Evaluate the system of PNB and identify at least one
The Philippine National Bank (PNB) has 716 branches and maintains a mainframe computer system at its corporate headquarters. PNB has recently undergone an examination by the state banking examiners, and the examiners have some concerns about its computer operations. During the last few years, each branch has purchased several microcomputers to communicate with the mainframe in the emulation mode. Emulation occurs when a microcomputer attaches to a mainframe computer and, with the use of the appropriate software, can act as if it is one of the mainframe terminals. The branch also uses these microcomputers to download information from the mainframe and, in the local mode, manipulate customer data to make banking decisions at the branch level. Each microcomputer is initially supplied with a word processing application package to formulate correspondence to the customers, a spreadsheet package to perform credit and financial loan analyses beyond the basic credit analysis package on the mainframe, and a database management package to formulate customer market and sensitivity information. PNB’s centralized data processing department is responsible only for mainframe operations; microcomputer security is the responsibility of each branch.
Because the bank examiners believe PNB is at risk, they have advised the bank to review the recommendations suggested in a letter issued by banking regulatory agencies. This letter emphasizes the risks associated with end-user operations and encourages banking management to establish sound control policies. More specifically, microcomputer end-user operations have outpaced the implementation of adequate controls and have taken processing control out of the centralized environment, introducing vulnerability in new areas of the bank. The letter also emphasizes that the responsibility for corporate policies identifying management control practices for all areas of information processing activities resides with the board of directors. The existence and adequacy of and compliance with these policies and practices will be part of the regular banking examiners’ review.
The three (3) required control groups for adequate information system security as they relate to PNB are (1) processing controls, (2) physical and environmental controls, and (3) spreadsheet program development controls.
Required: Evaluate the system of PNB and identify at least one (1) control type for each group where PNB might be at risk. Then, recommend a specific control procedure PNB should implement for each of the identified control types.