Web technology built on the internet has driven the tremendous growth of online shopping through its speed, accessibility and ubiquity. The same factors that propelled that growth, however, expose information systems to risks that, if not properly controlled, are readily exploited and lead to compromise such as a data breach (Suduc, Bizoi, & Filip, 2010).
Such a breach can result in the theft of credit card information and financial loss for the customer. Financial loss is not limited to customers, however: in North America, enterprises lost an average of $1.3 million per data breach in 2017 (up from $1.2 million in 2016), while small and medium-sized businesses lost an average of $117,000 (Kaspersky Lab, 2017).
The good news is that a number of security measures can be applied to mitigate information systems risks. The starting point, though, is to identify these risks (both physical and logical) and then determine the measures that will provide the required level of security for the information assets.
Even with controls such as public key infrastructure, cryptography and anti-malware in place, information systems remain vulnerable to attack from both internal and external actors. Security set-up and monitoring are time consuming, so lapses are often overlooked and only noticed once an attack has occurred (Suduc, Bizoi, & Filip, 2010).
A reliable way to ensure that the needed security controls are put in place and maintained on an ongoing basis is to institute regular information systems security audits that cover both physical and logical controls (Suduc, Bizoi, & Filip, 2010). This matters because security is never absolute: organisations' information systems keep changing and attackers continue to discover new vulnerabilities (Suduc, Bizoi, & Filip, 2010). Such audits provide feedback on the efficacy of security policies and suggest remediation for areas that fall below expectation (Popescu, Popescu, & Popescu, 2008).
To ensure that these audits are comprehensive and provide the required assurance, ISACA (2018) recommends that the following reviews be carried out:
• Identity management
• Incident management (Security)
• Network perimeter security
• Systems development
• Project management
• IT risk management
• Data management
• Vulnerability management
These audits should cover the following areas:
[Figure 2: Information Security Management Systems. Source: sovisionit.com]
As organisations change, their security infrastructure and posture change with them, so information systems auditing must be a continuous effort if the required level of security is to be maintained (Popescu, Popescu, & Popescu, 2008).
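One way to make the listed reviews a continuous effort rather than a periodic manual exercise is to encode the checks an auditor would otherwise perform by hand and run them on a schedule against the organisation's inventory. The Python below is an added example, not code from this page or from ISACA's audit programme: it evaluates a small constructed inventory (accounts, firewall rules and scan findings, none of them real) against one or two rules drawn from three of the review areas above (identity management, network perimeter security, vulnerability management). The thresholds (90-day dormancy, 30-day remediation SLA for critical findings, the set of management ports) and the rule logic are assumptions standing in for the organisation's own policy.

```python
"""Minimal continuous-audit checker (illustrative example, not ISACA's programme).

Evaluates a constructed inventory against a few logical-control rules taken from
three review areas: identity management, network perimeter security and
vulnerability management. Thresholds are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date

# Audit date; fixed so the sample data below produces deterministic results.
AS_OF = date(2018, 6, 20)

# --- Assumed policy thresholds (would come from the organisation's policy) ---
DORMANT_DAYS = 90                     # accounts unused this long should be reviewed
PATCH_SLA_DAYS = 30                   # critical findings must be closed within this
MGMT_PORTS = {22, 3389, 3306, 5432}   # admin/database ports never exposed to 0.0.0.0/0

# --- Constructed sample inventory (not real accounts, rules or hosts) -------
ACCOUNTS = [
    {"user": "alice",      "privileged": True,  "mfa": True,  "last_login": date(2018, 6, 18)},
    {"user": "bob",        "privileged": True,  "mfa": False, "last_login": date(2018, 6, 1)},
    {"user": "svc-backup", "privileged": False, "mfa": False, "last_login": date(2017, 11, 2)},
]
FIREWALL_RULES = [
    {"src": "0.0.0.0/0",  "port": 443,  "action": "allow"},
    {"src": "0.0.0.0/0",  "port": 3389, "action": "allow"},
    {"src": "10.0.0.0/8", "port": 22,   "action": "allow"},
]
HOSTS = [
    {"host": "web-01", "open_critical": [{"id": "scan-finding-17", "found": date(2018, 5, 1)}]},
    {"host": "db-01",  "open_critical": []},
]


@dataclass(frozen=True)
class Finding:
    area: str      # review area the finding belongs to
    subject: str   # account, rule or host concerned
    detail: str    # what fell below policy


def audit_identity(accounts, as_of=AS_OF):
    """Identity management: privileged accounts without MFA, dormant accounts."""
    findings = []
    for a in accounts:
        if a["privileged"] and not a["mfa"]:
            findings.append(Finding("identity management", a["user"],
                                    "privileged account without MFA"))
        if (as_of - a["last_login"]).days > DORMANT_DAYS:
            findings.append(Finding("identity management", a["user"],
                                    f"dormant for more than {DORMANT_DAYS} days"))
    return findings


def audit_perimeter(rules):
    """Network perimeter security: management ports reachable from any source."""
    return [
        Finding("network perimeter security", f"{r['src']}->{r['port']}",
                "management port exposed to any source")
        for r in rules
        if r["action"] == "allow" and r["src"] == "0.0.0.0/0" and r["port"] in MGMT_PORTS
    ]


def audit_vulnerabilities(hosts, as_of=AS_OF):
    """Vulnerability management: critical findings open beyond the remediation SLA."""
    findings = []
    for h in hosts:
        for f in h["open_critical"]:
            age = (as_of - f["found"]).days
            if age > PATCH_SLA_DAYS:
                findings.append(Finding("vulnerability management", h["host"],
                                        f"{f['id']} open {age} days (SLA {PATCH_SLA_DAYS})"))
    return findings


def run_audit(accounts=ACCOUNTS, rules=FIREWALL_RULES, hosts=HOSTS, as_of=AS_OF):
    """Run every review area and return the combined list of findings."""
    return (audit_identity(accounts, as_of)
            + audit_perimeter(rules)
            + audit_vulnerabilities(hosts, as_of))


def summarize(findings):
    """Count findings per review area, so results map onto the audit programme's headings."""
    counts = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"[{f.area}] {f.subject}: {f.detail}")
    print(summarize(results))
```

Each finding carries the review area it belongs to, so the summary maps directly onto the audit programme's headings. The rules are deliberately simple; the point of the example is the structure (policy thresholds as named constants, one function per review area, findings rather than a single pass/fail) so that new checks can be added as the organisation's systems and the threat landscape change.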
References
ISACA. (2018). Information Security Management Audit/Assurance Program. Retrieved June 20, 2018, from ISACA: https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx
Suduc, A.-M., Bizoi, M., & Filip, F. G. (2010). Audit for Information Systems Security. Informatica Economică, 14(1), 43-48. Retrieved from http://revistaie.ase.ro/content/53/04%20Suduc,%20Bizoi,%20Filip.pdf
Kaspersky Lab. (2017, September 19). Press Releases. Retrieved June 19, 2018, from Kaspersky Lab: https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-survey-cost-of-cyberattacks-for-large-businesses-in-north-america
Popescu, G., Popescu, A., & Popescu, C. R. (2008). Conducting an information security audit. Manager, 7, 76-82. Retrieved from http://manager.faa.ro/download/496_714.pdf