The Analysis of the Information Communication Technology - Assignment Example

IMPACT OF THREATS AND VULNERABILITIES TO INFORMATION TECHNOLOGY SYSTEMS In many countries, information technology is big driver of the economy. Information communication technology gives industry players a competitive edge over their rivals. Through IT, governments, organizations, and businesses can provide better services to the general populace. These advantages facilitate greater productivity for businesses and the nation at large. That said it is vital to recognize that information communication systems are subject to serious vulnerabilities and threats that can have adverse effects on business, government or organizational operations. Some of the many risks that are associated with information technology include, budgetary risk, program management risk, inventory risk, supply chain risk, investment risk, safety risk, legal liability risk, and security risk just to name a few. This paper will do a risk assessment of on a business scenario on citizen wellness proposed to a health care company. The paper will identify three threats and vulnerabilities that affect a citizen wellness program. Further, it will detail these threats and vulnerability extensively and how they apply to the business. Finally, the paper will specify countermeasures that the business can use to negate these threats and vulnerability. Specifically the paper will review the above through the following guidelines: NIST 800-30: Risk Management Guide for Information Technology Systems, NIST 800-53: Recommended Security Controls for Federal Information Systems and Organizations, NIST 800-39: Managing Risk from Information Systems: An Organizational Perspective and NIST 800-64: Security Considerations in the System Development Life Cycle. The background of the business scenario is as follows. A health care company would like to do a review on ACMEs security program, including its procedures, and security policies. The main aim for this review is to make sure that ACME Co. can provide an individualized citizen wellness programs to the health care company’s subscribers and that these customers can be authenticate whenever they desire to access the program. ACME Co. specializes in Web sites hosting both for public and private entities. An Information Technology manager of ACME Co. is assigned to work with the health care companys ISSO the idea being to create a detailed list of business needs for security for the health care company. The Chief Information Officer at ACME Co. also directs the IT manager to evaluate the existing ACME Co. enterprise architecture documents with the aim of identifying any additional security requirements for the health care company CW program, data center and any associated loopholes. The IT manager should also make certain that only authorized personnel at ACME Co. are able to gain access to the hardware or software hosting of the citizen wellness program because other customer applications are also located in the same data center. Based on the figures provided by the ISSO, the health care company, and the review of the ACME enterprise architecture, the IT manager comes up with a detailed list. First, the IT manager identifies all the users of the CW program ensuring their authenticity/validity and further provides an application that verifies users and their level of system access. Next, the IT manager identifies a method of accessing the CW program i.e. through a website browser. Further the IT manager secures the users information by identifying that the data that consist of personally identifiable information should be protected. Other things that the IT manager details in his list include the hiring of a qualified information security officer, installing security cameras at strategic entry points at the data center and lastly securing all traffic originating from the user and the application by providing a subscriber portal that requires user login and a unique password. Based on the above proposal, key loopholes, threats, and vulnerabilities are evident. How these threat and vulnerabilities affect the business and how to countermeasure them is the basis of this paper. Risk assessment in information and communication technology by definition is the progression of identifying, estimating, and prioritizing information technology security risks. To assess risk requires an in depth analysis of threats and vulnerabilities on information so as to determine the degree to which circumstances and events could negatively impact the operation of an organization and how likely such circumstances and/or events could occur. Risk assessment is one of the five core pillars in the risk management and is fundamental in determining threats, loopholes, and vulnerabilities in a business’s IT system. A threat in information technology is any event or circumstance that has the potential to negatively affect the business’s or organization’s operations, assets, individuals, other organizations, or the Nation through unauthorized destruction, access, disclosure, denial or modification of information. Typically, threats originate from threat sources. From this definition, four key threats face the above business scenario. The first one is hostile physical and/or cyber attacks. It is possible to attack the health care system CW program through cyber attacks such as introduction of malware to the system or physically attacking and destroying the data center. The second threat originates from human errors and omissions. It is possible for the information security officers to omit data or key in erroneous information to the system since humans are to error. The third is threat could originate from structural failures of the business information technology resources such as hardware, software and environmental controls whose job is to make sure the system works effectively. The fourth source of threat could originate from natural and/ or man-made disasters and accidents. It is a very hard to negate calamities such as those caused by nature and often the organization’s control over such events is zero. Vulnerability in information and communication technology can be defined as a weakness in system’s security procedures, information systems, internal controls, and implementation that can be exploited by a source of threat. Most system vulnerabilities are associated with either security controls that have not been applied or those that have been applied, but still have inherent weakness. In the business scenario described above, a key vulnerability exists in user login and unique password domain on the user’s portal. Though this may seem secure, adding inscription or a pin functionality could make the system even more secure from threat sources. Risk is typically a function of the likelihood or probability of a threat event manifesting itself and potential negative impact the event or occurrence has on the business or organization. This analogy accommodates many types of negative impacts at all tiers in the event of a risk event ever occurring. The threats identified that could have negative impact on the health care business can be classified as high, medium, or low depending on their impact to the business. Damage to the image or reputation of the health care business and/or financial loss is classified as tier 1. Inability of the business or organization to successfully implement its mandate or a specific mission or process is classified at tier 2. The expending of resources in responding to a threat incident in a business’s information system is considered as tier 3. An attack to the health care system Citizen Welfare program through the introduction of malware to the system could cause either a tier 1, 2 or 3 damage. The impact on the business would be medium. Omission of data or erroneously keying in information to the system by information security officers could have high, medium, or low effect to the business depending on the type of data in question. Structural failures of hardware at ACME could have serious ramification to the health care business. Again, the level of impact could be high, low, or medium depending on the hardware. For example, if the main server were to be physically destroyed, the impact could be high. On the other hand, if a backup power supply were to be destroyed, the impact would be low. Natural calamities often have high impact on a business. If the business were to survive an earthquake, the impact would be classified as high more so if the earthquake were major. A countermeasure that the business could use to negate the impact in the event that a threat events manifest itself are diverse and many. One of the most fundamental ways to deal with risk is to accept it, transfer it, or avoid it. A business may accept risk knowing that it could benefit from it by maybe helping it built stronger defenses and providing a learning experience. Most business would accept a threat event if the impact is low yet the business harnesses a lot of learning experience from the occurrence. The business could also transfer the risk. For example, ACME Co. could by a policy to cover them from natural disasters such as earthquakes. Bibliography Bidgoli, H. (2006). Handbook of Information Security Volume 3. Hoboken: John Wiley & Sons. Blank M.R, Gallagher. P. D, National Institute of Standards and Technology. (2012) Security Considerations in the System Development Life Cycle NIST 800-64 Fahlsing. J, Gulick.J, Kissel. R, Scholl. M, Stine.K, Rossman. H, National Institute of Standards and Technology.(2008) Risk Management Guide for Information Technology Systems NIST 800-64: Kale, K. V., Dr. Babasaheb Ambedkar Marathwada University, Institute of Electrical and Electronics Engineers, ACVIT, & IEEE International Conference on Advances in Computer Vision and Information Technology. (2008). Advances in computer vision and information technology: [IEEE International Conference on Advances in Computer Vision and Information Technology (ACVIT-07), Aurangabad, November 28th - 30th, 2007]. New Delhi [u.a.: I. K. Internat. Publ. House. Locke. G, Gallagher. P. D, National Institute of Standards and Technology. (2011) Managing Risk Information security risk An Organizational Perspective NIST 800-39 National Institute of Standards and Technology. (2012) Security and privacy Controls for Federal Information Systems and Organizations NIST 800-53 Read More