Risk Assessment Of Community Development Foundation (CommDev)

Structure of CommDev organisation and operations carried out by the company

This report focuses on the risk assessment of a company named Community Development Foundation, commonly known as CommDev, a tier-2 not-for-profit (NFP) organisation. The organisation is focussed on transforming society so that the children living in it get a fair chance to live their lives, be educated like children of other societies and grow into adults with high dignity and adequate skills, with the help of a web marketing strategy. This will help in the development of the community. The organisation mainly operates in Australia, Asian countries and the Pacific. It runs fund-raising campaigns along with community development activities (CDA). The offices of CommDev in the Pacific and Asian countries are established to monitor, maintain and arrange the community development services in the countries where it operates. The corporate system that CommDev uses internally is called MicroForce. It was implemented in the year 2000. Despite its robustness, it has become significantly difficult to maintain. To expand the operations of the company, CommDev had to work with a number of software vendors. The human resource team of CommDev decided to switch to the cloud considering the benefits of the services provided, and Software as a Service (SaaS) was chosen as the cloud platform. To secure the operational data stored in the cloud, the management should impose strong security in the cloud (Ahmed and Hossain, 2014). The main aspect of IS/IT that employees in the company are proud of is the establishment of the CommDev data centre located in the east wing of the headquarters.

As the organisation grows its operations in several countries, it is required to follow the specific regulations of each country in which it operates. Along with the regulations of other countries, CommDev has to comply with Australian law, as the headquarters of the organisation is in Australia. This is one of the main challenges that the organisation is facing. The following paragraphs deal with the severe challenges, threats and vulnerabilities faced by CommDev and assess the risks.

The framework followed for risk assessment is the ISO 31000:2009 standard of risk management. The first step involves developing the context. This includes a brief explanation of the company or organisation and the reasons for adopting risk management. The second step according to the above-mentioned standard is identification of the risks (Parra Crespo Alvarez Huerta and Paton, 2016). The third step is risk analysis, which includes determining the likelihoods and consequences of risks along with estimating the risk levels. Next is the risk evaluation process, where risk prioritization is done, and lastly risk treatment, which involves implementing the risk treatment plans.

Challenges, threats, and vulnerabilities faced by CommDev and risk assessment

Structure of CommDev organisation and the operations carried out by the company:

CommDev is a not-for-profit organisation that uses a web marketing strategy to attract people to donate funds. It makes use of a web portal that has been developed by a web hosting company. The web hosting company additionally deals with payment gateways along with the donor and customer data that the CommDev web platform captures. The company appoints several volunteers who reach out to householders, schools and other members of the public to collect donations. They are therefore the man in the middle between CommDev and its donors. CommDev consists of a team and several partners. It also has backup providers that provide backup services.

The data that has to be handled by the company involves SCPP sales data (the Sustainable Community Partnerships Programme is a unique programme that has been initialised by CommDev to increase community bargaining power and control the quality of products), donors' transactional data, the donors list, information about the donors and information about projects (Di Falco and Bulte, 2013). Therefore, the company faces several risks, threats and vulnerabilities regarding the confidentiality of data in the data centre (Bolton Chen and Wang, 2013). The risks, threats and vulnerabilities are discussed in detail in the following paragraphs.

Use of personal devices in the organisation:

Previously, staff were allowed to bring their own devices to perform their operations. The coordinator of CommDev allowed this considering employee satisfaction. The employees wanted to use their own devices, as they were more familiar with them. However, it led to several operational issues such as compatibility and formatting issues along with device support issues (Fernando Loke and Rahayu, 2013). Threats arise when malicious code is introduced into the systems, which mostly affects the local and regional operations. An issue relating to malicious code in systems was detected one year ago in the Melbourne headquarters. Therefore, potential threats arise from the use of personal devices in the company.

Unauthorized access to CommDev’s cloud network:

As the company is planning to shift one of its departments and its data to the cloud, it faces threats from the various kinds of malware that exist in the cyber world. Cloud computing runs on software, and that software is vulnerable to attacks. Adversaries take advantage of these vulnerabilities and perform attacks on the cloud (Didraga, 2013). The HR team of CommDev has also decided to use SaaS as a cloud service platform, since such services are available at low cost and can be implemented easily. This increases the probability of attacks through unauthorized use. Cloud service providers additionally provide some services without the consent of the IT department of the cloud customer (Kazim and Zhu, 2015). If the organisation carries out practices using software that is not supported by the IT department, commonly referred to as shadow IT, the data of the company becomes vulnerable to attacks.

Risk identification and analysis of the threats

Threats from man in the middle that is the volunteers:

CommDev appoints volunteers who talk with people such as householders, schools and other members of the public to collect donations from them. The volunteers can pose great threats to the organisation by providing false information regarding fund raising. The actual amount of funds raised by them might be hidden for their personal motives.

Financial Risk for CommDev:

CommDev is a non-profit organisation and therefore faces great problems when undertaking costly and inefficient programs. The Board of Directors and the CEO of CommDev should protect the company from fraud and theft. Insufficient internal control poses a great financial risk to the organisation. The employees of the organisation might steal the funds raised for carrying out operations.

Reputation Risk of CommDev:

Expansion of CommDev is based on the reputation of the company among the public. As it carries out social activities, the organisation needs to perform better and increase the quality of its work to maintain its goodwill. As a result, the organisation faces great reputational risks. To combat reputational risks, leaders of CommDev must listen to the advice of the stakeholders and treat their feedback as essential.

Raising funds risks:

All not-for-profit organisations, including CommDev, face risks related to raising funds. They strive to maintain their reputation in the market so that donors willingly donate money for their activities. CommDev faces risks, as the funds raised are not enough to carry out the operations needed to change society.

Other threats are described in the table given below:

| Threat | Location | Threat Source | Threat Event | Description |
|---|---|---|---|---|
| Adversarial, structural, environmental and accidental threats | CommDev Headquarters in Australia | Malicious codes (technical) | Unwanted programs can find their way to the server and the system | The unwanted programs can find their way into the system and the server through user computers, the internet, and other network connections, which causes systems failure |
| | | Unauthorized access (technical) | An adversary can carry out procedures that can lead to server failure. | The adversary can damage the server physically or through other malicious activities that can make the server inaccessible or make it malfunction. |
| | | Use of outdated and incompetent operating system (system failure of MicroForce) (technical) | CommDev has been using old computing systems that have limited functionality. | The condition of server failure among other failures of the system may be caused by using an outdated system. Incompatibility issues may also arise, causing the server to crash upon carrying out attempts to force integration and synchronization |
| | | Failure of software (technical) | The company is using old systems that are susceptible to wearing out. Security on such old systems weakens | Failure of hardware and software components implies that the whole server may not work, consequently disrupting operations. Also, they expose the system to security threats through attacks, as adversaries may have ample time to study their way of infiltrating the servers without authorization. |
| | | Damage to infrastructure and malfunctioning (technical) | Damage to infrastructure and system malfunctioning in the headquarters at Melbourne | Damage and destruction to the infrastructure makes the system non-functional. |
| | | Increased complexity of operation (operational) | Increased complexity of operations in the headquarters | Increased complexity of operations reduces the efficiency of employees working in the headquarters office |
| | | Failure of equipment and hardware (technical) | Failure of equipment and hardware in the Melbourne headquarters | Failure of equipment and hardware might take place due to aging and lack of maintenance |
| | | Bushfire (operational) | The Data Backup provider is situated in the Dandenong range. Therefore, a forest fire might occur. | If forest fires occur in the Dandenong range then the data backup provider will burst and become inoperable. |
| | | Reputational risks as a source of threats (managerial) | CommDev works for transforming the society and faces risks of reputation. | Reputational risks might slow down the operations of CommDev |
| | | Failing or crushing “patches” and “extension” of MicroForce. | Some software, due to incompatibility or incompetence in development, may make the server fail to function. | Some software, due to incompatibility or incompetence in development, may make the server fail to function. |
| | | Downtime | Due to increased functions in the server, as CommDev increases its activities, large traffic and long hours of activity may cause server downtime | Downtime means halting of operations until the servers are back up. This is a server failure. As the company increases its operations, the activities may increase day by day to the extent that the server cannot handle them anymore. |
| | | Leakage of Crucial Information | Unauthorized access to the database might lead to leakage of crucial information. Malware and bots introduced in the network might cause the leakage. | Introduction of malware to the network will jam the network and bring all operations to a halt. As a result, outsiders will be able to access the MicroForce server easily and gain crucial information. |
| | | SQL injection | An adversary may inject malware or bots into the database. | The injection can cause adverse effects depending on the motives of the adversary. If bots are injected, the injector can use them to take control of the database. Other viruses and worms can be injected to delete files, distort the normalization of the database, or make it inaccessible. |
| Operational Errors | | Electrical Surges | Electrical surges may occur. | The surges may lead to the destruction of electricals that may not be protected using power stabilizers. |
| | | Improper installation of software | Upon installation of a new software update, the process may fail midway; some files may be missing, resulting in incomplete or improper installation. | The improperly installed software may not boot correctly and may corrupt other files in the system, causing server failure. |
| | | Incompetent Operations | Incompetence in skills regarding operating and interacting with computers may lead to server failure. | Incompetent and inexperienced users may carry out forbidden operations such as moving root files while interacting with computer systems. The forbidden operations may cause instant or progressive server failure. |
| | | Storage space running out | CommDev has grown to interact with large amounts of data as it grows larger each day. | Upon interacting with large chunks of data, the firm finds itself needing to store larger and larger volumes of data with time. Considering that it has not yet updated its server, it may get full and cause the server to crash, resultantly disrupting operations. |
| | | Weather emergencies that cause a power failure, leading to server failure. | Too harsh weather conditions may tamper with the supply of power to the server and cause a power surge as well. This can cause failure of the system as some hardware components can burn out; some system files can be compromised or deleted. | In further describing this threat, the failure threatens operability and normal running of operations that involve computation in the firm. Some of the failures that can be caused by this threat include the inability to carry out transactions, where it would be impossible to receive funds from donors. |
| | | Donors and Funders (operational) | The funders and donors may contribute little amounts, be less in numbers, and others be reluctant | Failure to collect sufficient funds may leave the firm without enough funds to continue conducting its operations. |
| | All areas of CommDev Operations | Human Resource | The human resource may not be well managed | Poor management of Human Resource (HR) may lead to poor performance in whatever operations CommDev undertakes. |
| | | The CommDev policy makers | “Bring Your Own Device” Policy | This policy requires each worker, even those who cannot be able to secure good computing devices, to hurt economically so that they can afford the devices. Secondly, using one’s device at work exposes the user to distractions from interaction with the device in activities that are not work-related. |
| | | Government Policies | Different countries in which CommDev operates have different government policies. | CommDev has to abide by all the respective government policies, which might greatly hinder the company’s smooth operations. The policies exercised by different governments may conflict, posing great hindrances. |
| | | Partners | Partners may fail to buy or market the products produced by communities through CommDev | Due to market pressure or inability to conduct fair trade, the partners may choose to opt out since to them it is not charity work but business. The partners may, therefore, quit, forcing CommDev to find a new market for the communities’ products, and projects get halted in the process. |

The vulnerabilities of CommDev are discussed below:

Reliability and availability of service:

The services provided by the cloud service providers to CommDev should be such that applications are always available when needed. However, the cloud network is interrupted in bad weather when a lot of lightning takes place. This damages the MicroForce server. Information in databases might be tampered with due to malfunctioning of the system. Power fluctuations might lead to system failure, which would also lead to server failure. The cloud service providers face interruptions to their power supplies, because of which they cannot provide service 100% of the time (Li Yu Zheng Ren and Lou, 2013). Updated versions of operating systems should be used to support cloud infrastructures. However, the system is prone to bad weather conditions that cause electrical surges. This might lead to damage of the electrical components that are used in the infrastructure. Servers and routers connected to the network are the components that are mainly affected by bad environmental conditions. Therefore, CommDev cloud services are vulnerable to bad environmental conditions.

Risk evaluation and prioritization

Cloud service provider Lock-in: 

CommDev mainly prefers to use the services of one service provider. However, it might face problems while transferring from one service provider to another (Dutta Peng and Choudhary, 2013). This matters to CommDev because the organisation may like some services of one provider and other services of other providers.

Protection of data and Portability: 

Using software services invites attackers. Therefore, the data stored in the database of CommDev is vulnerable to attacks, and portability of data is lost.

System Characterization of CommDev:

System Characterization

Description

Software

– No such information is provided regarding the use of software in CommDev

– It can be assumed that for daily operations CommDev uses Microsoft Office like Microsoft Word and Microsoft PowerPoint.

Hardware

Devices provided by CommDev:

– Mobile communication devices like smart phones, satellite phones and laptops are used.

Devices provided by the users (BYOD):

– Personal devices like mobile phones and laptops

Devices required to setup IT infrastructure at Operation Data centre:

– Hardware like servers, tape drives, routers, hard drives, firewalls, modems and so on.

Devices required to setup IT infrastructure at Disaster Recovery site:

– Hardware like servers, tape drives, routers, hard drives, firewalls, modems and so on.

Information/ Data

Between CommDev and public (CommDev’s homepage or web portal):

– Personal information of the donors

– Credit card information of the donors as they donate money for fund raising

Between CommDev and its partners:

– Personal information of the partners

– Information of purchasing materials, logistics and other operations from the partners

Between CommDev and overseas counterparts:

– SCPP sales data

– Information/ Data obtained from overseas counterparts of CommDev.

System Interfaces

Internal system:

– MicroForce

– “Patches” and “Extensions” to manage the increasing growth of CommDev.

– It has been assumed that CommDev has a HR team that keeps a track of employee information and wages.

– It has been assumed that CommDev has a finance department that handles all the information related to finance and accounting

– It has been assumed that CommDev has a sales team that prepares sales quotation.

– It has been assumed that CommDev has several projects to undertake and therefore, documenting project and activities is done on the web portal

External System:

– CommDev homepage/ website on social media.

– CommDev off-site backup at Dandenong Range.

Practices in the industry

Architecture of system security

– Limited information is provided on architecture of system security in the case study.

– No antivirus and security software has been used to combat the malicious code that were introduced and affected the local and regional operations.

Safeguarding data integrity, availability and confidentiality with help of data storage protection

– Limited information is provided in the case study.

– Data backup is done on a monthly basis by CommDev and connects to data backup vendor in Dandenong Range to perform off-site backup.

– A continuous redundant backup capacity is provided by CommDev’s data centre along with RAID technology with removable HDD (Aljawarneh, 2013).

Topology used in current network of CommDev

– Limited information is provided in the case study regarding this.

– A significant bandwidth is provided by CommDev to connect to its data backup vendors for providing off-site backup

– It has a high speed broadband connection to connect to outside people.

– It has been assumed that CommDev communicates with its overseas offices through emails that are sent using the high speed connection.

– It has been assumed that off-site employee of CommDev communicates with CommDev headquarter through public or home Wi-Fi services.

IT system flow of information

– No such information is provided in the case study

IT system management controls

– Adequate information is not provided in the case study

– The management of CommDev has allowed its employees to bring personal laptops so that they can get access to key operational areas.

IT system technical controls

– Adequate information is not provided regarding this issue in the case study

IT system operational controls

– Adequate information is not provided regarding this issue in the case study

| Risk Classification | Threat Source | Threat Event | Vulnerability | Threat Likelihood | Consequences | Risk Score | Risk Description | Risk Level/Risk Determination |
|---|---|---|---|---|---|---|---|---|
| Management Risk | Poor leadership and management | The middle-level managers are unable to implement proper leadership strategies. | Poor leadership leads to incompetence, poor performance, and poor implementation of leadership strategies. | Likely | Catastrophic | 8/10 | Leadership strategies are not implemented, which implies that development goals have a high likelihood of failing | Severe |
| Management Risk | Members of Staff | The aspect of members of staff being inexperienced makes the undertaking of services impossible. | The incompetence may call off donors and any willing contributors to the charity organization, making the firm get deprived of finances for running further projects | Possible | Major | 7/10 | With CommDev being a non-profit oriented firm, it needs donors and charity contributors as well as volunteer workers who may not be highly experienced for the job | High |
| Governance Risk | Some governmental policies and rules of the law may create a hostile environment for CommDev to operate in. | The law can hinder the firm from conducting developmental projects. | The inability of the company to conduct developmental projects can lead to the project being crippled such that it cannot undertake any developmental projects. | Possible | Major | 7/10 | In further describing this risk, some rules are an obstacle to the smooth running of the governments. This makes it impossible for the government to run successfully. | High |
| Governance Risk | Hindrance to free trade | Community products may lack market | Community products lacking market means the firm would have no benefit to communities as it cannot help them generate any profit. | Possible | Major | 7/10 | If CommDev does not meet all government regulations regarding fair trade, it may not be able to find buyers for community products, which means projects such as SCPP may be of no use | High |
| Technical Risk | Website Failure | Server failure may lead to failure of the website | Interested donors may get a bad impression of the firm. They may also not get the details required if they want to get in touch with the firm. | Possible | Minor | 5/10 | The website, along with various social sites such as Facebook, helps in connecting the company to the world, but this can fail when the website goes down. | Moderate |
| Technological Risk | Cybercrime | Hacking | There are numerous vulnerabilities at this juncture, which include overriding of systems, information theft, information destruction, corrupting the database, among others. | Almost certain | Catastrophic | 8/10 | Overriding of the system may lead to CommDev lacking control over their systems. The firm’s crucial data can be stolen. Funds can be stolen, the firm’s crucial data be leaked, and the firm fails to continue operating. | Severe |
| Technological Risk | Network failure | Downtime or periodic network outages | Network outage means information sharing is suspended until a strong connection is established again. This indicates that such a network is unreliable. | Likely | Major | 7/10 | Downtime in the network may lead to the delayed relay of messages and exchange of files from one department to another or from one branch to another. | High |
| Technological Risk | Computer Hardware Failure | Computer hardware malfunction | This leads to an inability to complete tasks properly. Too much technical support is required to recover or replace these systems. | Likely | Major | 6/10 | Failure of computer hardware may lead to the incompleteness of tasks too. | High |
| Technological Risk | Software Failure | Some software may run out of its licensed period or have crucial modules in it destroyed, causing it to fail to function correctly | When software fails, it means that the crucial functions that the software should play cannot run anymore. This can fail too many other functions. | Unlikely | Minor | 5/10 | The risk of software failure is associated with both the software systems in place and the new SaaS that the firm seeks to implement. | Moderate |
| Technological Risk | Server Failure | Failure of the server can cripple communication and information storage and sharing in all branches of the firm. | The inability to share information can also lead to many activities standing still until the system gets back up. Marketing operations for community products may fail to succeed. | Unlikely | Minor | 4/10 | The server is the center of the company’s information services as well as the main backbone of communication. The firm, therefore, would not have proper communication if the server goes down. | Moderate |
| Technological Risk | Malware and virus attack | This can destroy all information systems | Destruction of information systems by malware can lead to some operations in the company stopping, such as funding. The website can go down if hosted on the on-premises server. | Possible | Major | 7/10 | Overriding, database manipulation, among other vices, can result. This can bring down the website and make the server malfunction. | High |
| Technological Risk | Human computation error | Some computer users in the firm may perform illogical operations which may be considered as malpractice | The malpractice can lead to the destruction of crucial files, which can halt proper functioning of the firm’s information systems. | Almost certain | Major | 7/10 | Disasters such as leakage of sensitive information, destruction of computer systems, and shutting down may result from malpractice by users. | High |
| Technological Risk | Payroll systems failure | Staff members need to be paid in time for them to continue rendering their services. | When not paid, employees may stop working, or fail to perform well. | Likely | Major | 6/10 | Production may go down as employees get to be unproductive. Ongoing projects may get abandoned while no others can commence. | High |
| Technical Risk | Transaction Management System Failure | Transaction management software or recordkeeping systems may fail to operate. | All transactions being stopped means no operation involving finances that CommDev can run. | Unlikely | Minor | 5/10 | Inability to transact leads to inability to collect any funds or pay off any workers or even partners. | Moderate |
| Technological Risk | Software as a Service (SaaS) implementation failure | Implementation of new technology (SaaS) | IT experts and other workers may take time to master the technology, thus reducing production and overall performance in the firm. | Unlikely | Major | 7/10 | Failure of implementation of the new technology can cost the firm financially, and have it spend much time trying to come up with a new system or roll back to the old one. | High |
| Technical Risk | Man in the middle attack and sniffing that might cause data interruption (adversarial) | Devices sniffed intercepts the wireless traffic. | Man in the middle attack is common to CommDev due to the presence of volunteers that act as the middle man | Possible | Major | 9/10 | Capability of sniffing detection with CommDev increases susceptibility to attacks that are port sniffed | Severe |
| Governance Risk | The formation and communication of IT/IS was incoherent (accidental) | When applied to incident response, conflicting advice is provided by the policy content. | Limited evidence is provided in the case study of CommDev and clarity regarding policies and procedures. | Possible | Minor | 4/10 | Clarity is not provided regarding the policies and procedures, whether it is enforced in the organisation | High |
| Governance Risk | Limited maintenance of control | Outdated non-reviewed controls are the potential threats | Limited information is provided about the review of internal controls | Unlikely | Major | 8/10 | Internal control review process in place | High |
| Governance Risk | Governance framework is limited and the IT/IS spend within the IT department along with other organisational departments (accidental) | Procurement is unauthorized | However, no such evidence is given in the CommDev case study | Unlikely | Major | 8/10 | There is no such evidence that relates to unauthorized procurement in CommDev | High |
| Governance Risk | PCI DSS and its non-conformance (transactional as well as accidental) | Accreditation to PCI DSS will be lost | However, no such evidence is provided in the case study | Possible | Minor | 5/10 | No evidence is provided in CommDev case study regarding this issue | High |
| Internal Business Control | Default operation of the IS vendor that gives access to data and is application specific (accidental) | The vendors cannot provide agreed service | No such contractual agreement with the vendor is provided in the case study | Unlikely | Major | 9/10 | No evidence of contractual agreement | High |
| Compliance and Regulatory risk | System configuration and design (accidental) | Integrity and availability failure of the IS automated processes | The IT process is slow and inefficient in the business, availability and integrity of data is compromised | Unlikely | Major | 8/10 | The IT process is slow and inefficient in the business, availability and integrity of data is compromised | High |

| Management Level | Risk Management | Performance Measurement | Process Assurance | Strategic Alignment | Value Delivery | Resource Management |
|---|---|---|---|---|---|---|
| Steering Committee | The responsibility of the steering committee is to identify emerging risks and compliance issues along with promoting security practices for CommDev | To review that the initiatives taken to ensure security meets the objectives of CommDev | Identifies the critical processes of business and assurance providers. | Reviews the strategies taken to mitigate risk issues along with ensuring business owners support integration | The adequateness of mitigating activities are reviewed to severe business functions | Dissemination and knowledge capture is reviewed |
| Executive Management | The responsibilities include management of risks in all activities along with regulatory compliance monitoring | Their responsibility is to monitor and supervise the security activities | Plans for integration and assurance functions are insighted by the executive management | Develops process so as to integrate risk strategies with business objectives | Needs business case studies for monitoring security activities | Ensures processes that might lead to dissemination process and knowledge capture |
| Chief Information Security Officer | To assess the risks and its impacts on business along with developing strategies for mitigation. They help in enforcing policy and regulatory compliance | Their responsibility is to develop and implement activities that involve monitoring the security activities. They monitor the activities of security | They combine with other assurance providers to check security. | Develop and implement mitigation strategies, take initiatives and combine with process owners for ongoing alignment | The utilization and effectiveness of security resources are monitored | Develop and implement the methods for dissemination and knowledge capture such that the effectiveness of the risk mitigation activities increases |
| Board of Directors | Ensures regulatory compliance along with risk management | Reports the effectiveness of security activities | Policy of assurance process integration | Require demonstrable alignment | The costs of security activities are reported by the board of directors | Ensure the policy to manage knowledge and utilize the resources. |

Risk Analysis for CommDev:

| Likelihood / Consequences | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | Control | Control | Transfer or avoid | Either transfer or avoid | Either transfer or avoid |
| Possible | Control | Control | Control or transfer | Transfer or avoid | Transfer or avoid |
| Likely | Control | Control | Transfer or avoid | Either transfer or avoid | Transfer or avoid |
| Unlikely | Control | Control | Control or transfer | Transfer | Transfer |
| Rare | Control | Control | Control or transfer | Transfer | Transfer |

The risks that are identified are technical risk, operational risks, governance risk and technological risk. These risks will have a huge impact on the company. They might reduce company revenues and, in adverse cases, operations might come to a halt. Therefore, risk mitigation strategies are recommended that will help to handle the existing risks.

Impact of operational risks on CommDev: Existing operational risks might affect the reputation and financial state of the business. CommDev is a foundation that carries out its operations for people. Therefore, goodwill in the market is one of the main criteria for the company. If there are no mitigation strategies to handle operational risks, then operational failures might take place that will lead to a crisis of operational management.

Mitigation strategies for operational risks: The operational risks identified in CommDev are electrical surges, improper installation of software, incompetent operations, storage space running out, weather emergencies that cause a power failure leading to server failure, and insufficient funds collected from donors and funders. To mitigate these risks, the following steps should be followed:

  1. Electrical surges can destroy electrical equipment that is not protected by power stabilizers. Therefore, experts should carry out the electrical wiring in CommDev to avoid these risks. Importance should be given to the installation of power stabilizers to prevent power fluctuations.
  2. Improper installation of software might lead to server failure. Therefore, an IT expert should be hired to take care of the IT operations. This would eliminate the risks of server failure and improper software updates.
  3. Qualified and competent users who have complete knowledge of computers should be hired. This will help in mitigating the risk of improper use of computers.
  4. An estimate of the data that is to be stored should be made before installing the server to eliminate a shortage of storage devices.
  5. Strong power stabilizers that can withstand all weather conditions should be used.

Impact of technical risks on CommDev: Technical risks might lead to a complete halt of CommDev operations. With the advancement of technology, companies are increasingly becoming dependent on technology. Therefore, technical failures might cause a shutdown of CommDev. It is identified as one of the major risks that a company can face.

Technical risk mitigation strategies: The technical risks that are identified in CommDev are introduction of malicious code, unauthorized access to databases, use of outdated and incompetent operating systems, failure of software, damage to infrastructure and malfunctioning, and failure of equipment and hardware. To eliminate these risks, the following strategies should be followed:

  1. Strong passwords should be used to protect databases from non-registered users.
  2. Strong antivirus software and firewalls should be used to protect computers and servers from malware and bots.
  3. Updated operating systems should be used to eliminate system failure. Updated operating systems have a number of new features that will automatically protect the system against malware and other such actions.
  4. Proper infrastructure using modern methods should be implemented.

Mitigation of governance risks: The executive management, steering committee and Board of Directors of CommDev should comply with the rules and regulations laid down by the government. The government has laid down 34 federal laws for system design and operation. The laws describe certain actions relating to cybersecurity, malware and other malicious actions.

Risk treatment and plan implementation

Conclusion:

From the above discussion, it can be concluded that risk assessment and management are a vital part of an organisation that uses IT infrastructure. The non-profit organisation considered in the given case study needs to assess its risks because it uses IT/IS infrastructure to handle its data. As the case study mentions, CommDev utilizes a web marketing strategy to advertise the services that it provides to its customers. The organisation aims to uplift communities in developing and under-developed countries. It mostly operates in Pacific, Asian and Australian countries, with its headquarters in Melbourne. A start-up web hosting company developed the homepage for CommDev. All the information and data of CommDev's donors and partners are stored in a database that can be accessed through the web page. CommDev has also appointed volunteers who talk with different people to raise funds. The above discussion sheds light on the risks and threats that CommDev faces. The risk analysis concludes that the vulnerabilities CommDev faces by involving a middleman in the funding process are severe and that the associated risk level is quite high. The risk analysis performed on CommDev classifies risks as almost certain, possible, likely, unlikely or rare. The consequences and the level of each risk are determined based on its likelihood. The level of risk is determined based on the action that can be taken to mitigate the risk. The mitigating action might be to control the risk, to avoid or transfer it, or to control or transfer it. Therefore, the steering committee, executive management, Board of Directors and the Chief Information Security Officer need to undertake responsibilities to develop and implement strategies that would mitigate the risks.

Ahmed, M. and Hossain, M.A., 2014. Cloud computing and security issues in the cloud. International Journal of Network Security & Its Applications, 6(1), p.25.

Aljawarneh, S., 2013. Cloud security engineering: Avoiding security threats the right way. In Cloud Computing Advancements in Design, Implementation, and Technologies (pp. 147-153). IGI Global.

Almorsy, M., Grundy, J. and Müller, I., 2016. An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.

Bolton, P., Chen, H. and Wang, N., 2013. Market timing, investment, and risk management. Journal of Financial Economics, 109(1), pp.40-62.

Botta, A., De Donato, W., Persico, V. and Pescapé, A., 2016. Integration of cloud computing and internet of things: a survey. Future Generation Computer Systems, 56, pp.684-700.

Brender, N. and Markov, I., 2013. Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International journal of information management, 33(5), pp.726-733.

Cardona, O.D., 2013. The need for rethinking the concepts of vulnerability and risk from a holistic perspective: a necessary review and criticism for effective risk management. In Mapping vulnerability (pp. 56-70). Routledge.

Chen, F., 2015. An Investigation and Evaluation of Risk Assessment Methods in Information systems.

Chen, J., Sohal, A.S. and Prajogo, D.I., 2013. Supply chain operational risk mitigation: a collaborative approach. International Journal of Production Research, 51(7), pp.2186-2199.

Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), p.79.

Coetzer, C., 2015. An Investigation of ISO/IEC 27001 Adoption in South Africa (Doctoral dissertation, Rhodes University).

Di Falco, S. and Bulte, E., 2013. The impact of kinship networks on the adoption of risk-mitigating strategies in Ethiopia. World Development, 43, pp.100-110.

Didraga, O., 2013. The role and the effects of risk management in IT projects success. Informatica Economica, 17(1).

Dutta, A., Peng, G.C.A. and Choudhary, A., 2013. Risks in enterprise cloud computing: the perspective of IT experts. Journal of Computer Information Systems, 53(4), pp.39-48.

Fadun, O.S., 2013. Risk management and risk management failure: Lessons for business enterprises. International Journal of Academic Research in Business and Social Sciences, 3(2), p.225.

Fernando, N., Loke, S.W. and Rahayu, W., 2013. Mobile cloud computing: A survey. Future generation computer systems, 29(1), pp.84-106.

Hashem, I.A.T., Yaqoob, I., Anuar, N.B., Mokhtar, S., Gani, A. and Khan, S.U., 2015. The rise of “big data” on cloud computing: Review and open research issues. Information Systems, 47, pp.98-115.

Jabareen, Y., 2013. Planning the resilient city: Concepts and strategies for coping with climate change and environmental risk. Cities, 31, pp.220-229.

Kazim, M. and Zhu, S.Y., 2015. A survey on top security threats in cloud computing. International Journal of Advanced Computer Science and Applications (IJACSA).

Khan, F., Rathnayaka, S. and Ahmed, S., 2015. Methods and models in process safety and risk management: Past, present and future. Process Safety and Environmental Protection, 98, pp.116-147.

Khan, G.F., Swar, B. and Lee, S.K., 2014. Social media risks and benefits: A public sector perspective. Social Science Computer Review, 32(5), pp.606-627.

Latif, R., Abbas, H., Assar, S. and Ali, Q., 2014. Cloud computing risk assessment: a systematic literature review. In Future information technology (pp. 285-295). Springer, Berlin, Heidelberg.

Li, M., Yu, S., Zheng, Y., Ren, K. and Lou, W., 2013. Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. IEEE transactions on parallel and distributed systems, 24(1), pp.131-143.

Modi, C., Patel, D., Borisaniya, B., Patel, A. and Rajarajan, M., 2013. A survey on security issues and solutions at different layers of Cloud computing. The journal of supercomputing, 63(2), pp.561-592.

Monzón, F.M.H., 2014. Diseño de procedimientos de auditoría de cumplimiento de la norma NTP-ISO/IEC 17799: 2007 como parte del proceso de implantación de la norma técnica NTP-ISO/IEC 27001: 2008 en instituciones del estado peruano (Doctoral dissertation, Pontificia Universidad Católica del Perú, Facultad de Ciencias e Ingeniería. Mención: Ingeniería Informática).

Ntouskas, T. and Gritzalis, D., 2016. Innovative Security Management Services for Maritime Environment.

Parra, A.S.O., Crespo, L.E.S., Alvarez, E., Huerta, M. and Paton, E.F.M., 2016. Methodology for dynamic analysis and risk management on ISO27001. IEEE Latin America Transactions, 14(6), pp.2897-2911.

Ryan, M.D., 2013. Cloud computing security: The scientific challenge, and a survey of solutions. Journal of Systems and Software, 86(9), pp.2263-2268.

Sanaei, Z., Abolfazli, S., Gani, A. and Buyya, R., 2014. Heterogeneity in mobile cloud computing: taxonomy and open challenges. IEEE Communications Surveys & Tutorials, 16(1), pp.369-392.

Shojaie, B., Federrath, H. and Saberi, I., ATINER’s Conference Paper Series COM2016-1986.

Whaiduzzaman, M., Sookhak, M., Gani, A. and Buyya, R., 2014. A survey on vehicular cloud computing. Journal of Network and Computer Applications, 40, pp.325-344.

Xiao, Z. and Xiao, Y., 2013. Security and privacy in cloud computing. IEEE Communications Surveys & Tutorials, 15(2), pp.843-859.
