Information Systems’ Security and Compliance


Cyber-attacks take different forms and might result in substantial economic and reputational losses for an organization. This paper aims to discuss how information systems control and security policies can be used for establishing an organizational framework for combating malware and hacker attacks.

Security Policies

A comprehensive approach to the informational security of an organization requires a risk assessment that will help to determine the level of risk associated with specific organizational activities and processes. Once the risk to a company’s assets has been identified, it is necessary to develop a security policy that will guide the use of tools and technologies for the protection of organizational IT infrastructures (Laudon & Laudon, 2015).

Authentication is a policy that can be used to ward off some types of security threats. It is enforced with passwords and with technologies such as biometric authentication. Firewalls, unified threat management systems, and intrusion detection systems can also help to prevent unauthorized access to private networks. Large organizations employ the following screening technologies to ensure that no incoming request can directly reach a private network: packet filtering, stateful inspection, network address translation (NAT), and application proxy filtering, among others (Laudon & Laudon, 2015).
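To make the difference between two of the screening technologies named above concrete, the following added example (not from the paper or from Laudon & Laudon) models a stateless packet filter and a stateful inspection firewall side by side. The rule format, the private network (10.0.0.0/8), the Internet-side addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) and every packet are constructed for the illustration and do not describe any real firewall product.

```python
"""Stateless packet filtering versus stateful inspection on constructed packets.

All addresses, ports, rules and packets below are constructed for this example;
the rule and connection-table formats are simplifications, not those of any
real firewall.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" = arriving from the Internet, "out" = leaving the private network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # TCP SYN flag: set when a connection is initiated
    ack: bool = False      # TCP ACK flag: set on every packet after the first SYN
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in", "out" or "any"
    dst_port: Optional[int] = None  # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto != pkt.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


def stateless_filter(rules: List[Rule], pkt: Packet) -> str:
    """Packet filtering: each packet is judged on its own header alone;
    the first matching rule wins and anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: outbound connections the rules allow are recorded,
    and an inbound packet is admitted only if it is the reply half of a recorded
    connection or matches an explicit inbound allow rule (a published service)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (internal ip, internal port, external ip, external port, proto)
        self.connections: Set[Tuple[str, int, str, int, str]] = set()

    def inspect(self, pkt: Packet) -> str:
        verdict = stateless_filter(self.rules, pkt)
        if pkt.direction == "out":
            if verdict == "allow":
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return verdict
        # Inbound: a genuine reply carries ACK and reverses a tracked 5-tuple.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if pkt.ack and key in self.connections:
            return "allow"
        return verdict


# Policy: private hosts may open outbound TCP connections; from the Internet only
# the published HTTPS service on 10.0.0.20 is reachable. Nothing opens the
# ephemeral port range inbound, which a stateless filter would need to let replies in.
RULES = [
    Rule("allow", "out"),
    Rule("allow", "in", dst_port=443),
]

# Constructed traffic: a client's outbound request, the server's reply, a forged
# "reply" from an unrelated host, and a legitimate request to the published service.
PACKETS = {
    "client_request": Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
    "server_reply":   Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),
    "forged_reply":   Packet("in", "198.51.100.7", 443, "10.0.0.5", 51000, ack=True),
    "to_web_server":  Packet("in", "198.51.100.7", 40001, "10.0.0.20", 443, syn=True),
}


def compare() -> dict:
    """Run the same packets, in order, through both mechanisms and collect verdicts."""
    fw = StatefulFirewall(RULES)
    results = {}
    for name, pkt in PACKETS.items():
        results[name] = {
            "stateless": stateless_filter(RULES, pkt),
            "stateful": fw.inspect(pkt),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:15s} stateless={verdicts['stateless']:5s} stateful={verdicts['stateful']}")
```

With this rule set the stateless filter drops the server's legitimate reply, because the reply arrives on an ephemeral port that no rule opens; the only stateless remedy is an inbound allow rule for the whole high-port range, which would also admit the forged reply. The stateful firewall lets the genuine reply through on the strength of its connection table, still denies the forged one, and needs no inbound rule beyond the published service.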

Policies aimed at securing wireless networks are essential for reducing the threat posed by malware and hacker attacks. Many companies use encryption to protect their digital data. Public key infrastructures are successfully used by e-commerce businesses whose revenue cycles rely on digital networks. Another important policy is the assurance of system availability, which is essential in the financial sector. High-availability computing and fault-tolerant computer systems provide a reasonable level of assurance that computing systems will quickly recover after a crash (Laudon & Laudon, 2015).

Information System Control

Information system control refers to the implementation of a set of policies and functions aimed at preventing unauthorized access to digital information and the degradation of physical equipment, and at detecting and monitoring the risks and vulnerabilities of an information system (Laudon & Laudon, 2015). Information system control, together with security policies, constitutes a framework for the acceptable use of an organization's digital information-based assets and for electronic records management, thereby reducing the threat of system intrusion.

There are two types of information system controls: general controls and application controls. General controls are used by organizations to oversee the use, design, and security of sensitive data files and programs throughout their IT infrastructures. For example, service-based organizations use software controls to prevent unauthorized access to system software, which might otherwise result in significant financial losses.

Companies that are heavily reliant on the use of their computer hardware resort to hardware controls and make backup provisions. Another example of general controls is manual procedures aimed at monitoring the work of computer departments. Data security controls are necessary for safeguarding data while it is in storage. Financial services organizations rely on implementation controls that help to monitor the system development process. Administrative controls such as rules, policies, and procedures are also extremely effective in protecting the information-based assets of a company. Application controls that consist of manual and automated procedures are utilized by businesses to guarantee that only accurate, complete, and authorized data is processed by applications (Laudon & Laudon, 2015).
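The closing sentence above describes what an application control must guarantee; the following added example (not from the paper or from Laudon & Laudon) shows what an automated one looks like as an input gate in front of a transaction-processing routine. The record layout, the user roles, the per-role amount limits and the sample batch are all constructed for this illustration.

```python
"""An automated application control: a transaction record is processed only if
it is complete, accurate and authorized.

The record layout, roles, limits and sample batch are constructed for this
example and do not describe any real system.
"""
from decimal import Decimal, InvalidOperation
from typing import Dict, List

REQUIRED_FIELDS = ("transaction_id", "account", "amount", "currency", "submitted_by")
SUPPORTED_CURRENCIES = {"USD", "EUR", "GBP"}
# Constructed authorization matrix: the largest amount each role may submit.
ROLE_LIMITS = {"clerk": Decimal("10000.00"), "supervisor": Decimal("250000.00")}


def completeness_checks(record: dict) -> List[str]:
    """Complete: every required field is present and non-empty."""
    return [f"missing field: {f}" for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def accuracy_checks(record: dict) -> List[str]:
    """Accurate: values have the right form and fall within plausible ranges."""
    issues = []
    try:
        amount = Decimal(str(record["amount"]))
        if not amount.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        issues.append("amount is not a finite number")
    else:
        if amount <= 0:
            issues.append("amount must be positive")
        if amount != amount.quantize(Decimal("0.01")):
            issues.append("amount has more than two decimal places")
    if record["currency"] not in SUPPORTED_CURRENCIES:
        issues.append(f"unsupported currency: {record['currency']}")
    account = str(record["account"])
    if not (account.isdigit() and len(account) == 10):
        issues.append("account must be exactly 10 digits")
    return issues


def authorization_checks(record: dict, user_roles: Dict[str, str]) -> List[str]:
    """Authorized: the submitter is a known user and their role permits this amount."""
    submitter = record["submitted_by"]
    role = user_roles.get(submitter)
    if role is None:
        return [f"submitter {submitter} is not a known user"]
    limit = ROLE_LIMITS.get(role, Decimal("0"))
    try:
        amount = Decimal(str(record["amount"]))
    except InvalidOperation:
        return []  # already reported by the accuracy checks
    if amount.is_finite() and amount > limit:
        return [f"amount {amount} exceeds the {role} limit of {limit}"]
    return []


def validate_transaction(record: dict, user_roles: Dict[str, str]) -> List[str]:
    """Return every control violation; an empty list means the record may be processed."""
    violations = completeness_checks(record)
    if violations:
        return violations  # the remaining checks assume all fields are present
    return accuracy_checks(record) + authorization_checks(record, user_roles)


def process_batch(records: List[dict], user_roles: Dict[str, str]) -> Dict[str, object]:
    """Admit only clean records; every rejected record is kept with all of its reasons."""
    accepted, rejected = [], {}
    for rec in records:
        violations = validate_transaction(rec, user_roles)
        if violations:
            rejected[rec.get("transaction_id", "<no id>")] = violations
        else:
            accepted.append(rec["transaction_id"])  # hand-off to processing would happen here
    return {"accepted": accepted, "rejected": rejected}


# Constructed users and batch: one clean record and four that each fail one control.
USER_ROLES = {"u100": "clerk", "u200": "supervisor"}
SAMPLE_BATCH = [
    {"transaction_id": "T1", "account": "1234567890", "amount": "1500.00", "currency": "USD", "submitted_by": "u100"},
    {"transaction_id": "T2", "account": "1234567890", "amount": "80.00", "currency": "", "submitted_by": "u100"},
    {"transaction_id": "T3", "account": "1234567890", "amount": "12.345", "currency": "JPY", "submitted_by": "u200"},
    {"transaction_id": "T4", "account": "1234567890", "amount": "50000.00", "currency": "EUR", "submitted_by": "u100"},
    {"transaction_id": "T5", "account": "1234567890", "amount": "10.00", "currency": "GBP", "submitted_by": "u999"},
]

if __name__ == "__main__":
    outcome = process_batch(SAMPLE_BATCH, USER_ROLES)
    print("accepted:", outcome["accepted"])
    for tid, reasons in outcome["rejected"].items():
        print(f"rejected {tid}: {'; '.join(reasons)}")
```

The three check groups map directly onto the three guarantees in the text: completeness is tested first because the accuracy and authorization checks assume the fields exist, and a record is rejected with every violation found rather than the first one, so the manual side of the control (whoever reviews the rejected records) sees the full picture.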

Conclusion

This paper has shown how information systems control and security policies can be used by businesses to establish an organizational framework for protecting against malware and hacker attacks.

References

Laudon, K., & Laudon, J. (2015). Management information systems: Managing the digital firm (14th ed.). London, England: Pearson. Web.