With the passage of time, threats change and create immense problems for the business. Further, the information system is the major weapon of the organization and helps in controlling the infrastructure of the entity. This report defines the business case together with the risks present in the business environment, followed by the audit plan. In light of the event, it should be noted that cybersecurity is not only the concern of the IT department; it must also be addressed through audit plans and objectives (Barney & Ray, 2015). The application of a strong audit system will help in the prevention and mitigation of future attacks and build a strong organization.
2. Background to the Case
The case relates to the cyber attack on Atlanta, where the computers of the municipal government and other services were affected by a ransomware attack. It clearly indicates that local government is prone to cyber threats. Local governments of every size and location operate on a wide scale. Their systems are complex owing to the presence of a wide variety of features. The introduction of technology such as laptops, internet-connected systems, mapping and information systems is an indication that the system is complex and needs to be managed effectively. Local governments in the United States do not have strong control over policies and regulations, so they are unable to safeguard their systems from attacks. This is of immense concern because a cyber attack can erode the entire system (Mcgalliard, 2018). Forty percent of local governments report that cyber attacks are a common occurrence, happening on an hourly basis. Further, the biggest drawback in this scenario is that a high percentage of governments do not know the intensity and occurrence of the attacks.
3. IS Risks
The case study shows the prevailing danger of cyber attacks made on public systems through ransomware and through cyber threats that use social engineering. Cyber threats are the most underrated risks in today's business world. Cyber risk takes many forms, including risk to the finances, the IT systems and the status of the firm, any of which may cause huge losses because of the vast spread of digitalization and the growing interconnectivity between technological devices (Carroll, 2014). The firm's cybersecurity risks should not be borne only by the IT department; the other employees who work for the firm should also be concerned about such threats and risks. An organization should perform regular checks on the cybersecurity risks it faces. It should therefore always stay up to date on risks and threats and make technological advancements in its IT function to protect the system from any type of hazardous activity. Employees should be aware of the cyber risks facing the firm. They need to identify any kind of technological risk present in the firm's IT system (Van & Venzke, 2015). They should also be able to find and report the threats and vulnerabilities that third parties or outsiders could use to exploit the firm's IT system, leading to a huge cyber loss (Francen, 2014). It is also the duty of the firm to remain as safe as possible by introducing new cyber solutions that help it remove present vulnerabilities, giving it a chance to move towards success and a longer lifespan (Zissis & Lekkas, 2012).
The internet connects all servers to each other, making it a powerful tool for firms to discuss all the types of problems they face. This also increases security risk, exposing them to threats:
- Every day, new software and methods are launched that black hat hackers use to exploit the firm's database. These tools are easily available on the darknet and are continually improved. They increase the number of criminals by providing the basic equipment used to manipulate the data of specific servers (Hanson et al., 2011).
- There has been a considerable increase in spam operations such as virus injection, hacking, data tampering, phishing, and bugging. These have increased over time, making the cyber threat a gradually more offensive state which may destroy present technological advancements (Hanson et al., 2011).
- Improvements in user authentication and authorization have led hackers to use social engineering methods, which manipulate the user's mind and cause them to lose their security (Travica, 2015).
- With the increase in computer literacy in today's world, the next generation will be more hazardous, as they will create much more dangerous and harmful threats, leading to an entirely new range of cybersecurity failures. Instant messaging has been observed to be used over email because of faster communication, which makes cyber threats more progressive and leads to the introduction of many such harmful technologies in the world (Wagner & Hollenbeck, 2014).
- Wireless technologies are easier to hack, which increases the cyber threat. The falling prices of computer systems have also led to an increase in consumer access, providing consumers with more information about new technological advancements and thus increasing cyber bullying (Miller & Pellen, 2014).
4. Audit Plan, Objectives and Procedures
The main objective of the audit process is to assess security. Another objective is to determine the type of information that needs to be audited. The auditor may also evaluate whether the necessary controls and functions of the firm are being carried out in the specified manner.
Internal audit is helpful in assessing the firm's ongoing fight against cyber attacks. It can succeed by identifying the relevant risks and helping the firm find ways of dealing with the flaws present in its systems (David, 2009). It also helps the board of directors understand the ways in which the firm may be affected by the various risk factors of the digital era.
The formulation of security enhancements may help the firm develop its capability to handle cyber threats in an uncomplicated way. By performing an internal audit, the various factors affecting the firm's cybersecurity may be found. This information can be used by the firm's IT function to improve its technology and prevent the risks of cyber attacks (Christensen et al., 2016). Some also obtain valuable additional information through a maturity analysis approach, which gives the firm quick visual references that clearly show the areas it needs to improve. The information may also be used to create paths that help the firm fill its cybersecurity gaps and improve its functioning. The five stages of maturity (Initial, Managed, Defined, Predictable and Optimized) help the firm know its progress and find the security advancements it needs to make in its system (O'Brien & Marakas, 2009). This will help to complete the firm's target, letting the board of directors meet the maturity level it needed to achieve.
5. Audit Questions and Documents
Maintaining and enhancing security capabilities
Background checks – The ground procedure. The user of the system will be asked to complete the ground check by providing the relevant credentials. A list will be prepared of the employees who have access to the system.
Head approval – Does access to data need head approval?
Personal devices and mobiles will be barred from storing sensitive data. To test the validity of the process, the employees need to sign the paper and then carry personal devices. External devices will be banned from being inserted into the computer.
Performing risk assessment – the risks and difficulties faced by the business will be recorded and the extent of the problem needs to be ascertained.
Does the organization have the appropriate tools to combat a cyber attack? What is the frequency of attacks faced by the business?
The attacks faced by the business need to be recorded and ascertained. This will provide proper knowledge of the attacks encountered and make it possible to strengthen the system (Heeler, 2009).
6. Control Recommendations
The control environment should rest on the values of the undertaking, adhering to practice as well as guidelines. The key processes need to be documented so that proper control is developed in a systematic manner (Gay & Simnet, 2015).
It is recommended to have a risk assessment policy to identify and evaluate the risks that can impact the attainment of specified targets, so that those risks can be eliminated (Gay & Simnet, 2015).
It will comprise automatic and manual reconciliation that will merge into the process with the main aim of ensuring the accuracy of financial reporting. The key method will also consist of authorization and control mechanisms (Heeler, 2009).
There has been a considerable increase in cyber risks because of the increased frequency of the types of information provided over the internet. This information can be used to gain substandard knowledge, leading to an increase in such threats. Most firms have already taken the necessary actions to protect themselves from cyber risks by combating the dangers, leading to the companies' appraisal in cyber security functions.
Barney, J. and Ray, G. (2015) How information technology resources can provide a competitive advantage in customer service. Planning for Information Systems [online]. 3(2), pp. 444-460. Available from https://pdfs.semanticscholar.org/fe0d/ca770f19b8bbbfd7c84ea891c88ec5e8630c.pdf
Basta, A., Basta, N. and Brown, M. (2013) Computer security and penetration testing (2nd ed.). Cengage Learning.
Carroll, J.M. (2014) Computer security (3rd ed.), Butterworth-Heinemann.
Christensen, C.M., Bartman, T. and Van Bever, D. (2016) The hard truth about business model innovation [online]. Available from https://sloanreview.mit.edu/article/the-hard-truth-about-business-model-innovation/ [Accessed 6 March 2018].
David, F.R. (2009) Strategic Management: Concept & Cases. NJ: Pearson Prentice Hall.
Francen, E. (2014) The 5 W’s of Information Security [online]. Available from https://www.frsecure.com/the-5-ws-of-information-security/ [Accessed 6 March 2018].
Gay, G. and Simnet, R. (2015) Auditing and Assurance Services. McGraw Hill.
Hanson, D., Hitt, M., Ireland, R.D. and Hoskisson, R.E. (2011) Strategic Management: Competitiveness and globalization. South Melbourne: Cengage Learning Australia.
Heeler, D. (2009) Audit Principles, Risk Assessment & Effective Reporting. Pearson Press.
Layton, T.P. (2007) Information Security: Design, Implementation, Measurement, and Compliance. Auerbach Publication.
Mcgalliard, T. (2018) How local government can prevent cyberattacks [online]. Available from https://www.nytimes.com/2018/03/30/opinion/local-government-cyberattack.html?rref=collection%2Ftimestopic%2FComputer%20Security%20(Cybersecurity)
Miller, W. and Pellen, R.M. (2014) Libraries and Google. Routledge
O'Brien, J. and Marakas, G. (2009) Management Information Systems. McGraw-Hill.
Travica, B. (2015) Modelling organizational intelligence: Nothing googles like Google. Online Journal of Applied Knowledge [online]. 12(2), pp. 444-460. Available from https://www.iiakm.org/ojakm/articles/2015/volume3_2/OJAKM_Volume3_2pp1-18.pdf
Van, A.S. and Venzke, C. (2015) Predatory Innovation in Software Markets. Harvard Journal of Law & Technology [online]. 29(1), pp. 46-55. Available from https://www.questia.com/library/journal/1G1-442782249/predatory-innovation-in-software-markets
Wagner III, J.A. and Hollenbeck, J.R. (2014) Organizational behaviour: Securing competitive advantage. Routledge.
Zissis, D. and Lekkas, D. (2012) Addressing cloud computing security issues. Future Generation Computer Systems [online]. 28(3), pp. 583-592.