Hacking the AIS
By Helen Tewolde
This paper will discuss accounting information system attacks and failures: who to blame. I am also going to discuss the following related topics in the following order: Firstly, I will take a position on whether a company and its management team should or should not be held liable for losses sustained in a successful attack made on their AIS by outside source. Secondly, I will suggest who should pay for the losses, to whom, and state why. Thirdly, I will give my opinion regarding the role, if any; the federal government should have deciding and enforcing remedies and punishment. Finally, I will evaluate how AIS can contribute or not to contribute to the losses. A Company and its Management Team Should Be Held Liable for the Losses According to the Control Objectives for Information and Related Technology (COBIT) framework and the Trust Services framework, achieving organization’s business and governance objective require adequate control over IT resources. IT processes must be properly managed and controlled in order to produce information that satisfies the seven criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. These IT processes are grouped into the following four management activities or domains (Romney & Steinbart, 2012). 1. Plan and Organize (PO),
2. Acquire and Implement (AI),
3. Deliver and Support (DS), and
4. Monitor and Evaluate (ME)
Management should develop a plan to organize information resources to provide the information it needs. Then authorizes and oversees efforts to acquire the desired functionality or technology solutions. Management also performs a number of activities to insure that the resulting system actually delivers the desired information. Finally, there is a need for constant monitoring and evaluation of performance against established criteria. Besides management’s responsibility to manage and control over IT, management is also responsible for the security and system reliability of the entire accounting information system (AIS). This is because security is primarily a management issue, not a technology issue. The accuracy of an organization’s financial statements depends upon the reliability of its information systems. And information security is the foundation for system reliability. Therefore, information security is first and foremost is a management issue, not an information technology issue. In other words, management plays very crucial roles in information security. These crucial roles are enumerated as follows: 1. Create and foster a proactive security aware culture.
2. Define the information architecture and place a value on organization’s information resources. 3. Assess risk and select a risk response.
4. Develop and communicate security plan, policies, and procedures. 5. Develop and communicate security plan, policies, and procedures. 6. Monitor and evaluate the effectiveness of the organization’s information security program. In addition, management and organization has a responsibility to employ multiple layers of control and time based model of information security in order to avoid having a single point of failure. For tactical and daily management of security, most organizations follow the principle of defense-in-depth and employ multiple preventive, detective, and corrective controls (Romney & Steinbart, 2012). Another important role that a company and its management should consider is in preserving confidentiality and privacy. Organizations posses a lot of information, including strategic plans, trade secrets, cost information, legal documents, and process improvements. Of course, preserving the confidentiality the organization’s intellectual property is the basic objective of information security. Protecting the privacy of their customers’ information is also equally important. That means a company and its management team is...
Please join StudyMode to read the full document