SYSTEM INTERFACES
A system is a set of elements, including hardware and software, that work together to run one or more computer
SYSTEM INTERFACES exist where data output from one application is sent as input to another, with little or no human interaction.
Interfaces that involve humans are usually called user interfaces.
System interfaces provide the ability to transfer data even if the systems use different programming languages or were created by different developers.
This offers organizations a greater level of flexibility to choose the applications that best serve different areas, even if those areas need to share data.
RISK ASSOCIATED WITH SYSTEM INTERFACES
Data transfers through system interfaces can be sorted into three categories:
• system-to-system
• partner-to-partner
• person-to-person
System-to-system interfaces occur when data is transferred between two systems, whether internal or external.
Data may also be transferred to specialized tools for analysis.
These uses have increased in part because of the growing popularity of business analytics, which involves transferring data from a repository to an analytic tool to obtain intelligence and insights via data mining.
A partner-to-partner interface occurs when two partners are continuously transferring data back and forth across agreed-upon systems.
Person-to-person transfers are the most unnoticed and unmanaged.
They can be as easy as attaching a data file to an email and sending it.
These forms of transfer tend to be more difficult to observe, manage, secure and control.
Organizations are focusing on ensuring that there is a centralized methodology for tracking and managing system interfaces and that there are documentation and audit trails for relevant government regulations.
Unmanaged interfaces can add to the risk regarding data security, privacy and error.
It is critical that organizations are able to rely on the integrity of the data exchanged through system interfaces.
If an interface is not functioning correctly, one possible consequence is that incorrect management reports (e.g., research, financial, intelligence, performance and competitive) have a significant negative impact on a business and decision-making.
CONTROLS ASSOCIATED WITH SYSTEM INTERFACES
The IS auditor should ensure that the organization has a program that tracks and manages all system interfaces and data transfers, whether internal or external, in line with the business needs and goals.
This includes the ability to see all the transfers made, including those that are ad hoc, whether the organization is using a commercial or custom managed file transfer (MFT) system.
IS auditors should ensure that the program is able to:
• Manage multiple file transfer mechanisms.
• Use multiple protocols.
• Automatically encrypt, decrypt and electronically sign data files.
• Compress/decompress data files.
• Connect to common database servers.
• Send and retrieve files via email and secure email.
• Automatically schedule regular data transfers.
• Analyze, track and report any attributes of the data being transferred.
• Ensure compliance with appropriate regulatory laws and mandates.
• Offer a checkpoint or restart capability for interruptions.
• Integrate with back-office applications to automate data transfers as much as feasible.
Controls need to be implemented with the objective of ensuring that the data residing on the sending system are precisely the same data that are recorded on the receiving system.
IS auditors should also ascertain if the organization is using encryption, as appropriate for each use, to protect data during the transfer.
The transfer process may require strong access and authentication controls, and the data files might be password-protected.
Encryption is necessary when the risk of unauthorized access or interception is relatively high.
There should be a control over nonrepudiation, which ensures that the intended recipient is the actual recipient of the data.
To ensure that an audit trail is associated with the system interface, the organization needs to capture important information, including:
• who sent the data,
• when they were sent,
• when they were received,
• what data structure (e.g., xls, csv, txt or xml) was used,
• how the data were sent,
• and who received the data.
This includes assessing automated logs of servers along the path, especially if the data are transmitted to an external system where they touch multiple Internet hosts.
Beyond an effect on business value, even a small error can invoke potential legal compliance liability.
Intended recipient = actual recipient