Information Security Management And Risk Assessment: A Case Study

Role of InfoSec blueprints, frameworks and InfoSec management models

A technical risk assessment procedure follows a framework so that an organization can handle a wide range of complex processes and projects and make sure that the risks arising in all of them are assessed and handled feasibly. In this case, a small-scale IT company has implemented a technological environment and needs to conduct a technical risk analysis, for which it has hired a consultant. A management report needs to be constructed that gives a clear statement of the technology project to be assessed and an overview of the recommendations to management on which the merit of the project is judged. The entire risk assessment is based on assets, vulnerabilities, threats and consequences derived from the IT control framework. Along with that, industry risk recommendations are specified for the project together with the key threats and the process to mitigate them. The impact that this mitigation process would have on the organization is also described, along with a brief summary of the protection mechanisms that would be employed within the organization based on people, culture and technology. Finally, any further gap analysis and the reasons for it are also explained in the risk assessment report.

The organization on which the risk assessment is to be completed is a small-scale software organization. It mostly works on innovative software which it plans to sell, or to provide as services to customers, in the near future. The organization stores its code and documentation on specific servers that are accessible via the Internet. All the documentation and code stored on these servers are also public in nature. Even though the organization is a small-scale software company, it has a considerable investment in this data, which is mainly developed for corporate purposes. Needless to say, the integrity and confidentiality of the data are therefore extremely important. A number of staff in this organization are responsible for the management of the server infrastructure, although many people across the organization know the administrative passwords. This is done only because there is no full-time administrator in the business at this point in time, and so people know the administration password to make sure that anybody can act as a part-time administrator when needed. The administration of the services and systems is the responsibility of several developers, but they have limited administration skills. Right now the employees in the organization enjoy free and unrestricted access to the Internet, but realistically they only need to browse certain websites, and therefore the management is keen on implementing a system that would minimize the cost of accessing web resources.

Importance of access control in InfoSec Management

Every business faces more or fewer threats while conducting its business processes. Therefore proper risk management should be built into the strategic management system to identify and address all the risks the business is currently facing, so that the likelihood of achieving the business objectives in the most feasible way is maximized. Otherwise, there are many ways in which these risks can disrupt the operations of a business. The risk management process normally involves methodically identifying the risks that surround the business activities, assessing the priority and likelihood of each risk occurring and its impact on business events, understanding how to mitigate the risks and respond to events, putting particular systems in place for dealing with the consequences, and monitoring the effectiveness of the risk management approaches and controls.

In this way it is easier to carry out the risk management procedure, which also improves business decision making, prioritization and planning, and allows capital and resources to be allocated more efficiently.

There are several types of IT-related risk that a business can face. They can be strategic, compliance, financial or operational. Risks can also be environmental, employee-related, political and economic, or related to health and safety. However, since this organization is a small-scale software organization, it is assumed that the risks most likely to occur in this particular case concern the operational systems and information technology systems.

According to the information about the organization, it is working on innovative software systems and plans to sell them to customers in the near future. For this the organization stores its documentation and code on server systems, and temporary staff manage that code and documentation, which are publicly accessible via the Internet. There are other problems within the organization as well; its work is handled by the following departments:

  • Research and Development handled by 56 people
  • Management handled by 4 people
  • Human Resources & Legal department handled by 5 people
  • Finance handled by a total of 3 people

The organization also uses servers to perform its core business, and these form the organization's infrastructure, which can be described in detail. The servers are not very busy. In total there are six servers: a CIFS (Windows File Sharing) server (running on Windows NT), a Windows Active Directory server (running on Windows NT), an Apache web server (running on a Mac OS X machine), a development server (typically accessed using telnet and ftp, running on Linux), an Exchange server (running on Windows NT) and an Oracle server (running on a Solaris Sun machine). Each of these servers is an independent machine with a vanilla install of its operating system. The servers are not running the latest operating systems, nor have they been patched. These machines have publicly accessible addresses and hence can be accessed from the Internet.

Key Information Security Management Practices

The servers are commodity x86 boxes or servers that have been acquired through various means, i.e. the Sparc Station was purchased from Ebay by some employees who wanted to learn Solaris, and the Mac, well, it was purchased because there is a Mac head in the organization who really loves Macs.

There is no maintenance on either the hardware or software. Some of the servers are over five years old e.g. the Sparc Station.

According to the discussion about the organization, the following can be identified as the key threats in the operations of the organization:

  • The infrastructure of the organization lacks maintenance of its hardware and software, and some of the servers are much older.
  • The organization mostly uses its servers to present its work to customers; however, some developers also work from home in the evening and access the CVS service from their home workstation. This is a serious threat because there is no failover from which the service can be recovered, and if the disk goes bad, the data would be lost along with its files.
  • External hackers have compromised desktop machines in the past, and the administrators are reasonably confident that the servers have not been compromised yet. However, as the organization depends entirely on the services offered by its servers, the main risk lies in the compromise of a host, since there is no system in place to detect or block intruders. A compromise of data would therefore be noticed only at a much later stage, when the damage has already been done.
  • The organization does not possess a firewall, and currently all the services offered by the servers are accessible via the Internet. There is no email or virus protection in the organization either. Each employee is provided with a desktop computer, but most of them run a vanilla install of a Windows-like operating system that has not been patched since its installation. In addition, every user has administrator privileges on their own workstation, and users can also have accounts on other employees' computers, possibly with the same or a different password.
  • There is no rule about passwords in the organization, and it is known that the most common password used in the organization is the name of the person. The passwords are also indicative of what is used on the server machines.
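To make the infrastructure description and the threat list above actionable, here is an added example (not part of the original report) that encodes the six servers as constructed host records and applies simple rules mirroring the weaknesses the report names; the rules and the weights they carry are assumptions chosen for illustration, not a standard scoring scheme.

```python
# Added example: rules-based review of the case-study server inventory.
# Host records are constructed from the text; rules and weights are assumptions.
from dataclasses import dataclass, field

CLEARTEXT_PROTOCOLS = {"telnet", "ftp"}   # named in the text for the dev server
OUTDATED_OS = {"Windows NT"}              # assumed no longer supported

@dataclass
class Host:
    name: str
    os: str
    public_ip: bool
    patched: bool
    services: set = field(default_factory=set)
    age_years: int = 0

def assess(host):
    """Return (finding, weight) pairs; weights are assumed, higher = more urgent."""
    findings = []
    if host.public_ip:
        findings.append(("reachable from the Internet, no firewall", 3))
    if not host.patched:
        findings.append(("never patched since install", 3))
    if host.os in OUTDATED_OS:
        findings.append(("outdated OS: " + host.os, 2))
    for svc in sorted(host.services & CLEARTEXT_PROTOCOLS):
        findings.append(("clear-text admin protocol: " + svc, 2))
    if host.age_years >= 5:
        findings.append(("hardware over five years old, unmaintained", 1))
    if host.public_ip and not host.patched:   # exposure compounds the other findings
        findings.append(("unpatched and public: assume compromise is likely", 2))
    return findings

def risk_score(host):
    return sum(w for _, w in assess(host))

def prioritize(inventory):
    # (name, score) pairs, most urgent first, ties broken by name
    return sorted(((h.name, risk_score(h)) for h in inventory),
                  key=lambda t: (-t[1], t[0]))

# Constructed from the six servers the report lists
INVENTORY = [
    Host("cifs", "Windows NT", True, False),
    Host("ad", "Windows NT", True, False),
    Host("web", "Mac OS X", True, False),
    Host("dev", "Linux", True, False, {"telnet", "ftp"}),
    Host("exchange", "Windows NT", True, False),
    Host("oracle", "Solaris", True, False, age_years=5),
]
```

Running `prioritize(INVENTORY)` ranks the development server first because its clear-text telnet and ftp access adds to the exposure every host shares; the same structure can be re-run after each mitigation to show which findings have actually been closed.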

According to the critical analysis of the entire organization, the following approaches have been selected as the processes by which the security risks are to be mitigated. It is therefore suggested that the following processes are introduced into the system to make sure that no risks remain pending and that the vulnerability of the organization's information technology system is reduced:

  • Using insurance to transfer IT risk: This is a mitigation process by which the organization transfers its IT security risk to an insurer, so that if in future any threat to the IT security system causes harm or loss to the organization, it can be recovered under the insurance policy.
  • Critical evaluation of the IT security risks in terms of vulnerabilities targeted by hackers: It is important that all the IT security risks, in terms of the vulnerabilities that hackers have targeted in the organization before, are critically evaluated to find out the main problems that allowed the hackers to attack the system. This critical evaluation should make sure that the primary problems and vulnerabilities within the organization are found, so that they do not recur.
  • The use of intrusion detection systems, firewalls and vulnerability scanners to reduce risk: Since the organization does not own any intrusion detection system, firewall or vulnerability scanner to reduce the risk of hackers compromising the system, it is suggested that the organization starts investing in these security systems, so that any risk or cause is detected by them before it does damage.
  • Protection mechanisms: The organization needs to implement protection mechanisms for the systems and devices used by all the employees within the organization, especially the developers who access the system from anywhere. In addition, the employees in the organization have a very weak password setup, which is not clearly understood as a security control. It is important that a proper mitigation process and protection mechanism are developed to make sure that passwords are unique, and that proper processes are developed to make sure that all passwords are created in a way that hackers would not find easy to break. It should also be mentioned that the employees should be organized so that no department is short of staff, which would otherwise require employees from other departments to step in to support it.

There is also a chance that the organization will face further impacts from the impending risks that are already affecting its entire system. Since the organization is a small-scale software company, these risks can greatly affect its financial systems and other resources, causing the business to fail in the near future. This is why any further analysis of upcoming risks must be done before declaring the risk management program complete, so that the company is ready to mitigate the threats and vulnerabilities it might face on an ongoing basis. It is also important that the risk assessment is done continually, so that the organization always steers clear of any kind of threat from external sources.

Conclusion

In conclusion, the business of this particular small-scale software organization has various impending risks that should be assessed and minimized through the risk management analysis process, so that they do not make the organization more vulnerable to external as well as internal threats. Right now the company is in a vulnerable position where the operational process can fail because of the various problems that have already been detected within the system. A proper methodology has been followed to find the vulnerabilities and risks within the system, together with the goals and key terms used in the risk management and assessment of IT risks in business terms. In addition, the identification and discussion of the key threats has been explained in this report, with a critical analysis of the various approaches generated for mitigating the security risks. The processes by which risk is introduced within the organization are explained in the report, along with a critical analysis of the impact of these risk mitigation processes on the business operation. Finally, there is also a rationale for identifying gaps for further analysis, which describes why the risk mitigation and assessment process needs to continue within the operations of the business, to make sure that the business is not vulnerable to any kind of external threat in the future.

