Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Risk Management in Information Systems

Verified

Added on 2020/02/24

AI Summary

This assignment delves into the crucial topic of risk management specifically applied to information systems. It examines diverse categories of security threats, analyzes common vulnerabilities, and explores established frameworks and methodologies for effectively managing these risks. The focus is on understanding how to identify, assess, and mitigate potential threats to ensure the security and integrity of information systems.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: VICTORIAN GOVERNMENT
Victorian Government
Name of the student
Name of the University
Author Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1VICTORIAN GOVERNMENT
Executive summary
The following report discusses about the topics related with the risks and threats affecting the
Victorian Government. The standards that are to be followed are also discussed in this report.
The chosen organization is the Victorian Protective Data Security framework. The report further
discusses about the risks in the form of a diagram.

2VICTORIAN GOVERNMENT
Table of Contents
Introduction:....................................................................................................................................3
Discussion:.......................................................................................................................................3
Risks and concerns:.....................................................................................................................4
Analysis of the diagram:..............................................................................................................6
Deliberate and accidental threats:................................................................................................8
Challenges:................................................................................................................................11
Risks and uncertainties:.............................................................................................................12
Risks and mitigation:.................................................................................................................14
Conclusion:....................................................................................................................................15
References:....................................................................................................................................16

3VICTORIAN GOVERNMENT
Introduction:
The Government of Victoria (VIC) is termed as the democratic and administrative
authorities that are used to manage the risks and threats involved in Victoria, which is a state of
Australia. The constitution of the VIC government shows the year of formation of the framework
in the year 1851. Victoria is considered as the commonwealth resource of Australia since the
year 1901. Due to the presence of commonwealth, Victorian government got their rights of
legislature and judiciary supremacy included under the Australian constitution. To address the
risks and threats in the public sector organization of Victoria, the governing body known as the
Victorian Protective Data Security Framework (VPDSF) was formed. The organizational
framework comprising of the Victorian Protective Data Security Framework (VPDSF) includes
the Assurance Model, guides for security, supporting resources and the Victorian Protective Data
Security Standards (VPDSS). The resources used here are used to help the government involved
take effective decisions in ensuring the right allotment of access to the right people involved.
The following report discusses about the risks and threats that are currently present in the
Victorian government. The analysis of these risks in terms of high, low and medium is also
included in the report to be discussed. The challenges that can be faced in the public sector
organization are also included in the report. In addition, the uncertainties involved and the
mitigation of the risks are also included in the report.
Discussion:
The standards and protocols maintained in the Victorian Protective Data Security
Framework (VPDSF) are present to help the government make right decision when access to
certain information is given to a people. It ensures that the right of access to certain sensitive

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4VICTORIAN GOVERNMENT
information is not exploited in the name of unauthorized access (Toohey, 2016). The standards
and protocols that are being followed comply with the national and international laws of policies
and standards. The operations and processing of the public sector organizations and the public
agencies involved with the Victorian government are identified by the Victorian Protective Data
Security Framework (VPDSF). The Assurance model followed by the VPDSF is used to follow
and monitor the activities that are currently undertaken in the various involved organization and
agencies (Redley & Raggatt, 2017). Moreover, the economic benefits and the security in
operation are also maintained by the assurance model. The VPDSF also promotes the need for
cultural changes in an organization by strengthening and upgrading the security protocols in the
organization. This facilitates the organization involved in doing their operations while complying
with the various standards and policies.
Risks and concerns:
The presence of various risks and concerns as identified by the government of Victoria is
being discussed in this section. The respective fields of the risks and threats involved are to be
addressed to provide solutions to each of them. The steps for addressing the identified risks and
threats, various steps are to be followed. However, the threats and risks are different for two
different governing bodies ("VICTORIAN PROTECTIVE DATA SECURITY
FRAMEWORK", 2017). The Commissioner for privacy and protection of data (CPPD) needs to
establish the framework needed to monitor the operations of the organization of the public
sector. The presence of promotion of security standards and policies are to be emphasized by the
CPPD and the need for formal reporting of the security assessment profiles are also to be
emphasized.

5VICTORIAN GOVERNMENT
For the process followed by the public sector organizations, the need for developing and
assessing the security profile and the security plan development is emphasized. The annual
attestation of CPPD is also emphasized by the process followed in the public sector organizations
(Peltier, 2013). The VPDSF has made successful analysis that notifies the presence of 18
requirements for emphasizing the protection of the information associated with the public sector
organization. This data analysis has made the presence of four specific domains to address,
which consists of information, physical security, ICT and personnel.
Fig: Risks and concerns identified
(Source: Made by the author)
The CIA triangle corresponds to the confidentiality, integrity and availability. The model is used
to provide guidelines addressing the policies for security of information in the organization
involved (Sadgrove, 2016). Confidentiality in the model refers to the limit of access to the

6VICTORIAN GOVERNMENT
resource present. Integrity is the presence of accuracy and trust in the information present.
Availability is the presence of guaranteed access to the information.
Fig: CIA triangle
(Source: Made by the author)
Analysis of the diagram:
The diagram of risks and threats presented in the diagram of the above topic clearly
depicts the awareness of such concerns. The different aspects depicted in the diagram are the
physical security, personnel, information and ICT. These are the main aspects that are addressed
by the standards and policies followed by the VPDSF. The risks and concerns are depicted as:
High-risk areas Medium-risk areas Medium-Low risk areas Low-risk areas
Security in information ICT Policies and
responsibilities of the
organization
Public sector
organizations
National and
international securities
Compliance with
standards

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7VICTORIAN GOVERNMENT
The analysis of the diagram is made in respect to the areas depicted in the table. These
include the high-risk areas, medium-risk areas, medium low and low-risk areas. The high-risk
aspects are present in the Information securities and securities in national or international
standards. However, the problems that are present in the information securities includes the
disclosure of information in organizations involved, unauthorized access and data destruction,
which can affect the operation on a large scale (Sadgrove, 2016). The security related to the
computer and its associated aspects are included in the information security. The assurance of
information is termed as the assurance of trust in the information regarding the CIA model
discussed above. In addition, the security of national and international standards is used to refer
to the protection of assets, which is directly related to the protection of national and international
standards. This portion is also of high importance, as the measures to analyze the importance in
compliance to their standards should be followed.
The ICT security is included in the areas of medium risk and concerns. The ICT security
is used to define the security provided in the information shared via communications. This aspect
of ICT is same as that of the information security but the direct emphasis is given to the security
on communications (Almeida, Hankins & Williams, 2016). The telecommunication aspect gives
the people the advantage to communicate with each other without the requirement of any
problems.
The medium low risk areas include the policies and responsibilities of the various public
sector organization involved with the VIC government. The need for compliance with the
government standards is also a place of medium low risk. The policies and responsibilities of the
various public sector organizations are to be addressed so that the threats and risks in their

8VICTORIAN GOVERNMENT
assessment are minimized. In addition, the need for compliance to the standards and protocols
are to be maintained as the risks and threats involved in the assessment of the standards are to be
followed. This is the reason of placement of the risks in the medium low zone.
The low risk aspects include the public sector organization. These organizations are
intended to serve the public and protection of their assets is required (Almeida, Hankins &
Williams, 2016). These places are prone to risk by the outsiders as the present of certain
individual may try to get information that jeopardizes the activity of the affected individual. This
is the reason of implementation of enhanced security protocols to help address them.
Deliberate and accidental threats:
The provided document reference the need for applying enhanced security protocols in
the public sector organization for protecting the assets present. The risks for security are to be
identified and analyzed to follow the risk management standards. The public sector organization
needs the acquisition of data from the public to facilitate effective operation. The users of this
organization provide the information as the need to access is acquired from it. This in turn
requires the organization involved with the public services to assure the effectiveness of their
work and the security in their information content (Cole, Giné & Vickery, 2017). Although, the
presence of public information like the user credentials including the name, address and other
aspects, the company or organization involved must provide assurance in not exploiting the
acquired resource as this may lead to problems in trust and ethics if hampered with. This is the
basic threat that is a place for concern among all organizations dealing with pubic services.
Deliberate threats are those types of threats that are done with the sole intent of getting
unauthorized information or access to a system. With respect to an organization, the deliberate
threats are those that involve trespassing in the system to get access, sabotage of system,

9VICTORIAN GOVERNMENT
extortion and software attack. These types of attacks are those one, which involves the misuse of
security standards followed by the organization to get the required information or access in an
unethical way. This is a major concern that is present in all the organizations and the need for
enhanced and strong security protocols for addressing such concerns are required to be present or
else the operation of the organization can be hampered leading to extreme loss of business
(Nurse et al., 2014). However, the sabotage in system and the software attacks are the most
important place of concern in the system as they can affect the system in an extreme way and the
security standards must address them to ensure the operations of the organization involved. The
information security and the ICT are the main places where these deliberate threats can take
place. The reason for effective security standards are the threats to these aspects. Another place
where the deliberate threats are possible is the compliance of the service providers. The service
providers may not comply with the government standards due to the presence of discrepancies
and the provision of unsuccessful products to the public sector organization will take place. This
can lead to risks to the public sector sensitivity. However, the first level of importance are to be
given to the information security and ICT security as the problems faced in these sectors can lead
to major effects in the system (Pritchard & PMP, 2014). An example for an attack that was
supposed to be deliberate is the civilian attack in Catalonia. The main suspect is a van, which
was made to go through the crowded places that led to major injuries of the affected individuals.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10VICTORIAN GOVERNMENT
Fig: Threats
(Source: Created by the author)
The attacks that are supposed to be accidental are those attacks that do not follow a
pattern and control of these attacks is not possible. However, the impacts of these attacks can be
lessened. These attacks are not intentional. The natural disasters, human errors in working or
technical issues are the accidental threats. These threats cannot be controlled but if present, the
operation can be impacted in some extreme cases. However, the technical errors and human
errors can be significantly reduced (Luiijf, 2012). As these problems, involve the threats
occurring due to human problems, the presence of such errors can be minimized. The technical
errors occur due to the negligence of employees or the public individuals and the faulty
management of the devices like lack of internet access. The presence of such threats can be
reduced by efficient and regular training and presence of personnel to help address the issues.
However, the natural disasters cannot be controlled or reduced at all. Nevertheless, the impact it
creates can be reduced. The need for backup of the acquired data both internally and externally is
required. Internal backup means saving up the recent work in the device to roll back the changes
once affected. External backup means the presence of cloud to store the backed up information.
After the passage of the disaster, the changes that were saved can be rolled back and the
operation can continue without any grievances. The organizational polices as well as the
standards of national and international level are a place where the accidental problems are
eminent. The policies may not always comply with the set standards due to many accidental
reasons. One such example of an accidental threat is the ransomware attack on an oil company in
Russia. The company is a very well known one operating in Russia (Davies, 2014). Due to such
attacks in the system, the company faced grave threats and the need to secure the system was

11VICTORIAN GOVERNMENT
implemented by halting the operations in information technology department. The ransomware
attacks made by the hackers did not target the organization, which makes this a possibility for an
accidental attack.
Challenges:
During the conduction of risks and threats internal assessment, the public sector
organization need to determine the already set standards and policies present in the policies but
during the external assessment of the risks or threats involved, the assessment reports conducted
by the public sector organization are to be submitted to the Commissioner for privacy and Data
Protection (CPDP). During the internal assessment, the organization to be involved is to carry
out the required assessment (Jouini, Rabai & Aissa, 2014). The accountability and responsibility
for assessment are given to the public sector organization. The CPDP is responsible to help the
organizations involved to carry out the assessments. In addition, during the conduction of
external assessment, the accountability and responsibility for the execution of the assessment is
present with the CPDP itself. The public sector organizations are then consulted for carrying out
the assessment effectively. The assessment is then reported to the organizations involved.
The CPDP is considered responsible for establishing the framework necessary to
maintain and monitor the activities of the information and data in the public sector organization.
The promotion of security related parameters are also done by the CPDP itself. The maintenance
and audits of assessment are made to see the impact of compliance to the set standards. The
recommendation to the system and the formal reporting in terms of the security of the system is
also maintained by the CPDP (Heazle et al., 2013). Moreover, the research for upgrading the
policies and security protocols are also conducted by the CPDP itself.

12VICTORIAN GOVERNMENT
For assessment of the required responsibilities, the presence of certain procedures in the
step is required to carry out the report. They are also required to make and maintain the
Protective data Security Plan (PDSP) and Security Risk Profile Assessment (SRPA). The
organizations are also required to provide the resources needed for carrying out the assessment
by the CPDP (Paschen & Beilin, 2017). Moreover, the compliance of the standards is to be
followed as ensuring the protection of government assets are to be maintained. The internal
formal reporting mechanism and audit process are followed by the organization to do their
operation effectively.
The VIC government is required to implement the technology adopted by the digital
innovation in the system. The protocols, which define such digital activities, are required for
performing and maintaining the smooth operation in the system involved. To implement this, the
present security protocols are to be upgraded and constantly reviewed to ensure effective
performance in terms of operation (DeAngelo & Stulz, 2015). This will help the organization
involved to conduct better assessment of the risks or threats and help in understanding the
concepts more.
Risks and uncertainties:
Risks are defined as a state of condition where loss or profit pertaining to a decision is
present. Risks can also be associated with an interaction of uncertainty (Howes et al., 2015). In
financial aspect, the deduction of loss in the business is a risk.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13VICTORIAN GOVERNMENT
Fig: Risks and uncertainties
(Source: Created by the author)
The uncertainties in the system are termed as the complete absence of information
about a certain parameter form the system. Uncertainty is the presence of a situation without the
presence of the description (Glendon, Clarke & McKenna, 2016). It is seen in future analysis
predictions where the descriptions are totally missing.
The various risks included in this section are the ICT and the information security. The
national and international policies are not always constant and thus risks in operational
requirement are always evident. The service compliance are the uncertainties as the presence of
compliance can be present or not at all (Hopkin, 2017). The security of information and ICT are
a place where risks are evident as the presence of any implications can jeopardize a large
prospect in the system. In addition, information in a public sector organization is always
subjected to risks as unauthorized access and breach is always a mechanism that is affecting the
system constantly. However, the national and international standards are an aspect where

14VICTORIAN GOVERNMENT
uncertainties are present due to their constant change in nature(Loke et al., 2016). Thus, the
factor of uncertainty always shows in the compliance of the international and national standards.
Risks and mitigation:
The risks and the mitigation techniques followed by VIC government is done to address
the threats and the risks faced by them. The use of security protocols are done to assess the
presence of security in the system involved. The risk management techniques are included in the
public sector organizations to maintain the risks and security involved (Howes et al., 2015). The
VPDSF are used to address the risks involved in doing their operations and the approach for
mitigation is included in the standards of the VPDSF. This helps in safe business operation of the
organization involved. To ensure the mitigation of risks is addressed, the presence of four
protocols in the system is evident in the VIC government.
The first protocol of the mitigation procedure claims that the sponsorship for risk
management should be present in the constitutional framework ("VICTORIAN PROTECTIVE
DATA SECURITY FRAMEWORK", 2017). The second protocol defines the need for analyzing
and registering the risks that are evident in the organization involved. The third protocol requires
the assessment of monitoring of risks involved and their addressing to meet the analyzed risks.
The last protocol refers to application of improvement in the present security protocol by the
organization.
Conclusion:
The VIC government needs the operating presence of the VPDSF to help in identification
of the risks and threats involved in the security of the four major domains identified in the public
sector organization. The following report concludes by showing the usefulness and effectiveness

15VICTORIAN GOVERNMENT
of various standards involved for the public sector organizations to address the various risks or
uncertainties identified.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16VICTORIAN GOVERNMENT
References:
Almeida, H., Hankins, K. W., & Williams, R. (2016). Risk management with supply
contracts. The Review of Financial Studies.
Cash, C. E., & Securities, M. (2014). Risks and Uncertainties.
Cole, S., Giné, X., & Vickery, J. (2017). How does risk management influence production
decisions? Evidence from a field experiment. The Review of Financial Studies, 30(6),
1935-1970.
Davies, J. C. (2014). Comparing environmental risks: tools for setting government priorities.
Routledge.
DeAngelo, H., & Stulz, R. M. (2015). Liquid-claim production, risk management, and bank
capital structure: Why high leverage is optimal for banks. Journal of Financial
Economics, 116(2), 219-236.
Glendon, A. I., Clarke, S., & McKenna, E. (2016). Human safety and risk management. Crc
Press.
Heazle, M., Tangney, P., Burton, P., Howes, M., Grant-Smith, D., Reis, K., & Bosomworth, K.
(2013). Mainstreaming climate change adaptation: An incremental approach to disaster
risk management in Australia. Environmental Science & Policy, 33, 162-170.
Hopkin, P. (2017). Fundamentals of risk management: understanding, evaluating and
implementing effective risk management. Kogan Page Publishers.
Howes, M., Tangney, P., Reis, K., Grant-Smith, D., Heazle, M., Bosomworth, K., & Burton, P.
(2015). Towards networked governance: improving interagency communication and
collaboration for disaster risk management and climate change adaptation in
Australia. Journal of Environmental Planning and Management, 58(5), 757-776.

17VICTORIAN GOVERNMENT
Hsu, W. K., Tseng, C. P., Chiang, W. L., & Chen, C. W. (2012). Risk and uncertainty analysis in
the planning stages of a risk decision-making process. Natural Hazards, 61(3), 1355-
1365.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in
information systems. Procedia Computer Science, 32, 489-496.
Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley & Sons.
Loke, P., Koplin, J., Beck, C., Field, M., Dharmage, S. C., Tang, M. L., & Allen, K. J. (2016).
Statewide prevalence of school children at risk of anaphylaxis and rate of adrenaline
autoinjector activation in Victorian government schools, Australia. Journal of Allergy
and Clinical Immunology, 138(2), 529-535.
Luiijf, E. (2012). Understanding cyber threats and vulnerabilities. In Critical Infrastructure
Protection (pp. 52-67). Springer Berlin Heidelberg.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts,
techniques and tools. Princeton university press.
Morris, J., Beedell, J., & Hess, T. M. (2016). Mobilising flood risk management services from
rural land: principles and practice. Journal of Flood Risk Management, 9(1), 50-68.
Nurse, J. R., Buckley, O., Legg, P. A., Goldsmith, M., Creese, S., Wright, G. R., & Whitty, M.
(2014, May). Understanding insider threat: A framework for characterising attacks.
In Security and Privacy Workshops (SPW), 2014 IEEE(pp. 214-228). IEEE.
Paschen, J. A., & Beilin, R. (2017). How a risk focus in emergency management can restrict
community resilience–a case study from Victoria, Australia. International Journal of
Wildland Fire, 26(1), 1-9.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.

18VICTORIAN GOVERNMENT
Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.
Redley, B., & Raggatt, M. (2017). Use of standard risk screening and assessment forms to
prevent harm to older people in Australian hospitals: a mixed methods study. BMJ Qual
Saf, bmjqs-2016.
Sadgrove, K. (2016). The complete guide to business risk management. Routledge.
Toohey, A. (2016). New Victorian protective data security standards roll-out: Will you be at the
table?. IQ: The RIM Quarterly, 32(2), 16.
VICTORIAN PROTECTIVE DATA SECURITY FRAMEWORK. (2017). Retrieved 18 August
2017, from
https://www.cpdp.vic.gov.au/images/content/pdf/data_security/20160628%20VPDSF
%20Framework%20June%202016%20v1.0.pdf

1 out of 19

+13062052269

info@desklib.com

Risk Management in Information Systems

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Risk Management in Information Systems

Information Security Risks and Mitigation Strategies

Information Security and Privacy Challenges

Risk Management Strategies and Practices

Cybersecurity for Victorian Public Sector

Victorian Government Risk Management