Information System Controls

The purpose of this document is intended to look at a course registration system within a university and argue which controls should be inputted into that system to ensure the system is not being abused. Also included within this document is an argument for which controls should be put into place to ensure students are able to enroll into courses they request.

When using an information system within a university to ensure student enrollment within classes they request there are few security controls that will have to be implemented. Without controls to protect the information system people will most certainly abuse the system. Controls not only assist the students, but they also aid the school in ensure the classrooms are not being overfilled. Controls will also help the school faculty by protecting information that students, whom don’t have a need to know, from viewing. If controls weren’t put into place, students would have access to other students personal information such as social security numbers and addresses, students then would be able to steal their identity and open credit cards and reek all sorts of havoc on each other.

Without an information system having controls in place there would be virtually no security to protect peoples information or the information system itself, however what types of controls should be put in place? When talking about information systems there are different types of controls that happen at different levels, the overall goal is to ensure data confidentiality, data integrity, and data availability. This means users should only have access to information that they are authorized to have access to. Data integrity means that data is secured and not being changed from the time a user inputs the data into the system to the time the data is being accessed. Data availability means that the data is there and ready for when the wants to access it. One form of controls is user-based permissions; this ensures users have access to only the data they are authorized to have access to. Another form of control is file-based permissions; this ensures only authorized personnel can access that specific file. Everything that happens within an information system happens at the system level. The system-level is responsible for auditing everything that happens on that system, but also ensuring everything on that system follows the correct policies and procedures for operation (, 2004). System-level controls cover everything from proper administration of the system, acceptable use policies of that system, backup procedures of the system, and how data is accessed, stored, or modified on the system. The different types of controls on the information system ensure the confidentiality, integrity, and availability of the data within an information system (Locicero, 2007).

When a student needs to enroll into a class they should first have to have a username and password to log into the information system with. The information system should be using encryption in order to ensure the data being passed between the users computer and the information system is secured. The information system itself should either be placed on a server or multiple servers to ensure that it has maximum uptime, as well as, being on some sort of uninterruptable power source (UPS) or backup generator. The information system should also have redundant paths to ensure the network access has maximum uptime. The information system’s audit, security, and application logs should be stored on a separate server, which should be secured. Trained personnel who are trained to follow all necessary policies and procedures should complete the basic administration of the system. The information system should have a consistent backup plan, which is tested on a regular basis in the event of a failure. There should also be a disaster recovery plan for the information system, which should be stored in a location that is different from where the information system resides. These sets of controls will ensure students are able to enroll in courses they request, as well as, maintain the information system for everybody to use.

In conclusion, when there are proper policies and procedures that have been implemented for an information system and everybody follows the doctrine this preventative action should greatly reduce the event of improper use of an information system. Proper administration of an information system will greatly mitigate any security issues that may arise. Having backup and disaster recovery procedures will ensure the information system can be recovered in the event of something catastrophic.

1. (2004, February). Review of Information System Controls. National Audit Office Form 905, 2.3, Retrieved August 21, 2008, from [URL Removed Broken link]
2. Locicero, Claudio (2007, November 5th). Confidentiality, Integrity, Availability and What it Means to You. Retrieved August 21, 2008, from Confidentiality, Integrity, Availability and What it Means to You Web site:,-Integrity,-Availability-and-What-it-Means-to-You&id=817559