Info Systems Security Controls

Threat = potential adverse occurrence or unwanted event that could be damaging to the IS or organization

Exposure = potential money loss due to the threat

Risk = the chance (probability) that a threat will occur; more generally, any exposure to the chance of injury or loss.

Controls = an activity performed to minimize or eliminate a risk.

Risk Assessment:

  1. Identify Threats (strategic, operating, financial losses, information errors)
  2. Estimate Risk (likelihood of occurrence); this is usually the hardest step to estimate.
  3. Estimate Exposure (money losses)
  4. Identify Controls
  5. Estimate Expected Loss, Costs, and Benefits
  6. Determine Cost/Benefit Effectiveness
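The six steps above can be carried through as a small calculation. The following is an added example (not part of the original notes): expected loss = risk (probability) x exposure (money loss), the benefit of a control is the reduction in expected loss, and a control is cost-effective when that benefit exceeds its cost. The threat, the two candidate controls and all figures are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """Step 1 (identify) with the estimates from steps 2 and 3 attached."""
    name: str
    probability: float  # step 2: estimated likelihood of occurrence per year
    exposure: float     # step 3: estimated money loss if the threat occurs

    def expected_loss(self) -> float:
        # Step 5: expected loss before any control = probability x exposure
        return round(self.probability * self.exposure, 2)


@dataclass(frozen=True)
class Control:
    """Step 4: a candidate control and its estimated effect on the threat."""
    name: str
    annual_cost: float
    residual_probability: float  # likelihood once the control is in place
    residual_exposure: float     # money loss once the control is in place

    def residual_expected_loss(self) -> float:
        return round(self.residual_probability * self.residual_exposure, 2)


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Step 5: expected loss, benefit (loss reduction) and net benefit of one control."""
    before = threat.expected_loss()
    after = control.residual_expected_loss()
    benefit = round(before - after, 2)
    return {
        "control": control.name,
        "expected_loss_before": before,
        "expected_loss_after": after,
        "benefit": benefit,
        "cost": control.annual_cost,
        "net_benefit": round(benefit - control.annual_cost, 2),
    }


def cost_effective_controls(threat: Threat, controls: list[Control]) -> list[str]:
    """Step 6: keep only controls whose benefit exceeds their cost, best first."""
    results = [evaluate_control(threat, c) for c in controls]
    worthwhile = [r for r in results if r["net_benefit"] > 0]
    worthwhile.sort(key=lambda r: r["net_benefit"], reverse=True)
    return [r["control"] for r in worthwhile]


# Constructed sample figures (not from any real assessment)
THREAT = Threat("unauthorized modification of payroll data", probability=0.10, exposure=500_000)
CONTROLS = [
    # Cheaper control: cuts the likelihood to 2%, exposure unchanged
    Control("input validation + access logging", annual_cost=8_000,
            residual_probability=0.02, residual_exposure=500_000),
    # Expensive control: cuts the likelihood to 0.5%, but costs more than it saves
    Control("outsourced 24x7 monitoring", annual_cost=60_000,
            residual_probability=0.005, residual_exposure=500_000),
]

if __name__ == "__main__":
    for control in CONTROLS:
        print(evaluate_control(THREAT, control))
    print("cost-effective:", cost_effective_controls(THREAT, CONTROLS))
```

With these figures the expected loss is 50,000 per year; the first control reduces it to 10,000 for a cost of 8,000 (net benefit 32,000), while the second reduces it to 2,500 but costs 60,000, so its net benefit is negative and step 6 rejects it.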

Control Activities

Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives. Controls have various objectives and may be applied at various organizational and functional levels.

Preventive: controls focus on preventing an error or irregularity.

Detective: controls focus on identifying when an error or irregularity has occurred.

Corrective: controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.

Physical controls include security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization’s records.

Information processing controls are used to check accuracy, completeness, and authorization of transactions.

  • General controls cover data center operations, systems software acquisition and maintenance, access security, and application systems development and maintenance. This includes:

Security Plan: Who, What, When, Where

Segregation of Duties within the Systems Functions

Project Development Control: scheduling

Physical Access Controls: access to the site and equipment

Logical Access Controls: access to the system

Data Storage Controls: data protection

Data Transmission Controls: data encryption

Documentation Standards: procedures for data processing

Minimizing System Downtime: preventive maintenance

Disaster Recovery Planning: backup, contingent sites

Protection of Personal Server and Client/Server Networks: inventory and access logs

Internet Control: intranet, firewall

  • Application controls apply to the processing of a specific application, like running a computer program to prepare employees' payroll checks each month.

Source Data Controls: accuracy, validity, completeness of data sources

Input Validation Routines: accuracy and validity of input data as it is entered into the system

On-line Data Entry Controls: validity, integrity of on-line transaction data

Data Processing and File Maintenance Controls: currency checks, matching, exception reports

Output Controls: distribution list, shredder
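The application controls listed above, taken together, are what a validation routine in a payroll program actually does. The following is an added example (not code from the original notes): it runs completeness, field-format, validity (matching against a master file), range, currency and authorization checks over a batch of entered transactions, checks the batch control total, and produces the exception report that the data processing controls call for. The employee master file, the approver list, the pay period and the transactions are all constructed sample data.

```python
import re

# Constructed reference data standing in for the application's master files
EMPLOYEE_MASTER = {"E1001", "E1002", "E1003", "E1004"}
AUTHORIZED_APPROVERS = {"M200", "M201"}
PAY_DATE = "2024-03-29"   # current pay period (currency check)
MAX_HOURS = 80            # range (limit) check on hours worked
MIN_RATE, MAX_RATE = 10.0, 150.0

# Constructed batch of on-line entered payroll transactions; only the first is clean
SAMPLE_BATCH = [
    {"emp_id": "E1001", "hours": "40", "rate": "25.00", "pay_date": "2024-03-29", "approved_by": "M200"},
    {"emp_id": "E1002", "hours": "95", "rate": "25.00", "pay_date": "2024-03-29", "approved_by": "M200"},
    {"emp_id": "X999",  "hours": "38", "rate": "25.00", "pay_date": "2024-03-29", "approved_by": "M200"},
    {"emp_id": "E1003", "hours": "40", "rate": "",      "pay_date": "2024-03-29", "approved_by": "M200"},
    {"emp_id": "E1004", "hours": "40", "rate": "25.00", "pay_date": "2024-03-29", "approved_by": ""},
    {"emp_id": "E1005", "hours": "40", "rate": "25.00", "pay_date": "2024-02-29", "approved_by": "M777"},
]
BATCH_CONTROL_TOTAL_HOURS = 293.0  # hash/control total written on the batch header


def _number(value: str):
    """Return the numeric value of a field, or None if it is blank or not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def validate(txn: dict, pay_date: str = PAY_DATE) -> list:
    """Input validation routine: returns the list of control violations (empty = accept)."""
    errors = []
    # Completeness check: every required field must be present
    for field in ("emp_id", "hours", "rate", "pay_date", "approved_by"):
        if not txn.get(field):
            errors.append(f"{field}: missing")
    # Field (format) check, then validity check by matching against the master file
    emp = txn.get("emp_id", "")
    if emp:
        if not re.fullmatch(r"E\d{4}", emp):
            errors.append("emp_id: invalid format")
        elif emp not in EMPLOYEE_MASTER:
            errors.append("emp_id: no matching master record")
    # Range (limit) and numeric checks
    for field, low, high in (("hours", 0.0, MAX_HOURS), ("rate", MIN_RATE, MAX_RATE)):
        raw = txn.get(field)
        if raw:
            val = _number(raw)
            if val is None:
                errors.append(f"{field}: not numeric")
            elif not (low < val <= high):
                errors.append(f"{field}: {raw} outside range {low}-{high}")
    # Currency check: the transaction must belong to the current pay period
    if txn.get("pay_date") and txn["pay_date"] != pay_date:
        errors.append("pay_date: not the current pay period")
    # Authorization check
    approver = txn.get("approved_by", "")
    if approver and approver not in AUTHORIZED_APPROVERS:
        errors.append("approved_by: not an authorized approver")
    return errors


def batch_total_matches(batch: list, expected_hours: float) -> bool:
    """Batch control total: sum of hours entered must equal the batch header total."""
    entered = sum(_number(t.get("hours")) or 0.0 for t in batch)
    return abs(entered - expected_hours) < 1e-9


def process(batch: list, pay_date: str = PAY_DATE) -> tuple:
    """Split a batch into accepted transactions and (transaction, errors) exceptions."""
    accepted, exceptions = [], []
    for txn in batch:
        errors = validate(txn, pay_date)
        (exceptions if errors else accepted).append((txn, errors) if errors else txn)
    return accepted, exceptions


def exception_report(exceptions: list) -> str:
    """Exception report for review by someone other than the data entry clerk."""
    lines = [f"EXCEPTION REPORT - {len(exceptions)} rejected transaction(s)"]
    for txn, errors in exceptions:
        lines.append(f"{txn.get('emp_id') or '<blank>'}: " + "; ".join(errors))
    return "\n".join(lines)


if __name__ == "__main__":
    ok, bad = process(SAMPLE_BATCH)
    print("batch total check:", batch_total_matches(SAMPLE_BATCH, BATCH_CONTROL_TOTAL_HOURS))
    print("accepted:", [t["emp_id"] for t in ok])
    print(exception_report(bad))
```

Of the six transactions only E1001 is accepted; the others each trip at least one check (hours out of range, bad ID format, missing rate, missing approver, and for the last record both an unmatched employee and a prior-period date plus an unknown approver). The batch control total matches because all entered hours were keyed correctly; a mismatch would flag a keying error even when every individual field passed its own check.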