IS Security and Risk Management: An In-Depth Analysis Report
Added on 2021/04/21

Running head: IS SECURITY AND RISK MANAGEMENT
IS Security and Risk Management
Name of student
Name of University
Author’s Note
Executive Summary
The purpose of the study is to understand the IS model for an organization and to compare General Management Control and Application Control for the IS. The study evaluates several IS security and risk management techniques and finally explains the importance of IS auditing and of safeguarding data quality.
Table of Contents
Introduction..................................................................................................................................................2
IS model of an organization (MIS)..............................................................................................................2
Compare General Management Control and Application Control for IS....................................................3
Evaluation of IS related security and risk management techniques............................................................5
Importance of IS Auditing and Safeguarding Data Quality........................................................................8
Conclusion.................................................................................................................................................10
Introduction
The study presents the IS model for an organization. It then compares the general management controls and the application controls of an IS. After that, it evaluates the security and risk management techniques of IS. Finally, it explains the importance of IS auditing and of safeguarding data quality.
IS model of an organization (MIS)
A. T. Kearney has experience in transforming and improving its Management Information System (MIS). The company has the best possible information formats and MIS features, which provide accurate and up-to-date information for making valid decisions (Hu 2016). The MIS contains the expenses, sales figures, workforce data and investments made by the company over the past five years and provides accurate reports for making proper decisions. Since the MIS has a built-in feature for taking key decisions, a decision is influenced by the changes made to different variables (Arvidsson, Holmström and Lyytinen 2014). The organization can see the changes by reducing staff levels or increasing the promotion budget and observing what happens to revenue, profit and expenses. With the MIS, the company can construct a realistic scenario (Dwivedi et al. 2015). Any decision made by the project manager can result in modifications to the business strategy and the overall goals of the company. When the company makes a decision, it specifies a goal in the MIS and tracks the company's results by analyzing them and ensuring that they develop as planned. The MIS provides the data the company needs to determine the effect of the decision it made and whether the correct actions are being taken to achieve its goals (Khansa et al. 2017). Whenever the organization's goals are not on track, it can use the MIS to evaluate and decide to take additional measures for
that situation. The next section discusses the general management controls and application controls for IS.
Compare General Management Control and Application Control for IS
Computer systems are controlled by a set of well-designed information resources. These resources are of two types: general controls and application controls. General controls are a combination of software, hardware and manual procedures that create an overall control environment (Peter et al. 2016). General controls apply to all computerized applications. Application controls are unique to each computerized application (Wonham 2015).
General Controls
There are several types of general controls, which include physical hardware controls, data security controls, administrative controls, implementation controls, computer operations controls and software controls (Akyol et al. 2015). These controls are discussed one by one.
Software controls: These prevent unauthorized access to computer programs, system software and software programs (Mattos and Duarte 2016). They monitor where the system software is used. The control area of system software is very important because the overall control functions are performed for the programs in which data and files are processed (Fuggetta and Di Nitto 2014).
Hardware controls: These check for equipment malfunction and ensure that the computer hardware is physically secure (Kim, Kim and Park 2015). Thus, computer equipment should be protected from extremes of temperature, fire and
humidity. Since A. T. Kearney is a computer-dependent organization, it should make continued operation or backup provisions for constant service.
Computer operations controls: These oversee the work of the computer department to ensure that programmed procedures are correctly and consistently applied to data storage and data processing. For computer processing and computer operation jobs, the controls set up the recovery and backup procedures for abnormal processing.
Data security controls: These ensure that valuable business data files, on either tape or disk, are not subject to unauthorized change, access or destruction while the data are in storage and in use (Sundaram 2017).
Implementation controls: The systems development process is audited at various points to ensure that the process is controlled and properly managed. The systems development audit looks for formal reviews by users and management at the various stages of development, the level of user involvement at each implementation stage, and a formal cost-benefit methodology that establishes a feasible system. For a complete and thorough system with operations and user documentation, the audit must use techniques that assure the quality and control of program development, testing and conversion.
Administrative controls: Formalized standards, rules, procedures and control disciplines that ensure the organization's general controls and application controls are enforced and properly executed.
Application Controls
Application controls include manual and automated procedures to ensure that only authorized data are accurately and completely processed by the application. There are three types of application controls: 1) input controls, 2) output controls and 3) processing controls. Input controls check data for completeness and accuracy as they enter the system. Specific input controls exist for data conversion, input authorization, error handling and data editing. Processing controls ensure that data remain accurate and complete during updating. Run control totals, programmed edit checks and computer matching are used as processing controls. Output controls ensure that the results of computer processing are complete, accurate and properly distributed. Depending on the nature of the application and the importance of the data, some further types of application controls are discussed below.
Control totals (input, processing): Computer programs compute totals ranging from a simple document count to totals of quantity fields for input or processed transactions.
Edit checks (input): Programmed routines edit input data for errors before processing. Transactions that do not meet the edit criteria are rejected.
Computer matching (input, processing): Input data are matched against information in master or suspense files, and unmatched items are noted for investigation.
Run control totals (processing, output): The totals of transactions processed are balanced against the total number of input or output transactions.
Report distribution logs (output): Documentation specifies that authorized recipients receive their checks, reports or other critical documents.
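As an added illustration of the input, processing and output controls listed above (example code written for this edit, not part of the original report or of any A. T. Kearney system; the vendor master file, the transaction batch with its hand-prepared header totals and the recipient list are constructed sample data), the following Python script runs one batch of payment transactions through control totals, edit checks, computer matching, run control totals and a report distribution log:

```python
import datetime as dt

# Constructed master file of authorized vendor accounts (account -> vendor name).
MASTER_FILE = {"A-100": "Acme Supplies", "A-200": "Beta Logistics", "A-300": "Gamma Print"}

# Constructed input batch as it would arrive from data entry. The batch header
# carries the control totals that the submitting department prepared by hand.
BATCH = {
    "header": {"record_count": 5, "amount_total": 1460.00},
    "records": [
        {"id": "T1", "account": "A-100", "amount": 250.00, "date": "2021-03-02"},
        {"id": "T2", "account": "A-200", "amount": 410.00, "date": "2021-03-02"},
        {"id": "T3", "account": "A-999", "amount": 300.00, "date": "2021-03-03"},  # no master record
        {"id": "T4", "account": "A-300", "amount": -50.00, "date": "2021-03-03"},  # negative amount
        {"id": "T5", "account": "A-100", "amount": 550.00, "date": "2021-13-01"},  # impossible date
    ],
}

# Constructed list of authorized recipients for each output report.
RECIPIENTS = {"accepted": "Accounts Payable", "suspense": "Reconciliation clerk",
              "rejected": "Data entry supervisor"}


def amount_total(records):
    """Sum the amount field over a list of records, rounded to cents."""
    return round(sum(r["amount"] for r in records), 2)


def input_control_totals(batch):
    """Input control: recompute the record count and amount total of the batch
    and compare them with the control totals in the batch header."""
    records, header = batch["records"], batch["header"]
    count, total = len(records), amount_total(records)
    return {"count": count, "amount": total,
            "balanced": count == header["record_count"] and total == header["amount_total"]}


def edit_check(rec):
    """Input control: programmed edit routine. Returns the list of edit
    criteria the record fails; an empty list means the record passes."""
    errors = []
    if not rec.get("id"):
        errors.append("missing id")
    if not isinstance(rec.get("amount"), (int, float)) or rec["amount"] <= 0:
        errors.append("amount must be positive")
    try:
        dt.date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("invalid date")
    return errors


def process_batch(batch, master):
    """Processing controls over one batch. Records that fail an edit check are
    rejected; records whose account has no master-file entry go to a suspense
    list for investigation (computer matching); the rest are accepted. Run
    control totals then balance every record and amount back to the input."""
    accepted, suspense, rejected = [], [], []
    for rec in batch["records"]:
        errors = edit_check(rec)
        if errors:
            rejected.append((rec["id"], rec["amount"], errors))
        elif rec["account"] not in master:
            suspense.append((rec["id"], rec["amount"], "no master record for " + rec["account"]))
        else:
            accepted.append(rec)
    processed = amount_total(accepted)
    held = round(sum(s[1] for s in suspense), 2)
    dropped = round(sum(r[1] for r in rejected), 2)
    run_control = {
        "processed_amount": processed,
        "suspense_amount": held,
        "rejected_amount": dropped,
        "balanced": (len(accepted) + len(suspense) + len(rejected) == len(batch["records"])
                     and round(processed + held + dropped, 2) == amount_total(batch["records"])),
    }
    return {"accepted": accepted, "suspense": suspense, "rejected": rejected,
            "run_control": run_control}


def report_distribution_log(result, recipients=RECIPIENTS):
    """Output control: log which authorized recipient receives each report and
    how many records it contains, so that distribution can be verified later."""
    return [{"report": name, "recipient": recipients[name], "records": len(result[name])}
            for name in ("accepted", "suspense", "rejected")]


if __name__ == "__main__":
    print("input control totals:", input_control_totals(BATCH))
    result = process_batch(BATCH, MASTER_FILE)
    for name in ("accepted", "suspense", "rejected"):
        print(name, result[name])
    print("run control totals:", result["run_control"])
    for entry in report_distribution_log(result):
        print("distributed", entry)
```

The batch header balances with the input (five records, 1460.00), so the input control passes; the edit checks then reject T4 and T5, computer matching parks T3 in suspense, and the run control total still reconciles because accepted, suspense and rejected amounts (660 + 300 + 500) add back to the input total. A run that does not balance is the signal that records were lost or altered between input and processing.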
Evaluation of IS related security and risk management techniques
Evaluating an information security system involves identifying, gathering and analyzing the security functionality. The A. T. Kearney organization follows a process for security and risk management that identifies, mitigates and categorizes risks (Leveson 2015). The organization has a methodology that ensures a sound information security and risk management plan. The company is now going through a process that evaluates its IS security and risk management techniques. It is recommended to follow the steps below, which help to understand the risks and to create a plan accordingly.
1. Evaluate the scope of the infrastructure and information
The first and foremost task is to identify the scope of the information systems of the A. T. Kearney organization, which includes the hardware and software resources together with the data (Hackl et al. 2015). While evaluating the infrastructure, such as the CRM, legal, billing and many other systems, it is important to focus on the critical systems.
2. Understanding the threats and vulnerabilities
The organization may face various threats depending on its industry and geographical location. A threat-source may successfully exploit a particular vulnerability. The hardware and software vulnerabilities within the existing environment are listed, considering both intentional and unintentional threats. Intentional threats are caused, for example, by uploading malicious software to a system or network. As a result, a list of threats associated with the vulnerabilities can be understood.
3. Estimation of the impact
The adverse impact of a security event resulting from an actual or potential threat can be described in terms of the security goals of Availability, Integrity and Confidentiality. One can
classify it as high for an immediate impact, medium for a critical business impact and low for a limited impact.
4. Determining the risk
The risk of a threat or vulnerability is determined by the likelihood that the threat-source successfully exploits the vulnerability, by the magnitude of the impact, and by the adequacy of the security controls that mitigate, reduce or eliminate the risk.
The matrix below includes examples of threats and their possible impact:
Threat                                                             Impact  Risk
Software vulnerability on the internal billing system              High    Medium
Customer portal on the system two versions behind on patching      High    High
Software version updates for the general business admin server     Low     Low
Access-controlled development server not updated in 12 months      High    Medium
Table 1: IS security risk matrix
5. Planning the Controls
This is the final step, covering every control. Controls mitigate or eliminate the risks that have been identified and reduce the risk level of the IS environment. This final step completes the basic process of IT security risk evaluation. The results are shared with the A. T. Kearney organization, which is the key decision maker, and IS professionals present risk mitigation as an option for a business decision.
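Steps 2 to 5 above can be carried through as a small risk register. The Python script below is an added example for this edit, not a method from the report or from A. T. Kearney: the report gives only the impact and risk columns of Table 1, so the likelihood and control-adequacy values in the register, the one-level likelihood reduction for adequate controls, and the 3x3 matrix cut-offs are all assumptions chosen so that the computed risk column matches the table.

```python
# Ordinal scores for the three qualitative levels used in the report.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
NAME = {score: level for level, score in LEVEL.items()}


def effective_likelihood(likelihood, controls_adequate):
    """Step 4, control adequacy: adequate security controls lower the likelihood
    that a threat-source successfully exploits the vulnerability by one level
    (never below Low). The one-level reduction is an assumption of this example."""
    score = LEVEL[likelihood]
    if controls_adequate:
        score = max(1, score - 1)
    return NAME[score]


def risk_level(impact, likelihood):
    """Step 4, risk matrix: combine the impact magnitude (step 3) with the
    effective likelihood on a 3x3 matrix. Scores 1-2 are Low, 3-4 Medium and
    6-9 High; the cut-offs are an assumption of this example."""
    score = LEVEL[impact] * LEVEL[likelihood]
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def assess(register):
    """Turn a threat register into (threat, impact, risk) rows, the shape of
    Table 1 in the report."""
    rows = []
    for entry in register:
        likelihood = effective_likelihood(entry["likelihood"], entry["controls_adequate"])
        rows.append((entry["threat"], entry["impact"], risk_level(entry["impact"], likelihood)))
    return rows


def prioritize(rows):
    """Step 5, planning the controls: order the assessed threats from highest
    to lowest risk so that mitigation options are presented in that order."""
    return sorted(rows, key=lambda row: LEVEL[row[2]], reverse=True)


def render_matrix(rows):
    """Plain-text rendering of the assessed rows as a risk matrix."""
    width = max(len(row[0]) for row in rows)
    lines = [f"{'Threat':<{width}}  Impact  Risk"]
    for threat, impact, risk in rows:
        lines.append(f"{threat:<{width}}  {impact:<6}  {risk}")
    return "\n".join(lines)


# Constructed register: the four threats of Table 1 with assumed likelihood and
# control-adequacy values chosen so the matrix reproduces the table's Risk column.
REGISTER = [
    {"threat": "Software vulnerability on the internal billing system",
     "impact": "High", "likelihood": "Medium", "controls_adequate": True},
    {"threat": "Customer portal two versions behind on patching",
     "impact": "High", "likelihood": "High", "controls_adequate": False},
    {"threat": "Software version updates for the general business admin server",
     "impact": "Low", "likelihood": "Low", "controls_adequate": True},
    {"threat": "Access-controlled development server not updated in 12 months",
     "impact": "High", "likelihood": "Medium", "controls_adequate": True},
]

if __name__ == "__main__":
    rows = assess(REGISTER)
    print(render_matrix(rows))
    print("mitigation order:", [row[0] for row in prioritize(rows)])
```

Two of the register entries have the same High impact but end up at different risk levels only because of the likelihood and control-adequacy inputs, which is the point of step 4: impact alone does not fix the risk, and the adequacy of existing controls has to be recorded explicitly for the matrix to be reproducible.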
Importance of IS Auditing and Safeguarding Data Quality
Auditing is a critical measure that ensures the integrity of the IS (Rezaee et al. 2018). At its initial stage, IS auditing was an extension of traditional auditing. Government entities and professional organizations and associations recognized the need for IS auditing. Auditors realized that the capabilities of the computer had an impact on the attestation function. The computer is a key resource of the business environment, similar to the organization's other business resources. Therefore, the need for IS auditing is critical.
Early IS auditing drew from areas such as traditional auditing, which provides knowledge of internal control practices. Secondly, IS management provides the necessary methodologies for successful system design and implementation. Finally, the field of computer science provides knowledge of control concepts, theory, discipline and formal models for software and hardware design that maintain reliability, integrity and data validity.
Within the audit function, IS auditing has become an integral part of supporting the auditor's judgment about the quality of information processed through computer systems (Kim et al. 2017). Initially, auditors with IS audit skills were viewed as a technological resource for the audit staff, who looked to them for any kind of technical assistance. There are several types of audit within IS auditing, namely technical IS audits, organizational IS audits, implementation or development IS audits, application IS audits and compliance IS audits, the last of which involve international or national standards. The role of the IT auditor is to assure that controls are adequate and appropriate. The primary role of audit is to provide assurance that reliable and adequate internal controls are operating in an effective and efficient manner (Mustapha and Lai 2017). Thus, auditors assure and management ensures.
Thus, the IS auditing profession is characterized by its conduct, aims and qualities, by technical standards, a set of ethical rules and a professional certification program. Most IS auditing professionals believe that IS auditors will gain better empirical and theoretical knowledge by improving the research and education base of the IS audit function.
Data quality is important to business and government organizations for a number of reasons. High-quality data provide a competitive advantage and are a unique business asset. At the same time, customer satisfaction is reduced by poor-quality data. Poor data lower employee job satisfaction and result in a loss of process knowledge, which leads to excessive turnover. Poor-quality data also undermine improvement efforts and can breed organizational mistrust. Moreover, with poor-quality data the financial condition of a business is impossible to determine. All levels of government, including the military, need high-quality data for their operations and counter-terrorism efforts. Local government needs high-quality data to assess individuals' residences for real estate tax purposes. In one study, an insurance company could not obtain an accurate estimate of its insurance-in-force because of poor-quality data. The consequence was a miscalculation of the premium income and of the loss amount required for future insurance claims.
Thus, to obtain high-quality data, it is preferable to keep bad data out of the database or list in the first place. To do this, the system edits data as they are entered into the database or list, and the organization's staff are encouraged to use a wide variety of methods to improve the entire process. The next way is to proactively detect bad data that have already entered the database. For this, the data analyst looks for data quality problems. The basic understanding needed for such
process are: 1) the structure of the database or list, 2) the subject matter and 3) the data analysis methodology. The collected data are then used by authorized persons.
Conclusion
From the above study it is concluded that the MIS has better features, with up-to-date information. The organization can see the changes by implementing the MIS model and track the company's results by analyzing them and ensuring that they develop as planned. Secondly, IS auditing has become an integral part of supporting the auditor's judgment about the quality of information processed through computer systems. Finally, it was understood that data quality is key to safeguarding and improving the information system. With considerable analysis and experience, the study presents ways to safeguard and improve data quality. It identifies what high-quality data are and discusses how an organization can obtain them.
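The two approaches described above for safeguarding data quality, editing data as they enter the database and proactively detecting bad data that are already stored, can be shown side by side on one table. The Python script below is an added example written for this edit, not code from the report or from any organization it describes; the customer table, the list of valid countries and the edit rules are constructed for the illustration, and an in-memory SQLite database stands in for the production database.

```python
import datetime as dt
import re
import sqlite3

# Constructed reference data: the countries the business operates in (assumption).
VALID_COUNTRIES = {"US", "GB", "DE"}
# Deliberately simple e-mail shape check: one "@" and a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Column order used throughout: (id, name, email, country, signup_date).
SCHEMA = ("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
          "country TEXT, signup_date TEXT)")
INSERT = "INSERT INTO customer VALUES (?,?,?,?,?)"


def validate_row(row, valid_countries=VALID_COUNTRIES):
    """Edit rules for one customer row. Returns the names of the rules the row
    violates; an empty list means the row is clean."""
    _, name, email, country, signup_date = row
    problems = []
    if not name or not name.strip():
        problems.append("missing_name")
    if not EMAIL_RE.match(email or ""):
        problems.append("malformed_email")
    if country not in valid_countries:
        problems.append("unknown_country")
    try:
        dt.date.fromisoformat(signup_date or "")
    except ValueError:
        problems.append("invalid_date")
    return problems


def gated_insert(conn, row, valid_countries=VALID_COUNTRIES):
    """Keep bad data out: the row is stored only if it passes every edit rule.
    Returns True when stored, False when rejected."""
    if validate_row(row, valid_countries):
        return False
    conn.execute(INSERT, row)
    conn.commit()
    return True


def load_sample_db():
    """Constructed legacy table, loaded without the gate so that it already
    holds bad rows, as a database populated before the edits existed would."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(INSERT, [
        (1, "Ann Lee", "ann@example.com", "US", "2020-05-01"),
        (2, "Bob Ray", "bob@example.com", "GB", "2020-06-15"),
        (3, "", "carl@example.com", "US", "2020-07-01"),          # missing name
        (4, "Dee Fox", "dee-at-example.com", "US", "2020-08-09"),  # malformed e-mail
        (5, "Ed Kim", "ed@example.com", "XX", "2020-09-30"),       # unknown country
        (6, "Bob Ray", "bob@example.com", "GB", "2020-06-15"),     # duplicate of row 2
        (7, "Fay Wu", "fay@example.com", "US", "2021-02-30"),      # impossible date
    ])
    conn.commit()
    return conn


def scan_existing(conn):
    """Detect bad data already in the database: re-apply the edit rules to every
    stored row and use SQL to find rows whose e-mail already appears on an
    earlier row. Returns the offending row ids per rule."""
    report = {"missing_name": [], "malformed_email": [], "unknown_country": [], "invalid_date": []}
    for row in conn.execute("SELECT id, name, email, country, signup_date FROM customer ORDER BY id"):
        for problem in validate_row(row):
            report[problem].append(row[0])
    report["duplicate_email"] = [i for (i,) in conn.execute(
        "SELECT id FROM customer c WHERE EXISTS "
        "(SELECT 1 FROM customer o WHERE o.email = c.email AND o.id < c.id) ORDER BY id")]
    return report


def quality_summary(conn):
    """Share of stored rows that are clean, the figure a data analyst would
    report before and after a clean-up."""
    total = conn.execute("SELECT COUNT(*) FROM customer").fetchone()[0]
    bad_ids = {i for ids in scan_existing(conn).values() for i in ids}
    return {"rows": total, "bad_rows": len(bad_ids),
            "clean_fraction": round((total - len(bad_ids)) / total, 2)}


if __name__ == "__main__":
    conn = load_sample_db()
    for rule, ids in scan_existing(conn).items():
        print(f"{rule:16} {ids}")
    print(quality_summary(conn))
    print("gate accepts clean row:", gated_insert(conn, (8, "Gus Orr", "gus@example.com", "DE", "2021-01-05")))
    print("gate rejects bad row:", gated_insert(conn, (9, "", "hal@example.com", "US", "2021-01-06")))
```

The same edit rules serve both purposes: applied in `gated_insert` they stop bad rows at the door, and re-applied in `scan_existing` they find the rows that got in before the rules existed. Only the duplicate check needs the database itself, because a single row cannot be judged a duplicate without seeing the others.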