STUDY OBJECTIVES
This chapter will help you gain an understanding of the following concepts:
An overview of internal controls for IT systems
General controls for IT systems
General controls from a Trust Services Principles perspective
Hardware and software exposures in IT systems
Application software and application controls
Ethical issues in IT systems
On Christmas day in 2011, a loosely organized hacker group called Anonymous hacked into the U.S. data security firm Stratfor, based in Austin, Texas. A few days later, Anonymous revealed that it had collected 200 gigabytes of data from Stratfor, including clients' credit card numbers, e-mail addresses, passwords, and mailing addresses. It posted the credit card numbers of over 30,000 Stratfor clients.
In 2007, a hack of TJ Maxx computers resulted in the theft of over 46 million credit and debit card numbers. Some of the same hackers also hacked into Heartland Payment Systems and stole 130 million credit card numbers. One of the ringleaders of the group, Albert Gonzalez, was sentenced to two consecutive 20-year prison terms.
These kinds of computer security threats continue even as companies try to prevent them. As of 2011, the average cost of cybercrime to large U.S. companies is $3.8 million per year.
While it will never be possible to prevent all such computer network breaches, companies must implement proper controls to try to reduce the chance of computer security problems. Controls are necessary to protect company and customer data. This chapter describes the inherent risks in IT systems and the IT controls that should be implemented to reduce them.