Managing Information Security Risks: Case Study Of Three

Overview of Three

Question:


Discuss the Business Information Systems (IS) risk.

Recently, “Three” faced IS risks when it failed to secure its customers’ information. Three is one of the biggest mobile operators in Britain, and the major cyber-security breach disrupted its ability to execute IS functions successfully (Swinford and McGoogan, 2016). It is a UK-based mobile operator that provides telecommunication and internet services to customers over its own network infrastructure. The IS of this organization collects, stores and manages customer data. Three gives customers the facility to purchase mobile phones, SIMs, mobile broadband, accessories and top-ups online, which increases the role of IS in the effective execution of business activities. To make an online purchase, customers share personal details such as name, mobile number, address and bank details with the firm; in the online store, customers provide these data in order to buy the firm’s offerings over the internet. The customer database is the critical IS of this organization, through which Three collects, stores, shares and organizes customer data. This system is used to share and communicate information among different departments, including sales, production and marketing (Three, 2017). Thus, the IS of this firm consists of digital information handled through hardware and software.

In 2016, the customer database was accessed without authorization by using an employee login. As a result, the private information of over six million customers was put at risk. The firm confirmed that customer data such as addresses, phone numbers and names were accessed by the attackers, but that customers’ financial information was not accessed (Lomas, 2016).

In the selected case study of Three, different IS risks can be identified, including unauthorized access, software bugs, operational mistakes, network-based viruses, and device failure and malfunction (Khan, 2012). The table below details the risks, their likelihood, their level and their implications for the business:


No. | Risk | Risk likelihood | Risk level | Implications to the business
1 | Unauthorized access | 0.3 | High | Loss of customer trust; loss of market share; poor performance; legal issues; loss of business reputation
2 | Software bug | 0.5 | Medium | Decline in competitiveness; reduction in sales
3 | Operational mistake | 0.6 | Low | Negative image; poor employer branding; decline in ability to attract customers
4 | Network-based virus | 0.7 | High | Security breach; loss of customer data and information; loss of business reputation
5 | Device failure and malfunction | 0.2 | Low | Operational problems; increase in employee and customer complaints

The above IS risks could be faced by Three, and they would have significant implications for business performance and competitiveness. On the basis of the table, unauthorized access and network-based viruses are the high-level risks, which may have serious negative implications for the business (Jouini et al., 2014). Note that the risk level column is not driven by likelihood alone: operational mistakes (0.6) are rated more likely than unauthorized access (0.3) but are assigned a lower level. These risks have the potential to affect tangible assets such as sales and market share as well as intangible assets including reputation, consumer trust and organizational image; in this way, IS risks can damage the business considerably (Pearson, 2013). The IS risks at Three have already caused serious customer complaints and dissatisfaction, which may affect its ability to retain and attract customers and to maintain sales.

An information systems audit examines the performance of the management controls that an organization has established within its information technology (IT) infrastructure. Through this, the effectiveness of organizational policies, systems and practices in protecting corporate information and ensuring data integrity is analysed. The audit areas here will include management of customer data security, data access and user management at “Three”. Through this, the effectiveness of Three’s internal control processes and policies in protecting customer data will be analysed (Moeller, 2010). The objectives and procedures for assessing each audit area are set out below:

1. Audit area: Customer data management, including security and access, at Three
   Audit objectives: (a) To determine the practices and systems used for managing customer data security and access at Three; (b) to assess Three’s practices and systems for consumer data protection and privacy; (c) to identify deficiencies in the existing customer data management system at Three and to make informed recommendations.
   Audit procedures: Interviews with managers and employees of Three’s IT team and with its customers; review of online and offline documents such as customer complaints, the privacy policy, customer reviews, managers’ reports and news coverage of privacy concerns at Three.

2. Audit area: User management at Three
   Audit objectives: (a) To assess the practices for managing user experience with the IS at Three; (b) to identify challenges in managing user experience with the IS at Three and to make recommendations.
   Audit procedures: Interviews with IT management and with customers; review of documents such as customer reviews, news coverage, the privacy policy and the customer feedback management policy.

Information Security Risks Faced by Three

By using the procedures described above, the information required to audit the selected areas can be obtained in a systematic manner. Through interviews and surveys, questions would be put to the managers and users of the IS, including both customers and employees of “Three”. The views and opinions of these participants would be useful for determining their real experience of Three’s data protection and privacy policies and systems (Cascarino, 2012). Document review would be the other procedure, through which secondary information on the effectiveness of Three’s customer data management system would be obtained. Managers of Three’s IT department would be interviewed to determine the practices for managing data privacy and protection, whereas customer interviews and assessment of secondary sources would be used to assess the effectiveness of the system critically and to suggest informed changes to the management of the firm’s IS (Chong, 2013).

Similarly, interviews with the employees and customers of “Three” would be conducted to assess user experience of the IS. Employees and customers use the organizational IS to obtain, store and share information with each other, so their opinions are useful for judging how well the IS satisfies their information needs (Gutbrod and Wiele, 2012). Managers would also be interviewed to determine the challenges the firm faces in establishing systems that give users a smooth experience within the IS infrastructure, and to provide recommendations for improvement. Document review would also be used to investigate the effectiveness of the firm’s IS in providing a smooth user experience, drawing on secondary sources. Journals, books and online newspapers would be the key sources of secondary information about the organization’s IS for the document review (Moeller, 2016). Through the audit procedures stated above, it is planned to achieve each objective for the selected audit areas.

To achieve each objective, the required information would be gathered through a questionnaire. The table below lists the audit questions for each objective and the relevant audit evidence:

1. Objective: To determine the practices and systems used for managing customer data security and access at Three
   Interview questions: What systems and practices are used at Three to secure access to customer data? How do Three’s systems protect consumer data from unauthorized use? What plans does Three have to improve the system’s protection of consumer data against unauthorized use?
   Audit evidence: Blueprint of Three’s IS architecture, signed off by top management; video recording of trials examining security breaches at Three; blueprint of Three’s IS plan.

2. Objective: To assess Three’s practices and systems for consumer data protection and privacy
   Interview questions: Does Three take any security measures when it asks you for financial details? Have you faced problems because of a security breach at Three? Does Three respond adequately to security breach complaints?
   Audit evidence: Documentation of interview answers; customer reviews of Three’s privacy policy; copies of Three’s responses.

3. Objective: To identify deficiencies in the existing customer data management system at Three and to make informed recommendations
   Interview questions: What do you think the deficiencies of Three’s IS are? Is staff training organized at Three to reduce this risk? How can the IS at Three be improved?
   Audit evidence: Copies of consumer complaints about Three; details of training programmes at Three; details of Three’s response regarding IS improvement.

4. Objective: To assess the practices for managing user experience with the IS at Three
   Interview questions: Does Three have policies and systems that guide your use of the IS? Does “Three” communicate its security measures before information is shared? Does “Three” provide a one-time password (OTP) when it asks you for information?
   Audit evidence: Three’s IS policies for employees; Three’s IS policies for customers; video recording of trials of making an online purchase from Three’s online store.

5. Objective: To identify challenges in managing user experience with the IS at Three and to make recommendations
   Interview questions: What challenges do you face in managing user experience at Three? Is unauthorized access a major challenge in improving user experience with the IS at Three? Does Three communicate adequately about any IS fault?
   Audit evidence: Documentation of interview answers, including examples of recent IS problems at Three published in reputable newspapers; examples of security breaches at Three published in reputable newspapers; examples of Three’s response to customers during an IS problem.

The table above lists the questions that would be asked in interviews with the customers, managers and IS staff of “Three” to achieve the purpose of the audit. Audit evidence is what an auditor obtains by applying the selected audit procedures. Interviews and document review would be the key audit procedures for conducting the IS audit at Three. Auditors must support the validity of their findings with evidence, which may be an authentic document, client enquiries, observation or the results of physical examination (Van Deursen et al., 2013). The audit questions and evidence above would help to audit Three’s IS and to assess its effectiveness.

This section presents the recommended control mechanisms for mitigating the IS risks identified above, together with their benefits for “Three”:

1. IS risk: Unauthorized access
   Control recommendations: Develop a personal firewall at Three; employ password-protected software on systems at Three; conduct employee training at Three so that staff can recognise early signs of unauthorized access and act quickly; revise consumer data privacy policies and update systems at Three in a timely manner.
   Benefits: Mitigates the risk of unauthorized access at Three; protects consumer data and increases trust in Three; employee education raises morale; increases employees’ authority at Three to respond promptly to customer queries.

2. IS risk: Software bug
   Control recommendations: Implement a bug tracking system at Three; appoint a quality control manager at Three; regularly assess software bugs at Three to reduce the potential for IS issues and customer problems.
   Benefits: Assures Three’s customers and clients that software bugs are managed effectively; increases customer trust and improves Three’s image.

3. IS risk: Operational mistake
   Control recommendations: Develop a culture of professional accountability at Three; run an operational quality management programme at Three; ensure the operational effectiveness of Three’s IT department in developing and managing the processes for collecting, storing and sharing customer data.
   Benefits: Improves quality consistency at Three and increases consumer satisfaction.

4. IS risk: Network-based virus
   Control recommendations: Use up-to-date antivirus software.
   Benefits: Mitigates the risk of a security breach at Three; reduces customer complaints and improves Three’s brand image; increases the ability to attract customers.

5. IS risk: Device failure and malfunction
   Control recommendations: Implement highly capable data backup software at Three; deploy software that gives early indication of device failure and malfunction at Three.
   Benefits: Ensures operational consistency at Three and increases consumer satisfaction; reduces customer complaints about errors in IS functions at Three.

The table above sets out ways to mitigate and manage the identified IS risks of “Three”. These measures would help the firm to reduce or eliminate the implications of IS risk for the business. By developing a personal firewall, it would be easier for the firm to limit or eliminate unauthorized access to the consumer database, which may increase consumer trust and satisfaction (Khan, 2012). Because the 2016 breach used a valid employee login, however, a firewall and password protection on their own would not have blocked it; the access granted to each account must also be limited to what its role requires, and account activity must be monitored so that misuse of a legitimate login is noticed quickly. Employee training at “Three” would also be effective in educating IS staff to monitor the performance of software and hardware and to track any potential unauthorized access, software bug, device malfunction or operational mistake. This may help Three to ensure consistency in the operation of its IS. Timely revision of policies and system updates could help the firm to take the measures required to mitigate IS risks effectively and to increase consumer trust (Gibson, 2014). The recommended controls would be beneficial in improving consumer satisfaction and reducing consumer complaints, which may influence the firm’s sales and profitability positively (Mithas et al., 2011).
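The breach described earlier (a legitimate employee login used to read customer records) and the recommended control of acting quickly on early signs of unauthorized access both depend on noticing when a valid account starts behaving abnormally. The following is an added example, not code from this essay or from Three, of two simple detection rules run over a constructed audit log of customer-database reads: one flags an account used from a previously unseen address outside business hours, the other flags an account reading more distinct customer records in a short window than any normal lookup pattern would. The log format, the field names, the business hours and the thresholds are all assumptions made for the example.

```python
"""Detection of a compromised employee login used for bulk customer-record reads.
Added example; not code from the essay or from Three. The log format, thresholds
and business hours are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    record_id: str
    src_ip: str


def parse_line(line):
    """Parse one constructed audit line: '<iso-ts> <user> <action> <record> <ip>'."""
    ts, user, action, record_id, src_ip = line.split()
    return Event(datetime.fromisoformat(ts), user, action, record_id, src_ip)


def build_sample_log():
    """Constructed data (not real Three logs): two staff doing normal daytime
    lookups from office addresses, then one account reused at night from an
    external address to read records in bulk."""
    lines = []
    day = datetime(2016, 11, 15, 9, 0, 0)
    for i in range(12):   # alice.r: a dozen lookups spread over the working day
        t = day + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} alice.r view_customer {100000 + 37 * i} 10.20.1.15")
    for i in range(8):    # bob.k: fewer lookups, from a different desk
        t = day + timedelta(minutes=30 * i + 5)
        lines.append(f"{t.isoformat()} bob.k view_customer {200000 + 11 * i} 10.20.3.41")
    night = datetime(2016, 11, 15, 23, 10, 0)
    for i in range(150):  # alice.r's login misused: 150 records in five minutes
        t = night + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} alice.r view_customer {300000 + i} 203.0.113.77")
    return lines


BULK_WINDOW = timedelta(minutes=10)   # assumption: sliding window for the bulk rule
BULK_THRESHOLD = 50                   # assumption: distinct records per window
BUSINESS_HOURS = range(8, 19)         # assumption: 08:00-18:59 counts as normal


def detect(events, window=BULK_WINDOW, threshold=BULK_THRESHOLD):
    """Return alerts as (user, rule, detail), at most one per user per rule.
    new_ip_after_hours: first use of an address not previously seen for the
        account, outside business hours (the account's first address is baseline).
    bulk_record_access: more than `threshold` distinct customer records read by
        one account within any `window` of time."""
    alerts = []
    known_ips = defaultdict(set)
    recent = defaultdict(deque)   # user -> (ts, record_id) pairs inside the window
    flagged = set()               # (user, rule) pairs already reported
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src_ip not in known_ips[e.user]:
            if known_ips[e.user] and e.ts.hour not in BUSINESS_HOURS \
                    and (e.user, "new_ip_after_hours") not in flagged:
                alerts.append((e.user, "new_ip_after_hours",
                               f"{e.src_ip} at {e.ts.isoformat()}"))
                flagged.add((e.user, "new_ip_after_hours"))
            known_ips[e.user].add(e.src_ip)
        q = recent[e.user]
        q.append((e.ts, e.record_id))
        while q and e.ts - q[0][0] > window:   # drop reads older than the window
            q.popleft()
        distinct = len({rec for _, rec in q})
        if distinct > threshold and (e.user, "bulk_record_access") not in flagged:
            alerts.append((e.user, "bulk_record_access",
                           f"{distinct} distinct records within {window}"))
            flagged.add((e.user, "bulk_record_access"))
    return alerts


def run_example():
    """Run both rules over the constructed log and return the alerts."""
    return detect([parse_line(line) for line in build_sample_log()])


if __name__ == "__main__":
    for user, rule, detail in run_example():
        print(f"ALERT {rule}: {user} {detail}")
```

On the constructed log the daytime activity of both accounts produces nothing, while the night-time reuse of alice.r’s login raises one alert for the unfamiliar address and a second once the account has read more than fifty distinct records inside ten minutes. In a real deployment the per-account baseline of addresses and the volume threshold would be derived from the audit history rather than fixed by hand, and the bulk rule would be tuned per role, since a billing team member legitimately reads far more records than a shop assistant.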

References

Cascarino, R.E. (2012) Auditor’s Guide to IT Auditing,+ Software Demo (Vol. 583). USA: John Wiley & Sons.

Chong, G. (2013) Detecting Fraud: What Are Auditors’ Responsibilities?. The Journal of Corporate Accounting & Finance, 24(2), pp.47-53.

Gibson, D. (2014) Managing risk in information systems. USA: Jones & Bartlett Publishers.

Gutbrod, R. and Wiele, C. (2012) The Software Dilemma: Balancing Creativity and Control on the Path to Sustainable Software. Germany: Springer Science & Business Media.

Jouini, M., Rabai, L.B.A. and Aissa, A.B. (2014) Classification of security threats in information systems. Procedia Computer Science, 32, pp.489-496.

Khan, M.A. ed. (2012) Handbook of Research on Industrial Informatics and Manufacturing Intelligence: Innovations and Solutions. UK: IGI Global.

Lomas, N. (2016) Three UK suffers major data breach via compromised employee login. [Online]. Available at: https://techcrunch.com/2016/11/18/three-uk-suffers-major-data-breach-via-compromised-employee-login/ (Accessed: 3 April, 2017).

Mithas, S., Ramasubbu, N. and Sambamurthy, V. (2011) How information management capability influences firm performance. MIS Quarterly, pp.237-256.

Moeller, R. R. (2016) Brink’s Modern Internal Auditing: A Common Body of Knowledge. USA: John Wiley & Sons.

Moeller, R.R. (2010) IT audit, control, and security (Vol. 13). USA: John Wiley & Sons.

Pearson, S. (2013) Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing (pp. 3-42). London: Springer.

Swinford, S. and McGoogan, C. (2016) Three Mobile cyber hack: six million customers’ private information at risk after employee login used to access database. [Online]. Available at: https://www.telegraph.co.uk/news/2016/11/17/three-mobile-cyber-hack–six-million-customers-private-data-at-r/ (Accessed: 3 April, 2017).

Three (2017) About Three [Online]. Available at: https://www.three.co.uk/About_Three (Accessed: 3 April, 2017).

Van Deursen, N., Buchanan, W.J. and Duff, A. (2013) Monitoring information security risks within health care. Computers & Security, 37, pp.31-45.
