Protecting Data Integrity
Introduction
Information Security is not only about keeping information private. It also ensures data integrity, meaning the information stored in your IT and cloud systems is an accurate representation of the knowledge it contains, and that it is protected from accidental or malicious corruption.
Integrity is one of the more challenging aspects of information security to manage, because the effects of a compromise may be difficult to detect and reverse. Integrity and availability are typically compromised in the same manner: application error, hardware failure, human error, or malice. If a server goes offline, an application crashes, or a folder full of files is deleted, the availability failure is generally noticed right away, and recovery is usually straightforward. But integrity failures may not be discovered until days, weeks, or years later, and only if someone goes looking for them. And recovery, if it's even possible, may require a tremendous amount of investigation and analysis.
Examples of Integrity Failures
Here is a brief list of some ways in which data integrity can be compromised:
- A desktop customer management application displays one customer's information on the screen, but orders entered by your salesmen are linked to another customer due to an indexing problem within the software.
- Someone pulls up an old copy of a massive spreadsheet he's collaborating on with a co-worker, spends hours entering information and editing formulas, and saves it. The other user opens a different copy and makes her own edits. Eventually, the two workers realize what happened. However, neither kept their source information organized, or kept notes on what formulas they changed and why, so they have no way to reconcile their work, and the spreadsheet is considered a total loss.
- You intended to have mirrored virtual database servers on your customer-facing cloud-based ordering application, but your system was misconfigured, and no one in management was made aware of this. One day, the primary database server crashes and the backup takes over as expected. But, of the orders placed by your customers in the ten minutes prior, only the order number was duplicated to the backup server, and the details of the orders were lost. Your application continues to run as if the purchases are ready for fulfillment, but the pick tickets transmitted to your warehouse all have an empty list of products.
- Your bookkeeper enters expense information from paper records into your accounting system. Another bookkeeper later finds scans of these, and enters them again. Your books don't balance.
- Your accounts payable administrator enters invoices from a fake company he set up, then finds a flaw in the system that enables him to show them as approved when they never were, allowing him to pay the invoices by ACH transfer into a bank account he controls.
Integrity problems can, as you can see from the last two examples, have little or nothing to do with the technology, highlighting why information security is the province of management, not your IT department.
Preventing Integrity Problems
The above list illustrates that proper operational procedures and IT system design are important aspects of preventing integrity violations. In regard to developing such procedures and design, here are some factors of your applications and operations to consider, and how they impact the manner in which integrity is assured:
- Volume: For applications that are handled by one or a few people, integrity is best checked through manual review. But a similar application in which a dozen, hundreds, or thousands of users can log in and enter data will need an auditing procedure, including technological controls, to prevent errors.
- Significance of the business process handled by the application: If applications are readily available through which users can initiate large transactions (such as paying invoices, initiating financial transactions, or generating purchase orders), or if there are complex calculations done for analysis of past results, job cost estimating, or forecasting of operations or finance, then stricter procedures and controls will be necessary, such as a manager approval and/or review process to ensure accuracy prior to entry, or separate scheduled reconciliation reports that require sign-off by the CFO.
- How separate database systems share information: For example, if your ordering system directly updates the general ledger, you will manage integrity checking differently than if it exports its data to be entered into your general ledger later.
Although primarily concerned with preventing theft, fraud prevention procedures also serve to protect data integrity. Effective procedures to forestall fraud include job rotation and separation of duties—that is, not allowing a single person to have end-to-end control over significant transactions.
In addition to procedural controls, of course, there are technology solutions, such as:
- Continuous Transaction Monitoring (CTM), which is software that integrates with your ERP or accounting systems, and performs timely analysis on transactions to detect fraud or errors. A sufficiently sophisticated CTM application can identify patterns in seemingly unrelated activities to uncover errors or theft. It can provide additional benefits unrelated to integrity, such as identifying purchasing agents who overspend, by, for example, finding the same items being purchased by other managers for less. More basic CTM can be simply configured to send alerts on given types of transactions over a specified amount.
- Bar-coding or an RFID system in a warehouse to ensure integrity in inventory.
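The basic form of CTM described above, sketched as an added example (it is not code from any CTM product or from this article's author). It applies three rules to a constructed ledger: an alert on amounts over a specified limit, a check for the same invoice entered twice, and a separation-of-duties check on approvals. The field names, the sample rows, and the 10,000 limit are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger rows (not real data). Field names are assumptions.
TRANSACTIONS = [
    {"id": 1, "vendor": "Acme Supply", "invoice": "INV-1001", "amount": Decimal("480.00"),
     "entered_by": "alice", "approved_by": "carol"},
    {"id": 2, "vendor": "Acme Supply", "invoice": "INV-1001", "amount": Decimal("480.00"),
     "entered_by": "bob", "approved_by": "carol"},      # same invoice keyed twice
    {"id": 3, "vendor": "Northwind LLC", "invoice": "NW-77", "amount": Decimal("12500.00"),
     "entered_by": "dave", "approved_by": "dave"},      # self-approved, over limit
    {"id": 4, "vendor": "Northwind LLC", "invoice": "NW-78", "amount": Decimal("900.00"),
     "entered_by": "dave", "approved_by": None},        # no approval recorded
    {"id": 5, "vendor": "Globex", "invoice": "G-5", "amount": Decimal("310.25"),
     "entered_by": "alice", "approved_by": "carol"},
]

ALERT_THRESHOLD = Decimal("10000.00")  # hypothetical policy limit


def monitor(transactions, threshold=ALERT_THRESHOLD):
    """Return a sorted list of (transaction id, rule name) alerts."""
    alerts = []
    seen = defaultdict(list)  # (vendor, invoice, amount) -> ids already entered
    for t in transactions:
        # Normalize case and whitespace so trivially different re-entries still match.
        key = (t["vendor"].strip().lower(), t["invoice"].strip().upper(), t["amount"])
        if seen[key]:
            alerts.append((t["id"], "duplicate_entry"))
        seen[key].append(t["id"])
        if t["amount"] > threshold:
            alerts.append((t["id"], "over_threshold"))
        # Separation of duties: an approver must exist and differ from the enterer.
        if not t["approved_by"]:
            alerts.append((t["id"], "missing_approval"))
        elif t["approved_by"] == t["entered_by"]:
            alerts.append((t["id"], "self_approved"))
    return sorted(alerts)


if __name__ == "__main__":
    for txn_id, rule in monitor(TRANSACTIONS):
        print(f"transaction {txn_id}: {rule}")
```

Rules like these only flag records for review; deciding whether a flagged entry is an error or fraud remains a procedural step.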
Epilogue
As with all aspects of Information Security, but particularly because of its greater reliance on administrative and procedural controls, ensuring the integrity of your information assets is best managed by establishing an Information Security program.
To get started, contact J.D. Fox Exec today.