Campus units encouraged to consider security controls for applications

Wednesday, August 14, 2013

Some offices, departments, colleges or divisions have Excel spreadsheets or Access databases that are critical to their operations. Is your unit one that has a spreadsheet or database to track clients, customers, students or others who interact with your department/office, and would your operations be affected if that spreadsheet or database were lost?

Faculty or staff members who answered ‘yes’ to either question should consider “End User Application Security Controls,” said Tom York, director of internal audit.

According to York, end user applications, sometimes called User-developed Applications (UDAs) are the subject of a Global Technology Audit Guide (GTAG) published by the Institute of Internal Auditors.

The guide describes UDAs as “spreadsheets and databases created and used by end users to extract, sort, calculate and compile organizational data to analyze trends, make business decisions or summarize operational and financial data and reporting results. Almost every organization uses some form of UDAs because they can be more easily developed, are less costly to produce and can typically be changed with relative ease versus programs and reports developed by IT personnel. However, once end users are given freedom to extract, manipulate, summarize and analyze their UDA data without assistance from IT personnel, end users inherit risks once controlled by IT.”

York noted that most people do not think about spreadsheets as they do data in Banner, but such unit-level applications are information assets that require security controls. “Unlike Banner, your spreadsheets and databases start and remain unprotected unless you take specific steps to address several key risks.  The major risks include data integrity, availability and confidentiality.”

Data integrity is the most significant risk, according to the GTAG. Integrity can be thought of as reliability – can the data in a UDA be trusted to accurately reflect what it is supposed to present?

“UDAs usually lack the formal development and testing process that third party or centrally developed applications receive,” said York.  “Managing changes to enterprise applications is a very precise process that imposes segregation of duties, pre-deployment testing and formal documentation.  Changes to local spreadsheets and databases rarely receive such treatment and can lead to unintended consequences.”

Multiple users of the application increase the risk from data entry errors and unintentional functionality changes, he added. “Documentation of the design and functionality of the UDA is often nonexistent, residing only in the head of its developer, who alone knows how the application works and is the only one who knows how to fix it when it doesn’t.  Simple things like hidden rows or columns become major issues if you don’t know they are there.”

Availability risks exist because UDAs can be stored on media (individual computers or USB drives) that can be lost or destroyed easily. In addition, they may not be part of any automated, periodic backup process.
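The integrity and availability risks described above (unreviewed changes to a spreadsheet, and a file that exists only on one computer or USB drive) can both be reduced with a small, routine check. The script below is an added illustration written for this article; it is not from the GTAG, from internal audit, or from any campus tool. It assumes a unit keeps its spreadsheets and databases under one folder (the `unit_udas` folder, file names and contents are constructed for the demo), records a SHA-256 baseline of each file, copies the files to a backup location, and on each later run reports which files were added, removed or modified since the baseline so the owner can confirm the change was intended. The file hashes detect any change to the file, not whether a change was correct; that review still belongs to the application's owner.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# File types that typically make up a unit's UDAs (assumption: Excel and Access files).
UDA_PATTERNS = ("*.xlsx", "*.xlsm", "*.xls", "*.accdb", "*.mdb")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large workbooks do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(uda_dir: Path) -> dict:
    """Map each UDA file (relative path) to its current SHA-256 hash."""
    baseline = {}
    for pattern in UDA_PATTERNS:
        for path in sorted(uda_dir.rglob(pattern)):
            baseline[path.relative_to(uda_dir).as_posix()] = sha256_of(path)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_to_baseline(uda_dir: Path, baseline: dict) -> dict:
    """Report files added, removed or modified since the baseline was recorded."""
    current = build_baseline(uda_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current if name in baseline and current[name] != baseline[name]
        ),
    }


def backup_udas(uda_dir: Path, backup_dir: Path, baseline: dict) -> list:
    """Copy every baselined file to the backup folder, keeping timestamps (copy2)."""
    copied = []
    for relative in baseline:
        destination = backup_dir / relative
        destination.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(uda_dir / relative, destination)
        copied.append(relative)
    return copied


def demo() -> dict:
    """Run the whole cycle against constructed files in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uda_dir, backup_dir = root / "unit_udas", root / "backup"
        uda_dir.mkdir()
        backup_dir.mkdir()
        # Constructed placeholder contents; real files would be actual workbooks/databases.
        (uda_dir / "clients.xlsx").write_bytes(b"constructed placeholder workbook")
        (uda_dir / "tracking.accdb").write_bytes(b"constructed placeholder database")

        baseline = build_baseline(uda_dir)
        save_baseline(baseline, root / "baseline.json")
        copied = backup_udas(uda_dir, backup_dir, baseline)

        # Simulate what the article warns about: an unreviewed edit and a lost file.
        (uda_dir / "clients.xlsx").write_bytes(b"edited with no change control")
        (uda_dir / "tracking.accdb").unlink()

        report = compare_to_baseline(uda_dir, load_baseline(root / "baseline.json"))
        # The lost database is still recoverable from the backup copy.
        recoverable = (backup_dir / "tracking.accdb").exists()
        return {"copied": copied, "report": report, "recoverable": recoverable}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduled from Task Scheduler or cron, a run that reports an empty `added`/`removed`/`modified` list is the expected case; anything else is a prompt for the owner to confirm the change and refresh the baseline, or to restore from the backup folder.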

“Remotely accessing the application or data may be desirable, but it depends upon where and how they are stored. Also, if the only person who can get to the application is unavailable, this will hinder accessing it,” said York.

Where an application resides and who can get to it are critical concerns, too, York noted. “Both Excel and Access have basic access controls that employees can use to limit who uses the application and what they can do once inside. Confidentiality risks also exist because a UDA and its data can easily be transmitted outside the department via email or downloaded to a USB drive. Depending upon the type of data in the application, various federal privacy regulations may be involved that require specific security measures.”

The risks of data integrity, availability and confidentiality are not insurmountable and can be adequately addressed with proper planning and attention to detail. According to York, the GTAG has a section (4.2, page 13) devoted to best practices for controls over UDAs. The techniques described do not require costly or sophisticated technology, just some time and thought.

“This investment now can prevent the need to invest more time and thought, along with costly technology or outside support, in the likely event that your local application goes awry,” York stated. “Internal audit can provide an assessment tool and workbook to help units evaluate their local applications. Also, the Skillport catalog through the employee learning and development office within HR has e-learning offerings on Microsoft Office that can provide training to implement the GTAG suggestions. The ITS Service Desk is a resource for specific ‘how to’ questions on application security measures, too.”