Info Tech

Uploaded by

Selenophile Moon

3. Physical Security

Avatar Financials, Inc., located on Madison Avenue, New York City, is a company that
provides financial advice to individuals and small to mid-sized businesses. Its primary
operations are in wealth management and financial advice. Each client has an account where
basic personal information is stored on a server within the main office in New York City. The
company also keeps the information about the amount of investment of each client on a
separate server at its data center in Bethlehem, Pennsylvania. This information includes the
total value of the portfolio, type of investments made, the income structure of each client, and
associated tax liabilities.
In the last few years, larger commercial banks have started providing such services and
are competing for the same set of customers. Avatar, which prides itself in personal consumer
relations, is now trying to set up additional services to keep its current customers. It has recently
upgraded its Web site, which formerly only allowed clients to update their personal information.
Now clients can access information about their investments, income, and tax liabilities that is
stored at the data center in Pennsylvania. As a result of previous dealings, Avatar has been
given free use of the computer room of an older production plant. The company believes
that this location is secure enough to keep the data safe from physical intruders.
The servers are housed in a room that the production plant used to house its legacy
system. The room has detectors for smoke and associated sprinklers. It is enclosed, with no
windows, and has specialized temperature-controlled air ducts. Management has recently
started looking at other alternatives to house the server as the plant is going to be shut down.
Management has major concerns about the secrecy of the location and the associated
measures. It wants to incorporate newer methods of physical data protection. The company’s
auditors have also expressed a concern that some of the measures at the current location are
inadequate and that newer alternatives should be found.

Required:
1. Why are the auditors of Avatar stressing the need to have a better physical
environment for the server? If Avatar has proper software controls in place, would that
not be enough to secure the information?
The auditors of Avatar Financials, Inc. stress the need for a better physical environment for
the server for several reasons. Software controls, even when properly implemented, cannot be
relied on alone, because they can be bypassed by physical intrusion. Anyone with direct
physical access to the server can tamper with, disable, or remove the software safeguards, with
serious consequences for both the data and the hardware.
Furthermore, the server's current location in an older production plant may lack up-to-date
environmental controls such as fire suppression and temperature regulation, which are
essential to the integrity of the hardware and the stability of operations. Modern security
standards and legal compliance requirements may also call for physical safeguards that a plant
facility typically does not provide. As the plant is shut down, its security infrastructure is likely
to decline, making it easier for unauthorized individuals to gain access and endanger the
environment. Moving to a facility with better security and compliance standards is the only way
to prevent data leaks and guarantee the security of the server area.

2. Name the six essential control features that contribute directly to the security of the
computer server environment.

A secure server environment depends on several control features. Physical access control
is one of the most important: keycards, biometric scanners, and physically secure locks are
effective at preventing unauthorized people from entering the server room. These measures
keep intruders away from the equipment and so protect the reliability of the hardware. In
addition, fixed surveillance systems such as video cameras monitor activity in and around the
server room. Surveillance not only deters would-be intruders but also provides a record from
which any incursion that does occur can be detected and later investigated.

Environmental controls are also required for the efficient functioning and longevity of the
server. Climate control systems regulate temperature and humidity so that the hardware
neither overheats nor is damaged by moisture. Fire protection takes the form of fire
suppression systems, which limit the effects of a fire on the building, and smoke detectors,
which alert the occupants in the event of a fire. Water detection systems warn of flooding so
that water damage can be prevented. Lastly, backup power systems, including UPS units,
emergency backup power, and generators, keep the power running even when the main supply
fails. Together these features counter the physical and environmental risks most likely to affect
the server.

4. Disaster Recovery Plans

The headquarters of Hill Crest Corporation, a private company with $15.5 million in
annual sales, is located in California. Hill Crest provides for its 150 clients an online legal
software service that includes data storage and administrative activities for law offices. The
company has grown rapidly since its inception 3 years ago, and its data processing department
has expanded to accommodate this growth. Because Hill Crest’s president and sales personnel
spend a great deal of time out of the office soliciting new clients, the planning of the IT facilities
has been left to the data processing professionals. Hill Crest recently moved its headquarters
into a remodeled warehouse on the outskirts of the city. While remodeling the warehouse, the
architects retained much of the original structure, including the wooden-shingled exterior and
exposed wooden beams throughout the interior. The minicomputer distributive processing
hardware is situated in a large open area with high ceilings and skylights. The openness makes
the data processing area accessible to the rest of the staff and encourages a team approach to
problem solving. Before occupying the new facility, city inspectors declared the building safe;
that is, it had adequate fire extinguishers, sufficient exits, and so on. In an effort to provide
further protection for its large database of client information, Hill Crest instituted a tape backup
procedure that automatically backs up the database every Sunday evening, avoiding
interruption in the daily operations and procedures.
All tapes are then labeled and carefully stored on shelves reserved for this purpose in
the data processing department. The departmental operator’s manual has instructions on how
to use these tapes to restore the database, should the need arise. A list of home phone
numbers of the individuals in the data processing department is available in case of an
emergency. Hill Crest has recently increased its liability insurance for data loss from $50,000 to
$100,000. This past Saturday, the Hill Crest headquarters building was completely ruined by
fire, and the company must now inform its clients that all of their information has been
destroyed.

Required:
a. Describe the computer security weaknesses present at Hill Crest Corporation that
made it possible for a disastrous data loss.

As the fire showed, Hill Crest Corporation had weak computer security, which led to the loss
of a great amount of data. One of the most significant weaknesses was the building itself. The
new headquarters, a refurbished warehouse with exposed wooden beams and skylights, had
no effective fire suppression. Fire extinguishers and exits provided basic safety, but the
underlying fire risk of the structure was not managed at all. Because the building was
constructed from flammable material, a fire could spread easily and destroy the facility and
everything inside it.
Furthermore, the company lacked a proper data backup policy for such events. Backup tapes
were taken on a schedule, but they were stored alongside the primary data-processing
equipment. This practice is the main reason that when the building was destroyed, both the
primary data and the backups were lost. There was also no off-site backup storage and no
credible disaster recovery plan that could have helped the company recover the lost
information. These weaknesses are a reminder that physical security and a reliable backup
solution are both integral to an overall data protection strategy.

b. List the components that should have been included in the disaster recovery plan at
Hill Crest Corporation to ensure computer recovery within 72 hours.

1. Off-Site Backup Storage. Store backup data at a geographically distant location on
encrypted storage media to protect against data loss.
2. Disaster Recovery Site. Establish a recovery site with essential facilities and infrastructure
to continue business operations if the main site is inaccessible.
3. Periodic Simulation and Testing. Regularly conduct drills and simulations to test and refine
the recovery procedures and assess readiness.
4. Detailed Recovery Procedures. Document comprehensive recovery steps, including roles,
responsibilities, and recovery time objectives.
5. Emergency Contact List. Maintain an updated list of key contacts and define
communication procedures for efficient coordination during a disaster.
6. Coverage for Data Loss and Recovery Costs. Ensure adequate insurance and budget for
potential data loss and recovery expenses to mitigate financial impact.

c. What factors, other than those included in the plan itself, should a company consider
when formulating a disaster recovery plan?

When a disaster recovery plan is being developed, several factors outside the plan itself need
to be considered. These include the extent of physical security and protective measures such
as fire protection, and the construction materials, which affect the resilience of the
infrastructure. It is also critical to review the effectiveness of the backup processes: how
frequently backups are taken, how reliable they are, and whether the backup media would
survive a disaster. Furthermore, the plan must be tested and updated periodically to account
for new threats and new tools. Staff need to be trained regularly, and there should be a way for
the company to communicate with clients and other parties in the event of a disaster.

11. Internal Control Responsibility for Outsourced IT

Explain why managers who outsource their IT function may or may not also outsource
responsibility for IT controls. What options are open to auditors regarding expressing an
opinion on the adequacy of internal controls?

Managers who outsource their IT function continue to be responsible for the IT controls that
protect it. Although the controls may be established and operated by the service provider,
management remains accountable and must ensure and monitor that the required control
standards are being met and incorporated into the organization's operations. This involves
monitoring the service provider to confirm that the agreed control measures are being
implemented as planned. Auditors, in turn, have several ways to assess the reliability of the
internal controls. They may review documentation of the service provider's control procedures,
or they may test the controls as actually implemented and examine how the company manages
the outsourcing relationship. These methods help to ensure that, even under outsourcing, the
internal control environment remains robust and effective.
