Role of Controls in Ensuring Security of Information Resources
Nowadays, dependence on information systems is increasing immensely, which requires that threats and vulnerabilities be identified so that they can be addressed on time. Information resources can be adequately protected only when a properly designed set of controls is in place. Controls can be defined as the combination of organizational procedures, methods and policies through which operational adherence to management standards, the security of organizational assets, and the accuracy and consistency of management standards can be ensured. The most integral part of the design of an information system is its controls (Mayer, Aubert, Grandry & Feltus, 2016). This essay focuses on two types of information system controls, namely general management controls and application controls, and on the differences between them. It further highlights the security and risk management techniques necessary for ensuring the security, availability, integrity, reliability and confidentiality of digital business processes. Finally, it describes how auditing supports better data quality.
Computer systems are controlled by a combination of general and application controls. General controls govern the design, security and use of computer programs, and also manage the security of data files across the organization. They consist of a mixture of system software and manual procedures that together create an overall control environment and apply to all computerized applications. General controls include computer operations controls, software controls, data security controls, administrative controls, controls over the system implementation process and physical hardware controls (Fenz, Heurix, Neubauer & Pechstein, 2014). Among these, some general controls govern data centre and network operations and thus the handling of the system's main storage. Others protect the computer from falsified actions through its security controls. Some general controls ensure the reliability and security of data files so that they remain properly authenticated, while others secure the efficiency of equipment, assets or property.
The term application control refers to the particular controls, such as those for order processing, payroll and accounts payable, that are distinctive to each computerized application. Application controls comprise controls that can be applied both from the user functional area of a specific system and from programmed procedures. They include input controls, processing controls and output controls (Schou & Hernandez, 2014), each performing a different function. Input controls are designed to assure the accuracy, validity and completeness of the data entering the computer for processing. Processing controls are designed to ensure that the data or information input into the system is processed accurately. Output controls assure the validity, accuracy and completeness of the data or information generated by the computer. Other application controls govern the information held in the master file (Stair & Reynolds, 2017).
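The input, processing and output controls described above can be made concrete in code. The following is an added example, not part of the essay or of any source it cites: a hypothetical payroll batch (constructed sample data) passes through an input control that enforces completeness, format, data-type and range checks, a batch-total reconciliation used here as a processing control, and an output control that confirms every record is accounted for. The control-total figures and field layout are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

# Constructed sample batch of payroll-style records (not from the essay).
# Layout assumed here: employee id, name, hours worked, hourly rate.
RAW_BATCH = [
    "E1001,Alice,160,25.00",
    "E1002,Bob,172,31.50",
    "E1003,,160,25.00",        # incomplete: name is missing
    "E1004,Dana,999,25.00",    # invalid: hours outside a plausible range
    "E1005,Eve,150,abc",       # invalid: rate is not a number
]

# Control totals that the originating department is assumed to send with
# the batch so the receiver can detect lost or altered records.
EXPECTED_RECORD_COUNT = 5
EXPECTED_HOURS_TOTAL = 1641   # 160 + 172 + 160 + 999 + 150


@dataclass
class PayRecord:
    emp_id: str
    name: str
    hours: int
    rate: Decimal


def input_control(line: str) -> Optional[PayRecord]:
    """Input control: completeness, validity and range checks on one record.
    Returns None (rejecting the record) when any check fails."""
    fields = line.split(",")
    if len(fields) != 4 or any(f.strip() == "" for f in fields):
        return None                                   # completeness check
    emp_id, name, hours_s, rate_s = (f.strip() for f in fields)
    if not (emp_id.startswith("E") and emp_id[1:].isdigit()):
        return None                                   # format/validity check
    try:
        hours = int(hours_s)
        rate = Decimal(rate_s)
    except (ValueError, InvalidOperation):
        return None                                   # data-type check
    if not (0 <= hours <= 200) or rate <= 0:
        return None                                   # reasonableness/range check
    return PayRecord(emp_id, name, hours, rate)


def batch_totals_ok(raw: List[str]) -> bool:
    """Processing control: reconcile the record count and hours total declared
    by the sender against what was actually received."""
    hours = 0
    for line in raw:
        fields = line.split(",")
        if len(fields) == 4 and fields[2].strip().isdigit():
            hours += int(fields[2])
    return len(raw) == EXPECTED_RECORD_COUNT and hours == EXPECTED_HOURS_TOTAL


def process_batch(raw: List[str]) -> Dict[str, object]:
    """Run the three kinds of application control over a batch and return
    the outcome of each so it can be reviewed or audited."""
    intact = batch_totals_ok(raw)
    accepted: List[PayRecord] = []
    rejected: List[str] = []
    for line in raw:
        rec = input_control(line)
        if rec is None:
            rejected.append(line)
        else:
            accepted.append(rec)
    gross = {r.emp_id: r.hours * r.rate for r in accepted}
    # Output control: every input record is accounted for exactly once
    # and every computed amount is positive.
    output_ok = (len(accepted) + len(rejected) == len(raw)
                 and all(v > 0 for v in gross.values()))
    return {
        "batch_intact": intact,
        "accepted_ids": [r.emp_id for r in accepted],
        "rejected": rejected,
        "gross_pay": gross,
        "output_ok": output_ok,
    }


if __name__ == "__main__":
    for key, value in process_batch(RAW_BATCH).items():
        print(f"{key}: {value}")
```

Rejected records are returned rather than silently dropped so that the rejection itself becomes auditable evidence, which is what distinguishes a control from a mere validation step.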
Overview of General Management Controls
Comparing application controls with general management controls shows that general controls apply to every area of the organization, including the IT infrastructure and support services. Their basic objective is to ensure that applications are developed and implemented appropriately. General controls also aim to maintain the integrity of computer operations, programs and data files. This contrasts with application controls, which can be defined as the controls over transactions of a computer-based application system and are particular to each application. The main objective of application controls is to ensure the maintenance, completeness, validity and accuracy of data and information, and to keep it updated on a timely basis (Ifinedo, 2014).
With the passage of time, business processes have become digital, which has created a requirement for security and risk management techniques through which the reliability, confidentiality, integrity and security of those processes can be ensured. In the context of information systems, risk management can be defined as the technique through which vulnerabilities and threats to information resources are identified. The risk management process plays a key role because it is concerned with the information resources that the organization uses to attain its objectives (McNeil, Frey & Embrechts, 2015). It also supports decisions about the countermeasures that can reduce risk to an acceptable level, based on the value of the information resource to the organization. Risk management therefore requires techniques capable of identifying the risks specific to assets, people and information. These techniques should also support the business according to its risk tolerance level, provide the protection needed to remove or reduce risks, and accept responsibility for appropriately managing the risk that remains untreated or cannot be treated (Pearlson, Saunders & Galletta, 2016).
The security and risk management technique used for digital business processes should clearly establish that security risk management is the task of every staff member and is to be carried out on a daily basis. The security risk management process should be designed to be logical and systematic, and to evaluate changes in the environment through constant monitoring. Continuous evaluation of the dynamic environment allows the technique to make the adjustments required to maintain an acceptable level of risk. The technique will also assist in maintaining a balance between operational and security needs (McIlwraith, 2016).
Types of General Management Controls
The integrity of received data can be protected by hashing the data and comparing the result with the hash of the original data. The confidentiality and integrity of data can be ensured through the use of cryptography; among the existing schemes, GPG can be used for digitally signing data. For ensuring confidentiality, file permissions and access control lists can be enforced so that sensitive information can be accessed only by authorized individuals (Naudet, Mayer & Feltus, 2016). Encryption of data also helps maintain the confidentiality of processes: once data is encrypted, only the right individuals will be able to access it. Business processes should also be properly backed up so that data remains available even when hard drives are damaged. The organization should also use an off-site location for storing data so that it can be restored if the primary data is damaged.
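The hash comparison described above detects accidental corruption, but it also has a limit that the paragraph does not spell out: anyone who can alter the data can usually recompute and replace the plain hash too, which is why a keyed tag or a signature (the essay's GPG example) is needed to detect deliberate tampering. The following added example, written for this page and not taken from the essay or its sources, demonstrates both the plain hash check and a keyed HMAC check on a constructed payload; the shared key and the invoice-style payload are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample payload (not from the essay) and a tampered copy.
ORIGINAL = b"invoice_id=1042;amount=2500.00;payee=ACME"
TAMPERED = b"invoice_id=1042;amount=9500.00;payee=ACME"


def sha256_hex(data: bytes) -> str:
    """Plain hash of the data, as used for the basic integrity comparison."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(received: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the hash of the received data and compare
    it with the hash of the original. compare_digest avoids leaking the
    position of the first mismatch through timing."""
    return hmac.compare_digest(sha256_hex(received), expected_hex)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: can only be produced by a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticated_ok(received: bytes, received_tag: str, key: bytes) -> bool:
    """Authenticated integrity check: the tag must match under the shared key."""
    return hmac.compare_digest(keyed_tag(received, key), received_tag)


def demo() -> dict:
    """Run both checks against intact and tampered data and report outcomes."""
    key = os.urandom(32)  # hypothetical secret shared by sender and receiver
    original_hash = sha256_hex(ORIGINAL)
    original_tag = keyed_tag(ORIGINAL, key)
    return {
        # Plain hash: catches corruption when the hash itself is trusted...
        "plain_hash_original": integrity_ok(ORIGINAL, original_hash),
        "plain_hash_tampered": integrity_ok(TAMPERED, original_hash),
        # ...but not when the data and its hash are replaced together.
        "plain_hash_tampered_with_new_hash": integrity_ok(TAMPERED, sha256_hex(TAMPERED)),
        # Keyed tag: tampering is detected even if the attacker recomputes
        # a hash, because a valid tag requires the key.
        "hmac_original": authenticated_ok(ORIGINAL, original_tag, key),
        "hmac_tampered": authenticated_ok(TAMPERED, original_tag, key),
        "hmac_tampered_with_forged_tag": authenticated_ok(TAMPERED, sha256_hex(TAMPERED), key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A digital signature such as the essay's GPG example plays the same role as the keyed tag but lets a receiver verify without holding the sender's secret, which is the appropriate choice when data is distributed to many parties.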
Security management should be considered the most important aspect of a business. Every individual in the organization should be given a defined role together with the duties and responsibilities they are required to perform. Security governance should be part of the risk management technique, with the leaders of the business held responsible for the security of information (Solomon, 2016). In other words, security should be treated as an enterprise-wide issue. The security needs of the organization should be given enough importance, and staff should be trained accordingly in how to address risk effectively. Data should also be properly reviewed and audited on a timely basis to ensure effective security governance and data quality. The behavior of employees can also be moulded to encourage an information security culture in the processes (Peltier, 2016).
Auditing is responsible for enhancing data quality. An information system audit covers every aspect of the system under inspection, such as the accuracy of the calculations made by the computer. The audit works to remove errors, which in turn enhances data quality. However, a long procedure is followed to achieve this result. First, the situation under consideration is used to select the audit strategy or approach, and documentation is prepared accordingly so that it assists in the later stages of the audit process (Hall, 2015). The audit approach depends on a number of factors, such as the audit criteria established, the review of documentation, high-risk areas, required visits to the data centre, interviews with key individuals, and so on. The process then identifies information sources in order to expand the understanding of the audit area; network maps, previous audit reports, process maps and system flows serve as the sources of information for the audit. Next, a risk assessment is carried out to meet the auditing standards, considering factors such as the business purpose, the operating environment of the business, compliance and statutory regulations and technology-specific risk (Cassidy, 2016). After this, the identified risks are documented along with their nature, likelihood of occurrence, potential impact and the controls required to address them. The final audit report is prepared on the basis of the identified risks, the current internal controls and the audit objectives. In this way, the audit helps determine in advance which source systems, applications and operational processes suffer from data quality problems, so that they can be addressed on time (Chen, Smith, Cao & Xia, 2014).
Overview of Application Controls
When out-of-date information is identified and removed on time, data quality is automatically enhanced. This in turn saves unnecessary costs and improves services to customers; response rates and return on investment also improve. An information system audit minimizes risks and removes duplicate records so that unnecessary complications and confusion do not arise (Baskerville, Spagnoletti & Kim, 2014). The accuracy, timeliness, reliability, precision, confidentiality, integrity and completeness of data are ensured with the help of auditing, and when all these factors are achieved, data quality is automatically improved (Cassidy, 2016).
Therefore, it can be concluded that safeguarding information resources is the most integral part of the design of a system. Controls can be defined as the combination of organizational procedures, methods and policies through which operational adherence to management standards, the security of organizational assets, and the accuracy and consistency of management standards can be ensured. The protection of an information system can be ensured through certain manual and automated measures. General management controls and application controls are responsible for controlling computer systems, and this essay compared these two types of controls. It further highlighted the security and risk management techniques necessary for ensuring the security, availability, integrity, reliability and confidentiality of digital business processes; cryptography, encryption, file permissions and hashing of data are examples of such techniques. Moreover, the essay described how data quality is enhanced through auditing: improvement in data quality results from the timely identification and removal of out-of-date information.
References
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), 138-151.
Cassidy, A. (2016). A practical guide to information systems strategic planning. Auerbach Publications.
Chen, Y., Smith, A. L., Cao, J., & Xia, W. (2014). Information technology capability, internal control effectiveness, and audit fees and delays. Journal of Information Systems, 28(2), 149-180.
Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410-430.
Hall, J. A. (2015). Information technology auditing. Cengage Learning.
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.
Mayer, N., Aubert, J., Grandry, E., & Feltus, C. (2016). An Integrated Conceptual Model for Information System Security Risk Management and Enterprise Architecture Management Based on TOGAF. In IFIP Working Conference on The Practice of Enterprise Modeling (pp. 353-361). Springer, Cham.
McIlwraith, A. (2016). Information security and employee behaviour: how to reduce risk through employee education, training and awareness. Routledge.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative Risk Management: Concepts, Techniques and Tools (revised edition). Princeton University Press.
Naudet, Y., Mayer, N., & Feltus, C. (2016). Towards a systemic approach for information security risk management. In 2016 11th International Conference on Availability, Reliability and Security (ARES) (pp. 177-186). IEEE.
Pearlson, K. E., Saunders, C. S., & Galletta, D. F. (2016). Managing and Using Information Systems, Binder Ready Version: A Strategic Approach. John Wiley & Sons.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach Publications.
Schou, C., & Hernandez, S. (2014). Information Assurance handbook: Effective computer security and risk management strategies. McGraw-Hill Education Group.
Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Publishers.
Stair, R., & Reynolds, G. (2017). Fundamentals of information systems. Cengage Learning.