Information System Risk and Security Management Plan: Cornersea Shire

Verified

Added on 2023/06/13

AI Summary

This report provides a comprehensive risk management plan for The Shire of Cornersea, a medium-sized council, focusing on information system and security risks. It outlines the purpose, significance, risk appetite, and tolerance of the council, considering its management of diverse data sets. The plan includes risk identification, analysis & prioritization, treatment, control, monitoring, and reporting. Key roles and responsibilities are defined for IT management, infrastructure, security, and technical expertise. The report identifies information security, legal, resource, physical security, data backup, and natural hazard risks, along with a threat and vulnerability analysis. It assesses the likelihood and impact of these risks, highlighting significant threats like information security breaches and physical security vulnerabilities. The report concludes with recommendations for mitigating these risks, emphasizing the importance of robust security measures and data protection strategies. Desklib offers students access to this and other solved assignments.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

qwertyuiopasdfghjklzxcvbnmqw
ertyuiopasdfghjklzxcvbnmqwert
yuiopasdfghjklzxcvbnmqwertyui
opasdfghjklzxcvbnmqwertyuiop
asdfghjklzxcvbnmqwertyuiopasd
fghjklzxcvbnmqwertyuiopasdfgh
jklzxcvbnmqwertyuiopasdfghjkl
zxcvbnmqwertyuiopasdfghjklzxc
vbnmqwertyuiopasdfghjklzxcvb
nmqwertyuiopasdfghjklzxcvbnm
qwertyuiopasdfghjklzxcvbnmqw
ertyuiopasdfghjklzxcvbnmqwert
yuiopasdfghjklzxcvbnmqwertyui
opasdfghjklzxcvbnmqwertyuiop
asdfghjklzxcvbnmqwertyuiopasd
fghjklzxcvbnmqwertyuiopasdfgh
jklzxcvbnmrtyuiopasdfghjklzxcv
Information Systems Risk & Security
The Shire of Cornersea
4/11/2018

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Information System Risk & Security
Table of Contents
Introduction...........................................................................................................................................2
Purpose..............................................................................................................................................2
Significance.......................................................................................................................................2
Risk Appetite & Risk Tolerance........................................................................................................2
Risk Management Plan – An Outline....................................................................................................3
Scope & Boundaries..........................................................................................................................3
Schedule............................................................................................................................................4
Risk Assessment....................................................................................................................................5
Key Roles & Responsibilities............................................................................................................5
Proposed Schedule.............................................................................................................................6
Information Assets & Systems at Risk..................................................................................................6
Threat & Vulnerability Analysis............................................................................................................7
Likelihood & Impact Analysis of Risks.................................................................................................8
Significant Risks for the Shire of Cornersea..........................................................................................9
Risk Assessment Table........................................................................................................................10
Recommendations & Conclusion........................................................................................................10
References...........................................................................................................................................12
Appendix.............................................................................................................................................13
Gantt chart.......................................................................................................................................13
1

Information System Risk & Security
Introduction
The Shire of Cornersea is a medium-sized council that is spread over the area of 900 square
kilometres. There are twenty townships and 18 postal districts in the council with a
population of over 150000. The residents are from diverse cultural and ethnic backgrounds,
such as Europe, Asia, and Africa. There are numerous risks that are identified in relation with
the information system and information security of the council. There are also legal risks,
physical security risks, resource risks, risks of natural hazards, and communication risks that
may take place. The report covers a risk management process for the council.
Purpose
The purpose of the plan is to highlight the outline and schedule that will be followed in risk
management process associated with The Shire of Cornersea. The plan is also prepared to
define the key roles and responsibilities for risk management and assess the risks in terms of
likelihood, impact, and priority.
Significance
The risk management plan is extremely significant for The Shire of Cornersea as there are
information security and information system risks that may occur. These risks shall be
prevented, controlled, detected, and avoided with the aid of this plan failing which there may
be adverse implications on the council and its associated entities.
Risk Appetite & Risk Tolerance
The Shire of Cornersea is composed of 150000 residents and manages huge data sets
associated with its residents. These data sets comprise of varied categories of information,
such as public information that may comprise of location details of the council, facilities, and
services offered, etc. There are also private, sensitive, and confidential data sets associated
with the council as well (Calandro, 2015).
For instance, demographic and health details of the residents is extremely private and
confidential in nature. The legal norms and principles that the council shall maintain along
with the regulatory policies is also sensitive information. The internal processes and
information is private information.
The risk tolerance level would be high for public information sets as compared to the private,
confidential, or sensitive data. The Shire of Cornersea is exposed to numerous risks and
2

Information System Risk & Security
vulnerabilities that are covered in the later sections of the report; however, the risks with low
probability and low impact levels may be tolerated.
Risk Management Plan – An Outline
Risk Management Process
An outline of the risk management plan has been depicted in the diagram above. There will
be five processes involved in the risk management plan viz. risk identification, risk analysis
and prioritization, risk treatment, risk control, and risk monitor & report.
The first process will include a listing of all the risks that may occur in association with The
Shire of Cornersea irrespective of their probability and impact score. There will be
information investigation techniques, such as interviews, surveys, observations, and domain
analysis conducted to identify the risks (Bromiley, Rau and McShane, 2014).
The second process will analyse and prioritize the risks identified. In this process, a risk
assessment table will be developed that will include the probability and impact score for each
risk and a priority will be assigned accordingly.
The risk treatment process will include the assigned of a treatment strategy to each risk that
may include risk avoidance, risk mitigation, risk acceptance, or risk transfer. The strategy
selected will be implemented for each risk (Frigo and Anderson, 2011).
The risk control process will be applied in the fourth process. It will include the attempts to
reduce the risk impact on the council and its associated entities and may include controls,
such as internal controls, preventive, or detective controls (Ykhlef and Algawiaz, 2014).
The application of the risk treatment strategy and risk controls will be monitored in the last
process and the risk reports will be prepared to trach status and completion.
Scope & Boundaries
The scope of risk management process will cover the identification, analysis & prioritization,
treatment, control, monitoring and reporting of the risks. The identification process will
3
Risk
Identification
Risk Analysis
and
Prioritization
Risk
Treatment Risk Control Monitor &
Report

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Information System Risk & Security
include risk planning as well which will include data collection process and distribution of
key roles and responsibilities along with estimation of schedule and budget (Schiller and
Prpich, 2013).
Schedule
4

Information System Risk & Security
Risk Assessment
Key Roles & Responsibilities
 Lex Georghiu – IT Manager: Development of a risk management plan and strategy
for The Sire of Cornersea and ensure that the risks are avoided, prevented, controlled,
and detected. Risk monitoring and control processes (Arnaboldi and Lapsley, 2014).
 Mal Locking – Director of Infrastructure: Assistance and support to Lex by providing
the relevant information on that may improve the processes of risk identification,
analysis, and treatment, approvals on the deliverables.
 Wolfgang Kauffman – Development Team Leader: Assistance and support to Lex by
providing the relevant information on that may improve the processes of risk
identification, analysis, and treatment.
 Chief Information Security Officer (CIO): Assistance and support to Lex by providing
the relevant information on that may improve the processes of risk identification,
analysis, and treatment.
 Business Analyst: Analysis of the council policies, norms, and principles to provide
information on the business strategies to be developed and implemented, maintenance
of ethical compliance.
 Security Advisor: Providing information on the latest security controls and
mechanisms that can be applied.
 Environmental Expert: Listing and identification of the probable environmental
changes that may impact the council in an adverse manner, identification and
assessment of the environmental risks.
 Technical Expert: Analysis of the technical components and applications associated
with the council to identify, assess and prioritize technical risks.
 Technical Writer: Status reporting and documentation of the risk completion report.
 Legal Expert: Details on the legal and regulatory aspects and ensuring that legal
compliance is always maintained to avoid any obligations.
5

Information System Risk & Security
Proposed Schedule
Information Assets & Systems at Risk
These data sets at the council comprise of varied categories of information, such as public
information that may comprise of location details of the council, facilities, and services
offered, etc. There are also private, sensitive, and confidential data sets associated with the
council as well. For instance, demographic and health details of the residents is extremely
private and confidential in nature. The legal norms and principles that the council shall
maintain along with the regulatory policies is also sensitive information. The internal
processes and information is private information (Tohidi, 2011).
The information assets and systems are at risk and the top 6 risks are described below.
Information Security Risks: There may be information security risks that may come up and
may involve malware attacks, denial of service attack, distributed denial of service attack,
media alteration attack, message alteration attack, eavesdropping attack, man in the middle
attack, spoofing attack, phishing attack, database injection attack and account hijacking attack
Legal Risks: There are various laws followed and implemented in the council as road and
transport laws, local laws, waste management, food transportation laws, and likewise. Non-
compliance or violation of these laws or improper handling by the IT department may result
in legal obligations.
6

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Information System Risk & Security
Resource Risks: The recent employee turnover and leaves may lead to scarcity of the
resources or may impact the productivity and efficiency levels of the existing resources.
Physical Security Risks: The access to the IT department is not secure and protected by
strong access control mechanisms. This may lead to unauthorized access to the area and
exposure of confidential data and information.
Data Backup & Data Loss Risks: There has been no testing on the data backup process
since the initial testing was performed. There may be performance issues associated with the
backup process which may lead to data loss or leakage.
Risks of Fire/Natural Hazards: The server room of the council does not have a separate fire
extinguisher system that may lead to unrecoverable data loss in case of fire.
Threat & Vulnerability Analysis
The risks with the highest priorities include information security risks and attacks, data
backup (data loss) risks, and physical security risks. The threats associated with the resources
engaged with the council are also of a great concern as the scarcity of the resources may lead
to the breakdown of service and business continuity.
There are several vulnerabilities present in The Shire of Cornersea. The first category is the
network security vulnerabilities. The network security protocols and access points used in the
current systems may provide the attackers to have a larger attack window and attack surface
making it easier for them to give shape to the information security risks and attacks. There
are a number of information security risks that the council is exposed due to the
vulnerabilities present in the systems and networks. These vulnerabilities, such as insecure
access points, weak passwords, poor access control and authentication mechanisms etc. may
be used by the malicious entities to give shape to the security attacks. The poorly tested
backup system and processes and lack of physical security in the IT division and server room
may lead to occurrence of the risks such as exposure of confidential information to the
unauthorized entities and likewise (Brustbauer, 2014).
There can be any non-IT member that may gain access to the IT department and may look in
to the operations being carried out by the resources or over-hear the discussions on important
system operations being executed by the team. This may lead to exposure of the information
to the unauthorized entity. With the current state of untested back-up processes, the system
7

Information System Risk & Security
may fail to capture the data sets in such situations leading to increased damage and difficulty
in the process of disaster recovery.
Likelihood & Impact Analysis of Risks
The operational risks and risks of fire and natural hazards will have low probability. It is
because the natural hazards and similar occurrences seldom take place and the operational
issues associated with the systems is also less due to familiarity of the resources with the
systems in place. The probability of legal, ethical, supplier, and communication risks has
been found to be moderate while technical risks, data back & data loss risks, and technical
risks may have high probability. Due to increased security vulnerabilities, the information
security risks and physical security risks have a very high probability.
The impact of resource risks, legal risks, ethical risks, information security and physical
security risks, and risks of fire or natural hazards will be high. It will be because legal
obligations, ethical non-compliance, resource scarcity or drop in productivity, compromise of
information properties, and damage to lives and properties will not be easy to recover from.
Supplier, communication, technical risks will have an intermediate impact as there will be
mitigation techniques in place to control the damage. The occurrence of operational errors
and mistakes will have a mild impact.
Significant Risks for the Shire of Cornersea
 Information Security Risks & Attacks: These risks will have severe impact and high
probability that may result in compromise on the information properties, such as
confidentiality, integrity, and availability.
 Physical Security Risks: The entry to the IT department or data centres by an
unauthorized entity will lead to compromise on the security of the systems and the
data sets. The impact and probability of these risks are high making it significant in
nature.
 Resource Risks: The human resources are the most significant organizational assets
and a drop in their productivity and efficiency levels or lack of satisfaction will be of
a great concern for the council.
 Data backup & data loss risks: The poor and untested backup processes may lead to
permanent data loss that may cause legal obligations and poor reputation in the
8

Information System Risk & Security
market for the council. The possible consequences and higher probability of the risk
makes it significant.
 Technical Risks: There are technical systems and applications that are used in the
council that may turn faulty. These risks will be significant if they impact the
continuity of operations.
Risk Assessment Table
The Shire of Cornersea Risk Assessment Table
Impact Severe Risk of Fire
& natural
hazards
Legal Risks
Ethical Risks
Resource
Risks
Data backup
– data loss
risks
Information
Security
Risks &
Attacks
Physical
Security
Risks
Intermediate Supplier Risks
Communication
Risks
Technical
Risks
Mild Operational
Risks
Low Moderate High Very High
Probability
Recommendations & Conclusion
The council must develop and implement risk controls for the avoidance and prevention of
the risks. For instance, it shall implement advanced technical controls, such as anti-denial
tools, intrusion detection and prevention systems, anti-malware tools, firewalls, etc. to
prevent the information security risks from taking place. It must also use encryption
techniques for data protection (Domanski, 2016). The state of physical security shall be
improved by implementing multi-fold authentication, biometric authentication, and advanced
access control. The security and safety against fire or other natural hazards shall be upgraded
and implemented in all the sections and divisions. There must be standard protocols and
9

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Information System Risk & Security
policies followed for communication internally and externally and tele-communication
protocols and secure information sharing portals shall be included. There shall also be
resource engagement and assessment programs carried out to maintain the motivation of the
resources and bring down the employee turnover rate (Merigo, 2014).
10

Information System Risk & Security
References
Arnaboldi, M. and Lapsley, I. (2014). Enterprise-wide risk management and organizational
fit: a comparative study. Journal of Organizational Effectiveness: People and Performance,
1(4), pp.365-377.
Bromiley, P., Rau, D. and McShane, M. (2014). Can Strategic Risk Management Contribute
to Enterprise Risk Management? A Strategic Management Perspective. SSRN Electronic
Journal.
Brustbauer, J. (2014). Enterprise risk management in SMEs: Towards a structural model.
International Small Business Journal, 34(1), pp.70-85.
Calandro, J. (2015). A leaderâ€™s guide to strategic risk management. Strategy &
Leadership, 43(1), pp.26-35.
Domanski, J. (2016). Risk Categories and Risk Management Processes in Nonprofit
Organizations. Foundations of Management, 8(1).
Frigo, M. and Anderson, R. (2011). Strategic risk management: A foundation for improving
enterprise risk management and governance. Journal of Corporate Accounting & Finance,
22(3), pp.81-88.
Merigo, J. (2014). Decision-making under risk and uncertainty and its application in strategic
management. Journal of Business Economics and Management, 16(1), pp.93-116.
Schiller, F. and Prpich, G. (2013). Learning to organise risk management in organisations:
what future for enterprise risk management?. Journal of Risk Research, 17(8), pp.999-1017.
Tohidi, H. (2011). The role of risk management in IT systems of organizations. Procedia
Computer Science, 3, pp.881-887.
Ykhlef, M. and Algawiaz, D. (2014). A New Strategic Risk Reduction For Risk
Management. International Journal of Computational Intelligence Systems, 7(6), pp.1054-
1063.
11