CHAPTER THIRTEEN Management Issues
THIS CHAPTER LOOKS at the broader Information Systems/Information Technology (IS/IT) management issues including the legal issues relating to the introduction of IT to the enterprise, intellectual property issues in cyberspace, trademarks, copyrights, patents, as well as ethical issues, rights to privacy, and the implementation of effective IT governance.
The introduction of IT to organizations has had a dramatic impact on many aspects of their compliance with the law. Perhaps the most fundamental impact of IT on enterprises doing business has been on the legal position of transactions. For business to continue taking place in a modern computerized environment, transactions concluded and performed in whole or in part by electronic means must be regarded as legally binding and enforceable. In addition, a variety of concerns regarding confidentiality, accuracy, and completeness of information, identity authenticity, and protection of intellectual property have required the rethinking of existing laws and legislation. The extent to which legislation has kept pace with advances in technology varies from country to country, although all face the same problems.
Business moving onto the Internet has created some of the greatest opportunities for fraud the world has ever known. Cyberfraud is a major international growth industry that has both the business and legal world struggling to keep pace. Fraud itself typically involves a false statement or omission made deliberately to induce an individual or organization to rely upon it to its prejudice. Prejudice itself may be actual or potential depending on the wording of the individual legislation. Electronic fraud, utilizing Internet technology, may come in the form of creating a false identity on the Internet, intercepting information sent over the Internet, using the Internet to spread false information, or using the Internet to access and manipulate information within the corporate information systems.
There is an old saying that “on the Internet nobody knows you’re a dog,” and identity misrepresentation, or even identity theft, has become a twenty-first century phenomenon. Such acts range from impersonation of an existing authorized user on a computer system, through grooming children in Internet chat rooms, to phishing for information by pretending to be a legitimate information seeker, to stealing an individual’s identity using knowledge gained on the Internet. Creating a false identity is not a new phenomenon, but it is considered more difficult to detect electronically. Acquisition of goods and services from a genuine dealer by assuming a false identity and using a false credit card number is comparatively common.
This is where Certification Authorities become critical. A Certification Authority is an organization that, having independently checked the identity of a business or person, vouches that they are who they claim to be. This is not to say that all Certification Authorities are equal. Some merely check that a business exists and that its bank account is valid. Others go into considerably more detail and cost correspondingly more. One difficulty with the issuance of such certificates is that many customers do not have certificates, and the cyber trader must either deny access to such potential customers and therefore lose business, or take a chance that the customer is legitimate even without the appropriate certificates. Given that the Internet appeals to customers who like to do things in an easy manner, control, as with most things, is frequently seen as an inconvenience.
One of the more common concerns about doing business electronically is that someone will intercept transaction and payment details in a form of electronic eavesdropping and use them to commit the kind of fraud described earlier. Although we have had the ability to encrypt information since information processing began, most of our communication remains in clear text, easily intercepted, read, amended, and retransmitted.
Circulating information over the Internet calls for little or no capital outlay, and the information circulated may be erroneous, intentionally misleading, or even libelous. Misuse in this area ranges from falsely spreading rumors for financial gain, through character assassination, to the publication of propaganda for extremist groups of every sort. Much of this information sounds plausible, although factually it is false. Tracing the origins of such rumors is not impossible, but it does take effort, time, and money that individuals and organizations may be unwilling to spend.
Deliberate penetration of an organization’s systems with the intent to access and manipulate corporate information has become so common that it rarely warrants a mention in national newspapers. It has always been possible to break into any secure system, but the advent of e-commerce has effectively invited the world to have a go. Law-abiding citizens who would never consider larceny and burglary look on information larceny as a “bit of fun” and, in some cases, a challenge. The old laws regarding trespass were intended to prevent physical access and do not normally recognize logical access wherein nothing is physically damaged or removed.
New laws may be required to redefine these crimes should existing laws prove inadequate. Laws defining evidence, the nature of the signature, and proof may need to be reviewed in light of the advent of information processing.
Privacy itself is concerned with the collection and use or misuse of computer-stored data. Many information systems retain data on individuals that has been collected, stored, and used without that individual’s knowledge or consent. Although information databases are normally used correctly and justifiably, the potential for misuse is inherent in all information systems. Countries around the world and several states within the United States have enacted privacy legislation to provide safeguards for individuals against an invasion of personal privacy by facilitating:
· The individual determining which records have been collected, maintained, used, or distributed regarding themselves
· The prevention of records pertaining to the individual gathered for a specific purpose from being used or made available for another purpose without their consent
· The obtaining by an individual of such information as is held on them, with the opportunity to correct or amend such records
· The determination that information held is current and accurate for its intended use and that adequate safeguards exist for the prevention of misuse of such information
· Civil suit for any damages incurred as a result of willful or intentional action violating the individual’s rights under these acts
In April 2011 legislation, the Commercial Privacy Bill of Rights Act of 2011, was introduced in the United States to protect the “fundamental right of American citizens, that is the right to privacy” [1] and is currently in committee. Personally identifiable information was defined as including a first and last name, a residential mailing address, a Web cookie, an e-mail address, a telephone number, biometric data, and so on. Sensitive information is a subset and includes health records, religious information, or data that could lead to “economic or physical harm.” One anomaly of this legislation was that it would regulate only commercial and nonprofit use of information that is personally identifiable. In addition, the legislation did not apply to government agencies including the Department of Health and Human Services, the Department of Veterans Affairs, the Social Security Administration, the Census Bureau, and the Internal Revenue Service (IRS), all of which collect vast amounts of data on U.S. citizens.
Many international regulations exist when the information, particularly financial information, crosses international borders and a control such as encryption is compulsory in some legislation and banned in others. Such trans-border data flow has become more complicated with the explosion of Internet traffic in an unregulated environment and in particular within a cloud-computing environment (see Chapter 19).
COPYRIGHTS, TRADEMARKS, AND PATENTS
Countries have, in the past, created enforceable rights in certain intangibles that have become known as intellectual property. This categorization includes copyrights, trademarks, patents, and trade secrets. As today’s economy grows increasingly reliant on the current proliferation of computers and computer networks, the illegal reproduction and distribution of protected material has become considerably easier to accomplish.
Conventional wisdom is that copyright protection is important to protect the computer software industry. It should always be remembered, however, that an organization’s information itself may be as important to protect as the software it utilizes. Some of the most vital information and trade secrets are held on computers, connected into networks, and ultimately connected to the world at large. A trade secret may be defined as:
any formula, pattern, device, or compilation of information used in a business to obtain an advantage over competitors who do not know or use it. [2]
A great deal of time and effort is now being spent in countries such as the United States in order to ensure that an organization’s copyrights, trademarks, and patents have a legal protection within IT legislation. Obviously, the legal remedy is only of significance after a transgression has taken place, and the auditor’s role may be to ensure that practical countermeasures have been put in place by management to prevent such transgressions from occurring. Countermeasures could include:
· Effective access control
· Permissions management
· Biometric authentication
· Digital signatures and certification authorities
These technologies are discussed further in Chapter 27.
Business ethics lay out the rules under which business takes place—fairness, honesty, integrity, and the opportunity for all participants to be winners. All stakeholders within an organization maintain an ethical responsibility to act in the best interests of the organization and all of its stakeholders.
An understanding of business ethics is essential for the IT auditor, who will encounter ethical issues and dilemmas in his or her daily interaction with management and auditees in any organization. It is therefore useful to understand that the general dimensions of economic activity in which management makes decisions often present tensions between ethical and legal choices. Rossouw [3] identifies three main dimensions:
1. Macro or systemic dimension. The policy framework determined by the political power of the state that determines the basis for economic exchanges nationally and internationally between governments.
2. Meso or institutional dimension. The relations between economic organizations, such as public sector entities, private sector entities, and private individuals and those outside the organizations.
3. Micro or intra-organizational dimension. The economic actions and decisions of individuals within an organization.
Ethics are commonly confused with individual moral principles but in fact go far beyond them. They are designed to address issues from both practical and idealistic standpoints, and as such the idealism may frequently be in conflict with the practical. From the professional’s perspective they become a way of life. Wheelwright [4] identified three key elements that define the impact of ethics on decision making:
1. Ethics involve questions requiring reflective choice
2. Ethics involve guides of right and wrong
3. Ethics are concerned with consequences of decisions
In respect to information systems, ethical issues commonly involve the use to which information is put and can be grouped into four specific areas of concern, namely, privacy, accuracy, intellectual property, and access.
As has been described earlier, privacy deals with the collection and use or abuse of computer-stored data. Accuracy, or rather its absence, inaccuracy, can create havoc for individuals and organizations because the use of computerized systems involves an implicit trust in the accuracy and completeness of the information provided. Intellectual property rights reflect the ownership and use of information, including who has the right to buy or acquire the information as well as who determines the value of intellectual property. Access, as an ethical issue, is concerned with the ability of individuals to gain entry to information and information systems.
CORPORATE CODES OF CONDUCT
One of the common controls in this area is the implementation of a Corporate Code of Conduct. Such codes are directive controls and do not enforce ethical behavior. Where they are combined with detective controls designed to identify breaches of the code and corrective controls designed to take effective action where such breaches are identified, they may serve as a means of expelling non-conforming members of a population.
Codes of conduct should be in place for all companies (recommended in 1987 by the Treadway Commission and confirmed by King II [5]) and should be enforced. They assist in setting an ethical tone at the top of the organization and must apply to all levels from the top down. They open channels of communication between management and employees and assist in the prevention of, for example, fraudulent reporting.
Codes of conduct are based upon a shared understanding of values including, but not limited to:
· Honesty. No intentional deception
· Integrity. One standard of conduct for all involved
· Morality. Acting in terms of accepted social norms
· Equity. Acting in a fair manner with equal treatment for all
· Equality. Provision of equal opportunities to compete and collaborate in business activities
· Accountability. To accurately record an individual’s actions and to account to the stakeholders responsibly for those actions
· Loyalty. Trustworthy commitment to all those with whom an individual has dealings
· Respect. Recognition of the worth of superiors, subordinates, suppliers, and customers
These values are normally aligned to the values statement to form the basis for the agreed code of conduct.
Codes of conduct may typically take two forms:
1. Positive statement of honest intentions (all embracing but impossible to control)
2. Lists of improper behavior (easier to audit but difficult to keep comprehensive)
Codes that have been observed to be most effective contain a combination of positive generalizations and specific prohibitions. They include the basic rules of acceptable and unacceptable behavior and cover corporate positions and rules concerning:
· Acceptance of gifts
· Conflicts of interest
· Standards of corporate practice
It is inevitable that in the conduct of business ethical dilemmas will arise that have to be faced and resolved as a result of conflicting values among various stakeholders. There is often no way of telling which values are correct or incorrect because different people have different values that they pursue.
The word “govern” is derived from the Latin word gubernare, referring to the steering of a ship, and the word “governor” is derived from gubernator, which refers to the captain of a ship or steersman. Business and corporate governance place the goal of business success within the context of honest business behavior and sound stakeholder relations. The purpose of good governance is to match business behavior and management conduct with the organization’s intentions, mission, and objectives.
Following a variety of well-publicized breaches of the principles of good corporate governance, it was inevitable that IT governance would emerge as one of the more critical issues in the IT field. In well-managed companies IT governance was implemented in order to ensure the overall achievement of good management principles within the organization. In others it has become just another set of rules to be complied with. Governance responsibilities include setting the strategy, managing the risks, delivering perceived value, and measuring achieved performance.
These responsibilities have, overall, been driven by the need to demonstrate the transparency of risks to the enterprise, but the impact of IT on the organization as a whole has created a dependency requiring specific focus on IT governance. Risk management in these areas includes the management of IT’s impact on business continuity as well as reputational risk resulting from failures within IT itself. Generally, then, IT governance is intended to sustain organizational operations directed toward the implementation of its general business strategies, now and in the future.
IT governance itself has been defined as:
. . . the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives [6]
This indicates a clear difference between IT governance and IT management. Governance is concerned with IT achieving the current and future information needs of the organization in a controlled manner. Management focuses on ensuring an ongoing supply of quality services and products at an acceptable cost.
From a governance perspective, the ultimate responsibility lies with the board of directors or governing body of the particular institution. A critical part of the execution of this responsibility lies in ensuring that the managerial levels understand the part they play in achieving good governance and implement the appropriate control structures in order to achieve it. Overall, the primary responsibility for implementing the strategic plans and policies of the organization as laid down by the board rests with the Chief Executive Officer.
Given the critical role of information systems in achieving corporate strategies, the IT manager has a critical role to play in achieving good governance. The IT manager sets the operating objectives for the IT function ensuring alignment with the organizational strategic objectives in order to provide the initial goals for the IT function. Management control is achieved by creating a continuous feedback mechanism for measurement of performance, comparison to objectives, refinement of processes where necessary, and realignment of objectives where required.
One critical element of the governance process is the placement of the decision-making role for IT within the organization. Centralized versus decentralized was the traditional choice, but a more modern alternative is the federal structure, combining the efficiencies of the centralized structure with the flexibility of the decentralized.
Because IT governance occurs at different layers within the organization, Control Objectives for Information and Related Technology (COBIT®) addresses the governance issues via key goal indicators and key performance indicators. The Board Briefing on IT Governance includes IT governance checklists, a Board IT Governance toolkit, a management IT Governance toolkit, and detailed breakdowns of roles and responsibilities in achieving good IT governance.
Because both internal and external auditors are part of the conformance function of corporate governance, it is critical that IT auditors are familiar with the roles and responsibilities laid down in this document.
The far-reaching Sarbanes-Oxley Act (2002) [7] in the United States provides stringent legal requirements to enforce sound corporate governance on all U.S. Securities and Exchange Commission (SEC) registrants as well as their subsidiaries and associated entities, wherever established and operating in the world. Its provisions contain references to the important role of Audit Committees and Internal Audit in assisting management to ensure the effectiveness of the corporate governance processes.
The Act itself primarily focuses on what is required for acceptable financial reporting; however, the suggested internal control framework (Committee of Sponsoring Organizations [COSO]) to be used for compliance with the Sarbanes-Oxley Act, as recommended by the SEC, addresses the topic of IT controls, although it does not dictate requirements for such control objectives and related control activities, leaving such decisions to the discretion of each organization. Section 404 of the Act requires that the management of public companies specified within the Act assess the effectiveness of the internal control over financial reporting and report annually on the result of that assessment. Given that financial reporting in such companies is directly dependent on the establishment of a well-controlled IT environment, SEC registrants must provide assurance that their IT controls are effective within their financial reporting context.
In its document “IT Control Objectives for Sarbanes-Oxley,” [8] the IT Governance Institute discusses the IT control objectives that might be considered by organizations for assessing their internal controls, as required by the Act.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS [9]
With the increasing electronic commerce utilizing payment by electronic cards, the Payment Card Industry Security Standards Council developed a set of standards to encourage cardholder data security and facilitate the adoption of consistent data security measures on a global basis. The second version became effective in January 2011 and consists of 12 significant requirements and multiple sub-requirements that contain numerous directives against which businesses may measure their own payment card security policies, procedures, and guidelines.
The Standards encompass:
· Installing and maintaining a firewall configuration to protect cardholder data
· Changing vendor-supplied defaults for system passwords and other security parameters
· Protecting stored cardholder data
· Encrypting transmission of cardholder data across open, public networks
· Use of regularly updated antivirus software
· Development and maintenance of secure systems and applications
· Restriction of access to cardholder data by business need-to-know
· Assignment of a unique ID to each person with computer access
· Restriction of physical access to cardholder data
· Tracking and monitoring of all access to network resources and cardholder data
· Regular testing of security systems and processes
· Maintenance of policies that address information security for all personnel
While the Standards have not yet been fully adopted on a worldwide basis, in the United States some 46 states have implemented strict Security Breach Notification Laws, with some states such as Nevada, Massachusetts, and Wisconsin specifically mentioning the Payment Card Industry Data Security Standard (PCI DSS) and/or Information Security Policies.
Housekeeping procedures are intended to reduce the risk of loss or destruction of software and information and to ensure that sensitive output does not fall into unauthorized hands. Such procedures typically relate to the use of supplies, storage of software programs, handling of files including backups, distribution of outputs, and general care of the hardware itself.
In a centralized information processing facility, housekeeping controls and procedures are normally well established to ensure minimization of such risks. In a distributed, user-controlled environment, however, such controls may not be as obviously required, leading to food and beverage contamination of hardware; fire hazards caused by the use of multiple electrical adapters; data files and backups lost, stolen, or strayed; and confidential information either left lying around or sent to the wrong recipients.
The auditor must ensure that basic organizational controls are in place and effective in order to minimize such elementary risks.
[1] Press conference in Washington, D.C. John McCain (R-Ariz.), April 12, 2011.
[2] David Goldstone. Prosecuting Intellectual Property Crimes, Office of Legal Education, Executive Office for United States Attorneys, http://www.usdoj.gov/criminal/cybercrime/ipmanual.htm.
[3] D. Rossouw. Business Ethics in Africa, 2nd Edition. Cape Town: Oxford University Press Southern Africa, 2002.
[4] P. Wheelwright. A Critical Introduction to Ethics, 3rd Edition. New York: Odyssey Press, Inc., 1959, p. 4.
[5] The Institute of Directors (IOD), The King Report on Corporate Governance for South Africa, 2002.
[6] IT Governance Institute, Board Briefing on IT Governance, 2nd Edition, www.itgi.org, 2003.
[7] The Sarbanes-Oxley Act (2002), 107th Congress of the United States, Washington, January 2002.
[8] IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, www.itgi.org, 2004.
[9] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf.