6. Conduct Operations Reviews. Sound management of a computer complex requires that actual
performance schedules be compared to scheduled performance. Any variations should be noted,
investigated, and explained. Production schedules and run control logs are essential input to this
7. Other Security Control Measures.
a. Input/Output Controls. Quality controls and checks on all input/output should be maintained.
This should be done by a separate data control group. This is required not just for control; it is
also essential for detecting and correcting errors.
b. Program Change Control. Changes to procedure programs should occur only upon
authorization. This should be verified by internal audit groups.
c. Master File Control. Master file changes should be made only by authorization, and they should
be subject to an internal system of checks and balances.
d. Password Controls.
(1) A password is a protected word or string of characters. It identifies or authenticates a user,
specific resource, or access type.
(2) All persons having access to the passwords used on such systems must be carefully taught
about password sensitivity. They should know the meticulous care with which such critical data must
be protected. They should be very aware of the individual's personal duty and obligation to help in
safeguarding such passwords.
(3) Knowledge of the password must be tightly limited to a minimum number of persons. These
must have a need to know. Limiting the number of people who know the password will ensure effective
(4) Whenever possible, initial issue of systems passwords will be made by direct personal
contact. This will take place between the user and the automated data processing system security
(5) Single passwords will be issued only once, and they will be retired when the time limit on their
use has expired. Passwords may also be retired when the user has been transferred or reassigned.
e. Auditing Support. Skilled and experienced audit personnel on the post may increase computer
security. They can do so by taking part in the development and maintenance of standards and