Tutorial Letter 505/0/2021: Information Strategy


MAC4866/505/0/2021

Tutorial Letter 505/0/2021

Information Strategy
MAC4866

Year module

Department of Management Accounting

IMPORTANT INFORMATION
Please register on myUnisa, activate your myLife email address
and make sure that you have regular access to the
myUnisa module website for MAC4866-21-Y1.

Note: This is a fully online module and therefore it is only available on myUnisa.

CONTENTS

Page

INTRODUCTION ...................................................................................................................................... 6
1. LEARNING UNIT 1: OPERATIONAL RISKS OF INFORMATION SYSTEMS .............................. 6
1.1 INFORMATION SYSTEMS SECURITY ........................................................................................ 6
1.1.1 IS security ..................................................................................................................................... 6
1.1.2 Operational risks: the information security management system (ISMS) ....................................... 7
1.1.3 Individuals posing a threat to the IS .............................................................................................. 7
1.1.4 IS/IT security ................................................................................................................................. 8
Summary .................................................................................................................................................. 8
1.2 PHYSICAL RISKS OF INFORMATION SYSTEMS ....................................................................... 9
1.2.1 Risk of physical damage ............................................................................................................... 9
Summary ................................................................................................................................................ 10
1.3 RISKS OF FRAUD AND OTHER DELIBERATE ACTIONS ........................................................ 10
1.3.1 Computer fraud schemes ............................................................................................................ 10
1.3.2 Internet risks ............................................................................................................................... 11
1.4 GENERAL AND APPLICATION CONTROLS ............................................................................. 11
1.4.1 Control problems ........................................................................................................................ 11
1.4.2 General controls ......................................................................................................................... 12
1.4.3 Personnel controls ...................................................................................................................... 12
1.4.4 Application controls ..................................................................................................................... 12
1.4.5 Access controls........................................................................................................................... 13
Summary ................................................................................................................................................ 13
1.6 THEFT AND FRAUD PREVENTION........................................................................................... 14
1.6.1 Computer theft ............................................................................................................................ 14
1.6.2 Software piracy and controls ....................................................................................................... 14
1.6.3 Computer fraud ........................................................................................................................... 14
Summary ................................................................................................................................................ 14
1.7 INTERNET AND E-MAIL CONTROLS ........................................................................................ 14
1.7.1 Virus protection ........................................................................................................................... 15
1.7.2 Encryption and other safety measures ........................................................................................ 15
1.7.3 E-mail ......................................................................................................................................... 15
Summary ................................................................................................................................................ 15
1.8 CONTROLLING DISTRIBUTED SYSTEMS AND COMMUNICATION NETWORKS .................. 16

1.8.1 Security issues raised by distributed systems ............................................................................. 16


1.8.2 Online access control procedures ............................................................................................... 16
1.8.3 Distributed processing and communication procedures .............................................................. 17
1.8.4 Integrated software systems ....................................................................................................... 18
1.8.5 Database control procedures ...................................................................................................... 18
1.8.6 Controls for small computers and service bureaus ...................................................................... 18
Summary ................................................................................................................................................ 19
References ............................................................................................................................................. 19
RISK MANAGEMENT (P3) .................................................................................................................... 20
PART D CYBER RISKS ........................................................................................................................ 20
1. LEARNING UNIT 1: CYBER SECURITY THREATS ................................................................... 20
1.1 Overview of cyber security threats .............................................................................................. 20
1.1.1 Types of sensitive information ..................................................................................................... 21
1.2 Understanding how technology interacts with the organisation ................................................... 21
1.3 Cyber security and the external environment .............................................................................. 21
1.4 Cyber security objectives ............................................................................................................ 21
1.5 Types of cyber security risks ....................................................................................................... 22
1.5.1 Malware ...................................................................................................................................... 22
1.5.2 Application attacks ...................................................................................................................... 22
1.5.3 Hackers ...................................................................................................................................... 22
1.5.4 Social Engineering ...................................................................................................................... 23
1.6 Cryptocurrency ........................................................................................................................... 23
1.7 Social media ............................................................................................................................... 23
1.7.1 What is social media ................................................................................................................... 24
1.7.2 Risks of social media to organisations ........................................................................................ 24
1.7.3 Risks of social media to individuals ............................................................................................. 24
1.8 Risk of security vulnerabilities ..................................................................................................... 25
1.8.1 Organisational changes .............................................................................................................. 25
1.8.2 Changeover methods.................................................................................................................. 25
1.8.3 Vulnerabilities ............................................................................................................................. 25
1.8.4 Impact of security vulnerabilities ................................................................................................. 26
Summary ................................................................................................................................................ 26
Relevant articles ..................................................................................................................................... 26
References ............................................................................................................................................. 26
2. LEARNING UNIT 2: CYBER SECURITY PROCESSES ............................................................. 27
2.1 Cyber security organisational characteristics .............................................................................. 27

2.1.1 Cyber security risk governance ................................................................................................... 27
2.1.2 Cyber security risk information and communication .................................................................... 28
2.2 Protection ................................................................................................................................... 28
2.2.1 Areas to be protected.................................................................................................................. 28
2.2.2 Methods of protection ................................................................................................................. 29
2.2.3 Forms of protection ..................................................................................................................... 29
2.4 Certification ................................................................................................................................. 29
2.5 Man in the middle (MitM)............................................................................................................. 29
2.6 Detection .................................................................................................................................... 30
2.7 Response ................................................................................................................................... 30
2.8 Defending against the cyber security risks .................................................................................. 30
2.8.1 Protecting devices....................................................................................................................... 30
2.8.2 Protecting networks and systems................................................................................................ 31
2.8.3 Business continuity plan (BCP) and Disaster recovery plan (DRP) ............................................. 31
Audit trail (additional info from old syllabus) ............................................................................................ 32
2.8.4 ISO27001 Information security management .............................................................................. 34
2.9 Blockchain technology ................................................................................................................ 34
2.9.1 What is Blockchain technology.................................................................................................... 34
2.9.2 Key features of a Blockchain (Kaplan Publishing, 2019) ............................................................. 34
2.9.3 The relevance of Blockchain technology to accountants ............................................................. 34
2.9.4 Risks ........................................................................................................................................... 35
2.10 Centralised monitoring ................................................................................................................ 35
Summary ................................................................................................................................................ 35
Relevant articles ..................................................................................................................................... 35
References ............................................................................................................................................. 36
3. LEARNING UNIT 3: CYBER SECURITY TOOLS, TECHNIQUES AND REPORTING ................ 37
3.1 Cyber security tools and techniques ........................................................................................... 37
3.2 Forensic analysis ........................................................................................................................ 37
3.2.1 System level analysis .................................................................................................................. 37
3.2.2 Storage analysis ......................................................................................................................... 37
3.2.3 Network analysis ......................................................................................................................... 37
3.3 Malware analysis ........................................................................................................................ 38
3.3.1 Reverse engineering ................................................................................................................... 38
3.3.2 Decompilation and disassembly .................................................................................................. 38
3.4 Penetration (Pen) testing ............................................................................................................ 38
3.4.1 Network discovery....................................................................................................................... 38
3.4.2 Vulnerability probing ................................................................................................................... 38

3.4.3 Exploiting vulnerabilities .............................................................................................................. 38


3.4.4 Internal network penetration testing ............................................................................................ 38
3.4.5 Web application penetration testing ............................................................................................ 38
3.4.6 Wireless network penetration testing........................................................................................... 38
3.4.7 Simulated phishing testing .......................................................................................................... 39
3.5 Software security ........................................................................................................................ 39
3.5.1 Design review ............................................................................................................................. 39
3.5.2 Code review ................................................................................................................................ 39
3.5.3 Security testing ........................................................................................................................... 39
3.6 Digital resilience .......................................................................................................................... 39
3.6.1 Identify all the issues................................................................................................................... 40
3.6.2 Aim toward a well-defined target ................................................................................................. 40
3.6.3 Work out how best to deliver the new cyber security system ....................................................... 40
3.6.4 Establish the risk resource trade offs .......................................................................................... 40
3.6.5 Develop a plan that aligns business and technology ................................................................... 40
3.6.6 Ensure sustained business engagement..................................................................................... 40
3.7 Frameworks ................................................................................................................................ 40
3.7.1 AICPA ......................................................................................................................................... 40
3.7.2 Cyber security risk management reporting .................................................................................. 40
3.7.3 Criteria ........................................................................................................................................ 41
3.7.4 National Institute of Standards and Technology (NIST) cyber security framework ...................... 41
3.7.5 AIC Triad .................................................................................................................................... 42
Summary ................................................................................................................................................ 42
Relevant articles and case studies on cyber attacks ............................................................................... 43
References ............................................................................................................................................. 43

INTRODUCTION
Dear Students

In Tutorial Letter 501 it was mentioned that relevant information from the old syllabus would be
included from the Performance pillar in this tutorial letter. With cloud computing the service
provider provides online security and back-ups. But what if the service provider discontinues its
service? This is unlikely if your organisation uses a large public cloud provider such as
Amazon, Microsoft or Google, but what if your organisation uses a smaller cloud provider?
Organisations should either still do their own back-ups or carefully monitor what their service
provider is doing in this regard. Another "what if" is: what if the organisation you work for does
not use cloud technology?

You also still need to know about control mechanisms like physical controls and so on. It is
therefore important that you study the information below.

1. LEARNING UNIT 1: OPERATIONAL RISKS OF INFORMATION SYSTEMS


This learning outcome relates to the UNGC principle 9

1.1 INFORMATION SYSTEMS SECURITY


Security management of the IS ensures that all aspects of the system are secure and protected
from internal and external threats (Romney & Steinbart 2009:245). The security of accounting
ISs is closely associated with the controls dealing with, inter alia, access to central and
distributed systems.

1.1.1 IS security
The term "information security" (including computer security) means "protecting information and
information systems from unauthorised access, use, disclosure, disruption, modification, or
destruction in order to provide the following:

• Confidentiality, which means preserving authorised restrictions on access and disclosure,
  including the means for protecting personal privacy and proprietary information;
• Integrity, which means guarding against improper information modification or destruction,
  and includes ensuring information nonrepudiation and authenticity; and
• Availability, which means ensuring timely and reliable access to and use of information"
  (Bodnar & Hopwood 2010:181).

1.1.2 Operational risks: the information security management system (ISMS)


The ISMS is a process that controls the information risks within the organisation. It forms part of
the larger enterprise risk management (ERM) process. The ISMS life cycle is developed by
applying the following established methods (Bodnar & Hopwood 2010:182):

• Systems analysis
  Analyse the existing system to produce a vulnerability and threats report.

• Systems design
  Design a comprehensive set of security measures and contingency plans.

• Systems implementation
  Implement the designed security measures.

• Systems operation, evaluation and control
  Assess the system's effectiveness and efficiency during its operation in order to make
  changes if necessary.

Vulnerabilities are weaknesses in the system; threats are the potential exploitation of those
weaknesses. Breaches in IS security are serious and increase as more individuals have access to
computers, the internet and distributed information systems. Organisations can use a qualitative
or quantitative approach, or a mix of both, to assess the risks they might face. Regardless of the
analysis method used, any analysis must include loss exposures for at least the following areas
(Bodnar & Hopwood 2010:184):

• business interruption
• loss of software
• loss of data
• loss of hardware
• loss of facilities
• loss of service and personnel
• loss of reputation
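
As an added example (not part of the tutorial letter), the Python below carries out a small risk analysis over exactly these seven loss-exposure areas, mixing the two approaches the text mentions: an annualised loss expectancy (SLE x ARO) where money figures exist, and a likelihood/impact rating where they do not, both mapped onto one 1..5 x 1..5 matrix so the areas can be ranked together. The band thresholds, the materiality figure and all exposure figures are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The seven loss-exposure areas the tutorial says every analysis must cover.
REQUIRED_AREAS = (
    "business interruption", "loss of software", "loss of data",
    "loss of hardware", "loss of facilities",
    "loss of service and personnel", "loss of reputation",
)

# Qualitative 1..5 scales (assumed; any consistent scale works).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed thresholds that map quantitative inputs onto the same 1..5 bands,
# so quantitative and qualitative results can be ranked on one matrix.
ARO_BANDS = (0.1, 0.5, 1.0, 5.0)   # annual rate of occurrence, events per year
SLE_BANDS = (0.1, 0.5, 1.0, 5.0)   # single loss as a multiple of materiality


@dataclass
class Exposure:
    area: str
    sle: Optional[float] = None        # single loss expectancy, currency units
    aro: Optional[float] = None        # annual rate of occurrence
    likelihood: Optional[str] = None   # qualitative fallback rating
    impact: Optional[str] = None

    def ale(self) -> Optional[float]:
        """Annualised loss expectancy = SLE x ARO, or None if not quantifiable."""
        if self.sle is None or self.aro is None:
            return None
        return self.sle * self.aro


def band(value: float, thresholds: Tuple[float, ...]) -> int:
    """1 plus the number of thresholds the value reaches: yields 1..5."""
    return 1 + sum(1 for t in thresholds if value >= t)


def score(exp: Exposure, materiality: float) -> Tuple[int, str]:
    """Likelihood x impact score (1..25) and the basis it was derived from.
    Quantitative figures are preferred; qualitative ratings are the fallback."""
    if exp.sle is not None and exp.aro is not None:
        return band(exp.aro, ARO_BANDS) * band(exp.sle / materiality, SLE_BANDS), "quantitative"
    if exp.likelihood is not None and exp.impact is not None:
        return LIKELIHOOD[exp.likelihood] * IMPACT[exp.impact], "qualitative"
    raise ValueError(f"{exp.area}: neither quantitative nor qualitative inputs given")


def missing_areas(exposures: List[Exposure]) -> List[str]:
    """Required loss-exposure areas that the analysis has not covered."""
    covered = {e.area for e in exposures}
    return [a for a in REQUIRED_AREAS if a not in covered]


def rank(exposures: List[Exposure], materiality: float) -> List[Tuple[str, int, str]]:
    """Exposures ordered highest score first (ties broken by area name).
    Refuses to rank an analysis that leaves out a required area."""
    gaps = missing_areas(exposures)
    if gaps:
        raise ValueError("analysis incomplete: " + ", ".join(gaps))
    scored = [(e.area, *score(e, materiality)) for e in exposures]
    return sorted(scored, key=lambda r: (-r[1], r[0]))


def sample_exposures() -> List[Exposure]:
    """Constructed figures for a small organisation (not real data)."""
    return [
        Exposure("business interruption", sle=250_000, aro=0.5),
        Exposure("loss of software", sle=20_000, aro=1.0),
        Exposure("loss of data", likelihood="possible", impact="severe"),
        Exposure("loss of hardware", sle=50_000, aro=0.2),
        Exposure("loss of facilities", likelihood="rare", impact="major"),
        Exposure("loss of service and personnel", likelihood="likely", impact="moderate"),
        Exposure("loss of reputation", likelihood="unlikely", impact="severe"),
    ]


if __name__ == "__main__":
    for area, sc, basis in rank(sample_exposures(), materiality=100_000):
        print(f"{sc:>3}  {basis:<12} {area}")
```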

1.1.3 Individuals posing a threat to the IS


Systems personnel, users, intruders and hackers pose a threat to the security of the IS. In order
to attack the IS they need to have access to hardware, data files or critical programs. Systems
personnel usually have wide-ranging access to data and programs, whereas users have much
narrower (limited) access, but can still find ways to commit many different computer related
violations. Intruders and hackers are supposed to have no access, but usually find access to the
organisation’s data or programs (Bodnar & Hopwood 2010:185).

1.1.4 IS/IT security
A secure environment depends on the following factors (Bodnar & Hopwood 2010:195):

• Management philosophy and operating style
  An overall atmosphere of security consciousness should be created. Top management
  should set an example and adhere to security rules.

• Organisational structure
  A clear organisational line should be drawn to designate who is responsible for making
  decisions pertaining to IT procedures. Although segregation of duties is conducive to
  control, one individual must be in charge of computer security.

• Board of directors and its committees
  The board must appoint an audit committee, which in turn must appoint or approve an
  internal audit function. Continuous consulting between these groups and the chief security
  officer must take place.

• Management control activities
  Controls should include budgets for the acquisition of equipment and software, operating
  costs and for usage. Budget variances must be investigated.

• Internal audit function
  The information security system must be audited constantly and risk assessments done
  periodically. Security policies and procedures should be tested for both compliance and
  effectiveness.

• Personnel policies and practices
  Segregated duties, adequate supervision, job rotation, forced vacations and double checks
  are sound personnel practices.

• External influences
  Information systems must be in compliance with all state and local laws and regulations.

Summary

To promote efficiency and encourage adherence to prescribed policies and procedures of
management, an IT security system forms an integral part of the IS. Its broad purposes are to
safeguard the organisation's assets and to ensure accuracy and reliability of data and
information (Eccles et al 2000:376).

1.2 PHYSICAL RISKS OF INFORMATION SYSTEMS


The organisation’s resources must be protected from risks such as loss, waste or theft.
Protecting assets requires the development and implementation of an internal control structure
within both the IS and other parts of the organisational system.

1.2.1 Risk of physical damage


Potential threats to an organisation can be divided into four broad categories (Eccles et al
2000:40), the first two of which pertain to physical risks:

• natural disasters (such as fire, floods and earthquakes)
• human-made disasters (such as war and terrorism)
• fraud (such as theft and the unlawful manipulation of data)
• operator error

The organisation must install and review suitable environmental and physical controls to protect
the IT facilities against physical, mechanical and environmental threats. Control measures must
be put in place to protect the organisation from all these threats. The following table is an
example of the more common controls directed at some environmental hazards (Gelinas & Dull
2008:272):

Environmental hazard            | Controls
--------------------------------|-----------------------------------------------------------------
Fire                            | Smoke detectors, fire alarms, fire extinguishers, fire-resistant
                                | construction materials, insurance
Water damage                    | Waterproof ceilings, walls and floors; adequate drainage; water
                                | and moisture detection alarms; insurance
Dust, coffee, tea, soft drinks  | Regular cleaning of rooms and equipment, dust-collecting rugs
                                | at entrances, separating dust-generating activities from
                                | computers, not allowing food/drink near computers, good
                                | housekeeping
Energy increase, decrease, loss | Voltage regulators, back-up batteries and generators

Successive layers of access controls should be implemented to prevent active threats. These
are site access (physical) controls, system access (logical) controls, and file access controls.
With regard to physical threats, such as theft, site access control is implemented to physically
separate unauthorised individuals from IS resources. For instance, users should be required to
wear security identification badges, computer rooms should have locked doors, guards should
patrol premises and operations should be monitored by closed-circuit television (Bodnar &
Hopwood 2010:197).

Note: It is not only important to realise that physical threats can jeopardise the information
system’s functionality, but you must also be able to suggest the necessary control measures to
be implemented for a specific case at hand.

Summary

Organisational resources may be lost or damaged owing to theft, acts of violence, or natural
disasters. This requires the organisation to put adequate physical controls in place to safeguard
these resources.

1.3 RISKS OF FRAUD AND OTHER DELIBERATE ACTIONS


Fraudulent activities can also be committed with the use of manual financial systems. But,
because most organisations use computers to capture and report on their financial activities,
computer fraud schemes are of special interest to the organisation.

1.3.1 Computer fraud schemes


Although the objectives of fraud are the same – misappropriation of assets – the perpetrators
use various techniques to commit computer fraud. Computer fraud could, inter alia, include (Hall
2008:130–131):

• theft, misuse or misappropriation of assets by altering computer-readable records and
  files,
• theft, misuse or misappropriation of assets by altering the logic of computer software,
• theft or illegal use of computer-readable information,
• theft, corruption, illegal copying or intentional destruction of computer software, and
• theft, misuse or misappropriation of computer hardware.

Specifically, financial transaction fraud encompasses activities such as altering or adding false
transactions and distributing false pay cheques to non-existent employees.

The misuse or theft of an organisation's computer resources by an employee also constitutes
unlawful activity. Computer operators can, for example, use the organisation's computer to
conduct personal business. They might use the organisation's database, internet, printing
facilities, etc. to conduct their private business. Database management fraud specifically
includes altering, deleting, corrupting, destroying, or stealing an organisation's data (Hall
2008:133).

Fraudulent activities denote “a false representation of a material fact made by one party to
another party with the intent to deceive and induce the other party to justifiably rely on the fact
to his or her detriment” (Hall 2008:119). To combat fraudulent activities, such as white-collar
crime, defalcation, embezzlement and irregularities, management must create a climate that
makes fraud less likely and put proper control measures in place.

Apart from fraud or white-collar criminal activities, the IS of an organisation may also be
threatened by actions such as commercial or business espionage, malicious damage or
industrial action.

1.3.2 Internet risks


Many businesses use the internet and their own intranets to provide access to their and other
information. An organisation’s internet server is hopefully situated behind a device called a
firewall. Such a device attempts to prevent unauthorised access through the internet into the
organisation’s IS.

The organisation needs a strategy for the provision of information through intranets and the
internet. The level of security will depend on the type of information required. The organisation
also needs to protect itself from both intentional (code-cracking, Trojan horses and viruses) and
unintentional (bugs, crashes and loopholes) breaches of security.

Security measures should be implemented when using the internet to access information.
These measures include the use of firewalls, encryption technology, authentication, hashing,
secure servers and secure electronic transactions (SET) systems.

To feel safe in cyberspace, it must be possible to communicate information in such a way that:

• third parties cannot read it (interception),
• third parties cannot alter it (alteration), and
• the recipient can be confident about the sender's identity (authentication).

The kinds of intruders found on the internet are hackers, individuals looking for financial gain or
secrets, and disgruntled ex-employees or ex-contractors (Eccles et al 2000:412).
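
As an added example (not part of the tutorial letter), the Python below shows why hashing alone does not meet the second and third requirements listed above: a third party who can alter a message in transit can also recompute an unkeyed hash, whereas a keyed message authentication code (HMAC) lets the recipient detect both alteration and a forged sender. Confidentiality against interception additionally needs encryption, which this example does not cover; the payment messages and keys are constructed, and the shared key is assumed to have been agreed out of band.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed messages: what the sender issued and what a third party on the
# path tries to substitute. Not taken from the tutorial letter.
ORIGINAL = b"PAY ZAR 1000 TO ACC-4711 REF INV-0042"
ALTERED = b"PAY ZAR 9000 TO ACC-9999 REF INV-0042"


def seal_with_hash(message: bytes) -> Tuple[bytes, str]:
    """Unkeyed SHA-256 digest: detects accidental corruption only, because
    anyone who can change the message can also recompute the digest."""
    return message, hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def seal_with_hmac(key: bytes, message: bytes) -> Tuple[bytes, str]:
    """Keyed tag: only holders of the shared key can produce a valid tag, so
    the recipient learns both that the text is unaltered and who sent it."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, tag)


def relay_with_hash(message: bytes) -> bool:
    """Hash-only protection. Returns True if the recipient accepts the
    altered message, i.e. the alteration went unnoticed."""
    _, _original_digest = seal_with_hash(message)
    # The intermediary swaps the text and simply recomputes the digest.
    tampered, new_digest = seal_with_hash(ALTERED)
    return verify_hash(tampered, new_digest)


def relay_with_hmac(key: bytes, message: bytes) -> bool:
    """HMAC protection. The intermediary can swap the text but, lacking the
    key, can only forward the original tag. Returns True if accepted."""
    _, tag = seal_with_hmac(key, message)
    return verify_hmac(key, ALTERED, tag)


def forged_sender(recipient_key: bytes) -> bool:
    """An outsider who never held the shared key tags a message with a key of
    its own and claims to be the sender. Returns True if the recipient is fooled."""
    outsider_key = secrets.token_bytes(32)
    message, tag = seal_with_hmac(outsider_key, ALTERED)
    return verify_hmac(recipient_key, message, tag)


if __name__ == "__main__":
    shared = secrets.token_bytes(32)   # agreed out of band by sender and recipient
    print("hash only, alteration accepted:", relay_with_hash(ORIGINAL))        # True
    print("HMAC, alteration accepted:     ", relay_with_hmac(shared, ORIGINAL))  # False
    print("HMAC, forged sender accepted:  ", forged_sender(shared))            # False
```

An HMAC proves the message came from someone holding the shared key; where the recipient must also be able to prove that to a third party (non-repudiation), a digital signature with the sender's private key is used instead.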

1.4 GENERAL AND APPLICATION CONTROLS


There are a few reasons why control procedures may be more important for computerised AISs
than for manual systems. Automated systems are likely to process more data than manual
systems, thereby increasing the risk of errors and irregularities going undetected. Because
automated systems gather, process and store data in forms that people cannot read, the audit
trail is more difficult to follow.

1.4.1 Control problems


The use of computers can therefore increase the potential for loss or damage to some areas of
the organisation, the following of which are examples (Eccles et al 2000:377):

• illogical processing
• incorrect data entry
• concentration of data
• inability to substantiate processing
• concentration of duties
• unauthorised systems access
• poorly specified systems
• repetition of errors
• cascading of errors
• problems inherent in the electronic automated environment
• invisibility of records and audit trail
• information can be lost or changed, leaving no trace of the earlier content
• inability to react quickly
• failure to check the computer

The controls that can be introduced to prevent all kinds of risk are usually classified into two
major categories, namely general controls and application controls. General controls are
designed and implemented to ensure a stable and well-managed control environment and to
increase the effectiveness of application controls. Application controls are designed and
implemented to prevent, detect and correct errors and irregularities in transactions that are
being processed. There are, however, also specific controls for microcomputers, distributed
systems and communication networks.

1.4.2 General controls


Management is responsible for directing and controlling operations and for establishing,
communicating and monitoring policies and procedures. General controls include pre-
installation controls, organisational controls, operating controls, systems development and
documentation controls, and hardware and systems software controls (Eccles et al 2000:379).
General controls affect all transaction processing activities.

General controls comprise the following (Bodnar & Hopwood 2010:149):

 a plan of organisation for data processing
 general operating procedures
 equipment control features
 equipment and data-access controls

1.4.3 Personnel controls


The organisation plan for data processing includes the segregation of all personnel concerned
with data processing.

Every layer of management has a specific IT responsibility. However, with the growth in internet
connectivity and e-commerce almost all employees may be in a position to compromise the
information system.

1.4.4 Application controls


Whereas general controls focus on the framework within which accounting systems operate,
application controls are concerned with preventing, detecting and correcting errors and
irregularities in the processing of transactions. The three major stages of data processing are
input, processing and output and therefore application controls are usually classified into input
controls, processing controls and output controls. Storage and transmission controls also fall
under these three headings.

Processing controls should also include (Romney & Steinbart 2009:325):

 data matching (e.g. the system should verify that the information on the vendor invoice
matches that on both the purchase order and receiving report before paying the vendor);
 file labels (e.g. file labels need to be checked to ensure that the correct and most current
files are being updated);
 recalculation of batch totals (e.g. if the recomputed record count is smaller than the
original, one or more transaction records were not processed);
 cross-footing (e.g. compare the results of the totals calculated by adding up the rows with
those of adding up the columns) and zero-balance tests (e.g. the payroll clearing account
should have a zero balance after it has been debited with the total gross pay of all
employees in a particular period and credited with the amount for all labour costs allocated
to various expense categories);
 write-protection mechanisms (e.g. replacing bar-codes and manual tags with radio
frequency identification (RFID) tags to ensure that the price of the merchandise cannot be
written over or erased); and
 database processing integrity procedures (e.g. the use of database administrators, data
dictionaries and concurrent update controls to ensure database processing integrity).
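To show how four of the processing controls listed above are applied in practice, here is an added example (not code from the tutorial letter or from the textbooks it cites) that runs a three-way data match, a batch-total recalculation, a cross-footing check and a zero-balance test over a constructed purchases batch and payroll clearing account; every identifier and amount in it is constructed for illustration.

```python
# Added example, not from the tutorial letter or its cited textbooks.
# Four processing controls from the list above, run over constructed data.
from decimal import Decimal
from typing import Sequence


def three_way_match(purchase_order: dict, receiving_report: dict, invoice: dict) -> list:
    """Data matching: the vendor invoice must agree with both the purchase order
    and the receiving report before the vendor is paid. Returns the discrepancies;
    an empty list means the invoice may be released for payment."""
    problems = []
    if invoice["po_number"] != purchase_order["po_number"]:
        problems.append("invoice references a different purchase order")
    if invoice["quantity"] != receiving_report["quantity_received"]:
        problems.append("invoiced quantity differs from quantity received")
    if invoice["unit_price"] != purchase_order["unit_price"]:
        problems.append("invoiced unit price differs from price agreed on the PO")
    return problems


def recalculate_batch_totals(records: Sequence[dict], control_count: int,
                             control_total: Decimal) -> list:
    """Batch totals: recompute the record count and the financial total after
    processing and compare them with the control figures captured at data entry.
    A smaller recomputed count means one or more records were not processed."""
    problems = []
    processed_count = len(records)
    processed_total = sum((r["amount"] for r in records), Decimal("0"))
    if processed_count < control_count:
        problems.append(f"{control_count - processed_count} record(s) not processed")
    elif processed_count > control_count:
        problems.append(f"{processed_count - control_count} extra record(s) processed")
    if processed_total != control_total:
        problems.append(f"financial total {processed_total} differs from "
                        f"control total {control_total}")
    return problems


def cross_foot(cells: Sequence[Sequence[Decimal]], row_totals: Sequence[Decimal],
               column_totals: Sequence[Decimal]) -> bool:
    """Cross-footing: the recorded row totals added down, the recorded column
    totals added across and the sum of every cell must all agree."""
    grand_total = sum((cell for row in cells for cell in row), Decimal("0"))
    return sum(row_totals, Decimal("0")) == grand_total == sum(column_totals, Decimal("0"))


def payroll_clearing_balance(gross_pay: Decimal, allocations: Sequence[Decimal]) -> Decimal:
    """Zero-balance test: the payroll clearing account is debited with total
    gross pay and credited with each labour-cost allocation; anything other
    than zero means pay was allocated incorrectly."""
    return gross_pay - sum(allocations, Decimal("0"))


# Constructed sample data (hypothetical document numbers and amounts).
SAMPLE_PO = {"po_number": "PO-1001", "quantity": 10, "unit_price": Decimal("25.00")}
SAMPLE_RECEIPT = {"po_number": "PO-1001", "quantity_received": 9}
SAMPLE_INVOICE = {"po_number": "PO-1001", "quantity": 10, "unit_price": Decimal("25.00")}

# Four records were counted at data entry, but only three reached processing.
SAMPLE_BATCH = {
    "control_count": 4,
    "control_total": Decimal("1400.00"),
    "records": [
        {"id": "T001", "amount": Decimal("500.00")},
        {"id": "T002", "amount": Decimal("400.00")},
        {"id": "T003", "amount": Decimal("250.00")},
    ],
}

# Sales by region (rows) and product (columns) with totals as recorded;
# the second column total in the "bad" set has been mis-keyed.
SALES_CELLS = [[Decimal("100"), Decimal("200")], [Decimal("300"), Decimal("400")]]
SALES_ROW_TOTALS = [Decimal("300"), Decimal("700")]
SALES_COLUMN_TOTALS_OK = [Decimal("400"), Decimal("600")]
SALES_COLUMN_TOTALS_BAD = [Decimal("400"), Decimal("500")]

GROSS_PAY = Decimal("10000.00")
ALLOCATIONS_OK = [Decimal("6000.00"), Decimal("3000.00"), Decimal("1000.00")]
ALLOCATIONS_BAD = [Decimal("6000.00"), Decimal("3000.00"), Decimal("900.00")]


def run_all_checks() -> dict:
    """Run every control over the sample data and return the findings."""
    batch = SAMPLE_BATCH
    return {
        "data_matching": three_way_match(SAMPLE_PO, SAMPLE_RECEIPT, SAMPLE_INVOICE),
        "batch_totals": recalculate_batch_totals(
            batch["records"], batch["control_count"], batch["control_total"]),
        "cross_foot_ok": cross_foot(SALES_CELLS, SALES_ROW_TOTALS, SALES_COLUMN_TOTALS_OK),
        "cross_foot_bad": cross_foot(SALES_CELLS, SALES_ROW_TOTALS, SALES_COLUMN_TOTALS_BAD),
        "clearing_ok": payroll_clearing_balance(GROSS_PAY, ALLOCATIONS_OK),
        "clearing_bad": payroll_clearing_balance(GROSS_PAY, ALLOCATIONS_BAD),
    }


if __name__ == "__main__":
    for control, finding in run_all_checks().items():
        print(f"{control}: {finding}")
```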

1.4.5 Access controls


Access controls include the use of effective passwords, which have not been discussed
previously. Although passwords provide a degree of security, the behaviour of non-security-
minded users can show forms of contra-security. The most common forms of contra-security
behaviour relating to passwords include (Hall 2008:763):

 forgetting passwords and being locked out of the system,
 failing to change passwords on a frequent basis,
 the post-it syndrome, whereby passwords are written down and displayed for others to
see, and
 simplistic passwords that a computer criminal can easily anticipate.

Note: Access controls could be regarded as general or application controls.

Summary

Internal control forms part of a larger functional process and therefore the whole process with its
objectives must be properly set up and communicated to the people working within the
organisation. In setting up a control policy for the organisation the cost must justify the benefits
gained from these controls. A level of control must be found that will ensure that the system is
safe and sound, that the controls placed on the system are not having a choking effect on the
throughput of the organisation, and that the costs of the controls are not out of proportion to the
loss that would be incurred if a disruption were to take place. This will depend on the risk
appetite of the organisation.

1.6 THEFT AND FRAUD PREVENTION
Theft preventive controls include the control of physical access to the system. Physical access
begins with controlling entrance to the computer room or building. Access to the IS is more
difficult because access from remote sites must also be controlled.

1.6.1 Computer theft


Computer equipment used to be securely locked, but with the advent of laptops, personal digital
assistant (PDA) devices and programmable cellphones, control measures have become
extremely difficult to implement. The planning of physical access security controls must be cost-
effective and reflect the value of the assets being protected (Romney & Steinbart 2009:285).
The problem with laptop theft is not only the price of replacing the hardware, but also the loss of
mostly confidential information.

1.6.2 Software piracy and controls


Software piracy is the copying and use of software without the developer’s or publisher’s
permission. “The software industry estimates the economic losses of piracy at $20 billion a year”
(Romney & Steinbart 2009:186).

1.6.3 Computer fraud


Computer-related crimes are generally referred to as computer fraud, computer abuse or
computer crime. The proliferation of computers in organisations and the increased use of e-
commerce created expanded opportunities for criminals to commit a wide variety of crimes, in
which the computer is the target of the crime or the means to commit the crime (Gelinas & Dull
2008:222).

Management and the board of directors are responsible for establishing appropriate control
measures to protect their information system from wilful, intentional misdeeds, as well as
unintentional errors and omissions. It is, however, important that they not spend more on these
control measures than the benefits to be received from them.

Summary
Computer fraud includes the theft, misuse or misappropriation of assets by altering the
computer-readable files, by altering the logic of the computer software, or by stealing
computers, software applications or information (Hall 2008:130-131). Installing proper security
measures or controls must be a top priority for management.

1.7 INTERNET AND E-MAIL CONTROLS


This focuses on the control measures that can be implemented to protect the IS against
internet-related exposures.


1.7.1 Virus protection


Romney and Steinbart (2009:194) suggest some practical measures to protect computers from
viruses:

 Install reliable antivirus software that scans for, identifies and destroys viruses.
 Make sure that the latest versions of the antivirus programs are used.
 Scan all incoming e-mail for viruses at server level rather than when it reaches users’ desktops.
 All software should be certified as virus-free before loading it into the system.
 Deal with trusted software retailers.
 Some software suppliers use electronic techniques to make tampering evident.
 Check new software on an isolated machine with virus detection software.
 Have two backups of all files. Data files should be backed up separately from programs to
avoid contaminating backup data.
 If you use flash drives, diskettes, or CDs, do not put them in strange machines as they
may become infected.

1.7.2 Encryption and other safety measures


Encryption involves the translation of data into secret code. Public-key encryption is the most
commonly used method. It uses two keys in association with each encrypted message, one to
encrypt the message and another to decrypt it. “In practice, the sender of a message keeps one
key private and makes the other public. Hence, one key is called the public key and the other
the private key” (Bodnar & Hopwood 2010:98).

Other encryption techniques include digital signature and digital envelope.

Firewalls are used to prevent unauthorised access to computer networks. An intrusion detection
system (IDS) monitors the system for unusual activity and reports it.

1.7.3 E-mail
There are many problems associated with the use of e-mail, including work interruption, volume
of e-mails, lack of personal communication and viruses. Strict policies must be put in place to
control the use and misuse of e-mail.

Summary
To enjoy the benefits of the internet, organisations have to combat the risks associated with its
use.

1.8. CONTROLLING DISTRIBUTED SYSTEMS AND COMMUNICATION NETWORKS
Where computer systems are more advanced, particularly those with remote terminals and
communication networks and those that use database management systems, the security risks
are higher than when a single computer is used.

1.8.1 Security issues raised by distributed systems


The increased risks when using distributed systems and communication networks pertain to the
existence of remote workstations from which many users can obtain (potentially) easy access to
the system. The increase in e-commerce activities has also contributed to an increase in
security threats. The following table is an example of security issues raised by e-commerce.

Practical application

Threat – Security solution

(1) Information intercepted, read or modified illicitly – Encryption software that encodes
data to prevent tampering

(2) Users gain access to information by using a false identity to commit fraud –
Authentication software that verifies the identities of both sender and receiver

(3) Unauthorised user on one network gains access to another – Firewall software that
prevents information from being accessed by those who are unauthorised

(4) Parties may deny engagement in a transaction – Non-repudiation with a digital
signature provides an audit trail for transactions

(Lewin 2003:178)

1.8.2 Online access control procedures


The following can be done to reduce the risks associated with unauthorised use and
modification of data and information (Leitch & Davis 2001):

 Implement passwords and user identification.
 Restrict access of individuals to certain terminals, for certain types of transactions per user
or terminal, and for specific portions of data sets or files per user or terminal.
 Prevent access to confidential data from unauthorised terminals.
 Maintain security over passwords by, for example, changing them frequently, using
combinations of passwords, assigning responsibility for password and changing
procedures, and through terminal display protection, and data encryption during
transmission.
 Protect the physical security of terminals.
 Introduce automatic logging of terminal activity.

Strong passwords are needed to reduce network vulnerability and increase security. While a
truly impenetrable password is not possible, a strong password will at least require a lot of time
and powerful computer systems to crack. Strong passwords integrate all of the following
features (Wakefield 2004:6, 8):

 at least eight characters in length
 a combination of letters of mixed case, and numbers
 not easily typed
 something known only to the user (i.e. not present in any database)
 not found in an English or foreign language dictionary
 never shared
 never written down
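As an added example (not code from the tutorial letter or from Wakefield 2004), the following checker tests a candidate password against the strong-password features listed above, and so also catches the "simplistic passwords" problem noted under access controls; the dictionary and common-password lists it uses are small constructed stand-ins for the full word lists a real deployment would load.

```python
# Added example, not from the tutorial letter or from Wakefield (2004).
# Checks a candidate password against the strong-password features listed
# above. Behavioural features (never shared, never written down) and "not
# easily typed" cannot be tested by code and are left to policy and training.
import re

# Constructed stand-ins for an English/foreign-language dictionary and for a
# list of commonly used (and therefore widely recorded) passwords.
DICTIONARY_WORDS = {"password", "welcome", "summer", "london", "bonjour", "hallo"}
COMMON_PASSWORDS = {"password1", "welcome123", "qwerty", "letmein", "admin"}

MIN_LENGTH = 8


def password_weaknesses(candidate: str) -> list:
    """Return the strong-password features the candidate fails; an empty list
    means it meets every feature that can be checked mechanically."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("letters are not of mixed case")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no numbers")
    lowered = candidate.lower()
    # "Known only to the user": a password that already appears in a list of
    # common passwords is, by definition, present in somebody's database.
    if lowered in COMMON_PASSWORDS:
        problems.append("present in a list of commonly used passwords")
    # A dictionary word embedded in the password (e.g. "Summer2021") still makes
    # it guessable, so substrings are checked, not just the whole string.
    found = sorted(word for word in DICTIONARY_WORDS if word in lowered)
    if found:
        problems.append("contains dictionary word(s): " + ", ".join(found))
    return problems


def is_strong(candidate: str) -> bool:
    """True only when no checkable feature is missing."""
    return not password_weaknesses(candidate)


if __name__ == "__main__":
    for sample in ["Kx7!qz9Lm", "Summer2021", "password1", "Ab1"]:
        print(sample, "->", password_weaknesses(sample) or "strong")
```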

The following control procedures can be used to ensure complete and accurate data entry
(Leitch & Davis 2001):

 use of control totals (per terminal) for future reconciliation
 maintenance of a transaction log for all online processing

Note: There are more control procedures than those listed above. Refer to other textbooks or
the internet to expand this list (e.g. Wessels, Grobbelaar, McGee & Prinsloo 2007).

Although audit trails are difficult to maintain in an online processing environment, the following
procedures can assist in establishing effective audit trails (Leitch & Davis 2001):

 the use of codes which identify the user, the terminal, the type of transaction, and the
sequential numbering of transactions within transaction type
 confirmation feedback to the terminal operator before final data entry
 periodic review of transactions and control totals by supervisors
 use of transaction logs and automatic notification at the beginning and end of transaction
information
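The data-entry and audit-trail procedures above, brought together in an added example (not the tutorial letter's own code or that of Leitch & Davis): a small online transaction log with identifying codes for user, terminal and transaction type, sequential numbering within each transaction type, per-terminal control totals for later reconciliation, operator confirmation before final entry, and a supervisory check for gaps in the sequence; the user, terminal and transaction identifiers are constructed.

```python
# Added example, not from the tutorial letter or from Leitch & Davis (2001).
# An online transaction log built the way the procedures above describe.
from collections import defaultdict
from decimal import Decimal


class TransactionLog:
    def __init__(self):
        self.entries = []
        self._next_seq = defaultdict(lambda: 1)                   # per transaction type
        self.control_totals = defaultdict(lambda: Decimal("0"))  # per terminal

    def prepare(self, user_id: str, terminal_id: str, txn_type: str, amount: str) -> dict:
        """Confirmation feedback: build the entry and hand it back so the
        terminal operator can check it before final data entry."""
        return {"user": user_id, "terminal": terminal_id,
                "type": txn_type, "amount": Decimal(amount)}

    def commit(self, pending: dict) -> str:
        """Final data entry: assign the next sequence number within the
        transaction type, derive the identifying code (user/terminal/type/
        sequence) and add the amount to the terminal's control total."""
        seq = self._next_seq[pending["type"]]
        self._next_seq[pending["type"]] = seq + 1
        code = f"{pending['user']}/{pending['terminal']}/{pending['type']}/{seq:05d}"
        entry = dict(pending, seq=seq, code=code)
        self.entries.append(entry)
        self.control_totals[pending["terminal"]] += pending["amount"]
        return code

    def reconcile_terminal(self, terminal_id: str, operator_total: str) -> bool:
        """Per-terminal control total compared with the total kept
        independently at the terminal during the day."""
        return self.control_totals[terminal_id] == Decimal(operator_total)


def sequence_gaps(entries, txn_type: str) -> list:
    """Periodic supervisory review: sequence numbers within one transaction
    type must be unbroken; missing numbers point to lost or deleted entries."""
    seen = sorted({e["seq"] for e in entries if e["type"] == txn_type})
    if not seen:
        return []
    return [n for n in range(seen[0], seen[-1] + 1) if n not in seen]


def build_sample_log() -> TransactionLog:
    """A constructed day's activity: two users on two terminals (hypothetical IDs)."""
    log = TransactionLog()
    for user, terminal, txn_type, amount in [
        ("U17", "T03", "SALE", "120.50"),
        ("U17", "T03", "SALE", "80.00"),
        ("U22", "T04", "REFUND", "15.00"),
        ("U22", "T04", "SALE", "200.00"),
    ]:
        pending = log.prepare(user, terminal, txn_type, amount)
        # The operator would confirm `pending` on screen before this commit.
        log.commit(pending)
    return log


# A constructed archived log in which SALE number 3 has gone missing.
ARCHIVED_ENTRIES = [
    {"type": "SALE", "seq": 1}, {"type": "SALE", "seq": 2},
    {"type": "SALE", "seq": 4}, {"type": "REFUND", "seq": 1},
]


if __name__ == "__main__":
    log = build_sample_log()
    for entry in log.entries:
        print(entry["code"], entry["amount"])
    print("T03 reconciles:", log.reconcile_terminal("T03", "200.50"))
    print("missing SALE numbers:", sequence_gaps(ARCHIVED_ENTRIES, "SALE"))
```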

1.8.3 Distributed processing and communication procedures


Where computer facilities are dispersed and access to databases is possible from a large
number of terminals, the risk of unauthorised transactions or the introduction of errors is so
much greater. Errors and/or fraudulent transactions could impair the integrity of the database.
With distributed systems there is also an increased risk of data being read or used by
unauthorised users (Leitch & Davis 2001).

Concurrency procedures must be introduced to control the simultaneous usage of the same
records, files and data elements in a database. This can be done through priority allocation to
prevent lock-up situations and preserve the integrity of data (Leitch & Davis 2001).

Another means of preventing unauthorised access is data coding or data encryption. This
involves the storing and/or transmitting of data in coded format. Coding can be incorporated into
database processing and provides effective protection against the direct access of data from a
database. The coding scheme must, however, be protected to uphold security (Leitch & Davis
2001).

1.8.4 Integrated software systems


Integrated software systems present another type of risk. Through this, data input errors can
compromise several files, data items and databases, and damage the integrity of data and
associated reports. To prevent erroneous updating of data, accurate data transfer between data
files and databases is necessary. This requires an effective audit trail which tracks the data as it
moves from file to file, affects other data items, or moves from one system to another (Leitch &
Davis 2001).

1.8.5 Database control procedures


All of the controls discussed above are useful in maintaining database integrity and security.
However, in many cases the database system is protected, but not the data in the database.
Several controls must therefore be present to ensure that the database management system
operates effectively (Leitch & Davis 2001):

 Each user should have a subschema which limits that user’s ability to enquire, add, modify
or delete data.
 Control procedures should be in place to check every modification or deletion.
 Lock-out procedures should be introduced to automatically prevent the lock-ups that arise
from concurrent updating when two users attempt to access the same data item
simultaneously.
 Transaction and recovery file logs that are separate from the database should be
maintained.
 Periodic scans and editing of the database should be carried out.
 There should be an effective database administration function separate from the
operational control of day-to-day operations.
 It is necessary to keep a documented record of the database structure and a data
dictionary which describes each data element.
 There should be adequate backup and recovery controls.

1.8.6 Controls for small computers and service bureaus


In addition to the larger scale information system setups dealt with previously, there are also
other system environments that require particular types of controls. These include computers for
smaller businesses (e.g. micro-computers and mini-computers) and organisations that use
service bureaus to perform their data processing.

The level of control and security of small businesses’ computer systems may differ from that of
larger businesses, depending on their systems architecture and not necessarily on the size of
the business. It will also depend on the risk appetite of their personnel. Small business
computers tend to have no hardcopy console log and few of them have features that limit
access to programs. Another weakness from a control point of view is that small systems tend
to be very accessible and easy to use (Eccles et al 2000:421).


Proper control is also necessary when using a service bureau, because sending the
organisation’s data to another physical location could lead to a loss of security and
confidentiality (Eccles et al 2000:417).

Summary
Distributed systems and communication networks introduce new dimensions of complexity and
require more sophisticated control procedures. It is therefore important to have a
comprehensive control strategy, which should include contingency controls and a disaster plan.

References

Bodnar, GH & Hopwood, WS. 2010. Accounting information systems. 10th edition. Upper
Saddle River, NJ: Pearson.

Eccles, MG, Julyan, FW, Boot, G & Van Belle, JP. 2000. The principles of business computing.
5th edition. Kenwyn: Juta.

Gelinas Jr, UJ & Dull, RB. 2008. Accounting information systems. 7th edition. Mason, OH:
Thomson South-Western.

Hall, J. 2008. Accounting information systems. 6th edition. Mason, OH: Cengage Learning.

Leitch, RA & Davis, KR. 2001. Accounting information systems: theory and practice. 2nd
edition. Englewood Cliffs, NJ: Prentice-Hall.

Lewin, A. 2003. Management accounting: information strategy. London: CIMA.

Romney, MB & Steinbart, PJ. 2009. Accounting information systems. 11th edition. London:
Pearson Education.

Wakefield, RL. 2004. Network security and password policies. The CPA Journal, July: 6, 8.

Wessels, PL, Grobbelaar, E, McGee, A & Prinsloo, GTM. 2007. Information systems in a
business environment. Durban: LexisNexis.

RISK MANAGEMENT (P3)

PART D CYBER RISKS

We will now discuss cyber risks. You may think that this is a technical matter for IT
professionals. However, because of the scale of the risks involved, it is vital that management
accountants play an active role with regard to this issue in their organisations. Cyber risks relate
to the use of information technology and digital data. You have seen in the news media what
large-scale cyberattacks can cause, for example massive economic damage, geopolitical
tensions and widespread loss of trust in the internet and in organisations.

1. LEARNING UNIT 1: CYBER SECURITY THREATS

Learning outcome: Analyse cyber security threats.

This learning outcome relates to the UNGC principle 9

Component outcomes:

1.1 Overview of cyber security threats

It is important to understand what constitutes sensitive information, how it could be used in a
malicious way and what the cyber security objectives of an organisation could be.
Please go to the links below to listen to two podcasts on cybersecurity.
http://html5-player.libsyn.com/embed/episode/id/7095967/height/360/theme/custom/thumbnail/yes/direction/backward/render-playlist/no/custom-color/72246C
https://www.facebook.com/watch/live/?v=251249295555819&ref=watch_permalink


1.1.1 Types of sensitive information

There are three main types of sensitive information namely:

 Personal information or Personally Identifiable Information (PII)

 Business information

 Classified information
There are a number of examples of PII and business information in your textbooks.

1.2 Understanding how technology interacts with the organisation

Firstly, an organisation must understand how technology interacts with the organisation in order
to protect it from any cyber security threats. These technological interactions could include:

 Type of technologies that the organisation uses for example, Enterprise Resource Planning
(ERP)

 Connections for example Virtual Private Network (VPN), routers etc.

 Services providers for example cloud providers.

 Delivery to the customer or how things are transmitted to vendors.


Refer to your prescribed textbooks for more discussion on these.

1.3 Cyber security and the external environment

It is critical for an organisation to understand what is happening in the outside world as this
could have a significant impact on the organisation’s cyber security risks.

1.4 Cyber security objectives

Cyber security objectives need to be set by management and they need to link to the cyber
security risks that have been identified. The Association of International Certified Professional
Accountants (AICPA) outlines some key cyber security objectives namely:

 Availability – customers want continuous access to the organisation’s websites and
applications.

 Confidentiality – customer’s data must be protected.

 Integrity of data – prevention of unauthorised modification/destruction of information.

 Integrity of processing – prevention of improper use/modification/destruction of systems.


How these objectives are established, approved and maintained is equally important.
Refer to your prescribed textbooks for more discussion and examples on these.

1.5 Types of cyber security risks

Types of cyber security risks include Malware, Application attacks and Hackers.
Please go to the link below to watch a video on the key essentials to Cyber security risk
and threat management.
https://www.facebook.com/watch/live/?v=251249295555819&ref=watch_permalink
1.5.1 Malware

Malware is a term used to define various types of malicious software irrespective of their
purpose. Examples of the most common types include, Ransomware, Botnets, Trojans,
Malvertising, Viruses and Spyware.
Please refer to your textbook for more information on these.

1.5.2 Application attacks

These are becoming more common as the use of applications (apps) becomes more widespread.
The aim is similar to that of malware, namely to steal data or users’ identities. Some of the
most common types are:

 Denial-of-service (DoS) attack

 Distributed-denial-of-service (DDoS) attack

 Structured Query Language (SQL) injection

 Cross-site scripting attacks (XSS attacks)

 Buffer overflow attack


Please refer to your textbook for more information on these.
1.5.3 Hackers

A hacker is a computer expert who gains unauthorised access to a computer system. Hackers
can be internal (e.g. a disgruntled employee) or external. There are different reasons why
someone may want to hack a computer system, for example:

 Gain access to codes, passwords and authorisations

 Interfere with control systems

 Obtain information that could be used by competitors

 Cause data corruption or delete files

There are different types of hackers namely:

 Black hat hackers – gain access without permission with malicious intent

 Grey hat hackers – not specifically good or bad but sell their skills for monetary gain

 White hat hackers – they are used by the organisation to understand weaknesses in the
systems


Please see the link below and refer to your textbooks for more information on Hackers.
https://players.brightcove.net/1485859309/default_default/index.html?videoId=5846547140001
1.5.4 Social Engineering

This is the manipulation of people to make them perform specific actions or reveal confidential
information.
Studies by Dr Robert Cialdini identified six principles that can be used to persuade or influence
someone, namely:

 Reciprocity

 Scarcity

 Authority

 Consistency

 Liking

 Consensus
More on these principles can be found at the link below:
https://conceptually.org/concepts/6-principles-of-influence
Techniques known as phishing or spear phishing are types of social engineering used by
hackers to gain access to a system or network.

 Phishing: the use of fraudulent communications to steal sensitive information.

 Spear phishing: a phishing attempt that targets a specific individual who is considered to
have specific information or access to this information.
Refer to your textbooks for more information on the above.

1.6 Cryptocurrency

Cryptocurrencies like bitcoin make it possible to send and receive money anonymously thereby
making the threat of cyber security more significant. Bitcoin is the currency of choice for
Hackers.
Read the article below on why Hackers love bitcoin.
https://www.theguardian.com/technology/2017/may/15/digital-gold-why-hackers-love-bitcoin-ransomware

1.7 Social media

We all know what social media is; a good definition is given below.

1.7.1 What is social media

“Social media is any digital tool that allows users to quickly create and share content with the
public. Social media encompasses a wide range of websites and apps. Some, like Twitter,
specialise in sharing links and short written messages. Others, like Instagram and TikTok, are
built to optimise the sharing of photos and videos” (The balance small business, n.d.).
Social media presents a number of opportunities namely:
 Advertising

 Brand development

 Big Data analytics

 Method of listening to customer

 Real-time information gathering

 Communication

 Recruitment and selection


The above are self-explanatory, please refer to your textbooks to see more detail on the
opportunities offered by social media.
1.7.2 Risks of social media to organisations

There are a number of risks associated with social media to organisations namely:

 Human error – mistakes by employees on personal accounts or organisations accounts.

 Productivity – employees can waste company time on social media during work hours.

 Data protection – Organisations need to have secure networks.

 Hacking – accessing organisation specific accounts and sending messages posing as the
organisation.

 Reputation – Well-meaning posts can be misinterpreted, even by employees.

 Inactivity – Not keeping a social media account or keeping it up-to-date can be damaging
for an organisation.

 Costs – a well-run social media presence will come at a cost, and non-compliance could
result in fines.
Refer to your textbooks to see more detail on the risks to organisations from social media.
1.7.3 Risks of social media to individuals

As most of you may use social media in one form or another you will be aware of these risks
namely:

 Going viral – a person can become famous or infamous very quickly through social media.

 Internet trolling – abusive responses by others to incite individuals normally after going viral.


 Employment – companies will view a potential candidate’s social media accounts or even
dismiss employees due to negative comments made on social media.

 Legal sanction – legal action may follow from social media posts, and a person’s whereabouts
at the time of a crime, as revealed by posts, can be used by law enforcement.

 Physical theft – criminals may identify possible unoccupied properties due to social media
posts.

 Identity fraud – criminals can build up a portfolio about an individual due to poorly protected
accounts.

 Permanence – social media posts are very difficult to delete.


Refer to your textbooks to see more detail on the risks to individuals from social media.

1.8 Risk of security vulnerabilities

It is important to be aware of how organisational change can have an impact on cyber security.
1.8.1 Organisational changes

Here are some examples of organisational change:

 Expansion

 Acquisition

 Restructure

 Hardware update

 Regulations
Refer to your textbooks for more detail on these.

1.8.2 Changeover methods

Below are some examples of how changing of systems can be undertaken by organisations:

 Direct changeover

 Parallel running

 Pilot changeover

 Phased changeover
Refer to your textbooks for more detail on these.
1.8.3 Vulnerabilities

Organisations need to be aware of their vulnerabilities to cyber security threats; these can be:

 Technical deficiencies – defects in software, ineffective firewalls or antivirus software.

 Procedural deficiencies – ineffective policy on passwords.


 Physical – fire or floods.
Refer to your textbooks for more detail on these.
1.8.4 Impact of security vulnerabilities

After having considered the information that needs protecting and the types of attacks the
organisation needs protecting from, an organisation needs to be aware of the implications of a
security breach or attack. These include:

 Downtime

 Reputation damage

 Customer flight

 Industry consequences

 Legal consequences
The above are self-explanatory, please refer to your textbooks to see more detail on these
impacts.
In your textbook, you will see a section in this chapter on legislation surrounding information
systems in the UK and EU, namely the General Data Protection Regulation (GDPR), which was
mentioned in Tut 502 and Tut 505. There are also examples of other legislation (US, Asia-
Pacific, China and Singapore). South Africa has the POPI Act, which comes into force on the
1st of July 2020. Please make sure that you know what these regulations entail.

Summary

In a digital world one of the major threats is cyber risk. After studying this section, ask yourself:
can I recommend suitable company policies on cyber security and suitable preventive and
detective controls in response to vulnerabilities?

Relevant articles
https://www.weforum.org/reports/the-global-risks-report-2020
https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/staying-ahead-on-cyber-security
https://insights.cgma.org/story/cybersecurity/page/1
https://www.cimaglobal.com/Members/Insights/2019-CIMA-Insights/Five-simple-cybersecurity-tips-for-your-small-business/
http://www3.weforum.org/docs/GAC16/Social_Media_Impact_Digital.pdf
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cyber-security-resource-center.html
References
Kaplan Publishing, 2019. Official study text. Risk Management. Strategic Level. P3. Berkshire.
UK. Kaplan Publishing.
The Balance small business, n.d. Available from: https://www.thebalancesmb.com/what-is-social-media-2890301. [Accessed 25 June 2020].


2. LEARNING UNIT 2: CYBER SECURITY PROCESSES

Learning outcome: Review cyber security.

This learning outcome relates to the UNGC principle 9

Component outcomes:

2.1 Cyber security organisational characteristics

The AICPA cyber security framework recommends a security mechanism based around three
principles, namely:

 Protection

 Detection

 Response
These three principles can be used in various ways across the different levels within the system.
It must be noted that corporate governance, tone from the top and communication are key to
these three principles being effective in risk management in general.

2.1.1 Cyber security risk governance

The AICPA framework emphasises the importance of governance in particular:

 How management must consider the tone from the top

 Standards for conduct

 IT expertise at board level

 Hiring and training of cyber security personnel

 Reporting lines and responsibility for cyber security within organisations

Roles specifically mentioned by the AICPA framework include:

Role – Responsibility

Chief Information Officer (CIO) – Overall IT responsibility to the board

Chief Risk Officer (CRO) – Overall responsibility for risk

Chief Technology Officer (CTO) – Technology and resources to support internal operations

Chief Information Security Officer (CISO) – Head of the cyber security program

Now refer to your textbooks to see the various ways for an organisation to address these
governance considerations, which include the various roles, board meetings, a handbook on
policies and procedures, etc.
2.1.2 Cyber security risk information and communication

The AICPA framework in accordance with CIMA’s risk management cycle highlights the
importance of information, which can be internal and external. Now refer to your textbooks for
examples of these different types of communication methods.

2.2 Protection

The previous chapter highlighted the various interactions that make an organisation vulnerable. However, it is also vital to be aware of the ever-expanding number of areas that need to be protected. The various controls and prevention methods were discussed at the beginning of this tutorial letter; read that section in conjunction with this one.
2.2.1 Areas to be protected

• Servers
• Desktops
• Laptops
• Mobile devices
• Networks
• Data storage
• Business applications

This list will continue to grow as more and more connected devices are created.
Refer to your textbook for a more detailed discussion on each of these.


2.2.2 Methods of protection

These include:

• Policies and policy management
• Software updates
• Configurations
• Security products
• Application software controls

Refer to your textbook for a more detailed discussion on each of these.

2.2.3 Forms of protection

Protection can take on various forms, namely:

• Identification – usernames, unique IDs, etc.
• Authentication – passwords or PIN numbers (read in your textbooks about the problems with passwords and the precautions to take)
• Authorisation – access is granted according to job level
• Protecting secrets – encryption, so that only authorised recipients can view the data/information
• Physical security – CCTV, safes, security guards, location of IT facilities
• Personnel controls – recruitment, training and supervision

Refer to your textbooks for a detailed discussion on these and examples thereof.

2.4 Certification

A digital certificate provides verification of the identity of the sender and receiver; a certificate has a public part and a private part. Secure Sockets Layer (SSL) certificates have now been replaced by Transport Layer Security (TLS) certificates. It is very important that these certificates do not expire.
See the links below to understand what certification is.
https://www.youtube.com/watch?v=hExRDVZHhig
https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/

2.5 Man in the middle (MitM)

MitM is “a form of cyber eavesdropping in which malicious actors insert themselves into a conversation between two parties and intercept data through a compromised but trusted system” (Forcepoint.com n.d.).
The YouTube clip below explains MitM.
https://www.youtube.com/watch?v=DgqID9k83oQ
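The certificate checks mentioned in 2.4 and the impersonation risk described in 2.5 meet in one routine: a client that accepts an expired certificate, or one issued for a different name, is the client that an intermediary can pose to as the real server. The block below is an added example written for this tutorial letter, not code from the AICPA, Cloudflare or any textbook. It takes a certificate in the dictionary shape that Python's ssl module returns from getpeercert() and checks its validity period and hostname. The certificate, hostnames and dates are constructed, and hostname_matches, days_until_expiry and check_certificate are names chosen here.

```python
"""Added example: checking a server certificate's validity period and hostname.

Illustrative code written for this tutorial letter, not from any cited source.
SAMPLE_CERT is a constructed dictionary in the shape returned by
ssl.SSLSocket.getpeercert(); its names and dates are made up.
"""
from datetime import datetime, timezone

# Constructed certificate (same layout as ssl.SSLSocket.getpeercert()).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jun 15 00:00:00 2024 GMT",
    "notAfter": "Jun 15 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}

CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Jun 15 23:59:59 2025 GMT' format used by getpeercert()."""
    return datetime.strptime(value, CERT_TIME_FORMAT).replace(tzinfo=timezone.utc)


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    return (parse_cert_time(cert["notAfter"]) - now).days


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match the hostname against the DNS entries in subjectAltName.

    A wildcard covers exactly one label: *.shop.example.com matches
    a.shop.example.com but neither shop.example.com nor a.b.shop.example.com.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            _, _, rest = host.partition(".")
            if rest and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def check_certificate(cert: dict, hostname: str, now: datetime, warn_days: int = 30) -> list:
    """Return a list of findings; an empty list means the certificate passes."""
    findings = []
    if now < parse_cert_time(cert["notBefore"]):
        findings.append("certificate is not yet valid")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        findings.append("certificate has expired")
    elif remaining < warn_days:
        findings.append(f"certificate expires in {remaining} days; renew now")
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate was not issued for {hostname}")
    return findings


if __name__ == "__main__":
    checked_at = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for host in ("www.example.com", "a.shop.example.com", "shop.example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, checked_at) or ["ok"])
```

Passing the clock in as a parameter is deliberate: the same check can then run in a scheduled renewal monitor against the real time, and in a test against a fixed date.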
2.6 Detection

Organisations must have strong detection strategies in place to detect if and when threats occur. The sooner an issue is identified, the easier it is to fix. The following are some detection strategies an organisation can implement:

• Event monitoring – logging of events
• Intrusion detection and prevention systems – Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS); there are now also apps that can monitor activities
• Threat monitoring – this can help develop new controls
• User reports – these can help identify unusual activity

Refer to your textbooks for a detailed discussion on these and examples thereof.

2.7 Response

Not only do organisations need to be able to detect threats, but they also need to develop a response strategy. This has brought on the development of Computer Incident Response Teams (CIRTs) or Computer Security Incident Response Teams (CSIRTs).
The primary function of the CIRT or CSIRT is to keep the organisation functioning by:

• minimising any losses
• restoring normal operations as soon as possible
• assisting with any investigations, internally or externally
• helping to provide data and information to support decision making and the development of a planned response
• assisting with communications with the various stakeholder groups during the critical periods

Refer to your textbooks for the example – Maersk NotPetya.
The YouTube clip below gives a good explanation of CIRTs/CSIRTs.
https://www.youtube.com/watch?v=eBJDKBFSLqs

2.8 Defending against the cyber security risks

Remember from the previous chapter that the key cyber security risks include malware, application attacks and hackers.

2.8.1 Protecting devices

Below are some examples of specific devices that need protecting:

• Desktops – physical: locks (doors and cable locks); authentication: passwords; policies: automatic screensavers, security updates
• Laptops – same as the above, but also fingerprint and iris scanners; policies: safe storage guidelines
• Mobile devices – authentication: passwords and biometrics; policies: updates
• Bring your own device (BYOD) – policies: acceptable use, allowable software usage


Refer to your textbooks for a detailed discussion on these.

2.8.2 Protecting networks and systems

Below are some examples of how to protect networks and systems:

• Network configuration management (NCM) – maintaining information about the network and its segmentation, and monitoring changes
• Firewalls – network: restricted access to systems and websites; application: monitoring
• Antivirus endpoint security – security software on each network device

Refer to your textbooks for a detailed discussion on these and examples.

2.8.3 Business continuity plan (BCP) and Disaster recovery plan (DRP)

The aim of a business continuity plan is to minimise the extent of disruption, damage or loss of
information and to establish a temporary alternative way of processing information. Hence, the
objective is to resume normal business operations as quickly as possible and to familiarise
personnel with proper emergency procedures (Romney & Steinbart 2009:332).

Disasters happen and disaster prevention is the first step in managing disaster risks, ranging
from natural disasters to deliberate actions and human error (Bodnar & Hopwood 2010:205).
The first step in a disaster recovery plan is to obtain the support of senior management, as well
as the board’s approval. The design of a plan should include the following major components
(Bodnar & Hopwood 2010:206):
• an evaluation of the organisation’s needs
• a list of priorities for recovery based on these needs
• a set of recovery strategies and procedures

Apart from including the allocation of responsibilities, the priorities, backup and standby
arrangements as well as communication with personnel, a contingency plan should also include
adequate insurance cover.

Recovery strategies and procedures should include the availability of an emergency response
centre or an alternative backup site if the primary computing site is destroyed or unusable.

Organisations know that it is just a matter of time until they will be subjected to a cyber-attack,
therefore BCP and DRP need to form part of their cyber risk management process.
BCP is a strategy to keep an organisation running with minimal disruption if a disaster strikes.
DRP is a strategy to restore the data and applications should the data centre, servers or other
infrastructure be damaged or destroyed.

DRP involves:

• making a risk assessment
• developing a contingency plan to address those risks

Backups
Backup consists of file equipment and procedures that are available if the original files are
destroyed or out of service. Recovery is the ability to recreate the master and other files by
using prior files and transactions (Bodnar & Hopwood 2010:151). Disasters such as disk failure,
program errors, fires, floods, electricity surges and malicious acts can corrupt or destroy data.

Backups should be stored in a secure location, preferably an off-site location. Organisations that
must ensure continuous online operations must replicate their data in real time on primary and
secondary systems. This data replication strategy is called continuous data protection (CDP)
and the site that contains copies of the primary site’s programs and data files is a mirror site
(Gelinas & Dull 2008:266).

A backup strategy together with a DRP constitutes a comprehensive BCP.


Examples of back-up sites that organisations can use include:

• Mirror site
• Hot back-up site
• Warm back-up site
• Cold back-up site

Refer to your textbooks for a detailed discussion on these and examples.
The YouTube clip below explains the difference between hot, warm and cold back-ups.
https://www.youtube.com/watch?v=cirj3jvDvXc
Audit trail (additional info from old syllabus)

An audit trail enables management and the auditors to trace any transaction through all the stages of its processing, from the input of the transaction to the final output of the financial and management reports. Organisations must maintain audit trails for two reasons (Hall 2008:144):

• The information is needed for conducting day-to-day operations. It helps employees to respond to customer enquiries by showing the current status of transactions in process.
• It plays an essential role in the financial audit of the organisation. It enables external and internal auditors to verify selected transactions by tracing them from initiation to the financial statements.


Illustration

How did Nasdaq recover from September 11?

Answer:

Thanks to an effective disaster recovery plan, Nasdaq was up and running six days after the 11
September 2001 terrorist attack that destroyed the twin towers of the World Trade Centre.

Nasdaq’s headquarters was located on the 49th and 50th floors of One Liberty Plaza, just across
the street from the World Trade Centre. When the first plane hit, Nasdaq’s security guards
immediately evacuated personnel from the building. Most of the employees were out of the
building by the time the second plane crashed into the other tower. Although employees were
evacuated from the headquarters and the office in Times Square had temporarily lost telephone
service, Nasdaq was able to relocate to a backup centre at the Marriott Marquis. Once there,
Nasdaq executives went through their list of priorities: first, their personnel; second, the state of
their traders; third, the physical damage; and lastly, the trading industry situation.

Nasdaq’s extremely redundant and dispersed systems also helped the company quickly reopen
the market. Each trader is linked to two Nasdaq connection centres, and there are 20
connection centres in the United States. The centres are connected to each server using two
separate paths and sometimes two distinct vendors. Servers are kept in different buildings and
have two network topologies. Even with the electricity out in Lower Manhattan, Nasdaq’s
systems were relatively unaffected.

When personnel could no longer occupy the Manhattan office and phone lines were out in the
Times Square office, Nasdaq still had offices in Maryland and Connecticut, which allowed it to
monitor the regulatory processes. This also lessened the risk of losing all Nasdaq’s senior
management. Even if large numbers of people had been lost in One Liberty Plaza, the company
still would have had members of its senior management in other locations.

Nasdaq also took such precautions as having its executives carry more than one mobile phone
in case one service provider goes down and investing in interruption insurance to help defer the
costs of closing the market. Planning and foresight saved Nasdaq from losing what could have
been tens of millions of dollars (Romney & Steinbart 2009:333).

A contingency plan should be tested on a regular basis to ensure that everyone in the
organisation knows what to do when a disaster occurs. It is far better to discover problems with
the implementation of the plan during a test, rather than when there is an actual emergency.

2.8.4 ISO27001 Information security management

ISO standards cover a wide range of activities in an organisation, from producing a product and managing a process to delivering a service or supplying materials. There are more than 21300 international standards developed by the International Organization for Standardization (ISO).
ISO27001 is the framework for all issues related to an organisation’s information risk management processes.
Read the report below on ISO27001.
https://advisera.com/27001academy/what-is-iso-27001/
Refer to your textbooks for more on ISO27001.

2.9 Blockchain technology

Students, we are back to Blockchain. The main advantage of Blockchain is security: Blockchain provides an effective control mechanism focused on preventing hackers from secretly modifying records.

2.9.1 What is Blockchain technology?

In your textbooks a definition of Blockchain is given; see the YouTube clip below for an explanation of Blockchain technology.
https://www.youtube.com/watch?v=27nS3p2i_3g&feature=youtu.be

2.9.2 Key features of a Blockchain (Kaplan Publishing, 2019)

• Transactions are recorded by a number of participants using a network that operates via the internet. The same records are maintained by a number of different parties.
• The details of each transaction – the value, the time, the date and the details of the parties involved – are recorded by everyone. For the transaction to be accepted, all participants in the chain must agree to update their ledgers.
• The verification process of the transaction is executed by computers. These computers make up the network that audits the transaction.
• When a new block is added, it is linked to the previous block by using a cryptographic hash, which is generated from the contents of the previous block. This makes sure that the chain is never broken and that each block is permanently recorded.
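The linking rule in the last feature above is easiest to see in code. The block below is an added example written for this tutorial letter; it is not Kaplan's material and not a real blockchain. It is a minimal hash-chained ledger with no network or consensus layer, showing why a record cannot be changed silently once later blocks depend on its hash. The transactions and timestamps are constructed, and the function names are chosen here.

```python
"""Added example: a minimal hash-chained ledger illustrating the linking rule
in 2.9.2. Written for this tutorial letter; not Kaplan's or any real
blockchain implementation. There is no network or consensus layer here, only
the hashing that makes silent modification detectable. Transactions are
constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass
class Block:
    index: int
    timestamp: str          # ISO 8601 string, fixed so hashes are reproducible
    transaction: dict       # value, parties and so on, as described in the text
    previous_hash: str
    hash: str = ""


def compute_hash(block: Block) -> str:
    """SHA-256 over the block's contents, excluding its own hash field.

    Keys are sorted so every participant serialises the block identically.
    """
    payload = {k: v for k, v in asdict(block).items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def append_block(chain: list, transaction: dict, timestamp: str) -> Block:
    """Create the next block, linking it to the previous block's hash."""
    prev_hash = chain[-1].hash if chain else "0" * 64   # genesis block links to zeros
    block = Block(len(chain), timestamp, transaction, prev_hash)
    block.hash = compute_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad block).

    Two things are re-checked for every block: that its stored hash still
    matches its contents, and that it still points at the previous block.
    """
    for i, block in enumerate(chain):
        if block.hash != compute_hash(block):
            return False, i
        expected_prev = chain[i - 1].hash if i > 0 else "0" * 64
        if block.previous_hash != expected_prev:
            return False, i
    return True, None


def build_sample_chain() -> list:
    """Three constructed transactions (parties and amounts are made up)."""
    chain = []
    append_block(chain, {"from": "A", "to": "B", "amount": 100}, "2021-01-01T09:00:00Z")
    append_block(chain, {"from": "B", "to": "C", "amount": 40}, "2021-01-01T09:05:00Z")
    append_block(chain, {"from": "C", "to": "A", "amount": 15}, "2021-01-01T09:10:00Z")
    return chain


if __name__ == "__main__":
    ledger = build_sample_chain()
    print("intact:", verify_chain(ledger))
    ledger[1].transaction["amount"] = 4000       # a record is edited in place
    print("after tampering:", verify_chain(ledger))
```

Editing one block breaks its own hash; recomputing that hash to cover the edit then breaks the next block's previous_hash, so the attacker would have to rewrite every later block on every participant's copy, which is the point the text makes about agreement among all participants.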

2.9.3 The relevance of Blockchain technology to accountants

This is an important topic. Blockchain can fundamentally revolutionise the accounting profession, as it allows unchangeable and transparent record keeping for all financially related data.
Benefits of Blockchain to the accounting profession include:

• a decrease in costs relating to maintaining and reconciling ledgers
• complete assurance over the ownership and history of assets
• more time available to staff to focus on other responsibilities


There is a lot of information on the internet on this topic. Below are just a few links that you can go through; you can research much more on this topic.
https://www.icaew.com/-/media/corporate/files/technical/information-technology/thought-leadership/blockchain-and-the-future-of-accountancy.ashx
https://www.accountingtoday.com/news/blockchain-unlocking-new-potential
https://www.youtube.com/watch?v=URjWivgtaRo
Now refer to your textbooks.
2.9.4 Risks

It was thought that Blockchain would be unhackable, but cyber criminals always find a way to
penetrate a system.
Below is an article in the CIMA member magazine where a number of risks are discussed.
https://www.fm-magazine.com/issues/2018/aug/blockchain-risks-and-rewards.html
Refer to your textbooks to read about the 51% rule.

2.10 Centralised monitoring

Due to the large number of devices logging into organisations’ systems, centralised monitoring has become essential.
There are a number of elements to centralised monitoring, including:

• Event logging and aggregation
• Security information and event management (SIEM)
• Modern security operations centre (SOC) functions

Refer to your textbooks for a detailed discussion on these elements and the articles below.
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html
https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/soc-for-cybersecurity-brochure.pdf
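Event monitoring (2.6) and central log aggregation (2.10) come together in a single detection rule. The block below is an added example written for this tutorial letter, not from a SIEM product or any textbook. It parses constructed authentication log lines collected from two hosts, aggregates them, and flags a source address that causes five or more failed logins within one minute. The log format, hostnames and IP addresses are made up (the addresses come from the documentation ranges), and the function names are chosen here.

```python
"""Added example: detection logic over constructed authentication log lines.

Illustrative code written for this tutorial letter, not from any textbook
or product. The lines, hostnames and addresses below are constructed (IPs
are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and
use a simplified syslog-style layout.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events from two hosts, as a central collector would hold them.
SAMPLE_LOG = """\
2021-03-01 08:00:01 srv-web01 auth: Failed password for alice from 203.0.113.7
2021-03-01 08:00:03 srv-web01 auth: Failed password for alice from 203.0.113.7
2021-03-01 08:00:04 srv-mail01 auth: Failed password for bob from 203.0.113.7
2021-03-01 08:00:06 srv-web01 auth: Failed password for root from 203.0.113.7
2021-03-01 08:00:09 srv-mail01 auth: Failed password for admin from 203.0.113.7
2021-03-01 08:00:15 srv-web01 auth: Accepted password for carol from 198.51.100.5
2021-03-01 08:30:00 srv-web01 auth: Failed password for carol from 198.51.100.5
2021-03-01 09:10:00 srv-web01 auth: Accepted password for carol from 198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def aggregate(events: list) -> Counter:
    """Aggregation step: count events per (host, outcome) across all sources."""
    return Counter((ev["host"], ev["outcome"]) for ev in events)


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> list:
    """Flag a source IP with >= threshold failed logins inside one window.

    Correlating across hosts is the point of central monitoring: no single
    host in SAMPLE_LOG sees more than three failures from 203.0.113.7.
    """
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(aggregate(evs))
    print(detect_bruteforce(evs))
```

The single failed login from 198.51.100.5 is not flagged: the threshold and window are the tuning knobs a SOC adjusts to balance missed attacks against false alarms.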

Summary

In the above section, we discussed how to manage cyber threats through cyber security processes and what the objectives and controls should be. After studying this chapter, ask yourself: do I know how to manage cyber threats through cyber security processes?

Relevant articles
https://www.fm-magazine.com/news/2019/may/cybercrime-costs-201920981.html
https://www.journalofaccountancy.com/podcast/how-to-fend-off-cyberattacks.html
https://invenioit.com/continuity/4-real-life-business-continuity-examples/

https://101blockchains.com/introduction-to-blockchain-features/

References

Forcepoint.com n.d. Available from: https://www.forcepoint.com/cyber-edu/man-in-the-middle-attack. [Accessed 1 July 2020].
Kaplan Publishing, 2019. Official study text. Risk Management. Strategic Level. P3. Berkshire, UK: Kaplan Publishing.


3. LEARNING UNIT 3: CYBER SECURITY TOOLS, TECHNIQUES AND REPORTING

Learning outcome: Discuss cyber security tools and techniques.

This learning outcome relates to the UNGC principle 9

Component outcomes:

3.1 Cyber security tools and techniques

The main objective of cyber security is prevention, but total prevention is impractical. This chapter therefore looks at how organisations can improve their cyber security by looking back and learning from any past cyber attacks.
3.2 Forensic analysis

Forensic analysis is the review of the cyber crime scene. Much like a crime series on television, it asks what evidence the attack or attacker has left behind. Improved defences for the future can be developed by understanding how the system was breached. There are three main areas to consider in forensic analysis, namely:

3.2.1 System level analysis

Looking for “footprints in the sand” to identify what changes have been made in the system, which can include:

• System components
• Configuration changes
• Services enabled without authorisation
• Fake accounts created
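One way to find the footprints listed above is to compare a snapshot of the system against a baseline taken when it was known to be good. The block below is an added example written for this tutorial letter, not from any textbook or forensic tool. The baseline and the later snapshot are constructed in-memory stand-ins for what an agent would collect from a real host (file contents, local accounts, enabled services), and the function names are chosen here. It goes slightly beyond the list by handling all three categories in one report.

```python
"""Added example: comparing a system snapshot against a trusted baseline, the
"footprints in the sand" check from 3.2.1. Written for this tutorial letter,
not from any textbook or product. BASELINE and LATER_SNAPSHOT are constructed
in-memory stand-ins for data an agent would collect from a real host.
"""
import hashlib


def fingerprint_files(files: dict) -> dict:
    """Map each path to the SHA-256 of its content so any change is detectable."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def take_snapshot(files: dict, accounts: set, services: set) -> dict:
    """Record file fingerprints plus the sets of accounts and enabled services."""
    return {"files": fingerprint_files(files),
            "accounts": set(accounts), "services": set(services)}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what was added, removed or modified in each category."""
    report = {}
    base_f, cur_f = baseline["files"], current["files"]
    report["files"] = {
        "added": sorted(set(cur_f) - set(base_f)),
        "removed": sorted(set(base_f) - set(cur_f)),
        "modified": sorted(p for p in set(base_f) & set(cur_f) if base_f[p] != cur_f[p]),
    }
    for category in ("accounts", "services"):
        report[category] = {
            "added": sorted(current[category] - baseline[category]),
            "removed": sorted(baseline[category] - current[category]),
        }
    return report


# Constructed baseline, taken when the host was known to be good.
BASELINE = take_snapshot(
    files={"/etc/ssh/sshd_config": b"PermitRootLogin no\n", "/usr/bin/login": b"binary-v1"},
    accounts={"root", "alice"},
    services={"sshd", "cron"},
)

# Constructed later snapshot showing the kinds of change listed in 3.2.1:
# a configuration edit, an unknown file, an extra account and an extra service.
LATER_SNAPSHOT = take_snapshot(
    files={"/etc/ssh/sshd_config": b"PermitRootLogin yes\n", "/usr/bin/login": b"binary-v1",
           "/tmp/.x/helper": b"unknown"},
    accounts={"root", "alice", "support2"},
    services={"sshd", "cron", "telnetd"},
)


def analyse() -> dict:
    """Run the comparison on the constructed data."""
    return diff_snapshots(BASELINE, LATER_SNAPSHOT)


if __name__ == "__main__":
    for category, changes in analyse().items():
        print(category, changes)
```

The baseline is only as trustworthy as its storage: it should be kept off the host it describes, otherwise the same intruder who changed the configuration can adjust the baseline to match.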

3.2.2 Storage analysis

As the amount of storage increases, for example with cloud technology, it becomes easier to hide something. Cloud technology has made forensic analysis more difficult. Another issue is that even if a file is deleted it may still exist; these files take up storage and can still be accessed.

3.2.3 Network analysis

The monitoring of data moving across a network is similar to monitoring traffic on a road. This type of analysis can help identify patterns in network activity prior to an attack, in order to help identify and prevent one in the future. Refer to your textbooks for more detail on the above.

3.3 Malware analysis

The objective of malware analysis is to find out how the malware got onto the system and what its purpose is. This will help the organisation improve its detection and defence strategy in future. There are two techniques that can be used, namely reverse engineering, and decompilation and disassembly.

3.3.1 Reverse engineering

This technique involves deconstructing (breaking down) the malware to learn more about it: how it gained access to the system and whether it was a targeted or untargeted attack. The malware is often protected by many layers of code, so this exercise can be very time consuming.

3.3.2 Decompilation and disassembly

This is the next phase and involves understanding how the malware works and what it was designed to do.

Refer to your textbooks for more detail on the above.

3.4 Penetration (Pen) testing

This is another preventative technique, whereby an organisation undertakes to investigate how easily its systems can be breached by using white hat hackers.

The YouTube clip below explains Pen testing.
https://www.youtube.com/watch?v=q2t91jLmh3k

There are several different types of Pen testing, which include:

3.4.1 Network discovery

This involves understanding the scope of a network: all the devices that are connected to the network – desktops, laptops, smart phones, IoT devices, etc.

3.4.2 Vulnerability probing

Identifying the devices connected to the system that are the most susceptible to an attack.

3.4.3 Exploiting vulnerabilities

A white hat hacker tries to gain access to the system to see how long it takes and what access can be gained.

3.4.4 Internal network penetration testing

Organisations need to realise that there are not just external threats; disgruntled employees can also help hackers access the system. In order to test this, the white hat hacker is given an internal profile. Weak or unchanged passwords and unsecured workstations are among the issues that can be identified with this testing method.

3.4.5 Web application penetration testing

This testing tries to identify poorly set up web-based applications; this is linked to the application attacks from chapter 8, for example unprotected input boxes that enable SQL injection attacks.
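The unprotected input box referred to above is easiest to understand with the defect placed beside its fix. The block below is an added example written for this tutorial letter, not from any textbook. It builds an in-memory SQLite database with a constructed users table, shows a login query that pastes user input into the SQL text, and shows the parameterised version that a code review would require instead. Account names, passwords and the hostile input are constructed for the demonstration.

```python
"""Added example: the SQL injection defect from 3.4.5 beside its fix.

Illustrative code written for this tutorial letter, not from any textbook.
It uses an in-memory SQLite database; the users, passwords and the hostile
input are constructed for the demonstration.
"""
import hashlib
import sqlite3


def password_hash(password: str) -> str:
    # Toy hashing so no plaintext is stored. A real system uses a salted, slow
    # password hash (bcrypt, scrypt or Argon2), not a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", password_hash("correct horse")), ("bob", password_hash("battery staple"))],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The defect: input is pasted into the SQL text, so it can change the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The fix: a parameterised query keeps input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions against the same constructed hostile input."""
    conn = make_db()
    hostile = "' OR 1=1 --"   # constructed: turns the rest of the query into a comment
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, hostile, "not a password"),
        "safe_wrong_password": login_safe(conn, hostile, "not a password"),
        "safe_right_password": login_safe(conn, "alice", "correct horse"),
        "safe_alice_wrong_password": login_safe(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The vulnerable version logs the caller in as an existing user without any valid password, while the parameterised version simply finds no account named after the hostile string. The test for this issue in a web application review is therefore not what the input box looks like, but whether every query behind it is parameterised.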
3.4.6 Wireless network penetration testing

This is used to identify any rogue devices on a network.


3.4.7 Simulated phishing testing

The organisation checks to see how well the employees follow training/internal guidance with regard to phishing attempts.
Please refer to your textbooks for a more detailed discussion and examples of the above Pen testing.

3.5 Software security

Software security is the process of writing security into the software. There are typically three different levels:

• Level 1 – prevention of access to the software from unauthorised sources
• Level 2 – writing detection of unauthorised access into the software
• Level 3 – writing the response into the software, which alerts the appropriate department to investigate the breach

Besides the above levels, there are other considerations to take into account in software security, namely:
3.5.1 Design review

When the software for some devices was designed, these devices did not have the importance that they have now. The design review considers the implications of technology development and the interconnectivity of these devices.

3.5.2 Code review

A code review considers how the code is written and how someone proves that they should be allowed access to the software.
With regard to the authentication process, organisations can use two-step verification or two-factor authentication.
3.5.3 Security testing

This is an internal-audit-type review to check that controls are being carried out (compliance) and are appropriate for the risk (substantive).
There are two key software controls that are used by most organisations today, namely:

• Version control – monitors the various devices on the system to ensure that all software is still supported by the software provider
• Patch management – if there is a flaw in a service provider’s software, they will update the software to correct the flaw

3.6 Digital resilience

The concept of Digital Resilience was developed by Bailey, Kaplan, Marcus, O’Halloran and Rezek. The concept is about integrating cyber security into the business operations. It moves to a higher level than just undertaking the minimum to safeguard the organisation and complying with regulations.

It involves six actions for an organisation to consider, namely:

3.6.1 Identify all the issues

Understand what information an organisation has and how to protect it.

3.6.2 Aim toward a well-defined target

Set understandable and achievable targets that prioritise cyber security risks, remembering the basic controls, namely business process controls and IT controls, not just cyber security controls.

3.6.3 Work out how best to deliver the new cyber security system

Consider roles, responsibilities and change management issues.

3.6.4 Establish the risk resource trade-offs

Review the different potential solutions and select the most appropriate. There is no single solution: organisations have different attitudes towards risk and different risk appetites.

3.6.5 Develop a plan that aligns business and technology

Regulatory and future developments need to be considered. For example, if an organisation is considering using cloud technology, then its cyber security practices must align with this.

3.6.6 Ensure sustained business engagement

Employees at all levels must be involved and understand their roles with regard to cyber security risk management.
Refer to your textbooks for a more detailed discussion with examples on the above.

3.7 Frameworks

Various groups and commentators have developed frameworks with the aim of helping organisations communicate to their various stakeholders the processes and controls they have in place for cyber security.

3.7.1 AICPA

The Association of International Certified Professional Accountants (AICPA) is a global association formed by CIMA and the American Institute of Certified Public Accountants in 2017. The AICPA is the first major association to consider not just how to deal with cyber security issues, but also how to report to stakeholders about cyber security.

3.7.2 Cyber security risk management reporting

The AICPA reporting framework has three key components in the report, namely:

• Management’s description – This is the main part of the report; it includes a description of the sensitive information, the risks and the controls in place. The detail in this part of the report should comply with the AICPA description criteria, which are discussed below in 3.7.3.
• Management’s assertion – Management give their opinion on whether the risks set out are in line with the criteria and whether the controls are appropriate.


• The practitioner’s opinion – The final section is where the qualified accountant gives their opinion on the description of the risks and whether the controls will be successful.
3.7.3 Criteria

The AICPA uses two sets of criteria to help with the writing and evaluation of the management description, which also allow for comparability of the reports. These two sets of criteria are:

• Description criteria – this is a comprehensive 33-page document that details the areas an organisation needs to take into account when identifying the cyber security risks it may be subjected to and the necessary controls to be put in place. You now need to refer to your textbooks for further discussion on this; there are approximately six pages on what the description criteria entail.
• Control criteria – this is a comprehensive document that is over 300 pages long. It lists the various potential risks and controls an organisation could have in place. Students, you don’t need to study this 300-page document, but have a look at the examples of the information in your textbook, which are two pages long. You can conduct further research on your own.

Below is a link to a video on the AICPA framework and a number of other resources.
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html
The link below will take you to the 33-page description criteria of the framework.
https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/Cybersecurity/Description-Criteria.pdf
The link below is an example of a report; have a look at this to see how detailed the report should be.
https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/illustrative-cybersercurity-risk-management-report.pdf
Students, you will not be tested on the 300-page control criteria document or the 33-page description criteria document. However, you will be tested on what is given in the textbook on these two.

3.7.4 National Institute of Standards and Technology (NIST) cyber security framework

NIST is a non-regulatory agency in the United States that developed a framework for cyber security. It involves three components, namely:

• Implementation tiers – help organisations select the most appropriate level of cyber security program and are used as a communication tool linking risk appetite, budget and mission priority.
• Core – provides a set of cyber security activities, based on five principles, namely:
  o Identify
  o Protect
  o Detect
  o Respond
  o Recover
  These are depicted in the diagram below.
• Profiles – these map the objectives to the desired outcomes included in the core.

[Diagram: the five NIST framework core functions – Identify, Protect, Detect, Respond, Recover. Source: Security Affairs.co]

Below is a link to the NIST framework.
https://www.nist.gov/cyberframework

3.7.5 AIC Triad

Confidentiality, integrity and availability, also known as the CIA Triad, are the three elements that support the model. The model is used to assist organisations in understanding their information security and in setting up policies to help secure the organisation.
Please see the YouTube clip below for a brief explanation of the AIC Triad.
https://www.youtube.com/watch?v=11_Hp5Dvx5E&feature=youtu.be
Refer to your textbooks for more detail on the AIC Triad.

Summary

In the above section, the cyber security tools and techniques along with the reporting
frameworks were discussed. Irrespective of the name of the framework they all operate along
similar concepts namely, understanding the data, keeping it safe from an attack, establishing
any issues and having a clear plan on dealing with any issues should they occur. After studying
this chapter ask yourself, can I recommend cyber security tools and techniques and what
frameworks can be used to report cyber risks?


Relevant articles and case studies on cyber attacks

https://www.nst.com.my/world/2017/06/252609/cadbury-factory-becomes-australias-first-victim-latest-cyber-attack
https://www.itgovernance.co.uk/blog/nhs-digital-data-breach-150000-patient-records-compromised
https://www.reuters.com/article/us-australia-cyber/hackers-access-student-data-at-top-australian-university-going-back-19-years-idUSKCN1T50ES
https://safety4sea.com/cm-maersk-line-surviving-from-a-cyber-attack/
https://www.hiscox.com/documents/2018-Hiscox-Small-Business-Cyber-Risk-Report.pdf

References

Bodnar, GH & Hopwood, WS. 2010. Accounting information systems. 10th edition. Upper Saddle River, NJ: Pearson.
Eccles, MG, Julyan, FW, Boot, G & Van Belle, JP. 2000. The principles of business computing. 5th edition. Kenwyn: Juta.
Gelinas Jr, UJ & Dull, RB. 2008. Accounting information systems. 7th edition. Mason, OH: Thomson South-Western.
Hall, J. 2008. Accounting information systems. 6th edition. Mason, OH: Cengage Learning.
Kaplan Publishing. 2019. Official study text. Managing Finance in a Digital World. Operational level. E1. Berkshire, UK: Kaplan Publishing.
Leitch, RA & Davis, KR. 2001. Accounting information systems: theory and practice. 2nd edition. Englewood Cliffs, NJ: Prentice-Hall.
Lewin, A. 2003. Management accounting: information strategy. London: CIMA.
Romney, MB & Steinbart, PJ. 2009. Accounting information systems. 11th edition. London: Pearson Education.
Security Affairs.co. Available from: https://securityaffairs.co/wordpress/58163/laws-and-regulations/nist-cybersecurity-framework-2.html. [Accessed 17 July 2020].
