Reviewing Policies and Procedures
The final step is to review existing policies and procedures and determine whether they are
adequate. During review, people should ask the following questions:
Do current policies cover existing practices adequately? Were any problems or
opportunities uncovered during monitoring?
Does the organization plan any new activities in the future? If so, does it need new policies
or procedures addressing who will handle them and what must be done?
Are contingencies and disasters covered?
This review and planning allows companies to take a proactive approach to problem solving,
which can enhance a company's performance, such as by increasing productivity and improving
customer service. During such a review, companies are alerted to upcoming changes
in information systems that could have a profound effect on many business activities.
Tokyo Electron, a global supplier of semiconductor production equipment, provides an
excellent example of a firm thoroughly reviewing its policies and procedures. As a U.S. subsidiary
of Tokyo Electron of Japan, Tokyo Electron U.S. Holdings was required to comply
with the Sarbanes-Oxley Act. When Japan's Financial Instruments and Exchange Law, that
country's equivalent of the Sarbanes-Oxley Act, went into effect, the firm used it as a motivation
to re-examine its entire set of policies regarding user access to data and applications,
financial control, and protection of intellectual property. 12
Information systems professionals and users still need to be aware of the misuse of resources
throughout an organization. Preventing errors and mistakes is one way to do so.
Another is implementing in-house security measures and legal protections to detect and
prevent a dangerous type of misuse: computer crime.
COMPUTER CRIME
Even good IS policies might not be able to predict or prevent computer crime. A computer's
ability to process millions of pieces of data in less than one second can help a thief steal data
worth millions of dollars. Compared with the physical dangers of robbing a bank or retail
store with a gun, a computer criminal with the right equipment and know-how can steal
large amounts of money from the privacy of a home. The following is a sample of recent
computer crimes:
Criminals illegally obtained information about the bank accounts of an undetermined
number of Citibank customers. They created counterfeit ATM cards encoded with the
stolen information to make some 9,000 fraudulent ATM withdrawals totaling millions
of dollars. Avivah Litan, Gartner vice president, stated: “Criminals have found ways to
basically bypass many of the controls banks have in place. So ATM and debit card fraud
is expected to rise. In our surveys, banks themselves expect the rate of fraud to double
over the next two years.” 13
A Chilean hacker gathered personal data about 6 million people from various Chilean
government sites including names, addresses, phone numbers, ID numbers, and e-mail
addresses and posted them to a blog site for all to see. The hacker's motivation was to
protest his country's weak data security. 14
A hacker is alleged to have broken into the computers holding the financial results of
IMS Health to learn of the firm's disappointing results for the quarter prior to their public
announcement. Taking advantage of this knowledge, the hacker purchased over $41,000
in sell options, figuring the stock would go down when results were announced. The
investment resulted in profits of nearly $300,000. 15
A 15-year-old Pennsylvania student broke into an educational network and saved on a
flash drive the names, addresses, and Social Security numbers of some 55,000 people.
The student was arrested and charged with four offenses of unlawful duplication and
theft. 16
 