Information systems controls
1 Controls
Selecting proper controls and implementing them will initially help an organization bring risk down to acceptable levels. Control selection should follow, and be based on, the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting the confidentiality, integrity or availability of information. ISO/IEC 27001:2005 has defined 133 controls in different areas, but this list is not exhaustive. You can implement additional controls according to the requirements of the organization. ISO 27001:2013 has cut down the number of controls to 113.
2 Administrative
Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Some industry sectors have policies, procedures, standards and guidelines that must be followed – the Payment Card Industry (PCI) Data Security Standard required by Visa and MasterCard is such an example. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.
Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Administrative controls are of paramount importance.
3 Logical
Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are all examples of logical controls.
An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is granted no more access privileges than are necessary to perform the task. A blatant example of failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read email and surf the Web. Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees' job duties change, when they are promoted to a new position, or when they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.
4 Physical
Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. Examples include doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, and cable locks. Separating the network and workplace into functional areas is also a physical control.
An important physical control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual cannot complete a critical task alone. For example, an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator – these roles and responsibilities must be separated from one another.
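As an added example (not part of the original text), the following Python access-review check flags both problems described in the least privilege and separation of duties sections above: entitlements a user still holds beyond what their current role requires (privilege creep), and entitlement combinations that separation of duties forbids. The role names, entitlements and user records are constructed from the text's own examples and are not taken from any real system.

```python
# Added example: an access review covering the two failure modes described above.
# Entitlements each job role legitimately needs (constructed sample data).
ROLE_ENTITLEMENTS = {
    "clerk": {"submit_reimbursement"},
    "manager": {"authorize_payment"},
    "treasury": {"print_check"},
    "app_programmer": {"deploy_app_code"},
    "server_admin": {"server_root"},
    "dba": {"db_admin"},
}

# Entitlement pairs one person must never hold together (separation of duties).
SOD_CONFLICTS = [
    ("submit_reimbursement", "authorize_payment"),
    ("submit_reimbursement", "print_check"),
    ("authorize_payment", "print_check"),
    ("deploy_app_code", "server_root"),
    ("deploy_app_code", "db_admin"),
]

def excess_entitlements(current_role, held):
    """Entitlements beyond what the current role requires: privilege creep."""
    return sorted(set(held) - ROLE_ENTITLEMENTS.get(current_role, set()))

def sod_violations(held):
    """Conflicting entitlement pairs that a single identity holds at once."""
    held = set(held)
    return sorted((a, b) for a, b in SOD_CONFLICTS if a in held and b in held)

def review_user(user):
    """Findings for one user record of the form {name, role, entitlements}."""
    return {
        "name": user["name"],
        "excess": excess_entitlements(user["role"], user["entitlements"]),
        "sod": sod_violations(user["entitlements"]),
    }

# Constructed sample: alice moved from clerk to manager and kept her old access;
# bob was promoted from programmer to server admin and kept his deploy rights.
SAMPLE_USERS = [
    {"name": "alice", "role": "manager",
     "entitlements": ["submit_reimbursement", "authorize_payment"]},
    {"name": "bob", "role": "server_admin",
     "entitlements": ["deploy_app_code", "server_root"]},
    {"name": "carol", "role": "treasury", "entitlements": ["print_check"]},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(review_user(user))
```

Running the review over the sample shows that alice's leftover clerk entitlement both exceeds her role and creates a separation-of-duties conflict, while carol, whose access matches her role, produces no findings.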
General controls
General controls govern the design, security, and use of computer programs and the security of data files in general throughout the organization's information technology infrastructure. They apply to all computerized applications and are a combination of hardware, software, and manual procedures that together create the overall control environment.
Types of general controls:
Software controls
Hardware controls
Computer operations controls
Data security controls
Implementation controls
Administrative controls
Application controls
Application controls are specific controls unique to each computerized application, such as payroll or order processing. They include both automated and manual procedures and ensure that only authorized data are completely and accurately processed by that application. Application controls include:
Input controls
Processing controls
Output controls
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.