Thursday, December 12, 2019
Security Risks Pertinent to the Given Scenario
Question: Discuss the security risks pertinent to the given scenario.

Answer:

Review of information risks

Many companies, especially small and medium enterprises, find themselves in an extremely vulnerable position with respect to security risks. Billions of dollars are being channeled into security risk mitigation and into strategies that improve a company's security against both internal and external attacks. Under heavy pressure to succeed, companies have reportedly adopted strategies to reduce the risk of losing money through damage to system security (Alexander, 2012). Increasing the budget proposed for the IT department and hiring the best minds in information security are just some of the steps companies take to improve their security. The review of information risks has a wide scope: it includes organizing how safe the company's data will be and how to improve the firewall in case of a breach.

Security threats come from two kinds of source, external and internal. External sources are outside hackers and cyber criminals who specialize in fraud and in breaching company databases. Internal sources are usually the most susceptible source of a security breach. They include the employees, who have an intricate and deeper knowledge of the company's undertakings; they also know the various loopholes and how to take advantage of them.

Risks are adverse events, such as the loss of money in a company or a storm that generates a large number of insurance claims (Aven, 2013). However, potential positive results can also be discovered during the risk analysis process. By exploring the whole space of potential outcomes for a given situation, a good risk analysis can identify hazards and discover opportunities (Aven, 2013). Risk prioritization finally arrives at a measurable concept, the risk to which the entity is exposed, that is to say a vulnerability acted on by a threat.
It is necessary to clarify the existence. Information security is the set of preventive and reactive measures of organizations and technological systems that protect the entity, seeking to maintain the confidentiality, availability and integrity of its information (Biringer, Matalucci and O'Connor, 2007). There is a series of standards, protocols, methods, rules, tools and laws designed to minimize possible risks to infrastructure or information. One technique for evaluating an entity's level of security is to perform a risk analysis. The study may include the business vision if it is performed after conducting a Business Impact Analysis (BIA). Carrying out a risk analysis gives organizations a view of their situation regarding the level of protection of their information systems. For this reason, it constitutes one of the fundamental pillars for knowing the infrastructure and its internal functioning in detail. A risk analysis of the organization's systems achieves the following objectives:

- Identify and evaluate the most critical business processes, in order to identify the appropriate level of protection (Brebbia, 2014).
- Determine and evaluate the existing threats, and determine how effectively the existing risks are being dealt with.
- Calculate the level of risk, so that the organization knows in detail the probability that each threat materializes and the impact it can cause.

To carry out a risk analysis with guarantees, one can select, among others, the MAGERIT methodology, elaborated by the 'Superior Council of Electronic Administration'.
MAGERIT is the acronym for 'Methodology of Analysis and Risk Management of Information Systems'. It was born to minimize the risks associated with the use of computer and telematic systems, guaranteeing their authenticity, confidentiality, integrity and availability, and thus generating trust in their users. At the conceptual level, MAGERIT is based on the evaluation and logical relationship of the following concepts. As the scheme shows, the whole analysis revolves around them:

- Asset: an element that has value for the organization.
- Threat: an event that has a negative impact on the asset.
- Safeguard: a measure implemented to protect the asset.

The main objectives are:

- Determine the assets relevant to the organization, their interrelation and their value, in the sense of what damage their degradation would cause.
- Determine what threats they are exposed to.
- Determine what safeguards are available and how effective they are against the risk.
- Estimate the impact, defined as the damage on the asset derived from the materialization of the threat.
- Estimate the risk, defined as the impact weighted by the rate of occurrence (or expectation of materialization) of the threat.

Two distinct risk variables are considered. The first is usually named POTENTIAL RISK, that is to say the risk to which the organization would be exposed if no safeguard of any kind were implemented (Calder and Watkins, 2010). Even though it is a 'dummy' risk value, it is very practical when implementing new safeguards in the entity, since it allows simulating the evolution of the level of risk as new security measures are introduced (De and Le Métayer, n.d.). On the other hand, the RESIDUAL RISK is the current level of risk, and therefore the basis on which the continuity plans for the services provided will be structured. There are tools, such as the EAR / PILAR software, designed to efficiently manage risks according to the methodology outlined.
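The impact and risk definitions above (impact as the damage a threat does to an asset, risk as impact weighted by the rate of occurrence, potential risk with no safeguards, residual risk once safeguards act on frequency or degradation), as an added Python illustration that is not MAGERIT's or PILAR's own code. Impact is assumed here to be asset value times degradation, and every asset value, frequency, degradation and safeguard effect is a constructed figure.

```python
"""MAGERIT-style potential vs. residual risk (added illustration, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    frequency: float    # expected materializations per year (rate of occurrence)
    degradation: float  # fraction of the asset's value lost per event, 0..1

@dataclass
class Safeguard:
    name: str
    threat: str                  # name of the threat it acts on
    freq_reduction: float = 0.0  # fraction by which it cuts the frequency
    degr_reduction: float = 0.0  # fraction by which it cuts the degradation

@dataclass
class Asset:
    name: str
    value: float                 # constructed monetary value to the organization
    threats: list = field(default_factory=list)


def _with_safeguards(threat, safeguards):
    """Frequency and degradation of a threat once matching safeguards act on it."""
    freq, degr = threat.frequency, threat.degradation
    for s in safeguards:
        if s.threat == threat.name:
            freq *= 1.0 - s.freq_reduction
            degr *= 1.0 - s.degr_reduction
    return freq, degr

def impact(asset, threat, safeguards=()):
    """Damage on the asset when the threat materializes: value x degradation."""
    _, degr = _with_safeguards(threat, safeguards)
    return asset.value * degr

def risk(asset, threat, safeguards=()):
    """Impact weighted by the (possibly reduced) rate of occurrence."""
    freq, _ = _with_safeguards(threat, safeguards)
    return impact(asset, threat, safeguards) * freq

def potential_risk(asset):
    """Risk with no safeguard at all: the 'dummy' baseline."""
    return sum(risk(asset, t) for t in asset.threats)

def residual_risk(asset, safeguards):
    """Current level of risk once the given safeguards are in place."""
    return sum(risk(asset, t, safeguards) for t in asset.threats)

def risk_evolution(asset, safeguards):
    """Residual risk after each safeguard is added in order: the simulation the baseline enables."""
    applied, steps = [], [("no safeguards", potential_risk(asset))]
    for s in safeguards:
        applied.append(s)
        steps.append((s.name, residual_risk(asset, applied)))
    return steps


# Constructed sample: one asset, two threats, three planned safeguards.
CUSTOMER_DB = Asset("customer database", value=100_000.0, threats=[
    Threat("ransomware", frequency=0.5, degradation=0.8),
    Threat("insider data theft", frequency=0.2, degradation=0.5),
])
PLANNED = [
    Safeguard("offline backups", "ransomware", degr_reduction=0.75),
    Safeguard("email filtering", "ransomware", freq_reduction=0.6),
    Safeguard("least-privilege access", "insider data theft", freq_reduction=0.5),
]

if __name__ == "__main__":
    for name, level in risk_evolution(CUSTOMER_DB, PLANNED):
        print(f"after {name:<22} residual risk = {level:>9,.0f} per year")
```

The potential risk of the sample asset is 50,000 per year; the three safeguards bring the residual risk down to 20,000, 14,000 and finally 9,000, which is the kind of trajectory the text says the potential-risk baseline lets an entity simulate.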
With this information, together with the requirements of the applicable regulations, the organization or entity may select and prioritize technical measures.

There are several problems with this method:

- Only a few independent results are considered, and hundreds or thousands more are ignored.
- The same weight is given to each result; that is, the probability of each outcome is not evaluated.
- The interdependence between the input variables, the impact of the different variables on the result, and other details are ignored, simplifying the model excessively and reducing its accuracy.

As part of the Information Security Management System, the company needs adequate risk management that makes it possible to understand the primary vulnerabilities of its information and communication assets and the threats that might exploit those vulnerabilities (Jones and Ashenden, 2005). To this extent, the company is clear on risk identification processes so as to make known the viable corrective and preventive measures that guarantee higher levels of information security. There are different methods used for risk management; however, all of them start from one focal point: the identification of the information and communication assets. A vulnerability in information security becomes apparent when a threat materializes. For example, a weak password entry system is a vulnerability, while properly protecting network data is a measure to mitigate external computer attacks.

Security risk analysis

This work presents a rapid-application methodology that implements the steps necessary to analyze a system: identify the threats and the associated vulnerabilities, calculate the probability of occurrence of these threats, determine the impact in case of their materialization, and finally obtain the risk to which the system is exposed.
Thus, this methodology would be an easily implemented tool in a medium or small organization, allowing it to identify and manage information technology risks. Risk analysis is the first point of an organization's information security management, and it is then necessary to carry out risk management, that is, to decide whether to eliminate the risks, ignore them, transfer them, or mitigate and control them. The process of developing the new methodology began with the investigation and detailed study of the main methodologies on the market for the analysis of computer risks. In this paper, we present an analysis of the three most used methodologies, in order to determine in detail how they work and what their strengths and weaknesses are. The methodologies studied are Magerit, Octave and Mehari. As a result of this analysis, their strengths were identified and incorporated in the design of the new methodology for the analysis of computer risks. The scope of this work was limited to not incorporating elements of existing methodologies other than those mentioned previously. This allowed us to take the best elements of each of these methodologies in order to design and obtain a new one from them.

Objectives of methodologies

Both the three methodologies studied and the one to be developed have the following objectives:

- Planning for risk reduction
- Planning for the prevention of accidents
- Visualization and detection of existing weaknesses in systems
- Help in making the best decisions regarding information security

Risk Analysis Approaches

There are a number of different approaches to risk analysis, but in essence they are usually divided into two fundamental types: quantitative and qualitative. The approach used for the development of this methodology is quantitative.
Quantitative approach to risk analysis

Description of the basic methodology

For the design and development of the new methodology for the analysis of computer risks, a basic methodology was used, whose stages are briefly described below:

- Characterization of the system
- Identification of threats
- Identification of vulnerabilities
- Analysis of controls
- Determination of probability of occurrence
- Impact analysis
- Determination of risk
- Control recommendations
- Documentation of results

Analysis of the basic methodology

A detailed study of each of the functional elements involved in each stage of the methodology was carried out in order to determine the weaknesses it presents. In summary, the following results were obtained:

- Scarcity of theoretical material for each of the stages.
- Absence of a practical procedure that measures the weaknesses and quality of the security services.
- The scales of probability of occurrence, impact and risk present only simple levels of assessment.
- Absence of an analysis of the frequency of a threat.
- Absence of a method that registers the level of impact and risk in its real dimensions.
- Lack of a mechanism or practical procedure that allows the interpretation of the results obtained.

Expressing the risk quantitatively, i.e. calculating all the components as a single economic damage, results in an even more complex and extensive exercise. Although we know well the impact of a successful attack, its consequences can be multiple, sometimes unpredictable and highly dependent on the context in which we handle the information, whether in an NGO (human rights, information center, etc.), in a private company (bank, clinic, production, etc.), in a State institution or in the private sphere. Another decisive factor with respect to the consequences is the environment where we are located, that is to say, the common and cultural laws and practices that are applied to sanction breaches of the norms (MacKenzie, 2001).
A very important point in the analysis of the consequences is the differentiation between the two purposes of protection in computer security, information security and data protection, because it allows us to determine who will suffer the damage of an impact: us, others or both. In any case, all our behaviors and decisions must be guided by a responsible conscience, not to cause harm to others, even if in our own reality there are no negative consequences. Other questions that we can ask ourselves to identify possible negative consequences caused by an impact are:

- Are there conditions of breach of confidentiality (internal and external)? This is usually the case when non-authorized persons gain access to information and knowledge from others that will jeopardize our mission (Peltier, 2010).
- Are there conditions of non-compliance with legal obligations, contracts and agreements? Failure to comply with legal regulations can easily lead to criminal or economic sanctions, which harm our mission, work and personal existence.
- What is the cost of recovery? Not only must we consider the economic resources, time and materials, but also the possible damage to public and emotional image.

Considering all the aspects mentioned allows us to classify the Magnitude of Damage. However, we must first define the meaning of each level of damage (Low, Medium and High). The definitions shown in the previous image are only an approximate example and do not necessarily reflect reality and common opinion; it is therefore recommended that each institution define its own levels.
Risk Control Plan Strategy

The organization should have information technology security and confidential-usage policies in place to cover all use of information and communication devices within the enterprise (D'Arcy, Herath and Shoss, 2014). Additionally, it is important to ensure that the policies are regularly communicated. The risk control plan strategy is a document prepared by the project manager for the foreseeable risks; it estimates their impact and defines the response to the issues. Risk is regarded as an uncertain event or condition which, if it occurs, could have a positive or a negative effect on the objectives of the project. The risk control strategy contains an analysis of the likely risks, with both high and low impact, and of the mitigation strategies that help the company avoid being derailed should problems arise. The risk control plan contains four potential strategies, which have numerous variations (Duffie, 2013): the organization could choose to avoid the risk, control or mitigate it, accept it, or transfer it (Harbach, Hettig, Weber and Smith, 2014).

One risk associated with the small and medium enterprise comes from the organization's clients. These individuals could pose a great risk, especially when it comes to credit facilities. Credit refers to the faith placed by a creditor in a debtor by extending a loan, usually in the form of money. It is important to have a risk control plan strategy in case a customer defaults, steals information that the organization shared in good faith, or engages in a deal with the company.

Control plan strategy for clients

The following is the risk control plan strategy the organization could undertake in the event these situations arise. One strategy to deal with the client is information buying.
The perceived risks from a client can be reduced by obtaining information through investigations (Duffie, 2013). The small and medium enterprise could find all the information regarding the clients it works or transacts with, in order to know their history, so that they do not default on the loan or on any business they engage in. The organization could also educate the staff to learn the history of clients before undertaking any business with them (Duffie, 2013). In case the organization will have contact with vulnerable clients, it should have an incident and complaints policy, with appropriate procedures in place. The company should have clear advice on the distinctions between what is a disclosure, an allegation or a suspicion regarding vulnerable clients, and what is a breach of the management strategy.

Another control plan is the transferal strategy, which entails sharing the responsibility for the risk with a third party. This can be achieved by taking insurance against the risk occurring, or by entering into a contract with another organization (Webb, Ahmad, Maynard and Shanks, 2014). This way they share the risk as well as the cost; in the event the client defaults, the cost could be shared. Purchasing insurance is an example of risk transferal. A quantitative risk analysis should be carried out to determine the probability of the risk occurring; it is important to assess the consequences of the risk and to combine the two, using tools, to identify the level of the risk. Nonetheless, several factors could complicate the analysis, including possible multiple effects on the systems from a single risk event, and the false impression of precision and reliability created by deploying mathematical techniques.
Control plan strategy for freelancers in the enterprise

Freelancers in the enterprise are usually given access to data, which could put the company at risk as managers open the IT doors to collaborators. This could give rise to data protection breaches if the person moves around the globe or the data is sent to external parties. If this data is not handled well by the freelancer, the reputational risk to the company could be huge (Duffie, 2013). The enterprise could implement a plan on this issue for the freelancers it hires. An agreement could be established that allows the business to monitor the devices these individuals use. The company has implemented a bring-your-own-device policy, which allows them to bring their own devices into the workplace. If they are not monitored, these individuals could sell the information, or the information could be hacked through the network. Implementing this strategy will enable the organization to monitor the information used by these workers and how they are using it (Webb, Ahmad, Maynard and Shanks, 2014). The enterprise in the case study has many employees, and without monitoring of the freelancers as well as the other workers, a breach of the information could pose a great risk.

Control plan strategy for employer and non-employer risks

Another risk that has been highlighted concerns employers and non-employers. For this kind of risk it is important to develop a tactical plan that will achieve the strategic plan through the key value drivers approach (Mezgár and Rauschecker, 2014). This approach provides the organization with a framework designed to align the strategic plan with the management reporting process. The KVD approach results in improved business as well as company performance. Additionally, there should be a risk management plan for the high-risk activities undertaken by employers or non-employers.
Sometimes these individuals may involve the business in high-risk activities and events (Slovic, 2016). These are events in which the usual environment or circumstances of the regulated activity could change significantly. It is important that these individuals follow the right guidelines and principles established by international standards. A mitigation strategy should be established (Webb, Ahmad, Maynard and Shanks, 2014). This strategy tries to reduce the damage and the vulnerability by employing measures that limit a successful attack. This may be done by fixing the flaw that creates the exposure to the risk, or by putting a compensatory control in place to reduce the likelihood that the weakness is exploited (Mezgár and Rauschecker, 2014). The management of the organization may stipulate that if an employer or non-employer engages in activities against company policy there should be compensatory fines to cover all the losses incurred. This plan works against the risks and should cover detailed information on each risk, the individuals responsible, the costs and the schedules of the responses to the different risks, and alternative actions in case of change. This plan will help save resources for unexpected events (Duffie, 2013). In the case of non-employers, which have no paid employees, some could be disgruntled, and in such an event there could be internal attacks against the data and the systems. Rogue employees who have access to the network, an admin account or the data centers could cause serious damage.
The strategy plan to handle such an issue is to have a mitigation plan for privileged account exploitation: identify the privileged accounts and credentials, and terminate those that are no longer in use or that belong to employees who have left the organization (Slovic, 2016). The next step is to monitor, control and manage the privileged credentials in order to prevent exploitation. The last step in this strategy is to implement the protocols and infrastructure needed to track, log and record the activities of the privileged accounts.

Control plan strategy for physical assets (communication equipment)

Communications security consists of the measures and controls taken to deny unauthorized individuals information from the telecommunication equipment, while still delivering the necessary content to its intended recipients. The control plan strategy to be implemented for the communication equipment concerns information transfer. It is important to ask what processes are in place to send sensitive information, how secure those processes are, and what formal confidentiality arrangements are in place (Webb, Ahmad, Maynard and Shanks, 2014). The control strategy is to implement policies for information transfer: information transfer policies and procedures that prescribe the minimal mandatory controls for transferring information using every type of communication equipment within the company (Teixeira, Sou, Sandberg and Johansson, 2015). The company could also plan to implement confidentiality or non-disclosure agreements with stakeholders, reflecting the organization's need to protect the information transferred from its communication equipment (Slovic, 2016).
These agreements should be documented in the agreed format and reviewed periodically against legislation and any other need for change. Further, the communication equipment should be managed through a technology that gives full control over the equipment, using software to lock, control and encrypt it and to enforce the policies (Schumacher, Fernandez-Buglioni, Hybertson, Buschmann and Sommerlad, 2013). The management of this equipment consists of two components: a management agent installed on the communication equipment, and the server used for communication with, and control of, the management agent software. This application consists of equipment management, security management and file synchronization. This will be a major step toward reducing data leakage and the loss of organizational control and visibility (Von and Van Niekerk, 2013). The strategy for implementing this management has certain characteristics that make it the first BYOD solution the organization should implement. Some of its features include the connection setup of the equipment, user authentication, encryption and compliance. This application could be applied to the communication equipment that handles the critical corporate information of the SMEs (Gemenne, Barnett, Adger and Dabelko, 2014). In order not to incur a fine or serious reputational damage as a result of breaching the applicable monitoring and data protection legislation, SMEs that wish to monitor employee devices should have a policy in place to make sure they do so lawfully (Duffie, 2013). The plan should include steps to inform employees that their communication equipment is monitored and the reason for doing so.
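The three steps of the privileged-account mitigation plan described earlier (identify accounts and terminate those unused or belonging to departed staff, then monitor, then log and review activity), as an added Python example that is not part of the original post. The account inventory, HR roster and audit log lines are constructed, and the field names and the 90-day inactivity threshold are assumptions rather than a standard.

```python
"""Privileged-account hygiene review (added example, constructed data)."""
from datetime import date, datetime, timedelta

INACTIVITY_DAYS = 90            # assumed threshold for 'no longer in use'
TODAY = date(2019, 12, 12)      # constructed review date

# Constructed inventory of privileged accounts: name, owner, last recorded use.
PRIVILEGED_ACCOUNTS = [
    {"account": "adm-alice",  "owner": "alice", "last_used": date(2019, 12, 1)},
    {"account": "adm-bob",    "owner": "bob",   "last_used": date(2019, 6, 3)},
    {"account": "svc-backup", "owner": "carol", "last_used": date(2019, 11, 28)},
    {"account": "adm-dave",   "owner": "dave",  "last_used": date(2019, 12, 10)},
]
# Constructed HR roster of people still employed on the review date.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed audit log, one "timestamp account action" record per line.
AUDIT_LOG = """\
2019-12-11T08:02:14 adm-alice login
2019-12-11T09:15:30 adm-dave  login
2019-12-11T09:16:02 adm-dave  sudo
2019-12-11T22:40:11 adm-bob   login
"""


def review_accounts(accounts, active_staff, today, inactivity_days=INACTIVITY_DAYS):
    """Step 1: decide which privileged accounts should be terminated.

    Returns {account: reason}. An account whose owner is no longer on the
    roster is flagged 'owner departed'; one whose last use is older than the
    threshold is flagged 'inactive'. Everything else stays and is monitored.
    """
    to_terminate = {}
    for acct in accounts:
        if acct["owner"] not in active_staff:
            to_terminate[acct["account"]] = "owner departed"
        elif today - acct["last_used"] > timedelta(days=inactivity_days):
            to_terminate[acct["account"]] = "inactive"
    return to_terminate


def flag_log_activity(log_text, flagged_accounts):
    """Step 3: scan recorded activity for accounts slated for termination.

    Any action by such an account is an alert: the credential is still live
    and must be investigated before removal. An 'inactive' account that shows
    up here also means the inventory's last-used data is stale.
    """
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record: skip it rather than abort the review
        stamp, account, action = parts
        if account in flagged_accounts:
            when = datetime.fromisoformat(stamp)
            alerts.append((when, account, action, flagged_accounts[account]))
    return alerts


if __name__ == "__main__":
    flagged = review_accounts(PRIVILEGED_ACCOUNTS, ACTIVE_STAFF, TODAY)
    for name, why in flagged.items():
        print(f"terminate {name}: {why}")
    for when, name, action, why in flag_log_activity(AUDIT_LOG, flagged):
        print(f"ALERT {when.isoformat()} {name} {action} (flagged: {why})")
```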
Conclusion

Risk management is the process of identifying the risks associated with the small and medium enterprise. Some of the risks identified are employers and non-employers, clients and freelancers; others concern the physical assets, namely the communication equipment. Various steps have been taken to reduce or mitigate the risks to an acceptable level. Furthermore, the risk management approach determines the process and the tools to be used for the organization's risk control plan strategy. The strategy has been developed for the purpose of planning in the event that risks arise in the future.

References

Alexander, C. (2012). Market risk analysis. Chichester: Wiley.
Aven, T. (2013). Foundations of risk analysis. Hoboken, N.J.: Wiley.
Aven, T. (n.d.). Risk analysis. 1st ed.
Belloc, H. (2007). On. Freeport, N.Y.: Books for Libraries Press.
Belloc, H. (2017). On. Freeport, N.Y.: Books for Libraries Press.
Biringer, B., Matalucci, R. and O'Connor, S. (2007). Security risk assessment and management. Hoboken, N.J.: John Wiley.
Brebbia, C. (2014). Risk Analysis. Southampton: WIT Press.
Calder, A. and Watkins, S. (2010). Information security risk management for ISO27001/ISO27002. Ely, U.K.: IT Governance Pub.
D'Arcy, J., Herath, T. and Shoss, M.K. (2014). Understanding employee responses to stressful information security requirements: a coping perspective. Journal of Management Information Systems, 31(2), pp. 285-318.
De, S. and Le Métayer, D. (n.d.). Privacy risk analysis.
Duffie, D. (2013). Systemic risk exposures: a 10-by-10-by-10 approach. In Risk Topography: Systemic Risk and Macro Modeling (pp. 47-56). University of Chicago Press.
Harbach, M., Hettig, M., Weber, S. and Smith, M. (2014). Using personal examples to improve risk communication for security privacy decisions. In Proceedings of the 32nd annual ACM conference on Human factors in computing systems (pp. 2647-2656). ACM.