Good Essay On Risk: Information Management Systems

Consultant’s letter

This Paper was prepared for_________ taught by___________
The client’s address_____________
Dear Sirs,
This letter will explain in detail the importance of risk management and appropriate internal control strategies development for the security of information management systems in your organization.
Effective risk management contributes to the accomplishment of the organization’s mission. In the cyber-driven era, IT security perspective becomes crucial for risk management. COSO (2004) definition of IT system as a set of activities, involving people, processes, data, and technology contributing to the organization’s getting, generating, processing and communicating information to maintain accountability and benchmark its performance towards achievement of its objectives, outlines the main areas of IT risk management. These are ensuring such IT systems functions as storage, processing and transmission of the valid data which cannot be unexpectedly or unitentionally modified (integrity); the accesibility of data on timely basis for the management to make risk-informed decisions (availability); and the availability of information only for the appropriately authorized persons (confidentiality) (Stoneburner,Goguen, & Feringa, 2002). Thus, from the IT security perspective, risk management is the process of identifying and assessment of the issues that may impose a threat of a failure in confidentiality, integrity or availability of an information system (Elky, 2006).
Risk is defined by the National Institute of Standards and Technology as function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (Stoneburner et al., 2002). Threat is a potential source of exercising the organizational vulnerability, intentionally or unintentionally. Vulnerability is a weakness in system security procedures, design, implementation, or internal controls that could be exercised by threat and affect integrity, availability or confidentiality of IT systems (Elky, 2006). Identification of known threats and the organization’s vulnerability to them is a first step in the risk management process. Threats can originate from different sources and have different nature. Examples of threats to which IT system is vulnerable is the absence of contingency plan or back-up data, non-compliance with regulations due to amendments in them not tracked in a timely manner, absence of protection against virus attack, lack of proper authorization levels for system access. Identifying threats implies simultaneous identification of potential threats sources, methods of exercising threat (attacks) and tecniques which can be used to exercise these threats ( e.g. cracking e-mail, leakage of data, destruction of transactions trails etc.) .
Risk assessment is the second process stage following risk identification. It requires relating threats to vulnerabilities, estimation of likelihood and impact of the risk (Elky, 2006). Relating threats to vulnerabilities (threat-vulnerability pairing) can be exercised through many techniques, as well as defining both likelihoods (a probability that a certain threat will occur against the certain vulnerability), and impact the threats can have on data integrity, availability and confidentiality. Lots of techniques for risk assessment exist as well, from quantitative assessment based on sophisticated statistical methods (Elky, 2006), to qualitative methods with attachment of probabilities of occurrence to each type of risks and deriving risk tree or risk matrix from these probabilities (COSO, 2004). However, cost-benefit relation does not normally allow applying quantitative risks techniques for all of the organization’s IT systems risk assessment. Qualitative risk assessment with simple grading as “Low”, “Moderate” or “High” is typically used. Combined both with likelihood tables and description of impact (limited, serious or severe effect) it produces adequate risk estimates (Elky, 2006). Thus, risk assessment will result in a risk determination matrix, or risk-level matrix based on the best available information and best estimates of IT security managers. It depicts the level of risk to which IT systems might be exposed if a given vulnerability were exercised (Stoneburger et al., 2002). E.g. the risk of data security breach in case of transferring control over the data protection to cloud service provider can be estimated as moderate by likelihood but severe by impact in case if the provider has established internal control policies which however have deficiencies. Based on the risk likelihood and its impact analysis, risk control strategies will be elaborated to minimize each particular risk which has been identified and assessed.
The company can use different control strategies to minimize the risks. Based on the documented results of the risk assessment and the company’s attitude to risk, or risk appetite (COSO, 2004), risk mitigation, transference, avoidance or acceptance strategies can be pursued. Risk mitigation is a most typical strategy implying establishing adequate control procedures to reduce risk likelihood or impact. These procedures normally stipulate authorization, seggregation of duties, assets accountability and physical safeguarding (SAS 109, 2005). An example of risk mitigation strategy for a physical security weakness is additional locks and entry level protective tools (identification by user ID and password) to access the server. Some IT security issues emerge in such rapidly developing and dynamic environment which itself continuously poses the new risks, that COSO views mitigation strategy as the preferable recommended approach to manage these risks ( e.g. the risks associated with the use of cloud computer technologies) (Horwath, Chan, Leung, & Pill, 2015). Risk transference, or another risk approach supposing the transfer the risks to another party, is also possible for some IT solutions (including cloud computing) but generally it does not decrease likelihood of a risk and requires a thorough check whether the risk control strategies the third party offers comply with the company’s requirements. In this case, risk transference can reduce the threat impact (Elky, 2006). In the abovementioned example with the cloud system provider, the proper control policies can reduce the risk impact from moderate to low.
Risk avoidance is another strategy which essence is just removing risk or the vulnerable areas. E.g. to avoid the risk associated with cloud computing use, the company can take decision not to use cloud computing technologies and store the data on its own server. To avoid the risk of year-end journal vouchers falsification, the company can shut down the function of year-end closing entries log in the system instructing the accounting department to enter them in a usual mode, one by one, with standard authorizations. However the costs of such control strategy can sometimes overweight the benefits in terms of required resources. Finally, risks acceptance, or operation with a known risk, can also be taken if the risk is too low or the costs of risks mitigation are too high (Elky, 2006). E.g. if the documents flow within the system for payroll approval require installation of ERP-system for a microenterprise, doing with manual authorization will be an example of risk acceptance, which is justified by too high costs of mitigation.
In elaborating control activities for risks mitigation, two types of control strategies can be used, preventive and detective controls. Preventive controls are those which prevent from policies violation, e.g. authentication for login, authorization for entry processing, development of security plans for documented controls. Detective controls are those which cannot prevent the flaw but can detect the violation of security policy. Audit trails, control totals for accounting data, or virus removal are examples of such controls. There are another classifications of control activities by function, such as technical, operational or management controls (Stoneburner et al., 2002), or general and application controls (SAS 109). The organization risk control policy usually comprises the combination of such controls which is individually tailored to address the IT system vulnerabilities. E.g. to ensure confidentiality, availability and integrity of the accounting information system, after identification of risks (threats to financial data’s validity, accuracy and reliability matched against the vulnerabilities of manual input) the company can use a range of risk strategies (mitigation for typical data entries, avoidance for year-end closing entries) and a range of controls. Those can include both general (access security) and application (automated reconciliations), both preventive (no entries over some limit without proper authorization) and detective (control totals check) controls. Such combination allows ensuring that IT accounting information system can prevent, detect and correct material misstatements in classes of transactions, account balances, or disclosures and that financial reporting roles, responsibilities and significant matters are communicated properly (SAS 109, 205).Thus, the risks associated with IT accounting systems will be effectively mimimized.
Summarizing, I’d like to underline that many risk management tools and methodologies for informational systems exist (NIST, OCTAVE®, FRAP, COBRA, Risk Watch etc) (Elky,2006), and the choice of a basic methodology is driven by the specific needs of the company. If you wish, our consultants will be happy to discuss the IT systems risk management options for your company and to assist you with elaboration of the appropriate risk control strategies.
Sincerely,
Consultant (title\name)

References:

1. American Institute of CPAs. (2007). Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement Statement on Auditing Standard SAS No 109, AU Section 314 Retrieved from: http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00316.pdf
2. Committee of Sponsoring Organizations of Treadway Comission (COSO). (2004). Enterprise Risk Management – Integrated Framework. Retrieved from: http://www.coso.org/
3. Elky, S. (2006).An Introduction to Information Systems Risk Management. SANS Institute.Retrieved from: http://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204
4. Horwath, K., Chan, W., Leung, E., & Pill, H. (2015). Enterprise Risk Management for Cloud Computing. Committee of Sponsoring Organizations of Treadway Comission (COSO) (2012). Retrieved from: http://www.coso.org/
5. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology System. Recommendations of the National Institute of Standards and Technology. Retrieved from: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf