Identification of vulnerabi: A case study
VerifiedAdded on  2021/05/27
|12
|2668
|329
AI Summary
IS/IT RISK MANAGEMENT 8 IS/IT RISK MANAGEMENT IS/IT Risk Management (VitaCrux Pty Ltd) Name of the student: Name of the university: Author Note Executive summary The following report includes the analysis and identification of most of vulnerabilities and threats under VitaCrux. Impact analysis through qualitative and quantitative methods: 4 2.1. Identification and analysis of threats & vulnerabilities within VitaCrux: 3 1.1. Protection of intellectual property, sensitive customer data and various other business-critical data needs
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Running head: IS/IT RISK MANAGEMENT
IS/IT Risk Management
(VitaCrux Pty Ltd)
Name of the student:
Name of the university:
Author Note
IS/IT Risk Management
(VitaCrux Pty Ltd)
Name of the student:
Name of the university:
Author Note
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
1IS/IT RISK MANAGEMENT
Executive summary
The following report includes the analysis and identification of most of vulnerabilities and threats
under VitaCrux. Then an impact analysis is conducted with qualitative and quantitative methods.
Then a thorough likelihood analysis and control analysis is done relating to every complex
vulnerabilities.
Executive summary
The following report includes the analysis and identification of most of vulnerabilities and threats
under VitaCrux. Then an impact analysis is conducted with qualitative and quantitative methods.
Then a thorough likelihood analysis and control analysis is done relating to every complex
vulnerabilities.
2IS/IT RISK MANAGEMENT
Table of Contents
1. Identification and analysis of threats & vulnerabilities within VitaCrux:.........................................3
1.1. Technical threats and vulnerabilities:.........................................................................................3
1.2. Operational challenges:..............................................................................................................4
1.3. Managerial challenges:...............................................................................................................4
2. Impact analysis through qualitative and quantitative methods:.........................................................4
2.1. Qualitative analysis:....................................................................................................................4
2.2. Quantitative analysis:..................................................................................................................5
3. Control assessment and likelihood analysis for VitaCrux:................................................................5
3.1. Control assessment:....................................................................................................................5
3.2. Likelihood analysis:....................................................................................................................6
4. Various risk analysis for VitaCrux:...................................................................................................6
4.1. Threat analysis:...........................................................................................................................6
4.2. Vulnerability and threat analysis of acceptable risks:................................................................7
4.3. Impact analysis:..........................................................................................................................8
4.4. Likelihood analysis:....................................................................................................................8
4.5. Risk determination:.....................................................................................................................8
5. References:......................................................................................................................................10
Table of Contents
1. Identification and analysis of threats & vulnerabilities within VitaCrux:.........................................3
1.1. Technical threats and vulnerabilities:.........................................................................................3
1.2. Operational challenges:..............................................................................................................4
1.3. Managerial challenges:...............................................................................................................4
2. Impact analysis through qualitative and quantitative methods:.........................................................4
2.1. Qualitative analysis:....................................................................................................................4
2.2. Quantitative analysis:..................................................................................................................5
3. Control assessment and likelihood analysis for VitaCrux:................................................................5
3.1. Control assessment:....................................................................................................................5
3.2. Likelihood analysis:....................................................................................................................6
4. Various risk analysis for VitaCrux:...................................................................................................6
4.1. Threat analysis:...........................................................................................................................6
4.2. Vulnerability and threat analysis of acceptable risks:................................................................7
4.3. Impact analysis:..........................................................................................................................8
4.4. Likelihood analysis:....................................................................................................................8
4.5. Risk determination:.....................................................................................................................8
5. References:......................................................................................................................................10
3IS/IT RISK MANAGEMENT
1. Identification and analysis of threats & vulnerabilities within VitaCrux:
VitaCrux Pty Ltd or VitaCrux is a mid-sized organization producing and selling health and
food supplements. Protection of intellectual property, sensitive customer data and various other
business-critical data needs a comprehensive security strategy closely matching business objectives.
In current world, information and protecting information have been complex considerations
for businesses. Customers of VitaCrux need to assure that their data is kept secured. As they cannot
keep that safe, the organization would be losing their business. There are many clients having
sensitive data demands that they have a solid infrastructure for data security in proper place. This
must be done before performing business. Vitacrux must determine that with those considerations as
the basis, how much confidence they have been possessing as it comes to IT security of the
company.
1.1. Technical threats and vulnerabilities:
Hacking It provides scopes to extract data regarding monetary and political gains.
Cracking Various personnel changes have been taking place along with security policies that
are likely to be changed in due time. This leads towards unauthorized access towards
sensitive data (Csrc.nist.gov, 2018).
Malware It disrupts computer operations and collects sensitive data, gaining access to computer
systems compromising information.
Data
leakage
This refers to various unauthorized physical and electronic transmission of data
within Vitacrux. This is done to external recipients and destinations leaving data in
wrong hands (Laudon and Laudon 2016).
1. Identification and analysis of threats & vulnerabilities within VitaCrux:
VitaCrux Pty Ltd or VitaCrux is a mid-sized organization producing and selling health and
food supplements. Protection of intellectual property, sensitive customer data and various other
business-critical data needs a comprehensive security strategy closely matching business objectives.
In current world, information and protecting information have been complex considerations
for businesses. Customers of VitaCrux need to assure that their data is kept secured. As they cannot
keep that safe, the organization would be losing their business. There are many clients having
sensitive data demands that they have a solid infrastructure for data security in proper place. This
must be done before performing business. Vitacrux must determine that with those considerations as
the basis, how much confidence they have been possessing as it comes to IT security of the
company.
1.1. Technical threats and vulnerabilities:
Hacking It provides scopes to extract data regarding monetary and political gains.
Cracking Various personnel changes have been taking place along with security policies that
are likely to be changed in due time. This leads towards unauthorized access towards
sensitive data (Csrc.nist.gov, 2018).
Malware It disrupts computer operations and collects sensitive data, gaining access to computer
systems compromising information.
Data
leakage
This refers to various unauthorized physical and electronic transmission of data
within Vitacrux. This is done to external recipients and destinations leaving data in
wrong hands (Laudon and Laudon 2016).
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
4IS/IT RISK MANAGEMENT
5IS/IT RISK MANAGEMENT
1.2. Operational challenges:
Insider threat Here, the partners, contractors and employees are able to commit fraud, theft and
espionage of various intellectual properties.
Social media The employees have been often falling victim to various scams or revealing data that is
not expected for social media and public media.
Dumpster diving The improper disposal of various sensitive data leads to poor disclosures and different
sensitive information. In this way the internal processes while disposing sensitive data
has been vital to prevent those types of non-technical vulnerabilities.
Social
engineering
The attackers have been highly depending in human interactions to access into
company networks (Greenberg 2017).
1.3. Managerial challenges:
This has not been obvious that most of the data has needed in short-terms. However, there are
troubles lurking in those data archives. In this way VitaCrux has been the victim of silent crisis in
this making (Coronel and Morris 2016). There are various chances that the data is turns out to be no
longer readable and devices they need to read the media.
2. Impact analysis through qualitative and quantitative methods:
2.1. Qualitative analysis:
A qualitative analysis is needed to be done on various employees of VitaCrux. This is helpful
to uncover various trends at opinions and thoughts and then research more into those problems. Here
the participant observation is very important. The analysis must be made on the methods to enter the
context, role of researcher as participant, storing and collecting field notes and assessment of field
data. The participant can requires months or been years of high level research. This is needed to be
1.2. Operational challenges:
Insider threat Here, the partners, contractors and employees are able to commit fraud, theft and
espionage of various intellectual properties.
Social media The employees have been often falling victim to various scams or revealing data that is
not expected for social media and public media.
Dumpster diving The improper disposal of various sensitive data leads to poor disclosures and different
sensitive information. In this way the internal processes while disposing sensitive data
has been vital to prevent those types of non-technical vulnerabilities.
Social
engineering
The attackers have been highly depending in human interactions to access into
company networks (Greenberg 2017).
1.3. Managerial challenges:
This has not been obvious that most of the data has needed in short-terms. However, there are
troubles lurking in those data archives. In this way VitaCrux has been the victim of silent crisis in
this making (Coronel and Morris 2016). There are various chances that the data is turns out to be no
longer readable and devices they need to read the media.
2. Impact analysis through qualitative and quantitative methods:
2.1. Qualitative analysis:
A qualitative analysis is needed to be done on various employees of VitaCrux. This is helpful
to uncover various trends at opinions and thoughts and then research more into those problems. Here
the participant observation is very important. The analysis must be made on the methods to enter the
context, role of researcher as participant, storing and collecting field notes and assessment of field
data. The participant can requires months or been years of high level research. This is needed to be
6IS/IT RISK MANAGEMENT
accepted as the natural part of that culture. This must be helpful to ensure that those observations are
of natural phenomenon. The various questions to be asked are the top risks and the extent to which
the effect has been likely occurring. Then it must be determined how often has the company been
refreshing their analysis of top risks. Further the owner of tip risks and who have been accountable
for those results are to be determined. Then questions must be asked regarding how efficient
VitaCrux has been in terms of managing its top most risks. Further, it must be found out from the
employees whether VitaCrux has understood the primary assumptions underpinning to the IT/IS
risky strategy.
2.2. Quantitative analysis:
A quantitative analysis is needed to be conducted at VitaCrux. It must consider risks that are
to be marked for future analysis in performing qualitative risk analysis process. It comprises of risks
that have larger effect on various project objectives. For this a probability distribution is to be made
using a project model of cost estimate and schedule along with simulation and mathematical tools
for calculating impact and probability. It has predicting the project results in terms of time or money
on the basis combined effect of various risks for IS/IT risks for VitaCrux.
3. Control assessment and likelihood analysis for VitaCrux:
3.1. Control assessment:
The control assessment for VitaCrux is to be basically designed for assisting the business to
document and identify various material risks together with various related controls. The level of
every risk has been to enable against risk appetite tolerance within VitaCrux. Risk analysis can be
increased by VitaCrux through control assessment (Li et al. 2014). Managing security puts emphasis
on the necessities of organizations for developing, documenting and implementing effective
accepted as the natural part of that culture. This must be helpful to ensure that those observations are
of natural phenomenon. The various questions to be asked are the top risks and the extent to which
the effect has been likely occurring. Then it must be determined how often has the company been
refreshing their analysis of top risks. Further the owner of tip risks and who have been accountable
for those results are to be determined. Then questions must be asked regarding how efficient
VitaCrux has been in terms of managing its top most risks. Further, it must be found out from the
employees whether VitaCrux has understood the primary assumptions underpinning to the IT/IS
risky strategy.
2.2. Quantitative analysis:
A quantitative analysis is needed to be conducted at VitaCrux. It must consider risks that are
to be marked for future analysis in performing qualitative risk analysis process. It comprises of risks
that have larger effect on various project objectives. For this a probability distribution is to be made
using a project model of cost estimate and schedule along with simulation and mathematical tools
for calculating impact and probability. It has predicting the project results in terms of time or money
on the basis combined effect of various risks for IS/IT risks for VitaCrux.
3. Control assessment and likelihood analysis for VitaCrux:
3.1. Control assessment:
The control assessment for VitaCrux is to be basically designed for assisting the business to
document and identify various material risks together with various related controls. The level of
every risk has been to enable against risk appetite tolerance within VitaCrux. Risk analysis can be
increased by VitaCrux through control assessment (Li et al. 2014). Managing security puts emphasis
on the necessities of organizations for developing, documenting and implementing effective
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7IS/IT RISK MANAGEMENT
program, across the organization. Detailed designing of control assessment methods have been
depending on the type of organization it has been developed for ad the people involved within it to
design (NIST, 2018).
3.2. Likelihood analysis:
As VitaCrux analyzes the risks of IS/IT in their organization, the identification of
vulnerabilities, threats and resources has been the first task. Secondly, it has been no less vital and
difficult to calculate how large the risk has been through analyzing consequences (Stark 2015). As
the risks get materialized and analyzed how likely the risk might take place with the data, one can
easily calculate various risk levels. Hence, it can be said that the risk management in general and
particularly risk analysis and assessment has seemed to the best scopes for making things complex.
However, VitaCrux can incorporate more elements to make the approach a scientific one.
4. Various risk analysis for VitaCrux:
4.1. Threat analysis:
It involves the following steps:
Scope:
It provides the information about what is to be included and what not. The various items
under consideration are to be protected in terms of cyber security. However, they are needed to be
identified at first and the level of sensitivity of what has been guarded must be also defined also
through analysis drafters (Van De Walle, Turoff and Hiltz 2014).
program, across the organization. Detailed designing of control assessment methods have been
depending on the type of organization it has been developed for ad the people involved within it to
design (NIST, 2018).
3.2. Likelihood analysis:
As VitaCrux analyzes the risks of IS/IT in their organization, the identification of
vulnerabilities, threats and resources has been the first task. Secondly, it has been no less vital and
difficult to calculate how large the risk has been through analyzing consequences (Stark 2015). As
the risks get materialized and analyzed how likely the risk might take place with the data, one can
easily calculate various risk levels. Hence, it can be said that the risk management in general and
particularly risk analysis and assessment has seemed to the best scopes for making things complex.
However, VitaCrux can incorporate more elements to make the approach a scientific one.
4. Various risk analysis for VitaCrux:
4.1. Threat analysis:
It involves the following steps:
Scope:
It provides the information about what is to be included and what not. The various items
under consideration are to be protected in terms of cyber security. However, they are needed to be
identified at first and the level of sensitivity of what has been guarded must be also defined also
through analysis drafters (Van De Walle, Turoff and Hiltz 2014).
8IS/IT RISK MANAGEMENT
Data collection:
VitaCrux compromises of some kind of procedures and policies. These are required to
identify for various purposes of compliances. It is also found VitaCrux has failed to meet the various
minimum security standards.
4.2. Vulnerability and threat analysis of acceptable risks:
Here the various collected data must be tested to find poyt the level of present exposures
(Hammer 2015). Above all, the current defenses have been solid enough in neutralizing data threats
as per integrity, confidentially and availability is concerned.
Anticipation and mitigation:
As all the previous steps are finished, the competent security analyst can utilize the corpus of
treating data. This is to arrange those groups in active patterns having closer similarity. This also
includes attributes of every pattern for particular threat actors, implementing mitigation measures
promptly and anticipating the rise of same kind of cyber attacks for future (Peltier 2016).
Vulnerability analysis:
The vulnerability analysis is the process to define, identify, classify and prioritize
vulnerabilities within computer systems, network infrastructures and applications. This is helpful for
VitaCrux in performing the analysis with risk background, awareness and necessary knowledge for
understanding threats to the scenario and respond to that properly (Cherry and Jacob 2016).
Data collection:
VitaCrux compromises of some kind of procedures and policies. These are required to
identify for various purposes of compliances. It is also found VitaCrux has failed to meet the various
minimum security standards.
4.2. Vulnerability and threat analysis of acceptable risks:
Here the various collected data must be tested to find poyt the level of present exposures
(Hammer 2015). Above all, the current defenses have been solid enough in neutralizing data threats
as per integrity, confidentially and availability is concerned.
Anticipation and mitigation:
As all the previous steps are finished, the competent security analyst can utilize the corpus of
treating data. This is to arrange those groups in active patterns having closer similarity. This also
includes attributes of every pattern for particular threat actors, implementing mitigation measures
promptly and anticipating the rise of same kind of cyber attacks for future (Peltier 2016).
Vulnerability analysis:
The vulnerability analysis is the process to define, identify, classify and prioritize
vulnerabilities within computer systems, network infrastructures and applications. This is helpful for
VitaCrux in performing the analysis with risk background, awareness and necessary knowledge for
understanding threats to the scenario and respond to that properly (Cherry and Jacob 2016).
9IS/IT RISK MANAGEMENT
4.3. Impact analysis:
It must be done for understanding various possible outcomes to implement the changes.
Induction of too much functionality to products reduces the overall performances of products. It is
helpful to recognize all kind of files, models and documents that can be modified as team decides to
implement that change within the product (Ross 2017). Further, they can estimate efforts needed
behind implementation of the changes. Further, they can recognize tasks needed to implement those
changes. This has been listing the dependencies on particular elements. In impact analysis, the
information to be incorporated is the brief descriptions of problems. They must show and explain
examples how to defect the cause of failures and includes estimation of complexities. It has included
time and costs for fixed times. Further, various functionalities are also needed to be tested here. This
can be done through providing generic guidelines and principles over risk management (Iso.org,
2018).
4.4. Likelihood analysis:
The risk assessments through likelihood have been involving assigning of overall risk rating
for every risk events recognized through various steps. They are analyzing inherent risks including
consequences and likelihoods of risk events as they are needed to take place in any uncontrolled
scenario. Then various controls are needed to be evaluated and identified (Stair and Reynolds 2017).
The various existing controls have been put in place to address the identified risks and determine
how effective the controls has been in operation and designing. The last step is analyzing residual
risks. Here the consequences and likelihoods of risk events are to be determined whether they have
been occurring in present control environments. Damaging brand reputation, cyber crimes,
terrorisms, political risks can be faced by VitaCrux as the likelihood analysis is not properly
implemented (ISO, 2018).
4.3. Impact analysis:
It must be done for understanding various possible outcomes to implement the changes.
Induction of too much functionality to products reduces the overall performances of products. It is
helpful to recognize all kind of files, models and documents that can be modified as team decides to
implement that change within the product (Ross 2017). Further, they can estimate efforts needed
behind implementation of the changes. Further, they can recognize tasks needed to implement those
changes. This has been listing the dependencies on particular elements. In impact analysis, the
information to be incorporated is the brief descriptions of problems. They must show and explain
examples how to defect the cause of failures and includes estimation of complexities. It has included
time and costs for fixed times. Further, various functionalities are also needed to be tested here. This
can be done through providing generic guidelines and principles over risk management (Iso.org,
2018).
4.4. Likelihood analysis:
The risk assessments through likelihood have been involving assigning of overall risk rating
for every risk events recognized through various steps. They are analyzing inherent risks including
consequences and likelihoods of risk events as they are needed to take place in any uncontrolled
scenario. Then various controls are needed to be evaluated and identified (Stair and Reynolds 2017).
The various existing controls have been put in place to address the identified risks and determine
how effective the controls has been in operation and designing. The last step is analyzing residual
risks. Here the consequences and likelihoods of risk events are to be determined whether they have
been occurring in present control environments. Damaging brand reputation, cyber crimes,
terrorisms, political risks can be faced by VitaCrux as the likelihood analysis is not properly
implemented (ISO, 2018).
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
10IS/IT RISK MANAGEMENT
4.5. Risk determination:
Step 1: Identifying the hazards:
Here the first step in risk analysis has been to recognize potential hazards. This has been
negatively influencing the ability of VitaCrux.
Step 2: Determining who and what has been harmed:
As the hazards are identified, the following step is to find out what business resources have
been negatively influenced as the risks originates (Fang et al. 2014).
Step 3: Evaluation of risks and developing control measures:
Risk analysis has been helpful to identify how the hazards have been impacting business
resources and has been measuring that it can be put in place for minimizing or eliminating the
impact those hazards over resources of VitaCrux.
Step 4: Recording the findings:
Here, the risk analysis findings has been recorded by the company and is needed to be easily
accessible with official documents (Kavanagh and Johnson 2017).
Thus the above discussion has showed various ranges of risks that VitaCrux can be exposed
to. The study is useful to understand the procedures of risk management that is needed to be included
in VitaCrux. The analysis provides the structure to investigate various kinds of IT/IS risks for the
organization (IEEE Spectrum: Technology, Engineering, and Science News, 2018).
4.5. Risk determination:
Step 1: Identifying the hazards:
Here the first step in risk analysis has been to recognize potential hazards. This has been
negatively influencing the ability of VitaCrux.
Step 2: Determining who and what has been harmed:
As the hazards are identified, the following step is to find out what business resources have
been negatively influenced as the risks originates (Fang et al. 2014).
Step 3: Evaluation of risks and developing control measures:
Risk analysis has been helpful to identify how the hazards have been impacting business
resources and has been measuring that it can be put in place for minimizing or eliminating the
impact those hazards over resources of VitaCrux.
Step 4: Recording the findings:
Here, the risk analysis findings has been recorded by the company and is needed to be easily
accessible with official documents (Kavanagh and Johnson 2017).
Thus the above discussion has showed various ranges of risks that VitaCrux can be exposed
to. The study is useful to understand the procedures of risk management that is needed to be included
in VitaCrux. The analysis provides the structure to investigate various kinds of IT/IS risks for the
organization (IEEE Spectrum: Technology, Engineering, and Science News, 2018).
11IS/IT RISK MANAGEMENT
5. References:
Chang, J.F., 2016. Business process management systems: strategy and implementation. CRC Press.
Cherry, B. and Jacob, S.R., 2016. Contemporary nursing: Issues, trends, & management. Elsevier
Health Sciences.
Coronel, C. and Morris, S., 2016. Database systems: design, implementation, & management.
Cengage Learning.
Csrc.nist.gov. (2018). SP 800-30, Risk Management Guide for Information Technology Systems |
CSRC. [online] Available at: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01
[Accessed 9 May 2018].
Fang, S., Da Xu, L., Zhu, Y., Ahati, J., Pei, H., Yan, J. and Liu, Z., 2014. An integrated system for
regional environmental monitoring and management based on internet of things. IEEE Transactions
on Industrial Informatics, 10(2), pp.1596-1605.
Greenberg, J.S., 2017. Comprehensive stress management. McGraw-Hill Education.
Hammer, M., 2015. What is business process management?. In Handbook on Business Process
Management 1 (pp. 3-16). Springer, Berlin, Heidelberg.
IEEE Spectrum: Technology, Engineering, and Science News. (2018). Whose Risk? Whose
Responsibility?. [online] Available at: https://spectrum.ieee.org/at-work/tech-careers/whose-risk-
whose-responsibility [Accessed 9 May 2018].
ISO. (2018). The new ISO 31000 keeps risk management simple. [online] Available at:
https://www.iso.org/news/ref2263.html [Accessed 9 May 2018].
5. References:
Chang, J.F., 2016. Business process management systems: strategy and implementation. CRC Press.
Cherry, B. and Jacob, S.R., 2016. Contemporary nursing: Issues, trends, & management. Elsevier
Health Sciences.
Coronel, C. and Morris, S., 2016. Database systems: design, implementation, & management.
Cengage Learning.
Csrc.nist.gov. (2018). SP 800-30, Risk Management Guide for Information Technology Systems |
CSRC. [online] Available at: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01
[Accessed 9 May 2018].
Fang, S., Da Xu, L., Zhu, Y., Ahati, J., Pei, H., Yan, J. and Liu, Z., 2014. An integrated system for
regional environmental monitoring and management based on internet of things. IEEE Transactions
on Industrial Informatics, 10(2), pp.1596-1605.
Greenberg, J.S., 2017. Comprehensive stress management. McGraw-Hill Education.
Hammer, M., 2015. What is business process management?. In Handbook on Business Process
Management 1 (pp. 3-16). Springer, Berlin, Heidelberg.
IEEE Spectrum: Technology, Engineering, and Science News. (2018). Whose Risk? Whose
Responsibility?. [online] Available at: https://spectrum.ieee.org/at-work/tech-careers/whose-risk-
whose-responsibility [Accessed 9 May 2018].
ISO. (2018). The new ISO 31000 keeps risk management simple. [online] Available at:
https://www.iso.org/news/ref2263.html [Accessed 9 May 2018].
1 out of 12
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
 +13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024  |  Zucol Services PVT LTD  |  All rights reserved.