Pages: 3 pages/≈825 words
Sources: 0
Style: Harvard
Subject: Business & Marketing
Type: Essay
Language: English (U.S.)
Document: MS Word
Total cost: $ 12.96
Topic:

Accounting Information Systems: Controls for Information Security

Essay Instructions:

Hi there,

There are two files attached to this order. Please make a Summary of one and half pages for each of the attached chapters. One and half pages for chapter 7, and one and half pages for chapter 8 all in one word doc with headings for each chapter.

Essay Sample Content Preview:

ACCOUNTING INFORMATION SYSTEMS
Author
Professor
University
City, State
January 2, 19
Chapter 7: Controls for Information Security
Organizations the world over are embracing information technology to run their operations. An organization’s management is concerned with the reliability of the information produced by its accounting system, as well as the reliability of any cloud service providers it contracts. Management is further concerned with the organization’s compliance with ever-increasing regulatory and industry requirements, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS).
The Trust Services Framework was developed to guide the assessment of information systems reliability. The framework organizes IT-related controls into five principles that jointly contribute to systems reliability: security, confidentiality, privacy, processing integrity, and availability.
There are two fundamental concepts of information security: information security as a management issue, and the time-based model of information security. Information security is primarily a management issue, not merely a technology issue. Effective information security does require the deployment of technological tools such as firewalls, antivirus software, and encryption, but management involvement and support are key and must be present throughout the security life cycle. As a management concept, the information security life cycle goes through four critical steps:
Step 1: Assessing the information security-related threats that the organization faces and then selecting an appropriate response.
Step 2: Developing information security policies and communicating them to all employees. Management must participate in developing policies because they must decide the sanctions they are willing to impose for noncompliance.
Step 3: Acquiring or building specific technological tools. Senior management must authorize investing the resources necessary to mitigate the threats identified and achieve the desired level of security.
Step 4: Regular monitoring of performance to evaluate the effectiveness of the organization’s information security program.
The time-based model of information security, on the other hand, employs a combination of preventive, detective, and corrective controls to protect information assets long enough for the organization to detect that an attack is occurring and to take timely steps to thwart it before any information is lost or compromised.
Criminals engage in targeted attacks that threaten the organization’s information security. The basic steps criminals use to attack an organization’s information system begin with social engineering and reconnaissance. In social engineering, criminals use deception to obtain unauthorized access to information resources. If social engineering fails, criminals conduct reconnaissance, which involves collecting detailed information about the target by, for instance, perusing the organization’s financial statements, Securities and Exchange Commission (SEC) filings, website, and press releases.
Once the attacker has identified specific targets and knows which versions of software are running on them, the next step is to research known vulnerabilities in those programs and learn how to take advantage of them. Using the identified vulnerabilities, the criminal can then obtain unauthorized access to the target’s information system. Finally, after penetrating the victim’s information system, the attackers are likely to attempt to cover their tracks and to create “back doors” they can use to regain access if the initial attack is discovered and controls are implemented to block that method of entry.
Organizations invest heavily in protecting their information resources to ensure that the organization’s information remains secure. Preventive controls include creating a security-conscious culture among the people within the organization, continuous employee training, creating user a...