IT CONTROLS AND HACKERS
By John Kyriazoglou*
The main purpose of IT controls is to ensure the safe and secure operation of information systems and to protect the organization’s IT assets, and the data maintained by these systems, from harm or other potential damage. These objectives are achieved by a set of policies, procedures, practices, methods, techniques and technological measures, collectively called ‘controls’.
IT systems and infrastructure controls are classified as General IT Controls, i.e., controls applying to the whole of an organization’s Information Systems activity, and as IT Application Controls, which are specific to a given application, such as payroll processing, general ledger accounting, accounts receivable, etc. Both types of controls, in any type of organization (private, public, etc.), must operate within the greater framework of corporate governance and the internal control system in order to fulfill their purpose to the fullest.
Sometimes the boundary line between these control types (General IT Controls, IT Application Controls) is rather arbitrary, particularly in client/server, web-based and cloud computing applications, most of which may run on several computers.
What is important and crucial for IT management, systems development professionals and other stakeholders (auditors, fraud examiners, etc.) is to realize that a comprehensive and effective combination of both of these control types (General IT Controls and IT Application Controls) is required to ensure, as much as possible, an adequately safe and secure processing environment. We need to be proactive, and to plan and prepare both ourselves and our organizations for possible attacks on information systems, frauds committed against them, errors occurring in them, disasters affecting IT facilities, and unusual events.
We should also note that modern intruders into IT systems and networks do not publish their tools, their successful or failed attacks, or their profits. They act anonymously and quietly, in a step-by-step approach, from both inside and outside the organization, from anywhere on the planet, and they usually cover their trail.
The players now include terrorists, white-collar criminals, hackers, open source. The global underground cyber-criminal community is actually trying to do better than we do. Ten years ago, people sold you user IDs and passwords. Now the menu includes your CVs, ATM and credit cards with PIN numbers, and whole e-mail inboxes. They will ship information anywhere in the world for money.
There is an army of them with new skills and capabilities: mappers, scanners, hackers, crackers, password sniffers, readers and ‘shooters’ using van Eck tools (eavesdropping on the electromagnetic emanations of equipment), programmers who write code to enter network and application systems without leaving a trail, moles (personnel) placed in an organization long before it is attacked, vendors who sell illegal and improper hardware and software, social engineers who obtain passwords and other sensitive information by various means, etc.
They need to be controlled by society on the one hand, through the enactment of rules, regulations, laws, codes of ethics, etc., and by organizations on the other hand, through the design and implementation of overall corporate and detailed IT controls.
Corporate and IT control issues are quite complex and are often treated as part of corporate and business strategic and operational concerns, rather than on their own ground. Detailed IT controls require far more than the latest methods, practices and software tools or technology. Organizations must understand very precisely what IT entities, data, media, systems, services and assets they are trying to protect, and why, before selecting any general or specific IT control solutions.
We must also note that, as recent international data breach cases show, data privacy and protection shortcomings can do irreparable harm to companies’ balance sheets, not to mention their brands, credibility, customer trust and customer relationships.
IT management, IT professionals, IT auditors, internal auditors, fraud experts, etc., must always be on their guard to protect their organizations, the data stored and reported by their IT systems, and the greater society, by using, implementing and improving IT controls and methods in the most efficient and effective way.
IT controls, operating within the greater IT Governance Practices Framework, can create value for an organization, as we have seen in several consulting projects for various clients.
It is our mission, moral duty, responsibility and job to do this. IT application systems are the life-blood of organizations. Quick dissemination of correct and timely information drives forward, enables and facilitates our national and global economies, benefiting everyone across the globe.
We need to work hard to achieve effective and working IT controls. As Menander (ancient Greek writer, 342-291 B.C.) said: ‘He who labors diligently need never despair; for all things are accomplished by diligence and labor’.
We need to both plan and act. As William Shakespeare said: ‘Be great in act, as you have been in thought’.
We must be persistent in reaching the goal of controls, and be aware of what Friedrich Nietzsche said: ‘Many are stubborn in pursuit of the path they have chosen, few in pursuit of the goal’.
Last but not least, we may need to be disciplined in our approach, because, as Abraham Lincoln said: ‘Be sure you put your feet in the right place, then stand firm’.
For more specific details on IT Controls as well as Business Management Controls, see the following books by John Kyriazoglou:
1. ‘IT Strategic & Operational Controls’, 2010, IT Governance, U.K.
2. ‘Business Management Controls: A Guide’, 2012, IT Governance, U.K.
3. ‘Business Management Controls: Toolkit’, 2012, IT Governance, U.K.