Background
StellenTEK (the company) specializes in providing healthcare services and encouraging healthy living by connecting health managers to clients through a proprietary software. The company made waves in the healthcare sector as an IT start-up six years ago and has grown significantly. Recently, the company began selling high-end healthcare products as an additional way to support its clientele.
The company is managed by young entrepreneurs and co-founders, Luca Stellen and Blaire Alden. Luca and Blaire met while working at the student newspaper at their alma mater, Stanford University. Luca graduated with a PhD in computer science. Blaire studied medicine and completed her MD/PhD in biomedical informatics. Shortly after graduating, they combined their love of technology and health to launch StellenTEK, named after Luca's grandfather who encouraged Luca to pursue his dream of earning a PhD.
Luca and Blaire started the company on a shoestring budget. They quickly realized the need for a partner with a business background to help manage the process of raising funds through venture capital investments. They hired Blaire's childhood friend, Caroline Anderson. Caroline and Blaire grew up together in a suburb of Washington, DC. Caroline obtained her MBA at the Wharton School at the University of Pennsylvania.
As StellenTEK expanded, Luca and Blaire continued to hire friends they knew and trusted. This created a very warm, inclusive corporate culture and makes StellenTEK a great place to work.
The primary computer system at the company is called Critical. This system tracks health-related and private data for each of StellenTEK's patients. The software is a commercial-off-the-shelf application and the data is stored in an Oracle database on a server. The system is hosted in one location within the company's primary data center within the corporate headquarters in Washington, DC.
The IT audit
Luca and Blaire heard about your team's expertise in IT auditing through their most significant investor. They have requested that you perform an assessment of the IT environment, including relevant controls, to provide process recommendations with a focus on their most important computer system, Critical. This is the company's first IT controls assessment. Your team has been working together for a very short time but brings a variety of skills and expertise to the table. This is a terrific client to add to your portfolio.
To get your team started on this project, the IT staff provided you with a summary of relevant controls and processes.
Process summary
Access control process
When hiring a new employee, no background check is performed. The company views everyone as ethical and honest. Prior to gaining access to the Critical system, an end user will request access via his or her supervisor. The supervisor will then acknowledge to the administration office for Critical that the end user is an authorized user and that the access that he or she is requesting is appropriate. In many cases, no record of the access request or approval is retained and the system does not record the date when access was granted.
After the initial system access is granted, all further access requests are made directly between the end user and the administration office for Critical. When an employee no longer works for StellenTEK, his or her system access is deactivated.
Process flow
Members of the sales team have end-user access to the Critical system. This enables them to enter data in the Critical system daily to capture the items sold to their specific customers. Sales managers are granted access as power-users and can enter data into the system for all customers. All members of the sales team receive quarterly bonuses based on the number of new customer accounts they create. When a new customer is created, the system automatically scans the other customer names looking for duplicates. If no duplicates are found, the account is marked "new."
In addition to connecting healthcare managers with their clients, StellenTEK also sells an exclusive line of health supplements. The system tracks the amount and location of each product sold. Every day, the inventory is replenished as necessary. There is a separation of duties between various departments. A summary of the products sold and the location is available every day using the corporate data warehouse. Some managers prefer to see their results in a paper report.
Configuration management process
Requests for software changes are made in the Rational ticketing tracker, which establishes a workflow for change approvers. All changes must be tracked in the Rational ticket tracker. Changes must be approved by the Change Manager (CM) prior to being assigned to a software developer.
After development, changes are reviewed by the Change Control Board (CCB), which meets on a weekly basis, prior to being approved for production. As a note, all software testing is performed in the testing environment and then moved into the development environment. Testing is completed by comparing the software's functionality to the requirements. The Quality Assurance (QA) team allocates its time testing updates based on which updates are determined to be significant.
After approval, the new version of the software is moved into the Production environment and end users can use the new software. During the CCB meeting, the change and the testing results are reviewed for the security impact and for the impact on the other systems. Changes must be approved by the CCB prior to implementation into production. This process requires a lot of coordination and takes some time. StellenTEK is in the IT business, so software updates cannot be delayed. The CCB review and approval process is sometimes skipped if the project is running behind.
This simulation is a work of fiction. Any names of persons, companies, events or incidents, are fictitious. Any resemblance to actual persons, living or dead, companies or actual events is purely coincidental.
Contingency planning process
Data in the Critical system is replicated every Wednesday from the primary processing site in Washington, DC to an alternate processing site in Omaha, Nebraska on a near real-time basis. The server room is open to all employees to enable easy coverage for the IT team, should someone be out of the office. Critical has a security categorization of High, a recovery time objective (RTO) of six hours and a recovery point objective (RPO) of one hour. There is a policy that requires that functional tests be performed at least every other year for systems with high security categorizations. Company management has not performed a functional exercise in five years due to resource limitations. The security manager and program manager performed a test five years ago when they reviewed the contact information in the Information System Contingency Plan.
Please respond to the following questions
1. Identify the controls in place and describe how you would test whether the controls are operating effectively. Also identify the documentation you would need from the client to test each control.
2. Identify and describe the control weaknesses, and for each weakness document the condition, criteria and effect of the weakness.
3. Provide an overall observation about the risks presented by the IT controls.
Ans 1: The controls in place at StellenTEK:
1. Access control system - to gain access to the Critical system, an end user will request access via his or her supervisor. The supervisor will then acknowledge to the administration office for Critical that the end user is an authorized user and that the access that he or she is requesting is appropriate.
# Documentation required from client to test this control - no documentation required; we will just check whether a new user is able to access without permission.
2. Changes are to be approved by the Change Manager (CM) prior to being assigned to a software developer. After development, changes are reviewed by the Change Control Board (CCB), which meets on a weekly basis, prior to being approved for production.
# Documentation required from client to test this control - records from CCB.
3. All software testing is performed in the testing environment and then moved into the development environment.
# Documentation required from client to test this control - records from the Development section.
4. Approval by the Quality Assurance team before the software version is moved to Production.
# Documentation required from client to test this control - records from Production, for each new software version developed.
5. Changes have to be approved by the CCB prior to implementation into production.
# Documentation required from client to test this control - records from CCB.
# How we will test whether the controls are operating effectively - we will check it by observing the documentation records made for that particular person or process.
Ans 2: Control weaknesses, condition, criteria and effect of the weakness.
Condition-if the project is running behind.
Effect of the Weakness-it may affect the quality of the software.
Condition-to enable easy coverage for the IT team.
Effect of the Weakness-Security threats to system & Data.
Condition-due to resource limitations.
Effect of the Weakness-it will not be easy to calculate Productivity.
Ans 3: Overall observation about risks presented by IT controls: the company doesn't have a secure system for access control and must be careful in providing access control to all new inductees. The Change Control Board (CCB), which meets on a weekly basis, should meet more frequently to make the change approval process faster and to ensure nothing is left without approval.
All software must be tested and a record maintenance practice should be followed to minimize the risk of software failure. The CCB review and approval process is sometimes skipped if the project is running behind; this may lead to the risk of producing inferior quality software and loss of money and consumer credibility.