LOCAL AREA NETWORK (LAN)

Academic year: 2021

A Local Area Network (LAN) is defined as a data communication system that allows a number of independent devices to communicate directly with each other within a moderately sized geographic area, and that offers a physical communications channel providing moderate transfer rates.

Network computing provides the capability for users working on different personal computers, micro-computers or workstations to communicate with each other via the network. It is also possible for users to share network resources and to use any of the services that the network provides. A network consists of a complex of hardware, software and communications, with a number of components located over a large area. The major components in a network are:

i. Network file server and netware
ii. Network workstations
iii. Transmission media

Network file server and netware

A file server is a microcomputer. It runs a network operating system that controls the network resources associated with the file server. The network operating system co-ordinates LAN activities: it decides who can access which files, who can make changes to data, and who can use the network printers.

In a network, files are stored on a hard disc drive located on the server. Naturally the hard disc drive capacity is very high.

Network workstations

Workstations are personal computers. Network users do their work on these computers. These workstations can process their own files and run their own operating systems. However, the network workstations are capable of accessing files not only from the local drives but also from files elsewhere in the network.

Workstations use two pieces of software to communicate with the file server. They are:

(a) The shell
(b) The protocol

The shell redirects requests from the workstation across the network as necessary. The protocol lays down the rules and procedures and provides a common communication mechanism between the workstation and the file server.

Transmission media

The transmission media can be any of the following:

* Twisted pair and co-axial cable made of copper
* Fibre optics or fibre plastics

Information flows between the workstations and the servers. The file server, which is a microcomputer, operates as a "host computer" with which other entities like printers, other terminals, etc. interact. Hardware and software components are put together to operate as a whole by the operating system of the network. A workstation in a network can be, and may be, connected to one or more file servers.

It is possible for one network to be connected to several other networks.

Distributed or decentralised computing facilities can be set up in different geographical areas. However, in a distributed environment data is exposed to more threats. The risks can be minimised by building a "trusted network computing facility".

PROBLEM AREAS

Communication systems have become a vital strategic asset for many organisations. In commercial organisations, management has realised that networking marketing, production, finance and the other vital functional areas gives them information power.

The dynamic marketing effort put in by vendors of network systems, coupled with "image creation" amongst others in the field, has resulted in proliferation: more and more organisations have started "networking" their computer environment. Effective management of an organisation's telecommunication resources can no doubt offer substantial benefits, but sound control procedures are needed to enhance the network's ability to adapt and grow with the organisation. The internal auditor in normal circumstances should examine the policies and procedures, and the telecommunication function itself, to evaluate the effectiveness of the networking function. However, the present practices are not as expected. There are no policies and procedures, which are very essential for managing network operations. There are no procedures regarding compatibility of hardware and software, protection of confidential information, or procurement. There is no detailed definition of requirements, no detailed evaluation, and no contract terms and conditions.

A communication network is an area where it is essential to have hardware and software compatibility. The introduction of new technology very often changes the definition of compatibility, and hence it is necessary to constantly review the policies to ensure their currency.

In present-day practice there are no policies and procedures in most of the organisations, with the result that the question of their being current does not arise. It is not uncommon to find elaborate, complicated and quite unsatisfactory arrangements being made to have the latest version of the software work on outdated hardware. Amongst the other, more important present practices are:

i. Lack of a systems development life cycle methodology.

ii. In most organisations the concept of SDLC is absent, and when a network is implemented the same culture is continued, with the result that there is a total absence of established objectives, cost estimates, acceptance criteria, etc.

Change management

There are no well-documented procedures regarding alterations or modifications to hardware and software.

Security authorisation

There are no well-established corporate security policies in most of the cases. In the few cases where a policy does exist, though vaguely, the procedures for accessing network facilities, maintaining audit trails and using diagnostic hardware are not clear and well laid down.

Problem reporting and surveillance

There are no well-laid-down procedures regarding the preparation of reports connected with security violations or hardware problems. In the organisations, the individual who may be held responsible for follow-up action on such reports is also given other responsibilities. In the circumstances, performing the duty of system administrator becomes incidental. There is no supervision of the system administrator's work. There has been a reported case of the system administrator himself having been a party to a security violation.

Contingency and disaster recovery plan

It is absolutely imperative to have well-documented standards and guidelines regarding contingency planning generally, and more so when networking is introduced. A study of the present practices reveals that there are no such well-documented standards or guidelines; it is only a case of crisis management. While segregation of duties is an important element of a system of internal control, in not-so-big organisations it becomes difficult to implement this principle. In the circumstances it becomes more important to have an effective contingency plan. In most of the organisations it is absent.

Five users were selected at random for study in a large public limited company with a turnover of several crores of rupees and a widely dispersed office where the concept of LAN was introduced. Discussions with the senior executive of the company in charge of computer operations revealed that users were permitted to make "simple changes" to programs which were relevant to their departments, in violation of the generally accepted discipline that users should use a program only in "Execution Mode". The programs were accessed from the file server and modifications were made at the user end. The print-out at the file server node provided this information. It was informed that there is a systems administrator who periodically files the print-outs. Further discussions revealed that most of the security considerations are being violated on the basis of trust in the "loyal staff".

In another organisation, which was also a public limited company, access control procedures were inadequate. A member of the staff made an unauthorised access to a confidential file and obtained information to use against the organisation. This instance was discovered after the incident by a casual viewing of the print-out at a node which had an important file. Subsequently, steps were taken to review the "Access Procedures".

In a nationalised bank, the manager was provided with a node to facilitate his giving the password in appropriate situations, like "permitting overdraft to certain customers". It was found that use of the manager's password had been converted into part of the operating instructions. Discussion with the manager revealed that these procedures were violated again in view of the trust they have in the staff. A programmer in a foreign country who opened an account in the bank and took advantage of the vulnerabilities in the procedures absconded with a large sum of money before the same was discovered. In all the five cases, the auditors were blissfully ignorant of the risks and exposures.

STANDARD ACCEPTED PROCEDURES

The main purpose of having controls is to minimise the exposures. The additional controls that are needed in an online system are:

A. Security control
   * Access: authentication, authorisation
   * Privacy
   * Process environment: program changes, authorising execution of programs, operating systems

B. New components control
   * Data communication
   * Terminals

C. Controls to provide adequate trails
   * Audit trail
   * Documentation of magnetic medium
   * Audit trails from transactional loss to create recovery controls

The figure given below highlights the new controls that are needed.

[Figure: On-line system controls and audit problems, showing the user/input phase, the online process phase (integrity, accuracy, continuity), DB dumps with back-up and recovery, and the output phase.]

Adopted from Javier F. Kuong, "Controls for Advanced On-line Data Base Systems", Management Advisory Publications, Mass.

Providing on-line systems controls

Generally, systems are designed to provide built-in controls to ensure the following:

* Accuracy
* Security
* Continuity

In order to design appropriate internal controls, an overview of the design of the controls needs to be made. The control points could be considered under the following heads:

i. Data entry
ii. Data communication

At the point of data entry, control mechanisms are built in to minimise the consequences of the following threats:

* Entering wrong transactions
* Entering unauthorised transactions
* Improper adjustments by misusing error correction practices
* Absence of audit trails
* Loss of transactions

To maintain access control, security and privacy, the standard practices to be adopted are:

* There should be automatic sign-off of all operators when a major system failure is detected.
* There should be a restricted menu display for each user.
* There should be specific passwords for users.
* There should be supervisory passwords for special functions.
* Automatic disabling of terminals after a number of unsuccessful trials.
* Logging of unsuccessful trials and keeping a count of the same.
* Disabling of terminals after working hours.
* There should be logging of after-hours use of terminals, and importance should be attached to accountability of entries.
* There should be effective security surveillance procedures.

Password control

* The password display on terminals should be suppressed.
* There should be separate passwords for identification and authentication.
* Establish effective administrative procedures for password change and maintenance, as follows:
  - All password changes should be reviewed and there should be security surveillance.
  - For sensitive positions there should be tightly accounted procedures for changes in passwords when there is a change in personnel.
  - Passwords should be invalidated automatically after the lapse of a certain pre-determined time.
  - Password tables should be inaccessible to anyone other than the super user.

Control procedures should be adequate to meet the following control objectives:

* The terminal should always be capable of being identified.
* The user should be identified and authenticated.
* The user should be capable of operating only within the limits that he is authorised to.
* The terminal should be capable of logging all deviations from normal operations.
* The operation at any terminal should be so designed as to provide continuity of operations in case of breakdown or interruption.
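The sign-on and password controls listed above can be combined in one small gateway. The following is an added example and not code from the original paper: a Python sketch of a terminal sign-on gateway with a salted password table, lockout after a fixed number of unsuccessful trials, a working-hours restriction on terminals, password expiry, a restricted menu per user, and an audit log of every refused sign-on. The constants, account names, terminal identifiers and timestamps in demo() are constructed for illustration.

```python
"""Terminal sign-on controls (added example; not the paper's code).

Implements: a salted password table held only by this gateway, lockout after
MAX_TRIALS unsuccessful trials, terminals disabled outside WORKING_HOURS,
passwords invalidated after PASSWORD_LIFETIME, a restricted menu per user,
and an audit log of every refused sign-on. All names and values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

MAX_TRIALS = 3                          # disable the account after this many unsuccessful trials
PASSWORD_LIFETIME = timedelta(days=90)  # passwords invalidated after this lapse of time
WORKING_HOURS = (9, 18)                 # sign-on permitted from 09:00 up to, not including, 18:00


def hash_password(password: str, salt: bytes) -> bytes:
    """The password table holds only salted PBKDF2 digests, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    changed_at: datetime        # when the password was last changed
    menu: tuple                 # the restricted menu this user is allowed to see
    failed: int = 0             # running count of unsuccessful trials
    locked: bool = False


@dataclass
class Gateway:
    accounts: dict = field(default_factory=dict)  # the password table
    audit: list = field(default_factory=list)     # (time, terminal, user, reason) per refusal

    def enrol(self, user: str, password: str, menu, now: datetime) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(user, salt, hash_password(password, salt), now, tuple(menu))

    def sign_on(self, user: str, password: str, terminal: str, now: datetime):
        """Return the user's menu on success, or None after logging the refusal."""
        if not WORKING_HOURS[0] <= now.hour < WORKING_HOURS[1]:
            return self._refuse(now, terminal, user, "OFF_HOURS")
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            # One answer for unknown and locked users, so a guesser learns nothing.
            return self._refuse(now, terminal, user, "LOCKED_OR_UNKNOWN")
        if not hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failed += 1
            if acct.failed >= MAX_TRIALS:
                acct.locked = True      # further trials are refused until a supervisor resets
            return self._refuse(now, terminal, user, "BAD_PASSWORD_%d" % acct.failed)
        if now - acct.changed_at > PASSWORD_LIFETIME:
            return self._refuse(now, terminal, user, "PASSWORD_EXPIRED")
        acct.failed = 0                 # a good sign-on clears the running count
        return acct.menu

    def _refuse(self, now, terminal, user, reason):
        self.audit.append((now.isoformat(timespec="minutes"), terminal, user, reason))
        return None


def demo():
    """Constructed scenario: a guesser at terminal T07, a stale password, and an off-hours trial."""
    g = Gateway()
    t0 = datetime(1995, 3, 6, 10, 0)
    g.enrol("clerk1", "ledger-42", ["ENQUIRY", "POSTING"], t0)
    g.enrol("manager", "overdraft-ok", ["ENQUIRY", "POSTING", "OVERDRAFT"], t0 - timedelta(days=120))
    results = {"ok": g.sign_on("clerk1", "ledger-42", "T01", t0)}
    for i in range(MAX_TRIALS):                              # three wrong guesses lock clerk1
        g.sign_on("clerk1", "guess%d" % i, "T07", t0 + timedelta(minutes=i))
    results["after_lockout"] = g.sign_on("clerk1", "ledger-42", "T01", t0 + timedelta(minutes=5))
    results["expired"] = g.sign_on("manager", "overdraft-ok", "T02", t0)
    results["off_hours"] = g.sign_on("clerk1", "ledger-42", "T01", t0.replace(hour=22))
    return results, g.audit


if __name__ == "__main__":
    res, log = demo()
    print(res)
    for entry in log:
        print(*entry)
```

The audit list is the surveillance record the practices call for: each refusal carries the terminal, the user name attempted, the time and the reason, so a count of unsuccessful trials per terminal or per user, and any after-hours attempt, can be reviewed from it. Resetting a locked account is deliberately left to a supervisory function outside sign_on().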

Standard practices - Audit procedures

On-line computer systems have an impact on the audit procedures. The matters of particular importance to auditors in an online system are:

* Authorisation
* Completeness
* Integrity of records and processing, especially in view of the fact that in a networked system the system is accessible to many users and programmers.

Changes in the performance of audit procedures are due to the following:

* Transaction trails becoming invisible
* The necessity for auditors who have proper skills in an online system
* Adequate knowledge of procedures during (i) the audit planning stage, (ii) concurrently with online processing, and (iii) after processing has taken place.

Generally, in a well-designed online computer system the auditor would rely more on internal controls. It is accepted that the auditor would have adequate knowledge of the internal controls in an online system so that he will follow the appropriate audit procedures.

Audit procedures performed concurrently with online processing would require testing of controls on the online applications.

Procedures associated with audit after processing has been completed would include:

* Compliance testing of controls for transactions already logged in, for (a) Authorisation (c) Accuracy
* Substantive testing of transactions and processing results
* Reprocessing of certain transactions where necessary.

It is generally recommended, and found more effective, for an auditor to perform a pre-implementation review of new online applications.

Audit

Information was gathered from a sample of 30 auditors regarding the procedures they would adopt in organisations where computers were networked using a LAN utilised for important areas of operations.

The auditors, neither internal nor external, were aware of the risks associated with a LAN environment. No audit was being performed. The auditors, in spite of being aware that computers were installed in all the functional departments and networked, were ignorant of the type of applications. Audit in that area was totally absent. Counter-checking of this fact was made with organisations having a LAN, who confirmed that no audit was performed.

Controls

A random sample of 5 organisations which had installed a LAN was taken to study the control aspects.

ANALYSIS AND FINDINGS

Role of the auditor

In the sample of organisations chosen for the survey of control and audit procedures, it was found that neither the internal auditor nor the external auditor was performing an audit of the LAN environment. As a matter of fact, the audit operations did not include evaluation of internal controls in a computerised environment generally. The auditors are totally unaware of the risks associated with a LAN environment and of the accepted, well-established controls which need to be implemented to minimise those risks. This failure of the auditors to evaluate the controls in a LAN environment was independently confirmed by the organisations which had a LAN environment.

CONTROLS

In none of the organisations were there any documented procedures and guidelines regarding implementation of the LAN. While some of the organisations had a network diagram, others had none. Even in the organisations which had a network diagram, it was not updated and hence incorrect. There was no specific terminal designated to monitor activity within the online system. In one of the organisations, a user department was permitted to access a program from its node, make a change in the program and execute it at its terminal. Though this situation was reflected in the print-out at the network administrator's terminal, apart from the print-out being filed no further action was taken.

In most of the cases, no review of controls or procedures is undertaken. In one other organisation it was discovered later that important management information which should be available only at one terminal was accessed at another terminal during lunch time. Much after the event it was discovered and corrective action taken.

The discipline associated with passwords is not generally being adhered to. Passwords in many instances have become part of operating instructions, and passwords in some cases are known to more than one person.

In all the cases there have been instances of violation of security, lack of integrity and loss of data. Corrective action has been taken subsequent to the occurrence.

Even in organisations with a LAN environment, as in other organisations, Disaster Recovery Planning is totally inadequate. Other than having a copy of the program and a copy of important data stored in the same installation, there was no other evidence of an effective DRP. Disasters have occurred and recovery has been made with much difficulty.

SUGGESTIONS

In view of the operations of an organisation being distributed, it becomes necessary to have computer operations located at the place of the operation. However, to have overall control of the organisation's information, and at the same time allow each of the users to have access to such information as may be necessary, it becomes imperative to have networks.

Local Area Networks (LANs) have defined a new domain of networks that can be installed and managed by user groups. The dynamic nature of the telecommunication environment, along with the strategic importance of networks, gives telecommunications high visibility. This necessitates effective control.

In view of the importance of controls in LANs in ensuring integrity, security, confidentiality and continuity of information, effective auditing of such systems is very important.

A study of standard accepted procedures for controls and audit, in comparison to the actual practice as revealed by the survey conducted, showed up a big gap.

Taking into consideration the environment in India, the following suggestions need to be considered in the areas of control and audit in a LAN.

Control of completeness and accuracy

There should be clear guidelines and procedures laid down by the management regarding usage of the network, addition of nodes, job responsibilities, security, etc.

There should be a corporate policy laid down regarding the procedures to be followed.

The procedure at the least should include controls regarding:

* Time and date stamp
* Sequence number checking
* Transaction terminal
* Periodic message reconciliation
* Back-up equipment and facilities
* Recovery procedures

Network security

Clear guidelines should be provided regarding classification of critical information.

There should be well-documented security policies, standards and procedures. The audit and legal departments should be associated in security planning.

Acquisition of equipment, software and services

There should be a central department which has the knowledge of organisational interests and is able to establish product specifications and benchmarks.

Auditors and users should have an important role in product acquisition.

Change management

There should be an authorised procedure for any telecommunication change. The procedure should include documentation requirements and approval. There should be a post-implementation review of telecommunication changes.
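One way to enforce the change procedure on the program library held on the file server, and to catch the kind of unapproved user-end modification reported in the findings, is to compare the library against an approved baseline. The following is an added example and not code from the original paper: a Python check that hashes every program, compares it with the baseline taken when the library was last signed off, accepts only changes whose digest was entered in a change register at approval time, and flags programs left writable by group or others (users should have them in execution mode only). The library contents, file names and register used in demo() are constructed.

```python
"""Program library integrity check against an approved baseline (added example;
not the paper's code). The library path, file names and change register used
in demo() are constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(library: Path) -> dict:
    """Record the approved state of the library: program name -> SHA-256 digest.
    Taken at sign-off of the last authorised change and kept off the file server."""
    return {p.name: digest(p) for p in sorted(library.iterdir()) if p.is_file()}


def check_library(library: Path, baseline: dict, change_register: dict) -> dict:
    """Compare the library with the baseline.

    change_register maps a program name to the digest approved for it under the
    change procedure. A program whose digest differs from the baseline and is not
    the registered one has been changed without authorisation. Programs writable
    by group or others are reported too: users should have them in execution mode only.
    """
    current = take_baseline(library)
    findings = {"unauthorised": [], "approved": [], "missing": [],
                "unregistered_new": [], "writable_by_others": []}
    for name, old in baseline.items():
        if name not in current:
            findings["missing"].append(name)
        elif current[name] != old:
            key = "approved" if change_register.get(name) == current[name] else "unauthorised"
            findings[key].append(name)
    for name, new in current.items():
        if name not in baseline:
            key = "approved" if change_register.get(name) == new else "unregistered_new"
            findings[key].append(name)
        if (library / name).stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["writable_by_others"].append(name)
    return findings


def demo() -> dict:
    """Constructed scenario in a temporary directory standing in for the file server."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        for name, body in [("interest.exe", b"INTEREST v1"), ("ledger.exe", b"LEDGER v1"),
                           ("payroll.exe", b"PAYROLL v1")]:
            (lib / name).write_bytes(body)
            os.chmod(lib / name, 0o555)                  # execution mode only
        baseline = take_baseline(lib)
        # An authorised change: payroll v2 installed and its digest entered in the register.
        os.chmod(lib / "payroll.exe", 0o755)
        (lib / "payroll.exe").write_bytes(b"PAYROLL v2")
        os.chmod(lib / "payroll.exe", 0o555)
        register = {"payroll.exe": digest(lib / "payroll.exe")}
        # What the findings describe: a user node edits ledger, a program vanishes,
        # and a new program appears, left writable by everyone.
        os.chmod(lib / "ledger.exe", 0o755)
        (lib / "ledger.exe").write_bytes(b"LEDGER v1 +bonus")
        (lib / "interest.exe").unlink()
        (lib / "tool.exe").write_bytes(b"NEW TOOL")
        os.chmod(lib / "tool.exe", 0o666)
        return check_library(lib, baseline, register)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Run periodically from the administrator's terminal rather than filed as a print-out, the "unauthorised" and "writable_by_others" lists are the items that require follow-up action; the baseline and the register must be stored where a user node cannot rewrite them, or the check only confirms what the attacker wants it to.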

Suggestions for audit procedures

Analysis of the procedures in a sample survey of organisations having a LAN environment revealed that no role is performed by either the internal auditor or an external auditor. While an external auditor may as of now claim that EDP audit is not part of the statutory audit, an internal auditor would be failing in his duty if he does not evaluate the internal controls in the LAN environment of his organisation. Broadly, the audit program should include the following at a minimum:

* Check the existence of policies and procedures from the management regarding implementation and maintenance of the LAN.
* Check an inventory of data communication equipment.
* Verify whether there is a network diagram which clearly denotes the physical and logical connections between the various communication equipment.

Verifying integrity

* Is any particular terminal designated specifically to monitor activity within the online system?
* Is there any documentation of hardware failures and software failures?
* Are there any procedures to ensure that all transactions are received?
* What is the procedure regarding transaction messages that may be duplicated, unaccounted for or lost? That is, the software log of errors and re-transmissions. Is there any review of such error logs?
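The integrity questions above, together with the completeness controls suggested earlier (time and date stamp, sequence number checking, transaction terminal, periodic message reconciliation), can be answered mechanically from the message journal. The following is an added example and not code from the original paper: a Python reconciliation of a constructed journal against each terminal's own count of messages sent. The journal line format (terminal|user|date time|message no.|ETX|EOT), the assumption that message numbers start at 1 per terminal for the period, and all sample lines are constructed for this example.

```python
"""Message journal reconciliation (added example; not the paper's code).

Journal line format is an assumption for this example:
    terminal|user|date time|message no.|ETX|EOT
ETX = end of message, EOT = end of transmission; '-' in either field means the
server never saw that marker, i.e. the message was cut off. Message numbers are
assumed to start at 1 per terminal for the period being reconciled.
"""
import re
from collections import defaultdict

JOURNAL_RE = re.compile(
    r"^(?P<term>T\d{2})\|(?P<user>\w+)\|(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\|(?P<seq>\d{4})\|(?P<eom>ETX|-)\|(?P<eot>EOT|-)$"
)


def parse_journal(text: str):
    """Return (records, malformed_lines); a line the parser rejects is itself a finding."""
    records, malformed = [], []
    for raw in text.strip().splitlines():
        m = JOURNAL_RE.match(raw.strip())
        if m is None:
            malformed.append(raw.strip())
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        rec["complete"] = rec["eom"] == "ETX" and rec["eot"] == "EOT"
        records.append(rec)
    return records, malformed


def reconcile(records, sent_counts):
    """Per terminal: duplicated, lost (gap in message numbers), incomplete and
    out-of-order messages, and 'unaccounted' = messages the terminal reports
    having sent minus distinct messages the server journalled. A loss at the
    end of the period leaves no gap, so only the sent count reveals it."""
    by_term = defaultdict(list)
    for rec in records:
        by_term[rec["term"]].append(rec)
    report = {}
    for term in sorted(set(by_term) | set(sent_counts)):
        recs = sorted(by_term.get(term, []), key=lambda r: r["seq"])
        seen, duplicated, out_of_order = set(), [], []
        last_ts = ""
        for rec in recs:
            if rec["seq"] in seen:
                duplicated.append(rec["seq"])
            seen.add(rec["seq"])
            if rec["ts"] < last_ts:      # higher message no. but earlier clock: replay or clock tampering
                out_of_order.append(rec["seq"])
            last_ts = max(last_ts, rec["ts"])
        report[term] = {
            "received": len(seen),
            "duplicated": duplicated,
            "lost": [s for s in range(1, max(seen, default=0) + 1) if s not in seen],
            "incomplete": sorted({r["seq"] for r in recs if not r["complete"]}),
            "out_of_order": out_of_order,
            "unaccounted": sent_counts.get(term, 0) - len(seen),
        }
    return report


# Constructed sample: terminal T03 repeats message 3, never delivers 4 and has 5 cut off;
# terminal T05 shows a clock going backwards and reports one more message sent than journalled.
SAMPLE_JOURNAL = """
T03|clerk1|1995-03-06 10:02|0001|ETX|EOT
T03|clerk1|1995-03-06 10:05|0002|ETX|EOT
T03|clerk1|1995-03-06 10:09|0003|ETX|EOT
T03|clerk1|1995-03-06 10:09|0003|ETX|EOT
T03|clerk1|1995-03-06 10:14|0005|ETX|-
T05|clerk2|1995-03-06 10:01|0001|ETX|EOT
T05|clerk2|1995-03-06 10:03|0002|ETX|EOT
T05|clerk2|1995-03-06 09:58|0003|ETX|EOT
NOISE ON LINE 3 -- line hit
"""
SAMPLE_SENT = {"T03": 5, "T05": 4}   # counters kept at the terminals themselves


def run_sample():
    records, malformed = parse_journal(SAMPLE_JOURNAL)
    return reconcile(records, SAMPLE_SENT), malformed


if __name__ == "__main__":
    report, bad = run_sample()
    for term, facts in report.items():
        print(term, facts)
    print("malformed:", bad)
```

The point of the sent_counts input is that the server-side journal alone cannot see a message that was sent last and never arrived; the terminal's own counter, reconciled periodically, is what makes that message "unaccounted" rather than invisible. A duplicate with an identical timestamp is a retransmission; one with a later timestamp deserves a look as a possible replay.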

Physical security

* Is access to test equipment restricted to authorised personnel only?
* Are cables adequately shielded to prevent physical tampering?

Logical security

* Are password systems in use?
* Are only authorised persons permitted to access communication software?
* Are users prevented from making an unlimited number of unsuccessful attempts?

QUESTIONNAIRE - AUDIT

CHECKLIST FOR AUDIT OF TELECOMMUNICATION SYSTEM (Yes / No)

GENERAL

* Have you checked whether there is an inventory of data communication equipment: terminals, modems, etc.?
* Have you checked the network diagram in connection with the physical and logical connections of communication equipment?
* Are there written authorisations regarding the physical and logical connection of terminals?
* Is supervisor approval needed to use terminals outside authorised usage hours?
* Are there written guidelines to determine any errors in the communication equipment?
* Are there established procedures to ensure that all transactions are recorded?
* Is there a review procedure for transactions which may not be accounted for or may be corrupted?
* Is there accountability for reviewing error logs?
* Is there a journal of messages, and does each message carry the following: terminal, user, date, message number, end of message, end of transmission?
* Have you satisfied yourself that the back-up facilities for the online system are adequate?
* Have you verified the restart and recovery procedure in case of hardware or software failure?

PHYSICAL SECURITY

* Are there policies and guidelines regarding physical security for terminals?
* Are the cables electrically shielded to protect from physical tampering or other damage?
* Are test equipment and diagnostic software used only by authorised people?

LOGICAL SECURITY

* Are only authorised personnel permitted to access communication software?
* Are users prevented from making an unlimited number of unsuccessful attempts?
* If sensitive information is being processed, are there adequate controls so that it can be accessed only by authorised personnel?
* When was the last audit conducted? Within one year? Within two years?

QUESTIONNAIRE - GENERAL (Yes / No)

* Does your department have any policies and guidelines regarding installation of the network, adding nodes, job responsibility, reporting structures, etc.?
* Has an audit ever been conducted of the networking configuration and the applications?

COMPLETENESS AND ACCURACY

* Do you employ built-in controls in your communication systems to ensure completeness and accuracy?

NETWORK SECURITY

* Do you have any well-laid-out policies and procedures regarding network security?
* Is the information classified according to its criticality and sensitivity?
* Has the auditor or the legal adviser been associated in security planning?
* In the last two years have there been any security lapses?

ACCESS CONTROL

* Are all your terminals physically protected from unauthorised access?
* Do you have logging facilities?
* Do you have surveillance facilities?
* Is there a review of violation reports?
* Have there been any violations in the last two years regarding access?

ACQUISITION OF EQUIPMENT

* Are there any established benchmarks?
* Does the user have any role?
* Does the auditor have a role?

CHANGES IN NETWORK

* Are there any written procedures and guidelines regarding change management?
* Are there any checklists or documentation requests in the change management procedure?
* Is there any post-implementation review of the changes?
