SBM4304 IS Security and Risk Management: Controls and Techniques

Verified

Added on 2023/06/08

AI Summary

This essay provides a detailed analysis of Information Systems (IS) security and risk management, focusing on the types of IS controls, including general and application controls, and their differences. It highlights various security and risk management techniques essential for ensuring the availability, reliability, confidentiality, integrity, and security of digital business processes. The essay also explores the role of auditing in supporting data quality by identifying and addressing data problems, such as duplications and security threats, thereby improving the overall quality and financial performance of an organization. The paper concludes that information system controls play an essential role in safeguarding information resources.

A ec rit and i Mana ementRUNNING HE D: IS S u y R sk g
ec rit and i Mana ementIS S u y R sk g

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

ec rit and i Mana ementIS S u y R sk g 1
The term information system can be defined as the study of systems with special reference to
networks of hardware and software and information utilized by organization and people for
collecting, filtering, processing, creating and distribution of data (Falkenberg, Hesse & Olive,
2016). In order to ensure the performance of information systems in accordance with the
management standards, certain manual and automated measures are used. The information
resources are protected with the help of controls which are a set of methods, policies and
organizational procedures. These controls play an important role in ensuring that the operations
of the organization are in adherence with the management standards. Moreover, these controls
ensure that the accounting records are accurate and reliable, and that the operational assets are
safe (Webb, Ahmad, Maynard & Shanks, 2014). The focus of this essay is on the types of
information system control along with analyzing the difference between general management
control and application control. Certain security and risk management techniques are also
highlighted in this essay which can be utilized for ensuring availability, reliability,
confidentiality, integrity and security of the digital business processes. Furthermore, this essay
provides how auditing supports data quality.
In earlier days, information system controls were not so popular and was addressed only before
system installation. Nowadays, the dependency on such controls for information systems have
increased for which vulnerabilities and threats are required to be identified in advance.
Information system controls are the most important aspect of the design of the system due to
which adequate attention is required to be given to these controls throughout the system’s
lifespan (Tsohou, Karyda, Kokolakis & Kiountouzis, 2015).
There are two types of information system controls namely general controls and application
controls. General controls are responsible for managing the data files security in the entire
organization along with regulating the design, security and use of different computer programs.
In other words, general controls aim at the creation of complete control environment by using the
mixture of system software and certain manual procedures (Soomro, Shah & Ahmed, 2016).
These general controls are applicable in case of every computerized application. General controls
include data security controls, software controls, computer operations control, implementation
process control, administrative controls and physical hardware controls. Different functions are
performed by different types of general controls such as controlling data centre, network

ec rit and i Mana ementIS S u y R sk g 2
operations, protecting computer from the occurrence of fraudulent actions, ensuring file security
and securing equipment, asset or property efficiency.
As far as the application controls are concerned, they cannot be generally applied to every
computerized application which requires them to be unique. In other words, application controls
are controls that are specific such as payroll, accounts receivable and order processing. Input,
output and processing controls are included in application controls. All these controls are
responsible for performing different functions (Sadgrove, 2016). Accuracy, validity and
completeness of information being processed by the computer is assured with the help of input
controls. Similarly, the accuracy, validity and completeness of the computer generated data is
ensured with the help of output controls. Processing controls manage the data which is input into
the computer by ensuring its accurate processing. Other than this, some other application
controls are responsible for the regulation of the information that belongs to the master file.
When these two types of information system controls are compared, it can be concluded that the
function performed by both these controls is different but ultimately both are responsible for
controlling the computer systems. The difference lies in the fact that general controls can be
applied in almost every organizational area while application controls are specific to every
application. Another difference is in the objectives of both types of control. General control
ensures the integrity of computer operations and data programs along with proper application
implementation and development. On the other hand, application control ensures information
completeness, maintenance, accuracy and validity along with providing timely updates (White,
Fisch & Pooch, 2017).
The need for setting up security and risk management techniques has subsequently increased due
to the digitalization of the business processes. Such techniques have the capability of ensuring
the integrity, confidentiality, security and reliability of such processes. Management of risk plays
an integral part in the digital business processes. Risk management process allows identifying the
potential risk and threats to the information resources in advance so that proper action can be
taken before it actually affects the information resources (Rahman, Islam & Ameer, 2015). Risk
management also assists the organization in achievement of the organizational goals and
enhances its decision making capabilities regarding countermeasures which can reduce the level
of risk to the information resources. With the help of risk management techniques, the risk is not

ec rit and i Mana ementIS S u y R sk g 3
eliminated but is reduced to an acceptable level such that the operational activities of the
organization do not get affected. The securities and risk management techniques can easily
identify the risks to information, assets and people and can also provide the required protection
by reducing or removing the risks along with effectively accepting the responsibility for the risk
that still remains untreatable. Such techniques determine in advance the risk tolerance level of
the organization which is kept in mind throughout the process of risk management (Nazareth &
Choi, 2015). The technique further provides that the security risk management can be effectively
undertaken only when it is undertaken by the entire organization through all the staff members.
The technique should be developed by the business after properly understanding the current
business conditions of the organization and by considering the risk profile and appetite of such
organization. The technique should also involve a descriptive annual plan and should adequately
identify the capabilities on the basis of input and management guidance (Jang & Kim, 2016).
Cryptography is the most common method which is used for the purpose of supporting the
confidentiality and integrity of data. With the help of enforcing file permissions and access
control lists, the confidentiality of the data is protected and sensitive information is secured from
any kind of unauthorized access. Hashing of data is also a commonly used technique for
protecting the integrity of data (Lee, 2014). While signing of the data digitally, certain
techniques can be used so that it remains secured. Encryption technique can also be used for
protecting data confidentiality. Encryption of the data will ensure that the data is not accessed by
authorized individuals and can be read only by the person who has the key for decrypting the
data. Security of the data can be ensured and the data can be protected from potential risks when
site back- up is taken o timely basis. It will ensure that back- up data is available even when the
system or hard drive suffers from any damage. Such back- up should also be made available on
some off- site location so that the damage to the primary data does not affect the operations and
functioning of the organization (Feng, Wang & Li, 2014).
Employee behavior plays a key role in establishing an information security culture within an
organization, therefore, the organization should aim at bringing the required changes within their
behavior. Certain steps are required to be followed for the purpose of establishing an information
security culture in an organization which includes proper evaluation, operative and strategic
planning, implementation and post evaluation. In most of the organizations, risk management is

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

ec rit and i Mana ementIS S u y R sk g 4
considered to be an enterprise- wide issue where each and every individual working with the
organization is accountable for the security of the data including the leaders (Mayer, Grandry,
Feltus & Goettelmann, 2015). Every individual also has their own role within which they have to
ensure that security risk is being properly managed. For achieving this, proper training is to be
provided to every individual working with the organization so that they can understand the
manner in which the security goals can be achieved. Furthermore, data quality will automatically
improve when it will get audited by an IS auditor on yearly or half yearly basis (Bulgurcu,
Cavusoglu & Benbasat, 2010).
Auditing is very important for the purpose of enhancing the quality of data as it covers each and
every aspect of the information system by way of inspection. When the IS auditor completes the
audit process, the chances of errors in the system are reduced to minimum and the data quality is
improved. However, this is achieved after following a long process. First of all, the selection of
audit approach is made which is followed in the entire audit process for maintain harmony in the
results. Moreover, audit approach is selected by keeping in mind the given situation and the
requirements of the audit process. The audit process involve a lot of activities such as conducting
interviews of the important individuals, visiting data center and different branches, establishing
the audit criteria, etc. These points will also be included in the documentation done for the
purpose and will assist in making the identification of the high risk areas (Dreyfuss & Giat,
2016). Furthermore, the information sources are also required to be identified on which the audit
report will be based. Such information sources include past audit reports of the organization,
system flows, network maps, etc. Then the risk assessment is performed with regard to the
purpose of the business and the environment in which the operations of the business takes place.
Then the IS auditor performs the function of documenting the risk along with its expected
outcome, probable occurrence, nature and the controls which can assist in effectively addressing
of risk. The scope of final audit is determined on the basis of risk assessment results, currently
used internal controls and objectives of the audit. These results are then combined with some
strategies with the help of which the audit objectives will be achieved. Therefore, audit help in
the determination of any problems faced by the data of the system and allows to take required
steps for addressing such problems on time (Bamakan & Dehghanimohammadabadi, 2015).

ec rit and i Mana ementIS S u y R sk g 5
In simple words, audit enhances the quality of data possessed by the system by identifying and
eliminating all the outdated information and making on- time identification of risks to its
security. This allows an organization to save large amount of funds and focusing on offering
greater level of satisfaction to the customers. Ultimately, the financial performs of the
organization also improves in the market. Information system audit, therefore, assists in the
minimization of duplication of data and identifies any threats to its security in advance.
Therefore, the data quality is improved when its confidentiality, integrity and accuracy is ensured
(Dubois, Heymans, Mayer & Matulevicius, 2010).
Therefore, it can be concluded that information system controls play the most essential role in
safeguarding the information resources. Controls ensure that the operations of the organization
are in adherence with the management standards. Moreover, they also ensure that the accounting
records are accurate and reliable, and the operational assets are safe. General management
controls and application controls are responsible for effectively controlling the computer
systems. The focus of this assignment was on the types of information system controls i.e.
general controls and application controls along with making comparison between them.
Moreover, the essay highlighted certain security and risk management techniques which can be
utilized for ensuring availability, reliability, confidentiality, integrity and security of the digital
business processes. Furthermore, the essay demonstrated how data quality is improved by audit.
Data quality can be ensured with the help of early identification of data problems such as
duplications and allows to take needed steps on time so that the quality can be ensured.

ec rit and i Mana ementIS S u y R sk g 6
References
Bamakan, S. M. H., & Dehghanimohammadabadi, M. (2015). A weighted Monte Carlo
simulation approach to risk assessment of information security management
system. International Journal of Enterprise Information Systems (IJEIS), 11(4), 63-78.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an
empirical study of rationality-based beliefs and information security awareness. MIS
quarterly, 34(3), 523-548.
Dreyfuss, M., & Giat, Y. (2016). Identifying security risk modules in a university’s information
system. In Proceedings of Informing Science & IT Education Conference (Vol. 2016, pp. 41-51).
Dubois, E., Heymans, P., Mayer, N., & Matulevicius, R. (2010). A systematic approach to define
the domain of information system security risk management. In Intentional Perspectives on
Information Systems Engineering (pp. 289-306). Springer, Berlin, Heidelberg.
Falkenberg, E. D., Hesse, W., & Olive, A. (2016). Information System Concepts: Towards a
consolidation of views. Springer.
Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems:
Causal relationships of risk factors and vulnerability propagation analysis. Information
sciences, 256, 57-73.
Jang, J. Y., & Kim, C. N. (2016). An Analysis of the Effects of Knowledge Complementarities
on the Performance of Information System Audit: A Perspective of the Resident Audit in the
Project Office. Journal of the Korea society of IT services, 15(1), 113-129.
Lee, M. C. (2014). Information security risk analysis methods and research trends: AHP and
fuzzy comprehensive method. International Journal of Computer Science & Information
Technology, 6(1), 29.
Mayer, N., Grandry, E., Feltus, C., & Goettelmann, E. (2015). Towards the ENTRI framework:
security risk management enhanced by the use of enterprise architectures. In International
Conference on Advanced Information Systems Engineering (pp. 459-469). Springer, Cham.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

ec rit and i Mana ementIS S u y R sk g 7
Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security
management. Information & Management, 52(1), 123-134.
Rahman, A. A. L. A., Islam, S., & Ameer, A. N. (2015). Measuring sustainability for an effective
information system audit from public organization perspective. In Research Challenges in
Information Science (RCIS), 2015 IEEE 9th International Conference on (pp. 42-51). IEEE.
Sadgrove, K. (2016). The complete guide to business risk management. Routledge.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more
holistic approach: A literature review. International Journal of Information Management, 36(2),
215-225.
Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of
information security awareness programmes in organisations. European Journal of Information
Systems, 24(1), 38-58.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for
information security risk management. Computers & security, 44, 1-15.
White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC
press.