Establishing a framework for security and control

Subject: Management Information System

Overview

General controls govern the design, security, and use of computer programs and the security of data files across an organization's entire IT infrastructure. They apply to every computerized application and consist of software, hardware, computer operations, data security, implementation, and administrative controls. Application controls are specific controls unique to each computerized application, such as payroll or order processing; they include both automated and manual procedures and are classified as input, processing, and output controls. Risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Not every risk can be quantified, but a business can and should identify the threats to which it is most exposed. Disaster recovery planning devises plans for restoring computing and communications services after they have been disrupted; business continuity planning focuses on restoring business operations after a disaster.

Establishing a Framework for Security and Control

Information System Control

Information systems rely on a combination of manual and automated controls. They fall into two categories:

General Control

General controls govern the design, security, and use of computer programs and the security of data files throughout the organization's IT infrastructure. They apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that together create the overall control environment. In short, general controls ensure that programmed procedures run as intended. The types of general control are:

  • Software Control
    • Monitor the use of system software and prevent unauthorized access to it. System software, such as the operating system, controls and manages computer resources so that application programs can run; software controls govern how that system software is used.
  • Hardware Control
    • Ensure that computer hardware is physically secure and check for equipment malfunction. Computer equipment must be physically secured so that only authorized users can reach it, and access to the rooms where computers are operated should be restricted to authorized personnel. Terminals and PCs can be kept in locked rooms or other restricted locations. Equipment must also be protected against extremes of heat, cold, and humidity. Organizations that are critically dependent on their computers must additionally plan for emergency backup in case of power failure.
  • Computer Operation Control
    • Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the processing and storage of data. They include controls over the setup of computer processing jobs and computer operations, backup controls, and recovery procedures for processing that ends abnormally.
  • Data security Control
    • Ensure that valuable business data files on disk or other storage media are not subject to unauthorized access, modification, or destruction. These controls must be in place both while the data files are in use and while they are held in storage. Data files are easier to control in batch systems, where access is limited to the operators who run the batch jobs, than in online systems, where many users can reach the data directly.
  • Implementation Control
    • Audit the systems development process at various points to ensure that it is properly controlled and managed.
  • Administrative Control
    • Formalize standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.

Application Control

Application controls are specific controls unique to each computerized application, such as payroll or order processing. They include both automated and manual procedures and ensure that only authorized data are completely and accurately processed by that application. They are classified as:

  • Input Control
    • Check data for accuracy and completeness when they enter the system. Specific input controls include input authorization, data conversion, data editing, and error handling.
  • Processing Control
    • Establish that data are complete and accurate during updating. The main processing controls are run control totals, computer matching, and programmed edit checks.
  • Output Control
    • Ensure that the results of computer processing are accurate, complete, and properly distributed. Typical output controls include balancing the totals of input, processing, and output, and reviewing computer processing logs to determine that all the right computer jobs executed properly.
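The following Go program is an added example written for this page; it is not code from the original text or from the Laudon textbook. It runs the input, processing, and output controls listed above over a constructed payroll batch: a header record carrying the authorizing supervisor code and the record count and hours total keyed by the originating department, followed by one record per employee. The supervisor codes, record layout, and 80-hour limit are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// BatchResult carries the figures the output control balances against and the
// exception report used for error handling.
type BatchResult struct {
	Accepted      int      // records that passed every input edit
	Rejected      []string // one line per rejected record, with the reason
	AcceptedHours int      // hundredths of an hour, to avoid float rounding
	HeaderCount   int      // record count keyed by the originating department
	HeaderHours   int      // run control total keyed by the originating department
	Balanced      bool     // accepted totals match the header totals
}

// Input authorization: only batches signed off by a known supervisor are processed.
// The supervisor codes are constructed for this example.
var authorizedSupervisors = map[string]bool{"SUP-017": true, "SUP-042": true}

// hundredths is the data conversion step: "37.50" becomes 3750.
func hundredths(s string) (int, error) {
	f, err := strconv.ParseFloat(strings.TrimSpace(s), 64)
	if err != nil || f < 0 {
		return 0, fmt.Errorf("%q is not a valid non-negative amount", s)
	}
	return int(math.Round(f * 100)), nil
}

// processBatch applies input and processing controls to one batch. The batch is a
// header line "H,<supervisor>,<count>,<total hours>" followed by "R,<employee id>,<hours>".
func processBatch(batch string) (BatchResult, error) {
	var res BatchResult
	lines := strings.Split(strings.TrimSpace(batch), "\n")
	h := strings.Split(lines[0], ",")
	if len(h) != 4 || h[0] != "H" {
		return res, fmt.Errorf("batch has no valid header record")
	}
	if !authorizedSupervisors[h[1]] {
		return res, fmt.Errorf("input authorization failed: unknown supervisor %q", h[1])
	}
	count, err1 := strconv.Atoi(h[2])
	total, err2 := hundredths(h[3])
	if err1 != nil || err2 != nil {
		return res, fmt.Errorf("header control totals are not numeric")
	}
	res.HeaderCount, res.HeaderHours = count, total
	for i, line := range lines[1:] {
		f := strings.Split(line, ",")
		reject := func(why string) { res.Rejected = append(res.Rejected, fmt.Sprintf("record %d: %s", i+1, why)) }
		// Data editing: structurally wrong or out-of-range records are rejected
		// and reported (error handling) rather than silently processed.
		if len(f) != 3 || f[0] != "R" {
			reject("malformed record")
			continue
		}
		hrs, err := hundredths(f[2])
		if err != nil {
			reject(err.Error())
			continue
		}
		if hrs > 80*100 {
			reject(f[2] + " hours exceeds the 80.00 limit")
			continue
		}
		res.Accepted++
		res.AcceptedHours += hrs
	}
	// Processing control: run control totals must reconcile with the header. Any
	// rejected record leaves the batch unbalanced, so the exception report must be
	// worked before the output is released.
	res.Balanced = res.Accepted == res.HeaderCount && res.AcceptedHours == res.HeaderHours
	return res, nil
}

// Constructed sample batch (not from the original page). The department keyed
// 250.50 hours over 5 records; one record is mis-keyed ("abc") and one claims
// 99 hours, so the batch will not balance.
const sampleBatch = `H,SUP-017,5,250.50
R,E1001,40.00
R,E1002,37.50
R,E1003,36.00
R,E1004,abc
R,E1005,99.00`

func main() {
	res, err := processBatch(sampleBatch)
	if err != nil {
		fmt.Println("batch refused:", err)
		return
	}
	// Output control: report the balancing figures next to the exception list.
	fmt.Printf("accepted %d/%d records, %d.%02d of %d.%02d hours, balanced=%v\n", res.Accepted,
		res.HeaderCount, res.AcceptedHours/100, res.AcceptedHours%100, res.HeaderHours/100, res.HeaderHours%100, res.Balanced)
	fmt.Println(strings.Join(res.Rejected, "\n"))
}
```

Hours are carried as integer hundredths so that control totals compare exactly; a batch whose header totals do not match the accepted records is flagged rather than released, which is the point of the run control total.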

Risk Assessment

Risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Not every risk can be quantified, but a business can identify the threats to which it is most exposed. Managers should evaluate the impact of each risk and build controls and policies that reduce risk and loss. For each threat this means knowing the probability of its occurrence, the range of potential loss, the value of the assets exposed, and the resulting expected annual loss (probability of occurrence multiplied by average loss).

Security Policy

  • A security policy ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving those goals.
  • It answers questions such as:
    • Which information assets are most critical to the firm?
    • Who in the firm generates and controls this information?
    • What security policies are already in place to protect it?

The security policy drives other policies:

  • Acceptable Use Policy (AUP)
    • Defines acceptable uses of the firm's information resources and computing equipment.
  • Authorization Policy
    • Determines the differing levels of access that users have to information assets.

Identity Management

Identity management consists of the business processes and software tools for identifying the valid users of a system and controlling their access to system resources.

  • Identifies and authorizes different categories of users.
  • Specifies which parts of the system each user may access.
  • Protects identities and authenticates users.

Identity management systems also record the access rules that apply to users at different levels.
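As an added example of the authorization policy and identity management material above (written for this page, not taken from the original text or the textbook), the Go program below records access rules for users at different levels and evaluates them deny-by-default. The roles, assets, and division-scoping rule are constructed assumptions: HR clerks may read and update payroll records for their own division only, managers may read payroll company-wide, and only medical staff may read medical records. Every decision is written to an audit log, which is what an MIS audit later reviews.

```go
package main

import "fmt"

// Action is what a user is trying to do with an information asset.
type Action string

const (
	Read   Action = "read"
	Update Action = "update"
)

// User is the identity established by authentication, plus the attributes
// the authorization policy scopes on.
type User struct{ Name, Role, Division string }

// Record is one row of a protected information asset (for example an
// employee's payroll record) tagged with the division it belongs to.
type Record struct{ Asset, Division string }

// Rule is one line of the authorization policy: the named role may perform the
// action on the asset, optionally only for records of the user's own division.
type Rule struct {
	Role, Asset string
	Action      Action
	OwnDivOnly  bool
}

// policy is constructed for this example (not from the original page).
var policy = []Rule{
	{"hr_clerk", "payroll", Read, true},
	{"hr_clerk", "payroll", Update, true},
	{"manager", "payroll", Read, false},
	{"medical_staff", "medical", Read, false},
}

// auditLog records every decision so an MIS audit can review who was granted
// or refused access to what.
var auditLog []string

// authorized is deny-by-default: access is granted only when some rule matches
// the user's role, the asset, the action and (if scoped) the division.
func authorized(u User, a Action, r Record) bool {
	granted := false
	for _, rule := range policy {
		if rule.Role != u.Role || rule.Asset != r.Asset || rule.Action != a {
			continue
		}
		if rule.OwnDivOnly && u.Division != r.Division {
			continue
		}
		granted = true
		break
	}
	auditLog = append(auditLog, fmt.Sprintf("%s (%s/%s) %s %s[%s]: granted=%v",
		u.Name, u.Role, u.Division, a, r.Asset, r.Division, granted))
	return granted
}

func main() {
	clerk := User{"dana", "hr_clerk", "Sales"}
	mgr := User{"lee", "manager", "Finance"}
	checks := []struct {
		u User
		a Action
		r Record
	}{
		{clerk, Update, Record{"payroll", "Sales"}},   // own division: granted
		{clerk, Update, Record{"payroll", "Finance"}}, // other division: refused
		{mgr, Read, Record{"payroll", "Sales"}},       // company-wide read: granted
		{mgr, Update, Record{"payroll", "Sales"}},     // no update rule: refused
		{clerk, Read, Record{"medical", "Sales"}},     // not medical staff: refused
	}
	for _, c := range checks {
		authorized(c.u, c.a, c.r)
	}
	for _, line := range auditLog {
		fmt.Println(line)
	}
}
```

The important design choice is that the absence of a matching rule is a refusal: a new asset or a new role gets no access until someone writes a rule for it, which is how an authorization policy keeps the principle of least privilege enforceable.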

Disaster Recovery Planning

Disaster recovery planning devises plans for restoring computing and communications services after they have been disrupted. Business continuity planning focuses on restoring business operations after a disaster. Both require the firm to:

  • Perform a business impact analysis to identify its most critical systems and the effect an outage would have on the business.
  • Have management decide which systems must be restored first.

MIS Audit

An MIS audit examines the firm's overall security environment as well as the controls governing individual information systems. It reviews technologies, procedures, documentation, training, and personnel, and may even simulate an attack or disaster to test the response of the technology, IS staff, and other employees. The audit lists and ranks all control weaknesses, estimates the probability of their occurrence, and assesses the financial and organizational impact of each threat.

Technologies and Tools for Protecting Information System

  • Identity Management Software
    • Automates the tracking of all users and their privileges across the firm: identifying users, protecting identities, and controlling access.
  • Authentication
    • Includes password systems, tokens, smart cards, and biometric authentication.
  • Firewall
    • A combination of hardware and software that prevents unauthorized users from accessing a private network. The firewall sits between the firm's private network and the public Internet and screens traffic against a set of rules.
  • Antivirus and Antispyware Software
  • Securing Wireless Networks
    • Assigning a unique name to the network's SSID and not broadcasting it. Note that hiding the SSID only keeps the network out of casual view; it does not stop a determined attacker from finding it, so it must be combined with encryption and authentication on the wireless link.
  • Encryption
    • Transforming plain text or data into cipher text that cannot be read by anyone other than the intended recipient. There are two main methods:
    • Symmetric Encryption
      • The sender and the recipient share a single secret key, used for both encryption and decryption.
    • Public Key Encryption
      • Two mathematically related keys: a public key, which is used for encryption, and a private key, kept secret by its owner and used for decryption.
  • Digital Certificate
    • A certification authority (CA) verifies the owner's identity, stores that information on its server, and issues a digitally signed certificate containing the owner's identification data and a copy of the owner's public key, so that anyone who trusts the CA can confirm that the public key belongs to the named owner.
  • Ensuring Software Quality
  • Securing Mobile Platform
    • Security policies should include and cover any special requirements for mobile devices.
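The Go program below is an added example for the encryption and digital certificate items above; it is written for this page and is not code from the original text or the textbook. It plays all three parties: a certification authority that issues a certificate binding an owner's identification data to the owner's public key; a sender who checks the certificate against the trusted CA and then uses both methods from the text, a fresh symmetric AES-256-GCM key for the message and the recipient's RSA public key to wrap that key; and the recipient, whose private key is the only thing that can unwrap it. The CA name, organization, and the recipient's address are constructed for the example, and the CA's identity verification of the owner is assumed to have happened out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates an RSA key pair; the public half goes into a certificate, the private half never leaves its owner.
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// sign creates and parses a certificate from tmpl; with parent == nil it is
// self-signed (the CA root), otherwise parent issues it with its key, signer.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA sets up the certification authority as a self-signed root (constructed name).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	cert, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &key.PublicKey, key)
	return cert, key, err
}

// issue is the CA step from the text: having verified the owner's identity (assumed done
// out of band), the CA signs a certificate binding the owner's ID data to the owner's public key.
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, owner string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: owner, Organization: []string{"Example Corp"}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment,
	}, ca, pub, caKey)
}

// Envelope is what the sender transmits: the wrapped AES key, the GCM nonce and the ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// encryptFor is the sender. It checks that the recipient's certificate chains to the
// trusted CA, then uses both methods from the text: a fresh AES-256-GCM key encrypts
// the message (symmetric) and the recipient's RSA public key wraps that key (public key).
func encryptFor(recipient, trustedCA *x509.Certificate, plaintext []byte) (*Envelope, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := recipient.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA public key")
	}
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, buf[32:], gcm.Seal(nil, buf[32:], plaintext, nil)}, nil
}

// decryptWith is the recipient: only the private key unwraps the AES key; GCM then
// decrypts and also rejects any ciphertext that was tampered with in transit.
func decryptWith(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	ca, caKey, _ := newCA()
	bobKey, _ := newKey()
	bobCert, _ := issue(ca, caKey, "bob@example.com", &bobKey.PublicKey)
	env, err := encryptFor(bobCert, ca, []byte("Q3 payroll file attached"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptWith(bobKey, env)
	fmt.Printf("recovered %q (err=%v)\n", pt, err)
}
```

Two checks in the sender are what make the certificate worth having: the chain to a trusted CA is verified before the public key inside it is used, and a certificate signed by any other CA is refused even if it names the same owner. The symmetric key is used once per message and travels only inside the RSA-OAEP wrapping, which is the usual way the two methods in the text are combined in practice.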

Reference

Laudon, K. C., and Laudon, J. P., Management Information Systems: Managing the Digital Firm, 12th edition.

Things to remember
  • Software Control
    • Monitor the use of system software and prevent unauthorized access to it.
  • Hardware Control
    • Ensure that computer hardware is physically secure and check for equipment malfunction.
  • Computer Operation Control
    • Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the processing and storage of data.
  • Data Security Control
    • Ensure that valuable business data files on disk or other storage media are not subject to unauthorized access, modification, or destruction.
  • Implementation Control
    • Audit the systems development process at various points to ensure that it is properly controlled and managed.
  • Administrative Control
    • Formalize standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
  • Input Control
    • Check data for accuracy and completeness when they enter the system.
  • Processing Control
    • Establish that data are complete and accurate during updating; the main processing controls are run control totals, computer matching, and programmed edit checks.
  • Output Control
    • Ensure that the results of computer processing are accurate, complete, and properly distributed.


© 2021 Saralmind. All Rights Reserved.