Identify Internal Controls
Internal controls are the policies, procedures, practices and organizational structures implemented to reduce risk.
Policy and Procedures
Example of a policy: "Every employee must change their username and password every 3 months."
Policies and procedures can also come from government law and regulation.
Types of Controls
Preventive Controls
A preventive control stops an attack before it succeeds. For example, if antivirus software is installed on your computer, then whenever a virus attacks your computer, the antivirus software prevents that attack.
Detective Controls
A detective control identifies an attack that is taking place or has taken place. For example, security administrators keep firewalls that detect unauthorized access to the system and raise an alarm to the security administrators.
Corrective Controls
A corrective control restores the system after an incident. A very common corrective control is backing up data so that it can be restored afterwards.
Example
How to reduce the risk of a fire

Measure                                    Control type
Install fire alarms                        Detective
Use fireproof building materials           Preventive
Install sprinklers                         Preventive
Fire drill practices                       Preventive
Install smoke detection sensors            Detective
Install escape route maps                  Preventive
Organize fire safety education workshops   Preventive
Install fire extinguishers                 Preventive
No naked flame in the building             Preventive
No smoking in the building                 Preventive
Backup system                              Corrective
Regular maintenance of devices             Preventive
Regular fire department inspection         Preventive
Get fire insurance                         Corrective
Install CCTVs                              Detective
Most desirable controls to reduce risk
No naked flames and no smoking are the most important measures: reducing the probability of an incident should come before reducing its impact.
How to identify the internal controls?
Steps:
1. Classify which control type is primary.
2. Explain which risk the control addresses and how it addresses that risk.
3. Analyse whether the same control can act as a different control type in different situations.
Examples
Job rotation
As a preventive control: it prevents knowledge of the system from being held by a single employee.
As a detective control: another employee is able to detect whether an employee was abusing the system.