Chapter 15, Problem 9P

Better Business Company (BBC) is in the process of planning a more advanced computer-based information system. Slavish, & Moore, LLP, BBC’s consulting firm, has recently been provided with an overview of their proposed plan:

To ensure that the system functions as needed, the BBC Information System (BBCIS) will be created with input from its employees. System construction will begin with prototyping, computer-aided software engineering technology, and Gantt charts. From this point, IT professionals and a systems administrator, who are full-time employees of BBC, will create data models of the business process, define conceptual user views, design database tables, and specify system controls. Users in each department will submit written descriptions of their information needs and business problems to the IT professionals, who will then perform feasibility studies. Each aspect of the system will be documented in accordance with best practices and standards.

The systems administrator will determine access privileges and maintain access control lists and database authorization tables. The administrator will have sole access to the transaction log, which will be used to record all changes made to database tables. A role of the administrator is to detect unauthorized access, reconstruct events, and promote personal accountability. The systems administrator will also be responsible for ensuring that virus protection software is current. Another important task of the administrator is to ensure that adequate backup to databases and applications occur and that disks and tapes are stored in a secure off-site location.

Each employee requiring computer access will be assigned a user ID and password that will be entered when logging onto the system. If a computer terminal is left idle for more than five minutes, the system will close out the session and the user will need to log on again. Furthermore, users will be required to change their passwords once every year.

Hardware will be purchased from Bell Computer Company with the advice of in-house systems developers. With the exception of basic applications, user departments will be allowed to purchase additional software that they need, which will be added to the system.

BBCIS will run on a central server in the computer center located in the company’s administration building. Two security guards will be assigned to the entrance to the computer room. To access the computer center, employees will swipe their ID cards on the lock to the main entrance door. The system will record the times of each entry and departure from the center. The data center will employ an advanced air-conditioning and air filtration system to eliminate dust and pollens. There will also be a sprinkler system to minimize damages in case of a fire.

Required

Based on BBC’s plans for the implementation of a new computer system, describe the potential risks and needed controls. Classify these according to the relevant areas of the COSO framework.