Page 12 - Internal Auditor Middle East - December 2017
IT Control
By Ahmed Salameh Al-Malaji. Edited by: Hossam Samy
Are your organization's IT control systems reliable?
There is no doubt that all small, medium and large organizations have information systems, whether computerized or manual. These systems are used for processing data and extracting a large amount of useful information, which represents a main source for decision-making inside and outside the organization. The information systems must be highly reliable. To be so, they must satisfy five key principles: safety, confidentiality, privacy, processing integrity and availability.

Safety

It is the main element of these principles. Despite the complexity of information systems security and the need for information security specialists, it is a matter for senior management within the organization and not only the information technology department, as senior management is responsible for the accuracy of the data and reports issued by the organization.

Time Security Model

This model evaluates the effectiveness of the organization's security by measuring and comparing the relationships among the following three variables:

P: The time it takes for an attacker to break through the preventive controls of an organization.

D: The time it takes to detect the occurrence of the attack.

C: The time it takes to respond.

If P > (D + C), then the security measures are effective. Otherwise, the security measures are not effective.

This model is also used for comparing and assessing the costs and benefits of implementing controls. For example, suppose your organization will invest 10,000 cash units to improve security and has the following options:

• Buy a firewall that will add 15 minutes to P.
• Update the intrusion detection system, which will reduce D by 18 minutes.
• Invest in a new method of quick response to intrusions, which will reduce C by 20 minutes.

Certainly, the third option, i.e. investing in a new response method, will be the most beneficial for the organization, provided all other factors remain unchanged.

Defense in depth

Defense in depth means the use of multiple layers of controls to avoid gaps that may hinder the operation of the system or leave it vulnerable to cyber attack. So, computer security includes the use of a set of firewalls, passwords, and other preventive, detective and corrective countermeasures to prevent unauthorized persons from getting access to systems, data and devices.

First: Preventive Controls

Key types of preventive controls used for information systems include:

Authorization: This control determines who is authorized to access the system, by giving the user a password, a fingerprint or an access card.

Authentication: This is another layer of preventive controls, in which permission to access the subsystems is given after confirming that the employee has an access permit to the master system. Appropriate privileges must be given according to the job description of the employee. It is necessary to have a user access authorization matrix for the systems in the IT Department.

Training: Staff should be trained on how to protect and maintain their PCs, and employees should be made aware of social engineering and the methods it uses to deceive them.

Physical Access Controls: The main server room must be protected from unauthorized access by access card or fingerprint. Visitors must be accompanied while moving around the organization's premises, and PCs must be protected from misuse.

Remote Access Controls: There are
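The time security model above (P > D + C) and its cost-benefit comparison can be carried through in code. The following is an added example, not part of the article: it keeps the article's three options and their timing deltas, but the baseline values of P, D and C are assumed, since the article gives none. It goes slightly beyond the article by clamping D and C at zero (a detection or response time cannot be reduced below zero, so an option's real benefit depends on the baseline) and by reporting, for each option, whether the resulting controls would actually be effective rather than only which option improves the margin most.

```python
"""Time-based security model (P > D + C) and control-investment comparison.

Added example, not from the article. The three options and their timing
deltas are the article's; the baseline P, D and C values are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTimes:
    p: float  # minutes for an attacker to break through preventive controls
    d: float  # minutes to detect the attack
    c: float  # minutes to respond once the attack is detected

    def margin(self) -> float:
        """Positive when P > D + C, i.e. the controls are effective."""
        return self.p - (self.d + self.c)

    def is_effective(self) -> bool:
        return self.margin() > 0


@dataclass(frozen=True)
class Option:
    name: str
    delta_p: float = 0.0  # minutes added to P (slows the attacker)
    delta_d: float = 0.0  # minutes subtracted from D (faster detection)
    delta_c: float = 0.0  # minutes subtracted from C (faster response)

    def apply(self, base: SecurityTimes) -> SecurityTimes:
        # D and C cannot drop below zero: a reduction larger than the
        # current value only buys the current value, not the full delta.
        return SecurityTimes(
            p=base.p + self.delta_p,
            d=max(0.0, base.d - self.delta_d),
            c=max(0.0, base.c - self.delta_c),
        )


def rank_options(base: SecurityTimes, options: list[Option]) -> list[tuple[str, float, bool]]:
    """Rank options by the margin P - (D + C) each one produces, best first.

    Returns (option name, resulting margin in minutes, effective after change).
    """
    scored = []
    for opt in options:
        after = opt.apply(base)
        scored.append((opt.name, after.margin(), after.is_effective()))
    scored.sort(key=lambda t: t[1], reverse=True)
    return scored


# Assumed baseline (constructed, not from the article): P = 40, D = 25, C = 30 minutes.
BASELINE = SecurityTimes(p=40.0, d=25.0, c=30.0)

# The article's three uses of the same 10,000-unit budget.
OPTIONS = [
    Option("firewall", delta_p=15.0),
    Option("intrusion detection update", delta_d=18.0),
    Option("quick-response method", delta_c=20.0),
]

if __name__ == "__main__":
    print(f"baseline margin: {BASELINE.margin():+.0f} min, effective={BASELINE.is_effective()}")
    for name, margin, effective in rank_options(BASELINE, OPTIONS):
        print(f"{name:28s} margin {margin:+.0f} min  effective={effective}")
```

With the assumed baseline the quick-response option ranks first, as the article says, and it is also the only option besides the detection update that moves the organization into the P > D + C region; the firewall alone leaves the margin at exactly zero, which the model counts as not effective. Rerunning with a different baseline shows why the ranking is conditional on "other factors remaining unchanged": when D is already small, an 18-minute detection improvement cannot be realised in full.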
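The preventive controls section calls for a user access authorization matrix and for privileges matched to each employee's job description. The following added example (not from the article) shows how an auditor can check that in code: a constructed role-to-privilege matrix is compared against the grants actually held in the systems, and every grant that exceeds the role's permitted privileges, or belongs to a role the matrix does not define, becomes a finding. The roles, systems, users and privileges are sample data invented for the example.

```python
"""Least-privilege review of actual grants against an authorization matrix.

Added example, not from the article. All roles, systems and grants below
are constructed sample data.
"""
from dataclasses import dataclass

# Authorization matrix: job role -> {system: set of permitted privileges}.
# Constructed sample matrix; a real one comes from the organization's job descriptions.
AUTH_MATRIX = {
    "accounts_payable_clerk": {"erp": {"read", "create_invoice"}},
    "payroll_officer": {"hr": {"read", "update"}, "erp": {"read"}},
    "it_administrator": {"erp": {"read", "admin"}, "hr": {"admin"}},
}


@dataclass(frozen=True)
class Grant:
    """One privilege a user actually holds on a system, as exported from that system."""
    user: str
    role: str
    system: str
    privilege: str


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    privilege: str
    reason: str


def review_grants(matrix: dict, grants: list[Grant]) -> list[Finding]:
    """Return one finding per grant that the authorization matrix does not permit."""
    findings = []
    for g in grants:
        permitted = matrix.get(g.role)
        if permitted is None:
            # A role nobody has defined cannot have been authorized by anyone.
            findings.append(Finding(g.user, g.system, g.privilege,
                                    f"role '{g.role}' not in authorization matrix"))
            continue
        if g.privilege not in permitted.get(g.system, set()):
            findings.append(Finding(g.user, g.system, g.privilege,
                                    f"exceeds privileges of role '{g.role}'"))
    return findings


# Constructed sample of what the systems actually hold.
GRANTS = [
    Grant("alice", "accounts_payable_clerk", "erp", "read"),
    Grant("alice", "accounts_payable_clerk", "erp", "create_invoice"),
    Grant("alice", "accounts_payable_clerk", "erp", "approve_invoice"),  # beyond her role
    Grant("bob", "payroll_officer", "hr", "update"),
    Grant("bob", "payroll_officer", "erp", "admin"),                     # beyond his role
    Grant("carol", "contractor", "erp", "read"),                         # role not in matrix
]

if __name__ == "__main__":
    for f in review_grants(AUTH_MATRIX, GRANTS):
        print(f"{f.user}: {f.system}/{f.privilege} - {f.reason}")
```

The review is deliberately one-directional: it flags privileges held without authorization, which is the least-privilege question, and says nothing about authorized privileges a user happens not to have. The grant list is the evidence an auditor would export from each system; the matrix is the standard the grants are tested against, so keeping the two sources separate is what makes the check meaningful.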