Control Activities

Date Submitted: 10/06/2013 05:24 PM


As stated in the COSO framework, control activities help management mitigate risks through policies and procedures in order to achieve business objectives. They are performed over the technology environment and business processes (COSO 2013). Because cyber security issues are relatively new for many companies, management mostly practices cyber security through measures, such as firewalls and passwords, that try to limit external access to the company's systems. These measures are a basic requirement, but they are not enough. According to Deloitte (2012), safeguards against unauthorized information distribution and access, implemented as control activities, help defeat cybercriminals. Such safeguards monitor outbound information traffic for both content and destination, and the destination in particular can be a red flag (Deloitte 2012). For instance, Microsoft doesn't have operations in Cuba; if some information is sent to Cuba through Microsoft's network, it is better to investigate who sent it and why it was sent. Effective safeguards help management carry out this investigation wisely.

Cybercriminals normally impersonate company personnel, so it is not reasonable for a company to assume that everyone who logs in legitimately is actually a legitimate user. Before accepting that a person has logged in legitimately, companies need to use control activities to verify that person's real identity. Deloitte (2012) provides some available techniques:

- Biometrics: a fingerprint is essential to access some key accounting systems.
- Code token devices: devices carried by the actually legitimate users, which generate a random access code at every login.
- "Machine fingerprinting" programs: these compare post-login behavior with historical patterns to verify that the user is actually legitimate (Deloitte 2012).

To continue the above example, if a login to Microsoft's accounting system takes place in Cuba, it is wise to flag and investigate it to determine whether the user is actually legitimate or fraudulent.

As discussed above,...
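The two checks described above, outbound traffic to a country with no operations and a login from an unexpected country, can be sketched as follows. This is an added example, not code from the essay or from Deloitte; the log format, field names, country list and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: countries where the company operates (constructed for this example).
OPERATING_COUNTRIES = {"US", "IE", "IN"}

# Constructed sample records; real input would be proxy/flow and authentication
# logs whose destination or source address has already been geolocated.
OUTBOUND = """\
2013-10-01T09:12:03 user=alice dst_country=US bytes=1200
2013-10-01T09:15:40 user=bob dst_country=CU bytes=48000
2013-10-01T09:16:02 user=bob dst_country=CU bytes=52000
2013-10-01T10:01:11 user=carol dst_country=IE bytes=300
"""
LOGINS = """\
2013-09-28T08:00:00 user=bob system=accounting src_country=US
2013-09-30T08:05:00 user=bob system=accounting src_country=US
2013-10-01T03:14:00 user=bob system=accounting src_country=CU
2013-10-01T08:30:00 user=carol system=accounting src_country=IE
"""

def parse(text):
    """Turn 'timestamp key=value ...' lines into dicts."""
    for line in text.splitlines():
        ts, *pairs = line.split()
        yield {"ts": ts, **dict(p.split("=", 1) for p in pairs)}

def flag_outbound(text, operating=OPERATING_COUNTRIES):
    """Total bytes per (user, country) sent where the company has no operations."""
    totals = defaultdict(int)
    for rec in parse(text):
        if rec["dst_country"] not in operating:
            totals[(rec["user"], rec["dst_country"])] += int(rec["bytes"])
    return dict(totals)

def flag_logins(text, operating=OPERATING_COUNTRIES):
    """Flag logins that break the company footprint or the user's own history."""
    history, flagged = defaultdict(set), []   # history: user -> accepted countries
    for rec in sorted(parse(text), key=lambda r: r["ts"]):
        user, country = rec["user"], rec["src_country"]
        reasons = []
        if country not in operating:
            reasons.append("no operations in country")
        if history[user] and country not in history[user]:
            reasons.append("new country for user")
        if reasons:
            flagged.append((rec["ts"], user, rec["system"], country, reasons))
        else:
            history[user].add(country)   # only unflagged logins extend the baseline
    return flagged
```

Flagged logins are kept out of the per-user baseline so that an impersonator's first login does not make later ones look normal.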