Wednesday, October 28, 2015

IT CONTROLS AND HACKERS

By John Kyriazoglou*
The main purpose of IT Controls is to ensure the safe and secure operation of information systems and to protect the organization’s IT assets, and the data maintained by these systems, from harm or other potential damage. These objectives are achieved by a set of policies, procedures, practices, methods, techniques and technological measures, collectively called ‘controls’.
IT systems and infrastructure controls are classified as General IT Controls, i.e., controls applying to the whole of an organization’s Information Systems activity, and IT Application Controls, which are specific to a given application, such as payroll processing, general ledger accounting, accounts receivable, etc. Both types of controls, in any type of organization (private, public, etc.), must operate within the greater framework of corporate governance and the internal control system in order to fulfill their purpose to the fullest.
Sometimes the boundary between these control types (General IT Controls, IT Application Controls) is rather arbitrary, particularly in client/server, web-based and cloud computing applications, most of which may run on several computers.
What is important and crucial is for IT management, systems development professionals and other stakeholders (auditors, fraud examiners, etc.) to realize that a comprehensive and effective combination of both control types (General IT Controls and IT Application Controls) is required to ensure, as far as possible, an adequately safe and secure processing environment. We need to be proactive, and to plan and prepare both ourselves and our organizations for possible attacks on information systems, frauds committed through them, errors occurring in them, disasters affecting IT facilities, and other unusual events.
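To make the distinction between the two control types concrete, the following is an added example in Python; it is not code from the original article or from the author’s books. A payroll batch passes through both layers: a deny-by-default authorization check with an audit trail and a segregation-of-duties rule stand in for General IT Controls (they apply to every application on the system), while record validation, reasonableness limits and batch control totals stand in for IT Application Controls (they are specific to payroll). The role table, the thresholds and the payroll records are constructed for illustration and are not taken from the page.

```python
"""Added illustration of General IT Controls and IT Application Controls
applied together to one payroll batch. Constructed example, not from the
original article; the role model, limits and records are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# --- General IT control: authorization and an audit trail -------------------
# Applies to every application on the system, not only to payroll.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {      # assumed role model
    "payroll_clerk": {"submit_batch"},
    "payroll_supervisor": {"approve_batch"},
    "auditor": {"read_audit_log"},
}

AUDIT_LOG: List[str] = []   # append-only record of every authorization decision


def authorize(user: str, role: str, action: str) -> bool:
    """Deny by default; every decision, allowed or denied, is logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append(
        f"user={user} role={role} action={action} "
        f"result={'ALLOW' if allowed else 'DENY'}"
    )
    return allowed


# --- Application controls: specific to payroll processing -------------------
@dataclass
class PayRecord:
    employee_id: str
    hours: float
    rate: float


@dataclass
class BatchResult:
    accepted: List[PayRecord] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)
    total_pay: float = 0.0


MAX_HOURS_PER_PERIOD = 80.0   # assumed reasonableness limit for one pay period
MAX_RATE = 200.0              # assumed upper bound on an hourly rate


def validate_record(rec: PayRecord) -> List[str]:
    """Input validation and reasonableness checks on a single record."""
    errors = []
    if not (rec.employee_id.isdigit() and len(rec.employee_id) == 6):
        errors.append("employee_id must be 6 digits")
    if rec.hours < 0 or rec.hours > MAX_HOURS_PER_PERIOD:
        errors.append(f"hours {rec.hours} outside 0..{MAX_HOURS_PER_PERIOD}")
    if rec.rate <= 0 or rec.rate > MAX_RATE:
        errors.append(f"rate {rec.rate} outside 0..{MAX_RATE}")
    return errors


def process_batch(records: List[PayRecord], declared_count: int,
                  declared_hours: float, submitter: str, submitter_role: str,
                  approver: str, approver_role: str) -> BatchResult:
    """Run one payroll batch through both control layers.

    General controls: submitter and approver must each hold the right role,
    and must be different people (segregation of duties).
    Application controls: batch control totals must match what the
    originating department declared, and every record must pass validation.
    """
    result = BatchResult()
    if not authorize(submitter, submitter_role, "submit_batch"):
        result.rejected.append("submitter not authorized")
        return result
    if approver == submitter or not authorize(approver, approver_role, "approve_batch"):
        result.rejected.append("approval failed segregation-of-duties check")
        return result
    # Batch control totals detect records lost, duplicated or altered in transit.
    if len(records) != declared_count or abs(sum(r.hours for r in records) - declared_hours) > 1e-9:
        result.rejected.append("batch control totals do not match declared totals")
        return result
    for rec in records:
        errs = validate_record(rec)
        if errs:
            result.rejected.append(f"{rec.employee_id}: " + "; ".join(errs))
        else:
            result.accepted.append(rec)
            result.total_pay += rec.hours * rec.rate
    return result


# Constructed sample batch; the third record carries an implausible rate.
SAMPLE_BATCH = [
    PayRecord("100001", 40.0, 25.0),
    PayRecord("100002", 38.5, 30.0),
    PayRecord("100003", 40.0, 950.0),
]


def demo() -> BatchResult:
    """Process the sample batch with a clerk submitting and a supervisor approving."""
    return process_batch(SAMPLE_BATCH, declared_count=3, declared_hours=118.5,
                         submitter="alice", submitter_role="payroll_clerk",
                         approver="bob", approver_role="payroll_supervisor")


if __name__ == "__main__":
    r = demo()
    print(f"accepted={len(r.accepted)} rejected={r.rejected} total_pay={r.total_pay}")
    print("\n".join(AUDIT_LOG))
```

Note how the two layers fail independently: a clerk who approves his own batch is stopped by the general control before any record is examined, while a batch with a mismatched count or an out-of-range rate passes authorization and is stopped by the application control. Either layer alone leaves a gap, which is the point the paragraph above makes.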
We should also note that modern intruders into IT systems and networks do not publish their tools, their successful or failed attacks, or their profits. They act anonymously and quietly, in a step-by-step approach, from both inside and outside the organization and from anywhere on the planet, and they usually cover their trail.
The players now include terrorists, white-collar criminals, hackers, open source. The global underground cyber-criminal community is actually trying to outdo us. Ten years ago, people sold you user IDs and passwords. Now the menu includes your CVs, ATM and credit cards with PINs, and whole e-mail inboxes. They will ship information anywhere in the world for money.
There is an army of them with new skills and capabilities.
There are mappers, scanners, hackers, crackers, password sniffers, readers and shooters with Van Eck tools, programmers who write code to enter network and application systems without leaving a trail, moles (personnel) placed in an organization long before it is attacked, vendors who sell illegal and improper hardware and software, social engineers who obtain passwords and other sensitive information by various means, etc.
They need to be controlled by society on the one hand, through the enactment of rules, regulations, laws, ethics codes, etc., and by organizations on the other, through devising and implementing overall corporate controls and detailed IT controls.
Corporate and IT control issues are quite complex and are often addressed as part of corporate and business strategic and operational concerns rather than in their own right. Detailed IT controls require far more than the latest methods, practices and software tools or technology. Organizations must understand very precisely what IT entities, data, media, systems, services and assets they are trying to protect, and why, before selecting any general or specific IT control solutions.
We must also note that, as recent international data breach cases show, data privacy and protection shortcomings can do irreparable harm to companies’ balance sheets, not to mention their brands, credibility, customer trust and relationships.
IT management, IT professionals, IT auditors, internal auditors, fraud experts, etc., must always be on their guard to protect their organizations, the data stored and reported by their IT systems, and the greater society, by using, implementing and improving IT controls and methods as efficiently and effectively as possible.
IT controls, operating within the greater IT Governance Practices Framework, can create value for an organization, as we have seen in several consulting projects for various clients.
It is our mission, moral duty, responsibility and job to do this. IT application systems are the life-blood of organizations. Quick dissemination of correct and timely information drives forward, enables and facilitates our national and global economies, benefiting everyone across the globe.
We need to work hard to achieve effective and working IT controls. As Menander (ancient Greek writer, 342-291 B.C.) said: ‘He who labors diligently need never despair; for all things are accomplished by diligence and labor’.
We need to both plan and act. And as William Shakespeare said: ‘Be great in act, as you have been in thought’.
We must be persistent in reaching the goal of controls, and be aware of what Friedrich Nietzsche said: ‘Many are stubborn in pursuit of the path they have chosen, few in pursuit of the goal’.
Last but not least, we need to be disciplined in our approach, because, as Abraham Lincoln said: ‘Be sure you put your feet in the right place, then stand firm’.
For more specific details on IT Controls as well as Business Management Controls, see the following books by John Kyriazoglou:

1. ‘IT Strategic & Operational Controls’, 2010, IT Governance, U.K.
2. ‘Business Management Controls: A Guide’, 2012, IT Governance, U.K.
3. ‘Business Management Controls: Toolkit’, 2012, IT Governance, U.K.

18 comments:

  1. Hi, I really appreciate all the great content you have here. I am glad I came across it!
    personal development
  2. You're soooo talented in writing. God is truly utilizing you in tremendous ways.
    stress management

  3. Post is very informative. It helped me with great information, so I really believe you will do much better in the future.
    stress management

  4. I have read many blogs on the net but have never come across such a well written blog. Good work, keep it up.
    industry research

  5. Really!!! I am very impressed after reading this blog. Thanks for providing deep information for
    mood

  6. Truly superb blog, I don’t have actual words to praise in regards for this
    defeat fatigue

  7. This is easier and surely gives comfort to internet users. Thanks for sharing. Posts like this offer great benefit. Thank you!
    the engraving company Middlesex

  8. If you could message me with any hints & tips on how you made your blog look this cool, I would be appreciative!
    Acne Treatment

  9. This is a really good read for me. Must admit that you are one of the best bloggers I ever saw. Thanks for posting this informative article.
    Postnatal depression

  10. How to deal with a panic attack..?
    stress

  11. This comment has been removed by the author.

  12. This is something really helpful and a nice article,
    Hypnotherapy

  13. That is important to keep IT management systems safe and well-monitored. This includes a retail shop's IT management system, which includes a store's POS software system, which is at the forefront of efficient information technology management. The same goes for the grocery store POS software system for midsize and large grocery stores and multi-store chains of grocery shops.

  14. Such a nice blog and I appreciate all your efforts about the psychological thriller; it's really good work. Well done.
    psychological thriller

  15. I really loved reading your thoughts; obviously you know what you are talking about! Your site is so easy to use too; I’ve bookmarked it in my folder.
    online counselling