
SCHOOL OF INFORMATION TECHNOLOGY

Information Security Audit


SLOT: C2

Assignment on
Identifying the challenges faced by an information system manager
who works with the Information Systems of an enterprise in terms of
Risk, Threat, Vulnerability, Exposure and Attack.

Submitted by:
Ritvik Gupta (18BIT0218)
Aditya Kumar (18BIT0235)

Who is an Information System Manager?
Information systems managers oversee the use of technology in a business or
organization. They make decisions about the installation, maintenance and
upgrade of the computing equipment used in the workplace, and so they must
understand how to work with computer hardware, software and security.

The duties of an Information system manager include:

• Accomplishes information systems staff results by communicating job expectations;
planning, monitoring, and appraising job results; coaching, counselling, and
disciplining employees; initiating, coordinating, and enforcing systems, policies, and
procedures.

• Maintains staff by recruiting, selecting, orienting, and training employees;
developing personal growth opportunities.

• Maintains a safe and healthy working environment by establishing and enforcing
organisation standards; adhering to legal regulations.

• Sustains information systems results by defining, delivering, and supporting
information systems.

• Assesses information systems results by auditing the application of systems.

• Enhances information systems results by identifying information systems
technology opportunities and developing application strategies.

• Safeguards assets by planning and implementing disaster recovery and back-up
procedures and information security and control structures.

• Accomplishes financial objectives by determining the service level required; preparing
an annual budget; scheduling expenditures; analysing variances; initiating
corrective action.

• Maintains professional and technical knowledge by attending educational
workshops; reviewing professional publications; establishing personal networks;
benchmarking state-of-the-art practices; participating in professional societies.

• Contributes to team effort by accomplishing related results as needed.

Different Types of Information Systems

• Transaction Processing System (TPS): Transaction processing systems were among the
earliest computerized systems. Their primary purpose is to record, process, validate, and
store the transactions that take place in the various functional areas of a business for
future retrieval and use. In short, a transaction processing system is an information
system that records company transactions.

• Decision Support System (DSS): A Decision Support System is an interactive
computer-based system which helps decision-makers use data and models to solve
unstructured problems. It is a computer-based support system for management
decision-makers who deal with semi-structured and unstructured problems.

• Management Information System (MIS): A Management Information System is a
subset of the overall internal controls of a business covering the application of people,
documents, technologies, and procedures by management accountants to solve
business problems such as costing a product, service or a business-wide
strategy. A Management Information System is basically concerned with processing data
into information which is then communicated to the various departments in an
organisation for appropriate decision-making.

• Executive Support System (ESS): Executive Support Systems supply the
necessary tools to senior management. The decisions at this level of the company are
usually unstructured and could be described as “educated guesses”. Executives rely
as much, if not more, on external data as on data internal to their organization,
because decisions must be made in the context of the world outside the
organization. The problems and situations senior executives face are very fluid and
always changing, so the system must be flexible and easy to manipulate.

Challenges faced by an Information System Manager

Need for balance of compliance and efficiency when managing records

Compliance and efficiency are the two main drivers behind an organization's information
management effort.

Compliance provides long-term efficiency, while efficiency enables the organization to
meet its objectives. In this way, the two are not separate. Helping stakeholders see
that these values are shared will promote balance between compliance and operational
staff. Knowing the true requirement versus the regulatory interpretation of requirements can
help organizations find the sweet spot that balances compliance and efficiency.

Limited awareness of when information should be archived or disposed of,
and lack of action

Despite company policies being set and training being provided, staff are still a significant
factor in causing information leaks or confidentiality breaches. Organizations need to go
beyond policy setting: regularly communicate, conduct archiving/disposal exercises with
employees, and incentivize behaviours that promote information security.

Lack of adequate resourcing or skill set

As an organization grows, information management is seldom a priority for investment in
resourcing or training, and organizational information management may be hampered by
many challenges as a result. Promote recognition that every area of the organization
interacts with information in order to operate; better management is therefore a win-win
for all teams. Recognizing that each department needs information management resourcing
and skill set development will help start the conversation on getting dedicated time and
resources.

Meeting information requests while preventing violations of client
confidentiality

Ohio State University (OSU) notes this challenge when regulators request information from an
organization. The aim is to provide what is required while limiting the exposure of the client.
Ensuring that there is communication between the organization and the client on information
requests, or a pre-approved waiver authorizing information release in the event of a regulatory
inquiry, addresses this issue.

A key step in information management is understanding information overload on an
individual basis (the source recommends a TED Talk on the topic).

Managing exponentially multiplying information

The amount of information and data we deal with is multiplying exponentially, and
information managers are struggling to ensure that business and regulatory requirements are met.
Organizations must engage all staff in helping manage compliance, as they are best positioned to
root out infractions and act as the key trigger for information disposal. Organizations that head in
this direction must allocate time for employees to routinely determine what needs to be kept versus
what needs to be disposed of. Simply assuming staff will do this despite packed schedules is
haphazard and ineffective.

Managing secure disposal of all information assets

The need to securely dispose of information assets once they are no longer useful to an
organization is both a business and a regulatory imperative. Meeting regulatory requirements
requires due diligence: organizations may face scrutiny and sanctions if they dispose of
information assets on their own without it, and they also incur unnecessary costs on media
and paper shredding. Partnering with a secure disposal service provider helps an organization
meet regulations and also provides an advisor to help navigate inquiries.

Security and Legal Threats to Information Systems

Businesses face many external and internal digital threats that can corrupt hardware and
compromise data. Private data and intellectual property could be used in e-crime or fraud.

Malware, viruses, spam and cookies

Malicious software (malware) such as worms, viruses, Trojans and spyware spreads through:

• email attachments
• files on removable storage devices
• visits to infected websites.

Hackers use malware to control our computers remotely, steal or destroy information, corrupt
hardware and software, or spread further malware.

Spam or junk emails promote fake or non-existent products and services such as get-rich-quick
schemes, false prize or lottery wins, or fraudulent and poor-quality goods.

Cookies are not malware, but tracking cookies record our website visits, can build a profile of
our online interests and buying habits, and report these details to third parties.

Online scams, phishing and pharming

Online scams and fraudulent websites or emails are designed to trick us into revealing sensitive
information including bank account details, passwords or credit card numbers.

Phishing uses fraudulent emails claiming to be from a trusted sender, such as a bank, to 'fish' for
information; the link in the message typically leads to a look-alike site rather than the real one.
Pharming occurs when a hacker infects our computer with malicious code that redirects us or our
customers to a fake website, for example by altering DNS settings or the local hosts file, so that
even a correctly typed address lands on the attacker's site. Both are used for online identity
theft or cyber fraud.
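As an added example (it is not part of the original assignment), the Python script below implements two of the cheap checks an information system manager's team could run for the phishing and pharming indicators just described: it flags email links whose visible text names one domain while the href points at another, and it flags hosts-file entries that pin a watched domain to a non-loopback address. The email body, hosts-file text and list of watched domains are constructed for illustration; the `_registrable()` helper is a crude last-two-labels approximation, not a public-suffix lookup.

```python
"""Added example: phishing-link and hosts-file pharming checks.
All sample data below is constructed; domain names are hypothetical."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain
    (assumption: good enough for example.com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_link_mismatches(html):
    """Return links whose visible text shows one domain but whose href
    resolves to another: the classic phishing pattern."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname or ""
        # Only links whose visible text looks like a URL or bare domain count.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if not m:
            continue
        shown = m.group(1)
        if _registrable(shown) != _registrable(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def find_hosts_overrides(hosts_text, watched_domains):
    """Return hosts-file entries that map a watched domain to a non-loopback
    address, the mechanism pharming malware commonly uses."""
    watched = {d.lower() for d in watched_domains}
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                             # malformed line, skip
        if ip.is_loopback:
            continue                             # localhost entries are normal
        for name in (n.lower() for n in names):
            if name in watched or _registrable(name) in watched:
                hits.append({"line": lineno, "name": name, "address": addr})
    return hits


# Constructed sample inputs (hypothetical domains).
SAMPLE_EMAIL = """<p>Dear customer, please verify your account at
<a href="http://login.examplebank.com.verify-account.example.net/">
https://login.examplebank.com</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">www.examplebank.com</a>.</p>
"""

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.45  www.examplebank.com examplebank.com   # injected by malware
192.0.2.10    intranet.example.org
"""

WATCHED = ["examplebank.com", "paymentsprovider.example"]

if __name__ == "__main__":
    for f in find_link_mismatches(SAMPLE_EMAIL):
        print("phishing link: shows %(shown)s, goes to %(actual)s" % f)
    for h in find_hosts_overrides(SAMPLE_HOSTS, WATCHED):
        print("hosts override: line %(line)d maps %(name)s to %(address)s" % h)
```

Run against the sample data, the first link is reported because the text shows `login.examplebank.com` while the href lands on `example.net`, and the hosts file line that points `examplebank.com` at 203.0.113.45 is reported as an override; the loopback and intranet entries are left alone. Real deployments would replace `_registrable()` with a public-suffix list and compare hosts-file results against the organization's resolver rather than a static list.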

Hackers, cybercrime and information/IP theft

Sophisticated and complex e-crime includes the theft of information or intellectual property, such
as trademarks or customer credit card details. Hackers illegally access our hardware and data to
use information such as credit card details for cybercrime, and can corrupt or compromise our
online security.

Electronic transaction laws

Legally, electronic financial transactions carry the same obligations as cash transactions, and
our online security must comply with national and state laws. In the case of fraud or a data leak,
the business can be held fully liable, so it must take steps in security and insurance to limit its
exposure.

Conclusion

The above is a brief report of the various challenges and responsibilities of an Information
System Manager. The main goal is to increase the efficiency, productivity and
responsiveness of the system while ensuring the security of the critical technological platforms
the business depends on. Once these challenges are addressed, the system undergoes
rigorous testing in order to find vulnerabilities and to guide future development of the system.
