IT Risk Advisory & Security, Why Every Business Needs It

By: Aaron Kerr & Kamran Faridi

Aaron Kerr

Director of IT Risk Advisory


Name one business process that is not supported by technology. We have entered an era where the systems support almost every task, from the most basic to the most complex. Artificial intelligence (AI) and robotics are becoming mainstream. The technical evolution of the last 20 years has taken business technology from a luxury to a functional necessity.

The mass usage of technology has created challenges with exponential increases in network traffic and data. Further, it has provided accessibility to data, even sensitive data, from any location in the world. This business enabler has presented a suite of risks and forced companies to further refine the balance between convenience and risk. Technology ecosystems have become more complex, which has made it more challenging to secure sensitive data. Technology risk, both operational and security focused, is very real, and malicious actors now have access to more sophisticated tools to streamline the attack process.

In order to prevent a breach or compromise, a critical element is management awareness and support (tone at the top). This enables IT to effectively implement a technology control program, for example by maintaining a risk-based asset inventory, performing periodic risk assessments and allocating resources to the processes and controls that will have the biggest impact on risk mitigation. Additionally, some key systems may fall under the scope of regulatory compliance requirements, so IT must maintain proper due diligence to ensure the control program is both “right sized” and effective.

At a minimum, basic IT general controls (ITGCs) should be implemented on all applications. ITGCs consist of logical access, change management and IT operations.

Logical access includes application password parameters, appropriate user provisioning and removal of access, periodic user access reviews, and appropriately restricted elevated-privilege users.

Change management controls require that changes are authorized and approved before being implemented in production, that developers do not have the ability to promote changes outside of a tracked environment, and that the code which passed user acceptance testing (UAT) is the same code that is moved to production.

IT operations controls validate that job processing within the application occurs completely and accurately, and include data backups.

For individual applications, these controls should be applied at the following layers: application, local server, database and network. History has confirmed that some of the largest data breaches occurred at organizations lacking ITGCs and could have been prevented with basic control hygiene.
