Computer Audit Update
May 1995
Contemporary Issues in Corporate Computing

... could have. ... remember perfectly. In this case it is important that the back-up systems ... to ... operated. How many of us could say that with regards to the computer systems of our own organizations? There does seem to be a reluctance to admit software and hardware failures - Microsoft and Pentium spring to mind from the last few months. Why? In the case of safety critical software such a reluctance could be fatal. Why, when the autopilot software fault was known to Airbus and a fix to the software available, were aircraft still operating with the bug-ridden software until the next full service? Was it managerial incompetence? Was it a failure of communication? Was it to save money by not upgrading? Was it a conscious decision after a full risk analysis? If so I, and I am sure most of us, would be interested in full disclosure before we boarded a flight on an A340, or indeed any other aircraft with software bugs.

It is not the technology of the A340, or any other fly-by-wire aircraft, or any computer system that is the problem per se, it is the abuse. Computer abuse is committed by people, not by technology. It is the result of management failures, of poor or nonexistent requirements and user specifications, of inadequate risk assessment, of inadequate and insufficient system and user acceptance testing, of a lack of back-up and of inadequate recovery.

On the anniversary of the sinking of the “unsinkable” Titanic it is worth contemplating that the Titanic went down with its engines running. If IT is the engine of our organizations, ...

BUSINESS CONTINUITY PLANNING: PART 1

Keith Hearnden

Context

It is widely recognized that businesses and public services depend heavily on computers for the conduct of their affairs, and that it is wise to plan how to recover the business or service from a major disruption to its computing. Such plans are invariably complex and dynamic and have traditionally considered the resolution of problems affecting a central corporate mainframe service. However, the use of personal computers (PCs) within mainstream corporate computing has become widespread in recent years, to the extent that they have become a factor likely to affect the nature of business recovery planning. A recent postal survey of 421 UK organizations examined many factors affecting the organization, quality and control of corporate computing. In particular, it explored the nature and extent of business recovery planning and the impact of computer down-sizing on such plans.
The reason for the research is to be found in the amazingly rapid transformation of corporate computing. It has been calculated[1] that as recently as 1978, virtually 100% of the world’s computing power was concentrated in large central-processing units, with dumb terminals attached. By 1990, such machines held less than 1% of the world’s computer power. Driven by microelectronic advances, there was a PC microprocessor on nearly every desk that was as powerful as a 1970s mainframe. At the same time, businesses were becoming increasingly computer-driven, increasingly reliant on computer processing power for both mainstream and ancillary business functions. A recent survey[2] of 323 businesses revealed that 83% of mainframe users, 77% of mid-range users and 27% of PC users believed their computer systems were crucial to their businesses. These same businesses reported a total of 359 incidents of computer down-time, thus reinforcing the current importance attached to contingency planning for business recovery. It is the appropriateness and extent of this contingency planning, together with the nature of the business controls that impinge on it, which this research seeks to explore.

Two important earlier studies, carried out by Evens and Orr[3] and Hearnden[4], both concentrated on recovery issues following a mainframe disaster. Doswell[5], on the other hand, presents a convincing case for re-examining the appropriateness and effectiveness of traditional, mainframe-oriented contingency planning, in the context of the increasing prevalence of stand-alone and networked personal computers. He draws the contrast between the professionally managed and comprehensively secured corporate mainframe environment, and the regular absence of protection given to the fileservers and workstations on which we increasingly rely. “Whereas”, he says, “the personnel in the mainframe environment ..... represent years of management experience in processing business data, there is a good chance that the desk-top PC user will have learned everything he knows from his son’s games machine.” Lest there should remain any doubt about the importance of these issues, consider the fact that information technology’s share of the overall capital stock of US corporations has doubled to 13% in the last fifteen years, whilst in key areas such as communications, finance, business services, healthcare and education it is now more than 25%[6]. The very nature of decision-making in most organizations is being fundamentally altered by the widespread application of information and communication technologies. “It used to be essentially a hierarchical process with information fed upward. Small decisions were taken at the bottom and big decisions at the top .... (But) increasingly decisions are taken under conditions of information surplus, if not information overload. The task of managers is to filter, prioritize, synthesize and interpret the information that goes into decisions ..... A common tendency is to streamline, integrate and centralise key management decisions, while decentralising operations and activities. ...... But increasing reliance on electronic information systems as a basis for decisions creates a dependence that introduces its own special problems.”[7]

Figure 1: The incidence of core business accounting applications on mainframes/mid-ranges and PCs. (Bar chart, key: Mainframe / PC; applications: Budgetary Control, Customer Accounts, Stock.)

Figure 2: The incidence of business planning applications on mainframes/mid-ranges and PCs. (Bar chart, key: Mainframe / PC; applications: Business Planning, Financial Forecasting, Information Searches, Market Research.)

That, then, is the context in which this research has taken place. Have British organizations taken fully on board the momentous changes that are taking place in corporate information services? Have they responded effectively to protect their dependence on their computing systems? And, in particular, have they recognized the growing need to re-orient their contingency planning for business recovery towards stand-alone and networked PCs?

Business computing applications: mainframes vs PCs

Any study that seeks to examine the effectiveness of contingency planning in the context of this perceived shift in the organization of corporate computing must first establish the reality of the situation. How far has corporate computing now devolved to the personal computer and how much remains with the centrally managed mainframe? The answer to this question appears in Figures 1 to 4, which progressively show the frequency with which specific business applications are carried out on mainframes or mid-range computers on the one hand and personal computers on the other. The four groupings broadly represent:

- Core business accounting.
- Business planning and forecasting.
- Nonaccounting applications.
- Communications.
Figure 3: The incidence of nonaccounting applications on mainframes/mid-range computers and PCs. (Bar chart, key: Mainframe / PC; applications include Sales Data, Process Control, Production Scheduling, and Data & Software Development.)

Figure 4: The incidence of communications applications on mainframes/mid-range computers and PCs. (Bar chart, key: Mainframe / PC; applications: Electronic Mail, Word Processing, Desk Top Publishing.)
The traditional corporate accounting applications are still predominantly undertaken on the centrally managed mainframe computers, though it is clear that personal computers are also widely used on these core functions. It is already evident, therefore, that business recovery planning should no longer concern itself solely with the corporate mainframe, but must look wider. In the planning and forecasting applications recorded in Figure 2, the PC is largely dominant, thanks in part to the power and popularity of spread-sheet software. Although it might be argued that these are applications of secondary importance compared to accounting, they should also be recognized for their essential contribution to the quality of management decision-making, what Professor Melody[7] referred to as the task of filtering, prioritizing, synthesizing and interpreting information. It would be difficult to imagine any organization surviving long if its management were denied access to this kind of facility. In most organizations there are a range of tasks routinely undertaken that, whilst of secondary importance to recording and accounting actual business transactions, are nevertheless essential to the effective conduct of operations. Activities such as those recorded in Figure 3 may help to form part of the “information overload” to which Professor Melody referred, but it is difficult to imagine dealing with the analysis of research and sales data, the complexities of production scheduling or a host of supporting functions without the computer processing and storage power now so routinely available. The fact that such tasks are almost equally undertaken on PCs and mainframes underlines the importance already noted of including the effects of the loss of personal computers and their supporting networks in contingency planning. Perhaps nowhere has the impact of the personal computer been more dramatically rapid than with word processing and its close relative, desk top publishing.

Although the latter has not yet achieved the near-universal take-up of word processing, clearly there is enormous potential for expansion. Electronic mail facilities are divided fairly evenly between mainframes and PCs, but the ratio is two to one in favour of the PC for word processing and even greater for desk top publishing. It is not easy to imagine the modern office functioning at all without the first two facilities. In summary, core accounting functions are still largely undertaken on central mainframe/mid-range computers, though even here the personal computer has achieved significant inroads. In every other area of corporate computing, the PC has achieved either virtual parity or dominance over the mainframe. Such evidence provides a cogent argument for including the PC and its supporting networks as an essential element in any corporate contingency planning for business recovery.

Education and training

Early in 1992 a major survey by the National Computing Centre[8] revealed that more than half of the 950 computer users studied had suffered a significant security breach in the previous five years, either accidentally or deliberately. The survey also disquietingly revealed a widespread lack of awareness and unpreparedness by organizations for dealing with computer abuse. Three-quarters of them had not reviewed their disciplinary measures since the advent of the 1990 Computer Misuse Act. Since we have just illustrated some of the ways in which processing power is moving from the professionally managed computer centre to the users through the widespread adoption of PCs and local area networks (LANs), and since the PC tends to be inherently insecure, there is a clear implication that organizations need to reassess their approach to computer security. In fact, there has for some time been a general business trend to devolve power from the corporate headquarters to the individual business units, and it would therefore be surprising if responsibility for computer security did not parallel the transfer of processing power and become an issue for the devolved business unit.

In the context of these changes and the findings of the NCC survey, surely it behoves organizations at least to introduce new employees to the computing facilities they will use and to ensure that they are informed about and understand the policies and procedures that apply in their working environment? If employees are not told how they are expected to behave, it is not easy to discipline them subsequently if they act in a way of which the organization does not approve. Since the great majority of computer abuses and disasters are caused by an organization’s own employees[9,10], the issues of employee education and corporate rules are not without significance. This research examined the incidence of induction training for new staff, the extent to which corporate computing facilities formed part of that induction training, the methods by which computing policies and procedures were conveyed to employees, and whether these policies and user rules formed part of employees’ terms and conditions of employment. The results confirmed that there is much more that organizations could do to ensure that staff are made aware of the facilities available to them and of the rules that govern the computing environment within which they work. Figure 5 shows the proportion of new employees who receive induction training and those whose training includes an explanation of corporate computing facilities. Whereas nearly two employees in three receive some kind of induction, less than two in five are told about computing facilities.

Figure 5: The proportion of employees receiving induction training and details of corporate computing facilities.
New employees: 100%
Those receiving induction training: 64%
Those learning about computing facilities: 34%
In seeking to discover how computer policies and procedures are conveyed to employees (not just new staff), the survey offered participants fourteen ways in which this might be achieved. Those responding were invited to tick as many of these ways as applied within their own organizations; in other words, they were given a multiple choice. In order to set their choices into a context, it should be noted that:

- 21% chose only one method;
- 21% chose three methods;
- 74% chose between one and four methods of conveying information to employees.
In practice, the alternative methods on offer could reasonably be judged to vary in their effectiveness as a means of conveying information and (equally importantly) an understanding of policies and procedures to employees. In Figure 6 the options are grouped for their relative effectiveness and the proportion who chose them is indicated. This analysis confirms how little attention is paid to this aspect of corporate computing and, by extension, how incomplete is the approach to computer security, misuse and outright abuse.

Figure 6: How corporate computer policies and procedures are conveyed to employees. (The fourteen methods, grouped by relative effectiveness from very effective through average/fairly effective and poor/ineffective to disastrous: personal memo to all employees; personal memo to registered users; compulsory training; formal induction training; incorporation into staff handbook; personal memo to Dept. Heads; News Sheet to registered users; News Sheet to Dept. Heads; optional training; electronic mail; News Sheet available on request; word of mouth; user initiative in finding out; no formal policies or procedures.)

Finally, under this heading, organizations were asked whether computing policy and user rules formed part of employees’ terms and conditions of employment. Although this procedure does not guarantee the employee’s proper use of corporate computing facilities, it does form a legal contract between employer and employee. This should normally achieve a dual benefit. First, it indicates to the employee that the employer takes seriously such issues as computer security, misuse, data confidentiality, software piracy and so on. Secondly, it provides an effective legal redress at any industrial tribunal called by an ex-employee dismissed for offences defined by the contract. The answer to this question confirmed that organizations have yet to address consistently the broad issues of employee education, security awareness and behaviour within the corporate computing environment, for only one-third indicated that computing policies and rules did form part of employees’ terms and conditions of employment.

In summary, the questions about computer education and training revealed that:

- only 38% of new employees are told about computing facilities during induction training;
- at most, only 28% of all employees receive very effective instructions in computer policies and procedures; and
- only 33% of organizations incorporate computer policies and user rules within employees’ terms and conditions of employment.
Conclusion

The product of the research so far has been to demonstrate that personal computers, whether in stand-alone or networked mode, now undertake a wide range of corporate computing applications, without which no business could function effectively. Certainly, the central, professionally managed mainframe still features importantly in core accounting applications, but it can no longer merit the exclusive attention of those who have responsibility for developing contingency plans for recovering from disastrous events and ensuring the continuity of the business. As a consequence of this important shift in the way in which businesses and public organizations process information, extra significance is attached to the ways in which employees are trained to use a key resource (computers), since there can no longer be a realistic expectation that the resource will be solely managed by experienced professionals. However, the research shows that adequate training is provided only in a minority of organizations - a problem that is compounded by a frequent failure to explain to employees the rules intended to control their behaviour within the computing environment. Future issues of Update will look at what the research revealed about quality issues and the current state of business recovery planning.

References

1. The Economist, ‘The World in 1992’, Economist Publications Ltd, London, 1991, p.117.
2. KPMG Management Consulting, reported in Computing, London, 2 July 1992, p.7.
3. Evens, M. and Orr, J., Management Awareness of Computer Risks: A European Survey, Arthur Young, UK, 1987.
4. Hearnden, K., Contingency Planning for Computer Disaster Recovery, Computing Services Association, London, 1990.
5. Doswell, B., ‘Down-sizing Disaster Recovery’, private paper to the Contingency Planning Special Interest Group of the Computing Services Association, London, 1992.
6. Applebaum, E., CIRCIT (Centre for International Research on Communication and Information Technologies) Newsletter, Australia, October 1992, p.3.
7. Melody, Professor W. H., Director of the CIRCIT research programme, CIRCIT Newsletter, Australia, October 1992, p.2.
8. National Computing Centre, ‘Security Breaches Survey’, reported in Computer Audit Update, March 1992, p.1.
9. Audit Commission for England and Wales, Opportunity Makes a Thief: an analysis of computer abuse, HMSO, London, 1994.
10. BIS Computer Disaster Casebook and Supplement, Wong, K. and Farquhar, W. (Eds), BIS Applied Systems Ltd, London, 1987 and 1988.

Keith Hearnden is a Senior Lecturer at the Centre for Hazard and Risk Management, Loughborough University. The research was commissioned by IBM (UK) Ltd and the Computing Software and Services Association. © Copyright Keith Hearnden 1995
UNFAIR CONTRACTS: NEW EUROPEAN DIRECTIVE TO DELIVER MORE POWER TO THE CONSUMER’S ELBOW?

Dai Davis

Some European laws are destined for obscurity even before the ink dries in the Official Journal; others will affect our everyday lives well into the future. The new Directive on Unfair Terms in Consumer Contracts is most definitely in the latter category. This law affects many businesses, ranging from financial institutions such as banks and building societies to house builders, travel agents, garages and retailers. It will also affect software houses who supply consumers with software, particularly suppliers of off-the-shelf software. That software is often called shrink wrap software - a reference to the packing in which it is packed. The exterior of that packaging often contains terms and conditions, which may not stand up to the rigorous tests of this new legislation. Under the law, unfair terms used in contracts are not binding on consumers. Therefore, the legislation may have quite severe effects for those businesses that do not take adequate note.

Contracts caught by the new law

Almost all contracts for the supply of goods