Tuesday, June 14, 2011

Managing Systems Security

Question no. 1

The Five information system risks are:

Ø Human Errors

Ø Environmental Hazards

Ø Computer Systems Failure

Ø Intentional Threats

Ø Cyber Crime

Human Errors

In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness in 2008 (86 percent) by a survey, followed by technology (a distant 63 percent)," the report states. It attributes the rising risk to increased adoption of new technologies and social networking.

Human errors can happen in many ways, for example in the design of hardware and information systems, or in programming, testing and authorization.

Environmental Hazards

The forces of the natural world can cause significant risk to life, property and economies. The power of extreme weather events and geological movements can alter the status quo in sudden dramatic actions. Natural risk includes flooding and mudflow, landslides, avalanches, droughts and fires and coastal realignment.

Industrialization has created additional stresses on the capacity of natural systems to recycle and regenerate, leading to a different set of environmental risks. Aspects of this research area include understanding the resilience of natural systems and modeling the uncertainties associated with risk management strategies.

Examples of environmental hazards are fire, earthquakes, hurricanes, floods, lightning strikes, etc.

Computer Systems Failure

This problem can be caused by poor design of the systems, use of defective material, lack of proper quality control and/or inadequate specification of hardware by the buyer. It is a common risk in an organization if the company does not have experienced IT employees who know what is best for their company and can design the system according to its needs for servers, documents, etc.

An example of computer systems failure: if Carrefour has deployed slow computer systems and there is a crowd of people waiting in line at the counter to pay, those customers can abandon their shopping at Carrefour and move on to any other mall or shopping market.

Intentional Threats

Computer crimes are the best example of intentional threats, where someone purposely damages property or information. They include identity theft, credit crime, etc.

Intentional threats may also include malicious damage such as terrorist attacks, destruction of the information system by a virus attack, fraud and crimes related to the use of the internet, and many more.

Cyber Crime

Cyber crime is stealing data or information via networks (a computer network, for example). Crimes can be committed by hackers, who are outsiders that penetrate a computer system, or by insiders who are authorized to use the computer system but are misusing their authorization.

Two basic methods of attack on computer systems are:

Ø Data Tampering

o False, fabricated or fraudulent data

o Changing or deleting data

o Examples – Wages clerk and the extra employee

Ø Programming fraud

- Programming techniques used to modify a computer program

o Virus

o Worm

o Trojan Horse

o Spoofing

Question no. 2

The four possible ways to prevent or control system risks are explained below:

ACCESS CONTROL

“Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical structure, is generally seen as the second layer in the security of a physical structure.”

Access control is an important means of preventing or controlling system risk; in everyday terms it means requiring a password or PIN before access is granted. An example of access control is the PIN on a bank's ATM system: it allows the account holder to lock down the bank account with a PIN or password. A computer system can likewise be locked with a PIN or password, as in that example. A senior or executive person can be given the access authority to control or prevent system theft and many other threats.

Firewall

By implementing a firewall, the system can be protected from viruses, worms and other threats that cyber criminals such as hackers may use against it. A firewall can block unusual activity that attacks the system in order to steal or corrupt data, and so it can prevent or control system risks.

Virus Protection

Anti-virus software can prevent or control corruption of the system by cyber crimes, which are mostly carried out by hackers. Hackers can introduce a virus into the system that damages it or deletes all of its data, so virus protection can prevent or control the system risk.

Personal Control

Personal control can be a useful or advantageous factor for an organization or company in preventing or controlling system risk. It means keeping all control in your own hands; a manager or senior employee can do this for security purposes.

Question No. 3

The two types of audits are:

Ø Internal Audit (and Auditors)

Ø External Audit (and Auditors)

DIFFERENCES BETWEEN INTERNAL & EXTERNAL AUDITS

The INTERNAL AUDITORS are regular employees of the company they audit. Internal audits generally examine internal controls and the main purpose is to recommend improvements in efficiency and operational effectiveness. The materiality level for an internal audit is much lower than for an external audit.

(An external auditor will never examine unimportant cash, but an internal auditor will.)

The EXTERNAL AUDITORS are organizationally independent; they work for a completely different company than the company being audited. They also get paid more; the internal auditors receive their regular salary, regardless of their findings. The external auditors get paid based on their contract which includes expenses, overhead and profit.

The external auditors issue an opinion on the fairness of the financial or IT statements taken as a whole. The internal auditors may issue an opinion on a much smaller unit they may be auditing, but often they do not.

External auditors are required to follow generally accepted auditing standards (or international auditing standards); internal auditors are not. Internal audits may follow GAAS, they may follow IA standards, or they may not follow any special standard.

An internal audit may cover a time period of a week, month or quarter. An external audit generally covers a year.
