Understanding IT Risk Management Strategies

Added on 2020/04/07
Aztek
Aztek: IT Risk Management
Bring Your Own Devices (BYOD)
9/25/2017

Aztek: Risk Management & Assessment
Executive Summary
Aztek is an Australian company that provides financial solutions and services to its clients. Certain
issues have been observed in Aztek with its growth and expansion in terms of infrastructure and
operations. The management has suggested various projects for the elimination of these issues, and
Bring Your Own Devices (BYOD) is the suggestion that will be implemented. The report covers the
assessment of the risks for the project and discusses its viability from the feasibility and security aspects.
The types of risks that may come up and their management have been covered in the report, along with
an elaboration on the aspect of data security.
Findings and Recommendations
The risk register has been prepared for the BYOD project and lists the risks that were identified (Cioupdate,
2016).
These risks include information, device and network security risks, and insider threats that may be
executed.
Recommendations have been provided to ensure that the identified risks are avoided or mitigated and
that the root cause of each risk is eliminated so that its likelihood drops to zero. There are several
management-level employees in Aztek, and various departments have been set up for security
management. These include the security department and the IT department, along with the Project
Managers of every project, who contribute to security management. These resources would have the
authority to implement enhanced controls and administrative checks so that security vulnerabilities are
highlighted and avoided. They must work on security updates to the policies and administrative plans,
along with an increase in the frequency of security audits, reviews and inspections. The security reports
prepared in these activities must also be reviewed so that the areas of improvement are worked upon.
The technical controls are the security measures that must be taken so that technology is put to use in
the avoidance and prevention of security attacks. For information security attacks, the first measure
shall be encryption of all data sets so that misuse is avoided and controlled. Automated anti-malware
and anti-denial tools shall also be used to avoid the risks. Network security risks shall be avoided by
using network-based intrusion prevention and detection applications, network scanning tools and
network audit tools. The employees' devices must be installed with security tags and trackers.
Access control, identity management, firewalls and authentication systems are some of the basic steps
towards security. These shall be made stronger by using a combination of administrative and technical
controls. Biometric systems, role-based access control systems, resource management systems etc. shall
be used to avoid unauthorized access to the office or the applications.
The employees may also be carriers of risk, and the risks associated with employee mistakes or
deliberate action shall be avoided by explaining to them the implications of the security risks. They may
be held responsible for a risk if it is caused through their device, and there may be legal obligations on
them as a result. The employees must also be made aware of the best security practices that they may
follow for the avoidance of the risks. They must be provided with knowledge and information on the
ethical practices to follow, along with professional codes of conduct.
Introduction.................................................................................................................................................5
Aztek – Overview of the Organization....................................................................................................5
BYOD: Project Details & Overview........................................................................................................5
Project Review from Finance Service Sector...............................................................................................6
BYOD Description: Financial Aspects....................................................................................................6
Aztek IT Security Policies & Procedures....................................................................................................8
BYOD Scheme: Risk Assessment...............................................................................................................9
Process for Risk Management.................................................................................................................9
Risk Register.........................................................................................................................................10
Data Security for the BYOD Scheme........................................................................................................14
Conclusion.................................................................................................................................................15
References.................................................................................................................................................16
Introduction
Aztek – Overview of the Organization
Numerous business set-ups and units have been established all across the world that carry out
business operations and activities as per their respective industry type. Some of these sectors are
mandatory for every country and some may have lesser significance as compared to the rest. One of
the most significant, mandatory and crucial sectors is the finance sector, on which a major share of the
economy is based. Aztek is a finance firm from Australia that has a good hold in the market and a
decent customer base associated with it.
As business units expand, there comes an increased responsibility and accountability on the
organizations to perform better and serve their customers in a better manner. With the business
expansion, a few infrastructural, operational and technical issues are being witnessed. It has become
necessary to overcome these issues so that business continuity and service quality are maintained.
Suggestions have been given by the team of directors and leadership in this area, including the concept
of BYOD, deployment of cloud hosting services and outsourcing of IT functions.
On the basis of the suggestions provided and the organizational issues, the project that has been
selected is the use of the BYOD scheme.
BYOD: Project Details & Overview
BYOD stands for Bring Your Own Devices and is a scheme that allows the devices owned by office
employees to be used in the business units. One of the growing trends in the present times is IT
consumerization. Various mechanisms can be adopted to promote it, and BYOD is an initiative
associated with IT consumerization. The use of technical gadgets is on the rise in the current times and
there are individuals that own many such gadgets and devices. Some examples of these devices include
mobile phones, desktops, laptops, modems, connecting wires, tablets etc. Most of these devices are
portable in nature and can be carried from one place to another. BYOD allows employees to bring such
devices to the office and use them to execute business activities, services, tasks and operations.
The BYOD project will offer many benefits to the organization, its customers and its
stakeholders as well. There will also be certain challenges and drawbacks that may come up.
Project Review from Finance Service Sector
The business functions and activities in organizations are guarded and managed by certain guidelines
and policies. In the finance sector also, there are bodies and agencies that have been set up by the
Government to control and monitor the associated operations. One such government body in Australia
is the Australian Securities and Investments Commission (ASIC). This body regulates the activities of
corporate organizations and firms. The set of rules, policies and laws stated by ASIC must be adhered
to, and all Australian financial firms shall comply with the same.
In every business sector, the necessity to maintain and follow ethical and professional guidelines is
mandatory. Australia has specified all these guidelines for business organizations under the Australian
Code of Conduct (ASC). The set of tasks that come under BYOD must also conform to the ASC codes.
Aztek's business domain is finance, and the frequency of financial transactions and payments in the
company is higher than in other organizations. All electronic payments and financial transactions that
take place must comply with the e-payments code that comes under the ASIC policies and framework.
Security and privacy of information must be maintained, and the same shall be made possible by
adhering to the Intellectual Property and Privacy laws defined by the government and legal bodies of
Australia.
BYOD Description: Financial Aspects
The objectives that have been defined by Aztek have customer satisfaction and engagement as the
focal point. Some of the points under the business objectives are:
- The customers must be provided with financial solutions that are reliable, accurate, quick and usable.
- The percentage of employee satisfaction and engagement with Aztek must not drop and shall always be maintained.
- The percentage of customer satisfaction and engagement with Aztek must not drop and shall always be maintained.
- The customers must be provided with the releases and end products as per the promised delivery dates.
All the projects that are taken up by Aztek also have project goals, which shall be in accordance with
the goals of the firm to achieve strategic alignment.
- There are certain tools and applications that are complex in nature, and it provides an advantage to the organization if such tools are tested and used by the resources prior to actual usage. This leads to a deeper understanding and operational ease with the tool and also makes the resource comfortable with its usage, leading to the avoidance of errors and less execution time. The company tools will run on employee devices, which will give them the ability to experience the functioning of the tools, leading to better service execution and solution design.
- The complexity of operations and their execution will reduce, leading to better productivity, efficiency and satisfaction for employees, which will in turn improve customer satisfaction as well.
- The organizational activities and infrastructure will improve as there will be better communication and sharing along with better integration.
In terms of the company budget and finances, the BYOD project will offer several advantages to
Aztek.
- Currently, the devices used in the organization for the execution of business activities are procured by the organization from its own expenses. This is a huge investment for an organization that is under expansion. The BYOD scheme will eliminate these costs, which may be used in other activities.
- The employees will be able to explore the tools and applications from off-the-office locations, which will provide them with better operational ease, leading to the avoidance of operational costs due to errors, mistakes and rework (Gessner, 2016).
- Testing is an activity that is a part of every project, and the tools required for test execution and test creation may be different for every project. For instance, a project involving a mobile-based financial solution may require different devices such as Android-based, iOS-based and Windows-based mobile devices with different screen sizes and resolutions. This will involve additional costs, and the devices may not be required once the project is completed. These additional and unnecessary costs will be avoided after the use of the BYOD scheme (Retailwire, 2016).
Aztek IT Security Policies & Procedures
BYOD will offer many benefits and advantages to Aztek in terms of the ability to achieve the
organization goals with ease, enhanced engagement of the customers and employees of the
organization and many others. One of the major benefits as discussed under the financial aspect
of the project above would be the elimination of unnecessary costs and expenses.
These benefits will be abundant in number, but there will also be many issues related to BYOD in the
areas of implementation, integration and usage. Security will be the main issue in this area, and
numerous risks to information and network security might be witnessed. There are many threat and
risk agents that will be the carriers of these security issues, and these carriers will be required to be
checked in all the measures that are implemented from the security point of view.
Aztek has always been an organization that has made sure that the state of security in the
organization and in association with the applications and services related to the organization is always
maintained. The BYOD scheme that has been selected for implementation in Aztek has its own set of
security issues. The security policies of Aztek do not include the countermeasures that can be executed
for the prevention and control of BYOD-related attacks and would need to be updated.
It would be required to first analyze the associated security risks and plan out the control, avoidance
and prevention measures that shall be applied.
The various forms of risks and security attacks associated with the BYOD scheme can be categorized
into three broad categories and areas, viz. information security risks, risks to device security and
network security risks. The devices that the employees currently own were bought by them for
personal use. The security aspects of personal activities and professional activities differ from one
another. There might be basic security precautions that the employee has taken for device protection,
but these would not be sufficient for use in Aztek. Therefore, the IT & Security team at Aztek must
review the device from the security aspect and must also install the necessary security updates and tags
to make the device fit to be used in the organization (Coleman, 2011). The security risks associated
with the category of information and network security attacks must be controlled and avoided by using
technological tools and administrative checks. The disaster recovery mechanisms must also be stated
carefully.
The BYOD scheme is a new scheme that will be used in Aztek, and the employees will also not be
aware of the threats that they might bring along with the use of insecure networks and applications.
The employees' devices, such as smartphones, will be used for many personal activities along with
professional tasks. There may be certain applications that are not secure and may have a negative
implication for other applications or for the security of the device. Malware attacks or eavesdropping
activities may take place. Also, the use of devices on public Wi-Fi connections may bring many
unknown risks to the employee's smartphone (Newton, 2015).
The employees will need to be provided with information on the secure use of the device so that the
applications and information related to Aztek are not impacted in a negative manner (Trendmicro,
2016).
BYOD Scheme: Risk Assessment
There are many risks that may arise in the organization and its associated applications. These risks
may belong to different categories, and one such category is security risks (Crane, 2013). A security
risk is defined as an occurrence that may lead to the compromise of the security of any component
associated with the organization, which may have serious implications.
Process for Risk Management
For the management of the risks that will emerge with the implementation of the BYOD scheme in
Aztek, a process has been defined to control, avoid, prevent and detect the risks. The process is termed
risk management, and it is also one of the knowledge areas that come under the domain of project
management. This process will provide the management and leadership with guidelines and
mechanisms for adequate management of the risks.
Risk Management Process
Risk identification shall be the first stage in the risk management process; in this stage the security
team, management and the IT team of the organization must create a list of sources from which they
may obtain maximum information on the probable risk areas (Capterra, 2016). A list of these risk
areas along with the specific risk events shall be prepared in this stage (Berg, 2016).
The risk areas and events that are identified shall then be assessed, and their probability and
implication for the organization and its components shall be calculated. The prioritization for the
treatment of the risk must also be calculated on the basis of the risk factors (Castsoftware, 2016).
Once the priority, impact and likelihood of the risk are assessed, the response and treatment strategy
for the risks shall be determined. These strategies shall be based upon the nature of the risk and the
damage that it may cause. For instance, it would be best to avoid some risks, while for other risks the
best possible treatment would be to accept or transfer the risk (Microsoft, 2016).
The next set of phases shall focus upon the management and senior authorities ensuring that the risk
is monitored and controlled by applying the treatment strategies and is also closed after completion
(Vila, 2012).
Risk Register
The risk register that has been prepared for the BYOD project at Aztek includes the risks that
have been identified and also suggests the best treatment and response strategy that can be
applied for the control of the risk. The category of the risk along with their probability and
impact has also been included in the register after the assessment of the risks on different
parameters.
Figure (Risk Management Process): Risk Identification -> Risk Assessment and Prioritization -> Risk Treatment -> Risk Control -> Risk Tracking and Report

Risk Name: Information Breaches
Risk Category: Information Security Risk
Probability: Moderate
Risk Impact: High
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk avoidance by using automated technical tools and administrative checks for information protection

Risk Name: Information Leakage
Risk Category: Information Security Risk
Probability: Moderate
Risk Impact: High
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk avoidance by using automated technical tools and administrative checks for information protection (Informationweek, 2016)

Risk Name: Loss of the Device
Risk Category: Device Security Risk
Probability: Low
Risk Impact: High
Risk Response & Treatment Strategy: Risk avoidance shall be used as the treatment strategy for this risk, which shall be implemented by using device tracking tools, device safety tools and technical controls

Risk Name: Message & Media Alteration
Risk Category: Information/Network Security Risk
Probability: Moderate
Risk Impact: High
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk mitigation by enhancing the information integrity by using network safety tools (Grimes, 2016)

Risk Name: SQL Injection
Risk Category: Information Security Risk
Probability: Moderate
Risk Impact: Moderate
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk avoidance by using automated technical tools and administrative checks for information protection (Usask, 2017)

Risk Name: Flooding Attacks
Risk Category: Information/Network Security Risk
Probability: Moderate
Risk Impact: Moderate-High
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk avoidance by using automated technical anti-denial and intrusion detection tools for information and network protection (Stoneburner, 2002)

Risk Name: Exploitation of Security Vulnerabilities
Risk Category: Information/Network/Device Security Risk
Probability: Moderate
Risk Impact: Moderate
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk avoidance by analyzing the security weaknesses and using the parameters and mechanisms for elimination of the same

Risk Name: Malware Attacks and Injections
Risk Category: Information/Network Security Risk
Probability: Moderate
Risk Impact: Moderate-High
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk avoidance by using anti-malware tools and applications

Risk Name: Spoofing Attacks
Risk Category: Network Security Risk
Probability: Low
Risk Impact: Moderate
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk mitigation by enhancing network management and control and creating alerts for the users in such an occurrence

Risk Name: Man in the Middle Attacks
Risk Category: Network Security Risk
Probability: Moderate
Risk Impact: Moderate
Risk Response & Treatment Strategy: The treatment strategy that shall be followed in this case shall be risk mitigation by enhancing network management and control and creating alerts for the users in such an occurrence
Insider threats and attacks may also take place in Aztek, in which the threat agents will be the
employees. The BYOD scheme is a new scheme that will be used in Aztek, and the employees will
also not be aware of the threats that they might bring along with the use of insecure networks and
applications. The employees' devices, such as smartphones, will be used for many personal activities
along with professional tasks. There may be certain applications that are not secure and may have a
negative implication for other applications or for the security of the device. Malware attacks or
eavesdropping activities may take place. Also, the use of devices on public Wi-Fi connections may
bring many unknown risks to the employee's smartphone (Qld, 2016). There are two forms of insider
threats, viz. deliberate and accidental. The scenario just discussed is an example of the accidental
threat, as the employee was not aware of the risk and its impact. However, there may be selfish
motives involved, and the employee may purposely transfer the information to unauthorized entities
(Markovic-Petrovic & Stojanovic, 2014).
Data Security for the BYOD Scheme
An organization has many assets that it requires to manage. Some of these assets come under the
category of critical assets and some are classified as non-critical assets. The security
requirements of critical assets are more than the non-critical assets. Data and information are the
organizational assets that are included in the critical assets classification and the security
requirement of these assets is therefore very high (Scu, 2016).
Aztek has been carrying out its business for a long time and handles many projects. Due to the
involvement of different clients and employees, along with the execution of many projects
simultaneously, there are huge data sets that the organization is required to manage securely. The data
sets include information from different categories, such as confidential, public, sensitive, private etc.
(Test-institute, 2016).
There are many risks to these data sets in terms of security, and the primary reason for these risks is
the involvement of different components and sources (Chapman, 2000). The security parameters and
mechanisms applied to a private information and data set differ from those for a public data set or a
confidential data set. This may lead to the presence of security weaknesses and vulnerabilities.
There are various operations that can be performed on the data and information sets. These
operations may include the read only ability, modification or deletion of the data etc. The users
that are allowed to execute these operations must be selected and provided with the privileges on
the basis of the user type and the information category.
All modifications, deletions and any updates to the data shall be allowed to be performed by the data
administrator or the security manager only. This will avoid the attacks associated with the integrity and
availability of the data. The sensitive and confidential data sets shall be allowed to be accessed only by
the CEO and the Board of Directors, along with the Security Manager and the Database Administrator.
The private data sets shall be readable by the stakeholders of the data and the data analysts. The public
data sets must be readable by the stakeholders, data analysts, data scientists and data owners.
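The access rules above can be written down as a policy table and checked against an access log, which is how a log review would catch a violation. This is an added Python illustration for this page, not code from Aztek or the report; it assumes the report's "data administrator" and "Database Administrator" are the same role, denies any combination the report does not list, and uses a constructed sample log.

```python
"""Role-based access policy for Aztek's data classes, following the report's
"Data Security for the BYOD Scheme" section.

Assumptions (not from the report): the report's "data administrator" is the
same role as its "Database Administrator"; any (role, classification,
operation) combination the report does not list is denied; the sample access
log below is constructed for this demonstration.
"""
from dataclasses import dataclass
from enum import Enum


class Classification(str, Enum):
    CONFIDENTIAL = "confidential"
    SENSITIVE = "sensitive"
    PRIVATE = "private"
    PUBLIC = "public"


class Operation(str, Enum):
    READ = "read"
    MODIFY = "modify"
    DELETE = "delete"


# Roles named in the report.
CEO = "ceo"
BOARD = "board_of_directors"
SECURITY_MANAGER = "security_manager"
DB_ADMIN = "database_administrator"  # also the report's "data administrator" (assumption)
STAKEHOLDER = "stakeholder"
DATA_ANALYST = "data_analyst"
DATA_SCIENTIST = "data_scientist"
DATA_OWNER = "data_owner"

# Modification, deletion and updates: data administrator or security manager only,
# whatever the classification of the data set.
WRITE_ROLES = frozenset({DB_ADMIN, SECURITY_MANAGER})

# Read access per classification, exactly as the report lists it.
READ_ROLES = {
    Classification.CONFIDENTIAL: frozenset({CEO, BOARD, SECURITY_MANAGER, DB_ADMIN}),
    Classification.SENSITIVE: frozenset({CEO, BOARD, SECURITY_MANAGER, DB_ADMIN}),
    Classification.PRIVATE: frozenset({STAKEHOLDER, DATA_ANALYST}),
    Classification.PUBLIC: frozenset({STAKEHOLDER, DATA_ANALYST, DATA_SCIENTIST, DATA_OWNER}),
}


def is_allowed(role: str, classification: Classification, operation: Operation) -> bool:
    """Grant only what the report explicitly lists; everything else is denied."""
    if operation in (Operation.MODIFY, Operation.DELETE):
        return role in WRITE_ROLES
    if operation is Operation.READ:
        return role in READ_ROLES.get(classification, frozenset())
    return False


def write_without_read():
    """Policy review check: (classification, role) pairs where a role may change
    or delete a data set it is not allowed to read. Taken literally, the report's
    wording produces such pairs for private and public data."""
    return {
        (cls, role)
        for cls in Classification
        for role in WRITE_ROLES
        if not is_allowed(role, cls, Operation.READ)
    }


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    classification: Classification
    operation: Operation
    dataset: str


def audit(events):
    """Return the events a log review should flag as policy violations."""
    return [e for e in events if not is_allowed(e.role, e.classification, e.operation)]


# Constructed sample access log (illustrative, not from the report).
SAMPLE_LOG = [
    AccessEvent("alice", DATA_ANALYST, Classification.PRIVATE, Operation.READ, "client_records"),
    AccessEvent("bob", DATA_SCIENTIST, Classification.SENSITIVE, Operation.READ, "payment_ledger"),
    AccessEvent("carol", DB_ADMIN, Classification.CONFIDENTIAL, Operation.MODIFY, "board_minutes"),
    AccessEvent("dave", DATA_OWNER, Classification.PUBLIC, Operation.DELETE, "rate_sheet"),
    AccessEvent("erin", CEO, Classification.SENSITIVE, Operation.READ, "payment_ledger"),
]

if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        print(f"DENY {e.user} ({e.role}) {e.operation.value} on {e.classification.value}:{e.dataset}")
    for cls, role in sorted(write_without_read()):
        print(f"policy gap: {role} may modify or delete {cls.value} data it cannot read")
```

The `write_without_read` check surfaces a gap worth raising in review: read literally, the rules let the write roles change private and public data they are not listed as able to read.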
Conclusion
Aztek has decided to implement BYOD scheme in its infrastructure which would lead to various
benefits and will also come up with certain issues.
The use of technical gadgets is on the rise in the current times, and there are individuals that own
many such gadgets and devices. Some examples of these devices include mobile phones, desktops,
laptops, modems, connecting wires, tablets etc. Most of these devices are portable in nature and can be
carried from one place to another. BYOD allows employees to bring such devices to the office and use
them to execute business activities, services, tasks and operations.
BYOD will offer many benefits and advantages to Aztek in terms of the ability to achieve the
organization goals with ease, enhanced engagement of the customers and employees of the
organization and many others. One of the major benefits as discussed under the financial aspect
of the project above would be the elimination of unnecessary costs and expenses.
There will also be many issues that will be related with BYOD in the areas of implementation,
integration and usage. Security will be the main issue in this area and there will be numerous
risks to the information and network security that might be witnessed. There are many threat and
risk agents that will be the carriers of these security issues and these carriers will be required to
be checked in all the measures that are implemented from the security point of view. The various
forms of the risks and security attacks in association with the BYOD scheme can be categorized
in three broad categories and areas viz. information security risks, risks to the device security and
network security risks. Insider threats and attacks may also take place in Aztek in which the
threat agents will be the employees.
For the management of the risks that will emerge with the implementation of the BYOD scheme
in Aztek, there is a process that has been defined to control, avoid, prevent and detect the risks.
The process is termed as risk management and it is also one of the knowledge areas that come
under the domain of project management. This process will provide the management and
leadership with the guidelines and mechanisms on adequate management of the risks.
References
Berg, H. (2016). Risk Management. Retrieved 25 September 2017, from http://ww.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf
Berg, H. (2010). Risk Management: Procedures, Methods and Experiences. Retrieved 25 September 2017, from http://ww.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf
Capterra. (2016). Best Risk Management Software | 2016 Reviews of the Most Popular Systems. Capterra.com. Retrieved 25 September 2017, from http://www.capterra.com/risk-management-software/
Castsoftware. (2016). What is Software Risk & How To Prevent Software Risk | CAST Software. Castsoftware.com. Retrieved 25 September 2017, from http://www.castsoftware.com/research-labs/software-risk
Chapman, C. (2000). A desirable future for technology risk management. International Journal Of Risk Assessment And Management, 1(1/2), 69. http://dx.doi.org/10.1504/ijram.2000.001488
Cioupdate. (2016). Effective Measures to Deal with Cloud Security -- CIO Update. Cioupdate.com. Retrieved 25 September 2017, from http://www.cioupdate.com/technology-trends/effective-measures-to-deal-with-cloud-security.html
Coleman, T. (2011). A Practical Guide to Risk Management. Cfapubs.org. Retrieved 25 September 2017, from http://www.cfapubs.org/doi/pdf/10.2470/rf.v2011.n3.1
Crane, L. (2013). Introduction to Risk Management. Retrieved 25 September 2017, from http://extensionrme.org/pubs/IntroductionToRiskManagement.pdf
Development, C. (2013). What are the 5 Risk Management Process Steps?. Continuing Professional Development. Retrieved 25 September 2017, from http://continuingprofessionaldevelopment.org/risk-management-steps-in-risk-management-process/
Dey, P. (2008). Risk management in information technology projects. International Journal Of Risk Assessment And Management, 9(3), 311. http://dx.doi.org/10.1504/ijram.2008.019747
Gessner, D. (2016). Towards a User-Friendly Security-Enhancing BYOD Solution. Retrieved 25 September 2017, from http://in.nec.com/en_IN/images/120324.pdf
Grimes, R. (2016). The 5 cloud risks you have to stop ignoring. InfoWorld. Retrieved 25 September 2017, from http://www.infoworld.com/article/2614369/security/the-5-cloud-risks-you-have-to-stop-ignoring.html
InformationWeek. (2016). 9 Worst Cloud Security Threats - InformationWeek. InformationWeek. Retrieved 25 September 2017, from http://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085?page_number=2
Markovic-Petrovic, J., & Stojanovic, M. (2014). An Improved Risk Assessment Method for SCADA Information Security. Elektronika Ir Elektrotechnika, 20(7). http://dx.doi.org/10.5755/j01.eee.20.7.8027
Microsoft. (2016). Risk Management Process Overview. Technet.microsoft.com. Retrieved 25 September 2017, from https://technet.microsoft.com/en-us/library/cc535304.aspx
Newton, P. (2015). Managing Project Risks. Retrieved 25 September 2017, from http://www.free-management-ebooks.com/dldebk-pdf/fme-project-risk.pdf
Proconceptsllc. (2016). Risk Radar® Enterprise, Risk Management Software | Pro-Concepts LLC. Proconceptsllc.com. Retrieved 25 September 2017, from http://www.proconceptsllc.com/risk-radar-enterprise.html
Qld. (2016). Risks of cloud computing | Queensland Government. Business.qld.gov.au. Retrieved 25 September 2017, from https://www.business.qld.gov.au/business/running/technology-for-business/cloud-computing-business/cloud-computing-risks
Retailwire. (2016). Happiness Is … Bringing Your Own Computer Devices to Work – RetailWire. Retailwire.com. Retrieved 25 September 2017, from http://www.retailwire.com/discussion/16188/happiness-is-bringing-your-own-computer-devices-to-work