7.11. BACKUP SYSTEM SECURITY ADMINISTRATOR

The movie Jurassic Park, based on the novel by Michael Crichton, provides an excellent example of how not to administer security over a high-risk system. In the movie, Jurassic Park is a giant, computer-controlled tropical theme park with Tyrannosaurus rexes, velociraptors, and numerous other live dinosaurs as its main attractions.

Any IS auditor who saw the movie should remember the part where the system programmer was bribed into stealing several dinosaur embryos. To facilitate his theft and getaway, he had programmed the system to unlock secured doors to the research facility where the embryos were located while the primary console terminal for the system displayed what appeared to be typical processing. The system was actually locked to prevent anyone from accessing the system without the appropriate password. To complicate matters further, a severe tropical storm was battering the park. The resulting power outages enabled some of the predatory dinosaurs to escape and attack the humans.

The embryo theft and escape of dinosaurs were possible because the data processing facility suffered from a severe lack of internal controls. Complete control over tens of millions of dollars' worth of research facilities and dinosaurs was granted to a single individual—a classic example of inadequate segregation of duties. There was no trained backup system security administrator, no BRP, and no procedures to back up software and data to enable ...
