Information Systems Operations, Maintenance and Support
As more and more companies migrate into the digital world, and as more individuals prefer to conduct their business and personal affairs online, information security risks and threats expand rapidly. There has been a remarkable increase in user-friendly technologies such as mobile web applications and cloud computing, which have unwittingly propagated increases in cybercrime because they are also attacker-friendly (Whitman & Mattord, 2013). It is common to hear of incidents of proprietary data loss, identity theft, regulatory involvement and, above all, reputational damage. This implies that however comprehensively individuals and organizations attempt to secure data, new loopholes keep evolving that compromise privacy and information security (Enck, Gilbert, Chun, Cox, Jung, McDaniel & Sheth, 2014). This research paper sheds light on how organizations ought to set up, monitor and continuously evaluate lines of defense through internal audits, in order to offer sufficient assurance with regard to data security and privacy practices and controls.
Domain 4 (operations) currently differs from the former Domain 6 in that it contains disaster recovery. The domain encompasses information systems operations, i.e. the core management function that auditors must assess: guaranteeing that IS procedures can recover in an appropriate manner from minor or major interruptions of operations. As such, the domain entails documentation, change management and the functions of library software, where auditors frequently make use of log consoles. Domain 4 also encompasses systems hardware, where auditors have to highlight an organization's capacity management. In addition, auditors need to understand multitasking, multiprocessing, multiuser and multithreaded systems, as well as grid computing, in order to understand the different roles of a computer and of a load balancer.
Domain 4 plays a significant role in the assessment of software control parameters and in how auditors determine the functioning of such parameters. In addition, auditors have to understand the components of communication in a mainframe computer. Coupled with IS infrastructure and architecture, it is of paramount importance that auditors understand the latency of a system, its network services and the bridges that keep networks secure. Domain 4 provides the assurance that the procedures for information systems operations, maintenance and support meet the strategic objectives and functions of an organization. As such, the domain encompasses constant review of systems to determine their suitability and their connection to a firm's objectives and functions. In addition, the domain entails periodic assessment of third-party policies and processes, to ensure that an organization remains in control of its systems. In this regard, evaluation and knowledge are the strongest and predominant aspects of the domain, since auditors must have robust awareness of and insight into the various components of a system or network.
Increasing trend of breaches on data security
In the recent past as well as today, there has been an alarming rate at which insiders and daring, sophisticated cyber criminals steal customer records. It is important to note that the incidents reported in the mass media are only the tip of the iceberg; actual figures are much higher (Enck et al., 2014). One source estimates that publicly reported data breaches stood at 1,040 in 2011, an increase of over 30% compared to publicly reported incidents in 2010 (Ponemon Institute, 2013). In 2003, such incidents numbered just 21, underscoring the fact that this trend has been increasing exponentially over the last decade.
In monetary terms, security breaches are quite costly, as they also consume management attention and damage an organization's reputation. Accredited reports show that fines imposed on organizations have run as high as 15 million dollars for a single security breach incident (Ponemon Institute, 2013). After incorporating other expenditures such as lawsuit costs, settlements and court costs, the costs associated with data security breaches multiply significantly. Information technology outlays can become a weak point for a firm if management fails to understand the level and extent of breaches. Firms therefore have to conduct cost-benefit analysis to determine the effectiveness of their systems.
The year 2011 brought to light the high costs organizations have to contend with because of data breaches. The PlayStation Network, a Sony affiliate, was hacked in that year, and the organization is said to have spent nearly 170 million dollars on cleanup costs (Ponemon Institute, 2013). According to data security analysts, the investigation expenditure, the cost of lost business opportunities and the need for investment in stronger data security systems are most probably going to translate into the company losing much more money. Other than the cost of such breaches in dollars, organizations have to answer to regulatory bodies, which translates into massive management distraction (Appari & Johnson, 2010). In an effort to ensure that organizations conform to customer data security protocols, agencies like the Federal Trade Commission (FTC) require them to align their operations with consent orders, which in some instances extend over a period of 20 years. Organizations are therefore under strict legal and regulatory requirements to commit considerable resources towards monitoring and reporting compliance.
As much as there have been widespread reports on the adverse effects of data security breaches, there is a very high likelihood that such risks and threats will continue to become more advanced and more costly to organizations. There are a number of reasons why this is bound to continue.
Firstly, organizations at present prefer holding onto vast amounts of employee and customer personal information. Secondly, technology proliferation: according to the Ponemon Institute, nearly 30% of data security breaches in 2011 were conducted remotely via mobile devices (Ponemon Institute, 2013). Tablet computers and smartphones are commonly hacked into in public places and can easily be preyed upon by all kinds of thieves and criminals. There is also a trend among organizations of allowing employees to place their personal information with third-party online services like Dropbox and Google Docs (Ponemon Institute, 2013). These services allow employees to share personal information easily and cost-effectively, inadvertently offering hackers more locations in which to commit cybercrime. Social media platforms like Twitter, LinkedIn and Facebook allow employees to connect with acquaintances, friends, peers and family, and in the process leave digital trails that can easily be accessed by cyber criminals (Enck et al., 2014).
Black hat hackers are known to steal high-profile data sensitive enough to affect an organization's operations (Enck et al., 2014). Ponemon reports that these criminals tend to affect companies regardless of the investments made in cyber security. Of all companies surveyed by Ponemon in 2011, one in nine reported suffering a breach at least once (Ponemon Institute, 2013), and 44% of the organizations perceived their overall IT infrastructure as relatively vulnerable to hackers.
Personal information targeted by criminals includes social security numbers, credit card information and birth dates, which are valuable on the black market, where criminals use this information to make purchases running to millions of dollars without the owner's consent (Enck et al., 2014). For organizations, intellectual property is the target of most hackers, who are in some instances funded by overseas governments that then use such information to undermine the quality of the original owner's products and services.
It is important to note that some of these unlawful intrusions are aimed at insulting individuals and organizations in order to cause them some form of embarrassment (Whitman & Mattord, 2013). Regardless of the reasons why hackers target information systems, it is only prudent for every company or individual to have sufficient security protocols, maintenance and evaluation systems.
The dynamics of cybercrime are such that companies cannot portray the image that they are simply victims of criminal acts (Whitman & Mattord, 2013). Because hackers find it very easy to sell victim information to the highest bidders on black markets, while victims are severely affected, governments have enacted tough laws against organizations that expose their employees and customers to cybercrime through ineffective data security systems.
More than fifty countries had enacted laws against cybercrime by the end of 2011, with many more countries expected to follow suit (Ponemon Institute, 2013). It is important to understand that because cybercrime is relatively new, even countries as developed as the US have no comprehensive data privacy legislation, and as such government oversight bodies act as industry regulators (Enck et al., 2014). For instance, health care providers and insurance companies in the US have to adhere to privacy guidelines stipulated by the Health Insurance Portability and Accountability Act (HIPAA) (Ponemon Institute, 2013). The FTC, for instance, requires organizations to perform independent assessments of their data security systems and to report compliance with those assessments over extended periods of time.
For organizations, reputational damage resulting from incidents where clients or employees complain of breaches in data security can have devastating effects (Bélanger & Crossler, 2011). This is because information now travels at a speed that creates a massive snowball effect: outrage from a single customer can be posted on social media and in a short while reach millions of internet users, eventually affecting an organization's shareholder value.
As much as an organization may have the most comprehensive policies and controls on data security, they tend to be ineffective unless they are consistently verified to appraise the security status (Bélanger & Crossler, 2011). This implies that the role of the internal auditor becomes critical to an organization's defense against cybercrime. Information systems audit tests should address cyber security as a major threat to organizational integrity, pay it extra attention, and raise the expectations placed on the office of the internal auditor relative to data security.
It is recommended that organizations institute three lines of defense when shielding an organization's information systems from cyber criminals. The first line of defense should involve management (Bélanger & Crossler, 2011). Organizations which highly regard the safety of organizational and customer data will in most cases allocate such responsibilities to the topmost levels of the firm. It is well accepted that management has the ability, ownership and, above all, accountability for risk mitigation via assessments, evaluations and controls.
Secondly, risk management operations allow for monitoring and facilitation of the implementation of appropriate management practices (Bélanger & Crossler, 2011). Risk owners should be regularly and effectively informed by management about the operation, evaluation and assessment of the checks and balances instituted around the information system.
Thirdly, internal audit offers a high degree of assurance to top management with regard to how well the organization is able to assess and manage arising cybercrime risks. This includes assessing and evaluating how well the first two lines of defense work (Bélanger & Crossler, 2011). Internal audit should, at a minimum, be at least as robust as the first and second lines of defense. Without an internal audit function, an organization's controls are likely to become obsolete; the function must therefore have the resources and authority to run comprehensive assurance tests.
The critical internal audit function
As described above, organizations have lost both financial resources and reputation because of breaches of privacy and data security systems. Boards of directors therefore have to stay on top of such risks (Bélanger & Crossler, 2011). One way in which companies can do so is through a strong internal audit function spearheaded by an astute audit committee.
An organization's internal audit function should be mandated to provide the audit committee with risk assessment reports that offer a true and fair view of the organization's position with regard to perceived information security and privacy risks, as well as potential and new risks (Bélanger & Crossler, 2011). The report should also highlight policy and control weaknesses encountered during the internal audit. In return, the audit committee should alert top management, and more so the internal audit function, to emerging data security and privacy risks that other boards of directors have encountered. Such information relays are invaluable in keeping data security risks at bay.
Information security risks mutate rapidly, further promoting the need for internal audit functions to stay ahead of new and emerging risks. Participation in many external as well as internal forums on these issues enables an organization to remain vigilant.
The role of the internal auditor is primarily to ensure that data security risks are comprehensively addressed, especially prior to incorporating novel business products, processes or IT systems (Bélanger & Crossler, 2011). It is important to note that in instances where project teams run behind schedule, information security risks are in most cases not effectively addressed, underscoring the need for a strong internal audit function.
The internal audit function should recognize potential risks and institute favorable policies and procedures to act as shields against information systems threats. It should be uniquely placed to make timely and effective assessments of the degree to which existing measures and controls are being utilized (Bélanger & Crossler, 2011). It should also be keen and sharply focused, acting on any information about emerging potential threats by conducting impromptu audit checks in a manner similar to the operation of the regular internal audit schedule.
Barriers affecting the internal audit function
It is not an easy task to have effective controls and measures against information and privacy security threats. Four common barriers exist.
It is common for managers to view emerging security casually, on the mere premise of a strong firewall, tight controls or compliance with industry standards (PWC, 2012). Controls should be constantly checked. Exposures change dynamically, and thus controls and policies should be appraised accordingly, before a security breach is actually realized.
Robust and effective information security protocols are indeed expensive and require concerted effort from entire management teams to effectively maintain and sustain them (PWC, 2012). This is, however, not as expensive and demanding as the after-effects of a data security breach, and organizations should cultivate a culture of prudence, for example by performing comprehensive cost-benefit analysis programs. Such an analysis provides accurate assessments of the potential damage from different forms of security breach.
Organizations which do not value a strong internal audit function tend to hold back such functions from performing their roles as mandated (PWC, 2012). In most organizations, internal audit is entrusted with financial control assessments and in some instances with information systems security controls too. However, audit committees and top management in most cases undermine the ability of audit functions to approach data security breach challenges holistically. Such practices are detrimental to organizations in their attempt to continue as a going concern. In the information security realm, security risks affect organizations with dynamically growing complexity, as the realm is nascent (PWC, 2012). Cyber security threats pose great challenges even to organizations whose operations are primarily information security oriented. Smaller organizations in most cases struggle to keep pace with recent developments. The solution is to implement strategies that recruit a workforce with the knowledge and skill to effect a potent audit function.
In a number of organizations, it is common to find that information security responsibilities are shared out among the legal, finance and IT offices (PWC, 2012). This arrangement can fracture an information security policy; the solution is to have a single office coordinate all of these functions. Such an office should be accorded the resources and authority to act upon security threats as and when they occur or are envisaged to occur.
It can easily take an organization over a year to re-establish its reputation after a security breach. The frequency of such breaches continues to increase, and their cost also continues to grow. Even where there are robust controls, failures commonly surface. The solution is to have the audit function act as a third line of defense, empowered to manage all emerging risks, with tools and human resources sufficient to ensure an organization is well prepared to secure its sensitive information from cyber criminals.

Intrusions and breaches occur frequently in network systems, from either external or inside sources, and the construction of a system that appropriately prevents or detects such intrusions is of paramount importance to any information system. In addition, it is highly significant for auditors to understand the cost of such intrusions and breaches; thus, they should cultivate means of providing secure systems and networks. Continuous assessments and checks to understand the level of compliance, and any gaps in it, can allow firms to maintain secure and efficient systems.
Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6(4), 279-314.
Bélanger, F., & Crossler, R. E. (2011). Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly, 35(4), 1017-1042.
Enck, W., Gilbert, P., Chun, B. G., Cox, L. P., Jung, J., McDaniel, P., & Sheth, A. N. (2014). TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones. Communications of the ACM, 57(3), 99-106.
Ponemon Institute. (2013). Big Data Analytics in Cyber Defense. Retrieved on June 27, 2014 from http://www.ponemon.org/local/upload/file/Big_Data_Analytics_in_Cyber_Defense_V12.pdf
PWC. (2012). Fortifying your defenses: The role of internal audit in assuring data security and privacy. Retrieved on June 27, 2014 from http://www.pwc.com/en_US/us/risk-assurance-services/assets/pwc-internal-audit-assuring-data-security-privacy.pdf
Whitman, M., & Mattord, H. (2013). Management of information security. London: Cengage Learning.