ACC 564: Accounting Information Systems
12 August 2012
This paper explores accounting information system attacks and failures and the party that is to blame. The paper will include the following requirements:
1. My position on whether the firm and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by outside sources. I will include two (2) facts to support my position.
2. Suggestions for who should pay for the losses incurred, to whom, and why.
3. My opinion regarding the role, if any, the federal government should have in deciding and enforcing remedies and punishment. I will include two (2) facts to support my opinion.
4. An evaluation of how AIS can contribute or not contribute to the losses.
This assignment will use technology and information resources to research issues in accounting information systems.
AIS Attacks and Failures: Who to Blame
Take a position on whether a firm and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by outside sources. Include two (2) facts to support your position.
Security controls are safety measures to avoid, counteract or minimize security risks. The firm and its management team are responsible for effectively implementing preventive, detective, and corrective controls in order to prevent an incident from occurring, identify one in progress, and limit the extent of the damage it causes. If adequate security controls are in place, then the firm and management team should not be held liable for losses sustained in a successful attack made on their Accounting Information System (AIS) by outside sources. However, if a firm and its management team have not implemented an adequate security control system, then they should be held liable for losses sustained in a successful attack made on their AIS by outside sources.
Access controls are essential for protecting the confidentiality, relevance, and reliability of data and information. One threat that could occur during the data collection process is for someone with an understanding of the company’s computers and computer networks to “hack” into the computer system, employing a variety of techniques. A few of these techniques include password cracking, phishing, spreading a virus, social engineering, and denial-of-service attacks. Physical access controls, such as placing locks on doors or computers, are preventive controls intended to keep out an unauthorized intruder. Similar to physical access controls, application or logical access controls, such as the use of user names and passwords, antivirus software, and firewalls, are also used to protect data and information from unauthorized users. A good example of both physical access and logical access intrusion is the court case United States v. Aaron Swartz, in which Aaron Swartz allegedly entered the wiring closet at MIT and downloaded information in order to conduct an academic study, with the use of a technique called “MAC address spoofing” (Lindsay, 2011). Potentially, the content downloaded could cost MIT several thousand dollars, should the thief choose to sell or distribute the information. Although physical and logical access controls are used by management to prevent an intrusion, no system is perfect. There is always the threat that someone with a more advanced understanding of the computer network will successfully attack.
The firm and management are responsible for implementing detective controls in order to identify and characterize the intrusion. These controls provide evidence that the preventive controls are functioning as designed. Procedural controls such as security awareness and training, sounding an alarm, running system checks, log monitoring, system audits, and file integrity checks are some techniques for detecting an intrusion. If the...