
4.4.3.1 Risk Management and Internal Controls: Formal component

Risk management and the application of internal controls are important to the Formal component, which includes IS/IT security policies. Risk management is needed in the development and implementation of IS/IT security policies because it identifies, assesses and mitigates the IT risks arising from deficiencies, threats and vulnerabilities.

This conceptual model identifies that the application of risk management and internal controls influences good practice in the Formal component, such as IS/IT security standards. In terms of risk management, every guideline provided by IS/IT security standards, if implemented effectively, may control the risks associated with IS/IT use. Internal controls can be used to ensure that standard practices are consistent with policy goals. For example, after the risk identification stage, the organisation may provide a checklist of the appropriate standards for implementing its processes or activities.

Policy relating to IS/IT security may provide a measurement tool so that the expected benefits of the approved strategy, including procedural goals, can be assessed. This measurement is an example of the application of internal controls. Effective application of internal controls over risk is required in this framework to gauge the success of risk management in securing IS/IT systems and assets.

4.4.3.2 Risk Management and Internal Controls: Technical component

In this model, the implementation of risk management and internal controls over the Technical component is crucial. It is important to note that the Technical component has links with the Formal and Informal components.

The Technical component comprises two elements, namely the technological areas stage and the procedures stage. The technological areas stage concerns the IS/IT that must be secured and aligned with the IS/IT security vision, while the IS/IT security procedures stage provides the steps for establishing security solutions or counter-measures. Risk management and internal controls play a significant role in ensuring that risks from the Technical component are managed and that IS/IT resources are used effectively and efficiently.

Through this model, the organisation has a proper way to identify and manage the Technical risks within the technological areas stage. Since the technological areas stage is aligned with the IS/IT security vision, any potential IS/IT risks identified in the Technical component become risks to the business. The CIO, who is responsible for advising on the risks reported from lower levels such as the IT Manager, needs to monitor and react effectively and efficiently to the daily, weekly or monthly security reports on IT system vulnerabilities and threats. The IT Manager is responsible for managing and maintaining the security of resources by identifying and assessing risks and reacting promptly at that level where necessary; if the matter cannot be resolved there, it needs to be escalated to the CIO level.

In the technical dimension, the IT Manager should be able to fix IT systems and databases that exhibit vulnerabilities or are exposed to threats, with input from the Programming Staff and IT Technical Staff. For example, a Database Administrator (IT Technical Staff), who is normally involved in administering database applications, may find that spam e-mail threatens and jeopardises business data: opening spam messages can expose the IT systems to viruses and lead to the loss of business information. In this situation, the Database Administrator (IT Technical Staff) is responsible for proposing IT security solutions such as an Intrusion Detection and Prevention System (IDPS), which is primarily focused on identifying possible incidents, logging information about them and reporting attempts (Scarfone et al., 2007). The following four types of IDPS technology are significant for this model: 1) Network-based; 2) Wireless; 3) Network Behaviour Analysis; and 4) Host-based.

Network-based, which monitors network traffic for particular network segments or devices and analyses the network and application protocol activity to identify suspicious activity.

Wireless, which monitors wireless network traffic and analyses it to identify suspicious activity involving the wireless networking protocols themselves.

Network Behaviour Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.

Host-based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

(Scarfone et al., 2007, p. ES-1) The above IDPS technologies can be used as preventive controls for stopping, detecting and halting potential threats and preventing unintended activities from entering the corporation's private network. Strictly speaking, detection and logging are detective controls; an IDPS acts as a preventive control only when it is deployed inline and configured to block. Where blocking is not appropriate, the matter should be discussed, communicated and reported directly to the IT Manager for further decisions and for strengthening the IT security internal controls.

Internal controls, which are part of risk management, help organisations to ensure that the technological areas, including their policies and IS/IT security procedures, are implemented effectively and efficiently. The management of an organisation is responsible for establishing and improving internal controls within the technological areas and the IS/IT security procedures. However, achieving these internal controls depends on the involvement of the Board, senior management and the lower levels, including junior managers and operational staff. For example, after a risk assessment conducted by the IT Manager, it was found that the increased volume of spam e-mail was due to external threats from outsiders; incoming e-mails had penetrated the corporate e-mail system and intranet. The security controls in place were not protective enough. Therefore, two types of internal control system would be needed to control the risk. The first type is the automatic application of Intrusion Detection and Prevention, installed and operated within the database applications and network, to block suspicious activities as they occur. The second type is the passive internal control system for monitoring activity over the use of IS/IT. In the passive internal control system, for example, the system gives alerts and signals of potential security breaches through the information logs.

The first type of internal control is now discussed further. The CIO may receive feedback from the IT Manager, who may advise the CIO to harden the system by installing a real-time IT security control within the application, such as anti-spam software that prevents the spammer's tactics from getting through into the corporation's private network. The anti-spam software may stop incoming spam from reaching employees' mailboxes. If suspicious activity is detected, the anti-spam software notifies the IT Technical Staff through alert notices or on-screen alarms so that they can react.

Apart from the automatic responses, the second type of internal control is the passive approach, where the Technical Staff receive alerts from the computer system (e.g., a potential breach) and also receive input such as the state of a system and its stored information, i.e., whether the information held in Random Access Memory (RAM), in the file system and in the log files appears as expected. The Technical Staff would then fix the problems and discharge their obligations based on the flow charts for troubleshooting IS/IT systems. Some obligations may not permit the Technical Staff to create or write scripts, or to execute changes to certain tables and properties. For internal control purposes, the IT Manager is required to discover whether there are any suspicious or breaching activities (e.g., unauthorised viewing or manipulation of tables) by his/her IT Technical Staff and subordinates. If the IT Technical Staff are unable to resolve some technical problems based on the troubleshooting flow charts (obligations), the IT Manager may require the staff to attend education and training sessions (RT1:Technical/Formal), giving them the chance to improve and to build knowledge (RT3:Technical/Informal). But if the IT Technical Staff still do not improve, the IT Manager should decide whether to reassign them to a department that deals with non-critical business activities carrying low risk, rather than delegating critical (high-risk) business activities to them, or to adopt another appropriate solution. The IT Manager plays a significant role in identifying and assessing the risk and also in advising on potential mitigations for minimising and preventing it.
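As an added example (not code from the thesis or from any organisation it describes), the following Python script shows what the passive internal control above looks like in practice: a small Network Behaviour Analysis detector that reads flow records, establishes per-window counts and raises alerts for the two "unusual traffic flows" the IDPS passage names, a port sweep from a single host and a DDoS-like surge of many sources against one service. The flow records and the thresholds are constructed for illustration and are assumptions of this example; the alert lines it emits are the kind of "information log" signals the text says the Technical Staff receive.

```python
"""Passive internal control over network flow logs: a minimal Network
Behaviour Analysis (NBA) detector in the sense of NIST SP 800-94.
Added example with constructed data; thresholds are assumptions."""
from collections import defaultdict
from typing import List, NamedTuple


class Flow(NamedTuple):
    ts: int        # seconds since the start of the capture
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    nbytes: int    # bytes transferred


class Alert(NamedTuple):
    window: int    # index of the 60 s window in which the anomaly occurred
    kind: str      # "port-scan" or "ddos"
    subject: str   # offending source, or the targeted dst:port
    count: int     # distinct ports (scan) or distinct sources (ddos)
    severity: str  # "medium" -> IT Technical Staff; "high" -> IT Manager


# Assumed thresholds; a real deployment would derive them from a baseline.
SCAN_PORTS = 20      # distinct destination ports from one source per window
DDOS_SOURCES = 25    # distinct sources hitting one dst:port per window


def build_sample_flows() -> List[Flow]:
    """Constructed sample: three 60 s windows, only the last two anomalous."""
    flows = []
    # window 0: benign HTTPS traffic from three workstations
    for ts, src in [(5, "10.0.1.10"), (12, "10.0.1.11"),
                    (20, "10.0.1.12"), (41, "10.0.1.10")]:
        flows.append(Flow(ts, src, "10.0.0.5", 443, 1500))
    # window 1: one internal host sweeps 30 ports on the server
    for i in range(30):
        flows.append(Flow(60 + i, "10.0.1.99", "10.0.0.5", 1000 + i, 60))
    # window 2: 40 external sources, two flows each, hammer port 80
    for i in range(40):
        src = f"198.51.100.{i + 1}"
        flows.append(Flow(120 + i % 60, src, "10.0.0.5", 80, 40))
        flows.append(Flow(125 + i % 60, src, "10.0.0.5", 80, 40))
    return flows


def detect(flows: List[Flow], window: int = 60) -> List[Alert]:
    """Group flows into fixed windows and apply the two NBA rules."""
    by_window = defaultdict(list)
    for f in flows:
        by_window[f.ts // window].append(f)

    alerts: List[Alert] = []
    for w in sorted(by_window):
        ports_by_src = defaultdict(set)       # src -> {dport}
        srcs_by_target = defaultdict(set)     # (dst, dport) -> {src}
        for f in by_window[w]:
            ports_by_src[f.src].add(f.dport)
            srcs_by_target[(f.dst, f.dport)].add(f.src)
        # Rule 1: one source touching many ports (reconnaissance)
        for src, ports in ports_by_src.items():
            if len(ports) >= SCAN_PORTS:
                alerts.append(Alert(w, "port-scan", src, len(ports), "medium"))
        # Rule 2: many sources converging on one service (DDoS-like)
        for (dst, dport), srcs in srcs_by_target.items():
            if len(srcs) >= DDOS_SOURCES:
                alerts.append(Alert(w, "ddos", f"{dst}:{dport}",
                                    len(srcs), "high"))
    return alerts


def format_alert(a: Alert) -> str:
    """Render an alert as a single log line for the information logs."""
    return (f"ALERT window={a.window} kind={a.kind} subject={a.subject} "
            f"count={a.count} severity={a.severity}")


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(format_alert(alert))
```

The two rules are deliberately stateless within a window; a production NBA sensor would compare each window against a learned baseline rather than fixed constants, and the severity field is only there to show how an alert can be routed to the escalation path the text describes (Technical Staff first, then the IT Manager).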

At departmental level, the CIO has the power to make decisions and approve certain IT budgets. If more budget is required, the CIO needs to approach and report to the Risk Management Committee and the CEO of the organisation with reference to the risk mitigation strategies.

That is why IS/IT risks need to be raised at the Corporate Risk Management Committee, so that the Board and senior management are consistently active in reviewing and mitigating the Technical risks that may affect the business. This study later identifies that risk management processes can be operationalised throughout the IS/IT security procedures stage. This can help organisations to minimise the risks relating to IS/IT.

4.4.3.3 Risk Management and Internal Controls: Informal component

The Informal component, which involves employee values and organisational values, is always neglected within IS/IT security implementations (Mishra et al., 2004). It is believed that security problems derive from all three components, including the Informal component. All significant areas, including the IS/IT security risks from the Informal component, should be addressed at the corporate governance level (Information Security Governance, 2004), involving the CIO from senior management and the IT Manager from the lower management level. Corporate governance is not only the responsibility of the Board and senior management but also of employees at all levels.

For example, the Board monitored the managerial reports of IS/IT risks in the corporation and found that the risk associated with spam e-mail may cause system disruptions and file corruption, and that the resulting business delays may cause business losses. After further investigation, the Board realised that the policies (e.g., education, training, awareness programmes) and procedures (e.g., anti-spam software) were already in place, but spam e-mail was still a concern, and the Board wanted to know why this continued to happen. It was shown that all employees had attended the awareness programme and the training on how to follow the anti-spam procedures, but little improvement was achieved, which still dissatisfied management.

To find out why the spam issue was still problematic, a drill-down study was conducted, in which the IT Manager and his subordinates had to perform two tasks: first, to review the internet logs and detect who had opened the spam e-mails; and second, to establish who had already attended the anti-spam training and awareness programmes conducted by the corporation. Surprisingly, it was mostly the trained and skilled employees who opened the spam e-mails, and their actions caused damage to business data, business delays and, ultimately, financial losses and reputational damage. It is believed that the major cause was a lack of organisational values embraced by the employees: they did not feel responsible for the security tasks assigned to them, for several reasons. First, their understanding of the responsibility given to them was poor; second, they were not sure to whom they were responsible in terms of supervisory roles; third, they saw security responsibility as a technical problem. Organisational values are connected with employee values, and employee values may affect organisational values. When employee values are low, they also influence organisational values: where employees have low integrity and are not trustworthy, this degrades the organisational values needed to accomplish the responsibility of security tasks.

To address the risk level, a few strategies can be considered, based on the risk assessment. For example, after finding out who had not behaved responsibly and had not complied with the policy and procedures on spam e-mail, the IT Manager may reinforce and assess the elements of training, education, awareness, soft skills, values and participation. But if these elements are still not workable or not taken up by employees, the IT Manager may seek advice from the CIO. The CIO may send reminder notices or reprimands to employees, warning that their actions have caused high risks to the business. If the problem still cannot be resolved at CIO level, the issue needs to be raised at the CEO and Board level for ultimate action. The cost-benefit analysis conducted at CEO and Board level may show that, in the worst case, the employee(s) would be dismissed because of the risk they pose.

Therefore, to accomplish the mitigation process of risk management, internal controls play an important role in the Informal component in ensuring that employee values and organisational values are appropriate. For example, the risk assessment conducted at the lower level has shown that the employee was not fully responsible for the security tasks because of a lack of understanding of the security roles and unclear supervisory roles. As part of the risk mitigation process, internal controls need to be established to respond to the risk according to its level. For instance, the internal controls would establish the functional requirements for each security task, consisting of job scopes and obligations (e.g., write, delete, create), job lists, who is responsible, the supervisor in charge of the task and the information requirements for the task. Besides that, the internal control for this mitigation would also consider whether the security responsibilities have been communicated and understood between the giver of the task (the supervisor) and the holder of the task. If these internal controls are not achieved as intended at the lower levels, this is a major issue for the IT Manager as leader and supervisor. The CIO should be able to advise on the level of risk and on prompt reactions to the case, for example transferring the employee to another unit or department within the organisation.

4.4.4 Risk Identification and Internal Control Application Process for the interaction of the three
