
Enterprise Risk Assessment, Audit, and Cyberlaw Policy - Case Study Example

Summary
The purpose of the paper 'Enterprise Risk Assessment, Audit, and Cyberlaw Policy' is the assessment of the various risks that are associated with an interaction network that happens daily between the suppliers, investors, stakeholders, and employees while offering clear guidelines of conducting intentions to mitigate the risks…

Extract of sample "Enterprise Risk Assessment, Audit, and Cyberlaw Policy"

Enterprise Risk Assessment, Audit, and Cyberlaw Policy

Bryant Wiersema American Public System Foltz

The continuous process of ERM is becoming a crucial component of any successful company’s assessment, since identifying different risk factors and interpreting their potential disadvantages and advantages ensures that a company remains capable of anticipating and addressing external and internal contingencies. The plan is intended to offer a navigable benchmark for developing a comprehensive standard that includes guidelines for the construction and internal auditing of a contemporary and capable cyber law policy. Within the structure of any successful enterprise, the continuous exchange of necessary data facilitates efficient operation and gives rise to identifiable risk factors, including financial, operational, hazard, and strategic risks. The purpose of the plan is to assess the various risks associated with the interaction network that operates daily between suppliers, investors, stakeholders, and employees, while offering clear guidelines for mitigating those risks.

Risk Assessment

MemaTech Company has spent a lot of money, time, and human resources to ensure that the company’s security is up to date. The company has partnered with companies like Symantec. Symantec develops the industry’s security software and web security threat analysis for MemaTech. In the report, the company outlines some of the security trends and threats and then gives guidance on how they can be fixed and prevented. The partner also provides some practices for the company. Based on the company’s study, MemaTech has ten security practices, procedures, and guidelines. The company encrypts its file systems, encrypts stored data, and encrypts all wire transfers.
Encryption is important because it protects sensitive data and helps prevent data loss due to lost or stolen equipment. The company also uses digital certificates to sign its sites. MemaTech saves its certificates to hardware devices like the router or even load balancers. The company has avoided saving the certificates on its web server and has resolved to obtain its certificates from trusted authorities only.

In addition, the company has implemented auditing and DLP. The company uses data loss prevention and file auditing to monitor, alert on, identify, and block the flow of data out of and into the company’s network. MemaTech has implemented a removable media policy. Here, the company has restricted the use of USB drives, thumb drives, external hard disks, external DVD writers, and any other writable media. These devices facilitate security breaches coming into and leaving the company’s network.

The company has also secured its website against malware infections and MITM. The company has used SSL, scanned its website for any possible malware, set a flag for every cookie, and used SSL certificates with Extended Validation. In addition, the company uses email servers or spam filters. The company has used time-tested filters like SpamAssassin to keep unwanted mail from entering the company’s junk folders and inboxes (Hiles, 2002). The company teaches its users how to flag junk mail, irrespective of its source.

The company also follows comprehensive endpoint security guidelines, for which its partner Symantec suggested using multi-layered products to prevent malware infection on user devices. Antivirus software alone is not a sure way to safeguard information. Intrusion detection, antivirus, and a personal firewall are all included in the final approach to protecting endpoints. The MemaTech Solutions Company has network-based security software and hardware.
Here, the company uses intrusion detection devices, firewalls, honeypots, monitoring, and gateway anti-virus to screen for any DoS attacks, port scans, virus signatures and other attacks, and attempted security breaches. The company has also maintained its defenses against security breaches, with some anti-virus kept up to date on a daily basis. The company has ensured that its hardware and software defenses are up to date with the latest patches and antimalware signatures. When automatic updating is turned off, the company normally activates a remediation plan and regular scans of the system. Finally, the company has educated its employees on how to behave responsibly and take fewer risks with the company’s private data, email included.

Other security measures include physical security. Here, security-screened software is used, that is, software that has undergone regression testing with the operating system. MemaTech Company cannot take chances with issues of security, because doing so is very expensive. It is the company’s priority to stay on top of security with a multi-tiered and multilayered approach (Marchetti, 2012).

The risks that the company needs to assess include financial risks, operational risks, strategic risks, and hazard risks. The operational risks, which concern the storage, exchange, and generation of proprietary or otherwise confidential data, are the most important from the organizational perspective. The external malfeasance threats in the form of hacking, data theft, and other tasks are designed to encourage the continued growth of the company. Because the company needs to maintain extensive digital records that document different transactions, and with data theft looming over a variety of exchanges, data protection is a critical and required component of risk management.
Security Policies

The Executive Department of MemaTech Solutions Ltd., In addition, any third party that links to the company’s wide area network must conform to this policy. MemaTech Solutions Ltd. is required to ensure compliance by all business partners that can access the Executive Department Information Technology Resources or the shared environment. The Executive Department of MemaTech Solutions Ltd. is required to ensure compliance by third parties in any framework of the process of offering services to their companies, such as the collection, storage, maintenance, and dissemination of electronic data. Business partners that can interact with the resources of the company are required to abide by this policy.

The company is encouraged to implement the security requirements according to the Enterprise Information Security Policy at stringent agency policy, and according to business- and agency-related regulations, directives, and laws. MemaTech Solutions Ltd. is required to implement procedures, associated policies, and controls that safeguard the company’s information assets, including personal information and information resources, from all attacks, whether external, internal, accidental, or deliberate. Additionally, the guiding principles of IT information (availability, confidentiality, and integrity) must be defended from attacks. The company must review the general implementation of its security against all the regulations, associated risks, standards, and applicable laws (Ou & Singhal, 2012).

MemaTech Solutions Ltd. is required to implement the Information Security Program. The program is a management system representing the controls and policies implemented within the company. An effective and efficient management system offers both the users and the management the control needed to secure the company’s information assets and its sensitive information, and must take note of the lifecycle of the Information Security Program.
These include risk treatment, risk assessment, implementation and selection of security controls, and ongoing maintenance and evaluation. The company is required to prioritize, quantify, and identify risks against the control and operational objectives, and to exercise, design, and implement controls that offer reasonable assurance that objectives will be achieved and that risk will be mitigated to an acceptable level. Risk auditing considers the prospective threats to information and to information technology resources, including loss of information from accidents, system unavailability, and system dynamics. Consequently, the company needs to identify threats on their costs and threats (Marchetti, 2012).

MemaTech has properly conceived and implemented its security programs and policies to ensure that its facilities resist myriad threats while meeting demanding performance, uptime, and reliability objectives. The security programs are fundamental in safeguarding the processes, people, equipment, and information housed within the protected space. The company has security risk evaluations that identify the assets that need protection and how important they are.

The company faces three risks. The first risk arises from the failure to protect confidential information. This normally affects the performance of the company. The second risk is the inability to protect confidential information in a way that can result in ripple effects that extend beyond the company’s organization, reaching suppliers, customers, and stakeholders. The losses here are very extensive, with both permanent and temporary damage to the company’s operation and organization. The third level of risk is the inability to safeguard confidential data or to prevent unscheduled downtime, with a cascading and devastating effect that is felt beyond the company.
The resulting losses and damage may be massive, with prospective global effects. Unscheduled downtime can threaten financial stability, worker safety, and regulatory compliance, and can even lead to loss of life in the company. The company assesses other vulnerabilities and risks and prioritizes them, along with the means to respond to and counter them. The final procedure enables a given weakness to be identified and addressed accordingly.

A comprehensive security system risk assessment is important from a budgeting point of view. The senior management of the company has a comprehensive analysis of all vulnerabilities and risks with which to make decisions on capital resource allocation (Hiles, 2002). The responses can be used to mitigate disruptions, liabilities, and losses to the company’s operating businesses, and need to be developed as part of the process. The company’s security plans need to be updated often to make sure that the company’s objectives are met. A common error when the company’s security is updated occurs in the company’s physical assets. This is because of incompatibilities between the management system and the workers’ security system. The outcome can be an incompatible and redundant system that raises the expenditures involved.

The security policy of MemaTech Solutions Limited has established the foundation of the security system. Having a security policy is not, however, a guarantee that the company will eradicate loss of information and intrusion. The security policy nevertheless offers a foundation for subsequent actions, and it enables the company to come up with procedures so that it can carefully audit its network. A security policy ensures that the company builds an effective security infrastructure. Without an effective security policy, the implementation of the company’s security will not be successful (Ou & Singhal, 2012). The MemaTech Solutions security policy performs various tasks.
The policies clearly show the individuals in the company who are responsible for altering, creating, and implementing the various policies. The policies also secure the resources, which include the actual operations themselves in addition to the information stored on them. The security policy of the company also allows the workers to conduct their jobs faster. In addition, the policies define the proper measures and equipment that are important in implementing them. For instance, they determine the kind of traffic the firewall will deny or permit, and they identify which network servers will be audited and scanned more frequently than others. The security policy of the company has provided guidelines. The policies have reduced the risks associated with the company through various steps such as system classification, resource prioritization, assigning risk factors, defining unacceptable and acceptable activities, educating workers according to their role in the company, and determining who is responsible for administering the policies (Marchetti, 2012).

Guidelines for Intellectual Policy

Intellectual property is a wide category of law that concerns the rights of owners of intangible products of creativity or invention. MemaTech Company is granted the right to undertake system development and other technological inventions. Sub-branches of intellectual property include copyright, trade sector, and patent. MemaTech is given an exclusive right to invent, which incentivizes the dissemination and creation of important IT inventions. The company got the patent from the Trademark Office and a grant from the US government. MemaTech has been granted the right to create original work, including software code. The law intends to incentivize the dissemination and creation of such work and protects the work whether unpublished or published. The company’s thoughts and ideas have never been expressed or recorded since the copyrighted expressions are tangible.
MemaTech also has trade secrets that enable the company to maintain the confidentiality of economically beneficial information. The company has relied on trade secrets rather than patents. In conjunction with lawyers, the company has crafted non-compete and non-disclosure employment contracts that safeguard the trade secrets and comply with employment law (Ou & Singhal, 2012).

In this case, a strategy of triple-factor authentication will be important. This means having authentication methods in place for users to access the resources. The method mainly comprises an access code and user password, a physical item like a token, and something unique to the user, such as a retinal scan, voice, biometrics, or fingerprints. After the study, the identity manager will have to help in implementing this. Some features of the manager include User Self-Service, Auditing and Reporting, Fine Grained Entitlements Management, Scalability and Integration, Delegation Administration with Centralized Control, and Main Frame and Server Support. These characteristics, together with the choice of hardware and the network strategies, will help in keeping the information and data of the project secure.

Reference

Hiles, A. (2002). Enterprise risk assessment and business impact analysis best practices. Brookfield, Conn.: Rothstein Associates.

Marchetti, A. M. (2012). Enterprise risk management best practices from assessment to ongoing compliance. Hoboken, N.J.: Wiley.

Ou, X., & Singhal, A. (2012). Quantitative security risk assessment of enterprise networks. New York, NY: Springer.