Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Implementing Security Controls to Mitigate Identified Risks

Verified

Added on 2019/09/20

AI Summary

The company is taking three steps to detect malware and prevent intrusion into the internal system. These steps include keeping the system up-to-date, using right anti-virus software, and running cross-checking of the system periodically. The company also uses Windows operating system on all its computers with automatic updates for security patches. In addition, periodic cross-checks will be done to ensure the entire system is secure. Other risks identified include brute force login, flood at primary facility, disk error, and unreadable display. To mitigate these risks, information security controls from ISO 27002 (2005) will be implemented. These controls include training employees on information security awareness, implementing account lockout policy to prevent brute force login, transferring data centre location to the top floor to prevent flood damage, having instant copies of files at different locations to prevent disk error, and upgrading physical system to reduce human-led mistakes.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

0
Risk Assessment
Data Services and Systems Pvt. Ltd.
Student Name:
Course Name:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1
Abstract
The paper is concerned with identification of security risks for a company and understanding
the possible mitigation steps for them. The company selected for the assessment is Data
Services and Systems Pt. Ltd. It is a hypothetical company chosen for the security risk
assessment. The company deals in data analytics and services. The company is situated in
Guiyang city of China which is a flood prone location. The client base of the country is all
over the world. They are big and small businesses that need data analytic services for specific
market. The company is headquartered in Guiyang and accesses the data of various other
locations with the help of network of freelancers it has built in years.
The paper identified twelve security risks for the company. These security risks are: delivery
malware to internal system, network sniffing of exposed network, craft phishing attack, get
physical access through authorized staffs, communication interception attacks, brute force
login, spill sensitive information, flood at primary facility, mishandling of sensitive or critical
information, disk error, unreadable display, and incorrect privilege settings.
These risks were further analysed on various parameters and mitigation steps for six of the
risks were identified. There were multiple security controls identified to ensure that these
risks do not occur.

2
Table of Contents
Abstract......................................................................................................................................1
Introduction................................................................................................................................3
Scope of ISMS...........................................................................................................................3
Information Security Policy Statement......................................................................................3
Risk Assessment.........................................................................................................................3
Information Security Risks....................................................................................................3
Adversarial Risk.................................................................................................................4
Non-Adversarial Risk.........................................................................................................5
Response to Identified Risks......................................................................................................6
Information Security Controls....................................................................................................6
Conclusion..................................................................................................................................6
References..................................................................................................................................6

3
Introduction
The company that has been selected for the assessment is Data Services and Systems Pt. Ltd.
It is a hypothetical company based out of Guiyang City, China. The company provides data
analytics services to various clients around the world. The client of the company ranges from
large companies to small companies and some governmental organizations. The company
operates with around fifty employees who work in-house. Along with that, the company also
has many individuals working for it as freelancers. The freelancers are located in various
countries around the world. They provide their services to the company from their respective
home countries. All the activities of the company are technology based and company has
never involved itself in the activities that require offline management. There are some
activities such as field survey for data collection that is conducted by country specific
freelance teams. The company is smaller in size and it has no head office outside China. The
only method that has been considered to operate for other countries is through the internet
based services. The data collection and management of those countries are taken care at the
head office. The data collection and compilation is done by the freelancers.
The company management is concerned about the various security risks that might impact the
organization’s activities in the days to come. Some of the concerns are related to security of
the data and information from physical and technical damages and others. Therefore, the
management is willing to implement Information Security Management System (ISMS) to
ensure that all the risks are taken care. Various chapters in this section are focused on
identifying the likely risks that can occur and then devising appropriate mitigations plans for
them. The second chapter discusses about the scope of the ISMS for the company. The third
chapter discusses the information security policy statement. The fourth chapter assesses the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4
various security risks. The fifth chapter identifies the possible responses to the assessed risks
and the sixth chapter discusses the various security controls as per ISO 27002.
Scope of ISMS
The company is situated in Guiyang City which is the capital of Guizhou province of
Southwest China. The city receives flood almost every year. The company is physically
present at this city only and there is no other physical presence in any part of the world.
However, as per the business market is concerned, the company covers various countries
such as USA, European Countries, India, and others. The company is into data analytics and
management. The clients of the company hire it to conduct various forms of analysis to
understand and analyse the market trends and other aspects. The data is collected by the
company through online network of numerous freelancers active throughout the world. The
operations department of the company handles these freelancers. The department assigns
responsibilities to these freelancers through email and chat. The completed tasks are received
through emails. At present the company uses QQ as the mail and chat messenger to conduct
its business worldwide. The freelancers use QQ International to connect with the operations
department. The report related to completion of particular task such as data collection from
field, data collation and other activities are informed to the Finance department that in the end
of each month distributes the finance. The
The dependency on the online communication is huge within the company and it cannot
operate even for a single day without the presence of this aspect. The company has current 65
desktops, in which around ten are idle and the rest are functional. The operations department
uses around 30 of these computers and the rest of the computers are distributed among other
departments. All the computers are connected with High Speed Broadband for the internet
connection. The company also uses large data storage centre which is situated on the ground

5
floor of the company headquarter. The data centre of the company uses various components
for its functioning. Some of the important components are heat exchanger, transformers,
server room, cooling-units, extinguishing gas, diesel generators, cooling water, batteries,
telecommunications, and video cameras. The company uses different software available for
different types of data analysis and maintenance such as IBM’s SPSS, R, and others. There
are some more technological assets such as iPads, laptops, mobile phones, landline
connection, and others.
The company’s headquarter is a six storey building. The ground floor has the data centre, and
the rest of floors are for staffs and company management. Other than the technological assets,
and building, the company has furniture sets used by the staffs to work.
Information Security Policy Statement
Given below is the information security policy that is active within the company:
1. The company will safeguard the entire information received from the client.
2. The data and information will be kept confidential from access to any third party until
ordered to do so by the management.
3. It should be ensured that the network infrastructure available is reliable and sound for
proper functioning of the business.
4. The compliance to international information security standards should be followed.
5. The management of the organization will handle all the security related issues and the
changes in the policy will on its discretion.
6. The continued assessment of the risks should be done to ensure any shortcomings are
identified as early as possible.
7. Before or after the implementation of any changes within the organization should be
followed by security assessment.

6
8. The access to sensitive information will be protected within multiple layers and will
be accessed by authorized personnel only.
9. The information should be segregated into sensitive and general information the
moment it arrives to make a clear distinction and management (Bulgurcu et al, 2010).
10. While at employment, all the information generated by a particular employee will be
the asset of the company and will be stored in the company repository.
11. The employees are instructed not to use their personal equipment like laptops,
smartphones, and other such thing within the company premise to access the data and
information of the company (Hone and Eloff, 2002).
12. Use of any external storage device is not allowed with any computer or other
electronic equipment of the company.
13. All security issues must be reported to the management at shortest possible time.
Risk Assessment
This section is concerned with identification of various security risks that are likely to
threaten the functioning of the business. There are twelve security risks that have been
identified. Six of them are adversarial risk and the rest are non-adversarial risk (ISO 27002,
2005).
Given below are the adversarial risks that have been identified for the organization:
1. Deliver Malware to Internal System: The hackers from outside the organization can
insert malware into the system that can disrupt the functioning or steal information
that is sensitive. These are mostly done to sell the information to the competitors.
2. Network Sniffing of Exposed Network: The presence of any exposed network to the
external environment might allow the external party to gain the system access.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7
3. Craft Phishing attack: There can be various forms of phishing such as webpage
cloning or emails that seem to be coming from authorized personnel but not in actual.
4. Get physical access through authorized staffs: Stealing the access of authorized
person physically to get into the system.
5. Communication interception attacks: gaining access by attacking the
communication that use weak encryptions
6. Brute force login: External parties can guess access passwords and other
authorizations codes. Software to crack codes possibly used in these cases.
Given below are the non-adversarial risks that have been identified for the organization:
1. Spill sensitive information: it is about sending the sensitive material to the
unauthorized individuals.
2. Flood at primary facility: This company is located in Guiyang which is a flood
prone location. The location of server is on the first floor of the building and it is
likely to get impacted if flooding occurs. Therefore, flood is a major threat to the
company.
3. Mishandling of sensitive or critical information: Mishandles the information and
unknowingly leaves at places where it should not have been.
4. Disk error: Storage corruption occurrences that destroys the information present on
the disk
5. Unreadable display: The company has desktops that are of no appreciable quality
and it is expected that due to the poor display of some of the computer, challenge in
handling the information can come up.
6. Incorrect privilege settings: Due to the mistake of the administrators, some
unauthorized person is allowed access to sensitive material

8
Adversarial Risk
Threat
Event
Threa
t
Sourc
es
Threat Source
Characteristics
Releva
nce
Likelih
ood of
Attack
Initiatio
n
Vulnerabil
ities and
Predisposi
ng
Conditions
Severity
and
Pervasive
ness
Likeliho
od
Initiate
d
Attack
Succeed
s
Overall
Likelih
ood
Level
of
Impact
Risk
Capabil
ity
Intent Targeti
ng
Deliver
malware to
internal
system
Outsi
der High
Modera
te
High Predicte
d
Modera
te
High High Very
High
Very
High
Moder
ate
Modera
te
Network
Sniffing
Exposed
Outsi
der
High Low High Predicte
d
Modera
te
High High Very
High
Very
High
Low Low

9
Network
Craft
Phishing
Attack
Outsi
der
Moderat
e
High High Predicte
d
Modera
te
High High Very
High
Very
High
Low Low
Access
physical
access
through
authorised
staffs
Outsi
der
Low High High Predicte
d
Modera
te
High High Very
High
Very
High
High High
Communica
tion
interception
attacks
Outsi
der
Moderat
e
Low High Predicte
d
Modera
te
High High Very
High
Very
High
Low Low
Brute force
login
Outsi
der
Moderat
e
High High Predicte
d
Modera
te
High High Very
High
Very
High
High High

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10
attempts
Non-Adversarial Risk
1 2 3 4 5 6 7 8 9 10 11
Threat
Event
Threat
Sources
Range
of
Effects
Relevanc
e
Likelihoo
d of
Event
Occurrin
g
Vulnerabiliti
es and
Predisposing
Conditions
Severity and
Pervasivene
ss
Likelihoo
d Event
Results in
Adverse
Impact
Overall
Likelihoo
d
Level of
Impact
Risk
Spill
Sensitive
Informatio
Accidental
(User)
Low Possible Moderate High Low Moderate High High High
Flood at
Primary
Facility
Environment
al (Flood)
High Predicted Low High Low Moderate High Very
High
Very
High

11
Mishandlin
g of
sensitive or
critical
informatio
Accidental
(User)
Moderat
e
Expected Moderate High Moderate High Moderate High Moderat
e
Disk error Structural
(Storage)
Low Possible Moderate High Moderate High Moderate Moderat
e
Moderat
e
Unreadable
display
Structural
(Display)
Low Predicted Low High Low Moderate Low Moderat
e
Low
Incorrect
privilege
settings
Structural
(Controller)
Low Possible Low High Low Moderate low Moderat
e
Low

12
Response to Identified Risks
Given below are the responses to the identified risks from the “Risk Assessment” above:
1. Craft Phishing Attack
The phishing attacks can be prevented by providing training to the employees to ensure that
they detect the phishing efforts before it impacts any system. They need to be taught about
the way to identify the emails that looks suspecting. The information source of the email
should be checked prior to opening it. Direct link clicking should be prevented (Litan, 2004).
The employees need to be taught to believe their instincts on opening a new page or email
and if there is slightest of doubt, then action must not be taken. If not sure, then someone
from security division must be contacted.
2. Deliver Malware into Internal System
The company will be working on three steps to detect malware and prevent intrusion into the
internal system. They are keeping the system up to date, using right anti-virus software, and
running cross checking of the system periodically. The company is using windows operating
system on all its computer as it is compatible with most of desktop applications. The
windows will have automatic updates on which automatically keep the system upgraded with
security patches time to time. Effective anti-virus will be used on all the computers (You and
Yim, 2010). The anti-virus will of enterprise level. Any anti-virus is not powerful enough, so
periodic cross checks will be done for entire system within the organization.
3. Brute Force Login
The external parties can conduct brute force attacks in various ways. The use of guessing is
preferred manner and various combinations is tried to open the system by the person. The

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13
manual guessing works well if the personal is familiar with the other party. In other cases,
software are used. The prevention of brute force can be done through implementation of
account lockout policy. In this, consecutive three failed attempts will require the user to
contact the administrator. The second method is delaying the account access for certain
period after wrong attempt. The third method is the use of challenge-response test. There are
tools like reCAPTCHA that can be used (Von Ahn et al, 2008). Google also provides image
options that can eliminate the attack of automated systems.
4. Flood at Primary Facility
The city is prone to flood due to its location. The company has placed its data centre on the
ground floor in the beginning as it was assumed to be comfortable to establish one on the
ground floor rather carrying all the components to other floors. The flood might impact the
data centre severely and result in data loss. This can be prevented by taking two consecutive
steps. The first step is to establish a remote data storage services. This can be done through
transferring all the files on cloud network. Reputed companies like Amazon, Google, and
Microsoft provide such services. The next step is to transfer the data centre to the top floor.
5. Disk Error
The challenge of disk error can be resolved by having an instant copy of whatever is saved on
the computer disk at another location. The employees need to be trained on how to keep
another copy at different location within the company. However, if such situation arises in the
future, then there are some methods that will be utilized. They are testing the memory – to
identify is there any issue with the memory; trying the disk on another system; replacing
cables; and updating the bios.
6. Unreadable Display

14
The unreadable display issue within the company is due to the purchase of some old
computers when the company was being established. However, after the growth of the
company, these computers are still being used. The displays are in pretty based shape. The
company management needs to invest some budget into the purchase of some good retina
display monitors which will be comfortable for the employees to use and also will reduce the
likeliness of human led mistakes. The company can make bulk purchases from reputed
brands like Wipro, Samsung, Dell and others to upgrade the physical system.
Information Security Controls
Given below are the information security controls (ISO 27002, 2005) for the risks that have
been identified earlier:
1. Craft Phishing Attack: Clauses 8.2.1 (management responsibilities), 8.2.2
(information security awareness, education, and training), 10.9.1 (electronic
commerce), 10.9.2 (on-line transactions), 10.9.3 (publicly available information),
13.1.1 (reporting information security events) will be applicable. The controls will be
implemented by conducting one week training session of the employees. The training
will be followed by minor tests to ensure everyone knows the things taught.
2. Deliver Malware into Internal System: Clauses 12.2.2 (control of internal
processing), 12.3.1 (policy on the use of cryptographic controls), 12.4.1 (control of
operational software), 12.4.2 (protection of system test data), 11.5.5 (session time
out), 11.5.6 (limitation of connection timing), and 10.10.3 (protection of log
information) will be applicable. These controls can be implemented by hiring an
external agency to manage and implement the mechanisms at appropriate places.
3. Brute Force Login: Clauses 11.5.1, 11.5.2, and 11.5.3 will be used to ensure that the
system is prevented from the brute force login. These clauses refer to secure log-on

15
procedures, user identification and authentication, and password management system
respectively. The implementation of the secure encrypted system will be facilitated.
The encryption service will be bought from external agencies.
4. Flood at Primary Facility: Clauses 7.1.1 (inventory of assets), 9.1.1 (physical
security perimeter), 9.1.4 (protecting against external and environmental threats), and
9.2.4 (equipment maintenance) will be used. The company will being one month
project which will focus on changing the data centre location and transferring files.
5. Disk Error Unreadable Display: Clauses 10.5.1 (Information back-up), 10.7.2
(Disposal of Media), 10.7.3 (Information handling procedure), 9.2.6 (secure disposal
or re-use of equipment), and 9.2.7 (removal of property) will be applicable. This
aspect will be taught at the training session.
6. Unreadable display: Clauses 7.1.1 (inventor of assets), 7.1.2 (ownership of assets),
9.2.4 (equipment maintenance) will be applicable. The company will purchase new
monitors in bulk from good brand like Samsung.
Conclusion
The security risks identified in this paper are expected to take place for the company and the
measures that have been identified are possibly appropriate enough to handle these situations.
The six security risks detailed in the last two chapters can be referred to as preliminary ones
as there exists other risks also that can impact the company in some way or the other.
References
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance:
an empirical study of rationality-based beliefs and information security awareness. MIS
quarterly, 34(3), pp.523-548

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16
Höne, K. and Eloff, J.H.P., 2002. Information security policy—what do international
information security standards say?. Computers & Security, 21(5), pp.402-409.
ISO 27002, (2005). Information technology — Security techniques — Code of practice for
information security management.
Litan, A., 2004. Phishing attack victims likely targets for identity theft.
Von Ahn, L., Maurer, B., McMillen, C., Abraham, D. and Blum, M., 2008. recaptcha:
Human-based character recognition via web security measures. Science, 321(5895), pp.1465-
1468.
You, I. and Yim, K., 2010, November. Malware Obfuscation Techniques: A Brief Survey.
In BWCCA (pp. 297-300).

1 out of 17

+13062052269

info@desklib.com

Implementing Security Controls to Mitigate Identified Risks

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Response to Identified Risks

Assessing Information Security Risks

Guidelines for Managing Information Security Risks for Cosmos Organization

IT Security Risks and Proposed Solutions for an Organization

Understanding Information Security Threats

IS Security and Risk Management: Telstra Corporation Ltd