(14)What are the classifications of Information System's Controls?


Answer: Following are the classifications of Information System’s Controls:

(1)Classification on the basis of Objectives of Control:

(i)Preventive Controls:
  • Preventive controls are designed to prevent an error, omission or malicious act from occurring.
  • Some examples of preventive controls include employing qualified personnel, segregation of duties, authorization of transactions, firewalls, anti-virus software, passwords etc.
(ii)Detective Controls:
  • Detective controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence.
  • Thus, detective controls detect errors or incidents that escape preventive controls.
  • Some examples of detective controls include bank reconciliation, audits, hash totals, echo control in telecommunications, Intrusion Detection System etc.
(iii)Corrective Controls: 
  • Corrective controls are designed to correct errors, omissions, or incidents once they have been detected.
  • Corrective controls are designed to reduce the impact or correct an error once it has been detected.
  • Some examples of corrective controls are a business continuity plan (BCP), contingency planning, backup procedure, rerun etc.
 

(2)Classification on the basis of Nature of IS Resource:

(i)Environmental Controls:
  • Environmental controls are designed to minimize the risk of environmental hazards and exposures.
  • These are the controls relating to IT environment such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke detection, fire-extinguishers, dehumidifiers etc.
(ii)Physical Controls:
  • These are the controls relating to physical security of IS resources.
  • Physical controls include security guards, access control doors, door alarms etc.
(iii)Logical Controls:
  • Logical access controls are implemented to ensure that access to systems, data and programs is restricted to authorized users.
  • Logical access includes operating systems controls, application software boundary controls, networking controls, access to database objects, encryption controls etc.


(3)Classification on the basis of Audit Functions:

(i)Managerial Controls:
  • Managerial controls help in the development, implementation, operation and maintenance of information systems in a planned and controlled manner in an organisation.
  • These controls provide a stable infrastructure in which information systems can be built, operated and maintained on a day-to-day basis.
(ii)Application Controls:
  • The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage.
  • Any activity that aims at the processing accuracy of the application can be considered an application control.
  • Application controls include form design, source document controls, input, processing and output controls etc.