IT Risk Analysis - Case Study Example

IT Risk Analysis (College) 0 Introduction In this context, risk analysis involves the techniques used in the identification and assessment of factors that may jeopardize the success of achieving business goals. Decision makes need to be provided with information to understand the factors through risk assessment. Information systems have been at risk due to malicious actions and inadvertent errors brought about by computer users (Brock, 1999, pp. 4). Threats have been highly contributed to by the fact that computers are highly interconnected these days as well as accessible to large number of individuals. The management of security risks in business organization regarding the information technology sector (IT) has been a continuing challenge. Consequently many organizations are struggling to understand the IT risks involved so as to implement appropriate controls to mitigate the risks. This happens to be the subject matter of our study. Generally, we are going to analyze the IT risks involved in the Wolves Techs Limited Company and conduct an IT risk assessment for the company with detailed report and recommendations. The main business of Wolves Techs Linmited is to process data for retailers, meaning it need IT management and internet connections. 2.0 Wolves Techs Limited Company 2.1 Assets The vital assets in Wolves Techs Limited include employees, machinery and electronic devices as computers, and the building. Based on State of Oklahoma (2003) we can rank also information as an asset, "Information is a critical State asset." The new location of Wolves Techs Limited is a business promising location as it is situated near the road in a major town. Ashish Gupta in RAMCO web-page stipulated that "Employees are Valuable Assets of an Organization and the Key to Success." It therefore lies within the company employer to secure their employees from any forms of threats so that they get to satisfy customers. 2.2 Threat and Risk Identification information Stoneburner et al (2002) defines threat as a potential for a specific threat-source to exercise a particular vulnerability successfully. Based on Stoneburner et al’s argument, we can identify threat and risks in Wolves Techs Limited by considering threat-source, and potential vulnerabilities. Through the process we are going to identify the threat-source that can cause harm to the IT system involved. In this context it is therefore appropriate to consider common threat sources and risks which involve natural, human and environmental threats and risks. Risk vulnerabilities in the company can be identified by weakness in system security procedures, design and implementation. If extreme weakness in security is noticeable then the occurrence of a risk or threat can be identified. 2.3 Risk Threats and Losses 2.3.1 Risks and Threats Cyber-attacks: Wolves Techs Limited is susceptible to cyber-attacks given the nature of the business. Exposure of the companys network system to other internet users in the town increases its chances of attack. Especially other company’s doing similar jobs in the town might want to lock it off the market. Ruining of Reputation: As the business seeks to market its products and services over the internet there are ill-wishers and malicious users of the internet who seek to disadvantage the organization for their own personal gains. In that case, the company is targeted so that its reputation gets ruined for it not to offer any form of dominance in the market. Indubitably, this can be done one-line by hacking into the business system or causing jam on its website through denial of service attack (Schwarbach, 2006, pp. 83). Information Theft: Wolves Techs Limited is likely to suffer a risk of internet theft. Information is a very vital asset in a business institution and losing it might cause great losses to the business regardful of all the business’ factors tied to it. Someone might target the business by releasing malwares and viruses into the target business online market and steal from it (Schwarbach, 2006, pp. 89). The theft can be more than just information. Malware and Virus Threats: Given that Wolves Tech Limited is a young growing company, it might find difficulties in dealing with IT-based security incidences due to lack of expertise who can identify and deal with its security issues (Hutchings, 2012, pp. 2). Hulchings further specifies threats; malware infection, wireless internet misuse and session hijacking, unauthorized access and risks associated with cloud computing, online fraud, compromised websites, denial of service attacks (DoS) which is at times distributed (DDos), and phishing. Both the business as a general and its employees are likely to fall victims of these threats. 2.3.2 Losses Threats as such will most likely bring grave losses to the business. These losses include financial fraud, sabotage of data of networks, loss of information, and damage of information or even system software due to virus attacks (Grant, 2011, pp. 167). With all these damage, the business will be obliged to increase security cost, recover from cyber-attacks, and also start building on the ruined reputation all these would mean incurrence of extra expenses and therefore loss (McAfee, 2013, pp. 3-13). During incidents as such, employee information might also be ruined. 3.0 Business IT Security Requirements Given that Wolves Techs Limited is is an average and currently growing company, there is no need for heavy investments on IT Security. A central management controlling all the connectivity within the floors ought to be established and assigned to a single IT expert. There is cost in obtaining information and value in using it, this makes information security policy one very important policy. While shared information is a very powerful tool, losing or misusing it can be very costly (State of Oklahoma, 2003, pp. 6). Therefore, this security policy is a necessary requirement for the protection of information within the firm (State of Oklahoma, 2003, pp. 6). Other essential policies needed by the organization include; the antivirus policy, electronic messaging policy, password, remote access policy, asset management policy, IT user account policy, application control policy, monitoring and logging policy and access control policy. Each and every policy is intended to act as a business IT requirement so that all sectors in the organization are secured (LSE, 2014). For instance with the antivirus and password policies, no entry access should be granted into the system or internet without both antivirus and password. Furthermore, the monitoring login policy enables the system administrator to provide authentication to users. There are also various procedures that should be considered regarding this matter at hand. Such procedures as stipulated by LSE (2014) include; Log duration, Non-standard user account expires, handling copyright infringement notification, and virus outbreak on campus public area workstations. There is a direct relationship between the policies and procedures involved in IT risk analysis. For instance, the monitoring and logging IT systems is mandated and explained by the monitoring and logging policy. We can also take a brief look at the non-standard user account expires procedure. This procedure is about the maximum duration that the non-standard user accounts remain existent and the point of extensions needed to be requested. 4.0 Risks Involved As stipulated earlier by Brock (1999) Wolves Techs Limited may suffer information security risk. Other risks that must be taken into account are the data security risks, malware infections, information distortions among others as discussed earlier. 4.1 Probability of Risk Occurrence Sometimes risks can be influenced by factors outside the business project of an organization. This involves the decisions of stakeholders and competitors (Hillson & Hulett, 2004, pp. 1). Supposing similar investors around the company are so many with far much bigger investments then the probability the Wolves Techs Limited business expansion risk to occur will be very high. This is due to market competition. Attention has to be paid to the manner in which probability and impact are assessed so that assessment of risk can be considered meaningful. The probability of a risk as hacking and stealing of information to occur in the business will be defined by Wolves Techs Limiteds security firewalls. Supposing the firewalls can be easily compromised then the probability of risk occurrence stands at more than 50%. 4.2 Impact of Risk on Wolves Techs Limited Risks cause instability and unrest in an organization. Supposing there was a high probability of Wolves Techs Limited to lose more finance than it can recover from shortly, and then there would have been no likelihood of the company shifting to its new location. This could have been as a result of fear of risk impact. Therefore, to a great, extent risks have got negative impacts on the economic growth of an organization if not impeccably evaluated. 5.0 Wolves Techs Limited Analysis 5.1 Risk Analysis Methods The organization must determine an appropriate method in which to analyze the risks involved. The chosen method could be qualitative, quantitative or even semi-quantitative. Before the analysis of any risk kicks off the risk must first be identified (North, 1995, pp. 914). Quantitative methods risk analysis is most often used for purposes of decision making in business projects. In this case entrepreneur basement for decision making is built on their judgment and experience. The method can be used when risk level is low. When it comes to quantitative methods, we are enabled to assign values of occurrence to the various identified risks. In simple terms we could say quantitative methods are used to calculate project level risks. Yazar (2002) reveals a qualitative risk analysis and management tool known as the CRAMM (CCTA Risk Analysis and Management Method). This tool is developed by the UK governments Central Computer and Telecommunications Agency and is meant for provision of information systems security reviews. A tool as such is quite essential in the analysis of IT risks in the business organization. Other security tools include RiskPAC, Proteus, CORAS and OCTAVE. The variation of these tools range from their level of automation or intelligence to the amount of technical information they gather hence making the analytical process a success. 5.2 Risk Analysis Matrix The derivation of risk determination can be done by multiplication of threat rating such as probability and the impact of the threat (Stoneburner et al 2002). Table 1 below shows how the risk ratings of Wolves Techs Limited Company might be determined. This is solely based on threat likelihood impact and threat impact categories. The presented matrix is a 3x3 matrix of threat likelihood and threat impacts both having high, medium and low levels. This is a representation of the derivation of levels. For instance in, this case, the probability assigned to particular threat likelihood is 10 for High, 5 for Medium and 1 for Low. On the other hand, the assigned value for each specific level of impact is 100 for High, 50 for Medium and 10 for Low. Threat Likelihood Impact Impact Impact High (10) Low 10x10=100 Medium 50x10=500 High 100x10=1000 Medium (5) Low 10x5=50 Medium 50x5=250 Medium 100x5=500 Low (1) Low 10x1=10 Low 50x1=50 Low 100x1=100 Risk scale: High (>500-1000); Medium (>100-500); Low (>10-100) Table 1. Risk Analysis Matrix 5.3 Risk Level and Threats Table 2 below provides the probable levels of risks and threats of Wolves Techs Limited Company with respect to the above matrix. The risk scale represents the level of risk to which and IT system might be exposed under a given vulnerability exercise. Description and Actions High Should an observation of findings be evaluated as high risk or threat then corrective measures are necessary. The company can stick to the existent system for a very short period then put a corrective action plan in place as soon as possible. Medium Should an observation be rated as medium risk or threat, necessity for corrective actions still applies though not as soon as when high. The actions must be incorporated within a reasonable time period. Low Should an observation be rated as a low risk observation, the company can decide whether to apply the necessary actions or just accept the risk. The lowness depends on risk or threat intensity as well as the likely resultant impact. Table 2. Risk Level and Threats 5.4 SWOT Analysis “A SWOT analysis is a tool that helps you evaluate the Strengths, Weaknesses, Opportunities and Threats (SWOT) involved in any business enterprise…” (U.S. Department of Agriculture, Risk Management Agency 2008). Given that Wolves Techs Limited is an IT based company, its weakness mostly lies within cyber-attacks. The business therefore needs to implement reliable IT protection measures so as to stabilize its strength. Such measures include installation of firewall and use of virtual private network (VPN Tunneling). This will limit threats of attack since with VPN Tunneling information is able to floor under a hidden channel where it is only visible to the sender and receiver. The company deserves central management so as to exclude itself from bias and indecisiveness on how to handle IT risks. 6.0 Counter-measures for Identified Risks Risks such as vulnerability to cyber-attacks can be avoided through implementation of VPN Tunneling and installation of antiviruses and antimalware in the company’s PCs. VPN tunneling as discussed earlier locks off snoopers. For Wolves Techs Limited to prevent its reputation from being ruined by competing companies it has to be cautious of the information it lets out. Maximum data security of needed so that sensitive information is not let to ill-wishers. Furthermore, information theft is able to bring down the company financially. More succinct ways the company can avoid information theft include; setting up of strong passwords, paying attention to billing its billing cycle, and keeping of clear business records. Since some attackers in the field of IT may use malwares and viruses to harm the company, it is very important to establish firewalls, preferably physical ones, within the company’s network system. Software updates and antivirus updates are is also advisable as one of the ways of overcoming IT risks. 7.0 Control Recommendations and Conclusion Wolves Techs Limited control measures should strictly be those that mitigate or eliminate identified risks. Recommended control should have a goal of reducing risk level to an IT based system as well as data to an acceptable level (Stoneburner et al 2002). The following factors should be considered in control recommendations so as to minimize the identified risks: Effectiveness of recommended options such as system compatibility, Legislation and regulation, Operational impact, Safety and reliability, Organizational policy (Stoneburner et al 2002). One very important question to be addressed by Wolves Techs Limited is the amount of acceptable risk. As much as investments require risks at the start several suitability factors must be put into place while weighing of a project success or failure is determined. Basic precautions that the business can take to protect itself against loss of reputation, time, money and information include technical countermeasures such as security patches and antivirus tools, organizational policies aimed at the improvisation security culture within the firm (Hutchings, 2012, pp. 4). It is important to acknowledge that the harm caused by computer security issues can at times extend beyond business damage. For instance the rise of botnets and identity crimes have compromised websites as well as resulted to identity theft. Finally, Wolves Techs Limited has to train its staff members regarding the subject matter. 6.0 Reference List Brock, J.L, 1999, Information Security Risk Assessment. United States Accounting and Information Management Division. GAO/AIMD-00-33, PP. 1-48. Retrieved from http://www.gao.gov Gupta, A. Employees are Valuable Assets of an Organization and the Key to Success. Product & Services- Ramco GRP Suite. Retrieved from http://www.ramco.com/blog/employees-key-for-successful-organization Hutchings, A, 2012, Computer Security Threats Faced by Small Businesess in Australia. Trends and Issues in Crime and Crime Justice. NO. 433, PP. 1-5. Schwabach, A, 2006, Internet and the Law: Technology, Society and Compromises. ABC-CLIO, Carlifornia-USA. Grant, K, 2011, EJISE Volume 14 Issue 2. Academic Conference Limited. UK , pp. 167-178 McAfree, 2013 July, The Economic Impact of Cybercrime and Cyber Espionage. Centre of Strategic and International Studies. pp. 3-19 North, D,W, 1995, Limitations, Definitions, Principles, and Methods of Risk Analysis. . 14(4). 913-923, Retrieved from http:/www.oie.int/eng/publicant/A_RT14.htm Yazor, Z, 2002, A qualitative Risk Analysis and Management Tool-CRAMM. SANA Institute InfoSec Reading Room. State of Olkahoma, 2003 September, Information Security Policy, Procedure, and Guidlines. Version 1.5, Revised July 2011, pp.1-84 LSE Staff and Students, 2014, Information Security Policies, Procedures and Guidlines. Page updated 16 December 2014. Retrieved from http://www.lse.ac.uk/Intranet/LSE-services Hillson, D & Hulett, D, 2004, Assessing Risk Probability: Alternative Approaches. PMI Global Conference Proceedings-Progress Czech Republic. pp. 1-7 Stoneburner, G, Goguen, A, Ferings, A. 2002, Risk Management Guide for Information Technology Systems, Recommendations of National Institute of Standards and Technology. Special Publication 800-30, pp. 1-41 U.S. Department of Agriculture, Risk Management Agency, 2008, SWOT Analysis: A Tool for Making Better Business Decisions (Google eBook), Web Source, 8 pages. Read More