Preventive Controls

Preventive controls are put in place to prevent disruptive events before their occurrence. For instance, the HVAC system is meant to prevent overheating equipment. Besides, business impact analysis identifies risks that require immediate mitigation thus improving security in return. In the business continuity plan for the financial organization, there are five preventive controls (Xin et al., 2019). The preventive controls include internal control systems, IT requirements, information security policy, change management, and IT controls (Clark, 2016). Proper implementation of the five measures will ensure that the BCP for the financial institution will achieve its aim of preventing disruptions from occurring and in case they occur it will ensure that operations continue in a time of disruptions and outages.

The financial institution should design and implement a comprehensive, efficient and effective internal control system that determines detective and preventive controls for risks associated with business and its core processes and minimizes operations risks and other risks (Xin et al., 2019). Internal control systems comprised of risk controls, business impact analysis, and risk identification/assessment (Clark, 2016). Business impact analysis is used to examine and measure the impact of a disruption and determines possible control measures and accountability. With the procedures in place, BIA outlines a framework to prevent occurrence threats (Oncioiu & IGI Global, 2019). Besides, risk controls are preventive measures that are aimed at reducing the damage and probability of occurrence of IT-related risks and operational risks. Risk controls, therefore, increases the resistance of an organization to threats and increases the reliability and robustness of its IT-related system and business operations (Allen & Derr, 2016). Lastly, risk identification/assessment is an internal control system that identifies and evaluates threats resulting from operational risks that can disrupt a business or its core processes and identifies critical business functions associated with the system. In conjunction with other risk categories, risk identification and assessments are performed to achieve optimal results. 

Other than internal control systems, IT requirement is another preventive control. The financial institution must meet facility management services and IT system requirements to prevent threats that may occur due to failure to meet the set standards (Oncioiu & IGI Global, 2019). The IT requirements that need to be adhered to include those responsible for clearing services and requirements on the workplace and supporting services (Clark, 2016). Meeting IT requirements ensures that the system does not work beyond its capacity to an extent that its infrastructure is compromised and exposes it to risks.

Concerning information security policy, the financial institution should maintain a robust information security policy to protect the disclosure of information to unauthorized users and ensure integrity and data accuracy. Information system security should comprise of different aspects to ensure the business and its process are not affected (Xin et al., 2019). First, the general duties of chief technology officers and subordinates should be well defined to avoid conflicts associated with nuclide duties (Allen & Derr, 2016). Physical control, application/system rights management, mobile phones/tablets, clean desk policy, outsource of partners and service providers, computer and internet, and data security and protection should be addressed in information security policy (Oncioiu & IGI Global, 2019). As a result, every member and each stakeholder in the financial institution should adhere to the information security policy. Besides, the financial institution should ensure that its policy complies with the set standards and requirements. 

Change management is another important aspect of preventive controls because a change in IT systems and business-related operations increases the possibility of disruptions. As a result, the company should implement a change management procedure that outlines the responsibilities and roles of each worker (Clark, 2016). Also, procedures should be evaluated, approved, and tested.

IT control is a preventive control through integration with the general risk controls of the company. Thus, the financial institution should ensure periodical testing, security relates aspects and connectivity (Allen & Derr, 2016). Through the IT controls, the company can prevent disruptions before they occur.

References 

Allen, G., & Derr, R. (2016). Threat assessment and risk analysis: An applied approach.

Clark, R. (2016). Business Continuity and the Pandemic Threat. Ely: IT Governance Publishing. 

In Oncioiu, I., & IGI Global, (2019). Network security and its impact on business strategy.

Xin, M., & Choudhary, V. (April 01, 2019). IT Investment Under Competition: The Role of Implementation Failure. Management Science, 65, 4, 1909-1925.