By: Ahmed Salameh Al-Malaji, Accounting Information Systems - Internal Auditor at the Land Transport Regulatory Authority / Jordan



There is no doubt that all small, medium and large organizations have information systems, whether computerized or manual. These systems are used to process data and extract a large amount of useful information, which represents a main source for decision-making inside and outside the organization. Information systems must be highly reliable. To be so, they must satisfy five key principles: safety, confidentiality, privacy, processing integration and availability.


It is the main element of these principles. Although information systems security is complex and requires information security specialists, it is a matter for senior management within the organization and not only for the information technology department, as senior management is responsible for the accuracy of the data and reports issued by the organization.

Time Security Model
This model evaluates the effectiveness of the organization’s security by measuring and comparing the relationships among
the following three variables:
P: The time it takes for an attacker to break through the preventive controls of an organization.
D: The time it takes to detect the occurrence of the attack.
C: The time it takes to respond.
If P > (D + C), then security measures are effective. Otherwise, security measures are ineffective.
This model is also used to compare and assess the costs and benefits of implementing controls. For example, suppose your
organization will invest 10,000 cash units to improve security and has the following options:

  • Buy a firewall that will add 15 minutes to P duration.
  • Update the intrusion detection system that will reduce D duration by 18 minutes.
  • Invest in a new method of quick response to the intrusion process to reduce C duration by 20 minutes.

Certainly, the third option, i.e. investing in a new method of quick response, will benefit the organization most, provided other factors
remain unchanged, because its 20 minutes is the largest improvement in the margin between P and (D + C).

Defense in depth
Defense in depth includes the use of multiple layers of controls to avoid gaps that may hinder the
operation of the system or leave it vulnerable to cyber attack. Computer security therefore includes the use of a set of firewalls,
passwords, and other preventive, detective and corrective countermeasures to prevent unauthorized persons from gaining
access to systems, data and devices.
First: Preventive Controls:
Key types of preventive controls used for information systems include:
Authorization: This control determines who is authorized to access the system by giving the user a password, a fingerprint
or an access card.
Authentication: It is another layer of preventive controls in which the permission for accessing the subsystems is given after confirming that the employee has an access permit to the master system. Appropriate privileges must be given according to the job description of the
It is necessary to have a user access authorization matrix for the systems in the IT Department.
Training: Staff should be trained on how to protect and maintain their PCs, and employees should be made aware of social
engineering and the methods it uses to deceive employees.

Physical Access Controls: The main server room must be protected from unauthorized access by means of an access
card or fingerprint. Visitors must be accompanied while on the premises of the organization, and PCs must be
protected from misuse.


Remote Access Controls: There are several technologies used to protect data and systems from manipulation, including routers, firewalls, and intrusion prevention systems.
• Main Router: It is used to connect the information system to the Internet.
• Firewalls: They work in conjunction with the main router to filter information transmitted in or out of the information system.
• TCP/IP Protocol: It is used to communicate data in the form of streams of bytes over the Internet. With this protocol, a set of rules
called the Access Control List (ACL) is used to determine which data streams are accepted or rejected. The most effective data filtering technique is Intrusion Prevention Systems.
• Internal Firewalls: They are used to separate departments and divisions within an organization so that a particular department or division cannot access the information systems of another division.
• Put key computers such as e-mail computers in a separate network outside the company’s internal network.
• There shall be special procedures for wireless network security.

Encryption: Encryption is the final building block of preventive controls. Through it, data is converted from clear, readable text into unreadable ciphertext, and can be returned to its original form when needed.
The role of the internal auditor in ensuring the effectiveness of preventive controls:
The role of the internal auditor is to ensure that procedures and techniques are used effectively and efficiently, for example:
Request the IT Department to provide a list of all the addresses and websites that accessed the information systems through
the main router, as well as the websites and addresses that were prevented from entering through intrusion detection
systems and firewalls. This will be useful, particularly upon noticing the repetition of certain websites and addresses.
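
The repetition check described above, as an added example that is not part of the original article: it counts how often each source address was blocked in an exported router/firewall list and notes whether the same address was also allowed through. The log line format, the addresses and the threshold of three are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export; the line format is an assumption, not a real product's.
SAMPLE_LOG = """\
2024-03-01T08:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T08:00:09 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-01T08:01:30 ALLOW src=198.51.100.20 dst=10.0.0.8 dport=443
2024-03-01T08:02:11 DENY src=203.0.113.7 dst=10.0.0.9 dport=3389
2024-03-01T08:05:45 DENY src=192.0.2.44 dst=10.0.0.5 dport=80
2024-03-01T09:15:00 ALLOW src=203.0.113.7 dst=10.0.0.8 dport=443
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")


def repeated_sources(log_text, min_denies=3):
    """Return (findings, skipped): sources denied at least min_denies times."""
    stats = defaultdict(lambda: {"denied": 0, "allowed": 0, "ports": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        _, action, src, _, dport = m.groups()
        if action == "DENY":
            stats[src]["denied"] += 1
            stats[src]["ports"].add(int(dport))
        else:
            stats[src]["allowed"] += 1
    findings = [
        {"src": src, "denied": s["denied"], "ports": sorted(s["ports"]),
         # A source that was repeatedly blocked but also got through needs follow-up.
         "also_allowed": s["allowed"] > 0}
        for src, s in stats.items() if s["denied"] >= min_denies
    ]
    findings.sort(key=lambda f: f["denied"], reverse=True)
    return findings, skipped


if __name__ == "__main__":
    findings, skipped = repeated_sources(SAMPLE_LOG)
    for finding in findings:
        print(finding)
    print("unparsed lines:", skipped)
```
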

Second: Detective Controls:
No preventive system is capable of completely protecting information systems from cyber attacks, due to the
continuous evolution of attackers’ methods and the inherent vulnerabilities in any information system. Hence, there should
be controls that detect any attempt to attack the information systems. Through detective controls, the effectiveness of
preventive control systems is determined.
Log Analysis: It is a file that records all users’ activities, e.g. deleting, modifying,
and adding database records.
Intrusion Detection Systems (IDS): It creates a log of addresses and websites that are allowed to pass to the firewall.

Management Reports: Creating management reports that include Key Performance Indicators in terms of the business disruption due to security incidents, the number of installed, maintained and developed systems, and the time required to respond to the detected security incidents.
Information System Security Testing: There are many techniques that can be used to examine the system and detect vulnerabilities and weaknesses. For example, an authorized person or a security consulting company can attempt to penetrate the information system in order to identify
and handle gaps and vulnerabilities.
Role of internal auditor in ensuring the effectiveness of detective controls:
The role of the internal auditor in assessing the detective controls includes verifying whether the administrative reports are prepared and whether the audit trail/log file is effective. The internal auditor can request a specific sample from the log file analysis,
ensure that all transactions/activities in the file were made by authorized users, and match the privileges granted to the users with the user access authorization matrix.
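
The sample test described above, as an added example that is not part of the original article: each activity in a log sample is matched against the user access authorization matrix, and entries made by unknown users or exceeding granted privileges are reported as exceptions. The user names, table names, CSV layout and matrix contents are assumptions constructed for illustration.

```python
import csv
import io

# Constructed user access authorization matrix: user -> table -> permitted actions.
ACCESS_MATRIX = {
    "a.hassan": {"invoices": {"add", "modify"}, "vendors": {"add"}},
    "l.omar": {"payroll": {"add", "modify", "delete"}},
}

# Constructed sample drawn from an audit trail / log file (CSV layout is assumed).
SAMPLE_LOG = """timestamp,user,action,table,record_id
2024-03-01T09:12:00,a.hassan,add,invoices,1041
2024-03-01T09:40:10,a.hassan,delete,invoices,1007
2024-03-01T10:02:33,l.omar,modify,payroll,220
2024-03-01T10:15:47,l.omar,modify,invoices,1041
2024-03-01T23:58:02,temp01,delete,vendors,88
"""


def review_sample(log_csv, matrix):
    """Return the log entries that the authorization matrix does not permit."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        user, action, table = row["user"], row["action"].lower(), row["table"]
        if user not in matrix:
            reason = "user not in authorization matrix"
        elif table not in matrix[user]:
            reason = "no privileges on this table"
        elif action not in matrix[user][table]:
            reason = "action exceeds granted privileges"
        else:
            continue  # activity matches a granted privilege
        exceptions.append((row["timestamp"], user, action, table, reason))
    return exceptions


if __name__ == "__main__":
    for entry in review_sample(SAMPLE_LOG, ACCESS_MATRIX):
        print(" | ".join(entry))
```
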

Third: Corrective Controls:
They include ensuring that all identified vulnerabilities and weaknesses have been corrected. These controls include:

Computer Emergency Response Team (CERT): It consists of technical and operations management specialists who handle major incidents and regularly:
• Recognize the problem;
• Contain the problem;
• Solve the problem; and
• Follow-up.
Chief Security Officer: A specific individual responsible for the organization’s scope of security. Such a person should report to the COO or CEO and be independent of the information system management functions.