The Essence of Information System Security and Audit
The main objective is to ensure that the organization’s information technology and business systems are adequately controlled, monitored and assessed.
The techniques used to achieve security are many and varied. In order to assess the level of security required, it is necessary to identify the risks that apply to your installation. Having identified the risks, select those techniques which together will provide the appropriate level of security for the data, for the systems and for the organization.
In this regard, the following areas of computer activity should be monitored on a regular basis: access control, system activity monitoring, and the audit trail.
1. User Access Control:
Access capabilities are implemented by security administration as a set of rules that stipulates which users or groups of users may gain access to certain information on the system. Access is generally granted on a “need-to-know” or “need-to-do” basis.
The objective of security in this area is to optimize productive computer time, lessen the risk of error and fraud, eliminate unauthorized work and secure the confidentiality of information. It should allow proper division of duties to ensure that the potential for unauthorized operation and fraud is minimized.
2. Monitoring the system:
Most organizations today have installed computers of various sizes for processing data into information and knowledge. Too much emphasis appears to have been placed on the technology and too little attention on the security of the valuable business wealth contained in the information being managed by the Information Technology Department. This is perhaps the worst risk facing business today, because security awareness among non-computer professionals is low.
Most computer installations have experienced system collapse or degradation because of the failure of some component of the systems software. Unexpected situations do arise and, if care is not taken, can have extensive and expensive repercussions.
Anyone can make a mistake, and the consequences must be contained by effective security controls. Malicious acts of sabotage or fraud are more likely to occur if the chances of detection are low. However, the odds can be lessened by reducing the opportunity to commit crimes and by increasing the likelihood of detection through effective system security and controls.
Controls over the experts who work on the computers are also a critical aspect. Uncontrolled systems development will automatically produce a system that is uncontrollable. Bugs and accidental errors will proliferate, and such systems are a fertile breeding ground for attempts at fraud.
For an improvement to take place, the following questions may be asked about probable areas of risk, such as:
1. Could this happen here?
Inadequate system security exposes an organization to many risks. Some of these are data diddling, Trojan horses, rounding down, salami techniques, viruses, logic bombs and data leakage.
3. Audit trail:
The system log should be analyzed to provide detailed information on all normal and abnormal occurrences during each processing period.
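The three areas above (need-to-know access rules with division of duties, and an audit trail reviewed for normal and abnormal occurrences per processing period) as an added Python example; this is not code from the original article, and the resources, groups and the conflicting-group pair are constructed:

```python
from collections import defaultdict

# Constructed access rules: each protected resource lists the groups that
# "need to know" (read) or "need to do" (write) against it.
ACCESS_RULES = {
    "payroll_master": {"read": {"payroll", "audit"}, "write": {"payroll"}},
    "vendor_master":  {"read": {"purchasing", "audit"}, "write": {"purchasing"}},
}

# Constructed division-of-duties constraint: no one person may both create
# vendors and approve payments to them.
CONFLICTING_GROUPS = [("purchasing", "payments")]

audit_trail = []  # every decision, allowed or denied, is recorded here

def check_division_of_duties(user_groups):
    """Return the conflicting pair a user holds, or None if the assignment is clean."""
    for a, b in CONFLICTING_GROUPS:
        if a in user_groups and b in user_groups:
            return (a, b)
    return None

def request_access(period, user, user_groups, resource, action):
    """Decide a request on the rules above and append the outcome to the audit trail."""
    allowed_groups = ACCESS_RULES.get(resource, {}).get(action, set())
    permitted = bool(allowed_groups & set(user_groups))
    audit_trail.append({"period": period, "user": user, "resource": resource,
                        "action": action, "result": "ALLOW" if permitted else "DENY"})
    return permitted

def period_summary(trail, period):
    """Count normal (allowed) and abnormal (denied) occurrences per user in one period."""
    summary = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})
    for entry in trail:
        if entry["period"] == period:
            summary[entry["user"]][entry["result"]] += 1
    return dict(summary)

if __name__ == "__main__":
    request_access("2024-Q1", "alice", ["payroll"], "payroll_master", "write")
    request_access("2024-Q1", "bob", ["purchasing"], "payroll_master", "read")
    request_access("2024-Q1", "bob", ["purchasing"], "payroll_master", "read")
    print(period_summary(audit_trail, "2024-Q1"))   # bob's repeated denials stand out
    print(check_division_of_duties(["purchasing", "payments"]))
```

A user who accumulates denials in a period, or who holds a conflicting pair of groups, is the abnormal occurrence the review of the log is meant to surface.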
Applying the principles of Information System Security and Audit raised in this write-up will ensure that an organization’s information assets and systems are adequately controlled, monitored and assessed.
Mukaila Apata is a System Auditor and Security Administrator with over
Original content provided by Jidaw.com. Copyright © 1989-2010 Jidaw Systems Limited All rights reserved.