Analyzing IT Risk Management Practices for Enhanced Cyber Resilience

Added on 2020/03/16

The Importance of IS/IT Risk Management Practices in Improving an Organization's Cyber Resilience
Student’s name
Institution Affiliation(s)
Table of Contents
Introduction
Security Threats
    Natural Threats
The Vulnerability of the System
External Security Threats
    Weak Passwords
    Social Engineering
Internal Threats
    Unsatisfied Workers
    Unintended Threats
Levels of Physical Security
Ways to Improve the Security of Information Systems
Conclusion
References
Introduction
Being able to handle risks is as important as having a functioning information system. When
an organization implements an ERP, its security risks increase because of the way ERPs are
implemented: different modules are integrated together to achieve the organizational mission,
so a weakness in one module can expose the others. Risk management is therefore a strategic
issue in the implementation of ERP systems in any organization. The success of an ERP depends
on many factors, including technology (hardware and software), efficient design of processes,
and the utilization of human resources, the human resources being the users of the new ERP
solution. With this in mind, organizations should adopt a risk management strategy that
identifies and controls ERP implementation risks (Andress & Winterfeld, 2014). An organization
at risk is exposed to potential threats. "Risk management comprises risk assessment, risk
mitigation, and evaluation and assessment. Risk assessment is used to determine the extent of
the potential threat." Some tangible impacts of a successful threat are loss of revenue and the
cost of repairing a system that has been affected.
Security Threats
Information threats are real; therefore it is important not only to identify the threats but
also to know the vulnerabilities of the system and to look for ways of preventing these threats
from breaching the security of the information system. The threats may be grouped into the
following types:
Natural Threats
These are threats that are not caused by human beings. They include earthquakes, floods,
tornadoes, hurricanes, temperature extremes, and many others.
Intentional Threats. The best examples of intentional threats are computer crimes and purposeful
damage to property or to information.
Unintentional Threats. These threats include unauthorized or accidental modification of the
system. The best way to study the vulnerability of the system is to identify the threats and
then examine the system under those threats (Axelos, 2015).
The Vulnerability of the System
One has to think about business transactions that can lead to losses through abuse, fraud and
errors in the information system. Losses occur when users use the system in a manner they are
not supposed to, whether intentionally or not. There are also threats of intrusion and attack
from outsiders: people may steal or come across authorization credentials and enter the system
without the knowledge of the authorities, jeopardizing the integrity of the information in the
system database. In addition, there may be system abuse and fraud by insiders (Campbell, 2016).
Authorized users can attempt, and indeed succeed, in entering modules that they are not supposed
to enter, which is why each user's access should be limited to the modules and transactions
their job actually requires. Centralizing everything in the organization can become a
performance bottleneck and also makes it easier to sabotage the organization's entire
operations: an attacker only needs to stop the ERP from working and the organization will be
unable to operate.
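The insider problem described above, authorized users reaching modules they should not, is usually addressed with two checks: deny-by-default access based on the privileges a user's roles grant, and a segregation-of-duties review that flags users whose combined roles let them both initiate and approve the same business event. The following is an added example, not code from the report or from any ERP product; the privilege names, roles, conflicting pairs and user assignments are all constructed for illustration.

```python
"""Least-privilege and segregation-of-duties (SoD) check for ERP role assignments.

Added example with constructed data: privilege names (module.action), roles and
user assignments below are hypothetical and do not correspond to any ERP product.
"""

# Pairs of privileges that no single user should hold at the same time.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),   # create a vendor, then pay it
    frozenset({"po.create", "po.approve"}),            # raise and approve own purchase order
    frozenset({"payroll.edit", "payroll.approve"}),
    frozenset({"user.admin", "audit_log.delete"}),     # grant oneself rights and cover tracks
}

# Role -> privileges it grants.
ROLE_PRIVILEGES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "buyer": {"po.create"},
    "procurement_head": {"po.approve"},
    "sysadmin": {"user.admin"},
    "auditor": {"audit_log.read"},
}

# User -> roles assigned (constructed sample data).
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},        # can create a vendor and approve payment to it
    "carol": {"buyer", "procurement_head"},   # can approve her own purchase orders
    "dave": {"sysadmin", "auditor"},
}


def effective_privileges(user, assignments=ASSIGNMENTS, roles=ROLE_PRIVILEGES):
    """Union of the privileges granted by every role the user holds."""
    privs = set()
    for role in assignments.get(user, ()):
        privs |= roles.get(role, set())
    return privs


def check_access(user, privilege, assignments=ASSIGNMENTS, roles=ROLE_PRIVILEGES):
    """Deny by default: a user may act only with a privilege one of their roles grants.
    Unknown users and unknown roles therefore get nothing."""
    return privilege in effective_privileges(user, assignments, roles)


def sod_violations(assignments=ASSIGNMENTS, roles=ROLE_PRIVILEGES, conflicts=SOD_CONFLICTS):
    """Return {user: [(priv_a, priv_b), ...]} for every user whose combined roles grant
    both halves of a conflicting pair. Checking the union matters: each role on its
    own may be harmless, the combination is what creates the fraud path."""
    report = {}
    for user in sorted(assignments):
        privs = effective_privileges(user, assignments, roles)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= privs]
        if hits:
            report[user] = sorted(hits)
    return report


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        print(f"SoD violation for {user}: {pairs}")
    print("alice may approve payments:", check_access("alice", "payment.approve"))
```

Run this whenever role assignments change; the SoD report is the list of users whose access should be split across two people before the ERP goes live.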
External Security Threats
Weak Passwords
Using dictionary attacks, intruders can correctly guess the passwords used in the ERP system and
thereby cause malicious damage to the system or gain access to otherwise confidential
organizational data, compromising its integrity. To reduce this threat, the organization should
enforce strong passwords that do not reduce to dictionary words, limit the rate of failed login
attempts so that guessing is impractical, and combine passwords with a second factor such as
biometrics to strengthen the authentication mechanism (Dwivedi, 2014).
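A password policy that only counts length and character classes still accepts "P@ssw0rd2020", which any dictionary-attack rule set recovers in one step. The following added example (not code from the report) checks candidate passwords the way an attacker's rules would, by undoing leet substitutions and stripping the digits and symbols people append, and pairs that with a failed-login throttle so that even a weak password cannot be guessed online at dictionary speed. The wordlist and thresholds are constructed stand-ins for a real breached-password list and the organization's own policy.

```python
"""Password-policy check resistant to simple dictionary-attack tricks, plus a
failed-login throttle. Added example; the wordlist and thresholds are constructed."""
import re

# Constructed stand-in for a real wordlist such as a breached-password corpus.
COMMON_WORDS = {
    "password", "welcome", "letmein", "admin", "qwerty", "secret",
    "summer", "winter", "company", "erp", "finance",
}

# Leet-speak substitutions attackers apply automatically, so the checker undoes them.
LEET = str.maketrans("@01345$", "aoleass")
EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")   # digits/punctuation tacked onto the ends


def candidate_roots(password):
    """Normalised forms an attacker's rule set would try: lower-case, leet undone,
    leading/trailing digits and symbols stripped, in both orders."""
    low = password.lower()
    return {
        EDGE_JUNK.sub("", low.translate(LEET)),
        EDGE_JUNK.sub("", low).translate(LEET),
    }


def evaluate_password(password, min_length=12, min_classes=3, wordlist=COMMON_WORDS):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    hits = sorted(root for root in candidate_roots(password) if root in wordlist)
    if hits:
        problems.append(f"dictionary word after normalisation: {hits[0]}")
    return problems


class LoginThrottle:
    """Lock an account after too many failures inside a sliding window. The policy
    check above limits what a password can be; this limits how fast it can be guessed."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}   # account -> list of failure timestamps (seconds)

    def _recent(self, account, now):
        stamps = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = stamps
        return stamps

    def record_failure(self, account, now):
        """Register a failed attempt at time `now`; return True if the account is now locked."""
        stamps = self._recent(account, now)
        stamps.append(now)
        return len(stamps) >= self.max_failures

    def is_locked(self, account, now):
        return len(self._recent(account, now)) >= self.max_failures


if __name__ == "__main__":
    for pw in ("P@ssw0rd2020", "Welcome1!", "correct horse battery staple 42!"):
        print(f"{pw!r}: {evaluate_password(pw) or 'OK'}")
    throttle = LoginThrottle()
    locked = False
    for i in range(5):
        locked = throttle.record_failure("jdoe", now=100.0 + i)
    print("jdoe locked after 5 failures:", locked)
```

The normalisation step is deliberately crude; its point is that the checker must apply at least the transformations a cracking tool applies, otherwise the policy measures the wrong thing.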
Social Engineering
This is a threat in which users are duped with attractive and plausible messages until they hand
their access credentials to strangers. For instance, users may be told that they have won
something and must provide their personal information in order to receive the prize. This threat
is best addressed by educating system users, for example by reminding them that one cannot win a
prize in a competition one never entered (Mann, 2017).
Internal Threats
Unsatisfied Workers
The biggest threat to the ERP is the system users themselves, especially if they are dissatisfied
with the organization or were not consulted during system development. If they do not want the
system, they may intentionally sabotage it so that it appears to senior management not to be
working. This is especially likely if the system is perceived to result in job losses or in a
loss of power for some employees. Furthermore, the introduction of an ERP reduces some levels of
bureaucracy and corruption within the organization, which may itself lead to resistance from
employees (Jakubowicz et al., 2017). Also, during organizational strikes, workers may target the
system since it carries almost every function of the organization.
Unintended Threats
Interference with system operations by malicious programs and traffic such as spam, denial of
service or, worse still, viruses (Whitman & Mattord, 2016) may cause a temporary stoppage of
system operations, which may in turn lead to huge losses for the organization. With this in mind,
the organization should ensure that firewalls and anti-virus software are up to date and working
properly.
Interception of a message stream while data is exchanged between two points or between two
modules is another threat, and one the organization may not intend to have exposed. It may occur
through session hijacking, through spoofing (for example, redirecting users to a fraudulent web
page), or through eavesdropping with a wiretap followed by a packet sniffer to decipher the
captured data. Encrypting the traffic between modules and authenticating each end of the
connection leaves an eavesdropper with nothing readable.
There may be programming errors that were not discovered during system testing. Repeated rounding
of values can lead to cumulatively huge losses, and duplication of entries is another threat
(Joyce, Petit, Phillips, Lowak, & Evans, 2017), especially where referential integrity is not
well implemented in the database. Another very serious threat is a zero being unintentionally
added at the end or beginning of a value, thus affecting the final result of a computation.
Testing of the system should continue beyond its commissioning in order to see how it behaves
when large amounts of data are introduced (Whitman & Mattord, 2016).
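The three defects named above can all be made concrete in a few lines. The following added example (not from the report; the invoice table layout is an assumption, not any ERP's schema) first totals 1,000 constructed invoice lines with binary floating point and with decimal arithmetic to show how per-line rounding compounds, then lets a database with proper constraints reject a duplicate entry, an entry that references a vendor that does not exist, and an amount with an extra zero.

```python
"""Cumulative rounding error in monetary arithmetic, and database constraints that
catch duplicate, orphaned and mistyped (extra-zero) entries. Added example with
constructed data; the schema is an assumption, not a specific ERP's."""
import sqlite3
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def invoice_totals(lines=None):
    """Total constructed invoice lines two ways. A binary float cannot hold 1.005
    exactly (it is stored slightly below), so round() pushes every line down to 1.00
    and the error compounds; Decimal with an explicit rounding mode does not."""
    lines = lines or [("1.005", 1)] * 1000          # (unit price, quantity)
    float_total = sum(round(float(price) * qty, 2) for price, qty in lines)
    decimal_total = sum(
        (Decimal(price) * qty).quantize(CENT, rounding=ROUND_HALF_UP) for price, qty in lines
    )
    return {"float": f"{float_total:.2f}", "decimal": str(decimal_total)}


def integrity_demo():
    """Show the database rejecting the three error classes when constraints exist."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")        # SQLite leaves FK enforcement off by default
    con.executescript("""
        CREATE TABLE vendor (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL UNIQUE
        );
        CREATE TABLE invoice (
            id           INTEGER PRIMARY KEY,
            vendor_id    INTEGER NOT NULL REFERENCES vendor(id),
            number       TEXT    NOT NULL,
            amount_cents INTEGER NOT NULL
                         CHECK (amount_cents BETWEEN 0 AND 100000000),  -- 1,000,000.00 ceiling
            UNIQUE (vendor_id, number)                                  -- one invoice per number
        );
        INSERT INTO vendor (id, name) VALUES (1, 'Acme Supplies');
        INSERT INTO invoice (vendor_id, number, amount_cents) VALUES (1, 'INV-001', 12500);
    """)

    attempts = {
        "duplicate": (1, "INV-001", 12500),        # same invoice keyed in twice
        "orphan": (99, "INV-002", 500),            # vendor 99 does not exist
        "extra_zero": (1, "INV-003", 125000000),   # 125,000.00 keyed as 1,250,000.00
        "valid": (1, "INV-004", 8900),
    }
    outcome = {}
    for label, row in attempts.items():
        try:
            con.execute(
                "INSERT INTO invoice (vendor_id, number, amount_cents) VALUES (?, ?, ?)", row
            )
            outcome[label] = "accepted"
        except sqlite3.IntegrityError as exc:
            outcome[label] = f"rejected: {exc}"
    con.close()
    return outcome


if __name__ == "__main__":
    print(invoice_totals())
    for label, result in integrity_demo().items():
        print(f"{label:>10}: {result}")
```

Storing money as integer cents (or a decimal type) and declaring the UNIQUE, FOREIGN KEY and CHECK constraints in the schema moves these checks out of application code that testing may miss and into the database, where every module that writes to the table is covered.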
Levels of Physical Security
Physical security should be provided for the servers against fire, water and any other natural
or environmental hazards. Access to the servers and other networking equipment such as routers
and switches should be well controlled. Servers should in fact not be used as workstations,
since this may lead to accidental loss of information (Linkov & Palma-Oliveira, 2017). There
should also be adequate door locks and access cards to ensure servers are not accessed by
unauthorized persons. Security should also be enforced at the following levels:
a) User level
b) Database level
c) Transaction level
Ways to Improve the Security of Information Systems
Firstly, audit all security-relevant events, monitor for any abnormalities that surface and
investigate them objectively. An audit trail is important because such a log makes it possible
to see all the transactions that have taken place. A qualified information systems expert will be
able to tell when a transaction is an outlier, and that transaction then becomes the subject of a
thorough investigation (McGene, 2013).
Secondly, perform intrusion detection and containment. Instead of waiting until a security
breach occurs, put detection measures in place so that, in case of any of the above threats, the
system recognizes the threat and alerts the system users. As explained in the previous sections,
perimeter and detection mechanisms such as firewalls and intrusion detection systems are
important because they are proactive measures and can even lead to the capture of the intruder
(Piggin, 2018).
Thirdly, perform proof-of-wholeness control, that is, verify the integrity of the system: analyse
it for irregularities and identify any exposures and potential threats. Look at the data that has
been processed by the system and check for inconsistencies. This helps reveal mistakes that the
system may have overlooked. It is therefore important to ensure that whenever the system is
operational, it is in a secure state (Shalamanov, 2017).
Fourthly, restore a secure state in the event of a security breach. This ensures that the system
does not continue working with the security risk in place, which would mean a continuation of the
errors caused by the threat. Backups should be performed regularly, with the frequency based on
the difficulty of reconstructing the data and on its volume. Backup procedures should be properly
documented and accessible to the staff who must carry them out. More importantly, maintain a
copy at an offsite location. Finally, make sure there is anti-virus software installed on the
system at all times. Viruses are a major risk to any system, so this matter should be taken
seriously (Rothrock, 2018).
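The first and third steps of the procedure above, reviewing the audit trail for outliers and verifying that the system is still whole, are the two that can be automated cheaply. The following added example (not code from the report) runs three outlier rules over constructed ERP audit-log lines (activity outside business hours, a non-internal source address, and an amount far above the user's own median) and then compares SHA-256 hashes of the current files against a baseline manifest captured at commissioning. The log format, file contents and thresholds are all constructed for illustration.

```python
"""Audit-trail review and proof-of-wholeness check. Added example: the log lines,
file contents and thresholds are constructed; a real deployment would read the ERP's
own audit log and a baseline manifest produced at commissioning."""
import hashlib
import ipaddress
import re
import statistics
from datetime import datetime

# Constructed ERP audit-trail lines (the key=value format is an assumption).
AUDIT_LOG = """\
2020-03-10T09:12:44 user=jdoe module=AP action=approve_payment amount=1200.00 src=10.0.4.21
2020-03-10T11:40:02 user=jdoe module=AP action=approve_payment amount=980.50 src=10.0.4.21
2020-03-10T15:05:19 user=jdoe module=AP action=approve_payment amount=1425.00 src=10.0.4.21
2020-03-10T16:22:51 user=jdoe module=AP action=approve_payment amount=1100.00 src=10.0.4.21
2020-03-11T02:17:09 user=jdoe module=AP action=approve_payment amount=48000.00 src=203.0.113.7
2020-03-11T10:05:13 user=asmith module=HR action=view_payroll amount=0.00 src=10.0.4.30
2020-03-11T10:06:00 user=asmith module=AP action=approve_payment amount=500.00 src=10.0.4.30
"""
LINE_RE = re.compile(r"(?P<ts>\S+) (?P<kv>.*)")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
AMOUNT_FACTOR = 10                      # flag amounts this many times the user's median


def parse_log(text=AUDIT_LOG):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["amount"] = float(fields["amount"])
        events.append(fields)
    return events


def find_outliers(events):
    """Return [(event_index, [reasons])] for events a reviewer should investigate.
    The amount baseline is each user's median of their own earlier monetary actions,
    so it needs a few events per user before it says anything."""
    history = {}
    flagged = []
    for i, ev in enumerate(events):
        reasons = []
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in INTERNAL_NETS):
            reasons.append("non-internal source address")
        past = history.setdefault(ev["user"], [])
        if ev["amount"] > 0 and len(past) >= 3:
            median = statistics.median(past)
            if ev["amount"] > AMOUNT_FACTOR * median:
                reasons.append(f"amount {ev['amount']:.2f} far above user's median {median:.2f}")
        if ev["amount"] > 0:
            past.append(ev["amount"])
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Proof of wholeness: compare current file hashes against a trusted baseline manifest.
BASELINE_FILES = {  # constructed stand-ins for binaries/configs captured at commissioning
    "bin/erp-server": b"original server binary",
    "etc/erp.conf": b"db=erp\nauth=ldap\n",
    "lib/posting.so": b"original posting module",
}
CURRENT_FILES = {
    "bin/erp-server": b"original server binary",
    "etc/erp.conf": b"db=erp\nauth=none\n",        # authentication quietly disabled
    "lib/newmodule.so": b"unexpected file",           # not in the baseline
}


def manifest(files):
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_wholeness(baseline, current):
    """Classify every path as modified, missing or unexpected relative to the baseline."""
    base, cur = manifest(baseline), manifest(current)
    return {
        "modified": sorted(p for p in base if p in cur and cur[p] != base[p]),
        "missing": sorted(p for p in base if p not in cur),
        "unexpected": sorted(p for p in cur if p not in base),
    }


if __name__ == "__main__":
    events = parse_log()
    for idx, reasons in find_outliers(events):
        print(f"line {idx + 1} ({events[idx]['user']}): {'; '.join(reasons)}")
    print(verify_wholeness(BASELINE_FILES, CURRENT_FILES))
```

The baseline manifest only has value if it is stored where the ERP host cannot rewrite it (offline or on a separate, write-once system), otherwise an intruder who alters a file can alter the manifest to match; the same holds for the audit log itself.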
Conclusion
In conclusion, system security is a very important factor in the implementation of any successful
ERP system. The success of the system depends not only on the successful development of a good
system but also on maintaining it throughout its lifetime and ensuring that no threats breach its
security. Since an ERP system performs the core functions of the organization, it must be
safeguarded from any threats that could stop those functions.
References
Andress, J., & Winterfeld, S. (2014). Cyber warfare: Techniques, tactics and tools for security practitioners.
AXELOS. (2015). RESILIA pocketbook: Cyber resilience best practice. London: The Stationery Office.
Campbell, T. (2016). Practical information security management: A complete guide to planning and implementation.
Dwivedi, A. (2014). Designing for resilience. Cyber Sensing 2014. doi:10.1117/12.2054389
Jakubowicz, A., Dunn, K., Mason, G., Paradies, Y., Bliuc, A.-M., … Connelly, K. (2017). Cyber racism and community resilience: Strategies for combating online race hate.
Joyce, A. L., Petit, F. D., Phillips, J. A., Lowak, L. B., & Evans, N. J. (2017). Cyber protection and resilience index: An indicator of an organization's cyber protection and resilience program. doi:10.2172/1433503
Linkov, I., & Palma-Oliveira, J. M. (2017). Resilience and risk: Methods and application in environment, cyber and social domains.
Mann, I. (2017). Hacking the human: Social engineering techniques and security countermeasures.
McGene, J. (2013). Social fitness and resilience: A review of relevant constructs, measures, and links to well-being.
Piggin, R. (2018). Cyber resilience 2035. ITNOW, 60(1), 30-31. doi:10.1093/itnow/bwy014
Rothrock, R. A. (2018). Digital resilience: Is your company ready for the next cyber threat?
Shalamanov, V. (2017). Towards effective and efficient IT organizations with enhanced cyber resilience. Information & Security: An International Journal, 38, 5-10. doi:10.11610/isij.3800
Whitman, M. E., & Mattord, H. J. (2016). Principles of information security.