Reducing It Risks Through Sufficient Security Controls

Submitted By nickmorgan0
Words 3417
Pages 14
Abstract
When identifying risks to the organisation and assigning resources, it is imperative that the organisation understands the consequence of the risk eventuating so that risk treatment can be prioritised. Such prioritisation can only occur when risks are rated and prioritised against an international standard that uses consequence in determining risk ratings. While the crime triangle allows for the rating of risk, it does not take consequence into consideration as ISO 31000 does. Where the organisation is able to understand how it will be adversely affected by negative risks, there will be a higher level of co-operation in assigning resources. Where the consequence is portrayed only in technical terms and not in line with the organisation's strategy and business objectives, there will be more reluctance to support risk treatment.
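The rating the abstract argues for can be made concrete in a few lines. The example below is added to this page and is not part of the essay; it rates each risk on likelihood (derived from constructed incident history, the historical quantification the essay calls for) and on consequence (loss per event, stated against a business objective), combines the two into a priority, and contrasts that order with a likelihood-only order standing in for any rating that ignores consequence. The 5-point scales, thresholds, rating bands and all incident and loss figures are illustrative assumptions; ISO 31000 leaves such scales to the organisation.

```python
"""Consequence-aware risk rating and prioritisation (added example, not from the essay).

Assumed 5-point likelihood and consequence scales, threshold values and
rating bands are illustrative choices. Incident history and loss figures
are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean

# Likelihood: mean incidents per year -> level 1..5 (assumed thresholds, descending)
LIKELIHOOD_THRESHOLDS = [(10.0, 5), (3.0, 4), (1.0, 3), (0.1, 2)]
# Consequence: loss per event in currency units -> level 1..5 (assumed thresholds, descending)
CONSEQUENCE_THRESHOLDS = [(1_000_000, 5), (250_000, 4), (25_000, 3), (5_000, 2)]
CONSEQUENCE_LABELS = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str            # business objective the consequence is stated against
    incidents_per_year: tuple  # constructed historical counts, one entry per past year
    loss_per_event: float      # estimated loss per occurrence, currency units


def level_from_thresholds(value, thresholds):
    """Map a quantity to a 1..5 level using descending (floor, level) pairs."""
    for floor, level in thresholds:
        if value >= floor:
            return level
    return 1


def likelihood_level(risk):
    """Likelihood level from the historical mean frequency of the event."""
    return level_from_thresholds(mean(risk.incidents_per_year), LIKELIHOOD_THRESHOLDS)


def consequence_level(risk):
    """Consequence level from the estimated loss per occurrence."""
    return level_from_thresholds(risk.loss_per_event, CONSEQUENCE_THRESHOLDS)


def annualised_loss(risk):
    """Annualised loss expectancy: historical frequency times loss per event."""
    return mean(risk.incidents_per_year) * risk.loss_per_event


def risk_score(risk):
    """Likelihood x consequence on the 1..25 product scale."""
    return likelihood_level(risk) * consequence_level(risk)


def rating_band(score):
    """Assumed bands over the 1..25 product scale."""
    if score >= 16:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritise(risks):
    """Treatment order: score first, annualised loss as the tie-breaker."""
    return sorted(risks, key=lambda r: (risk_score(r), annualised_loss(r)), reverse=True)


def rank_by_likelihood_only(risks):
    """Stand-in for a rating that ignores consequence (assumed: likelihood alone)."""
    return sorted(risks, key=lambda r: (likelihood_level(r), mean(r.incidents_per_year)),
                  reverse=True)


def register_line(risk):
    """Render the rating against the business objective rather than only technically."""
    c = consequence_level(risk)
    return (f"{risk.name}: {rating_band(risk_score(risk))} "
            f"(L{likelihood_level(risk)} x C{c}), {CONSEQUENCE_LABELS[c]} impact on "
            f"'{risk.objective}', ALE {annualised_loss(risk):,.0f}")


# Constructed sample register: three risks with different history and loss profiles.
SAMPLE_RISKS = (
    Risk("Phishing leading to credential theft", "Maintain customer trust",
         (12, 15, 9), 2_000),
    Risk("Ransomware on the production ERP", "Keep order fulfilment running",
         (0, 1, 0), 4_000_000),
    Risk("Unencrypted laptop lost off-site", "Comply with privacy obligations",
         (4, 3, 5), 50_000),
)

if __name__ == "__main__":
    print("Likelihood only:", [r.name for r in rank_by_likelihood_only(SAMPLE_RISKS)])
    print("Likelihood x consequence:")
    for r in prioritise(SAMPLE_RISKS):
        print("  " + register_line(r))
```

With the sample data, the likelihood-only order puts phishing first because it happens most often; once consequence is counted, phishing falls to last (score 5, medium) behind the lost laptop (12, high) and ERP ransomware (10, high), and the register line for each risk names the business objective it threatens, which is the form the abstract says management is more willing to fund.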

Organisations must use an Enterprise Risk Model that allows for scalability and organisation-wide understanding and co-operation. Such a model should be developed enterprise-wide and furthermore adapted for the identification of different types of risk, such as security risks. ISO 31000 better suits such a requirement than the crime triangle, which frames risks specifically as crimes. It is imperative to understand that risks are not always perceived as crimes, and to use a model that allows for this.

Risks are often shaped by uncertainty, and it is imperative for organisations to use as much information relating to the risk as possible, as too much uncertainty obscures the risk and its consequence. Organisations must use a model that provides some form of certainty and draws on historical data, so that as many factors as possible can be quantified from history. Such a model allows for a standardised approach to risk management and prioritisation across the organisation, which in turn allows for treatment and reduction of
