Risk Management: Cybersecurity Plan for New IT Business Venture

Added on  2023/03/23

SURNAME 1
Student name
Lecturer’s name
Unit title
Date
Assessing the Risks of Creating a Business Information System
When assessing the risks of creating a business information system, the first step is to define the scope and focus of the system. For an IT business, the focus is on assets: identifying which assets the system should include and clearly defining what data is held and where it resides. The focus should aim to establish how much information will be stored and shared within the system (Ružić-Dimitrijević, 2009). Another factor within the scope of the company's risk assessment is the threat landscape facing the business. Under threats, the identified assets are classified into those susceptible to attack by external actors and those vulnerable to internal threats.
The general goal of the analysis is for the business to develop a common understanding of risk across multiple business units and functions, enabling managers to handle risk cost-effectively on an enterprise-wide basis. The business also aims to gain an improved understanding of threats for competitive advantage (Ross, 2018). Through the analysis the business also targets cost savings by improving the management of internal resources and allocating capital more efficiently. Cyber security product categories such as next-generation firewalls, next-generation intrusion prevention, web gateways and advanced malware protection could be used in developing the cyber security measures. One party that will be involved is Cisco, a leader in the networking field. The company offers one of the broadest lineups of security products of any vendor. Its products include Firepower NGIPS, Firepower Management Center, Cisco Umbrella, Cisco Cloudlock and Cisco Advanced Malware Protection.
The network assets include the customer database; user devices such as laptops, tablets and personal phones; and company data and information, including customer information and employee information.
Cyber-security threats to the business network

Source of threat   | What may take place                                                                                     | Enabler                                                    | Assets at risk
-------------------|---------------------------------------------------------------------------------------------------------|------------------------------------------------------------|---------------------------------------------------------------------------------
Hacker             | Breach of the company database                                                                          | SQL penetration                                            | End user device; company database (customer data, company data, employee data)
Denial of service  | Loss of events and of access to network resources                                                       | Multiple users accessing common resources at the same time | End user device
Spoofing           | Company information is leaked to the public                                                             | Operating system, through illegal access to the database   | End user device
Tampering          | Customer information is illegally accessed and certain data could be misused, such as credit information | Insecure wireless connections                              | End user device
Likelihood of the cyber-security threats occurring

Threat type        | Likelihood | Description
-------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hacking            | Possible   | Other companies in the IT business have reported cases of network hacking
Denial of service  | Certain    | With multiple users sharing common resources under the network, denial of service is likely to occur often
Spoofing           | Unlikely   | Only authorized users with appropriate authenticating credentials can access the company database
Tampering          | Rare       | Insecure wireless connections are common and difficult to identify, but attacks through these networks require skilled programmers to carry out and hence are not popular
Consequence scale

Threat type        | Consequence  | Description
-------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------
Hacking            | Serious      | Sensitive company data that forms part of the company's competitive edge is leaked to the public, losing its market value
Denial of service  | Moderate     | The system will experience downtime for several minutes or hours
Spoofing           | Catastrophic | Private user information and network activities can be revealed, breaching users' privacy while using the company network
Tampering          | Minor        | Accessing and modifying company data on its servers through unauthorized wireless means is difficult and hence not common
Risk function and assessment measures

Likelihood / Consequence | Irrelevant | Unimportant | Reasonable        | Severe  | Tragic
-------------------------|------------|-------------|-------------------|---------|---------
Unusual                  |            | Tampering   |                   |         |
Likely                   |            |             |                   | Hacking |
Sure                     |            |             | Denial of service |         |
Doubtful                 |            |             |                   |         | Spoofing
Risk Treatment

Source of threat   | What may take place                               | Likelihood | Consequence  | Assets affected
-------------------|---------------------------------------------------|------------|--------------|-------------------------------------------------------------
Hacker             | Introduces malicious code through SQL penetration | Possible   | Serious      | Company database; customer data; company data; employee data
Unauthorized user  | Penetrates the company network through spoofing   | Unlikely   | Catastrophic | Company staff
Company staff      | Experiencing DDoS and system crashes              | Certain    | Moderate     | The internet
Relations between threats and assets

Threat             | Consequence                      | Risk level   | Assets affected
-------------------|----------------------------------|--------------|-------------------------------------------------------
Hacker             | Sensitive company data is leaked | Unacceptable | Employee database; company; employees
Denial of service  | System experiencing downtime     | Acceptable   | Data recovery; network resources; company reputation
Unauthorized user  | Exposing data to third parties   | Monitor      | Customer information; customer data privacy

Handling

Handling                                                                            | Cost      | Danger | Risk decrease
------------------------------------------------------------------------------------|-----------|--------|------------------------
Management 1: Setting up firewalls within the network to reduce unauthorized access | Low       | Risk 1 | Monitor to acceptable
Management 2: Adding more network components to reduce the number of shared devices | Expensive | Risk 2 | Monitor to acceptable
Treatment 3: Including encryption and authenticating measures within the network    | Moderate  | Risk 3 | Unacceptable to monitor
References
Ross, R. S. (2018, December 20). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Retrieved from NIST: https://www.nist.gov/publications/risk-management-framework-information-systems-and-organizations-system-life-cycle
Ružić-Dimitrijević, B. N. (2009). Risk Assessment of Information Technology Systems. Issues in Informing Science and Information Technology, 570-620.