long-distance transfer of data and information permits data entry, verification, and processing to take place in various parts of the organization.
These changes have shifted the emphasis from traditional controls to what can be termed on-line access controls. How many of these access controls are necessary, and at what cost are they justified? The answers to these questions depend upon the degree of proliferation of computer systems within an organization and the critical nature of the data involved.
The Necessary Controls
The presence of general controls such as separation of functions and sound personnel policies and training will reduce the chances of unauthorized access to and use of computer resources. But these alone are by no means adequate in the computer processing environment of today. With the decentralization of computer processing, access controls have become even more important.
Locking the office, posting security guards, or installing security cameras for surveillance is a common and effective physical access control. User identification and passwords for accessing systems are also widely used. Together these form a three-step procedure. Step 1 admits an authorized user to the hardware (physical access). Step 2 admits the user to the system (identification and password). Step 3 restricts the user to certain programs and files (authorization). A weakness at any one step undermines the other two.
What needs greater attention is the level of sophistication necessary to make a password system effective and reliable. Additional controls may be needed such as dial-back procedures, cryptographic protection, password protection, device authorization tables, access control matrices, data communication access controls, and off-line storage of critical programs and files.
The dial-back procedure has the computer hang up on an incoming request and dial back a number on file for that user, so that a session can only be established from a known location. This procedure is particularly important in long-distance communication over public lines, where an intruder can impersonate a legitimate caller. Dial-back establishes where a call originates; it does not protect the data on the line from wiretapping. The complementary procedure for that is encryption of the data, commonly referred to as cryptographic protection. Data transferred over communication lines is transformed by a cipher under a secret key, which makes it unreadable to an intruder who does not hold the key. At the receiving end, a program holding the same key decrypts the data before it is processed.
Password protection refers to the measures that make passwords themselves reliable. Users must be warned to protect their passwords. The system should not display the password on the screen as it is entered. The ID should be locked out automatically after three or four unsuccessful entry attempts with the wrong password. Initial creation of a password is often left to the computer, because machine-generated passwords are seldom meaningful words and are therefore harder to guess. Frequent changes of passwords also enhance control. In addition, there should be a system log showing all password access attempts, with the location of the access, the ID used, the time of day, and whether the attempt succeeded. Such a log should be reviewed regularly by a system security officer.
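As an added illustration (not part of the original article), the following Python program reviews a password-attempt log of the kind described above. The log lines, the terminal names and the user IDs are constructed for the example and the field layout is an assumption. It flags two things the security officer's review is looking for: IDs that reached the lockout threshold, and IDs presented from more than one location within a short window, which is the usual sign of a shared or stolen password.

```python
"""Review a constructed password-attempt log and flag what a security
officer should look at. Added example; log format, terminal names and
user IDs are assumptions, not from the article."""

from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3  # the article suggests three or four bad attempts

# Constructed sample log: date, time, terminal/location, user ID, outcome.
SAMPLE_LOG = """\
1989-03-06 08:01:12 PAY-01 PCLERK1 OK
1989-03-06 08:02:40 SALES-03 SALES07 FAIL
1989-03-06 08:02:55 SALES-03 SALES07 FAIL
1989-03-06 08:03:10 SALES-03 SALES07 OK
1989-03-06 08:15:02 DIALIN-2 PCLERK1 FAIL
1989-03-06 08:15:20 DIALIN-2 PCLERK1 FAIL
1989-03-06 08:15:41 DIALIN-2 PCLERK1 FAIL
1989-03-06 08:15:59 DIALIN-2 PCLERK1 FAIL
1989-03-06 08:20:00 PAY-02 PCLERK1 OK
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, location, user_id, outcome = line.split()
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "location": location,
            "user": user_id,
            "ok": outcome == "OK",
        })
    return records


def consecutive_failures(records):
    """Return {user: (location, count)} for every ID whose run of bad
    attempts reached the lockout threshold. A successful entry resets the
    run, as the system's own counter would."""
    runs = defaultdict(int)
    hits = {}
    for r in records:
        if r["ok"]:
            runs[r["user"]] = 0
            continue
        runs[r["user"]] += 1
        if runs[r["user"]] >= LOCKOUT_THRESHOLD:
            hits[r["user"]] = (r["location"], runs[r["user"]])
    return hits


def multi_location_use(records, window=timedelta(minutes=30)):
    """Return {user: sorted locations} where one ID was presented from two
    or more locations within `window` of each other."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["when"])
        for i, first in enumerate(recs):
            locations = {first["location"]}
            for later in recs[i + 1:]:
                if later["when"] - first["when"] > window:
                    break
                locations.add(later["location"])
            if len(locations) > 1:
                flagged[user] = sorted(locations)
                break
    return flagged


def review(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {
        "lockouts": consecutive_failures(records),
        "multi_location": multi_location_use(records),
    }


if __name__ == "__main__":
    for kind, findings in review().items():
        print(kind)
        for user, detail in findings.items():
            print("   ", user, detail)
```

On the sample log, SALES07's two failures followed by a success are ordinary mistyping and are not reported, while PCLERK1 is reported twice: four straight failures from the dial-in port, and use from three locations inside twenty minutes.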
A device authorization table is another useful access control. Specific workstations can be restricted to a limited, predetermined set of functions and files regardless of who is sitting at them. For example, a terminal in the payroll department may be dedicated to payroll functions and be authorized to access personnel and payroll data, while a terminal in the sales department may have access only to inventory and customer information. Accordingly, a salesman will not be able to change payroll data, nor will a payroll clerk be able to place an order.
An access control matrix is used to control what a user can do with the files and/or programs he or she is authorized to access. Restrictions are placed separately on reading and on making changes. A payroll clerk, for example, may be allowed to run the payroll program and to read the payroll transaction and master files. However, this clerk should not be allowed to make any changes to payroll programs or to permanent payroll information such as employee deductions, name, address, or pay rates. These items can only be changed by designated individuals in the personnel department.
In like manner, a programmer may have access to a copy of the payroll program when changes or modifications are requested, but he or she should not have access to the live payroll file or the production copy of the program. Only after the user has reviewed the output generated by the revised program and the data processing manager has approved the changes should the production program be altered.
A sophisticated access control system would introduce limitations not only in the use of programs and files, but also in individual fields within a file. One employee may be allowed to make changes to names and addresses while another employee may be authorized to alter pay rates. Increased security can be provided by allowing certain operators to read data but not make changes in certain fields. For example, a salesman may be authorized to review a customer's credit information and unpaid balances but not be permitted to make changes in those balances. A complementary procedure would be to prevent an operator from viewing certain portions of a file. For example, a payroll clerk may be able to access payroll information for general employees but not the executive payroll.
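The device authorization table, the access control matrix, the programmer's restriction to a copy of the program, and the field- and record-level restrictions described in the preceding paragraphs can be combined into one authorization check. The following Python program is an added example, not the article's own; the table contents, user IDs, terminal names and file names are assumptions chosen to match the payroll and sales illustrations above.

```python
"""One authorization check that applies, in order, a device authorization
table, an access control matrix, a record-level visibility rule and a
field-level change rule. Added example; every table entry, user ID,
terminal and file name below is an assumption for illustration."""

READ, CHANGE = "read", "change"

# Device authorization table: terminal -> files it may reach at all.
DEVICE_TABLE = {
    "PAY-01":   {"payroll_master", "payroll_trans", "personnel"},
    "SALES-03": {"inventory", "customer"},
    "DEV-01":   {"payroll_program_copy"},   # programmer's terminal: copy only
}

# Access control matrix: (user, file) -> permitted operations.
ACCESS_MATRIX = {
    ("pclerk", "payroll_trans"):   {READ, CHANGE},
    ("pclerk", "payroll_master"):  {READ},            # may look, not alter
    ("hrclerk", "payroll_master"): {READ, CHANGE},
    ("sales07", "customer"):       {READ},            # balances read-only
    ("sales07", "inventory"):      {READ},
    ("prog01", "payroll_program_copy"): {READ, CHANGE},
}

# Field-level rules: (user, file) -> fields the user may change.
# No entry means a CHANGE right covers every field.
FIELD_RULES = {
    ("hrclerk", "payroll_master"): {"name", "address"},   # not pay_rate
}

# Record-level rules: (user, file) -> predicate a record must satisfy
# before the user may see it at all.
RECORD_RULES = {
    ("pclerk", "payroll_master"): lambda rec: rec.get("grade") != "executive",
    ("pclerk", "payroll_trans"):  lambda rec: rec.get("grade") != "executive",
}


def authorize(terminal, user, file, op, field=None, record=None):
    """Return (allowed, reason). Every control must pass; the first one
    that refuses is named, which is what belongs in the system log."""
    if file not in DEVICE_TABLE.get(terminal, set()):
        return False, f"device table: {terminal} may not reach {file}"
    rights = ACCESS_MATRIX.get((user, file), set())
    if op not in rights:
        return False, f"access matrix: {user} has no {op} right on {file}"
    if record is not None:
        visible = RECORD_RULES.get((user, file), lambda r: True)
        if not visible(record):
            return False, f"record rule: {user} may not see this {file} record"
    if op == CHANGE and field is not None:
        allowed_fields = FIELD_RULES.get((user, file))
        if allowed_fields is not None and field not in allowed_fields:
            return False, f"field rule: {user} may not change {file}.{field}"
    return True, "allowed"


if __name__ == "__main__":
    requests = [
        ("PAY-01", "pclerk", "payroll_trans", CHANGE, None, {"grade": "staff"}),
        ("PAY-01", "pclerk", "payroll_master", CHANGE, "pay_rate", {"grade": "staff"}),
        ("PAY-01", "pclerk", "payroll_master", READ, None, {"grade": "executive"}),
        ("PAY-01", "hrclerk", "payroll_master", CHANGE, "pay_rate", None),
        ("PAY-01", "hrclerk", "payroll_master", CHANGE, "address", None),
        ("SALES-03", "sales07", "payroll_master", READ, None, None),
        ("SALES-03", "sales07", "customer", CHANGE, "balance", None),
        ("DEV-01", "prog01", "payroll_program", CHANGE, None, None),
        ("DEV-01", "prog01", "payroll_program_copy", CHANGE, None, None),
    ]
    for req in requests:
        allowed, reason = authorize(*req)
        print("ALLOW" if allowed else "DENY ", req[:4], "-", reason)
```

The order of the checks matters: the device table is consulted first, so a valid payroll ID typed at a sales terminal is refused before the matrix is even looked up, and the executive payroll records are hidden from the clerk before any field rule applies.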
Data communication software introduces the need for additional controls over sensitive data in transit. Methods used include fragmentation, message intermixing and data encryption. Fragmentation transmits each byte of data individually so that a wiretapper has a harder time recognizing the complete message. Message intermixing interleaves messages from various terminals before sending; they are separated again by the receiving computer. Data encryption transforms the data under a secret key at the sending end to disguise its meaning and reverses the transformation at the receiving end. The first two methods only obscure the message: a wiretapper who records the whole line can reassemble it, since the receiving computer must be able to do the same. Encryption with a key the wiretapper does not hold is the method that actually protects the contents.
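The following Python program, an added example not from the article, models the three methods on a constructed pair of terminal messages and also stands in for the cryptographic protection mentioned under dial-back above. It shows that a wiretapper who records the whole line can undo fragmentation and intermixing using nothing but the tags the receiving computer itself needs, while the encrypted stream remains unreadable and any alteration to it is detected on receipt. The cipher is a stand-in built from the standard library (a hash-based keystream with an HMAC tag, encrypt-then-MAC); the key and the messages are constructed for the example, and a production system would use a vetted authenticated cipher instead.

```python
"""Fragmentation and intermixing versus encryption, as seen by a
wiretapper. Added example; messages, terminal names and EXAMPLE_KEY are
constructed for illustration. The cipher is a standard-library stand-in,
not a recommendation for production use."""

import hashlib
import hmac
import os

# Constructed sample traffic from two terminals.
MESSAGES = {
    "PAY-01":   b"PAY RATE SMITH 14.50",
    "SALES-03": b"ORDER 44 QTY 120",
}

# Constructed key for the example only; real keys come from a secure generator.
EXAMPLE_KEY = bytes(range(32))


def fragment_and_intermix(messages):
    """Model of the line: each byte travels alone, tagged with its terminal
    and sequence number (the receiver needs both to separate and reorder
    the streams), and the terminals' units are interleaved round-robin."""
    streams = {t: [(t, i, bytes([b])) for i, b in enumerate(m)]
               for t, m in messages.items()}
    units = []
    while any(streams.values()):
        for t in list(streams):
            if streams[t]:
                units.append(streams[t].pop(0))
    return units


def wiretap_reassemble(units):
    """What a wiretapper does with the captured units: group by terminal,
    sort by sequence number, join. No secret is needed."""
    recovered = {}
    for term in {u[0] for u in units}:
        ordered = sorted((u for u in units if u[0] == term), key=lambda u: u[1])
        recovered[term] = b"".join(u[2] for u in ordered)
    return recovered


def _subkeys(key):
    """Separate keys for the keystream and the integrity tag."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag for transmission."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)              # fresh per message; never reuse
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then recover the plaintext; refuse altered data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message altered in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    print("wiretap, plain:    ", wiretap_reassemble(fragment_and_intermix(MESSAGES)))
    sealed = {t: encrypt(EXAMPLE_KEY, m) for t, m in MESSAGES.items()}
    captured = wiretap_reassemble(fragment_and_intermix(sealed))
    print("wiretap, encrypted:", {t: v.hex()[:32] + "..." for t, v in captured.items()})
    print("receiver decrypts: ", {t: decrypt(EXAMPLE_KEY, v) for t, v in captured.items()})
```

Fragmentation and intermixing can still be worthwhile on top of encryption, for instance to hide message boundaries and lengths, but on their own they are not a substitute for it.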
Another important control is off-line storage of critical files and programs which do not have to be constantly accessed by users. There is seldom a reason for continuous access to a payroll file on a daily or hourly basis. Depending on how often employees are paid, the relevant data can be made available when needed. After maintenance and updating it can be put back in the secure off-line location until the next processing.
Access control in an on-line computerized environment is of significant importance to a company. Considerable loss from unauthorized use, abuse, or alteration of files or programs may be avoided if a comprehensive and workable access control system is in place. Regardless of the access control system used, constant monitoring of its operation is required. It must be kept up to date, and the IDs and passwords of users who have left or changed duties must be voided promptly. However, since there is a cost associated with every control, a careful cost/benefit analysis must precede the implementation of each additional one.
Client Write-up Software
Accounting by Design has started shipping Version 2.0 of its ACCOUNTING BY DESIGN WRITEUP PROGRAM. This package runs under Microsoft Windows/286 and takes advantage of Windows' multi-tasking features to allow long jobs like posting and printing to run in the background while other Windows applications continue to run in the foreground. Multiple jobs such as writing letters, checking spreadsheets and making journal entries can be performed on the screen at the same time.
The graphics interface of Windows allows reports to be displayed on the screen in their entirety with up to 212 characters per line. The graphics capability also supports continuous underlining on financial reports. The CLIENT WRITE-UP PROGRAM, which supports multiple companies as well as multiple departments and sub-departments, provides over 15 standard reports including a current period and year-to-date general ledger, chart of accounts and journals.
Version 2.0 supports reversing journal entries for any period, including the last one of the year. It includes a custom report generator and an after-the-fact payroll system which supports ten payroll fields and direct printing onto federal and state tax forms including W2s and 1099s. Data can be imported from such general ledger programs as RealWorld and Computer Associates.
ACCOUNTING BY DESIGN CLIENT WRITE-UP
Accounting By Design
2931 Shattuck Avenue
Berkeley, CA 94705
415-845-4716
Requirements: Runs under both 286 and 386 versions of Microsoft Windows on the IBM AT and compatibles with 640K. Although not required, a mouse and color monitor are recommended.
Price: $995 including Windows.
Compound Interest and Loan
TVALUE Version 3.0 is now available from Time Value Software. This is a financial utility which handles compound interest problems and prints loan amortization schedules. The user simply fills in the blanks on the main screen to enter his or her loan information such as interest rate, number of payments, loan or deposit amount, etc. The program then solves for unknowns with a single keystroke.
The program is applicable to a broad range of business tasks such as computing the future values of annuities or rental properties, figuring yields on investments, or comparing mortgage interest costs. New enhancements to the program include an improved user interface for handling multiple loans and interest rate changes, the ability to export reports to 123 and text files, and the use of pop-up windows for handling interest only, skip payment, fixed principal, and other payment series.
TVALUE VERSION 3.0
Time Value Software
14771 Plaza Drive, Suite K
PO Box 443
Tustin, CA 92681-0443
714-731-9214
Requirements: IBM PC, PS/2 or compatible computer with 348K and MS/PC DOS 2.0 or higher. A hard disk is not required.
Price: $99.
Time and Billing Software
Q.W. Page Associates, developers of NEWVIEWS accounting software have announced the release of an add-on product to handle time and billing applications. NVTIMEBILL is designed for accounting, legal, and other professional firms, collecting time entries and tracking activities in hours and dollars by project, client, and professional.
NVTIMEBILL supplements existing NEWVIEWS capabilities and shares its full reporting and transaction capabilities. It is fully integrated with other NEWVIEWS functions, running in real time and updating all accounts and reports as transactions are entered.
There are no separate modules or menus, and there is no limit to the number of companies, reports, accounts or transactions.
NVTIMEBILL
Q.W. Page Associates, Inc.
One St. Clair Avenue West
Toronto, Ontario M4V 2Z5, Canada
416-923-4567
Requirements: IBM AT or compatibles, hard disk, 512K, DOS 2.1 or higher.
Price: $195.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.