Control Adjustment in Information Systems Security

Control adjustment is a critical phase in information systems security management. It focuses on evaluating whether existing or proposed controls can be effectively designed, implemented, and operated to mitigate identified risks. The primary objective of this phase is to ensure that security controls are practical, cost-effective, and aligned with organizational goals.

A fundamental principle of control adjustment is that the cost of implementing controls should not exceed the expected benefits. These benefits may include reduced risk exposure, prevention of potential losses, regulatory compliance, and enhanced stakeholder confidence. Decisions made during this phase are influenced by several factors, including managerial judgment, findings from earlier risk assessment phases, gaps in existing controls, and user expectations for a secure yet efficient control environment.

Importantly, existing controls should not be discarded without careful evaluation. Controls may be:

• Completely terminated if the associated threats no longer exist
• Replaced with more effective or modern alternatives
• Modified or enhanced to improve efficiency and coverage

The goal is to establish an integrated and balanced security framework that protects organizational assets while supporting business operations.

31.1 Security as a Cost-Effective Measure

According to the IT security guidelines issued by the International Federation of Accountants (IFAC):

“Different levels and types of security may be required to address the risks to information. Security levels and associated costs must be compatible with the value of the information.”

This principle highlights that not all information assets require the same level of protection. Organizations must carefully assess the value and criticality of their information and implement safeguards accordingly.

Key factors that contribute to making security cost effective include:

• Criticality and sensitivity of information assets
• Potential impact of security breaches
• Cost of implementing and maintaining safeguards
• An optimal balance between potential loss and control costs

Cost-effective security does not imply minimal security; rather, it emphasizes risk-based security investment that delivers maximum protection for the resources spent.

Level of Integration of Security

Security controls must be harmonized with existing information systems to ensure consistency and effectiveness. When information systems are integrated across departments or platforms, security systems should exhibit a corresponding level of integration.

Integrated security enables:

• Consistent enforcement of security policies
• Controlled communication and data sharing
• Reduced duplication of security efforts
• Improved monitoring and incident response

Security should neither restrict legitimate system interactions nor allow uncontrolled access beyond what the information system itself permits.

31.2 Roles and Responsibilities in Security Management

For security controls to be effective, roles and responsibilities must be clearly defined, assigned, and communicated throughout the organization. Security is a shared responsibility that spans technical, managerial, and operational functions.

Key roles typically include:

1. Executive Management – Holds overall responsibility for information security and ensures alignment with organizational objectives.
2. Information Systems Security Professionals – Design, implement, manage, and review security policies, standards, procedures, and controls.
3. Data Owners – Classify data, define sensitivity levels, and ensure accuracy and integrity of information.
4. Process Owners – Embed appropriate security controls within business processes and information systems.
5. Technology Providers – Support the technical implementation of security measures and solutions.
6. Users – Comply with security policies and follow established procedures in daily operations.
7. Information Systems Auditors – Provide independent assurance on the adequacy and effectiveness of security controls.

Clearly defined accountability ensures that security controls are consistently applied and effectively maintained.

31.3 Report Preparation

Report preparation is the final phase of the security review process. The report formally documents:

• Identified risks and exposures
• Existing control weaknesses
• Recommended safeguards and improvements

A critical challenge at this stage is securing management acceptance of the identified exposures. The security administrator must clearly demonstrate the likelihood of threats, the potential impact of losses, and the tangible benefits of implementing recommended safeguards.

Well-structured reports supported by clear metrics and analysis are more likely to drive informed decision making. Tools such as text analysis and readability assessment utilities can help refine security documentation to ensure clarity, professional tone, and effective communication with stakeholders.

Meaning of Threat

In general terms, a threat is an expression or condition indicating potential harm or danger. In information security, a threat is defined as an unwanted event—whether deliberate or accidental—that may result in damage to an asset. Threats typically exploit one or more existing vulnerabilities.

Identification of Threats

Threats can be identified based on their nature or source:

• Nature of Threat: Accidental or natural events (force majeure) versus deliberate and intentional acts of harm.
• Source of Threat: Internal threats originating within the organization or external threats arising from outside entities.

31.4 Types of Threats

Threats to information systems are broadly categorized into two types:

1. Physical Threats

Physical threats involve damage to the physical infrastructure of information systems. Examples include:

• Natural disasters such as fire, earthquakes, and floods
• Environmental factors like dust and pollution
• Energy and power variations
• Unauthorized physical intrusion

Physical damage can render hardware unusable and disrupt critical business operations. Organizations should assess the frequency and probability of such events and implement appropriate preventive and recovery measures.

Energy Variations

Energy variations can affect both hardware and software systems. Organizations must assess total power requirements and monitor voltage fluctuations to implement suitable protective measures.

• Surges or Spikes: Sudden increases in power supply
• Sags or Brownouts: Sudden decreases in voltage
• Blackouts: Total loss of power, scheduled or unscheduled

Common remedies include:

• Uninterruptible Power Supplies (UPS)
• Voltage regulators and circuit breakers
• Backup power systems for critical operations

Security system design must also account for total power failure. Critical systems such as emergency exits, alarms, and fire suppression mechanisms should continue functioning or allow manual operation during power outages.

2. Logical Threats

Logical threats refer to damage caused to software, data, and information systems without physical presence. Examples include:

• Viruses, worms, and malware
• Unauthorized logical access or hacking
• Data manipulation or destruction

Effective control adjustment requires addressing both physical and logical threats through a combination of preventive, detective, and corrective controls to ensure comprehensive information security.