Information Security Risks
💻 “I Swear I Didn’t Click That Link!”
A Government Auditor’s Guide to the Wonderful, Wild, and Wicked World of Information Security Risks (Based on GAO Green Book 2025, Sections 8.14–8.17)
Picture this: It’s a sunny Tuesday. You’re sipping your lukewarm office coffee and opening your email when suddenly, *bam*, an urgent message from “IRS Refund Services” offers you $4,263.19 if you verify your banking info. You know it’s fake, but your coworker Jerry doesn’t. And Jerry just clicked.
That, my friend, is how Section 8.14 of the 2025 GAO Green Book just came to life in your inbox.
Welcome to the modern audit battlefield, where phishing is more dangerous than fishing, bots don’t dance (they breach), and Jerry doubles as both your coworker and your biggest security risk (bless him).
🎯 The basics: What is information security risk?
The GAO Green Book doesn’t mince words.
Section 8.14: Information security risk is the risk to entity operations, assets, and personnel, as well as external parties, due to unauthorized access, use, disclosure, disruption, modification, or destruction of information or information technology.
In other words, if your entity’s digital defenses are made of Swiss cheese, someone (or something) will find the holes. And the stakes? Not just corrupted files or frozen screens, but real operational damage to people, programs, and public trust.
These risks strike at the very heart of the holy trinity of information security objectives:
- Confidentiality (Keep it private)
- Integrity (Keep it correct)
- Availability (Keep it accessible)
And the villains threatening those objectives? They come in all shapes, sizes, and bandwidths.
🚨 Meet the usual suspects
1. Unauthorized access
When someone sneaks past digital doormen and starts messing with your stuff.
Section 8.14: End users, developers, or unrelated attackers may compromise the confidentiality of a platform or software system…
Sometimes this is a bad actor. Sometimes it’s just Jerry with admin rights he never should’ve had. Either way, the result is a mess.
2. Exploitation of personnel
Yes, we’re talking phishing.
Section 8.14: Attacks, such as phishing attempts, that trick users into revealing information or giving an attacker access…
Remember: It’s not just spammy emails. Texts, fake login pages, even QR codes at your local government conference are included. If it seems fishy, it’s probably phishy.
3. Malicious software (aka Malware)
Viruses, ransomware, spyware… it’s a software house of horrors!
Section 8.14: Installation of a program or file that intentionally attacks… by corrupting or stealing data, overwhelming a system with traffic, or locking the entity out.
If the objective is to harm your entity, steal your data, or get paid in shady crypto, then it qualifies.
4. Automated attacks
They don’t sleep, they don’t blink, and they don’t take holidays.
Section 8.14: Attacks… may be automated through bots, artificial intelligence, and machine learning software.
Imagine a robot army, except instead of lasers, they’re wielding SQL injections.
5. Undetected errors
These aren’t flashy, but they’re deadly.
Section 8.14: End users, developers, or unrelated attackers may improperly alter data… without visible evidence.
If no one knows the data’s been tampered with, people make decisions on false information. That’s not just a tech fail. That’s an audit fail.
6. Threats to the physical environment
Because Mother Nature doesn’t care about your data warehouse.
Section 8.14: Fire, loss of electricity, climate control failures, natural disasters… or failure to appropriately limit physical access…
Translation: lock the server room. And don’t put it in the basement. In a flood zone. Next to the microwave.
🧍 The call is coming from inside the office
Section 8.15 drops the mic with a reminder that sometimes the biggest threat is wearing a badge and sipping from the breakroom mug: Internal threats include unintentional acts by employees… [or] intentional malicious acts by former or disgruntled employees.
Yes, even beloved Bob from IT could go rogue if things go south. These folks know your systems, passwords, and coffee order. That’s the kind of insider access making auditors very nervous.
🌐 Outsiders aren’t always strangers
Section 8.16 gives us an external threat plot twist: not all outside threats come from hackers in hoodies. External parties… may include end users, such as program beneficiaries; federal, state, and local government entities; and service organizations.
So, that well-meaning contractor who manages your software updates? Still a risk.
That friendly state agency sharing your system? Still a risk.
Your outsourced data center in another time zone? Yep, still a risk.
Section 8.16: External information security risks may arise when an entity relies on these external parties’ internal control systems.
Spoiler alert: their weaknesses become your audit findings.
🧩 It’s complicated… literally
Management has a lot to consider when scoping out information security risks, and Section 8.17 gives us a checklist that feels… oddly relatable:
- Complex systems that make a Rube Goldberg machine look streamlined?
- New or emerging tech you adopted before fully understanding?
- Outdated software still limping along since Windows XP?
- Decentralized systems where no one knows who’s in charge?
- Outside access to sensitive systems?
- Staff who lack the tech chops to maintain defenses?
- End users who think a firewall is an actual wall?
Check, check, and check. (We’re looking at you, Jerry.)
Section 8.17: Management considers information security risk factors…
Yes, and so should we.
🕵️‍♀️ So, what’s an auditor to do?
First: Don’t panic.
Second: Follow the Green Book. It’s not just bureaucratic bedtime reading; it’s a roadmap. Sections 8.14–8.17 exist to help you anticipate the chaos before it strikes, document your thinking, and keep the entity on solid audit ground.
So, ask the tough questions:
- Where is your data stored?
- Who can access it?
- How are you protecting it from people, bots, and power surges?
- Have you trained Jerry?
Because here’s the truth: Information security isn’t just an IT problem; it’s a management responsibility and an audit imperative.
🔚 Final thoughts: It’s not paranoia if they want your data
Let’s be honest. Today’s risks are smarter, faster, and less polite than ever before. The 2025 Green Book knew this, which is why it pulled no punches in reminding us to take information security seriously. With malware mutating and AI-powered attacks on the rise, you need more than a strong firewall; you need a strong framework.
So, keep this blog bookmarked, keep the Green Book nearby, and remember: The next time Jerry clicks a suspicious link, your documentation better be solid.
Because when things go sideways, the best security is a good internal control!
Looking for high-quality and convenient CPE?
We have you covered! Our live webinars are a great choice if you want the learning to come to you. Just log on at the scheduled time and enjoy wherever you are! Here are a few of our upcoming courses:
- July 15: GAGAS 2024: The New Quality Management System (2 CPE hours)
- July 16: Excel Update: 2024 to 2025 (2 CPE hours)
- July 22-23: Audit Findings: An Online Workshop (8 CPE hours)
- July 24: Advanced Governmental Auditing (3 CPE Hours)
- July 25: Project Based Risk Assessment (4 CPE Hours)
Need to do things at your own speed, but still get all your credits? Plan your CPE around your life, not the other way around! Yellowbook-CPE.com has dozens of self-study e-book and video courses, including the Performance Audit Essentials Bundle. Are you a new performance auditor, or trying to get a new performance auditor up to speed? This bundle of courses is for you! New performance auditors learn how to think through an audit project on their own and learn critical relations skills.