
By Edison Fontes
 
On February 19, PricewaterhouseCoopers (PwC) released its survey "Economic crime: a threat to business processes – 2014". The survey drew 5,128 respondents from 96 countries; 54% of the participating companies have more than 1,000 employees. Brazil is represented in this contingent.
 
It is a rich piece of research and deserves to be studied and debated in detail, with the judgement needed to identify what it says about each organization's own reality. I suggest that the reader access the PwC website and read it in full.
 
For this article, I would like to highlight some items that reinforce the Organizational Information Security Process as the preventive basis for combating fraud and minimizing its impact. Let's see:
 
a. In Brazil, 24% of companies reported identified cases of economic fraud, and 64% of those frauds were committed by internal personnel.
 
b. Within the fraud triangle of Rationalization (desire), Opportunity and Pressure, Opportunity was the most cited factor, at 74%; the other two accounted for 13% each.
 
c. A whistleblowing (reporting) channel was the means that most often led to the discovery of fraud, at 34%, followed by information monitoring at 21% and internal audit at 17%.
 
d. Recommendations for combating fraud:
 
– Involvement and commitment of top management.
 
– Risk management.
 
– Controls, policies, rules, procedures and monitoring.
 
– Continuity of actions for compliance.
 
Considering only the highlights above, the Organizational Information Security Process is fundamental to the existence of controls that help combat fraud.
 
An opportunity to commit fraud points to vulnerability in system controls and weakness in information security controls. For example, if a user discovers that there is no adequate audit trail (nobody will know what he did), that he can act under another user's identification, or that access authorizations that should have been revoked are still valid, these weaknesses create opportunities for fraud.
 
Monitoring information requires traceability records; user identifications must be effective, and the traceability records themselves must be reliable, with their integrity guaranteed.
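The two previous paragraphs describe what a trustworthy audit trail must provide (integrity of the records, and the ability to spot actions by users whose access should already have been revoked) without showing how either is achieved. The following is an added example, not code from the article or its author: each audit record is chained to the previous one under an HMAC, so that editing or deleting a stored entry breaks verification, and a revocation list is checked against the log to surface actions taken after a user's access should have been cut. The signing key, user names, dates and amounts are all constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import date

# Assumed key held by the log collector, never by application users (constructed, not for production).
LOG_KEY = b"example-log-hmac-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, record: dict, key: bytes = LOG_KEY) -> dict:
    """Append a record, binding it to the previous entry's tag and its position in the log."""
    prev_tag = chain[-1]["tag"] if chain else "0" * 64
    body = {"seq": len(chain), "prev": prev_tag, "record": record}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = LOG_KEY):
    """Return (True, None) if every entry is intact, else (False, index of first bad entry)."""
    prev_tag = "0" * 64
    for i, entry in enumerate(chain):
        body = {"seq": i, "prev": prev_tag, "record": entry["record"]}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if entry["seq"] != i or entry["prev"] != prev_tag or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def actions_after_revocation(chain: list, revoked: dict) -> list:
    """List (seq, user, action) for entries dated on or after the day the user's access should have been cut."""
    findings = []
    for entry in chain:
        rec = entry["record"]
        cutoff = revoked.get(rec["user"])
        if cutoff is not None and date.fromisoformat(rec["date"]) >= cutoff:
            findings.append((entry["seq"], rec["user"], rec["action"]))
    return findings


# Constructed sample data (not taken from the article or the PwC survey).
REVOKED = {"jsilva": date(2014, 1, 31)}  # hypothetical user who left the payments function on 2014-01-31


def build_sample_chain() -> list:
    chain = []
    append_entry(chain, {"date": "2014-01-10", "user": "mcosta", "action": "approve_payment", "amount": 1200})
    append_entry(chain, {"date": "2014-01-20", "user": "jsilva", "action": "approve_payment", "amount": 4300})
    append_entry(chain, {"date": "2014-02-05", "user": "jsilva", "action": "approve_payment", "amount": 9800})
    append_entry(chain, {"date": "2014-02-06", "user": "mcosta", "action": "view_report", "amount": 0})
    return chain


def tampered_copy(chain: list) -> list:
    """Simulate an insider rewriting a stored record to attribute an action to someone else."""
    copy = json.loads(json.dumps(chain))
    copy[2]["record"]["user"] = "mcosta"
    return copy


def deleted_copy(chain: list) -> list:
    """Simulate an insider deleting an entry from the middle of the log."""
    copy = json.loads(json.dumps(chain))
    del copy[2]
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited:", verify_chain(tampered_copy(chain)))
    print("deleted:", verify_chain(deleted_copy(chain)))
    print("actions after revocation:", actions_after_revocation(chain, REVOKED))
```

The point of binding each entry to both its sequence number and the previous tag is that neither a silent edit nor a silent deletion survives verification: the edited record fails its own tag, and the deletion leaves the next entry carrying the wrong sequence number and the wrong predecessor. The key must live with whoever operates the log, not with the users being audited; otherwise a user could re-sign the chain after altering it, which is exactly the "nobody will know what he did" opportunity the article warns about.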
 
The reporting channel must keep its information under a confidentiality standard compatible with its purpose. Access to this information must be strictly controlled, with proper authorization and with revocation of access for users who no longer perform the function.
 
Internal audit can only do its work if rules and controls exist that identify what does not comply with information security policies and standards. A user can only be accused of fraud for using another user's identification if a regulation states that, in the organization, the identification is personal and non-transferable.
 
Policies and standards must exist in a form that is compatible with, and easy to understand for, the organization and its users. Risk assessment is one of the dimensions of information security and has its own standard, ISO/IEC 27005:2008.
 
It is worth remembering that the recent Law 12,737 of 2012, which defines computer crimes by adding Article 154-A to the Penal Code, makes the offense depend on the improper violation of a "security mechanism". An organization without an Information Security Process will have difficulty proving in court the various criminal actions it has suffered if it lacks controls adequate to its size and type of business.
 
I consider the Organizational Information Security Process to be the basis for combating economic crime in the organization. Of course, other kinds of action exist as well. But read the PwC survey and draw your own conclusions.
 
Edison Fontes is a professor, holds a master's degree, and is CISM, CISA and CRISC certified. He is a consultant in Information Security, Risk Management and Business Continuity and the author of five books on information security (www.nucleoconsult.com.br).
 
