Abstract
M.Comm.
Businesses have traditionally relied on private leased lines to link remote offices
together so that distant workers could share information over a Wide Area Network
(WAN). However, while providing a high degree of privacy, leased lines are
expensive to set up and maintain. The Internet is fast becoming a requirement for
supporting business operations in the global economy. The major concern in
using a public network, like the Internet, for data exchange is the lack of security.
The Internet was designed to be an "open" network, accessible to anyone, with little
or no security consideration.
Virtual Private Networks (VPN) using Point-to-Point Tunneling Protocol (PPTP)
have emerged as a relatively inexpensive way to solve this problem. The primary
objective of this dissertation is to evaluate validity and accuracy issues in
electronic commerce using VPN as a secure medium for data communication and
transport over the Internet.
The inherent control features of PPTP were mapped to data communication
control objectives and the control models show how these address validity,
completeness and accuracy. After analysing and evaluating the inherent control
features of PPTP, the overall result is that:
PPTP enables a valid communication link to be established with restricted
access (validity);
the PPTP communication link remains private for the full time of the connection
(validity);
data can be sent accurately and completely over the PPTP connection and
remains accurate during transmission (accuracy); and
all data sent is completely received by the receiver (accuracy).
By deploying a Point-to-Point Tunneling Protocol for virtual private networking,
management can mitigate the risk of transmitting private company and business
data over the Internet.
The PPTP analysis and evaluation models developed are intended to give the auditor a
control framework to apply in practice. If the auditor needs to perform a data
communication review and finds that a virtual private network has been
established using PPTP, the control models can assist in providing knowledge and
audit evidence regarding validity and accuracy issues.
The auditor should, however, not review PPTP in isolation. Validity and accuracy
control features inherent to TCP/IP and PPP should also be considered, as well as
controls on higher levels, e.g. built-in application controls.