Study of information security, risk, audit and the role of law in Sri Lankan perspective

Abstract

2010 was named as the Information Technology year in Sri Lanka. Our main attention was focused on whether our systems supported by Information Technology (IT) were safe from attacks. With the expansion of Information Technology most of the Sri Lankan organizations were driven by computerized information systems. With the vital role played by the Information Technology for its users it offers not only the benefits but also unchallengeable threats. These threats came in many forms such as data sabotage, destruction of systems and hacking offences. To address this issue both the IT professionals as well as the legal experts had come with their own solutions from time to time. The role played by the Information Technology Audit was focused through this paper. Through IT Audit the possible attacks to the systems could be identified. The role played by the legal experts in this regard was enacting the most recent Computer Crimes Act No 24 of 2007 which enable to bring security violators to the law. The research methodology adopted by this research was checking 75 information systems of Sri Lanka by a validated questionnaire. The questionnaire was presented to the system users and the feedback from them was taken as the results of this study. IT Audit also could be used as an evaluation tool in a research like this although this study limited its scope to adopt sampling method through questionnaire since the data was highly confidential. The findings were analyzed in order to come for conclusion which satisfied the implemented security level in information systems which were reviewed. Overall security of the information systems was satisfactory in terms of physical, logical and network security. Approaches that could be taken when a breach of security was there in terms of legal measures were also come under review.