
Exploring Corrective Controls

                 Human error.
                 Computer virus.
                 Software corruption.
                 Hardware or system malfunctions.
                 Natural disasters.

            Human Error

            Human error examples include:
                 Damage to equipment that is dropped or knocked over when a user moves technology
                   equipment on his or her own. The best control is to have the information technology
                   function perform all equipment moves.
                 Accidental deletion or drive reformatting. This risk is minimized through timely backups,
                   and by backing up the drive immediately before any reformatting.
                 Accidental overwriting of data or configuration parameters. This risk is minimized through
                   timely backups of files and configuration parameters, so that the last known-good version
                   can be restored.

            Computer Viruses

            Computer viruses and other malicious code enter corporate networks most commonly through
            email phishing: the user clicks a link or opens an attachment in the email, which executes
            malicious code, captures credentials, or otherwise gives the attacker access to the network or
            compromises the privacy of an account or device.

            Recently some organizations have also fallen victim to supply chain attacks in which the vendor
            itself (SolarWinds, for example) is compromised and then unknowingly infects its clients through
            its own system update or patch.

            Hardening, patching, anti-virus software, deny-all firewall rulesets, and vulnerability management
            (which includes social engineering tests) are critical controls to limit exposure to viruses,
            including boot sector, file-infecting, and polymorphic viruses. Signature-based anti-virus alone
            is weak against polymorphic viruses, which change their code on each infection, so patching and
            hardening carry more of the load there.

            Software Corruption

            The risk of corruption caused by diagnostic or repair tools is reduced by taking a backup before
            those tools are run.

            Failed backups occur occasionally because of batch scheduler issues or because the target system
            is unavailable. Automated backups should be monitored so that failures are reported and the
            backup is restarted in a timely manner. A job that never started leaves no failure record, so the
            monitoring should compare completed jobs against the expected schedule rather than only look for
            error messages.
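            The monitoring described above, as an added example that is not part of the course text:
            the script reads constructed backup-scheduler log lines, works out the last state of each
            expected job, and sorts jobs into ok, restart (automatic retry still allowed), escalate
            (retries exhausted, a person must look) and missing (no run recorded at all). The log format,
            job names and retry limit are assumptions made for the illustration.

```python
"""Backup job monitor: an added example, not part of the IIA course text.

Reads constructed backup scheduler log lines, determines the last state of
every job, and sorts jobs into: ok, restart (automatic retry still allowed),
escalate (retries exhausted), and missing (no run recorded at all). The log
format, job names, and the retry limit are assumptions.
"""
import re

# Constructed sample log, oldest line first. Each line is one backup attempt.
SAMPLE_LOG = """\
2021-06-01T01:00:05 job=fileserver-nightly status=SUCCESS bytes=5120000
2021-06-01T01:30:02 job=db-prod-full status=FAILED reason=target_unreachable
2021-06-01T02:00:01 job=exchange-daily status=FAILED reason=scheduler_error
2021-06-01T02:15:00 job=db-prod-full status=FAILED reason=target_unreachable
2021-06-01T02:30:00 job=crm-daily status=FAILED reason=scheduler_error
2021-06-01T02:45:00 job=hr-share status=SUCCESS bytes=210000
2021-06-01T03:00:00 job=exchange-daily status=SUCCESS bytes=900000
garbage line that the scheduler should never have written
"""

# Jobs the schedule says must have run (assumed). A job with no log line at
# all is the case a naive "grep for FAILED" check misses entirely.
EXPECTED_JOBS = [
    "fileserver-nightly", "db-prod-full", "exchange-daily",
    "crm-daily", "hr-share", "payroll-weekly",
]

MAX_AUTO_RESTARTS = 2  # after this many consecutive failures, escalate to a person

LINE_RE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>SUCCESS|FAILED)"
    r"(?: reason=(?P<reason>\S+))?"
)


def parse_log(text):
    """Return one dict per parseable attempt, in file (chronological) order."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:  # unparseable lines are skipped rather than crashing the monitor
            entries.append(match.groupdict())
    return entries


def job_histories(entries):
    """Group attempts by job name, preserving chronological order per job."""
    histories = {}
    for entry in entries:
        histories.setdefault(entry["job"], []).append(entry)
    return histories


def trailing_failures(history):
    """Count failures since the job's most recent success."""
    count = 0
    for entry in reversed(history):
        if entry["status"] == "SUCCESS":
            break
        count += 1
    return count


def triage(entries, expected_jobs=EXPECTED_JOBS, max_auto_restarts=MAX_AUTO_RESTARTS):
    """Classify every expected job by what the monitor should do next."""
    histories = job_histories(entries)
    result = {"ok": [], "restart": [], "escalate": [], "missing": []}
    for job in expected_jobs:
        history = histories.get(job)
        if not history:
            result["missing"].append(job)
            continue
        failures = trailing_failures(history)
        if failures == 0:
            result["ok"].append(job)
        elif failures < max_auto_restarts:
            result["restart"].append(job)
        else:
            result["escalate"].append(job)
    return result


def last_reason(entries, job):
    """Reason on the job's most recent attempt if that attempt failed, else None."""
    history = job_histories(entries).get(job)
    if history and history[-1]["status"] == "FAILED":
        return history[-1]["reason"]
    return None


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    outcome = triage(attempts)
    for bucket, jobs in outcome.items():
        for job in jobs:
            reason = last_reason(attempts, job)
            print(f"{bucket:8} {job}" + (f"  (last reason: {reason})" if reason else ""))
```

            The restart bucket is what an automated re-run would consume; the escalate and missing
            buckets are what the failure report should lead with, since neither will fix itself.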

            Configuration complexity is a legacy of large systems in which hundreds of configuration
            variables, if set improperly, can corrupt the system. Enhanced testing prior to deployment to
            production, including checking every configuration value against its defined type and limits
            and exercising the configuration in a staging environment, reduces this risk.
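            One form that pre-deployment testing can take, as an added example that is not part of the
            course text: a validator that checks a configuration against a declared rule set (types, bounds,
            allowed values, one cross-field dependency and unknown keys) and reports every violation at once
            before the configuration is promoted. The parameter names, limits and the two constructed
            configurations are assumptions made for the illustration.

```python
"""Pre-deployment configuration check: an added example, not IIA course material.

Validates a configuration dictionary against a declared rule set before it is
promoted to production and reports every violation at once. The parameter
names, limits, and the two constructed configurations are assumptions.
"""

# Rule set (assumed): type, numeric bounds, allowed values, and one cross-field
# dependency (cert_path is only required when TLS is switched on).
RULES = {
    "max_connections": {"type": int, "min": 1, "max": 10000},
    "log_level": {"type": str, "choices": ("DEBUG", "INFO", "WARN", "ERROR")},
    "tls_enabled": {"type": bool},
    "cert_path": {"type": str, "required_if": ("tls_enabled", True)},
    "backup_retention_days": {"type": int, "min": 7},
}


def _type_ok(value, expected):
    # bool is a subclass of int in Python, so True would otherwise pass an int check
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def validate(config, rules=RULES):
    """Return a list of violation messages; an empty list means the config passes."""
    errors = []
    for key, rule in rules.items():
        if key not in config:
            dep = rule.get("required_if")
            if dep is None:
                errors.append(f"{key}: missing")
            elif config.get(dep[0]) == dep[1]:
                errors.append(f"{key}: required when {dep[0]}={dep[1]!r}")
            continue
        value = config[key]
        if not _type_ok(value, rule["type"]):
            errors.append(f"{key}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: {value} is below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: {value} is above maximum {rule['max']}")
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{key}: {value!r} not one of {list(rule['choices'])}")
    # An unknown key is usually a typo; the real parameter then silently keeps
    # its default, which is exactly the kind of error this check exists to catch.
    for key in config:
        if key not in rules:
            errors.append(f"{key}: unknown parameter")
    return errors


def deployment_gate(config, rules=RULES):
    """True only if the configuration may be promoted to production."""
    return not validate(config, rules)


# Constructed configurations for the demonstration.
GOOD_CONFIG = {
    "max_connections": 500,
    "log_level": "INFO",
    "tls_enabled": True,
    "cert_path": "/etc/app/server.pem",
    "backup_retention_days": 30,
}

BAD_CONFIG = {
    "max_connections": 0,          # below minimum
    "log_level": "VERBOSE",        # not an allowed value
    "tls_enabled": True,           # ... but cert_path is absent
    "backup_retention_days": "30", # string where an int is required
    "max_conections": 200,         # typo: unknown key
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        problems = validate(cfg)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

            Collecting all violations in one pass matters in practice: a gate that stops at the first
            error turns a single deployment review into a series of them.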


            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.