Security Risk Review/Contingency Plan | Buy Assignments Online
This week your team needs to look at the Risk Review/Assessment for Ben’s organization. This document provides the basis for which security risks will be addressed and in what order of priority. It also outlines a plan for business continuity in the event of a natural disaster.
Within your team, discuss the process for assessing risk within Ben’s organization. Risk can include threats to information security and business continuity. Take the top three significant risks to be mitigated by priority. In addition, discuss the following: (Answer the following to incorporate the info in the PPT)
- List the types of natural and man-made disasters that could lead to an interruption of business services
- Come to a consensus on a plan to ensure business recovery following a flood
- Discuss how to implement the plan
MAIN INSTRUCTIONS FOR PPT
(Use information from chapter 12 attached, to use as one of the references)
Ben’s business is located in an area that is prone to floods and power disruptions.
Leveraging your Week Three Learning Team collaborative discussion, “Information Security Risk Review/ Assessment and Business Continuity,” create a 10- to 12-slide media-rich Microsoft® PowerPoint® presentation with speaker notes that explains the following:
- The key elements to include in a plan that will help ensure that Ben will be able to continue to service his customers following a flood
- The key items to consider when creating a contingency plan in the event the offsite data backup becomes unavailable
- The key aspects of implementing such a plan
Note: This assignment contributes to your final project in Week Five, “Security Policy Presentation: Final Project,” in which you will compile your PowerPoint® presentation slides from each week’s individual assignment to create your final presentation.
THE MAIN USES FOR AN IT SYSTEM
Communication purposes-in collecting and distributing information, and the IT system can make the process to be more efficient
Operations Management-IT system offers more complete and more recent information.
Communication purposes
Part of management is gathering and distributing information, and the IT system can make this process more efficient by allowing Ben to communicate efficiently
Operations Management
IT system offers more complete and more recent information, allowing Ben to operate the company more efficiently. Ben can use information systems to gain a cost advantage over competitors or to differentiate himself by offering better customer service. Sales data give Ben insights about what customers are buying and let him provide better services that are selling well. With guidance from the information system, Ben can streamline his operations.
*
THE MAIN USES FOR AN IT SYSTEM
Decision-Making- the IT system can help Ben make better decisions by providing all the needed information
Record-Keeping- the shop requires records of its operations for financial and regulatory functions
Decision-Making
The company information system can help Ben make better decisions by delivering all the information he needs and by modeling the results of his decisions. When Ben has accurate, up-to-date information, he can make the choices with confidence
Record-Keeping
Your company needs records of its activities for financial and regulatory purposes as well as for finding the causes of problems and taking corrective action. The information system stores documents and revision histories, communication records and operational data
*
DATA TYPES AND RISKS
All data should be classified into either one of the following
Restricted Data-Data whose unauthorized disclosure, modification or destruction could lead to high level of risk to the business e.g. data protected by state
Data classification based on its level of sensitivity and the impact to the business should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of three classifications:
Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the business or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.
*
DATA TYPES AND RISKS
Private Data-Data whose unauthorized disclosure, modification or destruction could lead to moderate level of risk to the business .
Public Data-Data whose unauthorized disclosure, modification or destruction could lead to little or no risk to the business
Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the business or its affiliates.
Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the business and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
*
EXAMPLES OF DATA RISKS ASSOCIATED WITH THE SYSTEM
Low Risk-Information available on the business website and Business contact information not designated as “private”
Moderate Risk-Customer records and purchase orders, Personnel files and personal contact information
High Risk-Social Security Numbers and Credit card numbers
Low Risk
• Research data
• Information available on the business website
• Policy and procedure manuals
• Job postings
• Business contact information not designated as “private”
• Information in the public domain
Moderate Risk
• customer records and purchase orders
• Staff personnel files, benefits, salary, birth date, personal contact information
• Non-public business policies and policy manuals
• Non-public contracts
• Business internal memos and email, non-public reports, budgets, plans, financial info
• Business employee ID numbers
High Risk
• Social Security Numbers
• Credit card numbers
• Financial account numbers
• Driver’s license numbers
• Passport and visa numbers
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
COMMON RISKS ASSOCIATED WITH THE SYSTEM
Inappropriate data access, virus infection, fraud and misuse of the system
Data theft from non-limited access to BYOD devices by employees
Data leakage or unintentional sharing of private
Social engineering attacks and phishing
Loss of reputation or legal Implications
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of non-limited administrative access to physical infrastructure
Data theft from non-limited access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in system and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
PRIORITIZED LIST OF THE RISKS IDENTIFIED
| Risk | Likelihood | Low Risk | Moderate Risk | High Risk | Very High Risk |
| Inappropriate data access in secure file storage | Moderate | ✔ | ✔ | ✔ | |
| Virus infection of business network infrastructure | High | ✔ | ✔ | ||
| Fraud | High | ✔ | ✔ | ✔ | |
| Misuse of the system | Moderate | ✔ | ✔ | ||
| Data theft | ✔ | ✔ | |||
| Data leakage or unintentional sharing | High | ✔ | ✔ | ✔ | |
| Loss of reputation or legal Implications | Low | ✔ |
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of non-limited administrative access to physical infrastructure
Data theft from non-limited access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in system and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
RISKS MITIGATION
The installation of reliable antivirus software
Utilization of complex passwords in each of the computers and Web-based applications
Provision of guidelines through employee training on dos and don’ts of utilizing systems and Internet.
Creation of security policy to addresses the responsibilities, rights and duties of employees
Risks Mitigation
The installation of reliable antivirus software which acts as the final line of defense from unwanted attacks. The antivirus program detects and removes virus and malware as well as filter possibly malicious downloads or emails.
All employees must utilize complex passwords in each of the computers and Web-based applications that require key for access. Complex passwords make it hard for hackers to crack them.
Installation of encryption software that protects data related to credit cards and bank accounts. Strong encryption algorithms transform readable data into unreadable codes that make altering of information difficult to accomplish. Even when data is lost it becomes obsolete without the keys used to encrypt the data.
Provision of guidelines through employee training on dos and don’ts of utilizing systems and Internet. For example, on how to handle suspicious emails. A security policy provides guidelines on putting limited access to critical data, taking of regular back-ups and the securing of Wi-Fi Networks that are highly vulnerable to attacks.
The security policy to addresses the responsibilities, rights and duties of employees
*
REFERENCES
Berson, A., & Dubov, L. (2011). Master data management and data governance. New York: McGraw-Hill.
DeLuccia, J. J. (2008). IT compliance and controls: Best practices for implementation. Hoboken, N.J: John Wiley & Sons.
Dufey, G., In Frenkel, M., Hommel, U., & Rudolf, M. (2005). Risk management: Challenge and opportunity. Berlin: Springer.
Communication purposes
Part of management is gathering and distributing information, and the IT system can make this process more efficient by allowing Ben to communicate efficiently
Operations Management
IT system offers more complete and more recent information, allowing Ben to operate the company more efficiently. Ben can use information systems to gain a cost advantage over competitors or to differentiate himself by offering better customer service. Sales data give Ben insights about what customers are buying and let him provide better services that are selling well. With guidance from the information system, Ben can streamline his operations.
*
Decision-Making
The company information system can help Ben make better decisions by delivering all the information he needs and by modeling the results of his decisions. When Ben has accurate, up-to-date information, he can make the choices with confidence
Record-Keeping
Your company needs records of its activities for financial and regulatory purposes as well as for finding the causes of problems and taking corrective action. The information system stores documents and revision histories, communication records and operational data
*
Data classification based on its level of sensitivity and the impact to the business should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of three classifications:
Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the business or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.
*
Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the business or its affiliates.
Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the business and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
*
Low Risk
• Research data
• Information available on the business website
• Policy and procedure manuals
• Job postings
• Business contact information not designated as “private”
• Information in the public domain
Moderate Risk
• customer records and purchase orders
• Staff personnel files, benefits, salary, birth date, personal contact information
• Non-public business policies and policy manuals
• Non-public contracts
• Business internal memos and email, non-public reports, budgets, plans, financial info
• Business employee ID numbers
High Risk
• Social Security Numbers
• Credit card numbers
• Financial account numbers
• Driver’s license numbers
• Passport and visa numbers
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of non-limited administrative access to physical infrastructure
Data theft from non-limited access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in system and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of non-limited administrative access to physical infrastructure
Data theft from non-limited access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in system and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
Risks Mitigation
The installation of reliable antivirus software which acts as the final line of defense from unwanted attacks. The antivirus program detects and removes virus and malware as well as filter possibly malicious downloads or emails.
All employees must utilize complex passwords in each of the computers and Web-based applications that require key for access. Complex passwords make it hard for hackers to crack them.
Installation of encryption software that protects data related to credit cards and bank accounts. Strong encryption algorithms transform readable data into unreadable codes that make altering of information difficult to accomplish. Even when data is lost it becomes obsolete without the keys used to encrypt the data.
Provision of guidelines through employee training on dos and don’ts of utilizing systems and Internet. For example, on how to handle suspicious emails. A security policy provides guidelines on putting limited access to critical data, taking of regular back-ups and the securing of Wi-Fi Networks that are highly vulnerable to attacks.
The security policy to addresses the responsibilities, rights and duties of employees
