ITC 596 IT Risk Management Assignment
This is Assessment 2 of ITC 596 IT Risk Management.
Task 1 Use a diagram to illustrate current security risks and concerns considered by the VIC government.
Task 2 Provide detailed explanation of the diagram and identify the areas of: high, medium, medium-low, and low risk exposure.
The VIC government considers all security risk concerns in order to protect the data of a business. The basic security requirements are given below:
Basic security considerations:
1. Organizational Security Risks: These risks may affect the structure of the business. Security threat prevention is necessary to protect data from threats and vulnerabilities. Organizational security includes employee security, financial security, and the IT infrastructure. Security threats to an organization include:
Spam: Spam is an enemy of every email user. It consists of fake messages promoting counterfeit items, designer goods, bogus get-rich-quick schemes, "improve your love life" offers, and so on. These messages fill up the inbox and create a major nuisance. The solution is for the organization to run anti-spam software. Spam is a low-risk exposure because it does not harm the system; it only irritates the user.
Viruses: A virus is bad news for any organization because it may copy itself onto a user's machine without the user's awareness. Once a virus enters the network it spreads to the other systems connected to that network. Viruses are a major problem for an organization; anti-virus software is the solution for this type of security risk.
Malware: Malware covers many software types, such as Trojans, spyware, and worms, which infiltrate the system without the user realizing it. Some malware simply disrupts the system, while other malware is created for financial gain. Malware deliberately enters the user's system to take control of it and can capture the user's login details and credit card details if a payment is made. It can also capture account details if the user has an online banking account. Anti-virus implementation is the solution for this type of security risk, and the anti-virus software must be kept up to date to protect the PC from malware.
Network monitoring: For an organization to complete its tasks, the workstations, the network and the server must work together seamlessly. If the server crashes, employees cannot carry on their work, so the network and server must be monitored regularly (Darmanin, 2009).
2. Physical Security Risks: These risks involve damage to or loss of physical assets such as hardware, software, data and network equipment through physical action or unauthorized access (Techopedia, n.d.).
3. Compliance and Audit Risks: These are legal risks, related to the law. Managing compliance and audit risk ensures that the organization runs ethically and legally, so it is sometimes also known as integrity risk (SearchCompliance, 2014).
4. Data Security Considerations:
Data security considerations include Confidentiality, Integrity and Availability, also referred to as the CIA Triad, a model designed to provide data security.
Confidentiality: Confidentiality is similar to privacy: sensitive information is protected from reaching unauthorized persons, while it is ensured that the right persons receive it. Data encryption for online banking is an example of a confidentiality measure.
Integrity: Integrity ensures that data is not changed during transmission. It covers the consistency and accuracy of the data and also ensures that data cannot be altered by an unauthorized person. Data may carry a checksum for integrity verification. Backups also allow data to be recovered if it has been altered by an unauthorized person.
Availability: Availability means maintaining the hardware and software, repairing hardware immediately when needed, keeping the system upgraded and preventing bottlenecks. In short, availability ensures that authorized persons can access the information they are authorized to see whenever they need it for an authorized purpose (WhatIs, 2014).
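The checksum mentioned under Integrity catches accidental change but not deliberate tampering, which is the same distinction Task 3 draws between accidental and deliberate threats. The following Python example is added here and is not part of the original assignment; the sample record, the key value and the function names are constructed for illustration. It compares an unkeyed CRC32 checksum with a keyed HMAC-SHA256 tag against a bit flip in transit and an unauthorized edit of the record.

```python
import hashlib
import hmac
import zlib

# Constructed sample record standing in for a data item in transit (not from the page).
ORIGINAL = b"account=12345;amount=100.00;payee=supplier-A"
# Constructed demonstration key shared by sender and receiver (hypothetical value).
KEY = b"constructed-demo-key-do-not-reuse"


def checksum(data: bytes) -> int:
    """Unkeyed CRC32 checksum. Detects accidental corruption such as a flipped
    bit, but anyone who alters the data can simply recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag. Without the key, an unauthorized party cannot
    produce a tag that matches modified data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: int) -> bool:
    return checksum(data) == expected


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest is constant-time, so the comparison itself leaks nothing.
    return hmac.compare_digest(tag(key, data), expected)


def accidental_corruption(data: bytes) -> bytes:
    """Simulate a transmission fault: one bit flips and nothing else is touched."""
    damaged = bytearray(data)
    damaged[10] ^= 0x01  # the '3' in the account number becomes '2'
    return bytes(damaged)


def deliberate_modification(data: bytes) -> bytes:
    """Simulate an unauthorized edit of the record. Whoever makes it can
    recompute the unkeyed checksum but, lacking KEY, cannot recompute the tag."""
    return data.replace(b"payee=supplier-A", b"payee=supplier-B")


def integrity_report(key: bytes = KEY) -> dict:
    """Run both integrity checks against both kinds of change and report
    which check catches which change."""
    sent_checksum = checksum(ORIGINAL)
    sent_tag = tag(key, ORIGINAL)

    corrupted = accidental_corruption(ORIGINAL)
    modified = deliberate_modification(ORIGINAL)

    return {
        # Untouched data passes both checks.
        "intact_checksum_ok": verify_checksum(ORIGINAL, sent_checksum),
        "intact_tag_ok": verify_tag(key, ORIGINAL, sent_tag),
        # A bit flip in transit: both checks notice, because the stored
        # checksum and tag were computed over the original bytes.
        "accidental_caught_by_checksum": not verify_checksum(corrupted, sent_checksum),
        "accidental_caught_by_tag": not verify_tag(key, corrupted, sent_tag),
        # A deliberate edit where the editor recomputes the checksum: the
        # checksum matches the altered bytes, so it catches nothing.
        "deliberate_caught_by_checksum": not verify_checksum(modified, checksum(modified)),
        # The editor cannot recompute the keyed tag, so the receiver still notices.
        "deliberate_caught_by_tag": not verify_tag(key, modified, sent_tag),
    }


if __name__ == "__main__":
    for check, result in integrity_report().items():
        print(f"{check}: {result}")
```

The report shows the practical point: a plain checksum is the right tool for the accidental threats in Task 3 (transmission faults, careless edits), but only a keyed tag, or an equivalent signature whose key the modifier does not hold, gives the integrity guarantee the CIA triad asks for against deliberate threats.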
Task 3 Carry out comparative analysis of the Deliberate and Accidental Threats.
As per the VIC government, threats can be categorized as accidental threats and deliberate threats. These threats are described below:
The most common threat within security is people themselves. Most damage is due to the negligence of a person. Such accidental threats can arise in the following ways:
Poor password security: A weak password can easily be guessed by another user. Users also often share passwords or write them down in places that can easily be accessed by another person. All of these activities lead to accidental threats caused by poor password security (Casesa, 2016).
Social engineering: Vishing and phishing attacks are the common examples of this type. Through them, sensitive data of the user can be obtained by impersonating someone else.
Unauthorized download: When users download software from a link, the software may contain malware. This malware can damage the network by spreading across it.
Deliberate threats are also known as intentional threats. The different types of deliberate threats are as follows:
Information extortion: In this type of threat, the attacker steals information from inside the organization. The attacker gets to know the organization before attempting the theft of information.
Trespass or espionage: In this type of attack, the attacker tries to gain illegal access to the information stored inside the organization.
Vandalism or sabotage: This type of attack is performed to harm the reputation of the organization, for example by damaging the organization's website. All of this is done so that customers lose their trust in the organization (Learn-informationsystem, 2014).
A comparative analysis of accidental and deliberate threats, based on different threat categories, is as follows:
Table 1- Comparative analysis of accidental threats and deliberate threats
Source: Vavoulas and Xenakis (2010)
As the analysis shown above indicates, deliberate threats rank higher when compared with accidental threats. This is because in accidental threats there is no evidence of an attack; an attack is only possible in a deliberate threat. Through such an attack the attacker can easily steal, expose, destroy or disable access to information. Risk, vulnerability, asset and threat source are also major concerns.
Task 4 Explain the challenges that the VIC government is going to face while deciding on security/risk management.
Password Management: Password management is a big challenge faced by the VIC government. The challenge is creating and enforcing strong passwords that cannot be broken by anyone, which requires creative solutions and techniques.
DDoS (distributed denial of service) attack: The second challenge faced by the VIC government is a DDoS attack. This type of attack is different from an attack from a single computer, which generates low-bandwidth events; a DDoS attack puts the organization's virtual server at risk by generating ultra-high-bandwidth events.
Sabotage: Sabotage of the computer network is a big challenge because it impacts the organization's infrastructure and may crash the backbone and corporate network of the organization. Sabotage is done intentionally by an attacker to crash the network and access sensitive information.
Mobility: Management and security of business apps, mobile devices and the network is a big challenge because employees use mobile devices to access business systems and for other business purposes. Mobile device trends exacerbate the mobility challenge because the VIC government has to protect the sensitive information required to manage the organization and create a secure network that also protects users' personal information and activities.
Internet: This is one of the biggest challenges faced by the VIC government because there is a perception that the internet is a secure infrastructure, which is not true. The internet is an open connection of diverse networks, so it requires different security policies rather than general security. Meeting this challenge means building security controls into the network to protect the infrastructure and reduce organizational risk.
Cloud migration: Nowadays every organization is migrating critical systems to the cloud. The challenge is how to perform security and risk management when migrating into virtual shared infrastructure.
Insider threat: Every organization has some employees who are dissatisfied with the company and who may insert malware through removable devices or a web connection to violate network security (Walker, n.d.).
Detection of threats before they affect the business: Almost 35% of businesses face this challenge, because major technology threats hide themselves in the user's system and cannot easily be found. These put the system at risk. Such threats also enter the network and then spread to the other systems connected to it. They also enter the user's PC for financial gain and can capture the user's login details, account details and credit/debit card details. So it is a big challenge for the VIC government to find hidden threats and then remove them without losing any data.
Protect sensitive data: Sensitive data is highly distributed, and guarding only the IT perimeter is not enough. Most of an organization's value resides in intellectual property such as customer data, software designs, algorithms and communications. Sensitive data is therefore vital, and it is difficult to guard.
Privacy law: Privacy law is the biggest and final challenge faced by the VIC government. Organizations must comply with legislation worldwide. Privacy must be provided by gathering information in a way that is secure and consistent with legislation.
Task 5 Explain the difference between the concepts of Risk and Uncertainty.
In the risk management process different activities such as threat control, identification and assessment are carried out. Different risk standards have been created to manage risk; principles such as those of ISO 31000 provide a framework for improving the risk management process (Rouse, 2016).
Uncertainty is something that is not known. It is due to insufficient information regarding the conditions, and as a result the future outcome cannot be predicted (S, 2016).
The differences between risk and uncertainty are as follows:
1. In the case of risk, the outcome can be judged quite easily, whereas under uncertainty the outcome cannot be measured easily.
2. In risk management, the VIC government can assign a probability to a set of circumstances, which is not possible under uncertainty.
3. The VIC government can monitor or control risk, but this is not possible for uncertainty because the future outcome cannot be predicted.
4. Risk can be quantified and measured by the VIC government, but uncertainty cannot be measured.
5. Whenever the VIC government sees potential outcomes it is dealing with risk, whereas in the case of uncertainty there is no known outcome.
Task 6 Discuss and evaluate different approaches available to the VIC government for risk control and mitigation.
With the help of risk management strategies, the VIC government can control risks and mitigate them. This is an efficient, relevant, sustained and effective method of achieving risk control. Risk management strategies can be applied at the operational, strategic or tactical level. The differences between strategic, operational and tactical risk are illustrated by the examples below:
Strategic risk: Transport planning policy is the best example for understanding strategic risk. Amendments to strategic plans that alter the emphasis of the plans, changing the nature and type of the predicted imbalances in the transport network, are an example of strategic risk. In general, strategic risk includes influences from the environment.
Operational risk: This can be explained using the example of contract work in transport. Suppose contract work is being carried out to improve transport but is falling behind schedule, causing dissatisfaction and disruption. Operational risk deals with risk at the operational level.
Tactical risk: The discovery of undisclosed asbestos on a site results in the closure of the worksite and amendments to the site safety plan. All of these results impact the outcomes of the project in terms of schedule and cost. Tactical risks are those that impact the ability to carry out the strategies.
Risk can also be classified as long term, medium term and short term. This is based entirely on the timeframe of the project, as explained by the examples below:
Long term risk: The project is halted so that its demographic impact can be re-evaluated. This creates an impact on public expectations and cost.
Medium term risk: Community cost blow-out and anger caused by the project delay is the best example of a medium term risk.
Short term risk: If asbestos is found on the site, the resulting community anger and minor cost blow-out, which can harm the community, is the best example of a short term risk.
Risk management strategies have different applications, as follows:
1. Resources can be allocated successfully.
2. Environmental issues can be solved very easily.
3. Fraud, ethics, probity and security issues can be solved easily.
4. A feasibility study is also possible through risk management strategies.
5. Maintenance and operation of the system can be performed easily.
6. Project management can be done easily (Vuir, 2007).
Casesa, P. 2016. The Accidental Security Threat: Insiders. Retrieved from http://blog.isc2.org/isc2_blog/2016/03/the-accidental-security-threat-insiders.html
Darmanin, J. 2009. 10 Security Threats to an Organization – Part 1. Retrieved from https://techtalk.gfi.com/10-security-threats-to-an-organization-part-1/
Learn-informationsystem. 2014. Deliberate Threats to Information System. Retrieved from http://learn-informationsystem.blogspot.com/2014/12/deliberate-threats-to-information-system.html
Rouse, M. 2016. What is risk management? Retrieved from http://searchcompliance.techtarget.com/definition/risk-management
S, S. 2016. Difference Between Risk and Uncertainty. Retrieved from http://keydifferences.com/difference-between-risk-and-uncertainty.html
Samarati, M. 2016. Accidental or malicious insider threat: staff awareness makes the difference. Retrieved from https://www.itgovernance.co.uk/blog/accidental-or-malicious-insider-threat-staff-awareness-makes-the-difference/
SearchCompliance. 2014. What is compliance risk? Retrieved from http://searchcompliance.techtarget.com/definition/compliance-risk
Calpoly. n.d. Information Security Asset Risk Level Definition - Information Security - Cal Poly, San Luis Obispo. Retrieved from https://security.calpoly.edu/content/policies/asset-risk-definition
Techopedia. n.d. What is Physical Security? Retrieved from https://www.techopedia.com/definition/14514/physical-security
Vavoulas, N. and Xenakis, C. 2010. A Quantitative Risk Analysis Approach for Deliberate Threats. Retrieved from http://cgi.di.uoa.gr/~xenakis/Published/39-CRITIS-2010/CRITIS2010-RiskAnalysisDeliberateThreats.pdf
Vuir. 2007. Victorian Government Risk Management Framework. Retrieved from http://vuir.vu.edu.au/21330/3/APPENDIX_10.1_RISK_VICGOVNT_RISK_FRAMEWORK_JUL07.pdf
Walker, D. n.d. Top 10 security challenges for 2013. Retrieved from https://www.scmagazine.com/top-10-security-challenges-for-2013/article/542937/
WhatIs.com. 2014. What is confidentiality, integrity, and availability (CIA triad)? Retrieved from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA