
CASE 3: BIG APPLE FINANCIALS
PHYSICAL SECURITY

BIG APPLE FINANCIALS, INC.


It is a financial services firm located in New York City.
It keeps client investment and account information on
a server at its Brooklyn data center.
Such information includes the total value of the
portfolio, type of investments made, the income
structure of each client, and associated tax liabilities.
The company has recently upgraded its website to
allow clients to access their investment information.

The data center is in the basement of a rented building.
Management believes that the location is secure enough
to protect their data from physical threats.
Controls implemented for servers: housed in a room
with smoke detectors and sprinklers, enclosed with
temperature-controlled air-conditioning.
Auditors' Concern: Some of the measures at the
current location are inadequate and newer
alternatives should be explored.
Management's Concern: High cost of purchasing
new equipment and relocating its data center.

REQUIRED
1. Why are Big Apple's auditors stressing the need to
have a better physical environment for the server?
2. Describe six control features that contribute to the
physical security of the computer center.
3. Big Apple management is concerned about the cost of
relocating the data center. Discuss some options open
to them that could reduce their operating costs and
provide the security the auditors seek.

BETTER PHYSICAL ENVIRONMENT
The auditors of Big Apple Financials, Inc. see the need for a
better physical environment because all the information needed to
conduct operations is contained in the server. Environmental
hazards such as fires, floods, wind, earthquakes, or power outages pose
a threat as serious as those arising from human factors.
Although these incidents may not happen frequently, they may
paralyze the company's operations and bring about financial and
operational ramifications. The placement of the data center in the
basement greatly increases its exposure to floods. Also, the software
checks and other control measures currently being employed by the
company are insufficient to avoid such losses. Thus, it is of great
importance for Big Apple Financials, Inc. to have a workable disaster
recovery plan in place to protect the server in the event of adversity.
Such a recovery plan should be feasible, delegated to responsible
persons, and well communicated to all members of the organization.

CONTROL FEATURES
Physical Location: The computer center should be located
in an area that minimizes its exposure to human-made and
natural hazards, such as processing plants, gas and water
mains, airports, high-crime areas, flood plains, and geological
faults. It should also be away from normal traffic, such as on the
top floor of a building or in a separate, self-contained building.
Construction: Ideally, a computer center should be located
in a single-story building of solid concrete with controlled
access. Utility and communication lines should be
underground. The building windows should not be
excessively large, and locking devices on doors and windows
should be maintained as a security strategy. An air filtration
system should be in place that is capable of excluding dust,
pollen, and dust mites.

Access: Access should be limited to operators and other
employees who work there. Physical controls, such as locked doors,
should be employed to limit access to the center. Programmers
and analysts who need access to correct program errors should be
required to sign in and out. Accurate records of such events must
be maintained. The main entrance to the computer center should
be through a single door. Alternative routes, such as fire exits,
should be accessible only when necessary. Video
surveillance and other controls are also advisable.
Air Conditioning: Computers operate best in a temperature
range of 70 to 75 degrees Fahrenheit and a relative humidity of 50
percent. Logic errors and static electricity risks can be lessened
through the proper use of air conditioning. There is an increased
risk of circuit damage from static electricity when humidity drops.
On the other hand, high humidity can cause molds to grow and
paper products to swell and jam equipment.

Fire Suppression: The system should be protected by an
automatic fire-fighting scheme (automatic and manual alarms
placed in strategic locations and connected to fire stations). An
automatic fire extinguishing system that dispenses the appropriate
suppressant (carbon dioxide systems or halogen agents) is
recommended instead of water. Manual fire-fighting equipment (i.e.,
fire extinguishers) should also be readily available, and staff should
be properly trained to use these and other protective equipment.
Clearly marked and illuminated fire exits must exist.
Fault Tolerance Controls: Commercially provided electrical power
presents several problems, including total power failures,
brownouts, and power fluctuations. The company should consider the
use of voltage regulators, surge protectors, generators, and backup
batteries in order to prevent the system from crashing and to mitigate
the negative effects associated with these disruptions. The use of a
redundant array of independent disks (RAID) may also be
considered.

HOW TO REDUCE THE OPERATING COSTS
The auditors and the management of Big Apple Financials, Inc. could meet
halfway by considering the outsourcing option. Outsourcing
the IT function is popular nowadays since the costs, risks, and responsibilities
associated with maintaining an effective corporate IT function are significant.
Some of the benefits that could be derived from IT outsourcing are improved
core business performance, improved IT performance, and reduced IT costs.
Management could choose between traditional outsourcing and the
more flexible cloud computing approach, depending on the nature of the
applications that Big Apple uses in its operations. Some of the readily
accessible classes under the cloud computing approach for financial services
firms are Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS).
Since outsourcing vendors can perform the function more cheaply than the
client firm could, economies of scale can be attained, thus
reducing the operating costs of relocating the data center.

SUBMITTED BY:
Bondoc, Jessa Krizzel D.
Chancoco, Maria Jasmine Rhei A.
Gonzales, John Kenneth M.
Lauricio, Helena Marie Q.
Manalese, Aarone Jan T.
Group 5 (A-531)
