output on computer screens, output in hard copy, and output to other application systems
which is used for further processing.
Enterprises do not want to have their business activities exposed to competitors and will
do everything possible to secure data and information. In the recent past, we have seen big
enterprises have their client data stolen or hacked into by unauthorised users.
a) How does the enterprise ensure reports are protected from accidental or deliberate
disclosure?
Output can be protected by using access controls which grant access only to authorised
users. Unauthorised users cannot view or print output which they have no authority to
access. Production of output, such as printing, can also be limited to selected printers.
Information security awareness programs can also be conducted regularly so that employees are
aware of the need to protect information from unauthorised users, both internal and external
to the enterprise. Such measures can ensure that output is protected from accidental or
deliberate disclosure. Measures also need to be put in place to protect information which is
in hard copy or voice form.
Evidence on whether the enterprise is appropriately protecting output can be obtained by
reviewing access controls on output and storage of information. The IS auditor can also
interview users to obtain an understanding of how they protect information and if they are
aware of policies and practices on information protection.
b) What control procedures does the enterprise have in place for output authorization?
Users are authorised to produce output in print, on-screen, or both. Management can
decide, depending on a user's job role, to grant appropriate access to output. For example,
management might decide that only front office staff should have authority to print cash
receipts. The responsibility for authorising access to output is with line managers or other
designated officials.
The IS auditor can review access control documentation to check user access rights on the
system. Further evidence can be obtained by checking access control configurations on the
application systems.
c) Which reports are restricted from users who are not managers?
Management will from time to time decide which information should be available only to
managers and not accessible to non-managers. Such decisions can be made depending on
the sensitivity of the information being handled. Management reports, for example, can be
made available only to managers.
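The checks described under b) and c) can be run as a reconciliation of configured output rights against the documented authorisations. The following is an added example, not taken from the original text; the role names, report names, users and the export layout are all assumptions constructed for illustration.

```python
# Documented authorisations approved by line managers (constructed sample):
# role -> report -> output channels the role may use.
DOCUMENTED = {
    "front_office": {"cash_receipt": {"screen", "print"}},
    "back_office": {"cash_receipt": {"screen"}},
    "manager": {
        "cash_receipt": {"screen"},
        "management_report": {"screen", "print"},
    },
}

# Reports management has restricted to managers (constructed sample).
MANAGER_ONLY = {"management_report"}
MANAGER_ROLES = {"manager"}

# Rights as configured in the application, e.g. from an access-control
# export (constructed sample): (user, role, report, channel).
CONFIGURED = [
    ("alice", "front_office", "cash_receipt", "print"),
    ("bob", "back_office", "cash_receipt", "screen"),
    ("bob", "back_office", "cash_receipt", "print"),
    ("carol", "manager", "management_report", "print"),
    ("dave", "front_office", "management_report", "screen"),
]


def audit_output_rights(configured, documented, manager_only, manager_roles):
    """Return findings where configured output rights exceed what is approved."""
    findings = []
    for user, role, report, channel in configured:
        approved = documented.get(role, {}).get(report, set())
        if report in manager_only and role not in manager_roles:
            # Section c): restricted report reachable by a non-manager.
            findings.append((user, report, channel,
                             "restricted report granted to non-manager"))
        elif channel not in approved:
            # Section b): configured right has no documented authorisation.
            findings.append((user, report, channel,
                             "right not in approved documentation"))
    return findings


if __name__ == "__main__":
    for finding in audit_output_rights(CONFIGURED, DOCUMENTED,
                                       MANAGER_ONLY, MANAGER_ROLES):
        print(finding)
```

Each finding is a configured right that the auditor would raise with the line manager responsible for authorising access to that output.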