IT Risk Management Report: Analyzing BYOD Risks at Aztec Company

Added on 2020/03/16

AI Summary
This report delves into the critical aspects of IT risk management, specifically addressing the challenges and potential liabilities that arise when employees are permitted to use their personal devices (BYOD) in the workplace, with a focus on the financial services sector and a case study of Aztec. The report examines the risks associated with data breaches, legal compliance, and the overall security posture of an organization, highlighting the importance of IT risk assessment, including both qualitative and quantitative methodologies. It emphasizes the need for a comprehensive enterprise risk management system, covering operations, compliance, strategy, and financial reporting. The analysis underscores the significance of establishing context, stakeholder considerations, and the risk assessment process, including risk estimation. The report offers valuable insights into mitigating risks and ensuring data security in the context of BYOD policies.
Running Head: IT RISK MANAGEMENT 1
IT Risk Management
Student’s Name
Institution
IT Risk Management
Executive Summary
This report identifies and evaluates the risks that arise when an organization allows employees to bring their own devices into the workplace and use them for their work tasks. These devices include personal tablets, mobile phones and laptops. The practice, commonly referred to as bring your own device (BYOD), puts the employer at risk of being liable for any laws broken through use of the outside device (Anderson, 2005). Aztec is a company operating in the Australian financial services sector. It handles a great deal of sensitive information and can become legally liable if that information is leaked or falls into the wrong hands. When employees use their own devices at work, they may also carry on some of their private communication on them. A good example is an individual sexting on their personal device. They are within their rights to use their device as they please, but when they bring the same device into the workplace the company can be charged with misbehavior, because the contents of the device can be used as concrete evidence. This shows how costly it can be for a company when its employees use personal devices to do their work. When an employee is out in the field, for example a company driver, and is distracted by a device while on the clock, the company is liable for any damage the employee causes (Lock, 2017). In some states the problem has become so severe that emailing, photography, texting, talking and almost any other use of a handheld device while driving has been banned. This measure has improved road safety by reducing the number of accidents on the road.
Introduction
IT risk management is the application of risk management methods to information technology: the technology a company uses is assessed to identify the risks it poses or exposes the company to. In a business or firm, IT risk can be considered part of a full-scale enterprise risk management system (Crockford, 1986). An information security management system that is continually updated and maintained is a sign that the company has put in place the resources needed to identify, assess and manage information security risks. IT risk management involves assessing not only the negative effects of using technology in a company but also the benefits that accompany it (Verin & Trumper, 2007). Decision theory should be applied when assessing risk, because risk involves a great deal of uncertainty. IT risk management, like all forms of risk management, should be carried out continuously so that the information obtained stays current. Changes that can affect a company are ongoing all the time, so for IT risk management to be effective the analysis of risk must be continuous, allowing the company to avert much of the risk when it faces a problem (Katsicas, 2009).
Need for Risk Assessment System
Organizations should have in place a comprehensive enterprise risk management (ERM) system. Four main categories should be addressed when implementing one: operations, which focuses on the effective use of the organization's resources; compliance, which ensures the company complies with the laws and regulations applicable to it; strategy, which ensures that the systems support the mission of the organization; and financial reporting, which ensures financial records are reliable (Flyvbjerg & Budzier, 2011). IT risk management encompasses all of these categories and therefore plays a critical role in keeping risk at a manageable level within an organization. Risk sensitivity and risk appetite should be guiding factors within the IT risk management process (Taylor & VanMarcke, 2002).
Consequences of Risk
Companies are now not being faced with lawsuits over such cases, because the law states that all individuals, employees included, are not to handle any handheld device while driving. If a company has blocked social media sites, its employees can still access them from their personal devices. They can engage on social media as usual, but if an incident such as racial discrimination on social media is instigated by an employee while at the workplace, the company is liable for any damages the employee has caused (Roehrig, 2006). A lost-and-found device of unknown origin that is used within a company is a major risk factor: it might contain unwanted material that exposes the company to legal problems. Such devices are also used by individuals who have malicious intent toward the company or who have set out to carry out corporate espionage. It is therefore very important for the company to have a strict policy restricting employees from using their personal devices while they work (Antunes & Vincente, 2015). Personal devices pose a major risk and are best kept out of the workplace so that the risk they bring is minimal or eliminated altogether.
Financial institutions such as Aztec usually have to adhere to industry or government compliance requirements and regulations. This is mainly to ensure that such institutions operate within the law, for example by safeguarding the data and finances of their clients (Kasperson, Renn, Slovic, Brown, Emel et al., 1988). Government and industry regulations ensure that any financial institution in operation, Aztec included, follows the set standards as it carries out its mandate. The regulations are designed to reduce the risks clients face by setting key standards the institution must adhere to while in operation. They also require outsourced operations to be evaluated before work is handed out, to establish how much risk a financial institution takes on when it gives its work to a third party. Financial institutions such as Aztec handle a great deal of sensitive information belonging to their clients and shareholders. With the advent of digital breaches and ransomware attacks, governments and other regulatory bodies have had to enact stringent policies that require these institutions to invest heavily in keeping their data secure (British Standard Institute, 2006). This is a good approach for both the institutions and their clients.
Reviewing the risks posed when individuals are allowed to bring and use their personal devices at Aztec will demonstrate the importance of the IT risk management process and the benefits it brings to a company. It will also shed light on Aztec's security posture. IT risk management comprises a number of processes a company undertakes to establish the potential risks it faces and how they can be mitigated (ISACA, 2006). The first step is establishing the context for the risk assessment. In this stage all the relevant information about the company, in our case Aztec, is acquired, and the scope, purpose, boundaries and basic criteria of the risk assessment are established (Technical Standard Risk Taxonomy, 2009). The organization that will carry out the risk assessment is also determined at this stage. Gathering the required information based on the scope and purpose of the risk assessment helps the assessor determine which areas to assess so that they can deliver on their mandate. Aztec has commissioned an IT risk analysis expert to assess the risk and impact the company faces when employees are allowed to use personal devices such as tablets, mobile phones and laptops as they work and carry out their duties in the organization.
Purpose of Risk Assessment
The purpose of establishing context is to ensure that all legal procedures and requirements are followed, with evidence of this provided, so that the whole IT risk assessment can be certified as a legitimate and trustworthy process (IEEE, 2006). Context is also established to bring strategic value to the business from the information acquired: the risk assessment should benefit the business's strategic plan by indicating which risks it can take and which it cannot afford to take. Stakeholders and shareholders are the people who own the company. The company may have employees and a chief executive officer, but these employees all work for the shareholders. The shareholders have invested their money in the organization because they believe in its mission and vision (Lacey, 2011), and they want to turn a profit on their investment. But with investment comes risk. The risk assessment gives the shareholders more insight into the risks the company might face, and confidence that the company can bring them a profit or dividends while growing the value of their shares (Korstanje, 2014). A risk assessment also enables an organization to establish a baseline that helps it determine the negative consequences that can befall it and the extent to which its reputation can be damaged (Verin & Trumper, 2007).
Risk Assessment Process
Information technology is a critical resource in any organization and underpins most of a company's systems. IT risk assessment is therefore a key part of any risk assessment, because IT is an underlying factor in most of an organization's operations. The constraints an organization faces are also documented and collected to guide the risk assessment process (Spring, Kern & Summers, 2015); they may be cultural, technical, political or budgetary. Risk management involves continuously planning, implementing, controlling, monitoring and analyzing the measures a company has put in place to ensure its security policy is maintained and enforced. Risk assessment is usually carried out on demand or once a year until a clear view of the assessed risk is established. The risk assessment here was set up to determine the risk factors that come with employees bringing personal devices to the workplace and using them for work-related tasks. Once the risk to be assessed has been identified, the next step is risk estimation. Risk assessment in the information security field can be done through two methods: the qualitative and the quantitative method.
Quantitative Risk Assessment
Quantitative risk assessment is the act of performing mathematical calculations based solely on the security metrics of an application or system (Lieberman, 2009). In quantitative risk assessment each risk scenario being assessed is based on a collection of risk factors that lead to the establishment of a single loss expectancy (SLE). Once the SLE is established, the annual loss expectancy (ALE) is found as the product of the SLE and the annual rate of occurrence (ARO), which is the probability of the event occurring in a set period such as a year. When performing a quantitative risk assessment it is important to note that the total value of all the company's assets is considered, rather than only the specific resource affected by a problem. From the risk assessment at Aztec we can demonstrate quantitative risk assessment by recognizing that when employees bring their own devices to the workplace they expose not only their devices to risk but also any company or related data that has passed through their device. The company can be legally liable for damages such as loss of confidential data or any other issue arising from employees' use of their personal devices for work (Hubbard, 2009).
Qualitative Risk Assessment
Qualitative risk assessment is used when an organization needs a risk assessment performed under certain constraints. These may include a small budget for the assessment, the need to complete it in a short period of time, assessors who lack the financial, mathematical or risk assessment skills needed for a conclusive assessment, or the absence of a significant amount of data that would be crucial to a comprehensive assessment. The main difference between a qualitative and a quantitative risk assessment is that a qualitative assessment can be accomplished with less data and in a shorter time than a quantitative assessment requires (Hallenbeck, 1986). Qualitative risk assessments are implemented by holding interviews with the stakeholders involved. In our case, interviews can be held with employees who use their personal devices at the workplace for their assigned tasks (O'Brien, 2002). Qualitative assessments are usually compared by description rather than by measurable extent. In a risk assessment process a qualitative classification is performed first, followed by a quantitative evaluation weighing the cost of implementing security measures against the highest risks present.
Risk Estimation
Risk estimation comprises assessing the consequences a risk or problem would have on an organization. This is done by valuing the assets the company holds, and by assessing the likelihood that a risk will occur through vulnerability and threat valuation (Flyvbjerg, 2003). Finally, the likelihood of the risk occurring and the consequences that accompany it are recorded as measured estimates. A risk register is a document containing information on all the risks discovered and their risk levels. Risk evaluation is the process of comparing the risk levels obtained from the assessment against the risk acceptance criteria the company has specified, and prioritizing the identified risks with risk treatment indications (Mayo, 2011).
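The quantitative, qualitative and risk estimation steps above can be worked through with a small script. The following is an added example, not code from the report or from Aztec: it computes SLE and ALE for constructed BYOD scenarios, rates the same scenarios on a likelihood and impact matrix, builds a risk register that compares each ALE against a constructed acceptance criterion, and tests whether a control is worth its annual cost. All asset values, rates, scores, thresholds and the MDM control cost are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One BYOD risk scenario with the inputs both methods need.

    All values are constructed for illustration, not figures from Aztec."""
    name: str
    asset_value: float      # AV: value of the company data/asset exposed
    exposure_factor: float  # EF: fraction of AV lost in a single event (0..1)
    aro: float              # ARO: expected occurrences per year
    likelihood: int         # qualitative rating, 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative rating, 1 (negligible) .. 5 (severe)

    def sle(self) -> float:
        # Single loss expectancy: the loss from one occurrence (AV x EF).
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual loss expectancy: SLE scaled by the annual rate of occurrence.
        return self.sle() * self.aro

    def qualitative_score(self) -> int:
        # Likelihood x impact, as read off a 5x5 risk matrix.
        return self.likelihood * self.impact


def qualitative_level(score: int) -> str:
    """Map a likelihood x impact product onto descriptive levels (constructed
    thresholds: 15 and above high, 8 to 14 medium, below 8 low)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def control_is_worthwhile(scenario: Scenario, ale_after: float,
                          annual_control_cost: float) -> bool:
    """Cost/benefit test from the qualitative section: a control is justified
    when the ALE it removes exceeds its annualized cost."""
    return scenario.ale() - ale_after > annual_control_cost


def build_register(scenarios, ale_acceptance: float):
    """Risk estimation and evaluation: record each scenario's SLE, ALE and
    qualitative level, compare ALE against the acceptance criterion, and
    return the register ordered by ALE so the worst risks are treated first."""
    register = []
    for s in scenarios:
        register.append({
            "risk": s.name,
            "sle": s.sle(),
            "ale": s.ale(),
            "level": qualitative_level(s.qualitative_score()),
            "treatment": "treat" if s.ale() > ale_acceptance else "accept",
        })
    register.sort(key=lambda row: row["ale"], reverse=True)
    return register


# Constructed BYOD scenarios drawn from the risks the report describes.
BYOD_SCENARIOS = [
    Scenario("Client data on a lost personal phone", 500_000, 0.2, 0.5, 3, 4),
    Scenario("Ransomware via an unscreened personal laptop", 2_000_000, 0.4, 0.1, 3, 5),
    Scenario("Virus from a flash disk of unknown origin", 200_000, 0.1, 2.0, 4, 1),
]
ALE_ACCEPTANCE = 45_000.0  # constructed acceptance criterion, per year

if __name__ == "__main__":
    for row in build_register(BYOD_SCENARIOS, ALE_ACCEPTANCE):
        print(f"{row['risk']:<45} SLE={row['sle']:>10,.0f} ALE={row['ale']:>9,.0f} "
              f"{row['level']:<6} {row['treatment']}")
    # Constructed control: mobile device management with remote wipe, costing
    # 30,000 a year and cutting the lost-phone ALE to 10,000.
    phone = BYOD_SCENARIOS[0]
    print("MDM worthwhile:", control_is_worthwhile(phone, 10_000, 30_000))
```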
Risk Mitigation
Risk mitigation is the process of prioritizing, evaluating and implementing the steps or actions recommended to reduce the risks identified in the risk assessment (Lerche & Glaesser, 2006). Removing or eliminating risk entirely is impractical or hard to achieve. Senior management and other top management should apply the least-cost approach to putting in place controls that reduce the identified risks to a minimal or acceptable level, one that has no adverse impact on the organization's mission or resources. In an organization such as Aztec there are measures in place to control which employees have access to what kind of information. The problem is that for any employee to play their role in carrying out their mandate within the company, they need to be given access to the company's resources and assets. If an employee uses a personal device to log in to the company database or system, they might put the company at risk, because the personal device has not undergone any screening or testing to establish whether it is safe for use within the company (Simon & Hillson, 2012).
Data Security
Data security is a key aspect of any organization because its data is a valuable resource. The data of a financial institution such as Aztec is especially important, and if it is tampered with or accessed by unauthorized personnel it can become a great risk to the company, which may incur heavy costs and legal problems (Rob, 2016). The equipment an organization uses is usually prescreened and continually patched and updated so that it does not present a weakness that malicious individuals can capitalize on to gain access to the company's data. Employees' personal devices have not been prescreened to ensure they are secure for use in the organization. An employee therefore poses a data risk when they bring a personal device to use in the company. As soon as the device gains access to company data, malicious individuals can use this loophole to reach the data and demand a ransom for it or tamper with it, which costs the attacked company immensely. Devices whose origin employees do not know should also not be used in the company: a device such as a flash disk may carry a virus that infects the computer or system it is plugged into. The company can reduce data security risk by keeping a backup of its data so that when the primary database is attacked it can use the backup and continue operating. The company can also institute a policy that bans employees from using their own devices while they do their work (Shrader & Westra, 1997). This will go a long way toward reducing the level of risk posed by these devices.
Intrusion Detection Systems
The company should also have a firewall in place so that, even when employees use personal devices for work, malicious software can be blocked from accessing the company system and its resources. The firewall keeps the company system protected and ensures that the data stored in the company database remains valid and usable by employees as they carry out their duties. The company should also deploy vulnerability scanners within its system so that risks can be detected before they become too severe (Caballero, 2009). Vulnerability scanners are built to check a system regularly for any vulnerabilities present. Unlike a firewall, a vulnerability scanner is purposed with checking the system periodically for suspicious software or vulnerabilities. Vulnerability scanners are important because they enable a company to find any malicious software or system that may have embedded itself within the company system. When employees bring their own devices and use them for work, a vulnerability scanner helps reduce the risk of the company being affected by a vulnerability or malicious software: it can scan their devices and block them from accessing the system so that the risk to the company is reduced.
Risk Assumption
Risk assumption is when a company accepts the potential risks it faces and continues its business operations while working on ways to lower its level of risk. Most companies follow this path when they encounter a risk, because they can work on the problem at hand and still serve their clients (Commoner, 2010). It may however be a risky venture: if the risk gets out of hand, the company may end up with more problems than if it had stopped operations at the outset to focus all its resources on fixing the issue. Risk avoidance is practiced by dealing with the cause of the risk and eliminating it. Risk limitation is the reduction or limitation of risk by putting in place controls that reduce the impact a risk may have on the company. Risk planning is managing risk by drawing up a plan to take care of it. Research and acknowledgement is when an organization accepts that it faces a risk and researches methods that can help correct or rectify it.
Conclusion
A company such as Aztec can transfer risk to its insurers. Transferring risk to an insurer ensures that the insurer covers the company for any risk it is exposed to (Dorfman, 2007). This is however a costly venture, because the insurer must be paid hefty premiums depending on the kind of cover the company has taken. Although expensive, it can help the company save its reputation when there is a problem: the insurer simply steps in on behalf of the company and covers any damages imposed on it (Costas, Gritzalisa, Petros, Athsnasois & Sokratis, 2005). For a company such as Aztec, risk assessment and management should be carried out regularly so that the company is always alert to any potential risk that may affect its business. When such a company implements a policy ensuring that employees do not use personal devices for work-related activities or at the workplace, it can mitigate many risks and vulnerabilities before they become adverse and harm the company in a major way. It is therefore very important for such a company to carry out risk assessments regularly so that it is confident in the integrity of its database. This will also give it confidence to operate in the financial industry, since it adheres to the legal requirements concerning risk assessment and mitigation.
References
Anderson K. (2005). Intelligence Based Threat Assessments for Information Networks and Infrastructures: A White Paper.
Antunes R. & Vincente G. (2015). A Production Model for Construction: A Theoretical Framework. Buildings, 5(1), 209-228.
British Standard Institute. (2006). ISMSs, Part 3: Guidelines for information security risk management.
Caballero A. (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 232.
Commoner B. (2010). Comparing apples to oranges: Risk of cost/benefit analysis. In Contemporary moral controversies in technology, pp. 64-65.
Costas L., Gritzalisa S., Petros H., Athsnasois N. Y. & Sokratis K. (2005). A formal model for pricing information systems insurance contracts. Computer Standards & Interfaces, pp. 531-532.
Crockford N. (1986). An Introduction to Risk Management. Woodhead-Faulkner. p. 18.
Dorfman M. S. (2007). Introduction to Risk Management and Insurance. Englewood Cliffs, N.J.: Prentice Hall.
Flyvbjerg B. & Budzier A. (2011). Why Your IT Project May Be Riskier Than You Think. Harvard Business Review, 89(9), 601-603.
Flyvbjerg B. (2003). Megaprojects and Risk: An Anatomy of Ambition. Cambridge University Press.
Hallenbeck W. H. (1986). Quantitative risk assessment for environmental and occupational health. Lewis Publishers.
Hubbard D. (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46.
IEEE (2006). Systems and software engineering, Life cycle processes, Risk management.
ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85.
Kasperson R. E., Renn O., Slovic P., Brown H. S., Emel J. et al. (1988). The social amplification of risk: A conceptual framework. Risk Analysis, 8(2), 177-187.
Katsicas S. K. (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 605.
Korstanje M. E. (2014). Why risk research is more prominent in English speaking countries in the digital society. International Journal of Cyber Warfare and Terrorism, 4(1), 8-18.
Lacey P. (2011). An Application of Fault Tree Analysis to the Identification and Management of Risks in Government Funded Human Service Delivery. Proceedings of the 2nd International Conference on Public Policy and Social Sciences.
Lerche I. & Glaesser W. (2006). Environmental risk assessment: quantitative measures, anthropogenic influences, human impact. Springer.
Lieberman D. (2009). Using a Practical Threat Modelling Quantitative Approach for Data Security.
Lock G. (2017). Public Safety Driving Dynamic Risk Assessment. PS Driver Magazine.
Mayo D. G. (2011). Sociological versus metascientific views of technological risk assessment.
O'Brien M. (2002). Making better environmental decisions: an alternative to risk assessment. MIT Press.
Rob A. (2016). 3 Types of Security Assessments. Threat Sketch.
Roehrig P. (2006). Bet On Governance To Manage Outsourcing Risk. Business Trends Quarterly.
Shrader F. K. & Westra L. (1997). Technology and values. Rowman & Littlefield.
Simon P. & Hillson D. (2012). Practical Risk Management: The ATOM Methodology. Management Concepts.
Spring J., Kern S. & Summers A. (2015). Global adversarial capability modelling. 2015 APWG Symposium on Electronic Crime Research (eCrime), 1-21.
Technical Standard Risk Taxonomy. (2009). Published by The Open Group.
Taylor C. & VanMarcke E. (2002). Acceptable Risk Processes: Lifelines and Natural Hazards.
Verin L. & Trumper M. (2007). Project Decisions: The Art and Science. Management Concepts.
Verin L. & Trumper M. (2007). Project Think: Why Good Managers Make Poor Project Choices. Gower Pub Co.