The fundamental purpose of information security is to protect essential information, which aids in supporting an organization’s mission. Every organization is prone to risks and uncertainties, some of which adversely affect performance; therefore, in a bid to support an organization’s mission, the management of risks and uncertainties is important. However, managing uncertainties is often a difficult task due to insufficient resources and many threats, vulnerabilities, and associated risks. Therefore, IT security must aim at reducing the risks and threats related to the security of an organization’s IT assets.
The management of organizational risks involves many tools and techniques that focus on the risks associated with information systems. Some of the important information systems that need security include the decision support system (DSS) and the transaction processing system (TPS). The TPS is essential in processing data obtained from transactions such as purchases, sales, payments, deposits, and withdrawals. The TPS procedures often involve calculation, classification, sorting, and the storage and retrieval of analyzed data. Risk refers to the potential adverse effects caused by a particular process or a future event that may affect the security of stored information. Risk management, therefore, involves the measures that prevent factors that may contribute to the failure in integrity or confidentiality of an information system (Tsohou, Karyda, Kokolakis, & Kiountouzis, 2006, p.198). This paper explores risk management in the transaction processing system. Management decisions based on inaccurate and ineffective TPS procedures can adversely affect consumer-related activities.
Transaction Processing System Vulnerabilities
Vulnerability refers to the weakness in the security of a management information system concerning its design, procedures, internal controls, or implementation. A system’s vulnerability may be exploited either intentionally or accidentally resulting in a security breach (Tsohou, et al., 2006, p.216). Vulnerabilities concerning TPS may be a technical flaw or weakness in any aspect of the TPS system. However, vulnerabilities are not limited only to technical protections of the system. The standard operating procedures of the system performed by the systems administrators, inadequate review of entries, setting and/or resetting of passwords can be a source of vulnerabilities.
Vulnerabilities can also be identified at the policy level. In TPS procedures, the lack of a proper testing policy may result in a lack of vulnerability scanning during implementation. There are vulnerabilities related to TPS design and implementation. The lack of clearly defined TPS procedures and internal controls in an organization can expose the TPS to risks. The TPS should have manual internal controls and checks throughout the data processing activities to ensure the accuracy of any retrieved information. A comprehensive audit program can assess the efficiency of the internal controls.
The standard operating procedures typical of a TPS include the verification of passwords, account number, and recording of transactions. However, the failure of the TPS system to perform these routines can be a source of vulnerability. Lack of information backups such as data or operating systems backups can also make the TPS vulnerable to risks. Additionally, lack of formal training on TPS procedures involving appropriate data entry, transaction processing, document processing, and retrieval of files by employees can be a source of vulnerability.
Inadequate procedures to recover information may expose the TPS to risks. Most TPS systems in an organization are networked via the internet and the lack of efficient information recovery procedures from the networks makes the TPS prone to risks. Additionally, the lack of alternative information processing or storage locations in an organization makes the stored information vulnerable to risks. Additionally, the lack of alternate communication services or a monitoring system may be a source of vulnerability. Vulnerabilities can be identified using a variety of software such as vulnerability scanners. The vulnerability scanners search a system for any flaws for necessary risk management. The review of the operational and management controls can also identify flaws within a system.
Identification of Threats
The potential of a given procedure or situation to exploit, either accidentally or intentionally, a particular vulnerability is a threat to information security. The threat source is an intentional method aimed at the exploitation of a particular system’s vulnerability. It can also be a method or situation that may not necessarily present a threat but which accidentally triggers vulnerability (Tsohou, et al., 2006, p.217). Threats and threat sources can adversely affect the security of TPS information. The possible threat sources to a TPS system are usually threats to the system. The accidental exposure of information such as passwords or account numbers to unauthorized persons is a threat to the security of the TPS system. Additionally, accidental release of sensitive or classified information can put TPS security at a risk. The alteration of TPS software during design or implementation may be a potential threat to information security. Modification, deletion, or insertion of any element of the operating system, whether authorized or not, puts the confidentiality or integrity of the TPS data programs at a risk. It also endangers the other information resources linked to the TPS system such as the decision support system and financial information system. This may include software viruses, Trojan horses, and malicious codes (Taylor, 2011, p. 129). This may result from improper bandwidth usage as most TPS activities within an organization are conducted via the internet.
Power fluctuations caused by commercial power failure may make data inaccessible to authorized users or result in alteration of essential data. An accidental error may arise when configuring the system during the upgrade or installation of the TPS software or communication equipment. This presents a threat source to information security. A malfunction of a communication system, especially during data transfer or retrieval of information from a particular computer terminal or host facility, can present a threat to the security of the information.
Common threat sources to a TPS system include natural, human, and environmental threats. Natural threats such as hurricanes, deluges, and quakes are usually unintended. They may cause damage to the TPS system or damage applications used in the system thus affecting its availability. Human threats can be either intentional such as virus infection or inadvertent such as mistakes during data entry. They affect the confidentiality and integrity of the information. Environmental threats for a TPS system include power failure that may result in modification of information or data.
Appropriate Security levels for TPS
Protection of data within a TPS system is important. The data should be protected from former employees or business rivals who have intentions of stealing or destroying essential business information. In real-time TPS, the security risk is high since data is made accessible to many users. To mitigate the potential risks, flaws in the TPS must be fixed to reduce the impact arising from the technical flaw (Caballero, 2009, p.65).
A common mitigation strategy for a TPS involves the installation of available software from vendors. If the threat is internet-related, a vulnerable aspect of the system such as web pages can be removed.
For a TPS system, several levels of security can be appropriate in ensuring the security of information. The use of passwords as means of authentication of individuals accessing the system promotes the security of information. The passwords should be difficult and unpredictable to an unintended user. They should include both numbers and letters that are difficult to predict. Weaker passwords are easily predictable putting the system at a security risk. The password input mechanism should be foolproof to prevent unauthorized persons from accessing them. For transactions requiring online transmission of a password through the internet, the server should be secured to ensure the protection of passwords and personal information.
The TPS can also be protected by biometric methods that use fingerprints or eye scans as a means of authentication. Sensitive data can be made secure using biometric devices that restrict unauthorized access. Additionally, data encryption can be an effective way of protecting sensitive TPS data. Sensitive data should be stored and transmitted in an encrypted format. On reaching the authorized user, the encrypted data is then decoded into its original form. This would ensure unrestricted access of information to authorized persons while unauthorized persons accessing the data may not correctly decrypt it. Another level of security applicable to a TPS system is the use of firewalls that alert online intrusion into the system (Caballero, 2009, p.67). The firewalls verify the passwords of any individual trying to access the system from the local network.
Effective risk management involves the identification of the vulnerabilities and threats to a system to establish effective IT security for the system. Due to the limitation of resources and many threats to information systems, risk management is important to protect essential data at a minimal cost. The TPS system supports decision-making within an organization and therefore, it is important to ensure its security. Multi-level protection involving the use of passwords, biometric devices, data encryption, and installation of firewalls can serve to reduce risks associated with the system. They also ensure the integrity, availability, and confidentiality of essential data and information.
Caballero, A. (2009). Computer and Information Security Handbook. New York: Morgan Kaufmann Publications.
Taylor, R. (2011). Digital Crime and Digital Terrorism. New York: Pearson Education, Inc.
Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2006). Formulating Information systems risk management strategies through cultural theory. Information Management & Computer Security, 14(3), 198 – 217.