[Solved] MIS452 information system security and audit

  1. Ethics and the IT Auditor | Jill Mathews, an IT audit senior for a global insurance company, was recently asked to perform an IT audit of the company's new cloud computing and virtualization migration plan. Her manager asks that she perform the audit in the next four weeks. She is not familiar with these new technologies and is worried about being able to complete the requirements of this audit. What are the ethical considerations and professional standards Jill should consider? How would you approach this situation?
[Type your answer here] Limit your answer to approximately 300 words.
  2. The IT Audit Planning Memorandum | A well thought out audit planning memorandum provides for an orderly, structured approach to performing the audit. Describe the key components of an audit planning memorandum and why each component is important.
[Type your answer here] Limit your answer to approximately 600 words.

Develop the following from reading the case:

  • Risk Assessment
  • Brief the board of directors with the audit universe, risk profile, and how they can start managing that.

Introduction

The ABC Corporation (ABC) is a Federal Business Unit of MAIN COMPANY Insurance that acts as a Federal Government subcontractor. Headquartered in Chicago, Illinois, ABC administers the second largest plan in the Federal Government. The MAIN COMPANY is committed to providing comprehensive health benefits and freedom of choice to over 1 million federal employees.

ABC employs approximately 1,050 employees among its offices in the following cities: Chicago, Illinois; Rockville, Maryland; Jacksonville, Florida; San Antonio, Texas; and Mesa, Arizona. ABC decentralized operations in 1995, distributing support to the Jacksonville, San Antonio, and Mesa regional offices, and then established a data center in Jacksonville in 1997.

To ensure ongoing customer service from its distributed operating offices, ABC decided to implement a business recovery program that includes documented business recovery plans. When the plans are fully implemented, ABC will be in a position to continue operating if and when a disruption occurs. Without plans and accommodations for contingencies, ABC may not be able to fully recover from a significant disruption since critical information needed for its business may not be available. Listed below are areas that ABC is interested in accommodating:

  • LAN servers and midrange systems to house critical applications
  • PCs for employees to access third party and LAN applications
  • Connectivity to the mainframe for critical applications and transfer protocols to/from Chicago MAIN COMPANY Home Office
  • Mail sorters and other mail handling equipment
  • Work space for key employees
  • Voice communications
  • Data transmission
  • Vital records
  • Various office automation mechanisms and supplies (printers, copiers, fax machines, etc.)

To better understand the impact of a business disruption to ABC and how this would affect its constituents, ABC engaged the XYZ Consulting Company (XYZ) to conduct a Business Impact Analysis (BIA). The BIA focuses on ABC's computer systems and work area recovery, and addresses two major objectives:

  • Determine the operational impacts to ABC that would result from a worst-case business disruption: the complete loss of a regional office or of the Jacksonville Technology Center.
  • Assist ABC in developing a recovery strategy that satisfies ABC's Recovery Time Objectives (RTOs), where an RTO is the length of time from disaster declaration to full information system functionality.

Objectives

This study obtained business and system information to assess the impact to ABC's operations from the sudden and unplanned loss of the Rockville headquarters, a regional office (Mesa, San Antonio, or Jacksonville) or the Jacksonville Technology Center. This study is essential to developing an effective business continuity strategy for ABC, since it outlines all of the background information required to justify further plan development. A recovery/continuity strategy will ensure that critical company functions and supporting systems are restored within acceptable time frames after a disruption. The study was designed to answer the following questions:

Scope

ABC's Request for Proposal (RFP) identified the following critical business functions as the focus of our study, although a review of other business functions was necessary because they are integral components of the ABC business process flow:

  • Customer Service
  • Mail and Print Services
  • Underwriting/Pricing
  • Claims
  • Eligibility and Enrollment
  • Utilization Management
  • Payroll and Human Resources Processing
  • Facilities
  • Purchasing
  • Accounts Payable
  • Financial Reporting
  • Cash Management
  • Treasury Services

As a result of our discussions, we conducted 32 interviews, gathering information from employees representing both business and technical/operations support functions. Four major steps were performed in this study:

  • Assessed the impact on ABC's employees and customers if claims administration capabilities are lost or severely interrupted.
  • Recommended target RTOs, which represent the amount of time a company function can operate without computer or business function support while recovery efforts are underway.
  • Summarized the hardware and work areas required to support critical company operations during recovery.
  • Recommended appropriate recovery strategies that supply required resources within acceptable time frames to support critical operations in an economical manner.

Computer Systems/Locations Included

The following computer systems were included in the project scope:

  • Mainframe
  • LAN servers and midrange systems
  • Electronic Data Interchange (EDI) systems
  • Selected applications provided by third parties that were determined to be critical to the aforementioned business functions. (MetraHealth, DRG Pricing, Multi-Plan, FACETS, PHCS, etc.)
  • Scanning systems and OCR
  • CAS, CRW, and all supporting systems
  • Mail preparation systems
  • Mainframe interface protocols (file transfer, application access, and other communications)

The following locations were included in the project scope:

  • Rockville Headquarters (15400 Calhoun Drive)
  • Jacksonville Regional Office
  • Jacksonville Technology Center
  • San Antonio Regional Office
  • Mesa, Arizona Regional Office
  • Chicago MAIN COMPANY Group Operations Home Office and Data Center (MAIN COMPANY Plaza)

Note: XYZ Consulting Company visited all of the above sites except for San Antonio and Mesa. It was assumed that the business functions performed at Jacksonville were similar to both San Antonio and Mesa and that our recommendations would be valid and apply to all three offices.

Assumptions

The following assumptions were made in the execution of the project:

  • Data on the network, database and application mid-range servers is backed up, even though some systems do not have an off-site tape rotation methodology in place.
  • The primary business disruption scenario that XYZ Consulting Company used occurs at one of ABC's regional offices, the Jacksonville Technology Center, or the Rockville HQ. Because of the distance between the regional offices, it is assumed that multiple regional offices will not be affected simultaneously by a disruption. By using this realistic scenario as our model, the recovery plan recommendation can include the use of ABC branch offices.
  • ABC's need for restoring computer systems and other supporting processes is the basis for selecting an appropriate continuity strategy, since the primary ABC business processes are critically dependent on technology and technology-related entities.

Organization

Interviewees/Survey Participants

All of the following employees completed project surveys; those with asterisks next to their names were interviewed by XYZ Consulting Company:

Employee(s) who Completed the Form or Was Interviewed | Department | Location
Janet L.* | Planning and Reporting | Rockville
Dave R.* | Technology Center | Jacksonville
Carolyn R.* | Customer Service | Jacksonville
Bill S.* | Customer Service | Jacksonville
Kevin V.* | Imaging Center | Jacksonville
Greg N.* | Imaging Center | Jacksonville
Margaret L.* | Imaging Center Operations | Jacksonville
Gary F.* | Technology Center | Jacksonville
Ron H.* | Systems Security/Help Desk | Rockville
Harriet G.* | Audit Services | Rockville
Gene R.* | Marketing | Rockville
Mike S.* | Facilities | Rockville
Cyndi J.* | Mail/Retrieval | Rockville
Linda O.* | Human Resources | Rockville
Angie G.* | Accounting/Treasury Services | Rockville
Denise H.* | Purchasing | Rockville
Debbie Y.* | Corporate Training & Development | Rockville
Debbie H.* | Payroll | Rockville
Gloria G.* | Exception Processing, Eligibility/Eligibility Reconciliations | Rockville
Nancy M.* | Accounts Payable | Rockville
Bonnie V.* | Unix | Chicago
Steve P.* | Unix | Chicago
Howie P.* | Unix | Chicago
Mary P.* | EDI | Chicago
June S.* | CAS | Chicago
Ben L.* | CAS | Chicago
Nate P.* | Corp. Recovery/CSC | Chicago
Terry C.* | Capacity Planning | Chicago
John B.* | Print Management | Chicago
Dave G.* | Cash Management | Chicago
Kelly F.* | Underwriting and Reporting | Chicago
Vicki H.* | PCS, G/L Interfaces | Chicago

Project Team Members

Project team members from ABC and XYZ Consulting Company included the following:

  • Jim B., Project Lead, MAIN COMPANY
  • Jim H., Project Manager, MAIN COMPANY
  • Ron H., ABC, Rockville
  • Jack S., Assistant Vice President, ABC, Rockville
  • Mary S., Project Manager, XYZ Consulting Company
  • Henry G., Sr. Consultant, XYZ Consulting Company
  • Michael A., Managing Consultant, XYZ Consulting Company

Methodology/Approach

The XYZ Consulting Company project team completed the following tasks for the BIA:

  • Conducted a project kickoff session with ABC senior managers to discuss the project and the information that would be collected.
  • Distributed interview questionnaires to the ABC departmental key contacts for gathering information.
  • Conducted interviews with key ABC employees to validate the information on the questionnaires and to discuss critical continuity-related issues.
  • Evaluated the recovery capability of ABC's current environment, outlining issues and risks.
  • Analyzed and documented ABC's information systems.
  • Mapped systems and applications to ABC's critical business processes.
  • Analyzed business impacts, resource requirements, existing capabilities, and risks.
  • Recommended Recovery Time Objectives (RTOs) and documented them in Section IV, Impact Analysis.
  • Recommended appropriate recovery strategies capable of meeting ABC's requirements.

II. Impact Analysis

Introduction

A Recovery Strategy is based on the fact that when critical computer and support systems are not available to users, important company processes cannot be performed in a timely and efficient manner. The length of time from declaring a disaster until computer resources are operational to support the most critical business processes is commonly referred to as the Recovery Time Objective (RTO). Critical is defined as anything (process, computer or resource) required to continue operations (even in a degraded mode) should a business area, computer, or company facility be destroyed or inaccessible for a period of time deemed unacceptable to ABC. The result of an interruption is generally a financial and/or operational impact to the business function that is affected. When a business function is unable to complete its work, ABC's ability to support enrollees and providers is at risk.

Longer RTO time frames are frustrating to everyone, especially since they have a significant impact on enrollee/provider service. Recovery time and data integrity requirements were developed by analyzing the impact information supplied by the business managers we interviewed. Major systems were assigned RTO time frames from four hours to greater than one month. RTOs were assigned based on analysis of the following criteria:

  • Governmental/regulatory requirements
  • System availability to regional offices (Mesa, San Antonio, Jacksonville, Rockville)
  • Timeliness of providing financial information (the letter of credit, etc.) to the government and ABC corporate, while meeting reporting deadlines to regulatory agencies
  • Timeliness of customer claims resolution
  • Existence and effectiveness of alternate processing procedures.

In addition to RTOs, we also examined Recovery Point Objectives (RPOs), the amount of data a department is willing to lose if a disruption occurs. The information in this section will show that the RPO for most of the departments we interviewed is 1 day. This means that they would like to have the previous day's backup restored on the system if a disruption occurs. In this situation, data entered between the time the backup was taken and the point of the disruption is lost and would need to be re-entered into the system to be current. This assumes that data is backed up daily and that tapes are sent to an offsite storage vendor every day.

The above-noted information was gathered by surveying and interviewing resources identified by ABCs project team.

Financial Impacts

We gathered financial data by survey and interviews. We asked employees to estimate losses by category over eight points in time ranging from four hours to one month. Dollar losses were expressed in 14 loss ranges extending from zero to $50+ million. These are ABC's estimates, developed by line managers and reviewed by CH. Listed below are the financial categories along with their descriptions:

FINANCIAL IMPACT CATEGORY | DESCRIPTION
Revenue Loss | Dollar impact of revenue that results from the inability to take and process new customer orders, the need to direct customers to other insurance providers, and the loss of opportunity to sell/provide insurance.
Asset Loss | Dollar impact of ABC's assets that would result from a business disruption, such as work in progress, systems development, proprietary systems, etc.
Regulatory/Legal | Dollar impacts from contractual agreements, suits brought by members/providers/U.S. Office of Personnel Management, sanctions, fines, penalties for failure to properly provide services or fulfill obligations, not fulfilling service level agreements, etc.
Human Resources | Dollar impact that would result from idle employees' payroll, health or profit sharing benefits which, if not provided, may result in employee hardship, the loss of employee support, penalties, strikes, etc.
Control | Dollar impact that would result from: the use of alternate manual procedures; the lack of information related to cash management and investment management; the inability to manage risk; or the inability to determine quantities within inventory.
Additional Expense | Dollar impact that would result from any additional expenses incurred with the start-up and continuation of business or company operations: the necessity to purchase supplies; expenses incurred with the start-up and operation of a manual system; stop-gap equipment and staff; and overtime to recover backlogged transactions.

Total financial losses for the entire company are shown below. HOWEVER, THEY DO NOT CONTAIN FINANCIAL LOSSES FOR THE DIVISION/DEPARTMENTS THAT ARE INCLUDED IN THE CASE STUDY. AS A RESULT, DO NOT USE ANY OF THE FINANCIAL LOSS INFORMATION BELOW FOR JUSTIFYING ANY OF YOUR STRATEGIES IN THE CASE STUDY.

THE FOLLOWING LOSSES DO NOT INCLUDE LOSSES FOR THE DIVISION AND ITS DEPARTMENTS IN THE CASE STUDY. THUS, YOU CANNOT USE THE FIGURES BELOW FOR ANY JUSTIFICATION.

Financial Impacts of a Disruption to ABC

Type of Loss | 4 Hours | 8 Hours | 1 Day | 2 Days | 3 Days | 1 Week | 2 Weeks | 1 Month
Revenue Loss | $0 | $0 | $0 | $0 | $0 | $200,000 | $450,000 | $812,500
Asset Loss | $75,000 | $75,000 | $75,000 | $75,000 | $75,000 | $75,000 | $75,000 | $77,500
Regulatory/Legal | $0 | $0 | $0 | $0 | $0 | $208,000 | $510,000 | $925,000
Human Resources | $207,500 | $210,000 | $220,000 | $220,000 | $1,320,000 | $1,355,000 | $1,385,000 | $1,450,000
Control | $0 | $0 | $0 | $0 | $2,500 | $202,500 | $452,500 | $802,500
Additional Expenses | $7,500 | $17,500 | $17,500 | $23,500 | $27,000 | $79,000 | $153,000 | $373,500
Total | $290,000 | $302,500 | $312,500 | $318,500 | $1,424,500 | $2,119,500 | $3,025,500 | $4,441,000

In addition to the detailed loss information shown above, the figure below shows the same data in chart format.

The information in the above chart indicates that financial losses are minimal at the beginning of a business disruption. However, the losses increase, and continue to increase, the longer the disruption lasts.
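The shape of that loss curve is easier to reason about when the table is recomputed rather than read. The following Python script is an added example (not part of the case study or XYZ's report): it transcribes the table above as constructed data, re-adds the Total row as a transcription check an auditor would perform, computes the dollars lost per hour between consecutive time points (which exposes the jump at three days), and reports the first time point at which losses reach a loss tolerance. The 720-hour month and the tolerance figure passed to first_breach() are assumptions made here.

```python
"""Financial-impact model for a business impact analysis (BIA).

Added example. The loss figures are those in the "Financial Impacts of a
Disruption to ABC" table, transcribed as constructed sample data; the loss
tolerance is an assumed, board-set figure.
"""
from typing import Dict, List, Optional, Tuple

# Time points at which losses were estimated, converted to hours.
# (1 week = 168 h; 1 month is taken as 30 days = 720 h, an assumption.)
TIME_POINTS: List[Tuple[str, int]] = [
    ("4 Hours", 4), ("8 Hours", 8), ("1 Day", 24), ("2 Days", 48),
    ("3 Days", 72), ("1 Week", 168), ("2 Weeks", 336), ("1 Month", 720),
]

# Estimated cumulative loss per category (dollars) at each time point.
LOSS_TABLE: Dict[str, List[int]] = {
    "Revenue Loss":        [0, 0, 0, 0, 0, 200_000, 450_000, 812_500],
    "Asset Loss":          [75_000] * 7 + [77_500],
    "Regulatory/Legal":    [0, 0, 0, 0, 0, 208_000, 510_000, 925_000],
    "Human Resources":     [207_500, 210_000, 220_000, 220_000,
                            1_320_000, 1_355_000, 1_385_000, 1_450_000],
    "Control":             [0, 0, 0, 0, 2_500, 202_500, 452_500, 802_500],
    "Additional Expenses": [7_500, 17_500, 17_500, 23_500,
                            27_000, 79_000, 153_000, 373_500],
}

# The "Total" row as printed, kept separately so the transcription can be audited.
PRINTED_TOTALS: List[int] = [290_000, 302_500, 312_500, 318_500,
                             1_424_500, 2_119_500, 3_025_500, 4_441_000]


def column_totals(table: Dict[str, List[int]]) -> List[int]:
    """Sum every category at each time point (recomputes the Total row)."""
    width = len(next(iter(table.values())))
    return [sum(row[i] for row in table.values()) for i in range(width)]


def totals_match(table: Dict[str, List[int]], printed: List[int]) -> bool:
    """Audit check: does the printed Total row equal the recomputed one?"""
    return column_totals(table) == printed


def first_breach(table: Dict[str, List[int]], tolerance: int) -> Optional[str]:
    """Label of the first time point whose total loss reaches `tolerance`,
    or None if the table never reaches it."""
    for (label, _hours), total in zip(TIME_POINTS, column_totals(table)):
        if total >= tolerance:
            return label
    return None


def marginal_loss_rates(table: Dict[str, List[int]]) -> List[Tuple[str, float]]:
    """Dollars lost per hour between consecutive time points, starting from
    $0 at the moment of disruption; shows where the loss curve steepens."""
    rates: List[Tuple[str, float]] = []
    prev_hours, prev_total = 0, 0
    for (label, hours), total in zip(TIME_POINTS, column_totals(table)):
        rates.append((label, (total - prev_total) / (hours - prev_hours)))
        prev_hours, prev_total = hours, total
    return rates


def dominant_category(table: Dict[str, List[int]], label: str) -> str:
    """Category contributing the largest loss at the given time point."""
    idx = [lbl for lbl, _ in TIME_POINTS].index(label)
    return max(table, key=lambda cat: table[cat][idx])


if __name__ == "__main__":
    print("Totals match printed row:", totals_match(LOSS_TABLE, PRINTED_TOTALS))
    print("First point at or above $1M:", first_breach(LOSS_TABLE, 1_000_000))
    for label, rate in marginal_loss_rates(LOSS_TABLE):
        driver = dominant_category(LOSS_TABLE, label)
        print(f"{label:>8}: ${rate:>10,.0f}/hour, largest category: {driver}")
```

Run as written, the script confirms the printed totals, shows that the first point at or above $1,000,000 is 3 Days, and shows the rate climbing from a few hundred dollars an hour on day one to over $46,000 an hour between days two and three, driven by the Human Resources category; that jump is the kind of fact a board briefing should lead with.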

Impacts of an Outage for Critical Departments

This section summarizes the findings associated with the loss of key business functions and support systems for ABC; it provides a detailed summary of the departments where XYZ interviewed key contacts or from whom we received questionnaires. This information is also detailed in Appendix 1, Department RTOs.

The analysis of each department's criticality was based upon the information in Appendix 1. The third column of the chart in Appendix 1, titled Department RTOs, indicates the RTOs requested by the listed departments. The RTO is the amount of time from disaster declaration to the moment when required information system resources are operational.

As is normally the case in projects of this nature, ABC departments often listed unrealistic, financially impracticable, and unattainable RTOs. Departments will occasionally lose perspective and fail to view their contribution to the organization in the proper context. Objective evaluation of a department (the relative importance of its business processes, its interconnectivity and interdependencies with other areas of the organization, and the formation of an acceptable RTO) is imperative to the success of a business impact analysis.

To objectively determine RTOs, the team analyzed several components. First, we studied the effect of a sustained loss of the department on the future operations of ABC. For example, the following may have significant effects on the company:

  • Delayed revenue should the letter of credit not reach the appropriate government contacts.
  • Significant impact on customer service during a prolonged loss of communications and/or claims resolution abilities.
  • A profound impact on ABC's competitive edge resulting from a loss of underwriting capabilities if a disaster prevents calculation of proposal pricing information during the May-August time period.

The team also analyzed the relative functionality of a given department to determine the criticality of its business processes. Consequently, the departments that demonstrated the most profound impacts on ABC were those that affected revenue and customer service.

With this in mind, the team evaluated the criticality of a department's functionality not only by the RTOs requested by the department representatives, but also by the relative importance assigned to the department based on business continuity standards and professional expertise. Our analysis showed that, given the nature of ABC's revenue source and the stability of its constituency, customer service/support-related functions are the most critical business functions. ABC derives its revenue from a letter of credit submitted to the Office of Personnel Management (OPM) based upon cleared claim checks. Sustaining efficient operations and maintaining a high level of customer service are the two primary business objectives, as customer (the Mail Handlers Union) satisfaction results in ABC contract renewal, which in turn drives revenue. With this in mind, the most critical functions are those directly affecting ABC operations and customer relationships (communications and the timely/accurate payment of claims), such as:

  • Customer Relations
  • Claim Payment Activities
  • Customer Phone Contact
  • Operations/Administrative Services

These departments and their ancillary-service providers were rated highest and assigned lower RTOs. Other departments were assigned RTOs based upon:

  • How their services impact the customer base
  • How their functionality affects core operations
  • Regulatory restrictions (financial reporting, government regulations, etc.)
  • Revenue lost, penalties, etc.

The departments assigned still higher RTOs do not directly affect operations or customer service. Such departments include:

  • Accounts Payable
  • Eligibility Reconciliations
  • Exception Processing
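The tiering described above (highest-rated departments get the lowest RTOs, others are placed by customer impact, effect on core operations, regulatory restrictions, and revenue or penalties) can be made repeatable and defensible to the board by scoring each department against those four criteria. The following Python script is an added example, not part of the case study or XYZ's report; the weights, the 0-3 scores, the requested RTOs and the tier cut-offs are all assumptions chosen to illustrate the method, using department names taken from the report. It also performs the reconciliation the report describes: flagging departments whose requested RTO is shorter than the one their criticality supports.

```python
"""Rank departments into RTO tiers from scored criteria.

Added example. The four criteria are the ones the report lists for assigning
RTOs; the weights, the per-department scores, the requested RTOs and the tier
cut-offs are assumptions made here to show the method.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Department:
    name: str
    customer_impact: int      # 0-3: how its services impact the customer base
    core_operations: int      # 0-3: how its functionality affects core operations
    regulatory: int           # 0-3: regulatory restrictions on the function
    revenue_loss: int         # 0-3: revenue lost, penalties, etc.
    requested_rto_hours: int  # RTO the department asked for on its questionnaire


# Assumed weights: customer and operational impact count most, reflecting the
# report's finding that revenue and customer-service functions are most critical.
WEIGHTS: Dict[str, int] = {
    "customer_impact": 3, "core_operations": 3, "regulatory": 2, "revenue_loss": 2,
}

# Assumed tier cut-offs (minimum score -> assigned RTO in hours), spanning the
# report's range of four hours to about one month. Checked in descending order.
TIERS: List[Tuple[int, int]] = [(20, 4), (12, 24), (6, 168), (0, 720)]

# Constructed sample scores for departments named in the report.
DEPARTMENTS: List[Department] = [
    Department("Customer Relations",          3, 3, 1, 3, 4),
    Department("Claim Payment Activities",    3, 3, 2, 3, 4),
    Department("Customer Phone Contact",      3, 3, 0, 2, 4),
    Department("Accounts Payable",            0, 1, 1, 0, 8),
    Department("Eligibility Reconciliations", 1, 1, 1, 0, 24),
    Department("Exception Processing",        1, 1, 0, 0, 4),
]


def criticality_score(dept: Department) -> int:
    """Weighted sum of the four criteria (maximum 30 with these weights)."""
    return sum(getattr(dept, crit) * weight for crit, weight in WEIGHTS.items())


def assign_rto_hours(dept: Department) -> int:
    """Map the criticality score to the RTO tier it qualifies for."""
    score = criticality_score(dept)
    for min_score, rto_hours in TIERS:
        if score >= min_score:
            return rto_hours
    return TIERS[-1][1]


def reconcile(depts: List[Department]) -> List[Tuple[str, int, int, bool]]:
    """(name, requested, assigned, flagged) per department. A request shorter
    than the RTO its score supports is flagged for discussion, since meeting
    it would cost more recovery capability than the function justifies."""
    result = []
    for d in depts:
        assigned = assign_rto_hours(d)
        result.append((d.name, d.requested_rto_hours, assigned,
                       d.requested_rto_hours < assigned))
    return result


def audit_universe_by_tier(depts: List[Department]) -> Dict[int, List[str]]:
    """Group departments by assigned RTO (hours), lowest RTO first, which is
    the view a board briefing of the audit universe and risk profile needs."""
    tiers: Dict[int, List[str]] = {}
    for d in depts:
        tiers.setdefault(assign_rto_hours(d), []).append(d.name)
    return dict(sorted(tiers.items()))


if __name__ == "__main__":
    for rto, names in audit_universe_by_tier(DEPARTMENTS).items():
        print(f"RTO {rto:>3} h: {', '.join(names)}")
    for name, requested, assigned, flagged in reconcile(DEPARTMENTS):
        mark = "REVIEW" if flagged else "ok"
        print(f"{name:<28} requested {requested:>3} h, supported {assigned:>3} h  {mark}")
```

With the sample scores, the three customer-facing functions land in the 4-hour tier, Eligibility Reconciliations and Exception Processing in the 1-week tier, and Accounts Payable in the 1-month tier; the 4-hour request from Exception Processing and the 8-hour request from Accounts Payable are the kind of unrealistic RTOs the report says departments commonly submit, and the flag gives the auditor a documented basis for pushing back.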
