
Slide 1: Information systems Integrity Protection

Slide 3: Facts on fraud
- UK computer fraud: 400 million £
  - 17 000 out of 136 000 companies
  - average case: 46 000 £
- France: total amount of computer fraud 5 000 000 000 FF

Slide 4: Delay of survival (investigation in 490 companies in the EEC)

Sector      a few hours   a few days   longer
Average         20%          48%        32%
Banks           33%          50%        17%
Industry        16%          48%        36%

Note: difference between IT-manager and General manager.

Slide 5: Integrity Violation
- Physical access
- Personnel
- Equipment
- Technical organization
- System software
- System development
- Application development
- Operational aspects
- Calamities
- Backup centers
- Insurance
- Fraud

Slide 6: Physical access
- Management
  - Define access procedures
  - Task definition of security personnel
  - Security areas
- Practical execution
  - Nominate a security manager
  - Procedures for key management
  - Procedures in case of theft or forgetting
  - Destruction
  - Visitors procedures
  - Validation period
  - Cleaning and maintenance personnel
  - Contractors
  - Overtime

Slide 7: Personnel
- Recruitment
  - guidelines for recruitment service
  - reasons for dismissal
  - selection of security personnel
- Personnel registration system
  - presence (individually identified)
  - overtime
  - vacation (required)
- Functions
  - sufficiently trained and experienced
  - rules for replacement
  - job rotation
  - function descriptions (access limited to the job)
  - personnel assessment
  - no personal interest (report anomalies to at least two persons)
- Dismissal procedures

Slide 8: Equipment
- Acquisition, rental
  - negotiate security aspects
  - documentation
  - installation and acceptance
- Maintenance
  - maintenance contracts
  - third parties
  - remote maintenance
- Breakdowns
  - user recovery procedures and awareness
  - internal and external reporting procedures
  - internal control on repairs
  - fault tolerant systems
  - disaster plan tested
- Breakdown history

Slide 9: Technical organization
- Periodical maintenance
- Incident reports
- Incident registration
- Documentation
  - floor-plan
  - equipment inventory
  - list of maintenance contracts

Slide 10: System software
- Programs
  - Interfaces
  - Management of releases and versions
  - System program reports (manufacturer news bulletins)
  - weigh security against efficiency
- Documentation
  - Establish a documentation center
  - System files
  - Three-level documentation
- Management
  - Program library
  - Identification of system programs
  - Change management
  - Testing

Slide 11: System development
- Organization
  - Strategic plan
  - Information plan
  - Project organization
  - Security plan
  - Methodology
- Execution
  - Selection criteria for packages
  - Guidelines for backup and recovery
  - Usage of 'emergency programs' and file correction programs
  - File and disk management
  - File exchanges with third parties
  - Documentation
  - Acceptance procedures

Slide 12: Application programs
- Programming
  - Programming technique
  - Program environment
  - Naming conventions
  - Conflict between security and efficiency
- Documentation
  - Programs
  - Files
  - Changes
  - Security
- Management
  - New program requests
  - Requests for changes
  - Library management
  - Testing

Slide 13: Data security
- Management of data carriers
- Passwords
- Encryption
- Authorization and access
- Network security
- Electronic signature
- Private and public keys

Slide 14: Operational aspects
- IT department independent from other departments
- Transactions and controls separated
- Clearly defined responsibilities
- Job preparation
- Production planning
- Breakdowns
- Input / output controls
- Separation of production, development and data entry
- Control on usage of input documents
- Control on completeness of reports

Slide 15: Calamities
- Fire
  - modern fireproof building
  - computer room separated from flammable materials
  - fireproof walls and doors
  - 24-hour protection (operators or extinguishers)
  - training for fire extinguishers
  - enough fire and smoke detectors
  - emergency lighting and exits
  - enough water available
  - fire brigade in approximately
  - no smoking

Slide 16: Calamities 2
- Power failure
  - no-break (uninterruptible) power supply
  - Backup and recovery (before-images and after-images)
- Falling water
  - No plumber's work on the ceiling
  - Stopcocks available and reachable
  - Sprinkler system only where needed
  - Water outlets in the computer room
- Ground water
  - Water detectors under the computer floor
  - Water pipes equipped with valves

Slide 17: Insurance
- Equipment
- Media
- Extra expenses
- Business interruption
- Computer crime
- Errors and omissions
- Location

Slide 18: Fraud
- Manipulation of input data
- Incorrect additions to master data
- Manipulation of data in correction accounts
- Manipulation or destruction of output
- Unauthorized manipulations of JCL
- Unauthorized additions to programs
- Unauthorized manipulations in the operating system

Slide 19: DBMS security architecture (diagram)
- Users and profiles: End-users, DBA, Security Administrator, Application programmer, Auditor
- Login: Authentication, Authorization system
- Database schemas
- Transaction Manager, Data Manager, Database
- Security rules, Authorization rules
- Application Programs
- DBMS log file
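The following is an added example, not code from the presentation: a small Python model tying together the components of the slide 19 diagram (login/authentication, authorization rules per user profile, a transaction manager, and the DBMS log file) with the before-image/after-image logging of slide 16 and the fraud case from slide 18 (unauthorized changes to master data). All user names, profiles, tables and the authorization rule table are constructed for the illustration; the password handling uses the standard library's PBKDF2, and the log of before/after images is what lets the auditor see every master-data change and lets the transaction manager roll a change back.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    profile: str      # constructed profiles: "end-user", "dba", "auditor"
    salt: bytes
    pw_hash: bytes


def make_user(name: str, profile: str, password: str) -> User:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(name, profile, salt, pw_hash)


def authenticate(users: dict, name: str, password: str) -> Optional[User]:
    """Login step: return the User on success, None on unknown user or bad password."""
    user = users.get(name)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return user if hmac.compare_digest(candidate, user.pw_hash) else None


# Authorization rules (constructed): profile -> table -> permitted operations.
AUTH_RULES = {
    "end-user": {"orders": {"read", "insert"}},
    "dba": {"orders": {"read", "insert", "update"}, "master": {"read", "update"}},
    "auditor": {"orders": {"read"}, "master": {"read"}},
}


def authorized(user: User, table: str, op: str) -> bool:
    return op in AUTH_RULES.get(user.profile, {}).get(table, set())


class DBMS:
    """Transaction/data manager that records before- and after-images in a log."""

    def __init__(self):
        self.tables = {"orders": {}, "master": {}}
        self.log = []   # modification entries and denied attempts, in order

    def execute(self, user: User, table: str, op: str, key: str, value=None):
        if not authorized(user, table, op):
            # Denied attempts are logged too: the auditor wants to see them.
            self.log.append({"user": user.name, "table": table, "op": op,
                             "key": key, "denied": True})
            raise PermissionError(f"{user.name} may not {op} {table}")
        rows = self.tables[table]
        if op == "read":
            return rows.get(key)
        before = rows.get(key)          # image before the change (None if new)
        rows[key] = value
        self.log.append({"user": user.name, "table": table, "op": op, "key": key,
                         "before": before, "after": value, "denied": False})
        return value

    def rollback_last(self) -> bool:
        """Undo the most recent not-yet-undone modification using its before-image."""
        for i in range(len(self.log) - 1, -1, -1):
            entry = self.log[i]
            if entry["denied"] or entry.get("undone"):
                continue
            rows = self.tables[entry["table"]]
            if entry["before"] is None:
                rows.pop(entry["key"], None)
            else:
                rows[entry["key"]] = entry["before"]
            entry["undone"] = True
            return True
        return False

    def audit_master_changes(self) -> list:
        """Auditor's view: every change to master data and every denied attempt."""
        return [e for e in self.log if e["denied"] or e["table"] == "master"]


def demo() -> dict:
    """Constructed scenario: a DBA updates master data, an end-user is refused."""
    users = {u.name: u for u in (make_user("alice", "end-user", "alice-pw"),
                                 make_user("dan", "dba", "dan-pw"))}
    db = DBMS()
    dan = authenticate(users, "dan", "dan-pw")
    alice = authenticate(users, "alice", "alice-pw")
    db.execute(dan, "master", "update", "supplier-17", "ACME Ltd, account 12345")
    try:
        db.execute(alice, "master", "update", "supplier-17", "ACME Ltd, account 99999")
    except PermissionError:
        pass
    db.execute(alice, "orders", "insert", "order-1", "10 widgets")
    return {"bad_login_rejected": authenticate(users, "alice", "wrong") is None,
            "master_changes": len(db.audit_master_changes()),
            "master_value": db.tables["master"]["supplier-17"]}
```

The separation the slides call for is visible in the code: the authorization rules are data the Security Administrator owns, the transaction manager enforces them and writes the log, and the auditor only reads the log. Because both images are kept, a fraudulent "incorrect addition to master data" can be spotted (who changed which key from what to what) and reversed with `rollback_last()`.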

