
Establishing a Rigorous Risk Management System, Research Paper Example

Pages: 4

Words: 1147

Research Paper

Best practices for systems reporting

The management of a business organization is constantly involved in identifying risk areas, which prompts it to design appropriate risk-mitigation measures. Most of the risks evident in an organization's IT department involve access to the wealth of resources held in its database. These resources are not open to all employees, clients, and business partners. Business managers therefore implement access control, which lets each user reach the resources needed to perform their duties while denying access to resources that are irrelevant to that user. Access control is a security concern whose management implications should be understood by the organization's solution providers. The effects of illicit access to these resources can be devastating for management, as it may lead to malicious activities including system attacks, financial fraud, data theft, and identity theft, which consequently harm the online business.

Criminals have become more skilled at recognizing potential weaknesses in access to information, and they have designed tools that facilitate successful exploitation of weak systems. The majority of contemporary criminals have turned to IT crimes rather than traditional crimes. Most documented malicious activities, up to 80%, are attributed to web serving and illicit intrusions by former employees (Caballero, 2009). A critical concern for both audit and management is logical access to the organization’s computer systems and data. The risks associated with computer systems and data in organizations have been heightened by the proliferation of information technology, with particular reference to the internet. Most audit and business risks are attributed to vulnerabilities in the IT section, and the majority are related to access control.

Mitigating risks related to access control requires identifying the potential access control risks and evaluating the level of risk associated with each. Best practice for systems reporting starts with establishing comprehensive policies and procedures that grant access to authorized users while denying it to illicit users (Caballero, 2009). Authentication control serves to ascertain that the person accessing the system is in fact the authorized user. Where risks are extremely high, it is not enough to use access controls with a single layer of authorization control consisting of a username and password. Other tools are used together with authorization control to grant access, including hardware devices connected to the remote computer, such as temporary PINs, biometrics, USB tokens, and smart cards, which complement the username and password as forms of authentication. Temporary PINs are numbers sent to the user's phone as text messages to facilitate access. They are valid only for a limited span of time.

An important consideration for the IT auditor is the procedures initially disclosed in any audit to ascertain whether access control is adequate to mitigate the potential risks related to access. This includes limiting the access of legitimate employees to the “need to know” and mitigating the risks associated with any illicit intrusion.

Employee monitoring practices

Employee monitoring practices should be implemented in the organization to control the logical environment for information security, including access control. Reflecting on data breaches, theft, and cases of malicious and trusted insiders, it becomes imperative to consider efficient employee monitoring practices (Katsicas, 2009). Apart from the risks associated with malicious intrusion and data breaches, implementing employee monitoring practices is a regulatory requirement as well.

The organization's CIOs are equipped with a variety of tools that automatically track and monitor all computer-based activities of employees. The majority of these tools are sophisticated enough to send automatic alerts when an employee sends a sensitive email with an attachment containing confidential data, such as a resume, to a suspicious recipient such as a competitor. Most employees usually waste a lot of resources and time, which makes it necessary for management to implement systems and tools to monitor the activities of employees (Katsicas, 2009).

To facilitate efficient monitoring, the employer is equipped with computer software that allows observation of any information on the screen and the hard disk of the computer used by an employee. All internal usage, including electronic mail and web surfing, is monitored through this software. Keystroke monitoring can also be used to show the number of keystrokes performed by an employee at any time (Katsicas, 2009). A computer that has not been used for some time will be reported as idle, and employers can use this to track the time wasted by employees.

Access to classified, unclassified, and sensitive information

Access to classified, unclassified, and sensitive information can take the form of unauthorized entry into an information system by exceeding the set level of the user's authorized access, or of illicit intrusion into a system while eluding access control. The procedures set by human resources should be tied to access control as one way of handling the disposition of classified data and media. The access rights of any employee whose position in the office has changed should also be changed. The access rights of a newly hired employee should be commensurate with the applications relevant to the duties and responsibilities of the employee’s job. The relevant application or software should be capable of limiting access to the relevant and appropriate usage. Any transfer of an employee should be accompanied by the appropriate changes in access rights, and if the employee is fired, the access rights have to be terminated altogether (Hubbard, 2009).
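One way to check that access rights follow the HR record through hiring, transfer, and dismissal is a periodic reconciliation. The sketch below is an added example, not part of the original paper; the roster, role names, applications, and the `reconcile` function are constructed for illustration.

```python
# Constructed sample data; role names and applications are hypothetical.
ROLE_BASELINE = {
    "accounts_payable": {"erp_invoices", "email"},
    "hr_officer": {"hr_records", "email"},
}

HR_ROSTER = {
    "e101": {"status": "active", "role": "accounts_payable"},      # new hire
    "e102": {"status": "active", "role": "hr_officer"},            # transferred from accounts payable
    "e103": {"status": "terminated", "role": "accounts_payable"},  # dismissed
}

CURRENT_GRANTS = {
    "e101": {"email"},
    "e102": {"erp_invoices", "hr_records", "email"},
    "e103": {"erp_invoices", "email"},
    "e999": {"email"},   # account with no HR record at all
}


def reconcile(roster, baseline, grants):
    """Return (employee, action, application) tuples that bring granted
    access back in line with the HR record."""
    actions = []
    for emp in sorted(set(roster) | set(grants)):
        held = grants.get(emp, set())
        record = roster.get(emp)
        if record is None or record["status"] != "active":
            # Leaver or unknown account: every right is terminated.
            allowed = set()
        else:
            # An unrecognised role gets no access rather than keeping old rights.
            allowed = baseline.get(record["role"], set())
        actions += [(emp, "revoke", app) for app in sorted(held - allowed)]
        actions += [(emp, "grant", app) for app in sorted(allowed - held)]
    return actions


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, ROLE_BASELINE, CURRENT_GRANTS):
        print(finding)
```

The transferred employee (e102) is the case most often missed: the old role's rights stay in place unless something compares them against the new role.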

Standard chosen for marking: Marking of Classified Information

Marking classified information using physical procedures, with suitable application of control markings, is a healthy way of notifying holders of the degree of protection that is needed. Effective marking of classified information is vital because it indicates the level of classification assigned, the time period for which protection is necessary, the portions that contain classified information, and any additional notations relevant to protecting the information and material. Headers and footers should be used to mark computer files so that any printed or transmitted material carries the relevant classification and the appropriate markings (Caballero, 2009). All devices and removable storage media, including cassettes, diskettes, tape reels, and CD-ROMs, must carry an outer label with the appropriate markings.

References

Caballero, A. (2009). Computer & Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc.

Hubbard, D. (2009). The Failure of Risk Management: Why It’s Broken & How to Fix It. John Wiley & Sons.

Katsicas, S. K. (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc.
