Information Systems Security And Risk Management Techniques Of Data Republic

Discussion

This assignment focuses on information systems security and risk management, which have become important with the growing volume of data and information. Organisations use risk management techniques to protect information and keep data safe from unauthorized access (De Carlo et al., 2014). Protecting information has become as important as protecting the property of the organisation. Protecting information and safeguarding data helps a company to eliminate theft of, or illegal access to, its data. Organisations achieve this security by following various types of information system (IS) controls. The main objective of this report is to deal with two types of IS control: general management control and application control, as applied in the selected organisation. The selected organisation for this report is Data Republic. The report examines the risk management methods the company uses to protect its data and the general management and application controls it has adopted, followed by the reasons for auditing the information system. The following paragraphs describe the services provided by Data Republic and the ways in which the information system helps the company in its business and in achieving its goals.


Secure platform for data exchange: Data Republic provides a secure and unique framework to other organisations that own data, so that they can exchange and analyse that data with the help of the Senate platform (2018). The platform provides companies with a secure infrastructure for data analytics so that they are able to solve business-related problems. The service that Data Republic provides to its customers facilitates their decision-making (“https://go.datarepublic.com.au/data-valuation-whitepaper/”, 2018). Once a secure connection is established, organisations can easily access advanced technologies such as Hadoop, served by Data Republic.

Manages data events: Data exchange is a two-way procedure in which both organisations are involved. The Senate platform securely manages the exchange of data and has proven to be successful in managing data events. It provides a secured environment where Data Listings can be controlled. The participants that are accessing data can be monitored through this process, and their access can be terminated at the end of the event.

An information system is defined as the process of collecting and organising data for future analysis. Data Republic deals with data exchange between two organisations. To provide this service it needs to store a huge amount of data, and the data needs to be organised and structured. To achieve this, Data Republic makes use of an information system and organises the data with the help of software. With an information system comes security. IS security deals with the amount of privacy offered to data so that it does not fall into unwanted hands. Data Republic provides all the security required to keep data safe. An information system is concerned with the communication of data, and Data Republic deals with the communication of data between two companies. Therefore, IS helps Data Republic to a large extent to achieve its business goals and carry on its operations smoothly.

There are various types of general management controls, such as software control, hardware control, security control, implementation control and application control (Guenther, 2013). Software control is required to have direct control over the programs that access the data and to make favourable changes so that unauthorized access is prevented. Hardware control is required to control the physical parts of the computer so that they can be secured. Data security control ensures that personal data are not subjected to any changes, modifications or destruction. The system should be audited to ensure that the process works properly. Implementation control manages and controls the processes used to audit the system (Daily, Kieff & Wilmarth Jr, 2014). Formulating the standards and rules that should be followed during the implementation of data exchanges falls under administration control. All companies possess the controls mentioned, and Data Republic has the same general management control methods. It has an internal risk management group that helps to manage the risks identified in the company. The group monitors the functioning of all the operations and applications carried out by the company and maintains the integration of the strategies followed to reduce risks (Vempati et al., 2014). The risk management unit follows its own standards and is independent of the standards, rules and regulations set by global risk management units. The director of the group manages all functions, reports related risks to the risk management board and assists the board in taking major decisions regarding the reduction of risks.


Services offered by Data Republic

To manage risks, the company has a technical office that supports the group as and when required (Lam, 2014). The members of this office are software engineers who control the software of the company and invent new programs with which they can secure the personal information and data of the company. They also see to data security control by managing data events. Data events help to produce a list of the organisations that are accessing the data of Data Republic to facilitate data exchange (Smith & Wong, 2016). By doing so, the engineers are able to keep track of them. Whenever any malicious activity takes place on the company’s network, the engineers are able to locate it and deny the participants responsible access to the network.

The company has an administrative board that sets certain standards and rules for the company to protect data.

Application control ensures that the personal information of an organisation is accurately accessed and processed with the help of manual methods. There are mainly three types of application control that organisations follow: input, processing and output controls (Ferguson, Guha, Liang, Fonseca & Krishnamurthi, 2013). Input controls check the accuracy and completeness of the data that the system uses as input. Different processes, such as data editing and conversion, utilize different types of input controls. Processing controls ensure that the data are accurate and complete at the time of updating or processing (“Application Controls”, 2018). Techniques such as computer matching and run control totals are used as processing controls. Output controls ensure that the output of processing is accurate, complete and distributed properly. The application controls followed by Data Republic are:

  • Edit checks: These control the input of the system. They consist of programmed routines that correct errors in the input data before the data are processed.
  • Identification and Authentication checks: This type of application control checks the authentication of data and identifies the sources and destinations of the data being exchanged.
  • Validity checks: This type of application control checks whether the users that are using the Senate platform of Data Republic to exchange information are valid or not. If the program detects an invalid user, access to the data storage of the company is denied.
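The three stages described above (input edit and validity checks, run control totals during processing, and an output check), as an added Python example that is not Data Republic's code. The record fields, the licensed-participant list and all function names are assumptions constructed for illustration, and this sketch flags bad input rather than correcting it.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: participants licensed for one data exchange event.
LICENSED = {"org-a", "org-b"}

def edit_check(rec):
    """Input control: return the list of errors for one record (empty = clean)."""
    errors = []
    if rec.get("sender") not in LICENSED:            # validity check on the user
        errors.append("unlicensed sender")
    if not str(rec.get("record_id", "")).isdigit():  # format edit check
        errors.append("record_id not numeric")
    try:
        amount = Decimal(str(rec.get("amount", "")))
        if not amount.is_finite() or amount < 0:     # range edit check
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount not a number")
    return errors

def control_totals(records):
    """Run control totals: record count and the sum of the amount field."""
    return len(records), sum(Decimal(str(r["amount"])) for r in records)

def process_batch(batch, declared_count, declared_total):
    """Apply input, processing and output controls to one batch."""
    # Input control: any failing record holds the whole batch.
    rejects = {i: e for i, rec in enumerate(batch) if (e := edit_check(rec))}
    if rejects:
        return {"status": "rejected_input", "errors": rejects}
    # Processing control: totals of what arrived must equal the sender's header.
    if control_totals(batch) != (declared_count, Decimal(declared_total)):
        return {"status": "totals_mismatch"}
    output = [{**r, "amount": Decimal(str(r["amount"]))} for r in batch]
    # Output control: nothing was lost or altered while processing.
    if control_totals(output) != control_totals(batch):
        return {"status": "output_mismatch"}
    return {"status": "ok", "output": output}

# Constructed sample batch with its declared header values (2 records, 30.50).
SAMPLE_BATCH = [
    {"sender": "org-a", "record_id": "1001", "amount": "10.25"},
    {"sender": "org-b", "record_id": "1002", "amount": "20.25"},
]

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH, 2, "30.50")["status"])
```
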

The main difference between the above two controls is that general management controls monitor the overall performance of the system. They deal with the methods undertaken by a particular organisation to carry on its functions smoothly. General management controls include steps such as software and hardware control, administrative control and so on. To manage the general risks of the company, organisations have separate units to manage the different sectors of the company. There is a separate team to manage the software sector of the organisation, which invents new methods to protect the data of the organisation.

Application controls, by contrast, check the systems that are directly related to data, through input, processing and output controls (Griss et al., 2014). Input control checks the input data of the company, processing control ensures that the input controls perform accurately, and output control ensures that the processing controls work as per the requirements.

Data Republic follows certain techniques to manage risks and ensure the reliability, confidentiality, integrity and security of its business operations. To ensure reliability, the company follows certain regulations. The rules ensure that the connection established between two organisations for exchanging data is secured, so that the data being exchanged do not end up in unwanted hands (Lei et al., 2014). As a result, the organisations are able to rely on Data Republic. To ensure the confidentiality of data, the company has a specialized software team that designs special programs to keep information confidential. To maintain integrity, Data Republic has a risk management unit that manages risk along with maintaining the integrity of the company. Security can be achieved by the same software team, which designs special routine programs to deny unauthorized access (2018). The company uses various methods for risk identification and assessment. Several programs installed on the data servers identify and assess unauthorized users.

Relation between information system and organisation business operations

Audit plan: Data Republic maintains a separate audit plan. The audit plan ensures the following processes:

  • Each privileged transaction is logged.
  • All unauthorized access is logged so that fraud cases can be detected.
  • Products that are derived should be controlled.
  • All users that are licensed to use the data products should follow strict terms and conditions that restrict them from carrying out malicious activities.

Audit process: Data Republic carries out auditing by following a particular audit process. The process involves three steps: product, system and process audit (Alles, Brennan, Kogan & Vasarhelyi, 2018). In this particular company, the system audit is performed to ensure that risks are managed efficiently by identifying the end users and mapping business processes. Process and product audits are required to ensure the quality goals of the organisation (Chan & Vasarhelyi, 2018). They include the standardization processes and the setting of other rules and regulations of the organisation.

Conclusions:

From the above discussion it can be concluded that an organisation needs to take certain control measures to manage its risks. The measures are general management controls and application controls. General management controls help to control the overall processes of the company, whereas application controls help to check data security, completeness and accuracy. Auditing the processes, products and system also helps to manage the risks. The company should keep in mind the functions that it performs and plan its measures accordingly. For example, Data Republic handles a huge amount of data and is involved in data sharing. Therefore, the company should ensure that the data are kept confidential and protected from any kind of unauthorized access. To accomplish this, it has hired a highly specialized software team that helps to secure the data. The Australian government is also aiding the company in securing data so that reliable communication is established between the two organisations involved in a data sharing activity.

Data Republic has strong data security. However, risks still exist that need to be managed. Some recommendations are as follows:

  • The networking systems of the company should be made stronger so that no malicious activities can be performed on them. Network security can be achieved by following a number of protocols during handshaking (Aven, 2016). For example, when an organisation tries to access the data, it has to pass through a number of networking protocols before a secured connection can be established. However, if the number of protocols is increased, the connection can be made more secure.
  • Auditing processes should be made more frequent. This will help the organisation to detect any kind of unauthorized access easily.

References:

(2018). Retrieved from https://wps.prenhall.com/wps/media/objects/14071/14409392/Learning_Tracks/Ess10_Ch07_LT4_General_and_Application_Controls_for_Information_Systems.pdf

(2018). Retrieved from https://www.datarepublic.com/assets/security_white_paper.pdf

Alles, M., Brennan, G., Kogan, A., & Vasarhelyi, M. A. (2018). Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens. In Continuous Auditing: Theory and Application (pp. 219-246). Emerald Publishing Limited.

Application Controls. (2018). Retrieved from https://www.isaca.org/Groups/Professional-English/application-controls/Pages/ViewDiscussion.aspx?PostID=47

Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13.

Chan, D. Y., & Vasarhelyi, M. A. (2018). Innovation and practice of continuous auditing. In Continuous Auditing: Theory and Application (pp. 271-283). Emerald Publishing Limited.

Daily, J. E., Kieff, F. S., & Wilmarth Jr, A. E. (2014). Introduction. In Perspectives on Financing Innovation (pp. 13-16). Routledge.

De Carlo, F., Gürsoy, D., Marone, F., Rivers, M., Parkinson, D. Y., Khan, F., … & Narayanan, S. (2014). Scientific data exchange: a schema for HDF5-based storage of raw and analyzed data. Journal of synchrotron radiation, 21(6), 1224-1230.

Ferguson, A. D., Guha, A., Liang, C., Fonseca, R., & Krishnamurthi, S. (2013, August). Participatory networking: An API for application control of SDNs. In ACM SIGCOMM computer communication review (Vol. 43, No. 4, pp. 327-338). ACM.

Griss, J., Jones, A. R., Sachsenberg, T., Walzer, M., Gatto, L., Hartler, J., … & Cox, J. (2014). The mzTab Data Exchange Format: communicating MS-based proteomics and metabolomics experimental results to a wider audience. Molecular & Cellular Proteomics, mcp-O113.

Guenther, T. W. (2013). Conceptualisations of ‘controlling’ in German-speaking countries: analysis and comparison with Anglo-American management control frameworks. Journal of Management Control, 23(4), 269-290.

https://go.datarepublic.com.au/data-valuation-whitepaper/. (2018). Retrieved from https://go.datarepublic.com.au/data-valuation-whitepaper/

Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley & Sons.

Lei, J., Guan, P., Gao, K., Lu, X., Chen, Y., Li, Y., … & Zheng, K. (2014). Characteristics of health IT outage and suggested risk management strategies: An analysis of historical incident reports in China. International journal of medical informatics, 83(2), 122-130.

Smith, L. C., & Wong, M. A. (Eds.). (2016). Reference and Information Services: An Introduction. ABC-CLIO.

Vempati, U. D., Chung, C., Mader, C., Koleti, A., Datar, N., Vidović, D., … & Benes, C. H. (2014). Metadata standard and data exchange specifications to describe, model, and integrate complex and diverse high-throughput screening data from the Library of Integrated Network-based Cellular Signatures (LINCS). Journal of biomolecular screening, 19(5), 803-816.