IT Controls Implementation
Different Levels Of Management or Control
IT controls, or information system controls, are implemented in a structured manner in an organization. Almost all mid-sized and large business enterprises have 3 levels of management, and information systems are designed and implemented to cater to the needs specific to each level. The different levels, from the bottom up, are:
- Operational level aka lower level management
- Tactical level aka mid level management
- Strategic level aka top management
Information controls must be implemented at each of these levels across the whole organization. This means that if a business has 2 units in different states or cities, IT controls must be implemented at both units, not just at a select few.
IT Control Layers and Implementation
User accounts and access rights: This is nothing but assigning a user account to an employee. Just as you log into an email account with a username and password, access to IT information in an enterprise is regulated by access-rights controls. Every employee who has access to IT resources at the operational layer must be issued a user account and access rights. At the operational level are the employees who handle accounts posting, data entry, low-level administration and other basic work; data is fed into the company's IT systems at this level. The roles and responsibilities of each such employee must be clearly defined, and a unique user ID with matching access rights must be granted. Temporary users, or those who only require occasional access to the company's IT systems, may be issued a one-time or guest user ID. This ensures that every time they need access, approval is required from the appropriate authority, so their entry is logged for reference. The IT system must also be able to identify and display the unique user ID and name of the employee, or any other person granted access, whenever they enter, modify, alter or access any IT information in the company.
Password Controls: Most of us know this point as well. Do you guys remember when you first opened your Google or Pinterest account? If so, when you were creating a password, there would have been a prompt specifying the requirements for an ideal password. Passwords are vital to ensure access restriction and control. The enterprise must have clear rules regarding minimum password requirements. Even though the user to whom access is granted is free to choose the password, the password itself may be subject to a few basic requirements, such as containing at least one upper-case letter, meeting a minimum length, and including special characters (!, @, #, $, %, &, etc.) or numbers. This results in strong passwords and safeguards the IT systems and information from being compromised.
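As an added illustration (not code from the article), the check below tests a candidate password against the requirements just listed and reports every unmet one, so an enrolment screen can tell the user exactly what to fix. The minimum length of 12 is an assumed policy value; the special-character set is the one named in the text.

```python
# Added example, not from the article. MIN_LENGTH is an assumed policy value;
# SPECIALS is the set of special characters the text lists.
SPECIALS = set("!@#$%&")
MIN_LENGTH = 12

def unmet_password_requirements(password, min_length=MIN_LENGTH):
    """Return the list of policy requirements the password fails (empty = OK)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"at least {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("at least one upper-case letter")
    if not any(c.isdigit() or c in SPECIALS for c in password):
        problems.append("at least one digit or special character")
    return problems

def is_acceptable(password):
    # Convenience wrapper for the enrolment form: True only when nothing is unmet.
    return not unmet_password_requirements(password)
```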
Compartmentalization: Segregation of duties is a very important control. It prevents a single employee from having complete control of, or access to, any resource. So if you were running a store, you would ensure that the person handling the payments is not the same person making the accounting entries. This is essentially to prevent fraud. Suppose the cashier is also given the job of bookkeeping; if the person is unscrupulous, he may misappropriate cash and deliberately omit that sale from the sales figures, so the proprietor would be completely unaware that a sale took place. Therefore, it is essential to compartmentalize duties so that a transaction requires approval from multiple employees before it is concluded.
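The store scenario above, combined with the user-ID and logging requirements from the "User accounts and access rights" paragraph, as an added example (not code from the article): a small ledger where every action is logged against a unique user ID and name, a guest ID needs an approval for each session, and the person who recorded a cash sale is blocked from posting its accounting entry. All user IDs, names and amounts are constructed sample data.

```python
# Added example (not from the article); all users, IDs and amounts are constructed.
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str          # unique ID issued to this person
    name: str
    roles: frozenset      # e.g. {"cashier"} or {"bookkeeper"}
    guest: bool = False   # one-time/guest IDs need approval each session

@dataclass
class Ledger:
    sales: dict = field(default_factory=dict)   # sale_id -> record
    audit_log: list = field(default_factory=list)
    def _check_access(self, user, role, approved_by):
        if role not in user.roles:              # access right comes from the role
            raise PermissionError(f"{user.user_id} lacks role {role!r}")
        if user.guest and approved_by is None:  # guests need per-session approval
            raise PermissionError(f"guest {user.user_id} has no approval")
    def record_sale(self, user, sale_id, amount, approved_by=None):
        self._check_access(user, "cashier", approved_by)
        self.sales[sale_id] = {"amount": amount, "cashier": user.user_id,
                               "posted_by": None}
        # Every entry is logged with the unique ID and name of who made it.
        self.audit_log.append((user.user_id, user.name, "record_sale", sale_id))
    def post_entry(self, user, sale_id, approved_by=None):
        self._check_access(user, "bookkeeper", approved_by)
        sale = self.sales[sale_id]
        if sale["cashier"] == user.user_id:     # segregation of duties
            raise PermissionError("cashier cannot post their own sale")
        sale["posted_by"] = user.user_id
        self.audit_log.append((user.user_id, user.name, "post_entry", sale_id))
    def unposted_sales(self):
        # Recorded but never independently posted: flag these for review.
        return [s for s, r in self.sales.items() if r["posted_by"] is None]

def demo():
    ledger = Ledger()
    alice = User("u1001", "Alice", frozenset({"cashier"}))
    bob = User("u1002", "Bob", frozenset({"bookkeeper"}))
    carol = User("u1003", "Carol", frozenset({"cashier", "bookkeeper"}))  # both roles
    ledger.record_sale(alice, "S1", 120.0)
    ledger.post_entry(bob, "S1")
    ledger.record_sale(carol, "S2", 80.0)
    try:
        ledger.post_entry(carol, "S2")   # blocked: she took the cash herself
        blocked = False
    except PermissionError:
        blocked = True
    return ledger, blocked
```

Note that Carol holding both roles is not itself blocked; the control bites on the transaction, and `unposted_sales()` is what a reviewer would run to spot sales that never got an independent posting.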
The tactical layer is concerned with the preparation of strategic plans so that an organization can achieve its objectives. It is important for controls to be placed at this level, as the information is highly confidential in nature. Such information in the hands of a competitor would spell doom for the business.
It is important to study application controls at this stage. Data is processed by applications, and therefore unauthorized access to such application systems must be controlled. Can you imagine what would happen if people came to know about a company's expansion plans or a new product launch? People would take unfair advantage of such information and make unfair gains. The company could lose its market share and would also face lawsuits from different parties for the disclosure of confidential client information.
So it becomes necessary to ensure the following controls:
- Risk assessment should be conducted
- Antivirus software must be updated
- Workshops and events must be organized to educate the employees about application security
- Comply with the necessary requirements of the enterprise security policy.
The Strategic or Top Management
These guys are the big shots. They are responsible for formulating enterprise goals and strategies and also for ensuring their implementation and monitoring. It is necessary for the top management to make sure that the enterprise has a detailed and viable security policy, and that it is updated and revised regularly. They must also take steps to communicate the policies to employees and other stakeholders.
Value of Information
The tide of information technology has swept us away in every sphere of life, and business is no exception. Business decisions which in the previous decade used to take days or even months to evaluate and implement today take place in a jiffy, all thanks to high-speed processing and the abundant availability and accessibility of information. All sorts of information have some value or other. Public information probably has the least value, since it is readily available, but business information has very high value.
Just imagine a big company like Coca Cola. The formula of Coke has remained a secret for 126 years. No doubt the information the company holds about the contents of Coke is its single most potent revenue-generating asset. What if somebody in Coca Cola suddenly decided to leak this vital information to a rival? This 126-year-old monopoly drink would suddenly have thousands of generic versions manufactured by others, and its market share would crash. It would be the end of the brand and the company.
In order to prevent precisely this sort of loss of business information, IT controls, or information technology controls, are vital for every business organization. The enterprise may be big or small, but business is still run on information. There is a lot of vital information in a business, such as:
- Technical know-how
- Designs and blueprints
- Research Information
- R&D findings
- Customer details and preferences
- Market penetration and marketing techniques
- Pay packages of employees
- Future plans and objectives
- Ongoing talks for business deals
- Confidential client information
Businesses often take measures to prevent such information from falling into the hands of their competitors or from becoming public. Such embarrassing leaks can be prevented, and detected when they do occur, by implementing effective IT controls.