View original document

The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.

FEDERAL RESERVE BANK
©F NEW YORK

^

dtJ 'ltd

F e b r u a r y 8 S 1988

RISKS ASSOCIATED W ITH THE USE OF MICROCOMPUTERS

To All State Member Banks, Bank Holding Companies, and Edge
and Agreement Corporations in the Second Federal Resrve District,
and Others Concerned:
T h e w id e s p r e a d u s e o f m ic r o c o m p u te r s b y f in a n c ia l i n s titu tio n s h a s p r o v id e d e n d - u s e r s
w ith d ir e c t a c c e s s t o s e n s itiv e a n d v a lu a b le b a n k d a t a . T h e f e d e r a l b a n k r e g u la to r y a g e n c ie s
a r e c o n c e r n e d t h a t in s o m e f in a n c ia l in s titu tio n s th e u s e o f m ic r o c o m p u te r s m a y h a v e o u t ­
p a c e d t h e i m p le m e n ta tio n o f c o n tr o ls . A c c o r d in g ly , t h e a g e n c ie s h a v e a g r e e d t o a le r t i n ­
s t itu tio n s s u b je c t t o th e i r s u p e r v is io n t o th e ris k s a s s o c ia te d w ith e n d - u s e r c o m p u tin g a n d
h a v e s u g g e s te d c o n tr o ls f o r t h e m i c r o c o m p u t e r e n v ir o n m e n t.
E n c lo s e d is t h e te x t o f a d o c u m e n t o n e n d - u s e r c o m p u tin g w h ic h d is c u s s e s c e r ta in
o p e r a t i o n s , c o n tr o ls , a n d ris k s . A c o p y o f th e E D P E x a m i n a t i o n H a n d b o o k r e f e r r e d t o in
t h e e n c lo s e d d o c u m e n t c a n b e o b t a i n e d f r o m P u b li c a t io n S e rv ic e s a t t h e B o a r d o f G o v e r ­
n o r s o f th e F e d e r a l R e s e rv e S y s te m , W a s h in g to n , D .C . 205 5 1 (T e l. N o . 2 0 2 -4 5 2 -3 2 4 5 ) a t a
c o s t o f $ 7 5 .0 0 . Q u e s tio n s r e g a r d in g th is m a t t e r m a y b e d ir e c te d t o o u r S p e c ia liz e d E x a m i n a ­
tio n s D e p a r t m e n t (T e l. N o . 2 1 2 -7 2 0 -7 9 4 6 ).

Ja m e s K . H o d g e t t s ,

Chief Compliance Examiner.

END-USER COMPUTING
PURPOSE
The purpose of this paper is to alert management of each
financial institution to the risks associated with ®ad°iier
computing operations and to encourage the implementation of sound
control policies over such activities0
BACKGROUND
In recent years? microcomputers? or npersonal computers05? have
become more prominent in the business environment„ They are now
being used? not only as word processors and access devices to
other computers? but also as powerful stand-alone computers„ As
such? information processing has evolved well beyond the
traditional central environment to distributed or decentralised?
operations. This trend has offered substantial benefits in
productivity? customization? and information access» However? it
also has meant that those control procedures? previously limited
to the central operations? must be reapplied and extended to the
^end-user50 level„
CONCERNS
Technology? using microcomputers as end-user computing devices?
has taken data processing out of the centralized control
environment and introduced the computer related risks in new
areas of the financial institutions» However? the implementation
of these new information delivery and processing networks has
outpaced the implementation of controls„ Basic controls and
supervision of these computer activities often have not been
introduced? or expected? at the end-user level0 The
technological advantages? expediency? and cost benefits of
end-user computing has been the primary focus. Recognition of
the increased exposures and the demands for expanded information
processing controls has lagged„ These concerns for data
protection and controlled operations within the end-user
environments must be addressed to minimize risks from:
-

incorrect management decisions?
improper disclosure of information?
fraud?
financial loss?
competitive disadvantage? and
legal or regulatory problems0

End-user computing is recognized as a productive and appropriate
operational activity„ However? control policies for data
security and computer operations? consistent with those for
centralized information processing functions? need to address the
additional risks represented in the end-user computing
operations.

2
Management in each financial institution is encouraged to
evaluate the associated risks with its end-user computing
networks and other forms of distributed computer operations.
Control practices and responsibilities to manage these activities
should be incorporated into an overall corporate information
security policy« This policy should address areas such ass

-

management control*
data security*
documentation*
data/file storage and back-up*
systems and data integrity*
contingency plans*
audit responsibility* and
training.,

Responsibilities for the acquisition* implementation and support
©f such networks should be clearly established.,
The attached appendix provides more details regarding the risks
and suggested controls for end-user computing and other computer
related activities„ Additional control recommendations can be
referenced in the FFIEC BDP Examination Handbook,
POLICY
It is the responsibility of the Board of Directors to ensure that
appropriate corporate policies* which identify management
responsibilities and control practices for all areas of
information processing activities* has been established., The
existence of a ^corporate information security policyQ* the
adequacy of its standards* and the management supervision of such
activities will be evaluated by the examiners during the regular
supervisory reviews of the institution„

APPENDIX
BISKS AND CONTROLS IN END-USER COMPUTING
Microcomputers* in the end-user computing operations* are being
used basically for three purposes §
h
20
3o

as word processors,,
as communication terminals with other computers
(to transmit or receive information in their
databases1* and
as stand-alone computer processors„

These three functions require different control objectives* based
on the risks associated with the activity,, Each function
requires certain operational type controls such as physical
security* logical security* and file baek-upQ However* the more
pronounced risks involve those operations using microcomputers as
stand-alone processorsc
While word processing and terminal communications also require
strong controls* programming support for the operating software
and applications systems generally remains centralized or is a
vendor responsibility0 In end-user computing* the user is often
engaged in program development* in addition to information
processing0 This may involve the creation of programmed software
from an original design or building customized routines from
specialized vendor software0 Regardless* the control techniques
for the programming* its testing* and its documentation are
necessary to ensure the integrity of the software and the
production of accurate dataD
In addition to the programming activity* the end-user environment
supports computer processing* which may be totally separate from
centralized controls0 Information may be downloaded from the
main databases and reprocessed by the end-user„ Data may also be
originated for processing in this structure0 Regardless of the
source* the resulting information is relied upon by management
for decisions impacting corporate strategies and customer
relationshipso The integrity of the data becomes no less
important than had the data been produced through more
sophisticated computer processes. Likewise* the need for control
at the micro level remains equally important»
IMPACTS
The failure to properly implement a uniform set of controls on
the end-users of microcomputers* consistent with those controls
required in a mainframe data center* can create two broad
categories of risks §
lo

the corruption or loss of data and/or program
software* and

2
2o

impediments to the efficient operation and
management of the financial institution0

The quality of data is paramount to the successful management of
any institution0 Should the data* or the systems which produce
that data* be corrupted* whether intentionally or
unintentionally* financial loss is highly probable,, Data
corruption could result from three basic causes5 error* fraud*
or system malfunction„
In addition to accuracy* management requires the timely
availability of dataD Inefficiencies* caused by poor operational
controls* can further impede the production of information and
result in financial loss0 Regardless of the source* poor quality
information and operations can adversely impact the financial
institution in a number of ways?
Management Error «=* Inaccurate or incomplete data can
adversely influence management decisions„ Delays in
information availability can ,also adversely impact
corporate strategies0
Inadvertent Disclosure = Human error* fraud* or system
malfunction may result in proprietary financial
institution data* customer data* or program software
being disclosed to unauthorised persons„
Competitive Disadvantage =» Problems in the production
of accurate information on a timely basis can place the
financial institution at a competitive disadvantage„
Delivery of services* customer confidence* and
management decisions could be impaired„
Legal Problems =» Errors in the production of data or
wrongful disclosure of data may result in legal actions
against the financial institution by its customers*
consumer groups* competitors* and regulators,,
Regulatory Problems ° Failure to produce timely and
accurate data can cause the financial institution to be
in violation of regulatory requirements* subjecting it
to regulatory penalties„
Monetary losses to the bank can arise from deliberate
manipulation of the data Cfraud!* missing or erroneous
data (leading to costly incorrect decision
various
inefficiencies in the operation of the system,,

!0

3
CONTROLS
There are basic controls which should be present in any level of
computer operations. These controls should already be present at
the centralized data center. The evolution of
microcomputer-based systems has not eliminated the need for these
basic controls* but has shifted the focus of control to the
end-user level. Some of these basic control standards that need
to be implemented in microcomputer-based systems ares
Policies and Procedures
Many of the control requirements of microcomputer use need
be
addressed by management in its internal policies and procedures.
Policies and procedures should be in writing and should define
what steps are to be taken to protect the microcomputer systems.
Management should also designate responsibility within the bank
to monitor microcomputer system acquisition and use. The purpose
of this function should be to help prevent redundant uses of
microcomputer systems and to ensure that there is the required
degree of compatibility among hardware and software systems in
use throughout the institution.
Program Development and Testing
Before a new system is developed or purchased* the user should
have a clear understanding of the specific needs being addressed
by the proposed new system. Alternatives should be reviewed by
the user and analyst to ensure that the best solution is
selected. Development should be done with the aim of producing a
system that is easily modified and maintained by someone other
than the original developer. Finally* the completed system
should be subject to rigorous testing to provide assurance that
the results produced are valid and reliable.
Program Changes
Just as with larger systems* microcomputer systems must be
adapted to meet changing requirements and circumstances.
Modified programs should be subject to many of the same controls
as newly-developed systems. Most important among these is the
requirement that there be thorough testing of the modified
system. In addition* accurate records should be maintained
describing the change* the reasons for the change* and the person
responsible for making the change.
Documentation
Documentation is a potential problem in microcomputer°based
systems. There is a tendency for these systems to be highly
personalized* with one person fully responsible for the

4

,

development testing, implementation, and operation of a set of
programso The successful use of a microcompufcer°based system and
the production of specialized data may depend on the continued
presence of this one person,, An adequate level of documentation
helps to prevent an over reliance on the knowledge of this one
person,, This is particularly needed should revisions to programs
be required„ Documentation standards should define acceptable
levels of program, operating and user documentation. In
addition, there should be an enforcement mechanism to guarantee
compliance with standards.

r

Data Editing
The development or purchase of microcomputer systems should be
done with adequate attention given to the need for data editing
routineso These routines are important to help ensure that data
entering the system is error°free and not likely to result in
erroneous output„ This control is important whether the data is
being manually entered into the microcomputer or electronically
transferred or ^downloaded*9 from another system,, In the case of
data being "uploaded59 to a mainframe, additional controls may be
required at that level to guarantee the integrity of the data
being transferred„
Input/Output Controls
Microcomputer systems that are used for the processing of
information with a direct monetary impact on the institution or
its customers may require that additional data controls be
established„ ht a minimum these controls may include the
requirement that there be a segregation of duties between the
input of information and the review of that information in
processed form,, This control may be extended to require that a
formal reconcilement be done by the reviewer of the processed
information„ In more sensitive situations with a significant
dollar impact there may be a requirement that certain functions
be performed under dual control„ The need for these types of
input and output controls should be established during the early
stages of program development„ These special requirements need
to be described in detail in the program documentation package«

,

Physical Access Restrictions
The location of microcomputer systems outside of
physieally-secure data center can permit unauthorized access to
programs and data files used on these systems„ The use of
physical access restriction complements the logical access
restriction discussed below0 Basic steps would include the
secure storage of diskettes or other magnetic media containing
the programs and data for a particular system. In addition
since documentation on what a system does and how it is being

,

5
used can provide important information that can be need to
compromise system security, this information should also be
securedo Finally, there should be adequate restrictions over
physical access to the hardware itself, so that it is protected
from unauthorized use, vandalism, and theft.
Logical Access Restrictions
Just as in larger application systems, the need exists to
identify those individuals who will be permitted access to the
microcomputer system5s capabilities0 In addition, there may be
the need to differentiate between functions allowed for certain
individuals, ranging from an inquiry capability for many persons
to an override and correction capability of a few supervisory
personnelo formally, these restrictions will be in the form of
password controls. Standard password-related control procedures,
such as frequent changes and reporting of exception conditions
need to be established to provide for effective access
restrictions„
Backup and Contingency Planning
For each operational system, adequate plans should be made and
precautions taken to ensure that users can adequately recover
from damage to the hardware, software, and data. For some
systems, an inability to process during recovery may mean that
work can be held for later processing. For other systems, a
manual backup may be appropriate. For some time-critical, highly
automated systems, arrangements may have to be made for data
reconstruction or for processing on other hardware. At a
minimum, for all systems, there should be secure and remote
backup storage of files and programs. Beyond this, the backup
and contingency requirements for individual systems may differ
and need to be addressed separately.
Audit
The audit area should serve as an independent control reviewing
microcomputer use throughout the institution. Audit involvement
in microcomputer systems may begin at a general level with a
review for compliance with the internal policies and procedures
discussed above and may extend to detailed testing in particular
areas such as the use of logical access controls. Audit
procedures and workprograms should be expanded to provide for
adequate coverage of microcomputer systems. Responsibility for
microcomputer auditing should be clearly assigned and plans for
microcomputer audits should be built into the audit schedule.
It should be recognized that this list of controls is not all
inclusive of methods to manage risk. Each computer operation,
whether centralized or end-user, possesses different

-

6

-

characteristics and possibly some specialized risks0 Control
practices must be sufficient to minimize such risks,, These
recommended control features are considered fundamental to sound
information processing,.