Security, Data Protection and Audit

When an organization computerizes its procedures, it becomes dependent on a system to which it has committed vital business information. Disruption of the computer system could lead to losses from which the company may not recover.

In the USA computer fraud is said to be increasing at the rate of 500 per cent per annum. There are many other risks, e.g. software error, industrial action, system abuse, hardware failure, theft and vandalism, fire and flood, industrial espionage. Counter-measures are therefore needed to safeguard the business operation and in particular the computer installation.

In many parts of the world a person's privacy is considered a basic human right. However, information about individuals is stored for many organizations. Some data is held on computers, e.g. payroll, local authorities for council tax, social security, inland revenue and health authorities, car taxation, credit card agencies and electoral rolls. These are usually separate databases, but with telecommunication advances, they could be linked together. Illegal access to databases is more likely and a person's privacy could be said to be threatened. This privacy of personalized data held on computer databases is referred to as data protection.

Security of information

New technology brings new opportunities for crime, which ranges from computer theft, desk-top forgery, voice and electronic mail terrorism, to graffiti sent by facsimile transmission and electronic data interchange fraud, including 'hacking' and destruction of data by introducing computer viruses. Desk-top publishing software combined with the latest colour laser printers and photocopiers are increasingly being used by forgers. Many business documents, including cheques, can be forged. The extent of the forgery is only limited by the quality of the paper. Various measures are taken by organizations in an attempt to combat forgery. Another big security issue involves the use of networking computers, especially as they allow information to be transferred between databases from many locations worldwide. A crime can be committed at a distance from where the criminal actually is. Passwords by themselves are not adequate security. Computer software anti-virus programs will scan disks for known viruses, which destroy computer data. Use of disks not originated on the network should be avoided unless they have been throughly checked.

Computing staff are the key to all security measures. Qualifications and references of staff recruited should be verified.

The strict control of operations is vital, especially where satellite devices are connected to a central processor, allowing easy access to files. Unauthorized users should be immediately locked out of the machine. Mathematical locks can be used on larger systems.

Records of old manual systems should be retained for a few years when a new system is being tried out, in case files and software are destroyed. The location of the central processor should be in an area of difficult access with suitable locking or card identifying systems employed. Master software tapes and disks with security copies of daily business transactions should be safely stored away.

If outside software houses write systems programs, these should be screened. Insurance cover should be adequate, and cover the cost of hardware, software, costs of recreating data and consequential loss.