IS Security and Risk Management
A well-designed set of controls is required to protect information resources. Information systems are safeguarded by a combination of automated and manual measures that also keep them performing in line with management standards. Controls comprise all of the policies, methods and organizational procedures that ensure the reliability and accuracy of accounting records, the safety of organizational assets and operational adherence to management standards. In the past, controls over an information system were addressed only after implementation was complete and before the system was installed. As dependence on information systems has grown, threats and vulnerabilities need to be identified as early as possible (Peltier, 2016), and control is now considered the most essential part of a system's design: the builders and users of a system must pay attention to controls throughout its lifespan. This essay describes the types of information system control and analyses the difference between general management controls and application controls. It then evaluates the security and risk management techniques needed to ensure the confidentiality, reliability, integrity, availability and security of digital business processes. Finally, it shows how data quality can be supported by auditing.

Computer systems are controlled by a combination of general and application controls. General controls govern the design, security and use of computer programs and the security of data files throughout the organization; they consist of manual procedures and system software that together create an overall control environment and apply to all computerized applications. Application controls, by contrast, are specific to each computerized application, such as accounts receivable, payroll or order processing, and comprise controls built into programmed procedures together with manual controls performed in the user's functional area (Nazareth & Choi, 2015).

General controls include software controls, controls over the system implementation process, computer operations controls, physical hardware controls, administrative controls and data security controls. Application controls, by contrast, include input controls,
processing controls and output controls. General controls take several forms. Some govern network operations and the data centre, which holds the system's main data stores; access security controls protect the computer from unauthorized use and fraudulent actions; physical controls safeguard assets, equipment and property; and data file controls keep files reliable and authentic (Safa, Von Solms & Furnell, 2016).

Among application controls, input controls are designed to assure the validity, completeness and accuracy of the data entered for processing. Processing controls are designed to assure that data entered into the system is processed accurately and completely. Output controls assure the accuracy, validity and completeness of the data the computer produces. Some application controls also govern the information held in master files (Webb, Ahmad, Maynard & Shanks, 2014).
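To make the three classes of application control concrete, here is an added example that applies input, processing and output controls to a constructed batch of payment records. It is my code, not code from the essay or its sources. The record layout, the reasonableness limit and the batch control totals (record count, amount total and a hash total over account numbers) are assumptions chosen for illustration.

```python
"""Input, processing and output controls over a batch of payment records.

Added example, not code from the essay. The record layout, the reasonableness
limit, the control totals and the sample batches are constructed.
"""
import datetime
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^\d{4}$")        # constructed account-number format
AMOUNT_LIMIT = Decimal("10000.00")         # constructed reasonableness limit
REQUIRED = ("account", "amount", "date", "payee")

# Constructed batch from a feeder system. The header carries the control totals
# the sender computed over all four records; the third record is deliberately bad.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("1250.00"),
                "hash_total": 10450}       # hash total = sum of account numbers
BATCH_RECORDS = [
    {"account": "1001", "amount": "500.00",  "date": "2023-06-01", "payee": "ACME"},
    {"account": "2020", "amount": "250.00",  "date": "2023-06-01", "payee": "Globex"},
    {"account": "3303", "amount": "-100.00", "date": "2023-06-31", "payee": ""},
    {"account": "4126", "amount": "600.00",  "date": "2023-06-02", "payee": "Initech"},
]
# The same batch with the bad record removed and the sender's totals recomputed.
CLEAN_HEADER = {"record_count": 3, "amount_total": Decimal("1350.00"),
                "hash_total": 7147}
CLEAN_RECORDS = [r for r in BATCH_RECORDS if r["account"] != "3303"]


def validate_record(rec):
    """Input control: completeness, validity and reasonableness of one record.

    Returns the list of failed checks; an empty list means the record passes.
    """
    errors = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    if rec.get("account") and not ACCOUNT_RE.match(rec["account"]):
        errors.append("account format")
    if rec.get("amount"):
        try:
            amount = Decimal(rec["amount"])
            if amount <= 0 or amount > AMOUNT_LIMIT:
                errors.append("amount out of range")
        except InvalidOperation:
            errors.append("amount not numeric")
    if rec.get("date"):
        try:
            datetime.date.fromisoformat(rec["date"])
        except ValueError:
            errors.append("invalid date")
    return errors


def process_batch(header, records):
    """Processing control: post only the records that pass input validation,
    then reconcile the posted totals against the sender's control totals."""
    accepted, rejected = [], {}
    for i, rec in enumerate(records):
        errs = validate_record(rec)
        if errs:
            rejected[rec.get("account") or f"row{i}"] = errs
        else:
            accepted.append(rec)
    posted = {
        "record_count": len(accepted),
        "amount_total": sum((Decimal(r["amount"]) for r in accepted), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in accepted),
    }
    return {
        "posted": posted,
        "rejected": rejected,
        # any difference means records were lost, altered or rejected in transit
        "reconciles": all(posted[k] == header[k] for k in posted),
    }


def output_report(header, result):
    """Output control: the reconciliation a reviewer signs off before the batch
    is released. Returned as lines so the caller can log or file them."""
    p = result["posted"]
    lines = [
        f"records: expected {header['record_count']}, posted {p['record_count']}",
        f"amount : expected {header['amount_total']}, posted {p['amount_total']}",
        f"hash   : expected {header['hash_total']}, posted {p['hash_total']}",
    ]
    for acct, errs in result["rejected"].items():
        lines.append(f"rejected {acct}: {', '.join(errs)}")
    lines.append("status : RECONCILED" if result["reconciles"]
                 else "status : OUT OF BALANCE, hold batch for review")
    return lines


if __name__ == "__main__":
    for line in output_report(BATCH_HEADER, process_batch(BATCH_HEADER, BATCH_RECORDS)):
        print(line)
```

The point of the control totals is that a rejected, dropped or altered record shows up as a difference between what the sender claims and what was posted, so the batch is held rather than silently released with three records where four were sent.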
The comparison shows, therefore, that general controls apply across all areas of the organization, including support services and the IT infrastructure. Their objective is to ensure that applications are properly developed and implemented and that data files, programs and computer operations keep their integrity. Application controls, on the other hand, relate to the data and transactions of a particular computer-based application system and are specific to that application. Their objective is to ensure that information is accurate, valid, complete and properly maintained and updated over time (Mayer, Aubert, Grandry & Feltus, 2016).

As business processes are digitalized, there is a greater need for security and risk management techniques that can ensure the confidentiality, reliability, security and integrity of those processes. Risk management is the process of identifying the threats and vulnerabilities to the information resources an organization uses to achieve its business objectives, and of deciding which countermeasures to apply so that risk is reduced to an acceptable level in proportion to the value of the information
resource to the business (Aven, 2016). The techniques adopted should identify the specific risks to information, people and assets, the level of risk the business is willing to tolerate, and the protection appropriate to reduce or remove those risks, and should assign responsibility for the residual risk that remains after treatment (Dashti, Giorgini & Paja, 2017). The technique should establish that security risk management is the business of every member of staff and is carried out as part of day-to-day work. It should follow a systematic and logical process, take account of changes in the threat environment through continuous monitoring, and make the adjustments needed to maintain an acceptable level of risk and a balance between security and operational needs (Agrawal, Campoe & Pierce, 2014).

Data integrity and confidentiality can be protected with cryptography. A common integrity check is to hash the data received and compare the result with the hash of the original message. This detects accidental corruption, but it only detects deliberate tampering if the attacker cannot also replace the hash, so the hash must be protected by a key or a signature or obtained over a trusted channel. Existing schemes such as GPG can be used to digitally sign data for this purpose. Confidentiality is enforced through access control lists and file permissions, which restrict access to sensitive information (Alles, Brennan, Kogan & Vasarhelyi, 2018), and through encryption, which ensures that only the intended recipients can read the information. Availability is supported by backups: regular backups allow recovery when a drive is damaged, and a copy held at an off-site location is ready to be restored if the primary data is damaged or destroyed (Soomro, Shah & Ahmed, 2016).
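The hash comparison described above, as an added example that is not part of the essay: it contrasts a bare SHA-256 digest with a keyed HMAC over a constructed payment message, simulating both a one-bit corruption in transit and an attacker who rewrites the message. The message text, the flipped bit and the shared key are assumptions. GPG signing itself is not shown; the HMAC plays the same role for two parties that share a key, whereas a signature is needed when the verifier must not be able to produce the tag itself.

```python
"""Integrity checking with a bare hash versus a keyed MAC.

Added example, not code from the essay. The payment message, the flipped bit
and the attacker's replacement text are constructed for illustration.
"""
import hashlib
import hmac
import secrets

MESSAGE = b"PAY 100.00 TO ACCT 1001 REF 77"    # constructed payment instruction


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data, digest):
    """The check the essay describes: hash what was received and compare it
    with the hash that accompanied the message. compare_digest avoids leaking
    how many leading characters matched through timing."""
    return hmac.compare_digest(sha256_hex(data), digest)


def verify_mac(key, data, tag):
    """Same comparison, but the tag can only be produced by a holder of the key."""
    return hmac.compare_digest(hmac_hex(key, data), tag)


def corrupt(data):
    """Accidental corruption: one bit flips in transit, the attached digest is untouched."""
    b = bytearray(data)
    b[4] ^= 0x01
    return bytes(b)


def tamper(data):
    """Deliberate tampering: an attacker rewrites the amount and the account."""
    return data.replace(b"100.00", b"900.00").replace(b"1001", b"6666")


def run_scenarios(key=None):
    """Returns, for each scenario, whether the receiver's check catches it."""
    key = key or secrets.token_bytes(32)       # shared secret; an assumption here
    digest = sha256_hex(MESSAGE)
    tag = hmac_hex(key, MESSAGE)
    forged = tamper(MESSAGE)
    return {
        # bit flip: the stored digest no longer matches, so the bare hash catches it
        "hash_detects_corruption": not verify_hash(corrupt(MESSAGE), digest),
        # active attacker: recomputes the hash over the forged text, so it passes
        "hash_detects_tampering": not verify_hash(forged, sha256_hex(forged)),
        # without the key the attacker can attach a plain hash or reuse the old
        # tag; neither verifies
        "mac_detects_tampering": (not verify_mac(key, forged, sha256_hex(forged))
                                  and not verify_mac(key, forged, tag)),
        "mac_accepts_genuine": verify_mac(key, MESSAGE, tag),
    }


if __name__ == "__main__":
    for scenario, caught in run_scenarios().items():
        print(f"{scenario}: {caught}")
```

The second scenario is the caveat practitioners trip over: a digest that travels alongside the data, with nothing binding it to a key or a signer, protects against line noise and disk errors, not against an adversary who controls the channel.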
The risk management technique should include security governance, in which security is treated as an enterprise-wide issue and leaders are held accountable for the security of information and data. Security risk is reduced when its management is viewed as a basic business requirement and the roles, responsibilities and duties of every individual in the organization are properly segregated. Staff should be trained and made aware, from time to time, of the security needs of the organization and
the way in which risks should be addressed. Effective security governance should also ensure that data is properly reviewed and audited so that data quality improves (Aven & Zio, 2014).

Organizations should build a culture of information security by bringing about the corresponding changes in employee behaviour. Managing the information security culture involves five steps: pre-evaluation, strategic planning, operative planning, implementation and post-evaluation (Schou & Hernandez, 2014).

An information system audit covers the complete lifecycle of the technology under inspection, including the accuracy of the computer's calculations, with the result that data quality improves and the chance of error is reduced to a minimum. First, the audit approach or strategy is defined for the situation at hand, together with the documentation that later phases of the audit will need. The approach is built on steps such as interviewing key individuals, reviewing documentation, establishing audit criteria, visiting the data centre, reviewing high-risk areas, documenting findings and preparing the report (Silva, de Gusmao, Poleto, e Silva & Costa, 2014). Next, sources of information are identified to broaden the auditor's understanding of the audit area; these include previous audit reports, network maps, system flows and process maps. To meet audit standards, a risk assessment is then performed that considers statutory and compliance regulations, the environment in which the enterprise operates, the business purpose and technology-specific risks. The IS auditor documents each identified risk with its nature, likelihood of occurrence and potential impact, and defines the controls capable of addressing it. The results of this assessment, together with the audit objectives and the existing internal controls, determine the final audit scope and the strategy for achieving the audit goal. Data quality problems originating in applications, source systems and operational processes can thus be identified in advance and addressed in time (Knechel & Salterio, 2016).
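The risk management technique described earlier (specific risks, risk tolerance, protection, residual risk) and the auditor's risk documentation in this paragraph (nature, likelihood, impact, controls) come down to the same artefact, a risk register. The following is an added example of such a register, my code rather than anything from the essay or its sources. The 1-5 ordinal scales, the tolerance threshold, the way controls step the scales down and the three entries are all constructed assumptions; real programmes calibrate these to the business.

```python
"""A small risk register: inherent risk, effect of controls, residual risk and
the treatment decision against a stated tolerance.

Added example, not code from the essay. The scales, the tolerance and the
register entries are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales for likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TOLERANCE = 6   # constructed: a residual score above this must be treated or formally accepted


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0   # steps down the likelihood scale
    reduces_impact: int = 0       # steps down the impact scale
    status: str = "operating"     # "operating" or "planned"


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    controls: list = field(default_factory=list)
    accepted_by: str = ""         # who signed off the residual risk, if anyone

    def inherent(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self):
        """Only controls that are actually operating reduce the risk; a planned
        control is an audit finding, not a mitigation."""
        live = [c for c in self.controls if c.status == "operating"]
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(c.reduces_likelihood for c in live))
        imp = max(1, IMPACT[self.impact] - sum(c.reduces_impact for c in live))
        return lik * imp

    def decision(self):
        if self.residual() <= TOLERANCE:
            return "within tolerance"
        if self.accepted_by:
            return f"accepted by {self.accepted_by}"
        return "treat: add or implement controls, or obtain signed acceptance"


# Constructed register entries.
REGISTER = [
    Risk("R1", "payroll database", "credential theft", "shared admin password",
         "likely", "major", "HR systems lead",
         [Control("MFA on admin accounts", reduces_likelihood=2),
          Control("privileged access review", reduces_likelihood=1, status="planned")]),
    Risk("R2", "order-processing server", "ransomware", "no tested restore",
         "possible", "severe", "IT operations manager",
         [Control("off-site backups with quarterly restore test", reduces_impact=3)]),
    Risk("R3", "public website", "defacement", "outdated CMS plugin",
         "likely", "minor", "marketing lead", [], accepted_by="CIO"),
]


def report(register):
    """Rows of (id, inherent, residual, decision), highest residual first."""
    rows = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [(r.rid, r.inherent(), r.residual(), r.decision()) for r in rows]


if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
```

R1 illustrates the case an auditor looks for: on paper two controls exist, but only the operating one counts, so the residual risk still exceeds tolerance and the entry must be treated or explicitly accepted by a named owner rather than left in limbo.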
In other words, data quality improves because out-of-date information is identified and removed, which saves budget and brings the required improvements in
customer services. This, in turn, improves return on investment and response rates. Auditing the information system minimizes risk and removes duplicate records so that they do not cause further confusion and complication. Auditing the data assures its accuracy, precision, reliability, completeness, integrity, timeliness and confidentiality, and thereby its quality (Barton, Tejay, Lane & Terrell, 2016).
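An added example of the duplicate-record and out-of-date checks this paragraph describes, run over a constructed customer master file. It is my code, not the essay's; the records, the normalization rules used to match duplicates and the one-year staleness threshold are assumptions.

```python
"""Data-quality audit over a customer master file: duplicate detection, stale
records, and a findings record that can itself be filed as audit evidence.

Added example, not code from the essay. The records, the normalization rules
and the staleness threshold are constructed for illustration.
"""
import datetime
import re
from collections import defaultdict

STALE_AFTER_DAYS = 365    # constructed threshold: not updated in a year is out of date

# Constructed master file. Records 101 and 104 are the same customer entered
# twice with different formatting; 103 has not been updated since 2021.
CUSTOMERS = [
    {"id": 101, "name": "Acme Ltd",  "email": "Sales@Acme.example",  "updated": "2023-05-30"},
    {"id": 102, "name": "Globex",    "email": "ops@globex.example",  "updated": "2023-01-15"},
    {"id": 103, "name": "Initech",   "email": "it@initech.example",  "updated": "2021-11-02"},
    {"id": 104, "name": "ACME LTD.", "email": "sales@acme.example ", "updated": "2022-08-09"},
    {"id": 105, "name": "Hooli",     "email": "",                    "updated": "2023-06-01"},
]


def normalize_name(name):
    """Collapse case, punctuation and spacing so 'ACME LTD.' matches 'Acme Ltd'."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def normalize_email(email):
    return email.strip().lower()


def find_duplicates(records):
    """Group records by normalized e-mail, or by normalized name when there is
    no e-mail. Returns one sorted id list per group with more than one member."""
    groups = defaultdict(list)
    for rec in records:
        email = normalize_email(rec["email"])
        key = ("email", email) if email else ("name", normalize_name(rec["name"]))
        groups[key].append(rec["id"])
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def find_stale(records, as_of, stale_after_days=STALE_AFTER_DAYS):
    """Ids of records not updated within the threshold, oldest first."""
    cutoff = datetime.date.fromisoformat(as_of) - datetime.timedelta(days=stale_after_days)
    dated = sorted((datetime.date.fromisoformat(r["updated"]), r["id"]) for r in records)
    return [rid for updated, rid in dated if updated < cutoff]


def resolve_duplicates(records, groups):
    """Within each duplicate group keep the most recently updated record and
    return the ids that should be removed."""
    by_id = {r["id"]: r for r in records}
    remove = []
    for ids in groups:
        keep = max(ids, key=lambda i: by_id[i]["updated"])   # ISO dates sort as text
        remove.extend(i for i in ids if i != keep)
    return sorted(remove)


def audit(records, as_of):
    """Run the checks and return the findings together with the parameters that
    produced them, so the result documents what was examined and when."""
    dupes = find_duplicates(records)
    stale = find_stale(records, as_of)
    return {
        "as_of": as_of,
        "records_examined": len(records),
        "duplicate_groups": dupes,
        "remove_ids": resolve_duplicates(records, dupes),
        "stale_ids": stale,
        "clean": not dupes and not stale,
    }


if __name__ == "__main__":
    for key, value in audit(CUSTOMERS, "2023-06-08").items():
        print(f"{key}: {value}")
```

Matching on normalized fields rather than raw strings is what makes the duplicate check useful; exact comparison would miss the 'ACME LTD.' entry with the trailing space in its e-mail, which is precisely the kind of record that inflates mailing costs and response-rate denominators.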
In conclusion, the protection of information resources is the most important part of a system's design. Information systems are safeguarded by a combination of automated and manual measures, and controls comprise all of the policies, methods and organizational procedures that ensure the reliability and accuracy of accounting records, the safety of organizational assets and operational adherence to management standards. Computer systems are controlled by a combination of general and application controls, and this essay has compared the two. It has also examined the security and risk management techniques that can be applied to digital business processes to ensure their confidentiality, reliability, integrity, availability and security, including encryption, hashing, digital signatures, and the enforcement of access control lists and file permissions. Finally, it has shown how auditing enhances data quality: audits identify and remove out-of-date information, which reduces costs and brings the required improvements in customer services.
References
Agrawal, M., Campoe, A., & Pierce, E. (2014). Information security and IT risk management.
Wiley Publishing.
Alles, M., Brennan, G., Kogan, A., & Vasarhelyi, M. A. (2018). Continuous monitoring of
business process controls: A pilot implementation of a continuous auditing system at
Siemens. In Continuous Auditing: Theory and Application (pp. 219-246). Emerald
Publishing Limited.
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their
foundation. European Journal of Operational Research, 253(1), 1-13.
Aven, T., & Zio, E. (2014). Foundational issues in risk assessment and risk management. Risk
Analysis, 34(7), 1164-1172.
Barton, K. A., Tejay, G., Lane, M., & Terrell, S. (2016). Information system security
commitment: A study of external influences on senior management. Computers &
Security, 59, 9-25.
Dashti, S., Giorgini, P., & Paja, E. (2017). Information Security Risk Management. In IFIP
Working Conference on The Practice of Enterprise Modeling (pp. 18-33). Springer,
Cham.
Knechel, W. R., & Salterio, S. E. (2016). Auditing: Assurance and risk. Routledge.
Mayer, N., Aubert, J., Grandry, E., & Feltus, C. (2016). An Integrated Conceptual Model for
Information System Security Risk Management and Enterprise Architecture
Management Based on TOGAF. In IFIP Working Conference on The Practice of
Enterprise Modeling (pp. 353-361). Springer, Cham.
Mayer, N., Grandry, E., Feltus, C., & Goettelmann, E. (2015, June). Towards the ENTRI
framework: security risk management enhanced by the use of enterprise architectures.
In International Conference on Advanced Information Systems Engineering (pp. 459-
469). Springer, Cham.
Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security
management. Information & Management, 52(1), 123-134.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model
in organizations. Computers & Security, 56, 70-82.
Schou, C., & Hernandez, S. (2014). Information Assurance handbook: Effective computer
security and risk management strategies. McGraw-Hill Education Group.
Silva, M. M., de Gusmao, A. P. H., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2014). A
multidimensional approach to information security risk management using FMEA and
fuzzy theory. International Journal of Information Management, 34(6), 733-740.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more
holistic approach: A literature review. International Journal of Information
Management, 36(2), 215-225.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for
information security risk management. Computers & Security, 44, 1-15.