

Gary C. McWilliams, a manager in the Chicago office of Coopers & Lybrand's Computer Audit Assistance Group, directs the electronic data processing audit activity which includes security and controls reviews for state agencies, municipalities, park districts, large insurance companies, and various small businesses. A Certified Information Systems Auditor, he holds a BA in mathematical sciences from the University of Iowa and an MBA in finance from Northwestern University.

Security for the small computer

by Gary C. McWilliams
Manager, Computer Audit Assistance Group
Coopers & Lybrand

Computers are moving into more and more local municipalities and park districts. It is rare to find a business manager or park district superintendent who is not taking advantage of the computer already or who is not planning for the use of the small business computer which he has ordered. This same manager, however, who has planned every detail of the operation of his department, probably has not planned for the security of his computer system.

Computer security planning should take place before installing the computer. If the computer already is installed, however, it is not too late to review security and internal controls to identify what should be done.

Three areas of security and control need to be considered: environment, data, and programs. To provide a secure environment, there should be physical protection from intruders and natural disasters. Similarly, the protection of data and programs must cover intentional and accidental situations.

One of the first considerations of physical security is the computer's location. Guidelines for large computer installations always have called for placing the computer in an inside room, physically removed from the rest of the business with only one entrance. Although most fire codes require a second exit from the room, the basic guidelines are good: they keep the computer as widely separated from intruders and outside disturbances as possible.

Typically, a park district manager will not have the luxury of providing a separate physical facility for the computer to give him total security. He should be aware, therefore, of the numerous individual security items to review in making his plans and should identify and evaluate the various security factors which exist in his facility. Who has access to the building? Which employees work nights and weekends? Do employees carry I.D. cards? Are doors and windows secured? These are a few of the questions whose answers begin to define what protection exists from intrusions.

To assess and plan for the other half of environmental security—protection from disasters—other factors have to be considered. Fire can be detected by humans or sensing devices. Humans need to be trained in what to do—turn on the alarm, evacuate, save critical files of information, fight the fire with an extinguisher, turn off a master electrical switch first, etc.

If a fire is detected by a sensing device, what happens? A smoke detector might sound an alarm, but what good is it if it's a weekend when no one is around? Other devices, such as sprinkler systems, may cause more damage to computer electronics than the disaster they're intended to combat. Among the disasters to be considered when planning the computer's environment are those caused by water, wind, severe temperatures (especially heat), and electrical problems.

The elements of environmental security are geared to prevent or minimize what could be huge losses but whose likelihood of occurrence is very small. In the areas of data and program security, the concern is for dangers that are much more subtle but much more likely to occur and go undetected, thus leading to possibly greater losses.

Data security and program security have much in common. Both data and programs are stored in the computer system, usually on a magnetic recording device called a disk. Both are subject to possible loss, destruction, manipulation, and error. Without sufficient precautionary measures and detection procedures, the integrity of data and programs can be significantly compromised.

Controls and security procedures for the two, however, are different. Programs usually change very infrequently. Data, on the other hand, may be updated several times a day. Programs are usually under the domain of programmers and operators; data are controlled and updated by non-technical people in the various business areas of the office.

In any business environment, internal accounting controls procedures are important. With a computer they are even more important. Because it is impossible to know if programs and data are intact by looking at the magnetic disk on which they are stored, it is necessary to have procedures which assure the security of those programs and data.

There are a couple of ways to do this. One way is to have the computer programmed to print out all data every time it is used (either updated or referenced) and to print the details which show how the data have been used. A person manually checking this information and reperforming what the computer has done is insurance that both the data and the programs are correct.

Illinois Parks and Recreation 10 March/April 1982

An alternative approach is to have security procedures which monitor and control the programming and operating of the computer. These procedures are designed to insure that no unauthorized changes have been made to programs, that the correct versions of programs and data have been used for processing, and that unusual occurrences were handled properly.

These procedures are common in large computer installations, but may not have been thought of by a first-time computer user or may seem impractical in a park district office. Irrespective of the size of the computer installation, however, security and control are strengthened by the separation of computer duties. By having two different people responsible for programming and operating the computer, a reasonable framework of internal control can be started by having one check the other's work. They both will be interested in seeing that the other person does the job correctly so that it doesn't cause extra work to recover. Both will need to work together to keep programs and data synchronized if something does go wrong.

Don't assume it's too late or that nothing can help. Astute park district managers do not have to be at the mercy of computer technology. Sound computer security and control techniques fit their environment and answer their needs for protecting both programs and data. It will take some effort to put procedures in place, but the benefits make such efforts worthwhile.



Illinois Periodicals Online (IPO) is a digital imaging project at the Northern Illinois University Libraries funded by the Illinois State Library