FEDERAL RESERVE BANK OF NEW YORK

February 8, 1988

RISKS ASSOCIATED WITH THE USE OF MICROCOMPUTERS

To All State Member Banks, Bank Holding Companies, and Edge and Agreement Corporations in the Second Federal Reserve District, and Others Concerned:

The widespread use of microcomputers by financial institutions has provided end-users with direct access to sensitive and valuable bank data. The federal bank regulatory agencies are concerned that in some financial institutions the use of microcomputers may have outpaced the implementation of controls. Accordingly, the agencies have agreed to alert institutions subject to their supervision to the risks associated with end-user computing and have suggested controls for the microcomputer environment.

Enclosed is the text of a document on end-user computing which discusses certain operations, controls, and risks. A copy of the EDP Examination Handbook referred to in the enclosed document can be obtained from Publication Services at the Board of Governors of the Federal Reserve System, Washington, D.C. 20551 (Tel. No. 202-452-3245) at a cost of $75.00.

Questions regarding this matter may be directed to our Specialized Examinations Department (Tel. No. 212-720-7946).

James K. Hodgetts, Chief Compliance Examiner.
END-USER COMPUTING

PURPOSE

The purpose of this paper is to alert management of each financial institution to the risks associated with end-user computing operations and to encourage the implementation of sound control policies over such activities.

BACKGROUND

In recent years, microcomputers, or "personal computers", have become more prominent in the business environment. They are now being used, not only as word processors and access devices to other computers, but also as powerful stand-alone computers. As such, information processing has evolved well beyond the traditional central environment to distributed, or decentralized, operations. This trend has offered substantial benefits in productivity, customization, and information access. However, it also has meant that those control procedures, previously limited to the central operations, must be reapplied and extended to the "end-user" level.

CONCERNS

Technology, using microcomputers as end-user computing devices, has taken data processing out of the centralized control environment and introduced the computer related risks in new areas of the financial institutions. However, the implementation of these new information delivery and processing networks has outpaced the implementation of controls. Basic controls and supervision of these computer activities often have not been introduced, or expected, at the end-user level. The technological advantages, expediency, and cost benefits of end-user computing have been the primary focus. Recognition of the increased exposures and the demands for expanded information processing controls has lagged. These concerns for data protection and controlled operations within the end-user environments must be addressed to minimize risks from:

- incorrect management decisions,
- improper disclosure of information,
- fraud,
- financial loss,
- competitive disadvantage, and
- legal or regulatory problems.

End-user computing is recognized as a productive and appropriate operational activity. However, control policies for data security and computer operations, consistent with those for centralized information processing functions, need to address the additional risks represented in the end-user computing operations.

Management in each financial institution is encouraged to evaluate the associated risks with its end-user computing networks and other forms of distributed computer operations. Control practices and responsibilities to manage these activities should be incorporated into an overall corporate information security policy. This policy should address areas such as:

- management control,
- data security,
- documentation,
- data/file storage and back-up,
- systems and data integrity,
- contingency plans,
- audit responsibility, and
- training.

Responsibilities for the acquisition, implementation and support of such networks should be clearly established. The attached appendix provides more details regarding the risks and suggested controls for end-user computing and other computer related activities. Additional control recommendations can be referenced in the FFIEC EDP Examination Handbook.

POLICY

It is the responsibility of the Board of Directors to ensure that appropriate corporate policies, which identify management responsibilities and control practices for all areas of information processing activities, have been established. The existence of a "corporate information security policy", the adequacy of its standards, and the management supervision of such activities will be evaluated by the examiners during the regular supervisory reviews of the institution.

APPENDIX

RISKS AND CONTROLS IN END-USER COMPUTING

Microcomputers, in the end-user computing operations, are being used basically for three purposes:

1. as word processors,
2. as communication terminals with other computers (to transmit or receive information in their databases), and
3. as stand-alone computer processors.

These three functions require different control objectives, based on the risks associated with the activity. Each function requires certain operational type controls such as physical security, logical security, and file back-up. However, the more pronounced risks involve those operations using microcomputers as stand-alone processors. While word processing and terminal communications also require strong controls, programming support for the operating software and applications systems generally remains centralized or is a vendor responsibility.

In end-user computing, the user is often engaged in program development, in addition to information processing. This may involve the creation of programmed software from an original design or building customized routines from specialized vendor software. Regardless, the control techniques for the programming, its testing, and its documentation are necessary to ensure the integrity of the software and the production of accurate data.

In addition to the programming activity, the end-user environment supports computer processing, which may be totally separate from centralized controls. Information may be downloaded from the main databases and reprocessed by the end-user. Data may also be originated for processing in this structure. Regardless of the source, the resulting information is relied upon by management for decisions impacting corporate strategies and customer relationships. The integrity of the data becomes no less important than had the data been produced through more sophisticated computer processes. Likewise, the need for control at the micro level remains equally important.

IMPACTS

The failure to properly implement a uniform set of controls on the end-users of microcomputers, consistent with those controls required in a mainframe data center, can create two broad categories of risks:

1. the corruption or loss of data and/or program software, and
2. impediments to the efficient operation and management of the financial institution.

The quality of data is paramount to the successful management of any institution. Should the data, or the systems which produce that data, be corrupted, whether intentionally or unintentionally, financial loss is highly probable. Data corruption could result from three basic causes: error, fraud, or system malfunction. In addition to accuracy, management requires the timely availability of data. Inefficiencies, caused by poor operational controls, can further impede the production of information and result in financial loss. Regardless of the source, poor quality information and operations can adversely impact the financial institution in a number of ways:
Management Error - Inaccurate or incomplete data can adversely influence management decisions. Delays in information availability can also adversely impact corporate strategies.

Inadvertent Disclosure - Human error, fraud, or system malfunction may result in proprietary financial institution data, customer data, or program software being disclosed to unauthorized persons.

Competitive Disadvantage - Problems in the production of accurate information on a timely basis can place the financial institution at a competitive disadvantage. Delivery of services, customer confidence, and management decisions could be impaired.

Legal Problems - Errors in the production of data or wrongful disclosure of data may result in legal actions against the financial institution by its customers, consumer groups, competitors, and regulators.

Regulatory Problems - Failure to produce timely and accurate data can cause the financial institution to be in violation of regulatory requirements, subjecting it to regulatory penalties.

Monetary losses to the bank can arise from deliberate manipulation of the data (fraud), missing or erroneous data (leading to costly incorrect decisions), or various inefficiencies in the operation of the system.

CONTROLS

There are basic controls which should be present in any level of computer operations. These controls should already be present at the centralized data center. The evolution of microcomputer-based systems has not eliminated the need for these basic controls, but has shifted the focus of control to the end-user level. Some of these basic control standards that need to be implemented in microcomputer-based systems are:

Policies and Procedures

Many of the control requirements of microcomputer use need to be addressed by management in its internal policies and procedures. Policies and procedures should be in writing and should define what steps are to be taken to protect the microcomputer systems. Management should also designate responsibility within the bank to monitor microcomputer system acquisition and use. The purpose of this function should be to help prevent redundant uses of microcomputer systems and to ensure that there is the required degree of compatibility among hardware and software systems in use throughout the institution.

Program Development and Testing

Before a new system is developed or purchased, the user should have a clear understanding of the specific needs being addressed by the proposed new system. Alternatives should be reviewed by the user and analyst to ensure that the best solution is selected. Development should be done with the aim of producing a system that is easily modified and maintained by someone other than the original developer. Finally, the completed system should be subject to rigorous testing to provide assurance that the results produced are valid and reliable.

Program Changes

Just as with larger systems, microcomputer systems must be adapted to meet changing requirements and circumstances. Modified programs should be subject to many of the same controls as newly-developed systems. Most important among these is the requirement that there be thorough testing of the modified system. In addition, accurate records should be maintained describing the change, the reasons for the change, and the person responsible for making the change.

Documentation

Documentation is a potential problem in microcomputer-based systems. There is a tendency for these systems to be highly personalized, with one person fully responsible for the development, testing, implementation, and operation of a set of programs. The successful use of a microcomputer-based system and the production of specialized data may depend on the continued presence of this one person. An adequate level of documentation helps to prevent an over-reliance on the knowledge of this one person. This is particularly needed should revisions to programs be required. Documentation standards should define acceptable levels of program, operating and user documentation. In addition, there should be an enforcement mechanism to guarantee compliance with standards.

Data Editing

The development or purchase of microcomputer systems should be done with adequate attention given to the need for data editing routines. These routines are important to help ensure that data entering the system is error-free and not likely to result in erroneous output. This control is important whether the data is being manually entered into the microcomputer or electronically transferred or "downloaded" from another system. In the case of data being "uploaded" to a mainframe, additional controls may be required at that level to guarantee the integrity of the data being transferred.

Input/Output Controls

Microcomputer systems that are used for the processing of information with a direct monetary impact on the institution or its customers may require that additional data controls be established. At a minimum these controls may include the requirement that there be a segregation of duties between the input of information and the review of that information in processed form. This control may be extended to require that a formal reconcilement be done by the reviewer of the processed information. In more sensitive situations with a significant dollar impact there may be a requirement that certain functions be performed under dual control. The need for these types of input and output controls should be established during the early stages of program development. These special requirements need to be described in detail in the program documentation package.

Physical Access Restrictions

The location of microcomputer systems outside of a physically-secure data center can permit unauthorized access to programs and data files used on these systems. The use of physical access restriction complements the logical access restriction discussed below. Basic steps would include the secure storage of diskettes or other magnetic media containing the programs and data for a particular system. In addition, since documentation on what a system does and how it is being used can provide important information that can be used to compromise system security, this information should also be secured. Finally, there should be adequate restrictions over physical access to the hardware itself, so that it is protected from unauthorized use, vandalism, and theft.

Logical Access Restrictions

Just as in larger application systems, the need exists to identify those individuals who will be permitted access to the microcomputer system's capabilities. In addition, there may be the need to differentiate between functions allowed for certain individuals, ranging from an inquiry capability for many persons to an override and correction capability for a few supervisory personnel. Normally, these restrictions will be in the form of password controls. Standard password-related control procedures, such as frequent changes and reporting of exception conditions, need to be established to provide for effective access restrictions.

Backup and Contingency Planning

For each operational system, adequate plans should be made and precautions taken to ensure that users can adequately recover from damage to the hardware, software, and data. For some systems, an inability to process during recovery may mean that work can be held for later processing. For other systems, a manual backup may be appropriate. For some time-critical, highly automated systems, arrangements may have to be made for data reconstruction or for processing on other hardware. At a minimum, for all systems, there should be secure and remote backup storage of files and programs. Beyond this, the backup and contingency requirements for individual systems may differ and need to be addressed separately.

Audit

The audit area should serve as an independent control reviewing microcomputer use throughout the institution. Audit involvement in microcomputer systems may begin at a general level with a review for compliance with the internal policies and procedures discussed above and may extend to detailed testing in particular areas such as the use of logical access controls. Audit procedures and workprograms should be expanded to provide for adequate coverage of microcomputer systems. Responsibility for microcomputer auditing should be clearly assigned and plans for microcomputer audits should be built into the audit schedule.

It should be recognized that this list of controls is not all-inclusive of methods to manage risk. Each computer operation, whether centralized or end-user, possesses different characteristics and possibly some specialized risks. Control practices must be sufficient to minimize such risks. These recommended control features are considered fundamental to sound information processing.
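The Data Editing and Input/Output Controls sections of the appendix describe two controls that are naturally implemented together: edit routines applied to every record entering a microcomputer system (whether keyed by hand or downloaded), and a formal reconcilement of the processed batch by a reviewer who did not key the input. The following is an added example, not part of the 1988 circular or any agency's software: it edits a constructed batch of transaction records and reconciles it against a trailer record. The comma-separated record layout, the trailer carrying a record count and a hash total of amounts, the field rules (ten-digit account number, DR/CR codes, single-item limit) and the operator and reviewer identifiers are all assumptions made for the illustration.

```python
"""Data editing and batch reconcilement for records exchanged between an
end-user microcomputer and a central system.  Added example; the record
layout, field rules and trailer scheme are assumptions for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

ACCOUNT_RE = re.compile(r"^\d{10}$")   # assumed: 10-digit account numbers
TXN_CODES = {"DR", "CR"}                 # assumed transaction codes
MAX_AMOUNT_CENTS = 100_000_00            # assumed single-item limit ($100,000.00)


@dataclass
class Record:
    account: str
    txn_code: str
    amount_cents: int
    value_date: date
    operator: str          # id of the person who keyed the record


@dataclass
class EditResult:
    accepted: list[Record] = field(default_factory=list)
    rejected: list[tuple[int, str, list[str]]] = field(default_factory=list)
    reconciled: bool = False
    reconcile_errors: list[str] = field(default_factory=list)


def edit_fields(fields: list[str]) -> tuple[Record | None, list[str]]:
    """Field-level edit checks: format, domain, range and date sanity.
    Every defect is reported so the operator can correct the line once."""
    if len(fields) != 5:
        return None, [f"expected 5 fields, got {len(fields)}"]
    account, code, amount, vdate, operator = (f.strip() for f in fields)
    errors: list[str] = []
    if not ACCOUNT_RE.match(account):
        errors.append("account number must be 10 digits")
    if code not in TXN_CODES:
        errors.append(f"unknown transaction code {code!r}")
    cents = None
    if re.fullmatch(r"\d+\.\d{2}", amount):
        cents = int(amount.replace(".", ""))
        if cents == 0 or cents > MAX_AMOUNT_CENTS:
            errors.append("amount out of range")
    else:
        errors.append("amount must be a positive number with two decimals")
    parsed_date = None
    try:
        parsed_date = date.fromisoformat(vdate)
    except ValueError:
        errors.append("value date must be YYYY-MM-DD")
    if not operator:
        errors.append("operator id missing")
    if errors:
        return None, errors
    return Record(account, code, cents, parsed_date, operator), []


def edit_batch(text: str, reviewer: str) -> EditResult:
    """Edit every detail line, then reconcile the batch against its trailer
    (record count and hash total of amounts, in cents) and enforce that the
    reviewer is not one of the operators who keyed the input."""
    result = EditResult()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith("T,"):
        result.reconcile_errors.append("missing trailer record")
        return result
    *details, trailer = lines
    for lineno, line in enumerate(details, start=1):
        rec, errors = edit_fields(line.split(","))
        if errors:
            result.rejected.append((lineno, line, errors))
        else:
            result.accepted.append(rec)
    try:                                    # trailer: T,<count>,<hash total>
        _, count_s, total_s = trailer.split(",")
        expected_count, expected_total = int(count_s), int(total_s)
    except ValueError:
        result.reconcile_errors.append("malformed trailer record")
        return result
    actual_count = len(details)
    actual_total = sum(r.amount_cents for r in result.accepted)
    if actual_count != expected_count:
        result.reconcile_errors.append(
            f"record count {actual_count} != trailer {expected_count}")
    if actual_total != expected_total:
        result.reconcile_errors.append(
            f"hash total {actual_total} != trailer {expected_total}")
    if result.rejected:
        result.reconcile_errors.append(
            f"{len(result.rejected)} record(s) failed edit checks")
    if reviewer in {r.operator for r in result.accepted}:
        result.reconcile_errors.append(
            "reviewer keyed input in this batch (segregation of duties)")
    result.reconciled = not result.reconcile_errors
    return result


# Constructed sample batches (not real data): a clean one and a defective one.
GOOD_BATCH = "1234567890,DR,150.00,1988-02-08,clerk1\n" \
             "0987654321,CR,2500.50,1988-02-08,clerk2\n" \
             "T,2,265050\n"
BAD_BATCH = "12345,DR,150.00,1988-02-08,clerk1\n" \
            "1234567890,XX,abc,1988-13-40,\n" \
            "1234567890,CR,99.99,1988-02-08,clerk1\n" \
            "T,3,100000\n"

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        r = edit_batch(batch, reviewer="supervisor")
        print(name, "reconciled" if r.reconciled else r.reconcile_errors)
        for lineno, line, errs in r.rejected:
            print(f"  line {lineno} rejected: {errs}")
```

The reviewer's reconcilement is only meaningful if the trailer totals are produced independently of the program being checked (for example by the sending system, or by a control clerk from the source documents), which is the point of the segregation-of-duties test at the end of `edit_batch`.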