IT Risk Management: Assessing Security Risks and Recommendations

Added on  2023-04-04

IT RISK MANAGEMENT
Executive summary:
ABC organization (tentative name) is a software company that develops innovative software products which it expects to sell in the near future. Most of the company's work, such as source code and documentation, is stored on cloud servers that can be reached over the internet by anyone, from anywhere (Risk). This data is of immense importance to the company, which has invested a considerable amount in it, so it must be protected against any breach of confidentiality or integrity. Administration of the server infrastructure is spread across a number of staff who have incomplete knowledge of the systems they manage, and many employees hold administrative access (Vulnerability). The company provides open, unrestricted and free internet access to all employees even though their jobs require only limited web activity (Vulnerability). The company has the following departments:
1. Research and development
2. Management
3. Human resources and legal
4. Finance
The organization does not follow any policy framework (Vulnerability), and there are no onboarding or offboarding processes for employees. There are six servers in total, each of them stand-alone with a vanilla operating system installed. These servers are neither up to date nor have they been patched for a long time (Vulnerability). The machines' addresses are publicly reachable and anyone can connect to them from the internet. Hardware and servers are procured from wherever individual employees see fit (Vulnerability). The hardware and software are not maintained at all, and some of it is very old. The servers hold all of the company's data, files, directories and other intellectual property; most corporate data is stored in an Oracle database (Research on Vulnerability). Employees work from home on their personal computers, from which they access all of the organization's data and services such as CVS. Data redundancy and fail-over are not implemented, so a single hardware failure or an erroneous change to the data can result in loss of data and services. The root/administrative password of the servers is known to almost every staff member (Vulnerability). Moreover, every user has an account on the servers regardless of whether they are an administrator, and many unused accounts are still active. The machines have been hacked in the past, yet this does not seem to concern the company much. No security software, such as a firewall or antivirus, is in place, nor is there any protection for online activity. There is no network segmentation: the servers and the workstations are on the same network. Additionally, the servers are located in a physical area that employees can easily access. There is no strict password policy; most systems share the same password, which is also easy to guess. Since the company's security architecture shows so many vulnerabilities, it should put basic security policies in place: strict administrative practices, password protection, encryption of data at rest and in motion, network security, VPN, strong work-from-home policies, security software, and training for employees and staff in best practices for handling the company's data and assets.
Security risk to information technology:
By the industry definition, an IT security risk is the potential for an event in which a vulnerability in a given service is exploited by a threat, causing harm to the organization and its business.
Risk: the potential for loss or damage to the organization or its architecture when a threat exploits a vulnerability, assessed by its likelihood and its impact.
Vulnerability: a weakness in an organizational asset, or group of assets, that can be exploited by a threat.
Threat: the potential for damage, disruption or destruction of resources or services through the exploitation of a vulnerability (ICT Monitor Worldwide, 2019).
To perform the risk assessment, we first categorize the services provided by ABC organization into the following asset classes:
1. Data assets: the company holds both corporate data and customers' personal data. This data is stored in the Oracle database, in company directories, files and folders, on hard disks and in the cloud.
2. Physical assets: all the tangible resources owned by the company, such as property, hardware, inventory, software and cash. These assets host and control the data. The company's most important physical assets are the servers and the operating systems installed on them.
3. Individual assets: the company's human assets, including the employees, owner, managerial staff and directors, all of whom hold the skills and knowledge required for the organization and its processes.
4. Intangible assets: the intellectual property of the company, for example copyright, confidential information, brand and trademarks.
5. Digital assets: the media files and other content owned by the company for business and marketing purposes.
Risk management approach
To perform a risk assessment of ABC organization, we can choose either of the following two methods:
Qualitative Risk Analysis: risks are prioritized for further action by assessing characteristics such as their impact and their probability of occurrence.
Quantitative Risk Analysis: the effect of each identified risk on the organization is analyzed numerically, including its uncertainty and overall outcome (Korsakiene, Smaliukiene & Bileisis, 2018).
For ABC organization we assess risk using qualitative risk analysis. The diagram below illustrates the qualitative risk analysis framework:
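As an added illustration of the likelihood/impact matrix that qualitative risk analysis relies on (example code written for this page, not taken from the report or from any cited source), the register below scores the findings from the executive summary on a four-level ordinal scale for each axis and buckets the product into a rating. The likelihood and impact levels assigned to each finding are assumptions made for the example; a real assessment would agree them with the asset owners.

```python
"""Qualitative risk analysis: rank the ABC organization findings by likelihood and impact.

The ratings assigned below are illustrative assumptions for the findings in the
executive summary, not values taken from the report.
"""
from collections import Counter
from dataclasses import dataclass

# Ordinal scale shared by both axes of the likelihood/impact matrix.
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass(frozen=True)
class Risk:
    asset: str          # asset class from the report (data, physical, individual, ...)
    vulnerability: str  # weakness that a threat could exploit
    threat: str         # event that exploits the vulnerability
    likelihood: str     # one of the keys of LEVELS
    impact: str         # one of the keys of LEVELS

    def score(self) -> int:
        """Cell of the 4x4 matrix: likelihood x impact, from 1 to 16."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Bucket the cell into the rating used for prioritisation."""
        s = self.score()
        if s >= 12:
            return "critical"
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


# Constructed register of the findings in the executive summary (ratings assumed).
REGISTER = [
    Risk("physical", "servers unpatched, publicly reachable, no firewall",
         "remote exploitation of a known flaw", "very high", "very high"),
    Risk("physical", "root password shared by almost all staff, many admins",
         "insider misuse or credential leakage", "high", "very high"),
    Risk("individual", "work from home on personal PCs with full data access",
         "malware on an unmanaged PC steals credentials or source", "high", "high"),
    Risk("data", "no redundancy or fail-over",
         "disk failure or a bad change destroys data", "medium", "very high"),
    Risk("data", "unused accounts left active, no off-boarding",
         "former employee or attacker reuses a dormant account", "medium", "high"),
    Risk("physical", "servers in an area all employees can reach",
         "tampering with or theft of a server", "low", "high"),
    Risk("individual", "unrestricted internet access not needed for the job",
         "drive-by download on a workstation", "medium", "medium"),
]


def prioritise(risks=REGISTER):
    """Highest score first; ties broken by asset and vulnerability so order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset, r.vulnerability))


def heat_map(risks=REGISTER):
    """Number of findings in each (likelihood, impact) cell of the matrix."""
    return Counter((r.likelihood, r.impact) for r in risks)


def by_rating(risks=REGISTER):
    """Number of findings in each rating bucket."""
    return Counter(r.rating() for r in risks)


if __name__ == "__main__":
    for r in prioritise():
        print(f"{r.score():2d} {r.rating():8s} {r.asset:10s} {r.vulnerability}")
    print(dict(by_rating()))
```

The thresholds (12 for critical, 6 for high, 3 for medium) are one common way to cut a 4x4 matrix; what matters for the method is that the same scale and cut-offs are applied to every finding so the ordering is defensible, and that the two "critical" items here (the unpatched, internet-facing servers and the shared root password) are treated before the rest.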