Personal Trainer is very concerned about the security and protection of the information they collect in the new information system. Prepare a memo to Gray and Personal Trainer’s staff that explains the input and output security controls that will be built into the new systems and the policies that will enforce these controls.
What will be an ideal response?
Answers will vary, but the memo to Gray should explain that a company must do everything in its power to protect its data. This includes not only the firm’s own information, but that of its customers, employees, and suppliers. Output must be accurate, complete, current, and secure. Some specific suggestions follow:
• Companies use various output control methods to maintain output integrity and security. For example, every report should include an appropriate title, report number or code, printing date, and time period covered. Reports should have pages that are numbered consecutively, identified as “Page nn of nn,” and the end of the report should be labeled clearly. Control totals and record counts should be reconciled against input totals and counts. Reports should be selected at random for a thorough check of correctness and completeness. All processing errors or interruptions must be logged so they can be analyzed.
• Output security protects privacy rights and shields the organization’s proprietary data from theft or unauthorized access. To ensure output security, you must perform several important tasks. First, limit the number of printed copies and use a tracking procedure to account for each copy. When printed output is distributed from a central location, you should use specific procedures to ensure that the output is delivered to authorized recipients only. That is especially true when reports contain sensitive information, such as payroll data. All sensitive reports should be stored in secure areas. All pages of confidential reports should be labeled appropriately.
• Blank check forms must be stored in a secure location and be inventoried regularly to verify that no forms are missing. If signature stamps are used, they must be stored in a secure location away from the forms storage location.
• In most organizations, the IT department is responsible for output control and security measures.
• Systems analysts must be concerned with security issues as they design, implement, and support information systems. Whenever possible, security should be designed into the system by using passwords, shielding sensitive data, and controlling user access. Physical security always will be necessary, especially in the case of printed output that is tangible and can be viewed and handled easily.
• Input control includes the necessary measures to ensure that input data is correct, complete, and secure. You must focus on input control during every phase of input design, starting with source documents that promote data accuracy and quality. When a batch input method is used, the computer can produce an input log file that identifies and documents the data entered.
• Every piece of information should be traceable back to the input data that produced it. That means that you must provide an audit trail that records the source of each data item and when it entered the system. In addition to recording the original source, an audit trail must show how and when data is accessed or changed, and by whom. All those actions must be logged in an audit trail file and monitored carefully.
• A company must have procedures for handling source documents to ensure that data is not lost before it enters the system. All source documents that originate from outside the organization should be logged when they are received. Whenever source documents pass between departments, the transfer should be recorded.
• Data security policies and procedures protect data from loss or damage, which is a vital goal in every organization. If the safeguards are not 100% effective, data recovery utilities should be able to restore lost or damaged data. Once data is entered, the company should store source documents in a safe location for some specified length of time. The company should have a records retention policy that meets all legal requirements and business needs.
• Audit trail files and reports should be stored and saved. Then, if a data file is damaged, you can use the information to reconstruct the lost data. Data security also involves protecting data from unauthorized access. System sign-on procedures should prevent unauthorized individuals from entering the system, and users should change their passwords regularly. Having several levels of access also is advisable. For example, a data entry person might be allowed to view a credit limit, but not change it. Sensitive data can be encrypted, or coded, in a process called encryption, so only users with decoding software can read it.
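The audit trail and access levels described above can be sketched in code. This is an added example, not part of the original answer: it logs every view and change (including denied attempts) with user, time, and source document, lets a data entry role view a credit limit but not change it, and rebuilds the data file from the trail. The role names, field names, and sample records are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Hypothetical access levels: the fields each role may view or change.
PERMISSIONS = {
    "data_entry": {"view": {"name", "credit_limit"}, "change": {"name"}},
    "credit_manager": {"view": {"name", "credit_limit"},
                       "change": {"name", "credit_limit"}},
}
# One audit record: who did what, when, to which item, from which source.
AuditEntry = namedtuple(
    "AuditEntry", "when user role action record_id field old new source allowed")

class CustomerStore:
    def __init__(self):
        self.records = {}   # the live data file
        self.audit = []     # append-only audit trail

    def _access(self, user, role, action, rid, field, new=None, source=""):
        allowed = field in PERMISSIONS.get(role, {}).get(action, set())
        old = self.records.get(rid, {}).get(field)
        # Log before enforcing, so denied attempts are also on the trail.
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, role, action, rid, field,
                                     old, new, source, allowed))
        if not allowed:
            raise PermissionError(f"{role} may not {action} {field}")
        return old

    def view(self, user, role, rid, field):
        return self._access(user, role, "view", rid, field)

    def change(self, user, role, rid, field, new, source):
        self._access(user, role, "change", rid, field, new, source)
        self.records.setdefault(rid, {})[field] = new

def rebuild(audit):
    """Reconstruct a damaged data file by replaying the permitted changes."""
    records = {}
    for e in audit:
        if e.action == "change" and e.allowed:
            records.setdefault(e.record_id, {})[e.field] = e.new
    return records

def demo():
    store = CustomerStore()  # constructed sample data below
    store.change("mlee", "credit_manager", "C100", "name", "A. Ortiz", "form-0001")
    store.change("mlee", "credit_manager", "C100", "credit_limit", 500, "form-0001")
    seen = store.view("jdoe", "data_entry", "C100", "credit_limit")
    try:
        store.change("jdoe", "data_entry", "C100", "credit_limit", 9000, "form-0002")
        denied = False
    except PermissionError:
        denied = True
    return store, seen, denied
```

Calling `rebuild(store.audit)` after `demo()` returns the same records as the live store, and the last audit entry shows the rejected change attempt with `allowed=False`.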