Establishing a framework for security and control
Summary
General controls govern the design, security and use of computer programs and the security of data files throughout the organization's IT infrastructure. They apply to all computerized applications and include software controls, hardware controls, computer operations controls, implementation controls, data security controls and administrative controls. Application controls are specific to each computerized application, such as payroll or order processing, and include both automated and manual procedures; they comprise input controls, processing controls and output controls. Risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Not every risk can be measured, but an organization must still identify the risks it faces. Disaster recovery planning is a plan for restoring computing and communications services after they have been damaged or disrupted. Business continuity planning focuses on restoring business operations after a disaster.
Things to Remember
- Software controls: monitor the use of system software and prevent unauthorized access to software programs, system software and computer programs.
- Hardware controls: ensure that computer hardware is physically secure and check for equipment malfunction.
- Computer operations controls: oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data.
- Data security controls: ensure that valuable business data files on disk or tape are not subject to unauthorized access, change or destruction, whether in use or in storage.
- Implementation controls: audit the systems development process at various points to ensure that it is properly controlled and managed.
- Administrative controls: formalize standards, rules, procedures and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
- Input controls: check data for accuracy and completeness when they enter the system.
- Processing controls: establish that data are complete and accurate during updating. The major processing controls are run control totals, computer matching and programmed edit checks.
- Output controls: ensure that the results of computer processing are accurate, complete and properly distributed.
Establishing a framework for security and control
Information system controls: IS controls are both manual and automated, and consist of general controls and application controls.
1. General controls: govern the design, security and use of computer programs and the security of data files throughout the organization's IT infrastructure. They apply to all computerized applications and consist of a combination of hardware, software and manual procedures that together create an overall control environment. General controls are the overall controls that ensure the effective operation of programmed procedures. The types of general control are:
- Software controls: monitor the use of system software and prevent unauthorized access to software programs, system software and computer programs. They govern the use of system software, including the operating system, which regulates and manages computer resources to facilitate the execution of application programs.
- Hardware controls: ensure that computer hardware is physically secure and check for equipment malfunction. Equipment must be physically protected so that only authorized users can reach it: access to the rooms where computers operate should be restricted to computer operations personnel, and terminals and PCs in other areas can be kept in locked rooms. Equipment should also be protected against fire and against extremes of temperature and humidity. Organizations that are critically dependent on their computers must make provisions for emergency backup in case of power failure.
- Computer operations controls: oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. They include controls over the setup of computer processing jobs and computer operations, and backup and recovery procedures for processing that ends abnormally.
- Data security controls: ensure that valuable business data files on disk or tape are not subject to unauthorized access, change or destruction. Such controls are required both while the data files are in use and while they are held in storage. Data files are easier to control in batch systems, because access is limited to the operators who run the batch jobs; online systems, where many users reach the data directly, need controls at more points.
- Implementation controls: audit the systems development process at various points to ensure that it is properly controlled and managed.
- Administrative controls: formalize standards, rules, procedures and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
2. Application controls: specific controls unique to each computerized application, such as payroll or order processing. They include both automated and manual procedures and ensure that only authorized data are completely and accurately processed by that application. They include:
- Input controls: check data for accuracy and completeness when they enter the system. Specific input controls include input authorization, data conversion, data editing and error handling.
- Processing controls: establish that data are complete and accurate during updating. The major processing controls are run control totals (reconciling record counts and totals before and after each processing run), computer matching (comparing input data against master or suspense files) and programmed edit checks (validating each field against the rules that apply to it).
- Output controls: ensure that the results of computer processing are accurate, complete and properly distributed. Typical output controls include balancing output totals against input and processing totals, and reviewing the computer processing logs to determine that all the correct computer jobs were executed for processing.
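The input, processing and output controls just listed, carried through one payroll batch, as an added example written for these notes (Go; not code from Laudon's text or from any real payroll system). The batch header with its three control totals, the five transaction lines, the employee master file and the 0..80 hours limit are constructed assumptions: input control converts each line and checks the run control totals against the header, processing control applies programmed edit checks and computer matching against the master file, and output control refuses to release results that do not balance.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed sample batch (not from any real payroll system). The header carries the control
// totals the clerk computed from the source documents: record count, hash total of IDs, total hours.
const batchHeader = "HDR,5,5015,123.5"

var batchLines = []string{
	"1001,40.0,25.00",
	"1002,38.5,30.00",
	"1003,40.0,22.50",
	"1004,-5.0,28.00", // negative hours: caught by a programmed edit check
	"1005,10.0,20.00", // not on the master file: caught by computer matching
}

// masterFile stands in for the employee master record (hypothetical IDs and names).
var masterFile = map[int]string{1001: "A. Rai", 1002: "B. Shrestha", 1003: "C. Gurung"}

type PayRecord struct{ EmpID int; Hours, Rate, Gross float64 }

type BatchResult struct{ Paid []PayRecord; Rejected []string; GrossTotal float64 } // Rejected: "id: reason"

// VerifyInput performs the input controls: conversion of each line to typed fields, then the
// run-control-total check against the header. Either failure rejects the whole batch.
func VerifyInput(header string, lines []string) ([]PayRecord, error) {
	var wantCount, wantHash int
	var wantHours float64
	if _, err := fmt.Sscanf(header, "HDR,%d,%d,%f", &wantCount, &wantHash, &wantHours); err != nil {
		return nil, fmt.Errorf("malformed batch header %q", header)
	}
	recs, gotHash, gotHours := make([]PayRecord, 0, len(lines)), 0, 0.0
	for _, line := range lines {
		var r PayRecord
		if _, err := fmt.Sscanf(line, "%d,%f,%f", &r.EmpID, &r.Hours, &r.Rate); err != nil {
			return nil, fmt.Errorf("bad record %q: %v", line, err)
		}
		recs, gotHash, gotHours = append(recs, r), gotHash+r.EmpID, gotHours+r.Hours
	}
	if len(recs) != wantCount || gotHash != wantHash || math.Abs(gotHours-wantHours) > 0.005 {
		return nil, fmt.Errorf("control totals differ: got (%d, %d, %.1f), header (%d, %d, %.1f)",
			len(recs), gotHash, gotHours, wantCount, wantHash, wantHours)
	}
	return recs, nil
}

// ProcessBatch applies the processing controls: programmed edit checks on each field and
// computer matching against the master file. Gross pay is computed only for records that pass.
func ProcessBatch(recs []PayRecord) BatchResult {
	var res BatchResult
	for _, r := range recs {
		reason := ""
		switch {
		case r.Hours < 0 || r.Hours > 80:
			reason = fmt.Sprintf("hours %.1f outside 0..80", r.Hours)
		case r.Rate <= 0:
			reason = "rate must be positive"
		case masterFile[r.EmpID] == "":
			reason = "not on master file"
		}
		if reason != "" {
			res.Rejected = append(res.Rejected, fmt.Sprintf("%d: %s", r.EmpID, reason))
			continue
		}
		r.Gross = math.Round(r.Hours*r.Rate*100) / 100
		res.Paid = append(res.Paid, r)
		res.GrossTotal += r.Gross
	}
	return res
}

// ReconcileOutput is the output control: every input record is accounted for as paid or
// rejected, and the reported total equals an independent re-sum, before anything is printed.
func ReconcileOutput(res BatchResult, inputCount int) error {
	sum := 0.0
	for _, r := range res.Paid {
		sum += r.Gross
	}
	if len(res.Paid)+len(res.Rejected) != inputCount || math.Abs(sum-res.GrossTotal) > 0.005 {
		return fmt.Errorf("output does not balance: %d paid + %d rejected vs %d input, total %.2f vs %.2f",
			len(res.Paid), len(res.Rejected), inputCount, res.GrossTotal, sum)
	}
	return nil
}

func main() {
	recs, err := VerifyInput(batchHeader, batchLines)
	if err != nil {
		fmt.Println("batch rejected at input:", err)
		return
	}
	res := ProcessBatch(recs)
	fmt.Printf("paid %d, rejected %v, gross %.2f, output balanced: %v\n",
		len(res.Paid), res.Rejected, res.GrossTotal, ReconcileOutput(res, len(recs)) == nil)
}
```

The hash total is deliberately computed over every record the batch contains, including the ones processing later rejects: its job is to prove that the batch reached processing unchanged, not that the records are valid. Rejected records are listed with a reason rather than silently dropped, so they can be corrected and resubmitted.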
Risk assessment: determines the level of risk to the firm if a specific activity or process is not properly controlled. Not every risk can be measured, but the organization must identify the risks it faces. Managers should measure the impact of each risk and develop policies and control mechanisms that minimize the risk and the resulting loss. For each threat a manager should know its probability of occurring during the year, the range of potential loss, and the expected annual loss (the average loss multiplied by the probability of occurrence), which is what makes threats comparable and lets controls be prioritized.
Security policy:
- Ranks information risks, identifies acceptable security goals and identifies the mechanisms for achieving these goals.
- Addresses questions such as:
- What are the firm's most important information assets?
- Who generates and controls this information in the firm?
- What existing policies protect the information?
The security policy drives other policies:
- Acceptable use policy (AUP): defines acceptable uses of the firm's information resources and computing equipment.
- Authorization policies: determine the different levels of access to information assets granted to different levels of users.
Identity management
Identity management consists of the business processes and software tools for identifying the valid users of a system and controlling their access to system resources. It:
- Identifies and authorizes different categories of users.
- Specifies which portion of the system each user can access.
- Authenticates users and protects their identities.
An identity management system captures the access rules for the different levels of users, that is, which parts of the system and which data each category of user may read or change.
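An added example, written for these notes and not taken from Laudon or any identity management product, of the access rules such a system captures for different levels of users (the authorization policy above): each security profile lists the data fields it may read or update, some rules are limited to the user's own division, and anything not explicitly granted is denied. The profiles, user names, divisions and field names are hypothetical.

```go
package main

import "fmt"

// Perm is the set of operations an access rule grants on one data field.
type Perm uint8

const (
	Read Perm = 1 << iota
	Update
)

// Rule: the profile may perform Allowed on Field. OwnDivision restricts the rule to
// employee records in the user's own division (a "Division 1 only" kind of restriction).
type Rule struct {
	Field       string
	Allowed     Perm
	OwnDivision bool
}

// Security profiles are hypothetical, constructed for this example; each grants only what
// that category of user needs to do its job.
var profiles = map[string][]Rule{
	"personnel-clerk": {
		{"name", Read | Update, true},
		{"address", Read | Update, true},
		{"salary", Read, true}, // may look pay up, may not change it
	},
	"divisional-manager": {
		{"name", Read, false},
		{"salary", Read | Update, false},
	},
	"payroll-batch": { // a system account: read-only, and only the fields the job needs
		{"salary", Read, false},
		{"bank-account", Read, false},
	},
}

// User is an authenticated identity mapped to one profile and a home division.
type User struct{ Profile, Division string }

var users = map[string]User{
	"alice":  {"personnel-clerk", "div1"},
	"bob":    {"divisional-manager", "div2"},
	"payrun": {"payroll-batch", ""},
}

// Authorize decides whether user may perform op on field of an employee record in division,
// and returns the reason for the audit log. Access is denied by default: an unknown user,
// an empty request, a field with no rule, a rule lacking the operation, or a division-scoped
// rule used outside the user's own division all yield false.
func Authorize(user, field, division string, op Perm) (bool, string) {
	u, ok := users[user]
	if !ok || op == 0 {
		return false, "unknown user or empty request"
	}
	for _, r := range profiles[u.Profile] {
		if r.Field != field {
			continue
		}
		if r.OwnDivision && division != u.Division {
			return false, "field restricted to own division"
		}
		if r.Allowed&op != op {
			return false, "operation not granted on field"
		}
		return true, "allowed"
	}
	return false, "no rule for field"
}

func main() {
	checks := []struct {
		user, field, division string
		op                    Perm
	}{
		{"alice", "salary", "div1", Read},
		{"alice", "salary", "div1", Update},
		{"alice", "name", "div2", Read},
		{"bob", "salary", "div1", Update},
		{"payrun", "address", "div1", Read},
		{"mallory", "salary", "div1", Read},
	}
	for _, c := range checks {
		ok, why := Authorize(c.user, c.field, c.division, c.op)
		fmt.Printf("%-8s %-8s %-5s op=%d -> %-5v %s\n", c.user, c.field, c.division, c.op, ok, why)
	}
}
```

The rules are data, not code: adding a new category of user means adding a profile, and an audit of "who can change salaries" is a scan of the profile table. Returning the denial reason lets every refused request be logged, which is what an MIS audit later reviews.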
Disaster recovery planning and business continuity planning: disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted. Business continuity planning focuses on how the company can restore business operations after a disaster strikes. Both require:
- A business impact analysis to determine the impact of an outage.
- Management to decide which systems must be restored first.
- Identification of the firm's most critical systems.
MIS audit: examines the firm's overall security environment as well as the controls governing individual information systems. It reviews technologies, procedures, documentation, training and personnel, and may even simulate an attack or disaster to test the response of the technology, the IS staff and other employees. The audit lists and ranks all control weaknesses, estimates the probability of their occurrence, and assesses the financial and organizational impact of each threat.
Technologies and tools for protecting information systems
- Identity management software: automates keeping track of all users and their privileges, authenticating users, protecting identities and controlling access.
- Authentication: establishing that a user is who they claim to be, using passwords, tokens, smart cards, biometric authentication and similar methods.
- Firewall: a combination of hardware and software that prevents unauthorized users from accessing a private network. It is placed between the firm's private network and the public internet to block unauthorized traffic.
- Antivirus and antispyware software: detect and remove malicious software, and must be kept continually updated to remain effective.
- Securing wireless networks: assign a unique name to the network's SSID and do not broadcast it. Hiding the SSID only deters casual discovery, so the network still needs encryption and authentication (WPA2 or later).
- Encryption: transforming plain text or data into cipher text that cannot be read by anyone other than the intended receiver. There are two methods of encryption:
- Symmetric key encryption: sender and receiver share a single key, which is used both to encrypt and to decrypt, so the key itself must be exchanged securely and kept secret.
- Public key encryption: uses a mathematically related pair of keys; the public key encrypts and the private key decrypts, so the public key can be published while the private key never leaves its owner.
- Digital certificates: a certification authority (CA) verifies a user's identity, stores that information on a CA server, and generates a digitally signed certificate containing the owner's identification information and a copy of the owner's public key.
- Ensuring software quality: software metrics and rigorous testing reduce the defects that attackers exploit.
- Securing mobile platforms: security policies should include and cover any special requirements for mobile devices.
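The symmetric key, public key and digital certificate items above, as one added example built on the Go standard library (written for these notes; not code from Laudon or from any product): a CA issues a certificate binding an owner's name to the owner's public key; a sender trusts that key only after verifying the certificate against the CA it knows; the sender then encrypts a message with a fresh symmetric AES-GCM key and encrypts that key with the owner's public key, so only the owner's private key can recover it. The CA name, the owner name "order-processing", the in-process CA, the serial numbers and the 24-hour validity are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue builds and signs a certificate binding owner's name to pub. With isCA set it is the
// self-signed root; otherwise parent and signer are the CA's certificate and private key.
// The CA is constructed in-process for this example; a real CA keeps its key on a protected
// server and verifies the owner's identity before issuing.
func Issue(owner string, serial int64, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: owner},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // short-lived, for the example
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage, parent = x509.KeyUsageCertSign, tmpl // a root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifiedPublicKey returns cert's public key only if cert chains to the trusted CA and is
// within its validity period; a certificate from any other signer is rejected.
func VerifiedPublicKey(ca, cert *x509.Certificate) (*rsa.PublicKey, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, fmt.Errorf("certificate does not carry an RSA key")
}

// SealForOwner is the sender's side: a fresh shared key encrypts the data with AES-GCM
// (symmetric), and the owner's certified public key encrypts that key with RSA-OAEP (public key).
func SealForOwner(pub *rsa.PublicKey, msg []byte) (wrappedKey, ciphertext []byte, err error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // a 32-byte key is always a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)
	ciphertext = gcm.Seal(nonce, nonce, msg, nil) // nonce is prefixed to the ciphertext
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return wrappedKey, ciphertext, err
}

// OpenWithPrivate is the owner's side: only the matching private key can unwrap the shared
// key, and AES-GCM rejects any ciphertext that was modified in transit.
func OpenWithPrivate(priv *rsa.PrivateKey, wrappedKey, ciphertext []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // fails if the unwrapped key is not an AES key size
	if err != nil || len(ciphertext) < 12 {
		return nil, fmt.Errorf("cannot open: bad key or truncated ciphertext")
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Open(nil, ciphertext[:12], ciphertext[12:], nil)
}

func main() {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ownerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca, _ := Issue("Example Firm CA", 1, true, &caKey.PublicKey, nil, caKey)
	cert, _ := Issue("order-processing", 2, false, &ownerKey.PublicKey, ca, caKey)
	pub, err := VerifiedPublicKey(ca, cert)
	if err != nil {
		panic(err)
	}
	wrapped, ct, _ := SealForOwner(pub, []byte("PO-1042: 500 units"))
	pt, err := OpenWithPrivate(ownerKey, wrapped, ct)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
}
```

The two methods are combined rather than used alone because public key operations are slow and limited to short inputs, while a symmetric key has to be shared somehow: the symmetric key carries the data and the public key carries the symmetric key. The certificate is what stops a sender from being handed an impostor's public key; without the verification step the public key alone proves nothing about who holds the private half.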
Reference
Laudon, K. C., and Laudon, J. P., Management Information Systems: Managing the Digital Firm, 12th edition.
Lesson: Securing Information Systems
Subject: Management Information System
Grade: Bachelor of Business Administration