Control activitiesare policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management’s responsibility to develop a secure and adequately controlled system. Management must make sure that: 1. Controls are selected and developed to help reduce risks to an acceptable level. 2. Appropriate general controls are selected and developed over technology. 3. Control activities are implemented and followed as specified in company policies and procedures. The information security officer and the operations staff are responsible for ensuring that control procedures are followed. Controls are much more effective when placed in the system as it is built, rather than as an afterthought. As a result, managers need to involve systems analysts, designers, and end users when designing computer-based control systems. It is important that control activities be in place during the end-of-the-year holiday season, because a disproportionate amount of computer fraud and security break-ins takes place during this time. Some reasons for this are (1) extended employee vacations mean that there are fewer people to mind the store (2) students are out of school and have more time on their hands and (3) lonely counterculture hackers increase their attacks. Control procedures fall into the following categories:
