INFORMATION SYSTEMS SECURITY AND CONTROLS

Information system
This is the organized collection, processing, transmission and storage of information in
accordance with defined procedures whether automated or manual.

The value of information comes from the characteristics it possesses. Some characteristics affect
the information’s value to users more than others do. This can depend on circumstances; for
example, timeliness of information can be a critical factor, because information loses much or all
of its value when it is delivered too late. The following are some of its characteristics:

- Availability: enables authorized users or computer systems to access information without

interference or obstruction and to receive it in the required format.
- Accuracy: Information has accuracy when it is free from mistakes or errors and it has the
value that the end user expects. If information has been intentionally or unintentionally
modified, it is no longer accurate.
- Authenticity: is the quality or state of being genuine or original, rather than a reproduction
or fabrication. Information is authentic when it is in the same state in which it was
created, placed, stored or transferred.
- Confidentiality: Information is confidential when it is protected from disclosure or
exposure to unauthorized individuals or systems. Confidentiality ensures that only those
with the rights and privileges to access information are able to do so.
- Integrity: Information has integrity when it is complete and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption, damage or
destruction of its authentic state. Corruption can occur while information is being stored
or transmitted.
- Utility: This is the quality or state of having value for some purpose or end. Information
has value when it can serve a purpose. If information is available, but it is not meaningful
to the end user, it is not useful.
Security
Generally, security is the quality or state of being secure and free from danger. In other words,
protection against those who would do harm, intentionally or otherwise.
A successful organization should have the following multiple layers of security in place to
protect its operations:
1. Physical security - to protect physical items, objects, or areas from unauthorized access and
misuse.
2. Personnel security - to protect the individual or group of individuals who are authorized to
access the organization and its operations.
3. Network security - to protect networking components, connections and contents.
4. Information security - to protect the confidentiality, integrity and availability of information
assets, whether in storage, processing or transmission. It is achieved via the application of
policies, training, awareness and technology.

Controls
This are methods, policies and organizational procedures that ensure safety of organizational
assets; accuracy and reliability of its records and operational adherence to management
standards.

Therefore, we can define information systems security as the policies, procedures and technical
measures used to prevent unauthorized access, alteration, theft or physical damage to information
systems. It is the state of being protected against the unauthorized use of information resources,
especially electronic data or the measures taken to achieve this.
Information systems security is a complex field with many unknown and unexplored areas.
Security threats such as break-ins, denial of service, unauthorized access and information
integrity concerns remain a critical challenge to information systems. In this manner our
discussion cannot be complete without touching on computer security and controls. During the
design and all throughout the operation of a computer system, security measures must be
incorporated. Computer systems security management efforts should focus on addressing
organizational arrangements that create security loopholes. This is accomplished by the
development and implementation of organizational control systems that cover all aspects of
computer systems development, implementation and operations.
The aim of a control system is to eliminate the occurrence of erroneous and fraudulent data
processing, storage and transmission. This should however be done in the light of prevailing
practical realities relating to resource requirements and cost implications. Nevertheless, control
systems should:
Prevent all possible erroneous and fraudulent data processing
Detect the occurrence of such errors and fraud,
Minimize the extent of loss to the organization that arise
Facilitate recovery from such losses, errors and frauds.
Provide a frame work for investigating cause of errors, how they can be effectively prevented
from occurring, detected when they occur and strategies for addressing them effectively,
efficiently and at minimal costs.

Security Problems in Today's Information Systems

Security of information systems is the management of information technology risk in pursuit of
business objectives; Yet, events bordering on misuse and intentional damage are prevalent.
Businesses stand to lose profits, information resources, stakeholder and consumer confidence if
they allow unauthorized access to data.
Information technology has presented businesses with opportunities undreamt of only a couple of
decades ago. However, it also has introduced some unprecedented challenges. It is therefore
necessary to consider the superimposing issues seriously.
1. Cybercrime
Simply put, Cyber-crime refers to the use of information technology to commit crimes. Cyber-
crimes can range from simply annoying computer users to huge financial losses.

Types of cyber-crime
Identity theft: Identity theft is the crime of obtaining the personal information of another person
for the sole purpose of assuming that person's name or identity to make transactions or
purchases. This is done by accessing someone else’s personal details. The details used in such
crimes include date of birth, credit and debit card numbers, passport numbers, etc. Once the
information has been acquired by the cyber-criminal, it can be used to do transactions or even
perform a crime.
Remedies:
- Do not share personal information (birthdate, Social Security number, or bank account
number) just because someone asks for it.
- Use the security features on your mobile phone.
- Install and update firewalls and virus-detection software (a computer program used to
detect, prevent and remove malicious programs that have been placed on your computer
to spy on you or to damage your computer)
- Update sharing and firewall settings when you are on a public Wi-Fi network. Use a
virtual private network (VPN), if you are using a public Wi-Fi.
- Review your credit card and bank account statements daily if possible. Compare receipts
with account statements. Watch for unauthorized transactions.
- Freeze your credit files. Credit freezes prevent someone from applying for and getting
approval for a credit account or utility services in your name.
- Shred receipts, credit offers, account statements, and expired credit cards. This can
prevent “dumpster divers” from getting your personal information.
Copyright infringement: Copyright infringement is the violation, piracy or theft of a copyright
holder's exclusive rights through the unauthorized use of copyrighted material or work. Piracy is
one of the biggest problems with digital products. Fast internet access and reducing costs of
storage are some of the contributors of copyright infringement crimes.

Remedies:
- Ensure your work is properly marked: A correctly worded notice will deter infringement,
as it states that the work is protected under law. Displaying a notice shows that you have
an awareness of copyright and take infringements of your work seriously.
- Register your work: If your work is infringed and your claim to copyright is disputed you
may need evidence to help prove your claim. This valuable evidence can be provided by
our copyright registration service that provides verifiable proof of the date and content of
your work.
- Keep or register supporting evidence: Supporting evidence falls into two categories:
1. Evolution of ideas - This is evidence of the progression of the work. Early drafts,
synopsis, rough recordings, sketches, etc. are all evidence that the work progressed
over time, rather than being copied from elsewhere. Although it is possible to fake
such evidence, it is often time consuming to do so, so it can be fairly good evidence
to demonstrate that you created the work from scratch over a period of time.
2. Footprints or watermarking - This is normally evidence inserted into finished
documents that will identify the author in some way. Such as deliberate mistakes or
hidden data that can be read using special applications.
- Agreement between co-authors: If your work is a joint venture, be sure you know exactly
where you stand, who will own what rights and what happens when someone leaves.
 - Proving ownership: copyright is granted automatically. Commonly, creators mark their
work with the copyright symbol © followed by their name (or names) and the year in
which the work was published. You could register your copyright through an online
service or log your work with a bank or Solicitor.
Hacking: Hacking is the art of bypassing security controls to gain unauthorized access to a
system. Once the attacker has gained access to the system, they can do whatever they want
especially stealing sensitive information. We will look at the protection against hackers from 4
different scenarios.

Remedies:
- Keeping Your Accounts Secure
1. Create complex passwords: Your passwords to access your accounts on apps or
websites should consist of a combination of numbers, upper- and lower-case letters,
and special characters that is difficult to guess.
2. Do not give out your password: This is an obvious piece of advice, but one that bears
revisiting: with the exception of some school services, you should not ever have to
provide a site administrator with your password for them to access your account. If
you do then change it and maintain a tradition of changing your password often.
3. Use two-factor authentication: Two-factor authentication requires you to enter a code
sent to you in a text message or another service to access your account after you enter
your user name and password. This makes it more difficult for a hacker to access your
information, even if they are able to crack your password.
4. Avoid using the correct answer for security questions: When making security
questions, don't make the answer to them the correct answer. Hackers can find out
your mother’s maiden name or what street you grew up on easily. Instead, make the
answers incorrect or even better, make them like passwords and do not base the
answers on the questions at all.
5. Read privacy policies carefully: Any company that has information from you must
have a privacy policy that details how they use that information and the extent to
which they share it with others.
6. Log out of accounts when you're done with them: Simply closing the browser window
isn't always enough, so make sure you click (or tap) on your account name and
select Log Out (or Sign Out in some cases) to manually sign out of your account and
remove your login credentials from the site.
7. Make sure you are on an official website when entering passwords: Phishing scams
instances in which a malicious page pretends to be a login page for a social media or
bank account.
- Keeping Your Phone Secure
1. Update your devices and software: As soon as an update becomes available for
anything from your phone's Facebook app to its entire operating system, you should
apply it if possible. Many updates are patches to repair weaknesses and address
security vulnerabilities. 
2. Avoid rooting your phone or loading unverified apps: Both iPhones and Androids
have security safeguards that can be bypassed by rooting the respective devices but
doing so opens your phone up to attacks and infections that would have previously
been impossible. Similarly, downloading apps from unverified sources greatly
increases your risk of contracting malware.
3. Charge your phone on reliable USB ports: These include the ports on your computer
and in your car (if applicable). Public USB ports, like the ones you may see in a
coffee shop, can compromise your information.

- Keeping Your Computer Secure

1. Encrypt your hard drive: If your hard drive is encrypted, a hacker will be unable to
read the data stored there, even if they manage to gain access to your hard drive.
While you've taken steps to prevent access, encryption is another method of
protecting your information.
2. Install updates as soon as they become available: In addition to performance
upgrades, system updates often contain improvements to security.
3. Back up your data frequently: Despite even the strictest security, it's still possible
that your data may become compromised. This may be the result of hacking, or
simply computer failure. Backing up your data ensures you don't lose everything.
4. Avoid clicking suspicious links or responding to unknown emails: If you get an
unsolicited email or an email from a sender that you cannot verify, treat it as a
hacking attempt. Do not click on any links or give the sender any personal
information.
5. Install a strong anti-malware software and activate your firewall: Both Windows
and Mac-based computers come equipped with a firewall, which prevents hackers
from gaining access to your computer. A strong anti-malware program can protect
against system infections.
6. Enable a firmware password: If your computer has the option available, require
users to enter a password before rebooting from a disk or entering single-user mode.
A hacker cannot get around a firmware password unless they have physical access to
your machine, you'll need to be extremely careful not to forget or lose the password
since it is immensely difficult to reset. 
7. Disable remote access: You should keep it disabled by default and only turn it on for
brief periods when you need it.

- Keeping Your Network Secure

1. Do not use an open Wi-Fi on your router: Generally speaking, secured networks
require you to enter a password before you can connect to them. Protect your Wi-Fi
with an encrypted password for authorized users and consider refreshing your
equipment. Newer routers allow you to segregate wireless access.
 2. Avoid file sharing services: Not only does file sharing often violate intellectual
property laws, but file-sharing websites are continuously checked by hackers.
3. Keep personal information off social media: You may think you're just sharing with
friends but revealing too much about yourself and your life on social media can
make you vulnerable to hackers. Share personal information directly with people
who need to know rather than openly posting on social media.
4. Install a software firewall: If you connect your LAN directly to the Internet,
configure a firewall to screen both incoming and outgoing traffic.
5. Beware of worms: Most computer viruses are just a nuisance, but it takes only one
malevolent worm (bug) to bring your network to its knees. Install a reliable
antivirus software and keep it updated.
6. Access Control list: Network security is a daily job. Assign access to directories and
other network resources on a need-to-have basis, and remove a user’s account
immediately when they leave your company.

Phishing: Phishing is a kind of social engineering threat that occurs when a scammer uses some
form of fraudulent electronic communication such as emails, texts or copycat websites to get you
to share valuable personal information. Scammers also use phishing emails to get access to your
computer or network then they install programs like ransomware that can lock you out of
important files on your computer.

Social engineering is the psychological manipulation of people into performing actions or

divulging confidential information. Other common social engineering threats are:

i. Pharming: This attack misdirects a user’s website traffic to a fake site by installing a
code on the computer that modifies the destination URL to the attacker’s.
ii. Dumpster Diving: is a technique used to retrieve information mostly from trash or
disposed documents that could be used to carry out an attack on a computer network.
iii. Shoulder Surfing: is using direct observation techniques, such as looking over
someone's shoulder, to get information. Shoulder surfing is an effective way to get
information in crowded places such as ATM lobbies.

Remedies:

- Check the Source of Information from Incoming Mail – for example, Your bank will
never ask you to send your passwords or personal information by mail. 
- Pay Attention To URLs: Enter Your Sensitive Data in Secure Websites Only because
malicious websites may look identical to a legitimate site. Never Go to Your Bank’s
Website by Clicking on Links Included in Emails. In order for a site to be ‘safe’, it must
begin with ‘https://’ and your browser should show an icon of a closed lock.
 - Enhance the Security of Your Computer – you should always have the most recent update
on your anti-virus, operating system and web browsers.
- Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a
website. All too often, though, they are phishing attempts.
- Use Firewalls – High-quality firewalls act as buffers between you, your computer and
outside intruders. You should use two different kinds: a desktop firewall and a network
firewall.
- Check Your Online Accounts Regularly – If you don’t visit an online account for a while,
someone could be having a field day with it. Even if you don’t technically need to, check
in with each of your online accounts on a regular basis.
- Two-factor authentication - For accounts that support it, two-factor authentication
requires both your password and an additional piece of information to log in to your
account.
Denial of Service: this is denying legitimate users from accessing information systems, devices,
or other network resources due to the actions of a malicious cyber-criminal. Services affected
may include email, websites, online accounts (e.g., banking), or other services that rely on the
affected computer or network.
It is accomplished by flooding the targeted host or network with traffic until the target cannot
respond or simply crashes, preventing access for legitimate users.

Remedies:
- Secure Your Network Infrastructure: this can only be achieved with multi-level
protection strategies which include a combination of advanced intrusion prevention and
threat management systems (putting together firewalls, a VPN, an anti-spam, a content
filtering software and load balancing).
- Redundancy: Businesses should create redundant network resources especially from
different providers so that when one link in down the other picks without too much
downtime. An efficient disaster recovery site (DR) is also a requirement so that if one
server is attacked, the others can handle the load.
- Cloud services: they provide improved flexibility for environments that combine in-house
and third party resources. The cloud is a diffuse resource, which can absorb harmful or
malicious traffic before it ever reaches its intended destination and most providers
monitor the web consistently for the latest threats.
- Develop a Denial of Service Response Plan: come up with a response plan based on a
thorough security assessment. No network is perfect, but if a lack of performance seems
to be prolonged or more severe than usual it is probably an attack and action should be
taken immediately.
When DoS hits, there is no time to think about the best steps to take. There needs to be a
defined plan in advance to enable prompt reactions and avoid any impacts.
Programmed Threats: this is a software program that is written to hijack the security or to
change the behavior of a normal process. It is a piece of program code that presents a security
threat to a system. The harm caused can be in either the form of;
1. Denial or degradation of service,
2. Restricted access to information resources
3. Destruction, corruption and fabrication of data.
The threats can be either intentional or unintentional:
- Intentional or malicious – this are undesired effects caused by an agent’s intention to
cause damage or loss.
- Unintentional – this are undesired effects arising from mistaken design or implementation
errors. They are acts performed without malicious intent though they still represent a
serious threat to information security. This are mainly human errors.

Malware - if the source of the damaging instructions is an individual who clearly intended to
cause harm then it becomes a malicious code or malicious software. This is a code which can
either be generated to cause harm to a specifically targeted system or generally to any system.

There are two broad categories of malware:

1. Non-replicating threats: do not have an in-built ability to replicate themselves
2. Self-replicating threats: have an in-built capability to replicate themselves

1. Non - replicating threats

- Trap door or back door: a method of bypassing normal authentication, securing remote
access to a computer’s applications, operating system or even online services. The
attacker gains access to plaintext and so on, while attempting to remain undetected.
- Trojan horses: It is a type of malicious software developed to disguise as a legitimate
software to gain access into a target’s system. Trojans do not self-replicate by infecting
other files or computers rather, it is the decoy that usher in other malicious software.
Trojans survive by going unnoticed and pretends to be harmless in order to trick people
into downloading it.
 - Logic bomb: is a piece of code inserted into an operating system or software application
that implements a malicious function after a certain amount of time or after specific
conditions are met.
- Session hijacking: refers to the exploitation of a valid computer session also called a
“session key” to gain unauthorized access to information or services in a computer
system. The most common method of session hijacking is called IP spoofing (spoofing is
a technique used to gain unauthorized access to the computer with an IP address of a
trusted host) 
- Tunneling: It involves allowing private network communications to be sent across a
public network through a process called encapsulation. This means that hackers can
actually get in a network using tunneling as it allows the use of the WAN e.g. Internet,
which is a public network, to convey data on behalf of a private network.
2. Self - replicating Threats: The commonest representatives of self-reproducing threats
are:
a. Computer viruses
b. Computer worms.

a. Computer virus: It is a self-replicating and malicious program, which attaches itself to

an application, document or system file and then rapidly replicates itself, modifying and
destroying essential files.
Viruses can be classified along the following basis;l
i. Classification by the type of target: the target they want to infect.
ii. Classification by concealing method: method used to hide itself from detection.
i. Classification by type of target
Boot sector viruses: A boot sector also called a boot block is a sector of a hard disk, floppy disk,
or similar data storage device that contains code for booting programs. Booting is the process
that starts operating systems when the user turns on a computer system. Generally, a boot sector
virus executes its own code, which usually infects the section of the hard disk where startup files
exist, then continues to the PCs start up process.
File viruses: Are computer viruses that infect files with the intent to cause permanent damage or
make files unusable. They attach themselves to a file, usually an executable application and then
infects other files when the program to which it is attached is run.
Macro viruses: A macro virus is a computer virus written in the same macro language that is
used for software applications, such as word processing programs. Macro viruses written for
these programs can spread by infecting other related documents each time the document is open.
Multipartite viruses: Also called a multi-part virus, is a fast-moving malware that uses file
infectors or boot infectors to attack the boot sector and executable files simultaneously.
ii. Classification based on concealing method
Stealth viruses: is a computer virus that has the ability to conceal their presence from typical
anti-virus programs. A hidden computer virus, which attacks operating system processes and
uses various tricks to hide the changes it has made to any files or boot records.
Polymorphic viruses: It is a self-encrypted virus designed to duplicate itself by creating usable,
albeit slightly modified copies of itself to avoid detection yet retain the same basic routines after
every infection. They encrypt their code and the code changes itself each time it runs, but the
function of the code will not change at all.
Companion viruses: a type of computer virus that compromises a feature of the operating system
that enables software with the same name, but different extensions, to operate with different
priorities. For example, a computer could have program.exe and the virus creates a file called
program.com. When the computer executes program.exe the virus runs program.com before
program.exe is executed. In many cases, the real program will run as usual.

Encrypted virus: encryption is the process of converting information into a complicated code. A
portion of the virus creates a random encryption key and encrypts the remainder of the virus. The
key is stored with the virus. When an infected program gets initiated, the virus uses the stored
random key to decrypt the virus.

Characteristics of a Virus
The term "virus" when applied to computers has some of the following implications:
- It is a program - It's written by some individual or individuals, presumably with the
intent of spreading and causing damage.
- It replicates itself - just like you can copy a file from one disk to another and have copies
on both disks, a computer virus is in part defined by its ability to make copies of itself.
Typically the copies aren't on the infected computer, but rather on other computers.
 - It is infectious – it infects various systems; exactly how depends on the virus. Also
significant is the fact that a computer virus can spread on its own.
- It is secretive – operates with stealth and in a hidden manner. It can attach itself on files
and move with stealth as it causes damage.

Recognizing a virus infected system

Virus infected computers may exhibit the following symptoms:

- Disruption of computer operations

- Overwriting and deletion of data or applications

- Dangerous operations like forced hard disk formatting
- Unexpected rebooting
- Sudden decline in speed
- Difficulty in saving files

b. Computer worms
A standalone malware that replicates itself in order to spread to other computers especially via
the computer network. The objective of this type of malware is usually to saturate computers and
networks, making them difficult to use. Unlike viruses, worms do not infect files. The biggest
danger with a worm is its capability to replicate itself to send copies of itself to other nodes on a
system without any user intervention. Hence a computer could send out hundreds or thousands of
copies by itself, creating a huge devastating effect.
Whereas viruses almost always corrupt or modify files on a targeted computer, worms always
cause harm to the network by consuming bandwidth.
One example would be for a worm to send a copy of itself to all e-mail addresses on the mailing
list. The worm further replicates and sends itself out to everyone listed in each of the receiver's
address book, and the manifest continues. Due to the copying nature of a worm and its capability
to travel across networks the end result in most cases is that the worm consumes too much of the
network bandwidth, causing Web servers, network servers and individual computers to stop
responding. In certain attacks the worm may be designed to tunnel into the system and allow
malicious users to control a computer remotely.
Symptoms of a computer worm infection
- Slow computer performance: freezing of the computer operations and operating system
errors.
- Depleted disk space: check your hard drive space. When worms repeatedly replicate
themselves, they start to use up the free disk space on your hard drive.
- Missing or new file additions: Be on the lookout for missing or new files. One of the
duties of a computer worm is to delete and replace files on a computer.
- Slow network: By overloading a shared network, they affect the bandwidth.
Worms typically cause harm to their host networks by consuming bandwidth and
overloading web servers.
- Unusual computer behavior: the sudden appearance of unfamiliar files or icons or the
unexpected disappearance of files or icons indicates that there is a very high likelihood of
a worm infection. Such as programs that execute themselves without user interaction or
unusual sounds, images and messages;

Preventive measures
- Software updates: Keeping up to date with operating systems and all other software
patches will help reduce the risk due to newly discovered vulnerabilities.
- System security: efficient use of firewalls and up-to-date vendor-issued security releases.
They have updates and security patches designed to protect computers from new malware
- Antivirus: Using antivirus signatures that are up-to-date, will help prevent malicious
software from running.
- Check unknown attachments: Being careful not to click on attachments or links in emails
that seem suspicious or the source is not clear.
- File encryption: encrypt files to protect sensitive data stored on computers, servers and
mobile devices
Physical Security
Sensitive items can be vulnerable to a thief or accidental exposure if not kept physically secured.
An organization can implement the best authentication scheme in the world, install firewalls and
intrusion prevention, but its security cannot be complete without implementation of physical
security.
Some physical security breaches:
a) Theft and destruction: Involves physical attacks executed to acquire sensitive information and
information equipment.
b) Dumpster diving or trashing: this is scavenging through materials that have been thrown
away. Around the offices and in the trash attackers can find used disks and tapes, discarded
printouts and handwritten notes of all kind, which might contain important information.
c) Wiretapping: Entails network intrusion wiring and connections that are not sufficiently
protected. Criminals may use wiretapping methods to snoop on communications. Unfortunately,
it’s quite easy to tap many types of network cabling. For example, a simple induction loop coiled
around a terminal wire can pick up most voice and standard communications.
d) Degradation of service: Involves shut down of a service or slowing it down significantly.
Service disruption may arise from physical orchestrations such as arson or explosions, shutting
off power, air conditioning or performing assorted electromagnetic disturbances.
Natural disasters, like lightning and earthquakes, can also disrupt service in addition to
performing electromagnetic disturbances.

Physical security is the physical protection of tangible assets and resources. It’s also protection
of the actual hardware that stores and transmits information. An organization must identify all
the vulnerable resources and take measures to ensure that they cannot be physically tampered
with or stolen. Some of these measures include:

- Physical controls: such as locked doors. This refers to capabilities that limit access to
restricted areas. High-value information assets should be secured in a location with
limited access.
 - Surveillance: for example physical intrusion detection: High-value information assets
should be monitored using security cameras and other means to detect unauthorized
access to the physical locations where they exist.
- Access control: sensitive areas should be out of bounds for unauthorized employees. Use
of devices such as a biometric controls can help control traffic in and out of restricted
areas.
- Environmental monitoring: An organization’s servers and other high-value equipment
should always be kept in a room that is monitored for temperature, humidity and airflow.
The risk of a server failure rises when these factors go out of a specified range.
- Environmental design: this method uses natural or environmental surroundings to reduce
the opportunities for crime. For example Natural surveillance; where lighting is designed
to illuminate points of interest.
- Redundancy/Disaster recovery: an efficient system and data backup is of key importance.
Procedures should be tested and policies reviewed on a regular basis to ensure safety and
to reduce the time it takes to recover from disruptive man-made or natural disasters.
- Employee training: Employees should be trained on the importance of security and how
to secure their equipment and data wherever they go.

Physical security controls provide an additional layer of defense that securely safeguards

physical equipment hence, a well-implemented control should be able to:

i. Deter – a good control should have the ability to convince potential intruders and
attackers that the likelihood of success is extremely low.
ii. Detect – it should discover and interrupt potential intruders and attackers before
an incident or event occurs.
iii. Deny – it should have adequate restrictive controls that can be used to deny
physical access to the organization’s assets.
iv. Delay - Where the implementation of physical security controls is unable to deter,
detect or deny potential intruders it should at least ensure that their ability to gain
access to company resources is really slowed down.
Controls
Managers in any institution that uses computers are responsible for the control of quality and
performance of the information system in the business. Like any other vital business assets,
information systems; hardware, software, networks and data need to be protected by built-in
controls to ensure their quality and security.
Information system controls are methods and devices that attempt to ensure the accuracy,
validity and propriety of information system activities. Controls must be developed to ensure
proper data entry, processing techniques, storage methods and information output. Thus,
information systems controls are designed to monitor and maintain the quality and security of
input, processing, output and storage activities of any information system.
Information system controls can fall into two distinct categories:
- General controls: govern the design, security and use of computer programs and the
security of data files in general throughout the organization’s information technology
infrastructure. They consist of a combination of hardware, software and manual
procedures that create an overall control environment.
- Application controls: are specific controls unique to each computerized application, such
as payroll. They consist of controls applied from the business functional area of a
particular system and from programmed procedures.

General controls
1. Software controls – they monitor the use of system software and prevent any
unauthorized access to this software and applications.
2. Hardware controls – ensure that computer hardware is physically secure and check for
any equipment malfunction.
3. Operations controls – ensure that programmed procedures are consistently and correctly
applied.
4. Data security controls – ensure that valuable business data are not subject to unauthorized
access, change or destruction.
5. Implementation controls – audit the systems development process to ensure that the
process is properly controlled and managed.
 6. Administrative controls – formalize standards, rules and procedures to ensure the
organizations general and application controls are properly executed and enforced.

Application controls
Application controls include both automated and manual procedures that ensure only authorized
data are completely and accurately processed by that application. Application controls can be
classified into three categories:

1. Input controls: They are designed to provide reasonable assurance that transactions are
properly authorized, accurately converted to machine-readable form and recorded in the
computer
2. Processing controls: Process control is the ability to monitor and adjust a process to give
a desired output. It is used in organizations to maintain quality and improve performance.
3. Output controls: Output controls ensure that the results of computer processing are
accurate, complete and properly distributed.
Input controls
They are designed to provide reasonable assurance that transactions are properly authorized,
accurately converted to machine-readable form and recorded in the computer. They also ensure
that data files and transactions are not lost, added, duplicated or improperly changed. Summarily,
input controls seek to confirm and maintain data accuracy, completeness and recording.
- Accuracy controls check data for accuracy when they enter the system. There are specific
input controls for input authorization, data conversion, data editing and error handling.
They include:
Format checks are validation checks, which ensure that entered data is in a particular
format or pattern.
Limit checks confirm that allowable data ranges are not violated or exceeded.
Reasonableness checks ensure that excessive variances are highlighted. Checks if values
conform to the set creteria
- Completeness controls ensure that no input data are left out, no additional data are
included and no data are duplicated. These checks include:
i. Batch totals - the sum of specific data items in a collection of items.
 ii. Hash totals – the numerical sum of one or more fields in the file including those
that are not normally added e.g. employee numbers
iii. Sequence checks- These facilitate completeness of processing by ensuring that
documents are processed in correct order of sequence.
iv. Record totals checks – used for reconciliation. It verifies each transaction
individually, making sure the amounts match perfectly.

Processing controls
Once business data is entered correctly into the computer system, it must be processed properly.
Processing controls establish that data are complete and accurate during updating. They are also
used to ensure that data are not lost or do not go unprocessed. Processing controls can include
hardware controls and software controls. Processing controls include:
i. Run control totals – this is the integrity of cumulative totals contained in the
accounting records is maintained from one data processing run to the next.
ii. Computer matching - involves the computerized comparison of automated
systems of records for the purpose of establishing or verifying eligibility
iii. Programmed edit checks - are programmed routines designed to check input data
and processing results for completeness, accuracy and reasonableness.

Output Controls
Output controls ensure that the results of computer processing are accurate, complete and
properly distributed. This include:

- Storage Controls - ensure the accurate and continuing reliable storage of data as a vital
organizational resource. Storage controls ensure:
i. Physical protection against erasure – by the use of a file protection ring, which
can indicate whether any reading or writing can take place on a magnetic tape.
ii. Content identification - External labels or magnetic labels that consist of machine-
readable information encoded on the storage medium are attached to tape reels or
desk packs to identify the content.
iii. File back-up routines – on magnetic tapes are held for important files i.e.
generations of computer files are maintained.
 iv. Data back-up routines. The contents of a database held in a direct-access storage
device are periodically dumped into a backup file.
v. Data encryption - cryptographic storage scrambles the data before it is stored thus
it cannot be discerned by anybody.
vi. Authorization – secure use of sensitive documents.
- Facility controls - are methods that protect an organization’s computing and network
facilities and their contents from loss or destruction. Computer networks and computer
centers are subject to such hazards as accidents, natural disasters, sabotage, vandalism,
unauthorized use, industrial espionage, destruction and theft of resources. Therefore,
various safeguards and control procedures are necessary to protect the hardware, some
software controls ensure that the right data are being processed. For example, the
operating system or other software checks the internal file labels at the beginning and end
of magnetic disk and tape files. These labels contain information identifying the file as
well as provide control totals for the data in the file. These internal file labels allow the
computer to ensure that the proper storage file is being used and that the proper data in
the file have been processed.
Another major software control is establishment of checkpoints during the processing of
a program. Checkpoints are intermediate points within a program being processed where
intermediate totals or listings of data are written on magnetic tapes or disks or listed on a
printer. Checkpoints minimize the effect of processing errors of failures, since processing
can be restarted from the last checkpoint (called a rollback), rather than from the
beginning of the program.
They also help build an audit trail, which allows transactions being processed to be traced
through all of the steps of their processing.
- Physical protection controls: Providing maximum security and protection for an
organization’s computer and network resources requires many types of controls. For
example computer centers and end user work areas are protected through such techniques
as identification badges, electronic door locks, burglar alarms, security police, closed-
circuit V and other detection systems. Computer centers may be protected from disaster
by such safeguards as fire detection and extinguishing systems; fireproof storage vaults
 for the protection of files, emergency power systems; electromagnetic shielding,
temperature, humidity and dust controls.
Biometric controls are security measures provided by computer devices that measure
physical traits that make each individual unique. This includes voice verification,
fingerprints, hand geometry, retina scanning, face recognition and genetic pattern
analysis. Biometric control devices use special-purpose sensors to measure and digitize a
biometric profile of an individual’s fingerprints, voice, or other physical trait. The
digitized signal is processed and compared to a previously processed profile of the
individual stored on a database. If the profiles match, the individual is given access to
information system resources.

Protecting computer systems and networks is a major challenge now that so many
companies are internet worked via intranets, extranets, and the internet.
- Computer failure controls: Sorry the computer is down is a well-known phrase to many
end users. A variety of controls can prevent such computer failure or minimize its effects.
Computer systems fail for several reason-power failures, electronic circuitry malfunctions
and telecommunications network problems. The information services department
typically takes steps to prevent equipment failure and to minimize its detrimental effects.
For example, an establishment of some form of redundancy with a fail-over capability
and a disaster recovery plus highly trained data center personnel can help keep a
company’s computer systems and networks working properly in the event of a major
system failure.
- Data transmission controls – involve telecommunications linkages between the number
of computer peripherals and the central computing resource. These linkages are often
vulnerable to unauthorized access leading to data loss, alteration and eavesdropping. Data
transmission controls includes:
Parity check – is the process that ensures accurate data transmission between nodes
during communication. A parity bit is appended to the original data bits to create an even
or odd number(1 or 0). The source then transmits this data via a link and bits are checked
and verified at the destination. Data is considered accurate if the number of bits (even or
odd) matches the number transmitted from the source.
 Echo checks – A form of error detection. The receiving computer sends a copy of the data
immediately back to the sending computer for comparison.
Controls totals – works by comparing the data sets already received with a total placed at
the end of the transmission to indicate the number of blocks of records sent. If the two
numbers do not agree, then the receiver asks for retransmission.
- Procedural controls - Procedural controls are methods that specify how an
organization’s computer and network resources should be operated for maximum
security. They help to ensure the accuracy and integrity of computer and network
operations and systems development activities.