Information System Audit: Analyzing Cybersecurity Risks & Controls

Verified

Added on 2023/06/13

AI Summary

This document presents an information system audit report focusing on cybersecurity risks, controls, and recommendations, using the Atlanta cyber attack as a case study. It begins with an introduction to the importance of cybersecurity audits, highlighting the increasing threats to businesses. The report details the background of the Atlanta cyber attack, emphasizing the vulnerability of local governments. It identifies key IS risks such as ransomware and social engineering, stressing the need for comprehensive risk assessment and employee awareness. The audit plan outlines objectives and procedures for assessing security and internal controls, including background checks, head approval processes, and risk assessments. The report concludes with control recommendations for enhancing the control environment and risk assessment policies, emphasizing the importance of accurate financial reporting and authorization controls. Desklib provides this and other solved assignments to aid students in their studies.

qwertyuiopasdfghjklzxcvbnmqwertyu
iopasdfghjklzxcvbnmqwertyuiopasdfg
hjklzxcvbnmqwertyuiopasdfghjklzxcv
bnmqwertyuiopasdfghjklzxcvbnmqwe
rtyuiopasdfghjklzxcvbnmqwertyuiopa
sdfghjklzxcvbnmqwertyuiopasdfghjkl
zxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyu
iopasdfghjklzxcvbnmqwertyuiopasdfg
hjklzxcvbnmqwertyuiopasdfghjklzxcv
bnmqwertyuiopasdfghjklzxcvbnmqwe
rtyuiopasdfghjklzxcvbnmqwertyuiopa
sdfghjklzxcvbnmqwertyuiopasdfghjkl
zxcvbnmqwertyuiopasdfghjklzxcvbnm
rtyuiopasdfghjklzxcvbnmqwertyuiopa
sdfghjklzxcvbnmqwertyuiopasdfghjkl
zxcvbnmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqwertyu
iopasdfghjklzxcvbnmqwertyuiopasdfg
hjklzxcvbnmqwertyuiopasdfghjklzxcv
IS Audit Report
1

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Information system
Case study article - https://www.nytimes.com/2018/03/30/opinion/local-government-
cyberattack.html?rref=collection%2Ftimestopic%2FComputer%20Security
%20(Cybersecurity)

Information system
Executive Summary
Cybersecurity has assumed a place of vital importance because business is exposed to huge
risks and uncertainties. With the advent of technology and its uses, the dependence is huge on
the technology that is exposing the business to potential risks. Cyber attacks and other
potential harm are on the increase and hence needs a sharp attention. In this report, the major
emphasis is on the information system risk. The selected article sheds light on the fact that
ransomware is a potential threat to data and blocks the assess until a ransom is paid.

Information system
Contents
1. Introduction.....................................................................................................................................................4
2. Background to the Case...................................................................................................................................5
3. IS Risks.............................................................................................................................................................5
4. Audit Plan, Objectives and Procedures...........................................................................................................5
5. Audit Questions and Documents.....................................................................................................................6
6. Control Recommendations..............................................................................................................................6
7. Conclusion.......................................................................................................................................................7
References................................................................................................................................................................7

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Information system
1. Introduction
With the due passage of time, the threat tends to change and attracts immense problem for the
business. Further, the information system is the major weapon of the organization and helps
in the controlling the infrastructure of the entity. The report defines the business case together
with the risks that are present in the business environment followed by the audit plan. Going
by the happening of the event, it needs to be noted that cybersecurity is not only the concern
of the I.T department rather the same must be encountered through audit plans and objective
(Barney & Ray, 2015). The application of a strong audit system will help in the prevention
and mitigation of the future attack and build a strong organization.

Information system
2. Background to the Case
The case relates to the cyber attack on Atlanta, where the computers of the municipal
government and other services were affected by a ransomware attack. It clearly indicates that
the local government is prone to cyber threats. It needs to be noted that the local government
of every size and locations operates on a wide scale. The system is complex owing to the
presence of a wide variety of features. The introduction of technology systems such as
laptops, internet connected system, mapping and the informational system is an indication
that the system is complex and needs to be tamed in an effective manner. The local
government located in the United States does not have a strong control over the policies and
regulations so they are unable to safeguard their system from attacks. This is of immense
concern because the cyber attack can erode the entire system (Mcgalliard, 2018). It is being
reported by forty percent of local government that cyber attack is a common happening on an
hourly basis. Further, the biggest drawback that lies in this scenario is that a high percentage
of government does not know the intensity and happening of the attack.
3. IS Risks
The provided case study shows the prevailing danger of the cyber attacks which are made on
the general public systems by the use of ransom wares and cyber threats which use social
engineering. The cyber threats are the most underrated risks in today’s business world. The
cyber risk may be of many kinds some of which are a risk to finances, IT systems of the
organization and the status of the firm which may cause huge losses to the firm because of
the vast spread of the digitalization and improvement of interconnectivity between
technological devices (Carroll, 2014). The risks of the firm relating to the cybersecurity
should not only be bear by the It department of the firm, but also the other employees who
work for the firm should also be concerned about such threats and risks. An organization
should perform regular checks on the cybersecurity risks which may prevail upon it. Hence it
should always be updated about the risks or threats and thus make the technological
advancements in the firms IT sector so as to prevent the system from any type of hazardous
activity. There should be awareness among the employees about the cyber risks which may
be prevailing upon the firm. They need to identify any kind of technological risk that is
present in the firms IT system (Van & Venzke, 2015). They should also be able to find and

Information system
report the threats and vulnerabilities which can be used by the third parties or outsiders to
exploit the firms IT system thus leading to a huge cyber loss (Francen, 2014). Also, it is the
duty of the firm to remain as safe as possible by introducing new cyber solution which may
help the firm to remove the present vulnerabilities and thus giving it a chance to move
towards success by accelerating towards a greater lifespan of the firm (Zissis & Lekkas,
2012).
Internet connects all servers to each other and thus making it a powerful tool for the firms to
discuss all the types of problems faced by them. This also increases the security risk thus
exposing them to threats:
 Every day there are new softwares and methods launched in the world which are used
by the blackhead hackers to exploit the firm’s database. These tools are available
easily on the darknet and improved by every means. These tools thus increase the
number of criminals as they provide them with the basic equipment which they use to
manipulate the data of specific servers (Hanson et. al, 2011).
 There has been a considerable increase in the spam operations like virus injection,
hacking, data tampering, phishing, and bugging. These spams have increased with the
time thus making the cyber threat a gradually offensive state which may destroy the
present technological advancements (Hanson et. al, 2011).
 The improvement in the authentication and authorization of the users lead the hackers
to use the methods of social engineering which uses manipulation of the user's mind
thus making them lose their security (Travica, 2015).
 With the increase in the literacy of the computer knowledge in today’s world, the next
generation will be more hazardous as they will be creating much more dangerous and
harmful threats which will lead to the deployment of an entirely new range of
cybersecurity fails. The use of instant messaging over the email have been observed
because of faster communication which makes the cyber threats more progressive
thus leading to the introduction of many such harmed technologies in the world
(Wagener & Hollenbeck, 2014).
 Wireless technologies are more easy to be hacked thus increasing the factor of cyber
threat to increase. Also, the falling prices of the computer systems have also lead to
increase in the approach of the consumers thus leading them to be provided with more
information about the new technological advancements and thus increasing the cyber
bullying in the fields (Miller & Pellen, 2014).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Information system
4. Audit Plan, Objectives and Procedures
The main objective of the audit process is to assess the security. Another objective would be
to find the type of information which is needed to be audited. Also, the auditor may evaluate
that the necessary controls and functions of the firm are being carried out in a specified
manner or not.
Internal audit proves to be helpful in the assessment of the ongoing fight of the firms with the
cyber attacks. They may prove to be successful by identifying the proper risks and thus
leading to help the firm find the ways of coming up with the flaws present in the system of
the firm (David, 2009). It also helps the board of directors to understand the possible ways by
which their firm may be affected by the various factors relating to the risks of the digital era.
The formulation of security enhancements in the firm may help it to develop the firm’s
capability of handling the cyber threats in an uncomplicated way. By performing an internal
audit various possible factors affecting the cybersecurity of the firm may be found. This
information can be used by the IT sector of the firm to improve its technology and prevent
the risks of cyber attacks (Christensen et.a l, 2016). Also, some people use to get valuable
additional information by performing maturity analysis approach which helps the firm to get
sudden visual references that gives clear information to the firm about the areas which it
needs to improve. Also, the information may be used to create paths which may help the firm
to fill the cyber security gaps thus helping it to improve its functioning. The five stages of
maturity — Initial, Managed, Defined, Predictable and Optimized helps the firm to know
about its progress and thus helping it to find the security advancements it needs to make in its
system (O'Brien & Marakas, 2009). This will help to complete the firm's target thus letting
the board of directors meet the desired maturity level it needed to achieve.

Information system
5. Audit Questions and Documents
Maintaining and enhancing security capabilities
Background checks – The ground procedure. The user of the system will be asked to
complete the ground check by providing the relevant credentials. A list will be
prepared of the employees who have an access to the system
Head approval – Does the access to data needs head approval?
Personal devices, mobile will be barred from storing sensitive data. To test the validity
of the process, the employees need to sign the paper and then carry personal devices.
The external devices will be banned from inserting into the computer.
Performing risk assessment – the risk and difficulties faced by the business will be
recorded and the extent of problem needs to be ascertained.
Does the organization have the appropriate tool to combat the cyber attack? What is
the frequency of attacks faced by the business?
The attacks faced by the business needs to be recorded and the same needs to be
ascertained. This will help to have a proper knowledge of the attacks encountered and
will enable to strengthen the system (Heeler, 2009).
6. Control Recommendations
Control environment
The control environment should rest on the values of the undertaking adhering to the
practice, as well as guidelines. The key process needs to be documented so that a proper
control is developed in a systematic manner (Gay & Simnet, 2015)
Risk assessment
It is recommended to have a risk assessment policy to identify and evaluate the risk that can
impact the attainment of the targets that are specified in nature so that those risks can be
eliminated (Gay & Simnet, 2015).
Control

Information system
It will comprise of automatic and manual reconciliation that will merge into the process with
the main aim of ensuring the accuracy of the financial reporting. The key method will even
consist of authorization and controlled mechanism (Heeler, 2009)

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Information system
7. Conclusion
There have been considerable increases in the cyber risks because of the increased frequency
of the types of information which have been provided over the internet. This information can
be used to gain substandard knowledge thus leading to the increase in such threats. Most of
the firms have already taken necessary actions for their prevention from the cyber risks by
combating the dangers thus leading to the companies’ appraisal in the cyber security
functions.

Information system
References
Barney, J. and Ray, G. (2015) How information technology resources can provide a
competitive advantage in customer service. Planning for Information Systems [online]. 3(2),
pp. 444-460. Available from
https://pdfs.semanticscholar.org/fe0d/ca770f19b8bbbfd7c84ea891c88ec5e8630c.pdf
Basta, A., Basta, N. and Brown, M. (2013) Computer security and penetration testing (2nd
ed.). Cengage Learning.
Carroll, J.M. (2014) Computer security (3rd ed.), Butterworth-Heinemann.
Christensen, C.M., Bartman, T. And Van Bever, D. (2016) The hard truth about business
model innovation [online]. Available from https://sloanreview.mit.edu/article/the-hard-truth-
about-business-model-innovation/. [Accessed 6 March 2018].
David, F.R. (2009) Strategic Management: Concept & Cases. NJ: Pearson Prentice Hall
Francen, E. (2014) The 5 W’s of Information Security [online]. Available from
http://www.frsecure.com/the-5-ws-of-information-security/ [Accessed 6 March 2018].
Gay, G. and Simnet, R. (2015). Auditing and Assurance Services. McGraw Hill
Hanson, D., Hitt, M., Ireland, R.D. and Hoskisson, R.E. (2011) Strategic Management:
Competitiveness and globalization. South Melbourne: Cengage Learning Australia
Heeler, D. (2009) Audit Principles, Risk Assessment & Effective Reporting. Pearson Press
Layton, T.P. (2007) Information Security: Design, Implementation, Measurement, and
Compliance. Auerbach Publication
Mcgalliard, T. (2018) How local government can prevent cyberattacks [online]. Available
from https://www.nytimes.com/2018/03/30/opinion/local-government-cyberattack.html?
rref=collection%2Ftimestopic%2FComputer%20Security%20(Cybersecurity)