Info Systems Security Controls
Threat = a potential adverse occurrence or unwanted event that could be damaging to the IS or the organization.
Exposure = the potential money loss due to the threat.
Risk = the chance (probability) that a threat will occur; more generally, any exposure to the chance of injury or loss.
Controls = activities performed to minimize or eliminate a risk.
- Identify Threats (strategic, operating, financial losses, information errors)
- Estimate Risk (likelihood of occurrence); this is the most difficult step to estimate.
- Estimate Exposure (money losses)
- Identify Controls
- Estimate Expected Loss, Costs, and Benefits
- Determine Cost/Benefit Effectiveness
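The six steps above carried through in code, as an added example that is not part of these notes; the threat, its risk and exposure figures, and the two candidate controls with their costs and residual risks are constructed for illustration.

```python
# Added example (not from the notes): cost/benefit evaluation of candidate controls; all figures are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    exposure: float  # step 3: money loss if the threat occurs
    risk: float      # step 2: estimated probability of occurrence per year

    def expected_loss(self) -> float:
        # step 5: expected loss = risk x exposure (rounded to cents)
        return round(self.risk * self.exposure, 2)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # step 5: cost of operating the control for one year
    residual_risk: float  # probability that remains once the control is in place

def evaluate_control(threat: Threat, control: Control) -> dict:
    """Step 6: the benefit of a control is the reduction in expected loss;
    it is cost-effective only when that benefit exceeds the control's cost."""
    before = threat.expected_loss()
    after = round(control.residual_risk * threat.exposure, 2)
    benefit = round(before - after, 2)
    net_benefit = round(benefit - control.annual_cost, 2)
    return {"expected_loss_before": before, "expected_loss_after": after,
            "benefit": benefit, "net_benefit": net_benefit, "cost_effective": net_benefit > 0}

def best_control(threat: Threat, controls: list):
    """Return the control with the largest positive net benefit, or None when
    no control pays for itself (accepting the risk is then the cheaper option)."""
    ranked = sorted(controls, key=lambda c: evaluate_control(threat, c)["net_benefit"], reverse=True)
    top = ranked[0] if ranked else None
    return top if top is not None and evaluate_control(threat, top)["cost_effective"] else None

# Constructed sample data: one threat and two candidate controls.
THREAT = Threat("unauthorized wire transfer", exposure=500_000.0, risk=0.02)
CONTROLS = [
    Control("dual authorization of transfers", annual_cost=6_000.0, residual_risk=0.005),
    Control("round-the-clock transaction monitoring", annual_cost=30_000.0, residual_risk=0.002),
]

if __name__ == "__main__":
    for c in CONTROLS:
        print(c.name, evaluate_control(THREAT, c))
    chosen = best_control(THREAT, CONTROLS)
    print("recommended:", chosen.name if chosen else "accept the risk")
```

With these figures the cheaper control is worth adopting (net benefit 1,500 per year) while the more thorough one costs more than the loss it avoids, which is the point of the last step: a control is justified by its net benefit, not by how much risk it removes.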
Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives. Controls have various objectives and may be applied at various organizational and functional levels.
Preventive: controls that focus on preventing an error or irregularity.
Detective: controls that focus on identifying when an error or irregularity has occurred.
Corrective: controls that focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
Physical controls include security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization’s records.
Information processing controls are used to check accuracy, completeness, and authorization of transactions.
- General controls cover data center operations, systems software acquisition and maintenance, access security, and application systems development and maintenance. This includes:
Security Plan: Who, What, When, Where
Segregation of Duties within the Systems Functions
Project Development Control: scheduling
Physical Access Controls: access to the site and equipment
Logical Access Controls: access the system
Data Storage Controls: data protection
Data Transmission Controls: data encryption
Documentation Standards: procedures for data processing
Minimizing System Downtime: preventive maintenance
Disaster Recovery Planning: backup, contingent sites
Protection of Personal Server and Client/Server Networks: inventory and access logs
Internet Control: intranet, firewall
- Application controls apply to the processing of a specific application, such as running a computer program to prepare employees' payroll checks each month.
Source Data Controls: accuracy, validity, completeness of data sources
Input Validation Routines: accuracy and validity of input data as it is entered into the system
On-line Data Entry Controls: validity, integrity of on-line transaction data
Data Processing and File Maintenance Controls: currency checks, matching, exception reports
Output Controls: distribution list, shredder