
THE ABSENTEE PASSWORD

A Case Study Analysis

FACTS AND ISSUES OF THE CASE


It is the Saturday Lotto Draw and it is raining very hard; some streets in Metro Manila are already flooded. In the PCSO Lotto Draw, the first step is to define the next draw date, the so-called Draw Definition Option. The PCSO Lotto Draw System requires the definition of draw dates as part of its processing procedures: it is needed to perform end-of-day processing, to close or inactivate all communication processors connected to the on-line terminals at the designated time of 8:30 PM, and to determine and generate the total sales for that scheduled draw date. The Lotto System requires six draws to be defined in advance, which gives lotto bettors the chance to place their bets in advance.

For the Draw Definition Option, Mr. General and his alternate, Mr. Colonel, are the only ones granted access. As a contingency measure, the password of Mr. Colonel is placed in a sealed envelope signed by both the Internal Auditor and the Resident Auditor and kept in a locked safety box inside the locked vault, so that a back-up procedure is in place in case of any eventuality. A list of telephone and contact numbers is posted on the bulletin board for emergency purposes. In every draw, a representative from the PCSO Internal Auditor Office, a representative from the Office of the Resident Auditor and a representative from the ITC witness the draw proceedings.

That rainy Saturday, Mr. General was the one scheduled to define the next lotto draw. The Draw Definition procedure is performed at 8:15 PM. It was already 8:15 and Mr. General had not yet arrived. Somebody had to decide who would perform the procedure. The Team Leader of the Lotto Draw Team, Mr. Captain, approached the Resident Auditor and the Internal Auditor and discussed with them the contingency control procedure for such an eventuality. According to the existing standard operating procedure, the password of Mr. Colonel, which is kept in a sealed envelope inside the vault, shall be opened in the event that Mr. General and Mr. Colonel both fail to attend the Lotto Draw. However, since the control measure did not identify who is authorized to unlock and unseal the password of Mr. Colonel, Mr. Captain, as Team Leader of the Draw Team, decided to assume the responsibility, but only in the presence of and with the approval of the Internal Auditor, the representative of the Office of the Resident Auditor and the ITC representative, who is known to be very stern. She expressed her approval but informed them that this would form part of her observations in her back-to-office report. So the Team Leader opened the sealed envelope containing the password, read it, showed it to the Internal Auditor, the Resident Auditor and the ITC representative, then returned the password to the safety box inside the vault and locked it. With the access password, Mr. Captain was given permission by the system to perform the Draw Definition procedures.

The next Monday, it was Mr. Colonel's turn to define the draw. He was informed of last Saturday's incident and expressed his appreciation for the immediate action taken by Mr. Captain, but he did not take any action on the sealed password; instead he used the same password in that draw.

STATEMENT OF THE PROBLEM


Is the Password control and maintenance procedure of the Philippine Charity Sweepstakes Office (PCSO) Lotto Draw System adequate to ensure the integrity, accuracy and reliability of systems and data? If not, how can they improve and tighten their control procedures?

OBJECTIVES
- To determine the adequacy of the Password control and maintenance procedure of the Philippine Charity Sweepstakes Office (PCSO) Lotto Draw System.

- To pinpoint lapses or weaknesses in their internal control procedures that could impair the integrity, accuracy and reliability of their systems and data.

- To formulate recommendatory procedures to strengthen the Password maintenance procedure of the PCSO Lotto Draw System.

ALTERNATIVE COURSES OF ACTION


- The back-up password should be used only once. A new password should be created once the back-up password, which is kept in a sealed envelope inside the vault, has been opened in the event that Mr. General and Mr. Colonel failed to attend the PCSO Lotto Draw. This new password should be known only to Mr. General and Mr. Colonel, with the knowledge of the Internal Auditor and the Resident Auditor. The new password will be the one used in the following PCSO Lotto Draws and in the event that Mr. General and Mr. Colonel are absent again.

- The existing standard operating procedure should be amended to specify the particular individual who is authorized to unlock the back-up password, for accountability and responsibility purposes. There should be timely review, evaluation and, if necessary, amendment of the existing standard operating procedure of the PCSO Lotto Draw System. The amended procedure should name the particular individual authorized to unlock the back-up password so that the accountable and responsible person can easily be traced should any irregularity occur.

EVALUATION

Alternative Action: The back-up password should be used only once.

Function/s: This action would enhance the general controls of the PCSO Lotto Draw System, specifically its Data Security Controls. It prevents the individual who opened the back-up password from using that password again to access and change the organization's important files without proper authorization.

Alternative Action: The existing standard operating procedure should be amended to specify the particular individual who is authorized to unlock the back-up password, for accountability and responsibility purposes.

Function/s: This course of action is important because the organization can pin down the accountable and responsible individual if irregularities or suspicious behaviour of the system are discovered. With this action, the organization can easily trace the chain of accountability and responsibility. It also encourages the individual in charge to be more cautious and more responsible in carrying out the assigned duty.
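The two controls evaluated above (a sealed back-up password that is valid for exactly one use after the envelope is opened, and a named, witnessed unsealer recorded for accountability) can be expressed as a small model. The following Python is an added example written for this analysis, not PCSO's own system or code; the vault class, the role names and the replay of the Saturday and Monday events are all constructed, and the password itself is a random string standing in for whatever the envelope contains.

```python
"""Model of a sealed back-up ("break-glass") password with two controls:
single use after unsealing, and a named unsealer plus required witnesses
recorded in an audit trail. Example code for this case study; all names,
roles and events are constructed, not taken from PCSO's system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac
import secrets


class ControlViolation(Exception):
    """A procedure step was attempted outside the approved control."""


@dataclass
class SealedCredential:
    owner: str                          # whose password is in the envelope
    digest: bytes                       # SHA-256 of the password, for verification
    plaintext: str = field(repr=False)  # what the envelope actually contains
    state: str = "SEALED"               # SEALED -> OPENED -> RETIRED


@dataclass
class BreakGlassVault:
    """The locked safety box together with the SOP that governs it."""
    authorized_unsealers: frozenset      # individual(s) the amended SOP names
    required_witness_roles: frozenset    # roles that must be present at unsealing
    credential: Optional[SealedCredential] = None
    audit_log: list = field(default_factory=list)

    def _record(self, event, actor, **details):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "actor": actor, **details})

    def seal_new(self, owner):
        """Issue a fresh password to `owner` and seal a copy in the box."""
        pw = secrets.token_urlsafe(16)
        self.credential = SealedCredential(
            owner=owner, digest=hashlib.sha256(pw.encode()).digest(), plaintext=pw)
        self._record("SEALED", actor=owner)
        return pw  # handed to the owner only

    def unseal(self, requester, witnesses):
        """Open the envelope. `witnesses` maps role -> name of the person present."""
        missing = self.required_witness_roles - set(witnesses)
        if requester not in self.authorized_unsealers or missing:
            self._record("UNSEAL_REFUSED", actor=requester, missing=sorted(missing))
            raise ControlViolation(f"{requester} refused; missing roles {sorted(missing)}")
        cred = self.credential
        if cred is None or cred.state != "SEALED":
            raise ControlViolation("no sealed credential available")
        cred.state = "OPENED"
        self._record("UNSEALED", actor=requester, witnesses=dict(witnesses))
        return cred.plaintext

    def authenticate(self, password, actor):
        """Return True if `password` is accepted for one Draw Definition."""
        cred = self.credential
        if cred is None:
            return False
        matches = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), cred.digest)
        if cred.state == "RETIRED":
            # Anyone who read the envelope (owner included) is refused after the one use.
            self._record("REUSE_REFUSED" if matches else "LOGIN_FAILED", actor=actor)
            return False
        if not matches:
            self._record("LOGIN_FAILED", actor=actor)
            return False
        if cred.state == "OPENED":
            cred.state = "RETIRED"  # single-use rule: valid once, then dead
            self._record("LOGIN_OK_BREAK_GLASS", actor=actor)
            self._record("RETIRED", actor=actor, owner=cred.owner)
            return True
        self._record("LOGIN_OK", actor=actor)
        return True


def run_scenario():
    """Replay the Saturday and Monday events under the recommended controls."""
    vault = BreakGlassVault(
        authorized_unsealers=frozenset({"Mr. Captain"}),
        required_witness_roles=frozenset({"Internal Auditor", "Resident Auditor", "ITC"}))
    colonel_pw = vault.seal_new("Mr. Colonel")
    witnesses = {"Internal Auditor": "IA rep", "Resident Auditor": "COA rep", "ITC": "ITC rep"}
    results = {}
    for label, who, present in (("unauthorized_unseal", "Mr. Sergeant", witnesses),
                                ("unwitnessed_unseal", "Mr. Captain", {"ITC": "ITC rep"})):
        try:
            vault.unseal(who, present)
            results[label] = "allowed"
        except ControlViolation:
            results[label] = "refused"
    pw = vault.unseal("Mr. Captain", witnesses)              # Saturday, all witnesses present
    results["saturday_draw"] = vault.authenticate(pw, "Mr. Captain")
    results["monday_reuse"] = vault.authenticate(colonel_pw, "Mr. Colonel")  # same password, refused
    new_pw = vault.seal_new("Mr. Colonel")                    # reissue and reseal
    results["new_password_works"] = vault.authenticate(new_pw, "Mr. Colonel")
    results["new_password_differs"] = new_pw != colonel_pw
    results["events"] = [e["event"] for e in vault.audit_log]
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In this model the envelope holds the owner's real password, as in the case, so retiring it after the one emergency use also forces the owner onto a new password; the Monday reuse that the case describes is therefore refused, and the audit log names who unsealed, who was present, and who tried outside the procedure.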

RECOMMENDATIONS AND CONCLUSIONS


After scrutinizing the case, our group concludes that the Password control and maintenance procedure of the Philippine Charity Sweepstakes Office (PCSO) Lotto Draw System is inadequate and leaves the system exposed to disaster, computer crime and breaches of security. The lapses and weaknesses of their internal control procedures stem from the following two reasons:

- Mr. Colonel did not take any action on the sealed password after it had been opened by Mr. Captain. This gave Mr. Captain the chance to remember the password and opened the possibility that Mr. Captain could access and change important files and data of the system without any authorization.

- The control measure of the organization did not identify the particular individual authorized to unlock and unseal the sealed back-up password of Mr. Colonel. This deficiency in their control points means the organization cannot directly identify the accountable and responsible individual once irregularities or breaches of security occur.

If the PCSO takes no action to solve the weaknesses of its internal control procedures stated above, these weaknesses can be used as an entry point for threats that impair the integrity, accuracy and reliability of systems and data. In order to solve the deficiencies of their internal control procedures, our group recommends that the two alternative courses of action be adopted and implemented by the organization. They should keep an eye on having an effective control measure for securing the back-up password and on having a designated accountable and responsible individual every time that Mr. General, Mr. Colonel or both are absent during the Lotto Draw Definition. Of course, in implementing these control measures, their costs and benefits have to be considered.

The group has also provided some recommendatory procedures to help the organization decide on the specific preliminary and immediate actions to take. They are as follows:

- Terminals can be physically restricted so that they are available only to authorized individuals.

- Additional sets of passwords and security restrictions can be developed for specific systems and applications.

- Written policies and procedures establish formal standards for controlling information system operations. Procedures must be formalized in writing and authorized by the appropriate level of management. Accountabilities and responsibilities must be clearly specified.

- Supervision of personnel involved in control procedures ensures that the controls for an information system are performing as intended. With supervision, weaknesses can be spotted, errors corrected, and deviations from standard procedures identified. Without adequate supervision, the best-designed set of controls may be bypassed, short-circuited, or neglected.

Prepared by: Leo A. Omamalin Jeniecel G. Alico Junegil Fabular Jay-jay Ree Jee A. Feniquito Ma. Luz Mercedez
