StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Information Systems Risk and Security - Pax Nane Company - Case Study Example

Cite this document
Summary
The paper "Information Systems Risk and Security - Pax Nane Company" is an outstanding example of an information technology case study. This report is a follow-up to the risk assessment report for Pax Nane Company, which outlined the anticipated risks in the organization. Consequently, the report identifies the possible strategies that can be used to address the risks inherent in the organization and its effectiveness…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER95.1% of users find it useful

Extract of sample "Information Systems Risk and Security - Pax Nane Company"

Information Systems Risk and Security. Name Number Course Code Lecturer Date Executive summary This report is a follow-up to the risk assessment report for Pax Nane Company, which outlined the anticipated risks in the organization. Consequently, the report identifies the possible strategies that can be used to address the risks inherent in the organization and their effectiveness. Risk mitigation for the identified risks at Pax Naney is achieved by implementing several controls that are aimed at different levels of risks as outlined in the report. Conventionally, all risk mitigation strategies are aimed at risk reduction, emergency planning and implementation. Therefore, this risk mitigation report identifies mitigation strategies and controls that are based on the standardised frameworks aimed at reducing the impact of accepted risks and implementing controls for the identified physical, logical and operational security threats in the organization. Based on the risk assessment of the company, the report is built on the NIST SP 800-30 information security management framework. Table of Contents Executive summary 2 1.0 Introduction. 4 1.2 Scope 4 2.0 Risk Mitigation. 5 2.1.1Business strategy. 6 2.1.2Technology options and strategy. 6 2.2.1 Prioritization of Actions. 7 2.2.2 Evaluation of Proposed Control Options. 7 3.0 Cost Benefits Analysis. 10 4.0 Select Controls 12 5.0 Responsibilities 14 1.0 Introduction. 1.1 Purpose The purpose for this report is to provide a mitigation strategy which provides proactive solutions to the risks identified in the risk assessment stage of the risk management process. The risks identified for the Pax Nane Company are crucial items that could result in detrimental impacts to the company if not adequately addressed. Consequently, this report will act as a guideline and a reference manual to the senior management as well as the technical IT staff with regard to addressing security risks in the organization. 1.2 Scope This report is aimed at performing a risk mitigation plan and cost- benefits analysis for the possible risks in Pax Nane Pty Ltd. The scope of this report is to: Identify and prioritise actions; Formulate and implement a risk mitigation plan Provide possible responses to critical risks in Pax Nane. Define responsibilities for implementing the identified controls. The risk mitigation strategy will, therefore, be based on the risk assessment report and the frameworks stipulated in the NIST SP 800-30 information security framework. 2.0 Risk Mitigation. 2.1 Risk Mitigation strategy According to Merkow & Breithaupt (2014), risk mitigation is the systematic process of identifying the possible ways of reducing risks and minimizing the impacts of identified risks. There are many options that can be used to achieve risk mitigation in the company as stipulated by the NIST SP 800 30 frameworks (Stoneburner & Feringa, 2002). Risk Assumption/ acceptance: The Pax Nane Ltd. can choose to accept the potential risk and allow operations to continue in the organization. Then strive to implement the necessary controls to reduce risks to an acceptable level. Risk Avoidance: This option involves avoidance of the risk by eliminating the cause of the risk by foregoing activities that might result in the exposure to the risk in the organization. Risk Planning: It includes identification and development of a plan to mitigate risks that prioritizes controls and subsequently implements and maintains the controls. Risk limitation: adverse impacts of a risk can be limited by implementing controls aimed at minimizing the adverse impacts of the threats. The mentioned vulnerabilities at Pax Nane Pty Ltd. in the Risk assessment report can be addressed by using preventive or detective controls. Risk transference: in situations where the risk is too severe and unmanageable, it is advisable to transfer the risk to avoid the damage that is associated with it. Physical threats like fires, floods that are unexpected and which the damage cannot be known beforehand can be managed through other options such as insurance. The choice of a particular option is determined by the level of the risk identified. Low Level Risks- acceptance or Assumption of risk. Medium Level Risks – use identified controls to mitigate the risks. High Level Risks – this kind of risk is detrimental and should be accorded high priority status. Therefore, it would require avoidance, limitation and transference options. To effectively achieve risk mitigation, Pax Nane Pty Ltd must use both business and technology options strategy. 2.1.1 Business strategy. The business strategy involves setting policies and procedures, designing an information security plan and centralization control of policies. It also involves documentation of strategies, identifying all barriers and looking for future competitor advantages and applying design principles. Finally, the strategy must consider the cost of the economic scale and economic substitution and assigning responsibilities (Verner et al., 2014). Pax Nane Ltd has for a long time overlooked the importance of information technology and the associated risks. They have overlooked the importance of factoring in the purpose of information technology in their strategic business plans. 2.1.2 Technology options and strategy. The first approach in this strategy is to establish an IT / information security director in the company who will also act as a representative of IT department in the board. As mentioned in the risk assessment report, Pax Nane Ltd has no personnel in charge of Information technology in the company. They have no representation in the board and worst of all information security issues are not considered an aspect to be discussed at the board of directors’ level. Therefore, the director will play a major role in articulating information system security issues to the senior management and board members of Pax Nane Ltd . The strategy also involves limiting the use of cloud for data storage, and if there is a need for this, then the company should develop their cloud storage. This will limit the risk of unauthorised access and loss of information (Zhang & Zhang, 2010). Information system security can further be reinforced by providing a strong network to the company. This can be done using antivirus, employing central login, using administrative controls and other network security techniques such as firewalls to safeguard the organization (Yeo et al., 2014). Other strategies include safe storage of backed up data. 2.2 Implementation of Security Controls. 2.2.1 Prioritization of Actions. This step is informed by the possible risks and threats that have been identified during risk identification and assessment (Grace & Myers, 2003). In the case of Pax Nane Pty Ltd, there are three levels of risks; High, medium and Low. Each of the levels will have different actions to mitigate them. Notably, the actions are prioritised based on the level of risk as identified in the assessment report. High risks such as fires and floods that may result in extreme impacts to the company such as loss of data and information, company assets among others, need priority actions that include; insurance policies, business continuity plans and recovery plans. Others include access restrictions, offsite back-ups and corporate policies. The table below shows prioritization of actions based on the risks identified in the organization; Risk Item Action Priority Virus Infection Secure system using antivirus High External theft of data Install firewalls High Unauthorized Access Enforce Access authorization and controls High Sabotage Enforce Access Authorization controls Medium Espionage Enforce Access Authorization controls Medium System Hacking Enforce Access Authorization controls, Use firewalls Medium Non- compliance with regulations Task legal team Low Natural Disasters Insurance policy, system back up Low 2.2.2 Evaluation of Proposed Control Options. The proposed strategies must be evaluated to determine their effectiveness and suitability in solving or minimizing the identified risk. The table below shows the identified risks and the proposed control strategy and an explanation of how the strategy is effective. Risk Mitigation Strategy Unauthorized access Establish a centralised authorization control centre in the IT department where employees are assigned Login credentials and passwords. Pax Nane has a central data centre that could easily be compromised hence requiring the use of the RSA security tokens for remote logins to enhance security. The company should also install firewalls to prevent backdoor entrances into the company information systems and the central data system. Pax Nane should establish the position of director of ICT. The IT director will define different levels of Access to different users depending on their roles in the company. Set policies regarding sensitive data and information. Pax Nane Pty Ltd is currently facing an imminent problem of unauthorised access due to its poor security of the VPN. Therefore, it is important that the company firewall is reinforced to minimize unauthorised access. Financial transaction access. Pax Nane Ltd should establish a secure connection to the servers using the https protocol and SSA authentication. Given the flaws in its VPN, financial transactions should be done through trusted and recognised financial service providers such as Paypal. Lost backup Lost backup can be experienced given the establishment of Pax’s data centre. Hence, it is advisable to maintain a strong back up in separate places that ensure availability of back up data and information. External data theft External theft such as the one experienced currently in the company is due to the presence of flaws in the network. It is important to install firewalls to prevent unauthorized digital access from remote places. Pax Nane should also enhance physical security to its buildings and office premises to prevent unauthorised access to the company premises. The company can use biometric recognition systems and check points during entry and exit of the building. It is also advisable to employ encryption techniques to prevent unauthorised access. Virus infection Pax Nane Ltd should install efficient and effective antivirus software to detect and remove viruses from the systems. Additionally, they should use firewalls to prevent remote virus infection. They should also establish policies regarding the use of external storage devices as well as BYOD. Incorrect data The company should use automated validation techniques in all its branches to ensure the correctness of data entered into the system. They must also formulate policies for data entry and access to enhance accuracy. System hacked Maintain multiple backups of the system to ensure availability of the system restore. Use encryption techniques to minimize chances of system hacking. Establish a logging system that will record all users of the system including the location and IP addresses. Finally, create internal policies that will provide guidance on the actions to be taken by employees, IT staff and the management in case of exposure to system hack. Web provider closes Have backup of site stored with backup provider and at another company-controlled location. Use established organisation with positive record and future. Internal data theft Keep records of all log activities of all employees in the system. Establish policies regarding company property and include terms of use and responsibilities of each employee particularly those interacting with data stored at the data centre. Keep track of employee access and terminate access credentials once employee is terminated. The policy should also have reference for penalties in case one commits a crime of theft in the company. Non-compliance with regulations Establish a forum where the IT department and the legal team of Pax Nane Ltd, can work together to determine all the legal requirements and ensure they are all met. Pax Nane Ltd should meet all the legal requirements and always rectify any issues as they arise. System breaks down Pax Nane Ltd should have a system backup onsite as well as offsite to ensure continuity of business activities in case of system break-down. Additionally, the IT department at Pax Nane should have a policy detailing what all employees and the management should do in the event of a system failure to minimize disruption of business activities. Incorrect use of System Pax Nane Ltd. Should maintain system back-ups (primary and secondary) and also automate validation techniques, software design methods that will limit potential for incorrect use system and encourage correct use of System. Additionally, the company should establish policies for employees and external contractors that abuse the system including penalties. Natural disaster It is difficult to secure all assets from natural disasters; however Pax Nane ltd should place sensitive information data and assets in secure location and maintain documentation. The company should also insure the most expensive and vital resources and assets in case there is a natural disaster. Third party integration The company should minimize third party integration and maintain strict policies to be used in the event of the possibility of third party integration. Going to cloud Cloud service is risky to Pax Nane Ltd in many ways. To prevent risk from cloud sit polices such as using cloud in non-important information. Otherwise create own cloud between the various branches and locations of Pax Nane Ltd. Social Media Pax Nane should provide facilities and devices to employees to prevent them bringing any personal device with them. Restrict employees using BYOD in the organization and sit as policy and procedure should there be a need for BYOD. Using Non- standard devices The company should always use standardized devices and hardware particularly network devices. Some of the standardised devices include Cisco routers among others. 3.0 Cost Benefits Analysis. Creation of Information and Communications Directors role: The creation of the position of the Information Systems director is the first step towards enhancement of system security in the company. The role of the Director will be mainly to oversee the management of information systems and security in the company. He will also be a member of the board representing the Information technology and information system requirements to the senior management of the company. Currently, Pax Nane Ltd doesn’t have an ICT manager to carry out these roles. The management and board has for a long time considered IT matters lightly. The role will oversee the management of IS security throughout the organisation. The ICT manager role will work closely with CEO, IT systems management and contracted organisations. The benefits of this role are to realise IS security initiatives and to enforce the continuation of the standards. The estimation of costs to be incurred by the company is approximately $150,000. Software security enhancement: Secondly, Pax Nane Ltd. must carry out software security enhancement. The modifications of the system security that include installation of firewalls, and antivirus software can be done in-house or outsourced. When these changes are implemented, the Pax Nane will realise improved data security and privacy. The cost is approximately $4000 for the following activities: Secure logins and password security encryption. Recording of system logging and activities of users in the system. Create different access levels to different employees. Encryption of vital and confidential documents. Restricted activities for different data to prevent unauthorised use of data. Network Security: Internal network and data security is enhanced by enforcing network security. With the current problem faced by Pax Nane Ltd, there is a need for network security to ensure secure transactions within and outside the company’s VPN. This will be achieved by: Installing stronger and more efficient firewalls. Establish secure connections to the servers in the company. It is also important to establish a secure financial transaction channels that limit third party access. The cost for carrying out these activities will vary depending on the security agents employed. The cost is approximately $1000. Information System Security Policy: Another important change that needs to be effected is the information system security policy for the organization. This change is beneficial to Pax Nane since it sets in place a policy that will ensure the company moves forward in information system security. This is approximated at $5000. Data Backup testing and Audit: We will also need to carry out data backup testing and audit to ensure that the backup integrity meets the expectations. Alternative actions should immediately be taken should the backup have any glitches. The cost for this activity is estimated at $150 per month. Hardware and physical security:Security to the system hardware and other physical resources of Pax Nane Ltd can be achieved through physical data security. The cost to be incurred is approximated at an initial cost of $2,000 and additional costs for physical security upgrade procedures. Security software: Security software is also needed to secure the company’s network from external attacks such as the one it's currently facing. Additionally, it also prevents the company’s system from infection. The cost is estimated at $2,500 per year. Data Auditing software: The company must also purchase a data auditing software to detect incorrect data entered either internally or from external sources. It is also used to detect unusual changes to data. The cost is approximately $3000 per year. Staff compliance with IS security: New staff and contracted business should be aware of the Pax Nane IS policy, therefore, the company must ensure they are compliant with the IS security policy of the company. The cost for this activity is estimated at $2000. Secondary System: Finally, Pax Nane Ltd. must set up a secondary system in case of failure of the primary system. It is beneficial to the company since it ensures continuity of business activities should there be any failure in the primary system. The cost is estimated at $5,000 per year. The total cost of implementing the Information security initiative and risk mitigation in the company is summarised in the table below: Security Control Initial Cost ($) Continuous Cost ($) IS security compliance 2, 000 - Information System Director - 150,000 Secondary system - 5,000 Security software/ service - 2,000 Data auditing Software - 3,000 Physical security 2,000 - Data backup and testing - 1,800 Network security 1,000 - Software security 4,000 - TOTAL 9,000 161,800 (p.a) 4.0 Select Controls As identified in the risk assessment report, there are three categories of risks or threats to information security in the company: Physicals security threats Logical security threats and Operational security threats. Therefore, the controls selected will address the three categories of security threats as shown below: 4.1 Technical security controls. These controls are implemented to prevent the company’s infrastructure against the possible IT security threats. These threats are mainly categorised as high priority threats. The chosen technical security controls should correspond to the defence-in-depth model. This model proposes a set of measures that are mixed to ensure maximum security. The model has several layers the ensure security of all aspects of the organisation’s information system security (Agrawal & Pierce, 2014). It ensures security of data by restricting and managing access to the sensitive organizational data. It is also concerned with data back up by providing secondary data backups. They also implement intrusion detection mechanisms. The model is also concerned with risks that could affect running applications in the system. They maintain defences such as periodic updates to applications and implementation of virus detection mechanisms. Securing operating system of the host computers against malware. Protects internal networks from external communications by limiting unauthorized access to data in the network. Enforces firewall networks that limit perimeter access to data in the network. Enhances physical security of devices and risks that are associated. The risks include the malware transmitted by USB devices. It includes the use of physical security such as doors, locks, surveillance cameras and check- points in the company premises. 4.2 Management security controls. Management security control involves the use of policies, procedures and regulations to manage and control the risks identified risks. The risk mitigation, therefore, involve establishment of policies regarding the carrying out of activities in the company. Most importantly, it involves the training and awareness of the employees on the importance of the security policies and why they should adhere to them (Ekelhart & Neubauer, 2009). 4.3 Operational security controls. The ICT director will ensure all the proposed security measures are implemented in the company. Additionally, they will ensure maintenance, monitoring and evaluation of the proposed mitigation strategies in the company. The operational security controls are preventative such as: Limit data distribution Control access to data and other resources. Control viruses. Fire damage protection. Workstation security Backup capabilities and security of IT environment. 5.0 Responsibilities Risk Responsibility Unauthorized access ICT director. Systems Administrator. ICT management team Financial transaction access. ICT director System administrator Lost backup ICT director System administrator IT technical staff External data theft ICT director System administrator IT technical staff Virus infection System Administrator IT technical staff. Incorrect data ICT director System administrator System hacked System administrator. IT technical staff. Web provider closes ICT director System administrator It technical Staff Internal data theft ICT director System administrator Non-compliance with regulations ICT director System Administrator Legal department System breaks down System Administrator It technical Staff ICT director Incorrect use of System ICT director Departmental Heads System Administrator IT technical staff. Natural disaster ICT director. System administrator Senior Management staff Third party integration ICT director Senior Management System administrator Going to cloud ICT director System administrator Social Media ICT director Systems administrator IT technical staff. Using Non- standard devices ICT director Procurement officers System administrator IT technical staff. Reference. Agrawal, M., Campoe, A., & Pierce, E. (2014). Information Security and IT Risk Management. Wiley Global Education. Alberts, C. J., & Dorofee, A. (2002). Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.. Ekelhart, A., Fenz, S., & Neubauer, T. (2009, January). AURUM: A framework for information security risk management. In System Sciences, 2009. HICSS'09. 42nd Hawaii International Conference on (pp. 1-10). IEEE. Grance, T., Stevens, M., & Myers, M. (2003). Guide to selecting information technology security products. Network Security. Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Pearson Education. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. Nist special publication, 800(30), 800-30. Verner, J. M., Brereton, O. P., Kitchenham, B. A., Turner, M., & Niazi, M. (2014). Risks and risk mitigation in global software development: A tertiary study. Information and Software Technology, 56(1), 54-78 Yeo, M. L., Rolland, E., Ulmer, J. R., & Patterson, R. A. (2014). Risk mitigation decisions for IT security. ACM Transactions on Management Information Systems (TMIS), 5(1), 5. Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE. Read More
Tags
Cite this document
  • APA
  • MLA
  • CHICAGO
(Information Systems Risk and Security - Pax Nane Company Case Study Example | Topics and Well Written Essays - 3250 words, n.d.)
Information Systems Risk and Security - Pax Nane Company Case Study Example | Topics and Well Written Essays - 3250 words. https://studentshare.org/information-technology/2083150-information-systems-risk-and-security-2
(Information Systems Risk and Security - Pax Nane Company Case Study Example | Topics and Well Written Essays - 3250 Words)
Information Systems Risk and Security - Pax Nane Company Case Study Example | Topics and Well Written Essays - 3250 Words. https://studentshare.org/information-technology/2083150-information-systems-risk-and-security-2.
“Information Systems Risk and Security - Pax Nane Company Case Study Example | Topics and Well Written Essays - 3250 Words”. https://studentshare.org/information-technology/2083150-information-systems-risk-and-security-2.
  • Cited: 0 times

CHECK THESE SAMPLES OF Information Systems Risk and Security - Pax Nane Company

Asset Assesment and E-Commerce

The focus of this paper is to the manifest changes in information technology standards, processes, and practices in safeguarding the company assets of NIRA Ltd.... Employees shall not expect privacy of using company-owned technology resources.... The paper also investigates all information system, software applications, hardware, servers, networks controlled by NIRA Ltd....
13 Pages (3250 words) Essay

What is security Why network security is important

Moreover, there is no room for risk and threats in a computing network where thousands of online transactions are in process.... The volatile expansion of computer systems and the interconnectivity of these devices via a network have significantly amplified the dependence of organizations on the information systems.... Moreover, due to vast dependency of organization on information systems, security and protection of these systems has become a mandatory factor....
9 Pages (2250 words) Coursework

The role if Integrated Management System in Developing Inventory Management system in Government Sector

The review of the company internal processes in select departments offers a vantage point of identified gaps, such as, safety issues, building development, staff quality, material requisitions, and material transfers.... The pursuit for the organization to lower service levels often it has been noticed that company'... security- risk involved with being associated with criminal activity during the provision of a product The core investment in business relates to the managing the resources that improves the overall profitability of the organization....
15 Pages (3750 words) Dissertation

Information System In Organizations

This coordinating ability of information systems is especially vital in large organizations that have different interests or subsidiaries.... information systems streamline the business processes to make it more uniform among the different groups within the organization, guaranteeing efficiency and better transition in terms of information transfer.... Because of increasing technology and unparalleled reliance to how organizations are run, the practice of ensuring that the security of the organization's information system is a vital aspect of an organization's survival (Willcocks, 1996). ...
5 Pages (1250 words) Essay

Global Internet Security

This paper ''Global Internet security'' tells that Internet is employed in businesses, educational institutes, governmental institutes, social institutes, researching, and many other places because it keeps the capability of allowing a communication path that is easier, wider, faster, and user friendly.... Because of the internet, there are many global internet security concerns.... Global internet security is a concern for all the world be because of teethe intermeddle have gained many benefits, there are also many disadvantages such as internet fraud, loss of security and privacy, virus attackman, threats to data protection and computer misuse....
19 Pages (4750 words) Essay

Why Information System Is Extremely Crucial for Hewlett Packard

The chosen company is Hewlett-Packard (HP), which is a global provider of products that include personal computing products, printing and imaging products, services, software, technologies and solutions to individual consumers as well as small and large companies.... The company.... The chosen company is Hewlett-Packard (HP), which is a global provider of products that include personal computing products, printing and imaging products, services, software, technologies, and solutions to individual consumers....
8 Pages (2000 words) Case Study

Organization Security Plan

fter completing the first draft, the directors shall review it together with the company attorney general before rolling it out.... The writer of the paper 'Organization security Plan' states that Unless the department of defence understands different aspects of computer and its applicability, the department may find it a challenge in applying computer and its related technology in its security system.... All Members of the department of defence must understand the security planning guidelines from the engineering task and from Microsoft for the preparation of the security plan....
5 Pages (1250 words) Outline

Auto Supplys New Information System Project's Risks

The project manager should not hire two resources for one task, should cut costs by eliminating resources that are not still in use, should not over-allocate resources, should allocate resources on a periodic basis, and should use the specified amount of money for the resources irrespective of the company's policy that both allocated and unallocated resources should be paid.... From the information given in the paper "Auto Supply's New information System Project's Risks", it is clear that the client's highest priorities are the cost and scope....
7 Pages (1750 words) Assignment
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us