Problems in auditing expert system development


Abstracts of Recent Articles and Literature

in internal controls and accounting systems. As a result, systems still generate duplicate checks, approve ineligible beneficiaries and make payments to fictitious applicants. Government Computer News, March 18, 1988, p. 21.

Problems in Auditing Expert System Development, Wayne J. Socha. This article provides an overview of the 12 major problems that must be faced in the auditing of expert system development projects. In most cases, solutions to these problems have not, as yet, been identified. However, this listing and discussion of potential problems should help auditors develop a better focus for their planning efforts. The list includes, among others, auditors' lack of technical knowledge and experience, the lack of common AI terminology, the need to avoid copying patented technology, lack of environmental controls, the difficulty of applying cost/benefit ratios to expert systems, and the need for testing and validation. Edpacs, March 1988, pp. 1-6.

Security Concerns in a Local Area Network Environment, Michael I. Sobol. New risks and exposures accompany the introduction of LANs. This article addresses security and control measures for a LAN environment. Physical security is easy to address but data security is more difficult. However, there are control measures that can be implemented to protect sensitive information, including access control, encryption, and diskless workstations. The diskless PC or workstation has all the microcomputer-processing capabilities except that it has no disk storage capacity. It is intended to be connected to a central facility where control and security are implemented. In addition, concurrent access must be prevented or controlled and outside callers must be verified. Telecommunications, March 1988, p. 96ff.

How Safe Is Your Data, Joseph M. Pujals. This article considers some of the problems of microcomputer security and offers some practical advice for information center managers who have to deal with this problem. A company must: (1) develop policies and procedures for microcomputers; (2) initiate information classification practices and procedures; (3) start security awareness programs; (4) develop a security training program; (5) invest in security tools. Also discussed are physical security, data theft, protecting information and managerial responsibilities. Information Center, April 1988, p. 46.

SPA Cracks Down On Piracy, Raids Computer Retailer, Nick Arnett. The Software Publishers Association vowed a legal assault on those who make unauthorized software copies. They started the crackdown with a raid on a retail computer store that allegedly gave away counterfeit or pirated software with each computer it sold. The SPA is targeting retailers, electronic bulletin boards, user groups, and companies that make copies for internal use, including Fortune 500 firms, according to the executive director of the SPA. InfoWorld, April 4, 1988, p. 6.

How Much Is Enough? Expert Says Security Efforts Should Pay, Not Cost, William Murray. Maintaining the delicate balance between spending too much or too little on data and computer security is an art. MIS should want its organization operating so that the total cost (losses plus the cost of security measures) is at a minimum. A technology loss or a fire does not occur regularly but MIS can account for the unexpected. By multiplying the estimated cost of a loss by its rate of occurrence MIS can estimate the loss expectancy. Security measures should be focused on events with a high rate/low consequence and low rate/high consequence. Devastating events that seldom occur should be covered by insurance. Expensive measures should be applied only after they have been justified with a rigorous risk assessment. Computerworld Focus, April 6, 1988, p. 30ff.

It Can't Happen Here, Patricia Keefe. According to some security professionals, businesses still believe "It can't happen to them." Some industries, however, are either mandated by law to secure their data or are bound by "a high standard of care." Whether security breaches are committed by internal or external culprits, they are helped immensely by the trend toward connectivity. The explosion in networking, coupled with the decentralization of information, will put host data access into the hands of an unprecedented number of microcomputer users during the next 5 years. Because inadvertent errors remain the most costly and frequent of all security breaches, more and more vendors are building safeguards such as decision checks, multiple levels of passwords and access control, into their software packages and operating systems. Computerworld Focus, April 6, 1988, pp. 13-16.

Breach Reported in U.S. Computers, John Markoff. For almost 2 years, a West German cit-