
Controls after technological reengineering processes

Anonim

In a reengineering process, controls are not established after implementation, since reengineering concentrates on new and innovative process designs, seeking a marked, dramatic and notable increase in the productivity, efficiency and profits of companies, without providing for the design of controls in the processes. The result must therefore undergo an analysis for the implementation of basic and essential controls, with greater emphasis on the area of data processing. Failure to do so will surely cause failures or deviations in the new processes that cannot be detected or examined in time to avoid errors. Once developed, these guidelines must be applied by the entire company, and mainly by the personnel who work in the systems area.

The purpose of this work is not to teach you how to reengineer or to explain its methodology. Its purpose is to show that there is a "beyond" after a reengineering: the controls and security measures on which this work is focused. My intention is to show the alert points of the areas that are "mostly" in imminent danger and, in a less technical way, to explain to the business administrator how to prevent them by implementing controls and data security.

It is also important to inform the business administrator that, although he or she is not an expert in computer systems, he or she must "know" what the basic points are and obtain detailed information from the company's systems expert.

Finally, whether the business administrator leads a college, university, industry, bank or commercial company, this work will be of great help, since it applies to any type of company. Its focus is mainly on data processing and related areas, but its concepts can be extended to the other areas.

CHAPTER 1: GENERAL

  • Reengineering objective

Much has been said about what reengineering is and is not. Among the things said about it is that reengineering is a program or methodology that seeks radical change: it does not seek incremental improvements, nor only automation, nor only organization, nor only size reduction, nor only quality.

Process Reengineering is defined as a “balanced” approach that contains elements of the more traditional improvement programs, although it is not just one “more” improvement program, since reengineering is much more. It seeks decisive progress on important measures that affect performance. It pursues multifaceted goals in quality, cost, speed, flexibility, customer satisfaction and precision, all of them simultaneously and not one in particular. Reengineering takes the “processes” as its point of view and focuses on redesigning them; its perspective is therefore neither functional nor organizational.

Given what has been explained above and what you should already know about Reengineering, it seeks to straighten the process, removing the twists and turns from it. To do this, it defines that a process has borders and that each border has at least one control, so the process will have a minimum of two controls, one for the person making the transfer and the other for the person receiving it, which for Reengineering is inconceivable. In its view, establishing controls impairs the flow of the process, since they incorporate activities that, from the point of view of this methodology, do not add value.

The definition of reengineering expects to produce the optimization of workflow and productivity in an organization by measuring both based on business results: increased profitability, market share, return on investment, equity and assets. Reengineering can also be measured by reducing total or unit cost.

Process Reengineering establishes an explicit correlation between the business results (which are of interest to the senior executives who choose this program) and the process results: speed, precision and reduction of process time (which the reengineering team tries to optimize).

Without this deliberate, quantifiable link between the end and the means, that is, between the results of the business and the results of the process, reengineering programs would be doomed to failure.

Finally, Reengineering responds to the evolution of trends in the business environment where more traditional incremental improvement programs fail. In many cases, only reengineering promises change fast enough and radical enough to keep up with the changing business environment.

  • Controls Objective

Control is one of the pillars on which the administration is based. A simple concept of what control means would be to "measure current and past results, relative to those expected, either in whole or in part, in order to correct, improve, and formulate new plans." The control itself seeks to systematically collect data to know the implementation of the plans.

With technological advances and the success of communication systems, it is possible in many cases to obtain “feedback” from the information produced by the control itself and use it to initiate corrective action automatically. It is then not necessary to wait until the results are fully produced before acting: a previously established procedure constantly corrects the action, based on those results, without the need to stop it.

Controls can be automatic, manual, or a combination of both. To get an idea of the ways in which controls are presented, consider the following example: the temperature standard for a specific place has been set so that it must be maintained between 20 °C and 22 °C. In a manual control system, someone has to notice when the thermometer drops below 20 °C or rises above 22 °C and adjust the ventilation to comply with the standard.

In an automatic control system, when the temperature falls below 20 °C or rises above 22 °C, the system automatically changes the heating, thus constantly maintaining the temperature at the desired level.

In the administrative field the same applications are possible. For example, in inventories that have reorder points, on reaching a reorder point the necessary orders are generated automatically so that essential items do not run out while the stock is consumed. Carried out manually, this example also requires manual control of stock levels and reorder points.

After this brief explanation of what “control” is, we define then that the objective of controls is to provide the company with an element of monitoring and detection of deviations or failures in the processes. They are created in order to secure elements such as:

-Security, timeliness and accuracy of the information according to the requirements of the company.

-Application of protection and control measures on stored data or programs used in the processing center such as the company's microcomputers.

-The design of physical and administrative securities that lead to the support of control measures for the processing center and other entities that operate with official data.

-That the official data of the company is accessed by expressly authorized personnel and with specific attributions, by executing an authorized process that reflects a reliable final product based on the application of the designed processes.

-Authorized personnel, official data (formal data) and authorized processes are part of a whole formality system of the institution, which are continuously examined, reviewed and approved by the company's control mechanisms and which operate recurrently under the security and control schemes that are applied.

-The processes, data and programs that work in a company must always tend towards formalization (whether by users, internal audit, systems, internal control, training and others) when they are relevant to the company and when their processing is continuous and permanent. This ensures compliance with all the rules, policies, procedures and controls established in the Institution.

-Analyze the investments that may be necessary to comply with the rules and procedures for data security and control, evaluating the benefits that the investment would bring and considering at all times the interests of the company that must be safeguarded.

CHAPTER 2: PHYSICAL SECURITY

  • Physical Security Objective

The objective is to protect the systems in terms of hardware, software, documentation and magnetic media from the risks of loss or physical damage. Potential risks also arise from access by unauthorized personnel where adequate physical security controls are lacking, from fires, from power outages, from floods due to water leaks, and in logical access controls.

  • Aspects involving Physical Security

Physical security involves at least the following aspects:

  • Access Control
  • Fire Security
  • Energy Supply
  • Air Conditioning
  • Water Detection
  • Security Guards
  • Telecommunications

2.2.1 Access Control

Although investing in access control systems need not be onerous, as with the installation of bulletproof glass, 24-hour armed guards or video cameras, companies should put in place reasonable controls to prevent access by outsiders, and even by “unauthorized” personnel, to the processing center or to the areas where data or official and exclusive information is handled.

These security systems must provide for the use of security keys entered through an electronic component located in each area, or for the use of an encoded plastic card. Keys must be assigned by the representative of the systems area and must be changed periodically to avoid any infiltration into the key master file or the sharing of keys between users.

It should be noted that for this purpose there must be coordination between each area that makes an individual responsible through the use of a key and the control area that assigns and controls the keys issued to users. Not knowing about the dismissal, resignation or absence of a staff member for a specific or permanent period would leave the access control process unable to prevent damage caused by acts of sabotage, theft, assault, etc.

Accesses must also be granted based on the minimum need and depending on the cases under the supervision of the Head of Systems.

When personnel are reassigned to other functions that do not require the access previously authorized, the permit must be revoked as soon as the person is reassigned. The same applies during staff vacations.

Movements of equipment or magnetic media must be carried out only by authorized personnel and must follow the procedure for controlling equipment movements. The security guard must ensure that equipment or magnetic media entering or leaving the premises carry the corresponding authorizations.

Visitors who need to move around the processing center or related areas must wear a card that identifies them as "visitors", must always be escorted or supervised by personnel of the institution, and their entry and exit must be recorded in the area's logbook.

Cleaning and tidying of the processing center and related facilities must be carried out in the presence of the staff of the institution. Cleaning personnel must identify themselves before entering to the security guard, who must verify their names in the register of personnel external to the company and the hours authorized for access.

Personnel entering with suitcases, bags or objects other than those used for their cleaning work should be prohibited.

Access cards to restricted areas as well as visitor cards must be reported immediately in the event of loss, to security personnel and to the Systems Manager in order to revoke the use of said cards.

For emergencies, security personnel must have keys to the processing center and offices. These must be kept in a sealed envelope, under security and periodically reviewed by the Audit.

The records of entry and exit of personnel, equipment and magnetic media must be reviewed periodically by Audit personnel, who must verify that equipment movements were carried out according to the established controls and that personnel entered and left at the established times, with the respective permits for arrivals or departures after hours.

It is important that companies plan to take out an insurance policy that covers loss of or damage to their fixed assets.

  • Fire safety

The processing center and related areas must have smoke detectors that activate automatically when a considerable amount of smoke is emitted. These devices should be tested regularly to verify their operation. Fire detectors with automatic water extinguishing should be located in areas away from equipment and material that cannot be recovered after contact with water.

The processing center must have sufficient portable fire extinguishers and they must be periodically tested so that they can function in emergencies.

Their pressurization should be checked visually, and the fire extinguisher sent to the respective maintenance center to be loaded or unloaded.

Likewise, the area should be marked in such a way as to specify the areas where smoking or the use of combustible material is prohibited.

The extinguishers to be used vary according to the class of fire that occurs. For this we have type A, B, C and D fires. Type A fires are produced in ordinary solid fuels such as wood, textiles, garbage, etc. Fire of this kind cracks the material, creates embers, leaves ash and spreads from the outside to the inside. It is preferably fought with water-based extinguishing agents.

Type B fires occur in flammable liquids: gasoline, oils, paints, grease, etc. It is characterized in that fire occurs only on the surface. To combat them, we must preferably eliminate the oxygen that is in contact and it is necessary to use extinguishing agents that fulfill this purpose.

Type C fires occur in connected electrical equipment. Although this type of fire occurs in solid or liquid materials, it has deserved a special classification due to the danger of electric current. Extinguishing agents that do NOT CONDUCT ELECTRICITY are used.

Type D fires occur in light metals, chemicals, pharmaceuticals, etc. On combustion these materials generate their own oxygen; when attacked with ordinary extinguishing agents they produce violent reactions, including explosion. They are preferably fought with special extinguishing agents such as chemical powder.

Below is an explanatory table of the types of fires and types of fire extinguishers to be used in each one.

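FIRE CLASS / EXTINGUISHER

| CLASS | TYPE OF FUEL MATERIAL | WATER | FOAM | CO2 | BC POWDER | ABC POWDER | SPECIAL AGENTS |
|---|---|---|---|---|---|---|---|
| A | Wood, rags, paper, etc. Solids in general | Suitable | Suitable | Can be used | Can be used | Suitable | Do not use |
| B | Flammable liquids or solids with a low melting point | Do not use | Suitable | Suitable | Suitable | Suitable | Can be used |
| C | Live or connected electrical equipment | Do not use | Do not use | Suitable | Suitable | Suitable | Can be used |
| D | Materials, chemicals, etc. | Do not use | Do not use | Do not use | Can be used | Can be used | Suitable |

Key: "Suitable" = suitable for this type of fire; "Can be used" = can be used; "Do not use" = should not be used in this type of fire.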

The processing center and related areas must be built and furnished with non-flammable equipment, furniture and materials. It is preferable not to use curtains in the processing center. Electrical equipment such as cables must be installed and prepared by highly qualified personnel.

The power switches must be separated by sections, and there must be one that allows the complete shutdown of the power supply in emergencies, protected to prevent accidental manipulation.

Under no circumstances should you smoke in the processing area. Any easily combustible materials, such as sheets, manuals and forms, should be located away from hot areas and possible contact with flammable elements.

  • Energy supply

-Every company must have a UPS (Uninterruptible Power Supply) to protect itself from any interruption or drop in the electrical supply.

-In addition to the UPS there must be a Power Generator to be used in emergency cases as well, which must be periodically tested in order to ensure its operation.

[Figure: power generator]

-Both the Power Generator and the UPS must be sized to be used at up to 70% of their load.

-It should be noted that the UPS is in constant operation, not only to withstand the absence of power for a certain period but also during flickers or electrical spikes. It is important to evaluate correctly the specifications that a UPS must have before purchasing it, so that it supports all the equipment of the processing center and related areas. This evaluation must be carried out by the Head of Systems.

-The equipment must be regularly maintained.

-The energy of the processing center and related must be exclusive and not shared with other areas.

-In emergencies it is important that the personnel of the processing center are familiar with the respective procedures so that, when working only on power provided by the UPS, non-essential equipment is turned off in order to extend the time the alternate power supply lasts.

-As an emergency tool, you should always have battery-powered flashlights.

  • Air conditioning

-The processing center must be kept at a temperature between 18 °C and 19 °C, with humidity between 45% and 50%.

-The processing center must have, independent of the central air conditioning system, two “special” air conditioning units, one of which acts as a backup when the other cannot operate correctly. These units differ from ordinary air conditioners: they automatically regulate temperature and humidity, control the air flow and are silent, thus avoiding damage to computers and other equipment in the processing center.

-In contingencies in which the main air conditioner is not operating and there is no backup equipment, pedestal fans may be kept available to cool the main equipment for the duration of the emergency.

  • Water detection

It is very rare for a company to use water detectors in its processing centers not because of their inefficiency but because of a lack of knowledge about the existence of these types of equipment. These devices are very important to keep the processing center away from water leaks, mainly in weak points, such as places near air conditioning equipment.

[Figures: water and humidity sensor; audible water detector]

-These devices can be audible water detectors or water and humidity sensors. They can be used individually according to the needs of each company, or combined: water and humidity sensors can be used in certain key sectors (places where air conditioning equipment is located), and audible detectors in others (near faucets or water pipes).

-Alarms must be regularly maintained and tested to ensure their operation.

-As a complement to the automatic systems, leaks or seepage can be detected visually in false floors, ceilings or walls.

  • Security guards

-The Security Guards must ensure the permanent surveillance of the offices and mainly of the processing center and the like. No unauthorized person may enter the processing center without the respective permission.

-They must also verify that the visiting staff is on the floor and with the person visited. Likewise, the departure of visitors must be registered and must be controlled through the visiting cards and the signature and time of departure by the visitor.

-Depending on the size of the company and the sensitivity of the information they handle, security cameras are usually established by floors or sectors, which are monitored by a group of security guards at the control sites designated for this purpose.

  • Telecommunication

Communications is defined as the art and science of "Communicating". This simple concept extends to telecommunications, which consist of "Communicating" over some distance, using electronic, electrical, optical, cable, fiber or electromagnetic means. Telecommunications are simply means of transmission, reception and exchange of signals.

-Among the safeguards that must be observed in telecommunications, communication cables and electrical cables must be kept protected to ensure that they function properly.

-Communication equipment such as modems, nodes, controllers, servers, etc. must be protected within the physical place where it is located, in an environment that meets the technical specifications provided by the manufacturer and/or supplier of the equipment.

-Throughout the company, and mainly in the processing center, electrical cables must run inside cable raceways or plastic conduits, which do not conduct electrical energy. For network cables (voice and data transmission), metallic conduits are generally used.

-Cables, whether electrical or not, must be laid in an orderly way in places clearly designated for the purpose, using the elements available on the market to protect them against short circuits or damage caused by negligence, water, rodents, etc.

-Currently, companies dedicated to the design of work environments supply movable walls with cable raceways integrated in the paneling. It is important to emphasize that this type of paneling should be used outside the processing area, since the material that covers it is generally cloth and therefore burns easily.

Although the Business Administrator will entrust the company's Head of Systems with the execution or installation of electrical or structured cabling (for networks), he or she must still know the points that this type of installation must cover:

-Electrical installation: Project and execution of civil works, laying of ducts (plastic), laying of cables. Provision and installation of: outlets, boards, surge suppressors (voltage stabilizers-UPS), etc.

-Structured wiring: Project and execution of civil works, laying of ducts (metal or plastic), laying of cable raceways, laying of voice and data cables. Provision and installation of: cabinets, connectors, patches, hubs, routers, etc. Provision and installation of computer equipment and its corresponding software.

-Network maintenance service: It can include all the computer equipment (servers, personal computers, printers, etc.), as well as the checking and correction of problems in the laying of the network and its active components. In pre-existing facilities, the Network Certification Service is offered.

CHAPTER 3: CONTROLS RELATED TO SYSTEMS

  • Logical Access Controls

Need for controls

Logical Access Controls are of vital importance since they allow protecting resources such as programs, files, transactions, commands, utilities, etc.

We will define the guidelines to implement the control mechanisms over the logical access, both local and remote, to the resources of the data processing center and related.

-At a general level, access permissions must be based on the user's need to know the information. This implies that permissions must be supported and justified according to the role of the user.

-In emergencies, when resources are usually left unprotected and someone other than the authorized person needs logical access, it must always be done under adequate supervision. After the emergency, that user and password must be deactivated, or the password replaced with a new one, for security.

-Logical access control systems must contemplate violations. Maintaining a historical record of all accesses including failed attempts or breaches of your security should occur automatically.

-The access codes must be kept in properly sealed envelopes and kept in a safe. In cases of emergency, the person in charge of the safe, with the authorization of the Head of Systems, may deliver to the latter the key that is protected. A record of access to these backed-up passwords and respective authorizations should be kept.

-Users are responsible for the keys assigned to them. Under no circumstances should passwords be disclosed or exchanged with other users. Any result of non-compliance with this point will be exclusively under the responsibility of the respective user.

-The company must establish an entity in charge of managing security, users and passwords. Its functions will be to control and keep updated the list of users and passwords assigned to the different resources, and to establish periodic change policies in order to avoid deviations in the security of the resources.

  • User Identification

-Users should never share their user identifications and passwords. Each new user must be requested from, and justified to, the Head of Systems and, once approved, must be channeled through the Security Administrator for assignment and control.

-It is important that the Systems Manager inform both the applicant and the Security Administrator of the types of access the new user will have, as well as what is not accessible, which could extend to terminal-level restrictions.

-No user can be created without a corresponding password, since this constitutes the only means of security control.

-Passwords must consist of a minimum of 6 alphanumeric characters (numbers and letters), chosen by the user. On other occasions, depending on the resources to which the user will have access, passwords are assigned directly by the Security Administrator and communicated to the user, e.g. network users and network passwords.

-It is important that the User Manager does not have the same password recorded for more than one user. Should this occur, the password must be changed immediately and the respective user informed of the new password. The following factors should also be taken into account:

* There must be no passwords for different users with the same characters in the same positions, eg: 123SRRG and 123LRRG.

* The number of numerical characters to be used in the password must be stipulated.

* The maximum number of characters must be stipulated.

-The passwords must be changed at least every 30 days. In cases of highly sensitive user codes, a longer change time should be evaluated.

-A maximum of three failed attempts with the wrong password should be allowed. After three failed attempts, the user must be disabled. These attempts must be recorded in the system for later control.

-Passwords should not be displayed. They must be stored in encrypted form.

-Each access to each resource must contain a specific key and not be repeated.

-If the user considers changing their password due to loss of confidentiality, they must request the Security Administrator to assign a new password immediately.

-Some programs ship with a default user and password to facilitate installation. These must be changed once the program has been installed.

-The keys must be backed up in security envelopes and random tests must be carried out to verify their authenticity and currency.

  • Suspension of Permits

Permits must be suspended for the following reasons:

-When employees are absent due to Vacations.

-When a username and password have not been used for a period of 30 days.

-On weekends and holidays, subject to an evaluation by the Security Administrator and the Head of Systems.

-When the maximum number of failed access attempts is exceeded, whether or not the resources are assigned to the user.

In any of these cases, the reasons must be analyzed and investigated, and to rehabilitate the user, authorizations must be requested again, depending on the type of suspension applied. In the case of suspensions due to system inactivity, the system must request re-entry of the password.
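The password rules under User Identification and the suspension rules above can be enforced together in code. The sketch below is an added example, not part of the original article: the class and method names are hypothetical, the reading of the 6-character rule is an assumption, and a salted PBKDF2 hash stands in for the "encrypted" storage the text asks for.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 6                          # page: minimum of 6 alphanumeric characters
MAX_FAILED = 3                          # page: user disabled after three failed attempts
MAX_PASSWORD_AGE = timedelta(days=30)   # page: change at least every 30 days
MAX_INACTIVITY = timedelta(days=30)     # page: suspend after 30 days without use
PBKDF2_ROUNDS = 600_000                 # assumption: work factor chosen for this example


def password_acceptable(pw: str) -> bool:
    """Assumed reading of the rule: 6+ characters, at least one letter and one digit."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def _derive(pw: str, salt: bytes) -> bytes:
    # Salted one-way hash, so stored values can never be displayed. They also
    # cannot be compared across users, so the page's "same characters in the
    # same positions" rule is deliberately not implemented here.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes = b""
    digest: bytes = b""
    password_set: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    failed: int = 0
    suspended: Optional[str] = None     # reason, or None while the account is active


class AccessControl:
    def __init__(self):
        self.accounts = {}
        self.audit = []                 # (timestamp, user, event), failures included

    def _log(self, now, user, event):
        self.audit.append((now.isoformat(), user, event))

    def set_password(self, user, pw, now):
        if not password_acceptable(pw):
            raise ValueError("password does not meet the policy")
        acct = self.accounts.setdefault(user, Account(user))
        acct.salt = os.urandom(16)
        acct.digest = _derive(pw, acct.salt)
        acct.password_set = now
        self._log(now, user, "password_set")

    def suspend(self, user, reason, now):
        """Suspension, e.g. reason='vacation', 'inactive' or 'failed_attempts'."""
        self.accounts[user].suspended = reason
        self._log(now, user, f"suspended:{reason}")

    def reinstate(self, user, authorized_by, now):
        """Rehabilitation needs a fresh authorization, which is recorded."""
        acct = self.accounts[user]
        acct.suspended, acct.failed, acct.last_activity = None, 0, now
        self._log(now, user, f"reinstated:authorized_by={authorized_by}")

    def login(self, user, pw, now):
        acct = self.accounts.get(user)
        if acct is None:
            self._log(now, user, "denied:unknown_user")
            return "denied"
        idle_since = acct.last_activity or acct.password_set
        if acct.suspended is None and now - idle_since > MAX_INACTIVITY:
            self.suspend(user, "inactive", now)
        if acct.suspended:
            self._log(now, user, f"denied:suspended:{acct.suspended}")
            return "suspended"
        if not hmac.compare_digest(_derive(pw, acct.salt), acct.digest):
            acct.failed += 1
            self._log(now, user, f"failed_attempt:{acct.failed}")
            if acct.failed >= MAX_FAILED:
                self.suspend(user, "failed_attempts", now)
            return "denied"
        acct.failed, acct.last_activity = 0, now
        if now - acct.password_set > MAX_PASSWORD_AGE:
            self._log(now, user, "login_ok:password_expired")
            return "change_password"
        self._log(now, user, "login_ok")
        return "ok"
```

A suspended account is refused even when the correct password is presented, and every refusal is written to the audit list for the Security Administrator's review.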

  • Data access

-Data will be stored on magnetic media such as floppy disks, cartridges or tapes. These data can only be accessed by authorized personnel.

-Printed information must be classified according to its security.

-In case of failed access to data, the system must keep such information in detail with the user's name, date, application, files, etc. which were intended to be accessed, as well as the number of attempts.

-In the same way, the system should keep track of successful attempts after several failed attempts. These can be managed through security logs (chronological activity files) that must be reviewed periodically by the Security Administrator.

-Businesses must design the procedure that allows them to successfully ensure the control of data access security.
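The periodic log review described above can be automated. The following is an added example, not part of the original article: the log line layout, the sample entries, the threshold of three failures and the 30-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the field layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-04T08:15:02 user=jperez app=payroll file=PAYMAST result=FAIL
2024-03-04T08:15:40 user=jperez app=payroll file=PAYMAST result=FAIL
2024-03-04T08:16:05 user=mlopez app=billing file=INVOICES result=OK
2024-03-04T08:16:31 user=jperez app=payroll file=PAYHIST result=FAIL
2024-03-04T08:17:10 user=jperez app=payroll file=PAYMAST result=OK
2024-03-04T09:02:44 user=mlopez app=billing file=CUSTOMER result=FAIL
2024-03-04T09:03:01 user=mlopez app=billing file=CUSTOMER result=OK
corrupted line without fields
2024-03-04T11:30:00 user=asuarez app=ledger file=GLMAST result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"file=(?P<file>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Return (events sorted by time, numbers of the lines that could not be parsed)."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(m.group("ts")) if m else None
        except ValueError:
            ts = None
        if ts is None:
            rejected.append(n)          # unreadable entries are themselves a finding
            continue
        events.append({**m.groupdict(), "ts": ts})
    return sorted(events, key=lambda e: e["ts"]), rejected


def review(events, threshold=3, window=timedelta(minutes=30)):
    """Summarise failed accesses and flag successes that follow repeated failures."""
    pending = defaultdict(list)         # user -> failures not yet followed by a success
    summary = defaultdict(lambda: {"attempts": 0, "targets": set()})
    alerts = []
    for e in events:
        user = e["user"]
        if e["result"] == "FAIL":
            pending[user].append(e)
            summary[user]["attempts"] += 1
            summary[user]["targets"].add((e["app"], e["file"]))
            continue
        # A success: count the failures that preceded it inside the time window.
        prior = [f for f in pending.pop(user, []) if e["ts"] - f["ts"] <= window]
        if len(prior) >= threshold:
            alerts.append({
                "user": user,
                "success_at": e["ts"].isoformat(),
                "accessed": (e["app"], e["file"]),
                "failures_before": len(prior),
                "files_tried": sorted({f["file"] for f in prior}),
            })
    return {"failed_summary": dict(summary), "alerts": alerts}
```

The summary gives the user, application, files and number of attempts for every failed access, and the alerts list is what the Security Administrator would investigate first.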

  • Access to Programs and Utilities

Access to programs and utilities must be segmented according to the user's profile. The general classification is:

  • System users
  • System developers
  • Production staff

The users of the system are those that can generate real transactions, or use the features of the production system. They will also be able to access the files generated by the system as a result of the transactions.

The programmers should only have access to the testing or development environment. They should not have access to actual transactions or access to system functions in production.

-Production personnel must ensure that they access only the information defined for each user. They will be able to carry out the tasks defined for the production area, but must be prevented from accessing data using any type of programming tool or through application programs.

-The program and utility libraries must be separated for both development and production.

-It is important that the programs in development are also maintained at the version level, with the date, time and the user who developed them. It is vital to keep at least the last and penultimate update, so in case of reversion you can go to any of the last two versions.

-If necessary, it is possible to allow access to libraries in the development environment for both the system user and production personnel.

-Before a system is put into production, an evaluation must be made of the level of security provided by that program or utility. It is important that a Systems Auditor and the Head of Internal Control verify to determine if the system meets the technical specifications and contains the appropriate safeguards and controls.

-Changes made to programs after they are in production must be made according to the Change Control.

  • Application Controls

Application Controls are those focused on controls by users and controls by systems. Controls by users are given over input data, fixed data, rejected or waiting items, output data. Controls by systems focus on input data, waiting items, and on processing.

User controls refer to the responsibility that the user must have in the preparation and approval of transactions (input data); in the modification of fixed data in the master files and system tables, being responsible for their integrity and accuracy (fixed data); in the control of rejected or suspended transactions, which must be corrected immediately according to their accounting date (rejected and suspended items) and finally is responsible for the errors or deviations presented and detected in the output data.

The Controls by the systems are those that provide and guarantee that the data entered is fully digitized (input data); that the rejected and pending items are correctly identified and remain pending a solution (rejected and pending items); and finally, that the system has control mechanisms for the processing to ensure that the information was processed with the correct data files and also providing, through the different stages of processing, a monitoring of the transaction that allows adequate audit evidence to be maintained (about processing).

Among the different controls by the systems we can mention those of data entry, which are given by generating controls by transactions, controls by totals, controls by sequence, controls by record size, key verification, etc. These controls are not alternatives to choose among; all of them should be applied, since each has a specific function along the entire path of the input operation.
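The following added example (not part of the original work) applies the record-size, sequence and total controls to one input batch and holds rejected items in suspense until they are corrected. The fixed-width record layout, the field names and the sample batch are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed fixed-width layout, constructed for this example:
# sequence(6) + account(10) + amount in cents(12) + type D/C(1) = 29 characters.
RECORD_SIZE = 29


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)   # parsed, valid records
    suspended: list = field(default_factory=list)  # (line_no, raw, reason), pending correction
    findings: list = field(default_factory=list)   # batch-level control failures

    @property
    def ok(self):
        return not self.suspended and not self.findings


def _digits(text):
    return text.isascii() and text.isdigit()


def parse_record(raw):
    """Record-size and field checks; raises ValueError naming the failed control."""
    if len(raw) != RECORD_SIZE:
        raise ValueError(f"record size {len(raw)} != {RECORD_SIZE}")
    seq, account, cents, kind = raw[:6], raw[6:16], raw[16:28], raw[28]
    if not (_digits(seq) and _digits(cents)):
        raise ValueError("non-numeric sequence or amount")
    if kind not in ("D", "C"):
        raise ValueError(f"unknown transaction type {kind!r}")
    return {"seq": int(seq), "account": account.strip(),
            "amount": Decimal(int(cents)).scaleb(-2), "type": kind}


def validate_batch(declared_count, declared_total, first_seq, lines):
    """Apply size, sequence, count and total controls to one input batch."""
    result = BatchResult()
    expected_seq, seen = first_seq, set()
    for line_no, raw in enumerate(lines, start=1):
        try:
            rec = parse_record(raw)
        except ValueError as exc:
            result.suspended.append((line_no, raw, str(exc)))
            continue
        if rec["seq"] in seen:
            result.suspended.append((line_no, raw, f"duplicate sequence {rec['seq']}"))
            continue
        if rec["seq"] != expected_seq:
            result.findings.append(
                f"sequence break at line {line_no}: expected {expected_seq}, got {rec['seq']}")
        seen.add(rec["seq"])
        expected_seq = rec["seq"] + 1
        result.accepted.append(rec)
    if len(lines) != declared_count:
        result.findings.append(
            f"record count: declared {declared_count}, received {len(lines)}")
    # The total only reconciles once every suspended item has been corrected.
    total = sum((r["amount"] for r in result.accepted), Decimal(0))
    if total != declared_total:
        result.findings.append(
            f"control total: declared {declared_total}, accepted {total}, "
            f"{len(result.suspended)} item(s) in suspense")
    return result


def make_record(seq, account, cents, kind):
    return f"{seq:06d}{account:<10}{cents:012d}{kind}"


def sample_batch():
    """Constructed input: one missing number, one oversize record, one duplicate."""
    return [
        make_record(1, "ACC0000001", 10000, "D"),
        make_record(2, "ACC0000002", 25050, "C"),
        make_record(4, "ACC0000003", 100000, "D"),                # number 3 never arrived
        make_record(5, "ACC0000004", 30000, "D") + "EXTRA-DATA",  # longer than the layout
        make_record(4, "ACC0000005", 9950, "C"),                  # sequence number reused
    ]


if __name__ == "__main__":
    outcome = validate_batch(5, Decimal("1750.00"), 1, sample_batch())
    for line_no, _raw, reason in outcome.suspended:
        print(f"suspended line {line_no}: {reason}")
    for finding in outcome.findings:
        print("finding:", finding)
```
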

  • With Transaction Controls, approval of the transaction is established before processing; this applies to automated approvals. For manual approvals it is preferable that approval be given at the end of the processing, when the transaction is already complete. For example, when a purchase is entered in the purchasing system and the payment for it is approved, by signing a document, before that entry is made, there is no assurance that the entry was made correctly with the amounts, supplier and other data of the original transaction. To avoid fraud, it is important in this case to approve or sign once the transaction has been completed, that is, at the end.

There are other types of controls that are aimed at maintaining the information, regarding item changes, prices, quantities, etc.

With the Total Controls, a registry is established that ensures that all the transactions entered are totaled.

The Controls by Sequence are those that automatically or manually generate a sequence for the record, either at the level of pre-numbered forms or through a sequence generated automatically for the document that is entered.

The Controls of Record Size confirm that the length of the message is registered according to the established technical parameters, so that the transmission of information not contemplated in the transaction is avoided.

In some cases, the need to transmit the information in encrypted form can also be evaluated, which will make it more difficult to decipher the information. This is widely used when the information is highly sensitive.

Application Controls must in any case ensure that users access or affect only what is authorized and defined for each of them.

  • System Programmer Activity Controls

The activities of the systems programmer must ensure that the designed program meets the requested requirements and provides the security and inviolability the case requires. The Systems Manager will be responsible for verifying, before the program is put into production, that the programmer has properly documented the program or change, that the validation and verification routines have been carried out and that the system tests have been completed.

It is important that data entry and exit verifications are carried out for all the registers and that it is impossible to manipulate any particular register. For example, banking application programmers (checking or savings accounts) could program debits or credits to accounts without these being detected with the naked eye. It is vital that a control and verification mechanism is implemented that certifies that the program in question meets the requested requirements and the safeguards the case requires.

3.1.7.1 Real Cases of unauthorized access to computer systems and fraud - The Pentagon, Citibank, Barings Bank of London, Spring Arbor University of Michigan and Proinco-Ecuador

Case 1: Access to the Pentagon System.

Due to the political and strategic implications of the crisis the US was experiencing with Iraq, the news was disclosed immediately. Deputy Defense Secretary John Hamre was quick to deny that the hacker had gained access to the Pentagon's secret systems. He pointed out that there had been intrusions, but that these went to the unclassified information network. He also tried to present the attack as "a game", in his words, with the purpose of taking the drama out of the situation.

Within days of the attack, the young man suspected of having illegally entered the Pentagon's computers was finally arrested. The pirate appears to have been an 18-year-old Israeli named Ehud Tenenbaum, whose nickname (nick) is "the analyst" and who logged in from his school's computers and network so as not to leave personal traces of his virtual tour of the American military installations.

In addition to the Pentagon, the young man would have hacked various other agencies in Israel and many others in the United States. The contrasted information collected by these two countries would have finally led to discovering the identity of the young man.

In addition to "the analyst", a group of youths who allegedly collaborated in their entry into the Pentagon system were also arrested. Once this entry was discovered, those responsible for it put a total of 47 FBI agents on the trail of the hacker.

But as a result of this case, a highly detailed documentary appeared on the Discovery Channel during the first months of 1998, indicating that the same Department of Defense had already been attacked by a hacker in 1994, but that for security reasons the problem was little publicized at the time.

Like this case, many more have been presented to the general public about computer fraud against financial entities, in which hackers access their central computers and manipulate bank account balances in their favor by means of a method that is not very complex but involves a large group of people specialized in this type of fraud. Therefore, it is advisable that, together with technological advances, companies prepare their systems, investing in cutting-edge technology that reduces risks and in many cases eliminates them completely.

Case 2: Fraud to Citibank

This case is the only one documented in the history of bank robberies through their systems. The robbery was carried out by a hacker named Vladimir Levin, a Russian national, who devised and designed the best-known robbery in history in 1994 for an amount of $ 10 million from Citibank Bank.

This case was widely publicized in both the United States and Europe. This hacker's way of operating was to access the Citibank system and move millions of dollars from various customer accounts in different Citibank offices around the world to the accounts of his accomplices located in California, Israel, Finland, Germany, the Netherlands and Switzerland. All this he did from Saint Petersburg in Russia and without leaving his keyboard. He was arrested by Interpol in 1995.

This case is extraordinary, not only because of the amount of money that was stolen or the method used, but because of the stir it caused in the Financial community and the Internet Security Industry.

With this case, questions were renewed about how computer crime prevails and why the financial and commercial sectors are averse to reporting it.

In this regard, comments arose at the time from the financial sector and from the prosecutors and investigators of the case. For its part, the banking sector indicated through its representatives that the Citibank incident was a coincidence, that according to the law the financial sector must report the losses experienced in these cases, and that suggesting that it hides information is an error. On the other hand, the prosecutors and investigators opposed these statements, indicating that the case was not a mere coincidence and that, in their experience working with the financial and commercial sector, when companies see problems they deny them and cover up all the evidence of what happened, in order to avoid losing the trust that the public places in the industry and to avoid problems with their superiors.

Since the Citibank case, the New York FBI indicates that it has been able to reach approximately 500 companies in the private sector, and although it has not had a great response, it knows that the path it is following is the correct one to protect companies.

Crimes committed through computers extend beyond the theft of cash or theft through credit cards. They also extend widely to the theft of trade secrets and corporate strategies.

Finally, Citibank expressed through Amy Dates, spokesperson for the Bank, that despite this incident they did not lose a single client, that they are glad to have taken the event very seriously and that they will work vigorously with the justice system to determine those responsible for these acts.

Case 3: Fraud at Barings Bank of London

In February 1995, London's oldest bank, Barings Bank, fell apart with losses of more than one billion dollars. The scandal shook the international banking world, as it was caused by a 28-year-old Bank employee named Nicholas (Nick) William Leeson, who was serving as a trader for the Bank and who was blamed for the great disaster. Currently, after having remained in prison in Germany, he has been extradited to Singapore, where the process continues. Leeson was the only one involved in the Barings Bank collapse, although investigators say the Bank Executives were also guilty.

The case has been analyzed by politicians, investigators and people from international banks, and everyone agrees that the error lay with the bank itself, which allowed Leeson to start and end an operation without any control or supervision of his activities. He was director of both the front-desk, that is, responsible for operations, and the back-office, that is, the daily evaluation of the commitments made and therefore of the level of risk acquired. In other words, the same person had to make the decisions and control those decisions to prevent them from taking on too much risk.

Ultimately, the fall of the British Bank was due to accumulated losses due to bad negotiations by Leeson. The study of two official investigators revealed that the collapse of Barings Bank was really due to “Incompetence” in the Administration and the lack of vigilance in three important areas where major mistakes were made and these were: Systems, Supervision and Internal Control.

In all three areas the importance of control was completely neglected. The "importance of control" is stressed because Barings Bank had internal auditors, but the reports presented by those auditors were not given importance. It was evident that its officials did not have the knowledge and skills necessary to cover every part of the business. Barings Bank had information, but out of negligence it was not used.

And all this seems true, since the London management of the Barings was informed of the operations that Leeson was carrying out, since he transferred large sums during the two months prior to the bank's fall (£ 400 million lent by about twenty Japanese banks). Perhaps Nick Leeson lied about the real reasons why he was requesting these transfers, however, it seems strange the lack of curiosity of the directors regarding the destination of large sums of money.

Actually, the Barings catastrophe could have been avoided. The Bank's Internal Audit Reports in 1994 (one year before the event) mentioned the need for changes in the Bank's operation. If this report had been given the importance it deserved, the collapse would have been foreseen and prevented, since the auditors clearly stated in their report the danger of Nick Leeson holding both responsibilities in the negotiation, as well as his ability to circumvent the bank's system. The Bank's Administrators, eager for easy money as a result of the negotiations, did not follow these recommendations and the consequences were dramatic.

Case 4: Fraud at (Christian) Spring Arbor University in Michigan.

In May 1995, another fraud scandal broke out. This time it was Spring Arbor University located in Michigan. The Defendant: John Bennett, 57, an evangelical Christian who enjoyed an unblemished reputation in altruistic circles in Philadelphia.

Bennett's way of operating was to apply the classic Ponzi Pyramid system, with which Charles Ponzi stripped several people from Boston of their money, and they lost all their savings. Ponzi convinced people to hand over their money in exchange for a 50% return after three months. With the funds of those who were encouraged to invest, Ponzi settled the accounts that were maturing, but most of the first "beneficiaries" reinvested their earnings. As expected, the gigantic pyramid eventually collapsed and thousands of people were swindled.

Bennett's system was consequently a pyramid, which was discovered by Albert Meyer, a professor of accounting at Spring Arbor University and also an accountant. Meyer saw in the University's account statements large money transfers to a bank account belonging to a foundation called Securities Inheritance. Investigating the case, Meyer was informed that Securities Inheritance was a foundation that served as an intermediary between the University and the New Era Foundation (based in Pennsylvania), of which Bennett was the Director. Bennett indicated to the seized institutions that he was distributing money from anonymous benefactors. So if a nonprofit institution such as Spring Arbor University collected a certain amount in donations, "the benefactors" promised to contribute an equal sum.

When Meyer learned this, his doubts about whether or not it was a Ponzi pyramid were cleared up. During the time in which he continued investigating the subject and conversing with several Spring Arbor officials, the University received its money with the offered return. In these circumstances, the University had no reason to be suspicious: it received its increased money on time and simply treated the arrangement as an unsecured loan that was always repaid on time.

Meyer then sharpened his investigations and even went to the highest administration of the University to express his concern, but the response he obtained was that "it was hard to grow the funds and that they did not need his interference." Despite this, Meyer requested copies of the tax returns from the Tax Collection Service. There he was able to observe that, despite the investments being received in large amounts, there was no record of them.

After Meyer's series of investigations and inquiries, the Fraud was fully discovered. Bennett was charged with financial fraud and improperly transferring more than $ 4.2 million from the foundation's accounts to that of his own businesses. Estimated losses amount to more than $ 100 million.

Case 5: Proinco Sociedad Financiera SA (Ecuador)

In June 1999, a loss of more than five million sucres to Proinco Sociedad Financiera SA was discovered, caused by a person who illicitly used MasterCard gas card # 550141007500776. Although it did not involve much money, this case is an example of how this Ecuadorian entity was swindled through the use of a card that, by mistake, had not been canceled.

This case is not the only nor will it be the last of many forms of plastic money fraud that occur worldwide and in which our country is no exception. There are specialized movements for plastic money fraud, ranging from mounting fake ATMs, cloning cards, to buying low-moving account numbers to steal money without being detected easily. These groups work regularly with personnel inserted in the same institutions that carry out the frauds.

These anomalies are usually detected only when the client submits his claim to the financial institution, however, many of these cases are not solved due to the lack of control in the processes. Normally the same person who commits the fraud is who receives the claim or who processes it, which makes it difficult to detect fraud.

3.2 Change Control

  • Reasons to establish a Change Control

It is very important to determine mechanisms to comply with a Control of changes made in any element of the production environment such as programs, equipment, utilities, etc. With this, a formality structure is given to the administration of changes so that these are technically evaluated at the company or business level and, so that the changes are incorporated in a consistent manner with the respective authorization of the Head of systems.

Likewise, change control is completed with the analysis of the impact on the end user, who must be fully aware of the changes. These risks must be evaluated and analyzed in advance.

Change control is a fundamental tool to keep a chronological record of what is happening in our computer system or its devices. It is not only a means of information that enables technical documentation to be updated, but also allows decision-making regarding the solution of failures or inconsistencies presented after the implementation of said changes.

As an example, consider a simple case in the billing area of a company that does not have change control. Due to the effects of the tax laws, a company decides to eliminate the Withholding at Source from the invoicing. This change is requested by the Administrative Manager from the Systems Manager. The change is made and the next invoice no longer shows the withholding value at the source, but it is found that the Subtotal plus the Value Added Tax does not coincide with the Total of the invoice.

The Administrative Manager communicates the matter to the Systems Manager, and the latter looks for the programmer who made the change in order to explain the problem. The programmer is not there; he is on vacation. What do you consider to be the result of this case? Many things: loss of time, lack of documentation, inability to delegate the work to another programmer due to lack of information, delays in billing, costs for non-compliance with billing, an effect on cash flow and many other problems. Yet the solution to the problem would have been really simple with the information about the Change that had been made by the programmer, whose work went into production without supervision and due approval. The problem was that when the programmer structured a new algorithm for the Total invoice field, it only took the Subtotal field, removing the withholding field and, unfortunately, the VAT field as well. These problems could have been solved by carrying out a Change Control.

  • Change Control Procedure

In the case of changes in programs or utilities, the following procedure will be followed.

-Reception of the request by the authorized user.

- Evaluation of the impact to be caused with the change.

- User approval of the risks and impact caused by the change.

- Execution of change in development environment.

- Definition of evidence of the requested change.

- Evidence of change by development personnel in a development environment.

- Systems audit to the change to be made.

- Internal Control of the change to be made.

- Debugging of the change after internal audit and control.

- Evidence of change by users, in a development environment.

-Formal approval of the User in the change control registry.

- Formal approval of the Head of Systems in the change control register.

-Determination of written Instructions and criteria, necessary for the correct transfer to the production environment and its reversal in case it is necessary to execute it.

-Determination of place, date, time, physical and human resources required for the implementation of the change in the production environment.
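The program-change procedure above can be enforced as a release gate over the change control registry. The sketch below is an added example, not part of the original work: the step identifiers, role names and sample records are hypothetical, and the rule that a repeated step invalidates later sign-offs is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical identifiers for the fourteen steps of the program-change
# procedure, kept in the order the procedure lists them.
STEPS = [
    "request_received", "impact_evaluated", "user_accepts_risk_and_impact",
    "change_executed_in_development", "evidence_defined", "evidence_by_development",
    "systems_audit", "internal_control", "debugged_after_audit_and_control",
    "evidence_by_users", "user_formal_approval", "head_of_systems_formal_approval",
    "transfer_and_reversal_instructions", "implementation_scheduled",
]

# Role that must sign a step where the procedure names one (role names assumed).
SIGNER = {
    "request_received": "user",
    "user_accepts_risk_and_impact": "user",
    "evidence_by_development": "development",
    "systems_audit": "systems_auditor",
    "internal_control": "internal_control",
    "evidence_by_users": "user",
    "user_formal_approval": "user",
    "head_of_systems_formal_approval": "head_of_systems",
}


@dataclass(frozen=True)
class Entry:
    step: str
    actor: str
    role: str
    at: datetime


def release_blockers(entries):
    """Return the reasons a change may not move to production (empty list = release)."""
    blockers, latest = [], {}
    for entry in sorted(entries, key=lambda e: e.at):
        if entry.step not in STEPS:
            blockers.append(f"unknown step: {entry.step}")
        else:
            latest[entry.step] = entry  # a repeated step (rework) supersedes the earlier one
    previous = None
    for step in STEPS:
        entry = latest.get(step)
        if entry is None:
            blockers.append(f"missing: {step}")
            continue
        if step in SIGNER and entry.role != SIGNER[step]:
            blockers.append(f"wrong signer: {step} signed by {entry.role} ({entry.actor})")
        # Rework after a sign-off makes that sign-off older than its predecessor.
        if previous is not None and entry.at < previous.at:
            blockers.append(f"out of order: {step} recorded before {previous.step}")
        previous = entry
    return blockers


def _at(hour):
    return datetime(2024, 3, 4, hour)  # constructed timestamps


def complete_record():
    """Constructed registry in which every step is signed, in order."""
    return [Entry(step, f"{SIGNER.get(step, 'systems')}-01",
                  SIGNER.get(step, "systems"), _at(8 + i))
            for i, step in enumerate(STEPS)]


def invoice_change_record():
    """Constructed registry for the invoice case: requested, coded, nothing else."""
    return [
        Entry("request_received", "administrative-manager", "user", _at(9)),
        Entry("change_executed_in_development", "programmer", "development", _at(10)),
    ]


if __name__ == "__main__":
    for reason in release_blockers(invoice_change_record()):
        print("blocked:", reason)
```
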

In the case of changes in equipment (hardware), the following procedure will be followed.

-Reception of the request by the authorized user.

-Evaluation of the impact to be caused by the change

-User approval of the risks and impact caused by the change.

-Definition of evidence of the requested change

-Determination of Instructions and criteria in writing, necessary for the correct change of hardware.

-Determination of place, date, time, physical and human resources required for the implementation of the change in the production environment.

-Execution of the change.

-Formal approval of the User in the change control registry.

-User training

-Update equipment inventory

-Update of equipment configuration inventory and plans of the computer room.

-Revision of maintenance contracts and guarantees for the equipment, so as to ensure the necessary support for the configuration carried out.

  • Model of Format for Control of Changes

Production and Operations

Criteria to be applied in Production and Operations controls

The criteria are given in the operation of solid, consistent, reliable and safe standards that allow the service to be delivered with the highest quality.

These criteria will be applied to the organizational, scheduling, production monitoring, storage media, documentation and problem management aspects.

  • Production function procedures and

In the case of the Organization of the production and operations area, the following will be considered:

- The operating personnel must not play any role in the creation or modification of programs or applications or systems.

- They should not have responsibilities for updating the operating system.

- They should not have access as users to specific applications.

-They must have a specific job description and duties and be adequately trained to fulfill their responsibilities.

-They must have adequate supervision to ensure the proper fulfillment of their duties.

In the case of planning and monitoring of production, the following will be considered:

-Only authorized tasks will be processed with production data, thus minimizing the risk of omission and with predictable order and planning.

-It is preferable that the activities of load planning, execution and monitoring of processes are as automated as possible.

-In cases where operator intervention is unavoidable, precise instructions must be provided for the activities to be carried out, which must be recorded and subsequently analyzed.

-In case of emergent results, there must be contingency procedures to respond to said results.

-Process planning must consider its priority among the different applications.

- Controls must be implemented to prevent or detect the execution of tasks not authorized by production planning.

-For cases where users require tasks not established or included in production planning, an exception procedure must be established, properly controlled and with the corresponding authorizations.

-The production environment and operating procedures should ensure that the correct version of programs and respective files are used.

In the case of Protection of storage media, the following will be considered:

-Operations is responsible for ensuring that the data stored on magnetic media is adequately protected, controlled and auditable.

-To control the physical security of media such as tapes, cartridges and floppy disks, these must be stored in a protected area, with a record of the location of all the magnetic media used in the systems area.

-They must record all the inputs and outputs of magnetic media of the installation.

-The stored magnetic media must be properly labeled with their content, dates and chronological order.

In the case of documentation, the following will be considered:

-A daily planning or primer, step by step of the normal activities of the operator.

-A daily planning or primer of the processes with start and end of each operation.

-Contingency procedures for processes

-Contingency procedures for hardware, software and telecommunications failures.

-Instructions in the handling of magnetic media and records of those who enter or are removed from the room.

-The record of problems of the operations area

-The registry of accesses to the computer room.

-The person in charge of the systems area must ensure that all documentation required for operations is complete, correct and up-to-date.

In the case of problem management, the following will be considered:

-All operational failures and abnormal incidents should be recorded in a Problem Report, with details of time, type of problem, symptoms and initial actions taken. Each report should be uniquely identified and responsibility for its investigation and resolution should be assigned as quickly as possible.

-Maintain a record of the problems which must be periodically reviewed by the Systems Manager.

-All calls that require the support of providers or systems personnel, must be recorded with information on the response time of such calls and the actions taken, for subsequent analysis.

-There must be a regular review procedure that includes a trend analysis of the problems and ensures that all are solved.

-The evidence registered in the problem management system should be considered, in order to make decisions regarding the opportunity for routine maintenance and equipment replacement.

-All solutions identified as changes to be incorporated into the production environment must be registered, followed and managed by the change control procedures. Additionally, the origin of the solution must be registered, identifying what the problem or failure was.

-Inform all users affected by the impact of the identified problems and the progress made in solving the problem.

CHAPTER 4: BACKUP AND RECOVERY OF PROGRAMS

  • Program Backup and Recovery Procedure

-Backups must be made with a periodicity that depends on their content. It is important that daily, weekly, bi-weekly, and monthly backups of highly sensitive information are maintained. To analyze the periodicity of the backup, the volume of information lost in the event of a contingency and the date of the last backup must be taken into account. For example, if the backup is made daily and a contingency arises on a Wednesday, information that was not backed up, equivalent to a single day, will be lost, given the existence of Tuesday's daily backup.

-Operating systems and programs in general must be kept in their original version and the one used in production.

-In case of changes, the original version, the version before the change and the version resulting from the change must always be backed up, resembling a generational scheme of grandfather, father and son.

  • Magnetic Media Storage Procedure

-High-sensitivity programs and data backups should always be kept in external, fireproof vaults. Preferred sites will be chosen, one in the city where the company operates but distanced from it, and another outside the city. A copy of the key files can be kept within the company premises with the necessary security, to allow their use in recovery processes.

-Additionally, controls associated with the transportation of said backups must be considered. These controls may consist of the use of locked bags, records of backup movements to and from security vaults or safes, and the use of security vehicles where appropriate.

-Magnetic media must be appropriately labeled so that they can be easily identified and the required files recovered.

-Normally the backups that are required and that would be considered as highly sensitive information are:

* Programs prepared by the company itself

* Programs purchased under license and subject to permanent updates and / or customizations.

* Data Files: Accounting, financial, administrative, purchasing, and production information and others that the company deems sensitive.

-The backup procedures must be continuously tested in such a way that their effectiveness is verified through their restoration and verification.

-Also, the backup sites, their ease of access and the access control procedures for the stored magnetic media must be periodically evaluated.

-At least annually, tapes, cartridges and floppy disks kept for long periods of time in the security vaults must be checked. They must be tested to verify their operation.

-Additionally, all the necessary requirements must be established to implement the basic controls in the recovery of programs or data. These will be the responsibility of the analyst who developed the program, or the user in the case of Data recovery. It is important that the Data Security Administrator advise on these requirements.

-Along with the magnetic storage of programs, the storage of the corresponding documentation should be considered: operating procedures for executing backups, procedures for recovery from minor failures using installation backups, procedures for recovery from major failures using external backups, and backup procedures after recovery from minor and major failures (return to normal).
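The requirement above that backups be tested through their restoration and verification can be automated. This added example (not part of the original work) restores an archive into a scratch directory and compares every file against a SHA-256 manifest recorded when the backup was taken. The tar archive format, the file names and the sample data are assumptions constructed for the illustration.

```python
import hashlib
import os
import tarfile
import tempfile
import zlib


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path):
    """Write the archive and return the manifest, to be stored apart from the medium."""
    manifest = tree_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and list every deviation from the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:*") as tar:
                # Use the safe extraction filter where this Python version has it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"unreadable backup: {exc}"]
        restored = tree_manifest(scratch)
    problems = []
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in sorted(set(restored) - set(manifest)):
        problems.append(f"unexpected: {rel}")
    return problems


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed data: back up a small tree, then verify a good and a defective copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "production")
        _write(os.path.join(src, "ledger.dat"), b"2024-03-04;invoice 1001;1750.00\n")
        _write(os.path.join(src, "tables", "vat_rates.cfg"), b"standard=12\n")
        good = os.path.join(work, "daily.tar.gz")
        manifest = make_backup(src, good)
        clean = verify_restore(good, manifest)
        # Defective copy: one file differs and one was never written to the medium.
        _write(os.path.join(src, "ledger.dat"), b"2024-03-04;invoice 1001;0.00\n")
        os.remove(os.path.join(src, "tables", "vat_rates.cfg"))
        bad = os.path.join(work, "daily-copy.tar.gz")
        make_backup(src, bad)
        damaged = verify_restore(bad, manifest)
    return clean, damaged


if __name__ == "__main__":
    ok, damaged = demo()
    print("good copy:", ok or "verified")
    print("defective copy:", damaged)
```
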

  • Backup Control, Recovery and Storage Format Models.
EXAMPLE OF BACKUP STORAGE AND CONTROL FORM
Obtaining the Backup (Place and date)
Hour
Backup Identification
Detail-content
Responsible for obtaining backup
Signature
Backup Medium and Quantity
Signature of Head of Area responsible for obtaining backup
ACKNOWLEDGMENT OF RECEIPT OF THE RESPONSIBLE FOR BACKUP SECURITY
Site1 Backup Delivery (Date)
Head of Reception
Reception time
Signature
Site2 Backup Delivery (Date)
Head of Reception
Reception time
Signature
Site3 Backup Delivery (Date)
Head of Reception
Reception time
Signature
ACKNOWLEDGMENT OF RECEIPT OF THE RESPONSIBLE FOR BACKUP SECURITY
Site1 Backup Delivery (Date)
Head of Reception
Reception time
Signature
Site2 Backup Delivery (Date)
Responsible for Reception
Reception time
Signature
Site3 Backup Delivery (Date)
Head of Reception
Reception time
Signature
Site1 = On-site; Site2 = Local external site; Site3 = External site in another city
EXAMPLE OF BACKUP RECOVERY FORM
Requested for: Update / Restoration
Place and date:
Backup Obtained from: Place: Date: Hour:
Backup Identification
Detail-content
Backup Medium
Backup location: Site1, Site2, Site3
Requested by: Signature:
Requested from: Signature:
Custodian who delivers (Name): Signature:

CHAPTER 5

CONTROLS APPLIED IN THE PERSONNEL ADMINISTRATION.

Personnel management is an area where various disciplines converge; it includes concepts of organizational and industrial psychology, industrial engineering, labor law, safety engineering, occupational medicine, systems engineering, etc. The topics are diverse, as are the disciplines mentioned above. Therefore, Personnel Administration refers to both internal aspects of the organization and external or environmental aspects.

We can then define that the Personnel Administration consists of independent subsystems as indicated in the table below:

Personnel Management Subsystems and Covered Chapters

Human Resources:
· Human Resources Planning
· Recruitment of personnel
· Staff selection

HR application:
· Description and analysis of positions
· Human performance evaluation

HR maintenance:
· Compensation
· Social benefits
· Hygiene and safety
· Labor Relations

HR development:
· Training and staff development
· Organizational development

HR control:
· Database and information systems
· Human Resources Audit

These subsystems are closely interrelated and interdependent, but despite this, there is no unique way to establish them, since this is in accordance with the company and depending on various factors such as organizational, human and technological factors.

For this purpose, policies or rules are created to direct the functions and ensure that these are carried out in accordance with the desired objectives.

Some of these rules are created to establish “Administrative Controls” intended to prevent employees from performing functions that do not belong to them or jeopardize the success of specific functions.

Controls applied to Personnel Administration focus on all subsystems and mainly on the topics that will be discussed in the course of this chapter.

  • Objective of the Administrative Controls

This chapter deals with the controls that must be established in the sensitive points of the administrative area and on which the subject will focus, such as personnel, hiring, vacations, among others.

  • Contracting and termination of Contracts

The process of Recruitment and Hiring of personnel as well as external services must be perfectly evaluated. The contracts must contain integrated in their clauses, the data security policies and standards that the company carries out.

External service personnel must be evaluated according to the same security criteria applied for permanent company personnel.

When an internal or external employee ceases to provide services, the authorizations that he or she has for both logical and physical access to the facilities, systems or data must be suspended. The chief executive of the area to which the employee belonged is responsible for reporting, in accordance with the policies established by the company, the permanent absence of the employee.

The Administrative Department, for its part, must revoke all the access permissions that the employee has had, as well as retrieve the magnetic access cards and credentials of the company and disable them. The return of all confidential documentation that has been handled by the employee must be verified.

  • Administrative Policies: Vacations

Personnel, and mainly those from the company's systems area, must take their vacations in accordance with internal regulations. It is suggested that no staff member go for a period of 2 years without taking their vacations. Some computer frauds tend to be discovered when those who commit them take vacations, a time in which they do not have access to the system or are replaced. It should be pointed out to the Business Administrator that this is a basic security point that must be carefully taken into account within administrative controls.

5.3.2 Training

Systems personnel must adhere to the training plan that the company has, following the data security standards and procedures and the specific security aspects of their workplace.

5.3.2 Use of Computational Resources

The use of computational resources for personal affairs should be prohibited.

The software that each user operates must be assigned according to its use and must have the respective licenses.

Employees should be familiar with the storage of sensitive or confidential data.

It should be noted that each user is responsible for the assigned equipment, software used, data contained in it and utilities that it operates.

The company must establish clear policies and regulations regarding the use of illegal (unlicensed) software and of software that does not correspond to company standards. Likewise, the company must clearly establish the use and ownership of programs written or developed by internal personnel, which is normally regulated within the employment contracts.

  • CONCLUSIONS

- All company processes must contain control and security activities. Any company process with or without the application of Reengineering cannot remain without the controls and assurances both in its data and in its components.

- The absence of controls is ALWAYS present in a Re-engineered process and ALMOST ALWAYS in processes to which no tools for improving efficiency and productivity have been applied. Reengineering is an excellent methodological tool, viable and with great results and dramatic improvements, but it is no less true that it leaves processes fragile and weak, since, in its desire to eliminate activities that do not add value, it creates a process that lacks satisfactory and therefore indispensable controls. Likewise, processes that have not undergone Reengineering may lack controls if these have not been considered strategically.

- The modeling of human behavior is not ENOUGH to ensure satisfactory levels of controls and security. There are many promoters of new techniques and methodologies aimed at modeling human behavior and opposed to the usual controls and securities. Human modeling is not “sufficient” to ensure that mistakes or fraud will not occur in the processes. Human modeling applies to marketing, strategic and human relations issues, where it is very useful, but it does not apply in operational and security terms.

- Finally, the benefits of having a security system can never be fully measured, because most companies will not really know "WHEN" someone will try to break their securities. However, it is easy to determine objectively that the benefits will be great, as a result of the costs avoided. It is in these circumstances that security systems are “Invaluable”. The only advantages and disadvantages that you could find in security systems lie in the security alternative that you choose and implement, which will provide more or less security to your processes. The other alternative is simply not having any security system, which would be absolutely negligent.

  • RECOMMENDATIONS

The business administrator must remember that manual or automatic processes must be adequately and sufficiently controlled, without falling into negligence or excess. This work has provided a tool that allows you at least to draw up a list of the weak points in your company and to know that you must control them. Do you think that everything in your company is going well and you do not need absolutely anything suggested in this work? If your answer is yes, I recommend that you read the paper again if you have already read it; then meet with the Systems executive who is most involved in the implementation of controls and data security, and ask them to tell you in detail what each area of the systems department does. I assure you that you will be surprised to know that you can apply each item on your list and that you will be able to enter that fabulous world that was previously unknown and unintelligible to you.

The business administrator must study all the alternatives and, if they choose Reengineering, must know that the redesigned new process should be balanced with the implementation of sufficient and satisfactory controls and assurances. Perhaps it will not be possible to do this with the same Reengineering personnel, since the concepts of Reengineering and controls do not get along very well. I therefore recommend that the administrator consult with their head of Systems and their head of Reengineering to reach an agreement on both the productivity and efficiency of the process and its security.

The Business Administrator should be more involved in all the processes of their company. Only then will you have a total idea of how each link in your company's process chain is linked. No matter how much you invest in system security to protect your networks, components or data, never think it will be “Enough”, since technological advances always demand more to keep intruders out. With this, you will not see the acquisition of security as an expense, but as an investment.

AUTHOR'S DATA

Name Sonnia Rosado García
Age 28 years
College degree Commercial Engineer (Business Administrator)
Country City ECUADOR / Guayaquil

Experience in Reengineering, Total Quality, Contingency Plans and Physical Security processes.
