Case Question for Internal Control
MailMed Inc. (MMI), a pharmaceutical firm, provides discounted prescription drugs through direct mail. MMI has a small systems staff that designs and writes MMI's customized software. Until recently, MMI's transaction data were transmitted to a service bureau for processing on its hardware.
MMI has experienced significant sales growth as the cost of prescription drugs has increased and medical insurance companies have been tightening reimbursements in order to restrain premium cost increases. As a result of these increased sales, MMI has purchased its own computer hardware. The computer center is installed on the ground floor of its two-story headquarters building. It is behind large plate glass windows so that the state-of-the-art computer center can be displayed as a measure of the company's success and attract customer and investor attention. The computer area is equipped with halon gas fire suppression equipment and an uninterruptible power supply system.
MMI has hired a small computer operations staff to operate this computer center. To handle MMI's current level of business, the operations staff is on a two-shift schedule, five days per week. MMI's systems and programming staff, now located in the same building, has access to the computer center and can test new programs and program changes when the operations staff is not available. As the systems and programming staff is small and the work demands have increased, systems and programming documentation is developed only when time is available.
Periodically, but not on a scheduled basis, MMI backs up its programs and data files, storing them at an off-site location.
Unfortunately, due to several days of heavy rains, MMI's building recently experienced serious flooding which reached several feet into the first floor and affected not only the computer hardware but also the data and program files that were on site.
a. Describe at least four computer security weaknesses that existed at MailMed Inc. prior to the flood occurrence.
b. Describe at least five components that should be incorporated in a formal disaster recovery plan in order that MailMed Inc. can become operational within 72 hours after a disaster affects its computer operations capability.
c. Identify at least three factors, other than the plan itself, that MailMed Inc. should consider in formulating a formal disaster recovery plan.
(Source--CMA EXAM)
Answer for question 1
a. Describe at least four computer security weaknesses that existed at MailMed Inc. prior to the flood occurrence.
1. Files are backed up periodically, not on a scheduled basis.
2. The computer center is on the ground floor, behind glass - not secure.
3. Systems and programming staff has access to the computer center when operations staff is not available. Programmers should not be able to modify the "live" production environment and should not be unsupervised.
4. Documentation is inadequate - systems documentation is developed only when time is available.
b. Describe at least five components that should be incorporated in a formal disaster recovery plan in order that MailMed Inc. can become operational within 72 hours after a disaster affects its computer operations capability.
1. Contact List: Names and telephone numbers of operations manager, programming staff, building maintenance manager and key personnel (disaster and recovery team).
2. Offsite storage: Facility used for data backups. Authorization for several disaster recovery team members to pick up backups.
3. Detailed backup strategy: Should include daily, weekly, and month-end backups, stored offsite.
4. Select a "hot site": Another computer facility that can be used in an emergency.
5. Test: Both the hot site and data restoration on the existing computer, on a regular basis.
6. Signed contracts and authorizations so that key disaster recovery team members can deal with computer vendors and suppliers for replacement hardware or supplies.
7. Procedures for reinstating files, rerunning programs, and recalling contaminated output.
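Three of the points above (weakness a.1, the scheduled daily/weekly/month-end backup strategy in b.3, and the regular restoration test in b.5) describe a procedure rather than a policy, so here is one way it could be scripted. This is an added illustration, not part of the CMA case or its answer key: it classifies each backup into a retention tier from its date, writes the archive to a local directory and to an "off-site" destination (a second directory standing in for a remote vault), records a digest of each archive, and then proves the off-site copy is usable by restoring it into a scratch directory and comparing it with the live data. All paths, file names and the sample record are hypothetical; the tools used (`tar`, `cp`, `diff`, `mktemp`, `cut`, and `sha256sum` with `cksum` as a fallback) are standard on a POSIX system.

```shell
#!/bin/sh
# Added example: tiered backup rotation with an off-site copy and a restore test.
# Not from the CMA case; every path here is hypothetical.

# Number of days in month $2 of year $1, including the leap-year rule.
month_days() {
    case $2 in
        1|3|5|7|8|10|12) echo 31 ;;
        4|6|9|11) echo 30 ;;
        2) if [ $(($1 % 4)) -eq 0 ] && { [ $(($1 % 100)) -ne 0 ] || [ $(($1 % 400)) -eq 0 ]; }
           then echo 29; else echo 28; fi ;;
    esac
}

# Day of week (0 = Sunday) for year $1, month $2, day $3 by Sakamoto's method.
# Pure shell arithmetic, so it does not depend on GNU-specific `date -d`.
day_of_week() {
    y=$1
    case $2 in
        1) t=0 ;; 2) t=3 ;; 3) t=2 ;; 4) t=5 ;;  5) t=0 ;;  6) t=3 ;;
        7) t=5 ;; 8) t=1 ;; 9) t=4 ;; 10) t=6 ;; 11) t=2 ;; 12) t=4 ;;
    esac
    if [ "$2" -lt 3 ]; then y=$((y - 1)); fi
    echo $(( (y + y / 4 - y / 100 + y / 400 + t + $3) % 7 ))
}

# Retention tier for a backup taken on YYYY-MM-DD: the last day of the month is
# the month-end set, a Sunday is the weekly set, every other day is daily.
backup_tier() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}      # strip leading zeros so 08/09 are not read as octal
    if [ "$d" -eq "$(month_days "$y" "$m")" ]; then
        echo monthend
    elif [ "$(day_of_week "$y" "$m" "$d")" -eq 0 ]; then
        echo weekly
    else
        echo daily
    fi
}

# Digest of a file: sha256sum where available, POSIX cksum otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# run_backup SRC LOCAL_DIR OFFSITE_DIR YYYY-MM-DD
# Archives SRC, keeps one copy locally and one off-site together with its digest,
# and prints the archive name. Date-first names sort chronologically with `ls`.
run_backup() {
    tier=$(backup_tier "$4")
    name="backup-$4-$tier.tar"
    mkdir -p "$2" "$3"
    tar -cf "$2/$name" -C "$1" .          # relative paths only
    digest=$(file_digest "$2/$name")
    cp "$2/$name" "$3/$name"
    printf '%s  %s\n' "$digest" "$name" > "$3/$name.digest"
    echo "$name"
}

# verify_restore OFFSITE_DIR NAME SRC
# The restoration test: the off-site copy must match its recorded digest, and a
# restore into a scratch directory must reproduce SRC exactly. Returns 0 only then.
verify_restore() {
    archive="$1/$2"
    expected=$(cut -d' ' -f1 "$archive.digest")
    actual=$(file_digest "$archive")
    if [ "$expected" != "$actual" ]; then
        echo "digest mismatch: $2 is truncated, corrupt or altered" >&2
        return 1
    fi
    scratch=$(mktemp -d)
    tar -xf "$archive" -C "$scratch"
    if diff -r "$3" "$scratch" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Stand-alone demonstration on constructed sample data: sh backup.sh demo
demo() {
    src=$(mktemp -d); local_dir=$(mktemp -d); offsite=$(mktemp -d)
    printf 'rx 1001 drug-A qty 30\n' > "$src/orders.dat"   # constructed record
    today=$(date +%Y-%m-%d)
    archive_name=$(run_backup "$src" "$local_dir" "$offsite" "$today")
    if verify_restore "$offsite" "$archive_name" "$src"; then
        echo "$archive_name: off-site copy verified restorable"
    else
        echo "$archive_name: RESTORE TEST FAILED" >&2
    fi
    rm -rf "$src" "$local_dir" "$offsite"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run from a scheduler (cron or equivalent) once per day and the rotation takes care of itself; the point of `verify_restore` is that a backup whose restore has never been exercised is not yet a control, and a digest recorded beside the off-site copy lets the recovery team detect a damaged or altered copy before they depend on it.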
c. Identify at least three factors, other than the plan itself, that MailMed Inc. should consider in formulating a formal disaster recovery plan.
1. Selecting the proper team within the company.
2. Proper computer room design and layout.
3. Preventative maintenance program.
4. Implementing proper security measures: such as scheduled backups, locked computer room, limited access to computer room, program change control procedures (so the live system cannot be changed until properly tested), etc.