
This section explains how IS/IT security risk is identified and how internal controls are applied to the interactions in the model. Figure 4.8 illustrates the relationship between risk management and internal controls for the interactions among the three components.

Figure 4.8 Relationship between risk management and internal controls for the relationships among the three components

[Figure 4.8: Formal Component, Technical Component and Informal Component, with Internal Controls at the centre of their relationships]

It is first necessary to identify the critical issue areas which may compromise the confidentiality, integrity and availability of IS/IT assets and data. The critical areas are identified for each of the three types of relationship, namely RT1-Formal/Informal, RT2-Formal/Technical and RT3-Informal/Technical. In achieving IS/IT security governance, the critical areas will depend on the IS/IT security vision and the security requirements of the organisation. Management is responsible for identifying and prioritising the critical areas based on the business goals of the organisation, as shown in Table 4.2.

Table 4.2 is based on Table 4.1 with the addition of the identification of supervisory roles/structure of responsibility. In the conceptual model, once a critical issue area has been identified, the next process is to determine the potential risks from the relationships (e.g., RT1, RT2 or RT3) associated with the issue areas. These issue areas and risks are illustrated through examples in Table 4.2. For example, the second issue area identified from RT1 relates to the password policy, integrity of the employee and unauthorised access to the Accounting Information Systems, as in Column 2. Risks associated with it are recognised in Column 3. An identified risk of RT1-Formal/Informal from this issue area was “Accounting Staff share passwords and unauthorised people can view and manipulate some Accounting data or files, which may cause data modification by unauthorised parties including writing, changing, deleting and creating”.

This action was due to a lack of supervisory roles for discovering employees' activities, a lack of checks and balances, and employees who did not understand, were unclear about, or neglected their obligations regarding access to certain IT systems.

As the structure of responsibility is significant in IS/IT security governance tasks, the next process is to establish the supervisory roles, shown in Column 4 as the giver of responsibility and the holder of responsibility, based on the obligations and policy undertakings. After identifying the security issue area (e.g., the Accounting Information System) and the entities (e.g., the supervisor and the holder of responsibility), the next step is to grant the entities a "status" based on a hierarchy of access control levels such as "Top Secret/Secret/Classified/Unclassified" in the Bell-LaPadula Model (Bell and LaPadula, 1976). The Bell-LaPadula Model is used in this conceptual framework because it keeps confidential and important data secret: a user of an Accounting Information System with Secret access (a lower clearance) should not be able to read files marked Top Secret (a higher clearance), but someone with Top Secret clearance should be able to read all files within the hierarchy. Using the Bell-LaPadula theory for the conceptual framework, management may establish roles and obligations (access rights) and set the start and finish of access to an Accounting Information System, based on employee privileges and designations.
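The following is an added example, not code from the thesis, showing how the access decision described above could be implemented for an Accounting Information System: the clearance hierarchy named in the text, the "no read up" rule the text states, and the start/finish of access that management grants. It goes one step beyond the text by also enforcing the Bell-LaPadula "no write down" rule (the *-property); all holder and file names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Clearance / classification hierarchy named in the text, lowest to highest.
LEVELS = {"Unclassified": 0, "Classified": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class AccessGrant:
    """Status the giver of responsibility assigns to a holder of responsibility."""
    holder: str      # employee id or designation (constructed values)
    clearance: str   # a key of LEVELS
    start: str       # ISO-8601 start of access set by management
    finish: str      # ISO-8601 finish of access (exclusive)


@dataclass
class DataObject:
    """A file or record held in the Accounting Information System."""
    name: str
    classification: str  # a key of LEVELS


def grant_is_active(grant: AccessGrant, when: str) -> bool:
    """True only inside the access window management opened for this holder."""
    t = datetime.fromisoformat(when)
    return datetime.fromisoformat(grant.start) <= t < datetime.fromisoformat(grant.finish)


def decide(grant: AccessGrant, obj: DataObject, op: str, when: str):
    """Return (allowed, reason) for a read or write at time `when`.

    read  -> simple security property: a subject may not read above its level.
    write -> *-property: a subject may not write below its level.
    Either operation is refused outside the start/finish window.
    """
    if op not in ("read", "write"):
        return False, f"unknown operation {op!r}"
    if not grant_is_active(grant, when):
        return False, f"access for {grant.holder} is not active at {when}"
    subj, objl = LEVELS[grant.clearance], LEVELS[obj.classification]
    if op == "read" and subj < objl:
        return False, f"{grant.holder} ({grant.clearance}) may not read up to {obj.classification}"
    if op == "write" and subj > objl:
        return False, f"{grant.holder} ({grant.clearance}) may not write down to {obj.classification}"
    return True, f"{op} of {obj.name} permitted for {grant.holder}"
```

The `reason` string is what a supervisor's monitoring would log, so refused requests surface in exactly the log reports the later columns of Table 4.2 ask the Accountant to review.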

Risk identification is part of the risk management activities. The risk identification stage helps an organisation to identify any potential scenarios that may happen if not addressed effectively and efficiently. In this case, each relationship has a diverse range of risks depending on the issue area.

After risk identification, the conceptual model examines whether the organisation has already applied internal controls to that particular risk (Cooper et al., 2004). This can be seen in Column 5. Internal controls are important mechanisms to ensure that the risk related to certain areas is controlled and minimised. If no internal controls are applied, the organisation needs to establish internal controls for that particular risk, as seen in the "Suggested Internal Controls in place" column. In Table 4.2, the suggested internal controls for the second issue, shown in Column 5, were:

“first, the Accountant should monitor the activities of his/her Accounting Staff, by discovering any suspicious events over the password log reports, network log reports, bio-metric authentication reports; and second, the Accountant is required to ensure his/her Accounting Staff attend security training or policy awareness programme on security password indicating active participation in the IS/IT security procedures”.

However, if relevant internal controls have been already implemented, the organisation may enhance and improve the existing internal controls in place.

Additional potential areas, the identified risks and associated internal controls are shown below in Table 4.2.

Columns: No | (1) Relationship Type (RT) | (2) Issue Areas | (3) Identified Risk | (4) Giver of Responsibility and Holder of Responsibility | (5) Suggested Internal Controls in place

1. RT1: Formal/Informal
   (2) Issue area: e.g., language style of IS/IT security policy documents.
   (3) Identified risk: documents are not understood because they are too simple, technical, wordy or complicated.
   (4) Giver and holder of responsibility: between the CIO and the Operation Manager, IT Manager, Area Sales Supervisor and Purchasing Supervisor.
   (5) Suggested internal controls in place:
       a. The CIO who wrote the policies should verify that the document is intelligible enough. The CIO should get feedback from all the experts/counterparts, including the Operation Manager, IT Manager, Area Sales Supervisor and Purchasing Supervisor.
       b. The CIO should conduct an education and training programme about the document to identify any language issues and explain the contents of the policies.

2. RT1: Formal/Informal
   (2) Issue area: e.g., security password policies.
   (3) Identified risk: Accounting Staff share passwords to view some Accounting data or files.
   (4) Giver and holder of responsibility: between the Accountant and the Accounting Staff.
   (5) Suggested internal controls in place:
       a. The Accountant should monitor the activities of his/her Accounting Staff by discovering any suspicious events in the password log reports or network log reports.
       b. The Accountant is required to ensure that his/her Accounting Staff attend security training or a policy awareness programme on password security, indicating active participation in the IS/IT security procedures.

3. RT3: Informal/Technical
   (2) Issue area: e.g., information system development.
   (3) Identified risk: e.g., an employee is able to change database code. Some critical sales formulas in the Sales Information System may be changed and modified, leading to inaccurate data.
   (4) Giver and holder of responsibility: between the Area Sales Supervisor and the Sales Staff and Programming Staff.
   (5) Suggested internal controls in place:
       a. The Area Sales Supervisor is required to delegate the tasks to more than one Sales Staff member, so that any suspicious activities by the Programming Staff or by his/her own Sales Staff can be discovered.
       b. The Area Sales Supervisor is required to monitor the Password Log Reports, Network Log or Firewall Log to detect any significant or suspicious events from the Programming Staff and Sales Staff.

4. RT2: Formal/Technical
   (2) Issue area: database, network, Internet policies or other IS/IT security policies.
   (3) Identified risk: misalignment between security requirements and business goals, which may cause losses.
   (4) Giver and holder of responsibility: between the IT Manager and the IT Technical Staff.
   (5) Suggested internal controls in place:
       a. The IT Manager is required to verify that the installation and implementation of the security hardware and software over the resources were correct and achieved the intended goals, by checking and auditing the related areas as done by the Technical Staff.
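As an added example (not from the thesis) of the monitoring control in row 2 of Table 4.2, the following detection logic runs over constructed password-log lines and flags an account that was used from more than one workstation within a short window, which is the trace that password sharing among Accounting Staff leaves in the password log reports. The log format, account names and host names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed password-log lines: one successful login per LOGIN_OK record.
SAMPLE_LOG = """\
2024-03-04T08:55:02 LOGIN_OK user=acct01 host=WS-ACC-01 ip=10.1.2.11
2024-03-04T09:00:40 LOGIN_OK user=acct03 host=WS-ACC-05 ip=10.1.2.15
2024-03-04T09:02:11 LOGIN_OK user=acct02 host=WS-ACC-03 ip=10.1.2.13
2024-03-04T09:05:50 LOGIN_FAIL user=acct02 host=WS-ACC-07 ip=10.1.2.17
2024-03-04T09:06:21 LOGIN_OK user=acct02 host=WS-ACC-07 ip=10.1.2.17
2024-03-04T11:00:05 LOGIN_OK user=acct03 host=WS-ACC-09 ip=10.1.2.19
2024-03-04T13:10:44 LOGIN_OK user=acct01 host=WS-ACC-01 ip=10.1.2.11
""".splitlines()

# Only successful logins count; failed attempts are a different report.
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_OK user=(?P<user>\S+) host=(?P<host>\S+)")


def parse_logins(lines):
    """Return (timestamp, user, host) for every successful login line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["host"]))
    return events


def find_shared_accounts(lines, window_minutes=15):
    """Flag accounts logged in from two or more distinct hosts within the window.

    Returns a list of (user, sorted hosts, ISO time of the first login in the
    cluster); one finding per account is enough for the supervisor's report.
    """
    by_user = defaultdict(list)
    for ts, user, host in parse_logins(lines):
        by_user[user].append((ts, host))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, host) in enumerate(evs):
            hosts = {host}
            for ts2, host2 in evs[i + 1:]:
                if ts2 - ts > timedelta(minutes=window_minutes):
                    break
                hosts.add(host2)
            if len(hosts) > 1:
                findings.append((user, sorted(hosts), ts.isoformat()))
                break
    return findings
```

A repeated login from the same workstation (acct01) is not flagged, and the window keeps an ordinary move between desks hours apart (acct03) out of the report unless the Accountant widens it deliberately.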

In IS/IT security governance, the active involvement of the Board and senior management can be seen through the directing and monitoring actions carried out by the supervisor, the giver of responsibility. The next section discusses how the directing and monitoring actions influence the three components.

4.4.5 Directing and Monitoring Actions over risks from Formal, Technical and Informal
