TECHNOLOGY GOVERNANCE: HOW YOUR COMPUTER NETWORK CAN SUPPORT OVERALL BAND GOVERNANCE

R. Grant Rowson CISA,CGA
March 2010

In celebrating its tenth anniversary, AFOA can be proud of many accomplishments. One of those accomplishments is fostering the notion of improved governance within aboriginal public sector organizations. Two of the goals of good governance are to have an agency or First Nations band’s governing council provide oversight to the staff of the organization and to give that staff mandates to carry out the directives of the governing council.

Besides this oversight, there are many other subtle aspects of governance that can affect chiefs, First Nations Councils, boards of directors (and their chairs), band managers, executive directors, and others involved in the management of organizations. Some of these other – often unwritten – governance issues are:


  • Protection of confidential information: What would happen to the reputation of the agency and its governing board if someone got hold of sensitive or personal information of a band member?
  • Integrity of information: Is there any way that someone could alter information (financial or otherwise) that’s to be presented to the council?
  • Accountability: How can council determine who had access to information or who instigated a change?

Many boards of directors or governing councils do have policies in place to handle the above and other issues. However, many organizations seldom check to see if these policies extend into the realm of their computer networks. Let’s look at an example:

In the “good old days,” the band’s payroll records were kept in a locked filing cabinet. Only the payroll clerk and the band manager had a key to the cabinet. Payroll records were taken out of the cabinet during payroll processing, and were returned promptly upon completion of the payroll cycle. Chief and Council could be reasonably sure that the private information of any band employee was maintained.

In the modern office, the payroll records are now moved to a computer payroll software program, where both the employee data and the program files reside on the band office’s network file server. The payroll clerk has had training in the use of the software, and both the clerk and the band manager have passwords for the program. The example is now parallel to the old paper-based system – or certainly at first glance. We’ll now see how some things could go awry with this situation.

Application-level security: The user passwords act the same as the old filing cabinet keys. Essentially, only the payroll clerk and the band manager have access to the payroll information. The complication: If either of these people shares their password with others, then those other people now have access to the payroll data. Essentially, it would be the same as making a copy of the filing cabinet key and handing it to other people. If the board has a policy that payroll information should only be accessible to the band manager and the payroll clerk, then the sharing of the passwords is now in contravention of that board policy.

Running a bit further with this, what if the manager and clerk use the SAME password for all of their computer logins (a common practice with many people)? That’s the same as having one master key for every filing cabinet – what kind of good security/protection of information is that?

Data-level security: Per above, most program password systems control access to the data from the program interface. But what about access directly to the data itself? The computer industry tends to use generic database products – Microsoft Access, Microsoft SQL, Sun/Oracle’s MySQL, Pervasive, to name a few.


With generic databases comes a lot of generic knowledge among database programmers. And some of those programmers make money selling administrative tools for managing the database, including PASSWORD tools. For example, for several years, Simply Accounting by Sage used the Microsoft Access database (as did/do other accounting and band management products). Ten minutes (or less) of searching on the Internet will give you access to all kinds of password cracking tools, generally in the $100 price range. With a credit card number handy, you could own such a tool yourself and be merrily hacking into any MS-Access database within a few minutes. Such tools would bypass all of the application-level security mentioned in the first section above, and pretty much give you access to any information stored within the accounting system, either directly through the interface (with the revealed password) or through the actual MS-Access database program itself (if you know what you’re doing). Prevention? Well, you can’t stop people from purchasing these tools, but you can make sure the data isn’t stored in any public folder on the network. If the bad guys can’t get to the data itself, then it’s pretty hard for them to crack it.

Network-level security: Building on the previous point, your network administrators should establish “zones” on the network data drives where only certain groups of people have access to certain data. Out of the box, most networks are like any other computer – one big hard drive that anyone can use. By creating security groups and linking these groups to the proper folders, administrators can ensure that only the right people will have access to the proper information.

“This information is Top-Secret”: We’ve all seen spy movies, and get the gist that this type of information must be very important and that only a select group of people should have access to it. All organizations have varying degrees of information classifications – stuff that’s public knowledge, things that are sensitive, and things that would cause great harm to someone or something if it became known too soon.


Band council experiences these situations, and will often have “in-camera” meetings where the proceedings cannot be made public at the given point in time. Though in camera/private, councils, sub-committees, task forces, etc. all produce some reports or meeting minutes. Where are those reports stored? Are they in Word documents saved in public places on the network? Are they kept on somebody’s laptop computer (that could be easily lost)? Worse, are they kept on one of those popular little USB memory sticks/drives? Before your network administrators can do all of the security group planning mentioned in the previous point, council/management has to determine some form of information classification scheme and how it will handle information in each category. From that scheme, the network administrator can then build security and data storage policies to support the board/council’s policy. Without this direction – and many organizations really neglect this step – there’s no way that your computer network can ensure that the council’s private/sensitive information stays out of the wrong hands. Back to our payroll example:

It’s pretty obvious by now that we will go to great lengths to protect the actual payroll software and its data from prying eyes through all kinds of security approaches. What might escape attention, though, is all of the electronic documents (in MS Word, Corel WordPerfect, OpenOffice, etc.) that have employment contract information, memos to/from staff with personal information, or staff performance reviews. These should be categorized with similar sensitivity and should be placed in an appropriately secure area of the network as well. A sample information classification scheme could be as per the chart below.


One person does everything: From an accounting/audit perspective, one of the basic internal controls is the segregation of duties. Essentially, the concept means that in a financial – or in this case managerial – process, an organization could have troubles if one person can entirely handle the process from start to finish. For example, a financial fraud could happen if the accounts payable clerk enters the invoices, prepares the payments, signs the cheques, releases the cheques, and then performs the bank reconciliations once the cheques clear. Essentially, no other set of eyes could detect if an unauthorized disbursement was inserted. To deal with this situation, we can introduce a control by separating some of the duties. One option would be to have a different person review the actual cheques/invoices and approve them for release.

In the computer network, we have examples of the same problem. The finance manager controls the usernames and passwords for the accounting staff. Some of the accounting staff also work in the payroll system, where the human resources manager controls usernames and passwords. If we make the assumption that many users would use the same username/password (for convenience) on both systems, we can now observe that the finance manager could gain access to the payroll system – or the HR manager access to the finance system. Segregation of duties would have “failed” on the network. This isn’t the only type of example: Anyone who can access and change the data of someone else in the process essentially demonstrates the network/computer equivalent of a breach of segregation.


Protection of the network infrastructure: Besides all of the information-specific items mentioned already, the whole network needs some basic protection. The council’s overall objectives for the band/organization would be undermined if outsiders could access the network, tie up Internet bandwidth, or hijack servers for other purposes (on-line gambling and pornography sites, to name a few). The organization would lose considerable respect, if not be challenged by the public to which it is accountable, if it were caught being unwittingly involved in such a situation. Therefore, network administrators need to ensure that they have proper equipment to help prevent unwanted access and hijacking of resources.


  • Hardware firewall: a device that specifically controls access to/from the network
  • Intrusion detection: a device that specifically tries to determine if someone is attempting or has succeeded in gaining unauthorized access to your network.
  • Antivirus: hardware or software that specifically scans for malevolent software (“malware”) aimed at compromising users’ computers
  • Anti-spyware: hardware or software that specifically tries to prevent malware that focuses on hijacking your computers for inappropriate use or on gaining access to sensitive information.

The server died, where’s the backup tape?: So far, all the points in this discussion have been aimed at the security side of network management. But keeping the best for last, one of the biggest situations where network management can be offside with overall organizational governance is with its whole business continuity management and disaster recovery process. All bands/agencies are entrusted with providing service to band members. The computer network can strengthen or weaken that overall ability to provide service. Let’s look at an example: Assume that a band decides that social assistance payments must happen on time. What would be the technology ramifications of this decree?

The answer: a critical examination of all technology in the context of the policy:

  • If the server malfunctions, what is the plan to get a temporary server working?
      • Can a replacement be swapped in quickly? (And in what time frame, compared to the risk that it would fail when cheque runs are needed?)
      • Do you have to order replacement equipment from outside the community?
      • How quickly can it be delivered?
  • What contingency plan is in place if the server becomes unavailable?
      • Is a “hot/warm” server running elsewhere on the network, with a shadow copy of the database and the social assistance software installed?
  • If the database is damaged/corrupted, what’s the plan to restore a working copy?
      • Can the restore happen quickly?
      • How often should the system be backed up?
      • Where should it be backed up?
      • Tape is good for off-site protection, in case the whole band office is lost in a fire, etc.
      • Tape is NOT GOOD for a quick recovery – meaning the network administrator might want to consider a second backup strategy, likely to a second hard drive.

Overall governance of your information technology practices is important. From the examples given above, one can see that good network administrative management can either support the policies of council or undermine them at any stage. The complexity of your network management should depend upon the risk to the whole organization if the technology fails to reinforce the council/board’s policies and directives.


SAMPLE INFORMATION CLASSIFICATION SCHEME
(Columns of the original chart: Classification, Description, Examples, Possible Network Response)

SECRET
  Description:
  • The most sensitive business information; strictly for use within the band
  • Unauthorized disclosure could seriously and adversely impact the band, members, business partners or future endeavours.
  Examples:
  • Elements of land claim negotiations
  • Natural resources (prospecting, results of core sample testing)
  • Prospective economic development plans
  Possible network response:
  • The “Information Owner” – the person most responsible for administering the information – needs to determine the list of people who are privy to the information
  • Network administrators need to ensure that only those people can have access to the information
  • In some cases, the network people themselves may not have access to the information and need to resort to tools such as data encryption.

CONFIDENTIAL
  Description:
  • Less-sensitive information that is nonetheless intended for use within the band
  • Unauthorized disclosure could adversely impact the band, members or other stakeholders – but to a lesser extent than “Secret”
  Examples:
  • Certain employment contracts, especially personal financial information (except where the information is to be disclosed by law)
  • Employee performance reviews
  • Social assistance files
  • Health records of members
  • Creation of new business ventures and their business plans
  Possible network response:
  • The data owner, again, provides a list of who should have access to the data
  • Network administration needs to ensure that only those users can get to that information
  • Unlike “Secret”, there are usually a greater number of people who would have functional access to this information as part of their daily work practices

PRIVATE
  Description:
  • Personal information that is intended for use within the band
  • Unauthorized disclosure could seriously impact the band and/or its employees
  Examples:
  • Internal operations correspondence and performance measures, and certain routine reports, which may contain some sensitive information
  • Information that ultimately will be disclosed to the public but at this time is incomplete or misleading (such as over-expenditures on a project where payment from cost-sharing arrangements hasn’t yet been received)
  Possible network response:
  • Information of this type should not be readily available on public-facing web sites or network spaces
  • Reasonable attempts to limit unauthorized access should be taken

UNCLASSIFIED
  Description:
  • Applies to all other information that does not fit into any of the above
  • Unauthorized disclosure is against policy but it is not expected to seriously impact the band or members
  Examples:
  • Routine reports
  • Various internal memos
  • General internal correspondence of a routine nature
  Possible network response:
  • Information can be posted in common network spaces
  • Depending on its nature, this information may be published to the public on web sites, etc.
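The “zones” and security groups described under network-level security, applied to the four classifications in the chart above, as an added example that is not from the article or from BDO. It assumes a Windows file server, a hypothetical domain named BAND, a data root of D:\BandData, and that the security groups named below already exist (all of these names are constructed for the example).

```powershell
# Added example (not from the article): map the classification scheme to file-server "zones".
# Assumptions, all hypothetical: Windows file server, domain "BAND", data root D:\BandData,
# and the security groups listed below already exist in Active Directory.
$Root = 'D:\BandData'
$Scheme = [ordered]@{
    'Secret'       = @('BAND\SecretInfoOwners')                # list supplied by the Information Owner
    'Confidential' = @('BAND\Finance', 'BAND\HumanResources')  # functional access for daily work
    'Private'      = @('BAND\BandStaff')                       # staff only, never a public-facing space
    'Unclassified' = @('BAND\Domain Users')                    # the common network space
}
$Inherit = 'ContainerInherit,ObjectInherit'   # rules apply to sub-folders and files

foreach ($Class in $Scheme.Keys) {
    $Path = Join-Path $Root $Class
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    $Acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited entries so rights granted at the drive root
    # (the "one big hard drive anyone can use" default) do not leak into the zone.
    $Acl.SetAccessRuleProtection($true, $false)

    # Administrators keep full control for backups and maintenance. For the Secret zone the chart
    # notes that even network staff may have to be kept out, which needs encryption, not just permissions.
    $Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $Inherit, 'None', 'Allow'))

    foreach ($Group in $Scheme[$Class]) {
        $Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $Group, 'Modify', $Inherit, 'None', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $Acl
}

# Check: report any identity that still has an entry on a zone but is not on the intended list.
# This is the evidence council can ask for when verifying that network policy matches its own.
foreach ($Class in $Scheme.Keys) {
    $Allowed = $Scheme[$Class] + 'BUILTIN\Administrators'
    $Extra = (Get-Acl -Path (Join-Path $Root $Class)).Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value }
    if ($Extra) {
        Write-Warning "$Class zone has unexpected entries: $($Extra.IdentityReference.Value -join ', ')"
    } else {
        Write-Output "$Class zone: access limited to $($Allowed -join ', ')"
    }
}
```

The final loop is the check a reviewer would repeat periodically, since a later "quick fix" that re-enables inheritance or adds an ad-hoc group silently reopens the zone.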


R. Grant Rowson CISA,CGA is an Information Solutions manager within BDO Business Technology Solutions Inc.’s Thunder Bay Office. Grant consults with aboriginal organizations relating to their financial accounting systems, networks, overall information systems, business continuity management, and risk management.

He writes technology articles for CGA Ontario’s Statements magazine and is a frequent contributor to The Bottom Line, Canada’s trade newspaper for the accounting profession.
