Identify Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risk

Policy and Procedures

"Every employee must change usernames and password every 3 months"

Policies can come from government laws and regulations.

Types of Controls

Preventive Controls

A preventive control stops an attack before it succeeds. For example, if antivirus software is installed on your computer, it prevents a virus attack whenever one is attempted against that computer.

Detective Controls

A detective control identifies an event when it occurs. For example, security administrators sometimes maintain firewalls that can detect unauthorized access to the system and raise an alarm to the administrators.

Corrective Controls

A very common corrective control is that we back up data.

Example

How to reduce risk of a fire

| Ways of Control | Classification of controls |
| --- | --- |
| Install fire alarms | Detective |
| Use fireproof building materials | Preventive |
| Install sprinklers | Preventive |
| Fire drill practices | Preventive |
| Install smoke detection sensors | Detective |
| Install escape route maps | Preventive |
| Organize fire safety education workshops | Preventive |
| Install fire extinguishers | Preventive |
| No naked flame in the building | Preventive |
| No smoking in the building | Preventive |
| Backup system | Corrective |
| Regular maintenance of devices | Preventive |
| Regular fire department inspection | Preventive |
| Get fire insurance | Corrective |
| Install CCTVs | Detective |

Most desirable controls to reduce risk

No naked flames and no smoking are the most important measures. Reducing the probability should come before reducing the impact.

How to identify the internal controls?

Steps:

  1. Classify which control is primary

  2. Explain what risk the control addresses and how

  3. Analyse whether different controls can be applied in different situations

Examples

Job rotation

  1. It is a preventive control

  2. It prevents knowledge of the system from being held by a single employee

  3. It is also a detective control

    1. Other employees are able to detect whether an employee was abusing the system.
