Accounting Information Systems of Air New Zealand - Assignment Example

Accounting Information Systems Table of Contents Table of Contents 1 Introduction 2 Threats 3 Common Threats 3 External Threats 4 Internal Threats 4 Operational Threats 5 Security 6 Confidentiality 6 Integrity 7 Availability 8 Controls 8 Specific Controls that will protect Customer information of Air New Zealand 9 Access controls 9 User Controls 10 Data Sharing Control 10 Internal Operation Control 11 Implementing Information Security Management Systems 11 References 12 Introduction Air New Zealand is the national carrier of New Zealand, established as Tasman Empire Airways Limited in April 26, 1940. The New Zealand government bought full ownership in 1961 then it was privatized in 1989 and was rescued by the government again through the ownership of 80% of its shares through the injection of fresh money in 2001. Air New Zealand provides both international and domestic routes to its clientele. Air New Zealand have a total workforce of 10,453 employees and a reported income of 71$ Million as of August 2012 (Air New Zealand, 2012). Air New Zealand can be considered as one of the lifeblood of New Zealand’s economy since it provides services that are essential in the dynamics of commerce. At about 9am in November 10, 2009, an outage of the computer system of Air New Zealand affected its airport check-in systems as well as its online bookings and call centre systems. The outage affected more than ten thousand passengers contributing to the chaos and confusion of affected airports (NZPA, 2009). The disruption not only caused millions of dollars in actual damages to Air New Zealand itself but also to its customers and related business depending on the airline for its logistic needs. In June 18, 2007, Air New Zealand/Eagle Airways Flight 2300 was forced to land on its belly due to hydraulic system that was being drained via a fatigue crack in its actuator that caused the landing gear to being stuck. There was no recorded fatality in the incident and the damage to the aircraft is repairable (TV NZ, 2007). Both incidents while considered accidents could have been prevented if the right information security management system is in place to protect the information assets of Air New Zealand. It should be noted that incidents similar to the ones described may cause the company more in terms of legal if not good will costs. Threats Threats not only impact the corporation itself as an entity but also affect its employees, clients and partners. As predicated above threats not only affect the operation of Air New Zealand, it likewise creates doubt about the safety of its clients and equally affects its financial assets as well as those of its partners. Identification of the threats is therefore not only essential in managing the risks associated to the operation and service provisioning of Air New Zealand it is similarly essential in setting up the infrastructure that would support its overall security management systems. Threats by any definition is an entity or process if not events that threaten life, disrupt operation, or cause damage to the corporate image of any entity and in this particular case—Air New Zealand—its cause damage to assets of the company, its employee, its clients and even its partners. In the context of information technology in particular Accounting Information System, a threat is a process, thing, or person that will affect the confidentiality, integrity and availability of the information system, its data and programs (Whitman & Mattord, 2011). Common Threats Natural Disasters and Terrorist Attacks – these are often remediated with the use of back-up sites Software Errors and/or Equipment Malfunctions – This will be discussed further at the operational threats Unintentional Acts – These are often done by unsuspecting clients and at times even employees. Strict information security policy is the best way to address these threat. Intentional Acts – This can be done by hackers from the external front and disgruntled employees from the internal front. We need to classify threats based on their impact and cost to the company to assess the amount of investment needed to neutralize the threats and reduce the risk of its consequences. The following threat classification enables companies to develop remediation strategies. External Threats Most organization prepare for threats emanating from outside the comforts of its offices or its property. These are threats coming from terrorists, criminal elements and even those people who are considered harmless, but nevertheless cause damage to properties and even disruption to the operation of Air New Zealand. In the context of information technology threats can emanate from hackers, or even customer who unknowingly email or infect the exposed system of Air New Zealand to viruses or malwares. Information Technology related threats are often remediated thru the installation of perimeter defences such as firewalls and external servers where data can be inoculated for viruses and malwares including limiting the access of hackers, Internal Threats Internal Threats are threats coming from employees, officers and even owners of the organizations. Lack of control and open access system often times result to accidental deletion of data. In some instances, disgruntled employees themselves are sometimes the cause of internal threats to computer system. More often than not internal threats are often times disregarded in the installation of an information security management system. Internal threats are strategically addressed and remediated thru strict access control, user and information security policies these are augmented with the use of individual user name and password combination. Compartmentalizing information is a good security strategy to limit the access of information to departments or personnel that needs them in performing their tasks. Operational Threats Another area that is most often disregarded is the threats that come from the actual operation of the airline. No process documented or not is perfect. Thus there is also a need to review and identify the threats associated to operational threats. There are instances wherein employees need to work around the system to achieve the business objective of his position. It is often overlooked that these loopholes are the sources of vulnerability that open the floodgates of attack or taken advantaged off by hackers to gain entry into the system or for accidents to happen. System or operational loopholes are often too obvious that they are most of the times ignored by employees because it is beneficial in achieving their operational targets. Operational threats can be remediated with the use of a helpdesk system that will enable users in an organization to report problems of any kind. This will prevent employees from developing work around from the established operational procedures. This strategy will enable the organization to correct loop holes in their operation that will expose their data. Security It should be noted that each of the threats enumerated in this paper has the potential to expose if not affect the confidentiality, integrity and availability of the customer information system of Air New Zealand. It should be highlighted that it is essential for airlines to collect related customer information to address regulatory and national safety concerns. However, customers shall divulge information only with the understanding that Air New Zealand will protect it from third parties. The security of customer information has three components that needs to be addressed to ensure that it is considered secured. Each component will be discussed in the context of customer information. The related system to be addressed in the explanation would be a module of the accounting information system more specifically the ticketing system. Confidentiality Confidentiality is an aspect of security that relate to keeping the contents, data or even the identity of customers stored in the Air New Zealand information infrastructure. The mere exposure of the names of the customers of Air New Zealand may expose the customers to criminal elements. To illustrate: if a kidnap for ransom criminal syndicate happens to acquire information about the travel arrangements of a particular customer. It is easy for the syndicate to lay in wait or arrange for the taking of the customer where he is most vulnerable. Protecting customer information is not only a fiduciary responsibility of Air New Zealand it is a regulatory requirement to ensure the safety of its passengers. Other details such as the home address, destination address, as well as the financial details of the customer must be protected as well. Integrity Integrity is an aspect of security since it addresses the veracity and accuracy of the data, in this case the customer information of Air New Zealand. While it is essential to protect the confidentiality of the customer information its accuracy that portends to its integrity must likewise be protected or secured. If the integrity of customer information is breached, it conveys that the data therein cannot be relied upon. Ergo there would be a need to verify each item therein. The verification process alone can take time that would result to delays thereby negating the benefits of having a computer system. A breached in the integrity of the system would also render succeeding reports that used the data with dubious integrity be questioned as well. Securing the integrity of the data starts from its entry into the system. The person encoding the data or the system where the data is obtained should be reliable. Thus a series of controls at the entry level should be strengthened. Then it is important that once a data is entered or made part of the Air New Zealand system it should not be edited by anybody except those authorized to do so. Availability Availability refers to the access and availability of the data in the form and manner it is most available. To illustrate: denial of service normally prevents legitimate people or employees from accessing customer data. The denial of access leads to losses if not good will losses because operation is not only impaired but are disrupted to the point of stopping. The most oft repeated hacking technique is the denial of service which prevents or hampers the operation of a company because data are not available for its use. Availability of data as a component of security mandates that data should be available in the form at the time it is needed. Controls Controls are most often made part of the information security management system through a framework that is adopted by the organization. Controls are basically employed to address the sources of threats if not mitigate the risk associated to the identified threats that are essential in the operation of the organization. Controls can be instituted through policies and procedures at the operational stage or through the controls given to tools that would include software tools (Blackley, Peltier, & Peltier, 2003). Information Technology Security Management System that would include COBRA COBIT, BS 7799 or ISO 27001 are frameworks that are used as bases in the formulation of security policies and procedures. These frameworks when used as basis for the set of controls will require monitoring by the organisation. Breached controls are considered security incidents that need to be resolved or corrected. Security incidents are not problems or in itself security violation per se most of the times these are incidents that require attention since they present a vulnerability in the operation of the organization (Whitman & Mattord, 2011). It should be noted that incidents are often times caused by accidents. Deliberate attack requires skills in hacking. It should be emphasized that controls according to the frameworks listed above are not exclusively provided by technology appliance. A significant number of controls are instituted through the implementation of security policies and revisions in procedures and processes to make it symmetrical to information security management systems goals. The operation and culture itself of the organization should be modified to a culture where the security of information is not only important but considered essential in everyday tasks. Only through this methodology will the employees be acculturated to information security. Specific Controls that will protect Customer information of Air New Zealand Several information security management system framework list controls or strategies that will help in protecting customer information of Air New Zealand. A practical approach of course is to limit the amount of data collected from customers to ensure that each customer’s information exposure is limited to what is essential and needed by Air New Zealand. Another approach is to convert or transform the contents of the data when it is stored in the system then decoding it again when it is accessed. Access controls Access control pertains to wifi access points, PC connection ports and/or remote location access through dial-in modem. This type of control can be successfully implemented using appliances that will limit the amount of data to be transmitted or accessed by parties accessing the system to extract customer information. Most of the time access to the server is obtained using user password combination. There are instances the use of passwords may also be secured through regular password change (Romney & Stenbart, 2009). User Controls Once an employee or affected party gains access to the system, it is essential to provide the person or party a user name and password combination. The profile or organizational group of the user, person or party will be have limited access to the information as defined by his job description. The level of information if not the amount of information available to the users should be defined by the profile of user and his job description (Hurt, 2009). Data Sharing Control There are two aspects in data sharing controls—the first is the authentication and validation of the parties trying to connect with Air New Zealand. The other would be the amount of data the partners of Air New Zealand can access. A process can likewise be instituted wherein Air New Zealand can “push” the data to their partners thereby limiting the access to their system while equally ensuring that Air New Zealand will only communicate with established IP addresses. Credit Card companies only need the name of the card holder, the card number and the amount. This should only be the data provided to credit card companies. Similar companies or partners can also have the same arrangements. These companies would include limousine, hotel and other services that may require the data of Air New Zealand’s customer. Internal Operation Control Different departments in Air New Zealand have specific need when it comes to customer information. The accounting department for example only need the transaction amount on a normal operation day. Audit may require all the information but these are special circumstances that can be dealt with at the right time. Other departments such as the booking department only need the destination and connecting requirements of the customer, there might not even be a need for these departments to see the identity of the customer. Limiting the access of the different departments in Air New Zealand to customer information could contribute in securing customer information. However this strategy would require the help of the infrastructure that would control user access. Implementing Information Security Management Systems In implementing information security management systems, it is essential that an operational framework is in place that will report, catalogue and address security incidents. The operational framework should include a process where security incident logs will be analyzed and evaluated to spot for recurring incidents that need to be resolved or plugged. It is essential that each incident is addressed ergo, a mechanism that will make the incident open until it is resolved should be installed (Peltier, 2001). Monitoring the compliance and breaches of security controls is as important as installing them. This is to ensure the efficacy of the controls while measuring the efficiency of the response strategy of the information security management system in addressing such breaches. To illustrate: the number of failed login that is exceeds the tolerable limit of accidental entry of wrong passwords will indicate that an attempt to gain entry into the system is being tried somewhere in the network. In this case, the best response is to locate this terminal and accost if not secure the person who is attempting to gain entry into the system. Firewall, anti-malware that will stop Trojan horses can also be installed to secure the system. However, it is not enough to stop or deny entry to possible hackers, dimensioning of the potential threats by measuring the attempts to breach perimeter defences should also be monitored to ensure that threats are not only identified but also neutralized. The same is true for threats, emanating externally, internally and even threats coming from the operation of the company. It should be noted that technology or security appliance is not the only asset that can be used in neutralizing security threats. Employees or even customers themselves are potent detectors of possible security threats. References Air New Zealand. (2012, August). Annual Financial Reports. Retrieved October 5, 2012, from Air New Zealand corporate website: http://www.airnewzealand.co.nz/assets/PDFs/2012-annual-financial-report.pdf Blackley, J. A., Peltier, J., & Peltier, T. R. (2003). Information Security Fundamentals. Boca Raton, FLorida: CRC PRess. Hurt, R. (2009). Acounting Information Systems - Understanding Business Process. New York: McGraw Hill. NZPA. (2009, November 10). Computer crash Chaos for Air New Zealand. Retrieved October 5, 2012, from Stuff.co.nz: http://www.stuff.co.nz/national/2952584/Computer-crash-chaos-for-Air-New-Zealand Peltier, T. (2001). Information Security Polices, Procedures and Standards: Guidelines for Effective Information Security Management. United States: CRC Press LLC. Romney, M., & Stenbart, B. (2009). Accounting Information System. Sydney: Pearson Education. TV NZ. (2007, June 18). Belly Landing at the Blenheim Airport. Retrieved October 05, 2012, from TV NZ: http://tvnz.co.nz/content/1187269/423466.html Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security. Boston: Cengage Learning Products. Read More