3.7 Control Design & Implementation



  • Control design and implementation is one of the important steps in risk management. A control can be either proactive or reactive. Proactive controls attempt to prevent an adverse impact, whereas reactive controls attempt to detect an incident and recover from it. Proactive controls are also known as safeguards and reactive controls as countermeasures. Posting a physical security guard outside the processing area is a proactive control (safeguard) that prevents unauthorized entry. A fire extinguisher is a reactive control (countermeasure) against the risk of fire.


  • All the implemented controls should be documented in a risk register.


  • An effective control should either prevent the event, or detect it and recover from it, with minimum adverse impact.


  • The most important factor in designing IS controls is that they should be aligned with the requirements of the business processes and should address the stakeholders' requirements. Process owners should provide the control requirements on the basis of business needs and objectives.


  • The role of a risk advisor is to provide advice on control selection and the implementation procedure. Risk practitioners should evaluate the adequacy of the current controls; where the current controls are not sufficient, the practitioner should recommend implementation of new controls.


  • Internal controls should be incorporated into new system development at the design phase itself. Building them in at that stage helps in designing and developing effective and efficient internal control systems.


  • The board of directors and senior management are accountable for risk policies, guidelines and standards.


Compensating Controls


  • In some scenarios it may not be feasible to implement a control. For example, in small organizations, segregation of duties may not be cost effective. In such cases, risk practitioners should recommend the implementation of compensating controls. Compensating controls are an indirect way to monitor and control transactions. Where segregation of duties is lacking, a compensating control may be monitoring of transaction logs and conducting audits.


Threat vis-à-vis Vulnerability


  • CRISC aspirants should be able to establish the difference between a threat and a vulnerability. A vulnerability is a weakness in the system. A threat is a factor that attempts to exploit the vulnerability. For example, an anti-virus that is not updated is a vulnerability. A hacker who attempts to exploit that vulnerability (the un-updated anti-virus) is a threat. The objective of an internal control is to reduce the vulnerability, i.e. the weakness. Internal controls cannot directly control the threat.


Control Standards and Frameworks


  • Implementation of controls requires documented policies and procedures. Accountability should be established for control implementation and monitoring. Implementing industry-specific standards and frameworks helps an organization build a structured control environment.


  • ISO 27001 is a widely accepted and recognized standard for information security management systems (ISMS). The Payment Card Industry Data Security Standard (PCI DSS) is used by all organizations that process debit or credit cards. HIPAA is a recognized standard for the health industry.


  • Many countries make implementation of certain standards mandatory for organizations.


Administrative, Technical and Physical Controls


Following are the details of different types of control:


Managerial/Administrative


  • Managerial controls involve oversight of the processes.

  • Examples of managerial controls are policies and procedures, audit, and risk and compliance reporting.

  • Managerial controls aim to monitor the functioning of technical as well as physical controls.



Technical


  • Technical controls are implemented through the use of technology, with minimum human intervention.

  • They are also termed logical controls.

  • Examples of technical controls include logical access controls, firewalls, antivirus software, IDS etc.

  • A technical control requires proper managerial (administrative) controls in order to operate correctly.


Physical


  • Physical controls aim to control the physical movement of employees and assets.

  • Examples of physical control include security guards, locks, fences, CCTV and devices that are installed to physically restrict access to a facility or hardware.


Preventive, Corrective, Detective, Deterrent, Compensating Controls


Following are the details of the different types of control:


Preventive Control


  • Preventive controls are designed to prevent the threat event from occurring and thus avoid the potential impact.


  • Examples of preventive controls include:

      • Use of qualified personnel

      • Segregation of duties

      • Use of SOPs to prevent errors

      • Transaction authorization procedures

      • Edit checks

      • Access control procedures

      • Firewalls

      • Physical barriers


Detective Control


  • Detective controls are designed to detect a threat event once it has occurred, so that the impact of the event can be reduced.


  • Examples of detective controls include:

      • Internal audit and other reviews

      • Log monitoring

      • Hash totals

      • Checkpoints in production jobs

      • Echo controls in telecommunications

      • Error messages over tape labels

      • Variance analysis

      • Quality assurance
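
The hash total listed above is the detective control that is easiest to misunderstand, so the following added example (written for this page, not taken from the CRISC Review Manual or from any real batch system) shows it working alongside the record count and financial total. The Record class, the control_totals and check_batch functions and the sample batch are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    """One line of a batch (hypothetical layout). account_no is the field used for
    the hash total: its sum has no business meaning, which is why it works as a control."""
    account_no: int
    amount_cents: int


def control_totals(batch: List[Record]) -> Tuple[int, int, int]:
    """Compute the three classic batch control totals:
    record count, hash total (sum of account numbers), financial total (sum of amounts)."""
    return (
        len(batch),
        sum(r.account_no for r in batch),
        sum(r.amount_cents for r in batch),
    )


def check_batch(received: List[Record], expected: Tuple[int, int, int]) -> List[str]:
    """Detective control: recompute the totals on the received batch and report every
    discrepancy against the totals established at the source. Empty list = reconciles."""
    count, hash_total, fin_total = control_totals(received)
    exp_count, exp_hash, exp_fin = expected
    findings = []
    if count != exp_count:
        findings.append(f"record count {count} != expected {exp_count}")
    if hash_total != exp_hash:
        findings.append(f"hash total {hash_total} != expected {exp_hash}")
    if fin_total != exp_fin:
        findings.append(f"financial total {fin_total} != expected {exp_fin}")
    return findings


# Constructed sample batch (not real data), as prepared at the source system.
SOURCE_BATCH = [
    Record(account_no=1001, amount_cents=25000),
    Record(account_no=1002, amount_cents=4000),
    Record(account_no=1003, amount_cents=12500),
]
EXPECTED_TOTALS = control_totals(SOURCE_BATCH)  # (3, 3006, 41500)

# Two constructed failure cases the control is meant to catch.
DROPPED_RECORD = SOURCE_BATCH[:1] + SOURCE_BATCH[2:]        # one record lost in transit
ALTERED_ACCOUNT = SOURCE_BATCH[:2] + [Record(1033, 12500)]   # account number corrupted, amount intact

# A constructed case the totals do NOT catch: amounts swapped between two accounts.
# Count, hash total and financial total are all unchanged, so a per-record check is still needed.
SWAPPED_AMOUNTS = [Record(1001, 4000), Record(1002, 25000), Record(1003, 12500)]


if __name__ == "__main__":
    cases = [("intact", SOURCE_BATCH), ("dropped record", DROPPED_RECORD),
             ("altered account", ALTERED_ACCOUNT), ("swapped amounts", SWAPPED_AMOUNTS)]
    for name, batch in cases:
        print(f"{name}: {check_batch(batch, EXPECTED_TOTALS) or 'reconciles'}")
```

The altered-account case is the one only the hash total detects: the record count and the financial total are both still correct. The swapped-amounts case is the caveat to remember for the exam and for practice: batch totals detect lost or corrupted records, not a transposition between records, so they complement rather than replace record-level edit checks.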


Corrective Control


  • Corrective controls are designed to minimize the impact of a threat event once it has occurred and to help restore normal operations.


  • Examples of corrective controls include:

      • Business continuity planning

      • Disaster recovery planning

      • Incident response planning

      • Backup procedures


Deterrent Control


  • The purpose of a deterrent control is to give a warning signal that deters or discourages the threat event.


  • Examples of deterrent controls include:

      • CCTV cameras and "under surveillance" signs

      • Warning signs


Compensating Controls


  • Compensating controls are alternative measures employed to ensure that a weakness in the system is not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.


  • For example, in small organizations, segregation of duties may not always be feasible. In such cases, compensating controls such as review of transaction logs should be implemented.
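
Both passages on compensating controls (the risk management bullet earlier on this page and the example just above) name log review as the substitute for segregation of duties without showing what the review actually checks. The following is an added example written for this page, not code from the CRISC Review Manual or any real system: it parses a constructed transaction log in a hypothetical format and flags every transaction that one user both created and approved, plus approvals with no recorded creation. The log format, the SAMPLE_LOG lines and the function names are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Format of the constructed transaction log (hypothetical; not from any real system):
#   <timestamp> user=<id> action=<create|approve> txn=<id> [amount=<cents>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>create|approve) "
    r"txn=(?P<txn>\S+)(?: amount=(?P<amount>\d+))?$"
)


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return the create/approve events found in the log. Lines that are not
    transaction events (logins, malformed lines) do not match and are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_sod_violations(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Compensating control for missing segregation of duties: flag every approved
    transaction that was created and approved by the same user, and every approval
    for which no create event was logged at all."""
    actors_by_txn: Dict[str, Dict[str, str]] = defaultdict(dict)
    for e in events:
        actors_by_txn[e["txn"]][e["action"]] = e["user"]

    findings = []
    for txn, actors in sorted(actors_by_txn.items()):
        creator, approver = actors.get("create"), actors.get("approve")
        if approver is None:
            continue  # still pending approval; nothing to review yet
        if creator is None:
            findings.append((txn, "approved without a recorded create event"))
        elif creator == approver:
            findings.append((txn, f"created and approved by the same user {creator}"))
    return findings


def review(lines: List[str]) -> List[Tuple[str, str]]:
    """Full control run: parse the log, then report the SoD findings for the reviewer."""
    return find_sod_violations(parse_log(lines))


# Constructed sample log: one compliant transaction, one self-approval, one orphan
# approval, one still pending, and two lines the parser must skip.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z user=alice action=create txn=T100 amount=900000",
    "2024-03-01T09:05:00Z user=bob action=approve txn=T100",
    "2024-03-01T09:10:00Z user=carol action=create txn=T101 amount=1250000",
    "2024-03-01T09:11:00Z user=carol action=approve txn=T101",
    "2024-03-01T09:20:00Z user=dave action=approve txn=T102",
    "2024-03-01T09:30:00Z user=eve action=create txn=T103 amount=50000",
    "2024-03-01T09:31:00Z user=bob action=login",
    "garbage line that does not match",
]


if __name__ == "__main__":
    for txn, reason in review(SAMPLE_LOG):
        print(f"{txn}: {reason}")
```

Two design points matter when this is relied on as a compensating control. The check only works if the log itself is complete and protected from the people it monitors, so log integrity (write-once storage, separate custody) is the precondition; and the orphan-approval case (T102 above) is reported deliberately, because a missing create event is as much a gap in the audit trail as a self-approval.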


Key aspects from CRISC exam perspective


  Question: MOST important factor for designing the controls
  Answer: To address the stakeholders' requirements

  Question: Best method for creating access rights for temporary staff
  Answer:
      • With auto expiration date
      • Only need-to-know access

  Question: Best control to protect data on a USB device
  Answer: Encryption

  Question: System backup and restore procedures are an example of
  Answer: Corrective control

  Question: Internal control should be incorporated in which SDLC phase
  Answer: Design phase

  Question: Accountability for risk policies, guidelines and standards
  Answer:
      • Board of Directors
      • Senior Management

  Question: Internal control requirements should be provided by
  Answer: Process owners

  Question: Controls are most effective when they are designed to reduce
  Answer: Vulnerabilities

  Question: Example of managerial controls
  Answer:
      • Policies and procedures
      • Audit, risk and compliance reporting etc.

