Pages:
3 pages/≈825 words
Sources:
No Sources
Style:
Harvard
Subject:
Business & Marketing
Type:
Essay
Language:
English (U.S.)
Document:
MS Word
Topic:

Accounting Information Systems: Controls for Information Security

Essay Instructions:

Hi there,
There are two files attached to this order. Please make a summary of one and a half pages for each of the attached chapters: one and a half pages for chapter 7, and one and a half pages for chapter 8, all in one Word doc with headings for each chapter.

Essay Sample Content Preview:

ACCOUNTING INFORMATION SYSTEMS
Author
Professor
University
City, State
January 2, 19
Chapter 7: Controls for Information Security
Organizations the world over are embracing information technology in running their operations. An organization’s management is concerned with the reliability of the information provided by the organization’s accounting system as well as the reliability of the cloud service providers it contracts. Further, management is concerned with the organization’s compliance with ever-increasing regulatory and industry requirements such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standards (PCI-DSS).
The Trust Services Framework was developed to guide the assessment of the reliability of information systems. The framework organizes IT-related controls into five principles that jointly contribute to systems reliability: security, confidentiality, privacy, processing integrity, and availability.
There are two fundamental concepts of information security: information security as a management issue, and the time-based model of information security. Information security is primarily a management issue and not merely a technology issue. Effective information security requires the deployment of technological tools such as firewalls, antivirus, and encryption. Management involvement and support is, however, key and is present throughout the security life cycle. As a management concept, the information security life cycle goes through four critical steps:
Step 1: Assessing the information security-related threats that the organization faces and then selecting an appropriate response.
Step 2: Developing information security policies and communicating them to all employees. Management must participate in developing policies because they must decide the sanctions they are willing to impose for noncompliance.
Step 3: The acquisition or building of specific technological tools. Senior management must authorize investing the necessary resources to mitigate the threats identified and achieve the desired level of security.
Step 4: Regular monitoring of performance to evaluate the effectiveness of the organization’s information security program.
The time-based model of information security, on the other hand, employs a combination of preventive, detective, and corrective controls to protect information assets long enough for an organization to detect that an attack is occurring and take timely steps to thwart the attack before any information is lost or compromised.
Criminals engage in targeted attacks that pose a threat to the organization’s information security. The basic steps that criminals use to attack an organization’s information system include social engineering and conducting reconnaissance. Criminals use deception in social engineering to obtain unauthorized access to information resources. If social engineering fails, criminals conduct reconnaissance, which involves collecting detailed information about their target through, for instance, perusing an organization’s financial statements, Securities and Exchange Com...