Business Information Systems IS Risk

Question: Discuss about the Business Information Systems IS Risk. Answer: Background to the Case Recently, Three faced IS risks as it failed to secure the customers information. It is one of the biggest mobile companies in Britain. Due to the major cyber-security breach, it has faced issues in successfully executing IS functions (Swinford and McGoogan, 2017). It is a UK based mobile operator, which provides telecommunication and internet services to the customers. This firm has own network infrastructure to provide internet services. The IS of this organization works to collect, store and manage the customer data. Three customers a facility to purchase mobile phones, SIMs, mobile broadband, accessories, top-ups though online medium. This increases the role of IS in an effective execution of business activities. In order to make online purchase, customers share personal details such as name, mobile number, address and bank details with the firm. In online stores, customer provides these data to shop the firms offerings over the internet. Customer database is critical IS of this o rganization through which Three collects, stores, share and organize customers data. This system is used to share and communicate information among the different departments including sales, production and marketing (Three, 2017). Thus, IS of this firm includes use of digital information through hardware and software. In 2016, customer database were hacked by using employee login in unauthorized manner. Due to this, private information of over six million customers was at risk. This firm confirmed that customer data such as address, phone number and names were accessed by the hackers (Lomas, 2016). The financial information of customers was not accessed by the hackers. IS Risks In the selected case study of Threes, different IS risks can be confronted including unauthorized access, software bug, operational mistake, network based virus, device failure and malfunction (Khan, 2012). Below table details the risks, their likelihood, level and implications to the business: No. Risks Risk Likelihood Risk Level Implications to the Business 1 Unauthorized access .3 High Loss of customer trust Loss of market share Poor performance Legal issues Loss of business reputation 2. Software bug .5 Medium Decline in competitiveness Reduction in sales 3. Operational mistake .6 Low Negative image Poor employer branding Decline in ability to attract customers 4. Network based virus .7 High Security breach Loss of customer data and information Loss of business reputation 5. Device failure and malfunction .2 Low Operational problems Increase in employee and customer complaints The above IS risks could be faced by Three, which would have great implications on the business performance and competitiveness. On the basis of above table, it is determined that unauthorized access and network-based virus are the high level of risk, which may great negative implications on the business (Jouini et al., 2014). These risks have potential to affect the tangible assets such as sales and market share as well as intangible assets including reputation, consumer trust, and organizational image. In this way, the IS risks have potential to destroy the business considerably (Pearson, 2013). The IS risks in Three have causes serious issues of customer complaints and dissatisfaction, which may influence its ability to retain and attract customers and to maintain sales. Audit Areas, Audit Objectives and Procedures The auditing of an information system includes examining the performance of management controls, which are established by an organization within an information technological (IT) infrastructure. Through this, effectiveness of organizational policies, system and practices in terms of protecting corporate identity and ensuring data integrity is analyzed. The audit areas will include management of customer data security, data access and user management at Three. Through this, the effectiveness of internal control processes and policies of Three in terms of protecting customer data would be analyzed (Moeller, 2010). Below would be the objective and procedure to access audit areas: No. Audit Areas Audit Objectives Audit Procedures 1 Customer data management including security and access at Three To determine the practices and system used for managing customer data security and access at Three To access the practices and system of consumer data protection and privacy of Three To determine deficiencies of existed system of customer data management at Three and to made informed recommendations Interview of managers and employees of Threes IT team as well as its customers Review of online and offline documents such as customer complaints, privacy policy, customer reviews and reports of managers, news for privacy concerns at Three 2 User management at Three To access the practices of managing user experiences with the IS at Three To determine challenges in managing user experience at Three with IS and to make recommendations Interview of IT management and its customers Review of documents such as customer reviews, news, privacy policy and customer feedback management policy By using the above depicted procedures, required information to audit the selected areas could be obtained in systematic manner. Through interview and survey, questions would be asked to the managers and users of IS including both customers and employees of Three. The views and opinions of these participants would be quite useful to determine their real experiences with the policies and systems of data protection and privacy of Three (Cascarino, 2012). Review of documents would be the other procedure through which secondary information related to the effectiveness of customer data management system at Three would be obtained. Managers of Threes IT department would be interviewed to determine practices of managing data privacy and protection, whereas customers interviews and assessment of secondary sources would be used as audit procedure to access the effectiveness of system critically and to suggest informed changes in the management of IS of this firm (Chong, 2013). Similarly, interview over the employees and customers of Three would also be conducted to determine the access the user experiences over the IS. Employees and customer are used organizational IS to obtain, store and to share information with each other and due to this their opinions could be useful to determine performance of IS in terms of satisfying their information related needs (Gutbrod and Wiele, 2012). Managers would also be interviewed to determine the challenges of firm in establishing systems to provide flawless experiences to the users within the IS infrastructure and to provide recommendations for improvements. Review of documents procedure would also be used to investigate the firms IS system effectiveness in terms of providing smooth user experiences through the secondary sources. Journals, books and e-newspaper would be the key sources of collecting secondary information regarding the IS of the organization for the more effective documentation review procedures (Moelle r, 2016). Through the above stated audit procedures, it is planned to achieve each objective related to the selected audit areas. Audit Questions and Documents In order to achieve each developed objectives, required information would be asked to the customers through the questionnaire. Below table depicts audit questions for each objective and relevant documents: No. Audit Objectives Interview Questions Audit Evidence 1. To determine the practices and system used for managing customer data security and access at Three What are the systems and practices used at Three to ensure security on customer data access? How systems work at Three to protect consumer data from any unauthorized use? What plans Three has to make the system better in terms of securing consumer data from unauthentic uses? Blueprint of IS architecture of Three, which would be signed by the top management Video including trials of examine security breaches of Three Blueprint of Threes IS plan 2. To access the practices and system of consumer data protection and privacy of Three Do Three take any security measures when it asks to you for the financial details? Have you faced problems due to security breach of Three? Does Three response adequnetly in case of security breach complaints? Documentation of interview answers Customer reviews for Threes privacy policy Copy of Threes responses 3. To determine deficiencies of existed system of customer data management at Three and to made informed recommendations What do you think deficiencies in IS system of Three? Is staff training organized at Three to reduce this risk? How IS can be improved at Three? Copy of consumers complaints for Three Detail of training programs at Three Detail of Threes response over the IS improvement 4. To access the practices of managing user experiences with the IS at Three Does Three has certain policies and system to guide your use of IS? Does Three communicate security measures before information sharing? Does Three provide any OTP, when they asked information to you? Threes IS polices for employees Threes IS polices for customers Video including trials of making online purchase from Three online stores 5. To determine challenges in managing user experience at Three with IS and to make recommendations What challenges do you face in managing user experiences at Three? Is unauthorized access major challenge in improving the user experience with IS at Three Is Three communicate adequnetly regarding any IS fault? Documentation of interview answers including examples of recent IS problems at Three, which are published in authentic newspaper Examples of security breaches at Three, which are published in authentic newspaper Examples of Three response towards the customers during any IS problem The above table depicts the questions, which would be asked in interview to the customers, managers and IS staff of Three to achieve the purpose of conducting audit. Apart from this, audit evidences are the results, which an auditor obtains by applying the selected audit procedures. The interview and review of documents would be the key audit procedures of conducting IS audit at Three. The validity of obtained results are required to present by auditors with the help of evidences which could be either any authentic document, inquires of the client, observation and result of physical examination (Van Deursen et al., 2013). The above audit question and evidences would be helpful to audit the IS system of Threes and to access their effectiveness. Control Recommendations This section of control recommendation includes recommended control mechanism for mitigating above identified IS risks effectively including their benefits for Three. Below table depicts control recommendations and their benefits: No. IS Risks Control Recommendations Benefits 1 Unauthorized access Developing personal firewall at Three Employ password protected software in systems at Three Conduct employee training at Three to educate them and to take quick action in case of any early doubts and identification of unauthorized access Timely revise polices of consumer data privacy and update of systems at Three Mitigate risk of unauthorized access at Three Protect consumer data and to increase trust for Three Employee education to increase their morale Increase employee authority at Three to response queries of customer frequently 2. Software bug Implement bug tracking system at Three Appoint quality control manager at Three Regalulary access software bug at Three to decreases potential of IS issues and customer problems Ensuing customers and clients of Three for effective management of software bug Increase in customer trust and improve image of Three 3. Operational mistake Developing culture of professional accountability at Three Operational quality management program in Three Ensuring operational effectiveness of IT department of Three in terms of developing and managing the process to store, collect and to share customer data Improve quality consistency at Three and increase in consumer satisfaction 4. Network based virus Use updated antivirus Mitigate risk of security breach at Three Reduce customer complaints and to improve brand image of Three Increase ability to attract customers 5. Device failure and malfunction Implement highly capable software for data backup at Three Software to provide early indication of device failure and malfunction at Three Ensuring operational consistency at Three and to increase consumer satisfaction Reduce complaints from customer for error regarding IS functions at Three In above table, the ways to mitigate and manage the identified IS risks of Three are discussed. These ways would be useful for this firm to reduce or eliminate implication of IS risk on the business. By developing personal firewall, it would be easy for firm to limit or eliminate the unauthentic access over the consumer database, which may increase consumer trust and satisfaction (Khan, 2012). Employee training at Three would also be effective to educate IS staff to monitor the performance of software and hardware and to track any potential of unauthorized access, software bug, device malfunction and operational mistake. This may help Three to ensure consistency in the operations of IS systems. The timely revision of polices and system update could be useful for this firm to make required measures for mitigating IS risks effectively and to increase consumer trust (Gibson, 2014). The controlled recommendations would be beneficial to improve consumer satisfaction and to decrease consum er complaints that may influence firms sales and profitability in positive manner (Mithas et al., 2011). References Cascarino, R.E. (2012)Auditor's Guide to IT Auditing,+ Software Demo(Vol. 583). USA: John Wiley Sons. Chong, G. (2013) Detecting Fraud: What Are Auditors Responsibilities?.The Journal of Corporate Accounting Finance,24(2), pp.47-53. Gibson, D. (2014)Managing risk in information systems. USA: Jones Bartlett Publishers. Gutbrod, R. and Wiele, C. (2012)The Software Dilemma: Balancing Creativity and Control on the Path to Sustainable Software. Germany: Springer Science Business Media. Jouini, M., Rabai, L.B.A. and Aissa, A.B. ( 2014) Classification of security threats in information systems.Procedia Computer Science,32, pp.489-496. Khan, M.A. ed. (2012)Handbook of Research on Industrial Informatics and Manufacturing Intelligence: Innovations and Solutions: Innovations and Solutions. UK: IGI Global. Lomas, N. (2016) Three UK suffers major data breach via compromised employee login. [Online]. Available at: https://techcrunch.com/2016/11/18/three-uk-suffers-major-data-breach-via-compromised-employee-login/ (Accessed: 3 April, 2017). Mithas, S., Ramasubbu, N. and Sambamurthy, V. (2011) How information management capability influences firm performance.MIS quarterly, pp.237-256. Moeller, R. R. (2016) Brink's Modern Internal Auditing: A Common Body of Knowledge. USA: John Wiley Sons. Moeller, R.R. (2010)IT audit, control, and security(Vol. 13). USA: John Wiley Sons. Pearson, S. (2013) Privacy, security and trust in cloud computing. InPrivacy and Security for Cloud Computing(pp. 3-42). London: Springer. Swinford, S. and McGoogan, C. (2016) Three Mobile cyber hack: six million customers' private information at risk after employee login used to access database. [Online]. Available at: https://www.telegraph.co.uk/news/2016/11/17/three-mobile-cyber-hack--six-million-customers-private-data-at-r/ (Accessed: 3 April, 2017). Three Mobile (2017) About Three [Online]. Available at: https://www.three.co.uk/About_Three (Accessed: 3 April, 2017). Van Deursen, N., Buchanan, W.J. and Duff, A. (2013) Monitoring information security risks within health care.computers security,37, pp.31-45.