Risk Management and Control Effectiveness - Essay Example

Summary
The "Risk Management and Control Effectiveness" paper answers seven questions about the effectiveness of security technologies and methodology, risks related to them, additional controls, and access to technology within organizations, and identifies the additional controls needed. …

Extract of sample "Risk Management and Control Effectiveness"

Abstract

Management of information security is vital in every organization, as it ensures the security of information, systems infrastructure and data content being processed, accessed, managed and communicated to the public. This paper answers seven questions in relation to the effectiveness of security technologies and methodology, the risks related to them, additional controls, and access to technology within organizations.

Keywords: technology, risk, security

Risk Management and Control Effectiveness

Introduction

According to Oppliger (2003), management of information security in organizations is very vital, as it ensures that the security of information is guaranteed. This paper answers seven questions in relation to the effectiveness of security technologies and methodology, the risks related to them, additional controls, and access to technology within organizations.

Questions and Answers

a) Evaluate the effectiveness of the security technologies and methodology in your organization

The administrative structure of the organization, including its relationship with the public, promotes effective administration of information security. According to Fung (2004), management of information security ensures the security of organizational information, systems infrastructure and data content being processed, accessed, managed and communicated to the public. The management is committed and actively supports information security at all levels. This has been clearly demonstrated through support for security initiatives by providing the necessary resources for information systems security controls. Additionally, management commitment to information security has been witnessed through the coordination of effort and the formulation and approval of a relevant organization-wide security policy. There have been periodic reviews of the information security policy based on the organizational goals, objectives and technological development.

The management has ensured appropriate planning and controls for new systems and infrastructure. Security activities are coordinated by staff representatives from different departments of the organization. The execution of security controls is in compliance with the information security and privacy policies. There are also coordinated efforts in the assessment of the implemented security controls, the identification of vulnerabilities and the recommendation of additional measures. These evaluations have been significant in identifying changes in vulnerabilities, threats and attacks to both external and internal systems, and in recommending mitigation measures. The organization has continuously promoted training and security awareness for all stakeholders in the organization. The requirements for non-disclosure agreements and confidentiality reflect the information protection needs of the organization. This includes definition of the information, information infrastructure, information types and information systems that are to be protected. The agreements have clear and legally enforceable terms. Additionally, the security requirements identified are addressed before clients are given access to information and assets.

b) Determine your uncertainty

The security of data/information, information systems and network infrastructure remains a great anxiety to the management team. There are uncertainties as to whether the variety of security technology implemented in the organization meets the protection the organization requires. According to Edwards (2004), uncertainties arise when the security solutions implemented disrupt usual operations, where employees are denied access to certain services such as critical applications, e-mail and other internal services and resources. Additionally, firewalls, virtual private networks (VPNs) and e-mail gateways can limit interactions between the staff and clients, suppliers and partners.

The managers and administrators are uncertain about whether to invest in network and information security. These uncertainties lie in evaluating the current implementation position of the organization. Uncertainties also lie in knowing how other peer organizations are doing in the implementation of security measures; this involves comparing the performance of the organization with that of its peers. The other area of uncertainty is in determining the priority for security in the organization.

c) Calculate the risk for each threat

News of data breaches and security threats abounds and is constantly made public. These threats include:

- non-existent security architecture, that is, the lack of an established security architecture, which leaves the information systems vulnerable to loss of data (Edwards, 2004);
- un-patched client-side applications and software;
- targeted attacks and phishing;
- Internet websites, such as browsing insecure web pages;
- poor configuration management;
- use of mobile devices;
- cloud computing;
- computer networks compromised by hackers and used to attack other systems;
- zero-day attacks (Edwards, 2004).

Risk calculation and rating involves quantitative measures of the threat level of the computer network system before mitigation. Intrusion prevention systems and intrusion detection systems calculate the risk numbers and the risk rating. The formula for calculating the risk rating is:

RR = (ASR * TVR * SFR) / 1000 + ARR - PD + WLR

Where: RR is the risk rating; ASR the attack severity rating; TVR the target value rating; SFR the signature fidelity rating; ARR the attack relevancy rating; PD the promiscuous delta; and WLR the watch list rating.

The threat rating involves quantitative measures to show the threat level of the computer system and network after mitigation. The formula for the calculation of the threat rating is:

Threat Rating = Risk Rating - Alert Rating

d) Identify any additional controls needed

Remember that there are technical, administrative and managerial controls. Data in a system need to be protected against unauthorized modification or disclosure, destruction of the system, or denial of service. The security controls implemented should not inhibit productivity, so a balance between productivity and security needs to be achieved. Information security controls can be technical, physical or administrative, and these are classified as detective or preventive (Edwards, 2004). Detective controls are geared to identifying unwanted events that have been triggered. Preventive controls limit the use of information and computer resources to an acceptable level. Other detective controls include intrusion detection systems (IDS), checksums and audit trails. The other types of controls that supplement these are corrective, recovery and deterrent controls (Oppliger, 2003).

Preventive physical controls include backup files, security guards, badge systems, fences, double-door systems, locks and keys, site selection, backup power, biometric access controls and fire extinguishers. Detective physical controls include smoke and fire detectors, motion detectors, closed-circuit television monitors, and sensors and alarms. Technical security controls, on the other hand, involve the use of hardware and software applications (Oppliger, 2003). Examples of preventive technical controls include antivirus software, access control software, passwords, library control systems, encryption, smart cards, callback systems and dial-up access controls. Detective technical controls include intrusion detection systems and audit trails. Preventive administrative or personnel controls include separation of duties, security awareness, technical training, supervision, security procedures and policies, emergency plans, contingency planning and disaster recovery, among others. Detective administrative controls include security audits and reviews, background investigations, performance evaluation, required vacations and rotation of duties.

e) Describe the network security methodology and technology used in your organization

The network security methodology in the organization starts with a security assessment. This is simply the measurement of the state or posture of security in a system: an examination of the way information security is implemented. The methodology is a risk-based assessment, since it focuses on vulnerabilities and their impacts on the organization. The next step is the review method. This comprises passive review techniques and interviews, and is instrumental in evaluating applications, systems, policies, networks and procedures in order to identify vulnerabilities (Oppliger, 2003). It includes review of documentation, rule-sets, architecture and configurations. This provides an understanding of the critical information and systems and of the security focus in the organization. The next level is the examination or analysis stage. This examines the network/system to identify the information security vulnerabilities that exist in it. It also involves analysis of the firewalls, routers and intrusion detection systems, and covers vulnerability scans of the system/network. The next method is testing, or penetration testing. This involves one of the members imitating an adversary scanning for vulnerabilities that would allow entry or a break-in to the system/network.

f) Describe the access control technology used in your organization

The organization has put in place measures to avoid, minimize or counteract security risks. The system administrators ensure that each computer system for which they are responsible has at minimum one access coordinator. The access coordinator responsible for each system configures a unique electronic identifier (user ID) for each user. Passwords are used for logging in in critical circumstances. These passwords are established by the users and are unique and known only to the user. Every user is responsible for ensuring the confidentiality of the password and is accountable for any security breaches committed through his/her user ID or password. System administrators have developed mechanisms to ensure that every user changes his/her password regularly for sensitive and confidential user accounts. Security policy awareness and training are regularly undertaken by the system administrators. In the event of promotion, transfer or termination of contract, electronic user IDs are revoked. Data managers, network administrators and system administrators each conduct and document threat and risk assessments or analyses for the systems for which they are responsible. Based on the findings of the analysis, they are responsible for implementing the necessary mechanisms.

g) Include a discussion of what you learned this week and how this assignment has changed your opinion of security technology and the methodology

Risk management of information security systems is a process of striking a balance between the economic and operational costs and meeting the relevant information security measures. Organizations need to strive for security measures that are able to reduce risk to an acceptable level at the lowest possible cost. Risk is the probability, at any given time, of the occurrence of a cost burden. It is the likelihood of a threat source exercising a potential vulnerability and thereby impacting the organization.

Conclusion

In conclusion, in the risk evaluation of information security systems it is vital to assess the threats. An accurate understanding of potential sources of threats is required in prioritizing vulnerabilities for remediation.

References

Fung, K. T. (2004). Network security technologies. Mason, OH: Taylor & Francis.
Oppliger, R. (2003). Security technologies for the world wide web. Norwood, MA: Artech House.
Edwards, B. (2004). Data security technologies (5th ed.). Burlington, VT: Gower Publishing.
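As an added worked example (not part of the essay or of any vendor's software), the following Python code applies the risk-rating and threat-rating formulas from section c) above to a few constructed alert records, rejects out-of-range inputs, and ranks alerts against a triage threshold so an analyst can see how the factors combine before and after mitigation. The divisor 1000 is taken from the essay as printed; the 0..100 scale for ASR, TVR and SFR, the sample alert values and the threshold are assumptions for this illustration.

```python
"""Risk rating (RR) and threat rating per the essay's section c).

    RR = (ASR * TVR * SFR) / 1000 + ARR - PD + WLR
    Threat Rating = Risk Rating - Alert Rating

Added illustration only. The divisor 1000 is as the essay prints it; the
0..100 scale for the multiplied factors and the alert data are constructed
assumptions, not values from any real sensor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One IPS alert with the rating inputs the formula needs."""
    signature: str
    asr: int           # attack severity rating
    tvr: int           # target value rating
    sfr: int           # signature fidelity rating
    arr: int           # attack relevancy rating
    pd: int            # promiscuous delta
    wlr: int           # watch list rating
    alert_rating: int  # rating already assigned to the alert (for threat rating)


RISK_DIVISOR = 1000  # as printed in the essay


def risk_rating(alert, divisor=RISK_DIVISOR):
    """Pre-mitigation risk rating; raises ValueError on out-of-range factors."""
    for name in ("asr", "tvr", "sfr"):
        value = getattr(alert, name)
        if not 0 <= value <= 100:   # assumed 0..100 scale
            raise ValueError(f"{name} out of range 0..100: {value}")
    rr = (alert.asr * alert.tvr * alert.sfr) / divisor + alert.arr - alert.pd + alert.wlr
    return round(rr, 1)


def threat_rating(alert, divisor=RISK_DIVISOR):
    """Post-mitigation measure: Threat Rating = Risk Rating - Alert Rating."""
    return round(risk_rating(alert, divisor) - alert.alert_rating, 1)


def triage(alerts, threshold):
    """(signature, risk rating, threat rating) for alerts at or above the
    risk threshold, highest risk first, so analysts work the worst first."""
    scored = [(a.signature, risk_rating(a), threat_rating(a)) for a in alerts]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: s[1], reverse=True)


# Constructed sample alerts (not real sensor output).
SAMPLE_ALERTS = [
    Alert("sig-A", asr=90, tvr=100, sfr=85, arr=10, pd=0, wlr=0, alert_rating=100),
    Alert("sig-B", asr=50, tvr=60, sfr=70, arr=0, pd=30, wlr=0, alert_rating=100),
    Alert("sig-C", asr=20, tvr=40, sfr=50, arr=0, pd=0, wlr=20, alert_rating=60),
]


if __name__ == "__main__":
    for sig, rr, tr in triage(SAMPLE_ALERTS, threshold=100):
        print(f"{sig}: risk rating {rr}, threat rating {tr}")
```

With the constructed data, sig-A scores 775.0 before mitigation and 675.0 after, sig-B drops from 180.0 to 80.0, and sig-C falls below the threshold, so only the first two appear in the triage list; a threat rating of 0 means the existing alert handling fully offsets the computed risk.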
Risk Management and Control Effectiveness Essay. Retrieved from https://studentshare.org/information-technology/1607251-risk-management-and-control-effectiveness
