Take steps to prevent IT fraud

Info-Tech Research Group's most recent Info-Tech Advisor has an article that is a reminder that the IT department has access to virtually everything electronic, and therefore poses a risk of compromising that data. It has some practical tips for dealing with these risks that take into account the size of the IT department.

Since this is a subscription based service, the article is reproduced here with permission.

For more information about Info-Tech

Take Steps to Prevent IT Staff Fraud

IT staff enjoy unique and often unfettered access to critical corporate information assets. Watch the watchman and put internal controls in place to keep your IT staff honest.

A Good Bunch of Guys, But...

IT staff are responsible for all corporate data, applications, infrastructure, and, in some cases, intellectual property. A compromise of any of these IT assets can cost the company thousands of dollars because it must:

- Plug the security leak and prevent its recurrence.
- Terminate and prosecute the offending employee.
- Hire a new employee.

In spite of this, small- and mid-sized enterprises (SMEs) tend to have few, if any, internal controls in place to prevent either intentional or inadvertent harm to these assets by IT staff.

For example, a disgruntled member of the IT staff can access the corporate salary database, use a simple database query, and increase his or her salary without triggering an exception report. If the employee steals $100,000 in funds, for instance, the company can spend up to $250,000 more to resolve the incident, and that is if it is aware of the fraud at all. The worst-case scenario is that the fraud occurs and the company remains completely unaware of the incident.

Excluding IT from corporate checks is a risky proposition. Even though fraud is a prosecutable offense, finding the rogue IT professional and prosecuting him or her is expensive and always best avoided. Add the cost of the malicious activity itself, and prevention is clearly the preferable route.

A Control Framework for IT

Internal controls are a series of actions and activities that provide reasonable assurance that the department is meeting its objectives. Internal fraud controls focus on ensuring that all staff activities comply with corporate regulations and policies, and help companies reduce asset loss.

Simple internal fraud control for IT can consist of two components:

- Access control. This policy-based mechanism explicitly limits data and application access to users with well-defined business needs. Implementing role-based access control for all data and applications within an organization provides a robust access control mechanism. Although eliminating users with global (root) access to corporate data and applications is impossible, removing rights of use from IT staff who do not need access significantly reduces the likelihood of compromise.

- Monitoring. This component only functions effectively when there are access controls in place. Monitoring focuses on ensuring that all established controls are functioning correctly. All monitoring systems should be flexible and easy to change because changing IT service demands can affect access control and, consequently, monitoring. Companies have two options:
  - Generic software tools that provide internal control documentation. Vendors include ACCPAC, FaceTime, and Sage Software.
  - Document management tools that are capable of application interaction. Vendors include FileNet, GoFileRoom, and EMC Documentum.
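As an added illustration of the monitoring component (this is not code from the Info-Tech article), here is a small Python/SQLite sketch of the exception report that the salary scenario above says is missing: an audit trigger records every salary change together with the login that made it, and a report flags any change where the actor's login matches the employee whose salary changed, or where the raise exceeds a threshold. The table names, the sample employees and logins, and the 10% threshold are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the article): three employees, one of
# whom, dba_dana, is the database administrator.
EMPLOYEES = [
    (1, "Alice Ahmed", "alice", 50000),
    (2, "Hal Hoang", "hr_hal", 60000),
    (3, "Dana Diaz", "dba_dana", 70000),
]

SCHEMA = """
CREATE TABLE employees (
    emp_id INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    login  TEXT NOT NULL UNIQUE,
    salary INTEGER NOT NULL
);
-- Append-only audit trail written by the trigger below. In production this
-- table must live where the DBA cannot delete from it (separation of duty).
CREATE TABLE salary_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    emp_id     INTEGER NOT NULL,
    old_salary INTEGER NOT NULL,
    new_salary INTEGER NOT NULL,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL DEFAULT (datetime('now'))
);
-- SQLite has no CURRENT_USER, so the acting login is kept in a one-row
-- session table (an assumption of this example); a real DBMS would use
-- CURRENT_USER / SESSION_USER in the trigger instead.
CREATE TABLE session (actor TEXT NOT NULL);
CREATE TRIGGER salary_audit_trg AFTER UPDATE OF salary ON employees
BEGIN
    INSERT INTO salary_audit (emp_id, old_salary, new_salary, changed_by)
    VALUES (OLD.emp_id, OLD.salary, NEW.salary,
            COALESCE((SELECT actor FROM session), 'unknown'));
END;
"""


def open_db():
    """Create an in-memory database with the schema, trigger and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def set_actor(conn, login):
    """Record which login is performing the following changes."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session (actor) VALUES (?)", (login,))
    conn.commit()


def update_salary(conn, emp_id, new_salary):
    """The 'simple database query' from the article; the trigger audits it."""
    conn.execute("UPDATE employees SET salary = ? WHERE emp_id = ?",
                 (new_salary, emp_id))
    conn.commit()


def exception_report(conn, max_raise_pct=10):
    """Return audit rows that violate policy: self-modification, or a raise
    above max_raise_pct percent (threshold is an assumed policy value)."""
    rows = conn.execute("""
        SELECT a.audit_id, a.emp_id, e.login, a.changed_by,
               a.old_salary, a.new_salary, a.changed_at
        FROM salary_audit a JOIN employees e ON e.emp_id = a.emp_id
        ORDER BY a.audit_id
    """).fetchall()
    findings = []
    for r in rows:
        reasons = []
        if r["changed_by"] == r["login"]:
            reasons.append("self-modification")
        # A zero previous salary would make any increase an infinite raise.
        if r["old_salary"] > 0:
            pct = (r["new_salary"] - r["old_salary"]) * 100.0 / r["old_salary"]
        else:
            pct = float("inf")
        if pct > max_raise_pct:
            reasons.append(f"raise of {pct:.1f}% exceeds {max_raise_pct}%")
        if reasons:
            findings.append({"audit_id": r["audit_id"], "emp_id": r["emp_id"],
                             "changed_by": r["changed_by"],
                             "old_salary": r["old_salary"],
                             "new_salary": r["new_salary"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    db = open_db()
    set_actor(db, "dba_dana")
    update_salary(db, 3, 95000)   # the DBA raises her own salary by ~36%
    set_actor(db, "hr_hal")
    update_salary(db, 1, 52000)   # a routine 4% raise entered by HR
    for finding in exception_report(db):
        print(finding)
```

The report only works if the audit table and the trigger are outside the DBA's reach: someone who owns the database can drop the trigger or delete the audit rows before anyone reads them. That is why the article pairs monitoring with access control and separation of duty; the audit trail should be writable only by the trigger and reviewed by someone outside IT.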

Recommendations

1. Start small. IT managers without internal controls should move slowly. Start by establishing policies and identifying any corporate rules, like data updates and signoff policies, that apply to IT. Use these to create processes for ensuring compliance. Establish the controls associated with these processes, and finally develop the monitors to watch those controls.

Be aware of staff perception. Implementing internal controls for the first time is a big shift in corporate culture. In companies where no malfeasance occurred, management’s decision to implement internal fraud controls can easily anger the IT staff. Read "Use a Marketing Approach to Launch New IT Initiatives" from McLean Report and "Keeping Change Management Simple" from Info-Tech Advisor to help with this initiative.

2. Use existing internal controls as a template. IT executives in companies that already have corporate financial controls, for example, can use them as a starting point. This will significantly reduce the implementation timeframe and lower change management overhead since the corporate culture already involves internal controls.

3. Small IT shops should look for alternatives. IT departments with fewer than five IT staff and no mission-critical applications or data can forgo formal internal IT fraud controls. Even though the opportunity for fraud still exists, the cost of implementing internal fraud controls on this scale can outweigh the benefits.

Use simple alternatives to internal controls, like ensuring all IT staff have their own accounts and passwords rather than a shared administrator login. Implement adequate backup and off-site storage for all corporate data.

Separation of duty is a reasonable alternative to internal fraud controls. Instead of concentrating power in the hands of one or two IT staff, spread responsibility more evenly throughout the IT department, so that a fraud requires collusion rather than a single person's access.

4. Draft a code of ethics for all IT employees. This clearly articulates accepted behavior and provides a baseline for determining fraudulent activity. Use Info-Tech's "System/Network Administrator Policy" as a starting point.

Bottom Line

Overlooking IT as a potential source for fraud is a risky choice. Create internal fraud controls for the IT department as soon as possible and avoid paying the price for IT fraud.

Want to Know More? "Information Technology Controls," from The Institute of Internal Auditors. "Fraud Investigations: Finding Your DBA with a Hand in the Jar," from Business Week Online (free registration required).

More @ Info-Tech Advisor: "Employee...or Saboteur"; "SysAdmin Code of Conduct".

General
David Canton