Information System Risk Management - Report Example

Information System Risk Management Everything in this universe ranging from small entities to large ones, is vulnerable to mishaps and unforeseen situations, and therefore, needs arrangements of their kind to avoid any losses and damages in turbulent situations .The damages could be in various forms and can have grave impact on the entire idea and project. Information system is not an exception to this rule and requires preemptive measures in order to ensure smooth working and avoid any damages. A separate discipline exists in this regard that provides specialization for emergency situations. The field can be termed as emergency management discipline or risk management discipline, and it can be defined as field that looks into those sectors of an entity that are vulnerable to external factors and can have negative impact on the organization, life of project or individuals. Risk management has prevailed over last few decades as an essential component of any organization and task, and awareness has been created in this regard and its need has been realized. A common saying goes about management of unforeseen situation and that is “a stitch in time saves nine” (McDaniels & Small, 2004). This phrase applies aptly to the field of risk management and little effort done in time can save large effort needed on rescue and survival later. Information system is a setup consisting of various components which make up an information system, the components of which include hardware, software, and group of personnel specialized in the field of information and technology facilitating the basic components of a management project that are namely planning, controlling, leading, staffing (Stair, Reynolds, 2009).The hardwares can be in form of switches, routers, computers and other connecting devices. Softwares can be of data bases, the manual function softwares , simulation softwares. Information security is a related term which is associated with the proper working of an organization or project by mitigating all the challenges and threats faced by it in form of risk management. It is the effort of ensuring that no malware or malicious act hampers the project mission and work (Rainer & Cegielski, 2009). Need for risk management in the field of information systems: Information system constitutes a large enterprise, and has many things at stake in it. The system encompasses not only the individuals and the company itself but also many other firms with it, therefore small negligence can have serious consequences on the entire scenario. For this reason management and risk evaluation are very important. Risk management allows the top management assessing the economic costs and evaluating the entire needs of project. The first step towards risk management is the understanding of threat. A common management statement tells us that the first step to solving the problem is defining and indentifying the problem. The same goes for risk management in the field of information system, the aim should be to identify the problem, This will be followed by the management and action policy, the final part constitutes the practical action. Risk element identification: The most important part of any effort is identifying its applications and the need. In case of information system assessment allows identification of those components and entities that can be a weak link in the entire product and family. This step requires establishment of proper team which acts to the need and identifies and then eliminates all those factors which could create any disturbance in the performance of the system. Based on the studies and analysis, proper recommendations are provided and actions are taken. The risk identification team plays an important role in the entire scenario and provides foundation for secure working in future. Any lapses at this stage or by the assigned team for this task can have serious impact on the further proceedings and can result in loopholes in the system and hence risk to the entire setup. Risk in terms of Information system: Just like any other field, information system field is equally prone to risks and emergency situations. Information system often gets confronted with a number of unforeseen situations. Mitigating the risk requires applying the right kind of strategy and right choice of tool and technique. These include system failure in form of the components going down, the components maybe the hardware or software, other risks might include security breach, important personnel loss due to various reasons, stoppage of funds, contract disputes, and other natural hurdles. Threats from human side are important part of it, and they can be either intentional or unintentional. In unintentional risks from human end, it could be the loss of data, error in reporting, inability at a point, or any other reason that is not being done deliberately. Risk can be in form of break in link, since most of the activities are performed through internet connections and servers. Any drop down in the network or any hardware failure can result in the entire system going down, hence this also serves as a threat in this regard (Wu, 2010). Components of risk: Risk can have different faces, it can be either a threat itself, or a source of threat, depending on the scale of threat and danger, and it can have different repercussions on the information system in place. Some risks might be of large scale that can damage the entire structure of organization and system, while others might only damage a section or cause a hurdle at particular point. Though small or large, all must be dealt with equal care and importance since it stops the way of progress. Likelihood relationship concept: Confidentiality Integrity Availability Low Limited impact on organization Limited impact Limited impact Moderate Relatively serious impact Relatively serious impact Relatively serious impact High Grave consequences Grave consequences Grave consequences The likelihood relationship provides the probability in terms of high, low and moderate scales. Internal risks: the internal risks can come from the hardware, the personnel involved, the software implemented the assets stability factor, data loss from internal sources and employees also serve as an internal risk. External Risks: external risks can include the malware attacks on the system and software. In modern times viruses on internal scale and Trojans and other malicious softwares play part as an external threat, and their elimination is vital. The smooth running of corporation with external organizations also serves as an external threat. Similarly, the natural disasters, which are not in the human control, fall in this category and can have negative impact on the system, the stability of government and the situation (Kouns & Minoli, 2011). Identifying vulnerabilities: Various vulnerability measurement schemes and analysis can be applied in this regard. The vulnerability criterion dealing section contains various tools and techniques and tests for evaluating the risk to the organization. This in brief includes the following: Vulnerability scanners: various softwares can be installed for this purpose that serve the purpose of screening out the data and material which can cause any damage to the enterprise Penetration testing: this is a pilot test of the security layer, and the activities performed in this stage mostly include the monitoring of the operational tasks. Operational Audit: this kind of testing looks into the practical implementation and the documented rules that are available and stated as the standard operating procedures. All these activities help identifying vulnerabilities and enable the responsible ones to address all those areas which can cause any problem (Antón, 2003). Risk management handlers: the risk management task is part of the organization and requires input from the entire unit. Each member of the team has the responsibility of ensuring risk free work and identifying all those areas that can create any problem, and should further proceed by informing the concerned authorities. Threat vulnerability (T-V) relationship: A concept exists in the risk management field that co-relates the threat and vulnerability. It is the cause and effect case where there is an action to planning phenomena amongst these two which are quite vital for each other and mitigating the risks faced by information system (Park, Zhan, & Lee, 2009). Qualitative vs. Quantitative assessment: The qualitative assessment tool helps in prioritization and allows targeting of those areas that are relatively more prone to threats and require efforts on urgent scale. The quantitative assessment, on other hand, provides the degree of measure of the threat faced by the system in a certain proportionate value. It provides a fixed numerical value. For any information related organization, to ensure success and smooth sailing, risk management should be made part of their agenda and project policies. Proper guidance and trainings should be provided in this regard in order to create awareness about this field and its importance. Over last few years this field has been encouraged in many multinational platforms. However, the need is to implement risk management schemes at grass root level in order to bring about relevant stability in the working and improve the working of organizations and ultimately win back the trust of customers. Backup: backup of the data and other valuables is always an option in mitigating the risk, since the information system bulk of the activities is associated with online handling. Hardware or software failure can always occur. For this purpose a multi tier structure must be developed where backups are available and even if a single element goes down, the back up in next tier should be available for ensuring the continued transmission. Bibliography: McDaniels, T., & Small, M. J. (2004). Risk Analysis and Society: An Interdisciplinary Characterization of the Field. UK: Cambridge University Press. p.188 Stair, R. M., Reynolds, G., & Reynolds, G. W. (2009). Principles of Information Systems. US: Cengage Learning Rainer, R. K., & Cegielski, C. G. (2009). Introduction to Information Systems: Enabling and Transforming Business. US: John Wiley and Sons Wu, D. D. (2010). Modeling Risk Management in Sustainable Construction. US: Springer Kouns, J., & Minoli, D. (2011). Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. US: John Wiley & Sons. Antón, P. S. (2003). Finding and fixing vulnerabilities in information systems: the vulnerability assessment & mitigation methodology. US: Rand Corporation. Park, J. H., Zhan, J., & Lee, C. (2009). Advances in Information Security and Its Application: Third International Conference, ISA 2009. Seoul: Springer. p. 126 Read More