Information Management and Auditing
Information Assets Protection
Other points:
The information owner is responsible for establishing (authorizing) system access.
Access capabilities are implemented by the security administrator.
Access rights and responsibilities should be reviewed periodically.
Non-employees (contract employees, vendor employees, maintenance personnel, clients, auditors, and consultants) should also adhere to the security policies.
Access controls could be either mandatory or discretionary:
Mandatory access control – a mechanism to enforce corporate security policy or security rules dealing with information resource sharing.
Discretionary access control – data-owner-defined sharing of access control.
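Added here as an illustration (not from these notes): a small Python model in which the data owner manages a share list (discretionary) while the system enforces a sensitivity-label rule that the owner cannot override (mandatory). The names, labels and the "no read up" rule are assumptions made for the example.

```python
"""Constructed DAC vs MAC example; labels, users and rule are assumptions."""
from dataclasses import dataclass, field

# Ordered sensitivity labels used by the mandatory (corporate) policy.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Resource:
    name: str
    owner: str
    label: str                              # classification set by policy
    acl: set = field(default_factory=set)   # owner-managed share list (DAC)


@dataclass
class Subject:
    name: str
    clearance: str


def dac_grant(resource, grantor, grantee):
    """Discretionary: only the data owner may add someone to the ACL."""
    if grantor != resource.owner:
        return False
    resource.acl.add(grantee)
    return True


def dac_allows(resource, subject):
    return subject.name == resource.owner or subject.name in resource.acl


def mac_allows(resource, subject):
    """Mandatory: a 'no read up' rule enforced by the system, not the owner."""
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def can_read(resource, subject):
    """Both controls must pass: the owner's sharing decision cannot override
    the corporate rule, and the rule alone does not mean the owner shared it."""
    return dac_allows(resource, subject) and mac_allows(resource, subject)


def demo():
    report = Resource("salary-report", owner="alice", label="confidential")
    alice, bob, carol = (Subject("alice", "confidential"),
                         Subject("bob", "internal"), Subject("carol", "confidential"))
    dac_grant(report, "alice", "bob")      # owner shares, but bob lacks clearance
    dac_grant(report, "alice", "carol")    # owner shares with a cleared user
    return {"owner": can_read(report, alice),
            "bob_shared_but_cleared_too_low": can_read(report, bob),
            "carol_shared_and_cleared": can_read(report, carol),
            "bob_self_grant": dac_grant(report, "bob", "bob")}
```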
Privacy is the adherence to trust and obligation regarding any information relating to an identified or identifiable individual.
Management is responsible for adhering to privacy requirements. The IS auditor is NOT responsible for the contents of the database. IS auditors may also seek expert opinion. The IS auditor has to review management's privacy policies, which include:
Nature of information.
Accountability of privacy issues.
Reduction in privacy modifications.
CRITICAL SUCCESS FACTORS:
Managerial commitment and support.
Updated policies and procedures reflecting business objectives.
CRIMES AND EXPOSURES:
Crimes can damage the reputation, morale, and viability of an organization. Threats related to crimes can be classified as follows:
Legal repercussions (consequences).
Loss of credibility (competitive edge).
Disclosure of confidential sensitive information.
Sabotage – bad corporate image.
The following could be computer crime perpetrators:
A person able to explore system details and exploit them.
Script kiddies – persons who use pre-written scripts and programs to perform their own tasks.
A person who illegally tries to break security measures.
Employees (authorized or unauthorized).
IS personnel – custodians of information.
Prepared by: Muhammad Umar Munir