IT Risk Assessment Case Study

   

Added on 2020-04-01

16 pages, 5118 words
Contents

Executive Summary ........ 1
Project Review ........ 2
Security Posture of Aztek ........ 4
Risk Assessment ........ 7
Data Security ........ 12
Conclusions ........ 13
References ........ 14

Executive Summary

This report presents an IT risk assessment of a project at Aztek, a financial services organization from Australia. The objective is to explore the security challenges that would result from the company's implementation of a Bring Your Own Device (BYOD) scheme. A BYOD deployment adds employees' personal devices to the company infrastructure, so the security posture of the organization would change upon its adoption. The report explores the company's security posture and identifies and assesses the risks the organization would face under the new posture.

The report begins by exploring the industry best practices used for managing security systems in organizations that use BYOD. It also explores how the IT project could be affected by industry or government compliance requirements. Surveillance processes and industry standards such as the Workplace Privacy Act and the NSW acts are examined to understand the methods that can be used to strengthen the security posture of Aztek when deploying BYOD in the organization [CITATION Eng14].

The report identifies the various vulnerabilities and risks the company would face as a result of employees' mobile and tablet devices being used for official work. It also explores methods that can be used to protect the organization from exploitation of these vulnerabilities [CITATION Eur101]. The risks identified are assessed using a cybersecurity framework as the foundation. This includes forming a risk profile of Aztek, identifying the security systems used in the company and establishing a plan for improving the security posture. The five core functions identified in the framework, namely identification, detection, protection, response and recovery, are explored for the assessment. For each category and subcategory of risk, the security controls that can be used are identified [CITATION Nat111].

Lastly, the report analyzes security-related data from the financial industry to assess how BYOD affects a financial organization and what specific measures a financial organization must use to bring improvements and protect the company from security risks.

Project Review

Aztek is a financial services company based in Australia. The management of the organization is facing challenges in managing IT infrastructure costs and wants to minimize investment in IT systems. The management has therefore decided to implement a BYOD scheme in the organization, allowing its employees to use their own devices for office work. This project involves implementing the components and processes involved in developing and deploying the BYOD scheme [CITATION ACH13].

With the adoption of BYOD, the management would have to comply with several regulatory procedures and policies. Thus, before beginning the BYOD implementation, the related acts and regulatory policies need to be explored. The Australian Capital Territory is a key area of jurisdiction in Australia that has defined regulatory policies. At the level of the organization, a policy-based surveillance system can be used to track communication by employees. At other levels, including territory, state and federal, there are laws that regulate employees' access to the organization's systems. The use of access control systems on user devices and the prohibition on tracking or listening to employees are some of the compliance requirements of the project [CITATION APM17].

The NSW Act has been made for the management of employees such that they can be made part of the surveillance system even when they are outside their office premises. Surveillance could be done by preventing them from sharing confidential records, but this can go against the act. Covert surveillance is, however, allowed, in which the employee is monitored outside the office premises only after 14 days' advance notification [CITATION Sal141].

The Workplace Privacy Act 2011 (ACT) provides a framework for surveillance. As per this act, surveillance can be exercised by tracking what is sent or received by an employee outside the office premises on their official email accounts. This may not include exploration of the resources that employees use on a BYOD device [CITATION Pet141].

Another applicable act is the Telecommunications (Interception and Access) Act 1979, which covers the permissions for employers to intercept communication established between two employees without their knowledge. The act allows companies to track only the content during interception and not any other related information, such as the email addresses used, the time of communication and other metadata. The transmissions that can be intercepted this way are defined in section 5F of the act. This gives employees protection from misuse of resources, but it is limited [CITATION Hei10].

Employers create a usage policy that complies with the regulators and acts by adhering to rules on the following aspects:

- the type of surveillance that tracks communication
- how the surveillance would be done
- whether the surveillance is intermittent or continuous
- whether it will be for a limited time or throughout employment [CITATION Ala12]

As per the Privacy Act (APP 5), the policy can have the following provisions:

- if content is shared between two employees, the company may have visibility of it
- no personal information of consequence communicated between an employee and others may be recorded
- employees must know what information is made visible to the employer
- the privacy policy can define access and usage procedures for personal communications [CITATION Eur101]

The policy can also include procedures for data reporting inside and outside of the company [CITATION Pet141].

Security Posture of Aztek

When BYOD devices are added to the corporate network of the company, the security posture of the company would change, as the personal devices of employees would become part of the critical infrastructure of the organization. Thus, the risks that can arise as a result should be considered while building strategies for security management in the organization, so that its security posture can be bolstered [CITATION Ser11].

In the finance industry, there are certain barriers to the implementation of BYOD because of the security risks attached. In order to cope with these risks, regulations have been defined by various countries
