Information System Risk Management - Case Study Example

Running head: Information System Risk Management
Information System Risk Management
Lucky XXXXXXXXXXXXXXXXX XXXXXXXXX
June 3, 2009

1.0 Abstract
Successful risk management is very important to the success of the implementation of any information system. The principal goal of risk management is to protect the company and its ability to achieve its mission by ensuring that there is no loss of integrity, availability or confidentiality while using the Enterprise Resource Planning (ERP) system (Campell, 2007).

2.0 Main Body
As a result of the implementation of an ERP by an organization, the security risks of the organization are increased because of the way an ERP is implemented, with different modules integrated together in order to achieve the organization's mission. Risk management is a strategic issue in the implementation of ERP systems in any organization. This is because the success of an ERP depends on many factors, including technology (hardware and software), efficient design of processes, and utilization of human resources. The human resources are the users of the new ERP solution. With this in mind, organizations should adopt a risk management strategy that identifies and controls ERP implementation risks. An organization at risk is exposed to potential threats. Risk management comprises risk assessment, risk mitigation, evaluation and assessment. Risk assessment is used to determine the extent of the potential impact. Some tangible impacts of a successful threat are things like loss of revenue and the cost of repairing a system that has been affected (Stoneburner, 2008).

Security Threats
ERP threats are real; therefore it is important not only to identify the threats but also to know the vulnerabilities of the system and look for ways of preventing these threats from breaching the security of the ERP system.
The threats may be grouped into the following types:

3.0 Natural Threats
These are threats that are not caused by human beings. They include earthquakes, floods, tornadoes, hurricanes, temperature extremes, and many others.

Intentional Threats
The best examples of intentional threats are computer crimes or purposeful damage to property or even information.

Unintentional Threats
These threats may include unauthorized or accidental modification of the system. The best way to study the vulnerability of the system is to identify the threats and then examine the system under those threats.

4.0 Vulnerability of the System
One has to think about business transactions that can lead to losses from information-system-based abuse, fraud and errors. Losses may occur when users use the system in a manner they are not supposed to, whether intentionally or not. There may also be threats from intrusion and attacks by outsiders. People may steal or come across authorization credentials and try to enter the system without the knowledge of the authorities, thus jeopardizing the integrity of the information contained in the system database. In addition, there may be system abuse and fraud from insiders: authorized users can attempt, and indeed succeed, in entering modules that they are not supposed to enter. Centralization of everything in the organization can become a performance bottleneck and also increase the ease with which people can sabotage the entire operations of the organization. One only needs to ensure that the ERP is not working and the organization will be on its knees, unable to operate.
5.0 External Security Threats
Weak Passwords: By use of dictionary attacks, intruders can correctly guess the passwords used in the ERP system and hence cause malicious damage to the system or gain access to otherwise confidential data of the organization, thereby compromising the integrity of the organization's data. To eliminate this kind of threat, the organization should require complex passwords and combine them with biometrics in order to strengthen this authentication mechanism.

6.0 Social Engineering
This is a newer threat whereby users are duped with appealing information until they give their access credentials to strangers. For instance, users may be told that they have won something and must provide their personal information in order to receive their prize. This kind of threat can only be evaded by educating system users and informing them that it is not usually possible to win a prize in a competition they never entered (university, 2009).

Competitors: When organizations conduct a SWOT analysis, they always want to know the strengths of their competitors. They may therefore send spies to these competitors in order to study their strengths and strategic objectives. Among an organization's employees, it might not be possible to differentiate genuine employees from spies for competitors.

7.0 Internal Threats
7.1 Unsatisfied Workers
The biggest threat to the ERP is the system users themselves, especially if they are not satisfied with the organization or were not consulted during system development. If they feel they do not want the system, they may intentionally sabotage it so that it appears to senior management not to be working. This is especially so if the system is perceived to result in job losses or loss of power for some employees. Furthermore, the introduction of an ERP will reduce some levels of bureaucracy and corruption within the organization.
This may lead to resistance from company employees. Also, if there is a strike in the organization, the workers may target the system since it carries almost every function of the organization.

7.2 Unintended Threats
Interference with system operations by malicious programs such as spam, denial of service or, worse still, viruses may cause a temporary stoppage of system operations, which may in turn lead to huge losses for the organization. With this in mind, the organization should ensure that firewalls and antivirus software are up to date and working properly.

Interception of a message stream while data is being exchanged from one point to another, or from one module to another, is another threat that may be unintentional. This may be through session hijacking or spoofing by web page redirection. It may also result from eavesdropping using a wire tap and then a packet sniffer to decipher the data obtained (Schulz, 2001).

There may be programming errors that were not discovered during system testing. Multiple rounding of values can lead to cumulative huge losses, and duplication of entries is another threat, especially where referential integrity is not well implemented in the database. Another very serious threat is that of unintentionally adding a zero at the end or beginning of values, thus affecting the final result of a computation. Testing of the system should continue beyond its commissioning in order to see how it behaves when large amounts of data are introduced.

8.0 Natural Threats
Earth movements such as earthquakes, fires and storms can destroy the centralized servers and thus lose all the data stored in them. To reduce this type of risk, the organization should consider either replication or backing up the database so that it is possible to recover from any crash of the system due to natural causes.
Once this is done, the backup or replication sites should be located at different places in order for this strategy to work. Distribution is another strategy that can be employed to mitigate the threat of natural causes; this can be done by ensuring that the databases are not centralized but that each module has its database in a specified geographical location.

9.0 Levels of Security
Physical Security
Physical security should be provided for the servers against fire, water and any other natural environmental hazards. Access to the servers and other networking equipment such as routers and switches should be well controlled. Servers should in fact not be used as workstations since this may lead to accidental loss of information. There should also be adequate door locks and access cards to ensure servers are not accessed by unauthorized persons.

1. User Level (logical security)
ERP security starts with user-based controls where only authorized users log in with secure usernames and passwords. Users should have limited access based on their individual customized authorization levels. For instance, an accounts clerk should never have access to the human resource database or modules of the system.

2. Database Level
Data encryption could be used to prevent users from exporting the system database. Furthermore, data encryption will protect the database from eavesdropping. Since the ERP is interconnected through different points at different locations, there is a threat of malicious persons tapping this information as it is being transmitted. Data encryption would therefore ensure that any tapped data is not readable and thus useless. There should also be network perimeter defenses such as firewalls, VPNs and intrusion detection.

3. Transaction Level
With the introduction of audit logs within the ERP system, the organization would be able to track individual transactions made by the users of the system.
Internal auditors can then examine the audit logs to look for outliers, for instance transactions at odd hours or for odd amounts. Since logging can be a performance bottleneck, the organization can configure the ERP system to log only the relevant information. There should be continuous monitoring of what users are doing with the system in order to anticipate any cause for alarm. Since organizations are required by law to maintain the confidentiality of their customers, this level of security is quite important. Some controls may include intrusion detection methods and checksums.

10.0 Suggestions
Firstly, perform an audit of all security-relevant events, then monitor any abnormalities that surface and investigate them objectively. An audit trail is quite important because, by looking at such a log, it is possible to see all the transactions that have taken place. Any qualified information systems expert will be able to tell when a transaction is an outlier, and this would form the subject of a thorough investigation.

Secondly, perform intrusion detection and containment. Instead of waiting until a security breach occurs, it is advisable to put detection measures in place so that, in case of any of the above threats, the system will know there is a threat and give such a message to the system users. As explained in the previous sections, intrusion detection mechanisms such as firewalls are quite important. This is because they are proactive measures and can even lead to the capture of the intruder.

Thirdly, perform proof-of-wholeness control by analyzing system integrity and irregularities and identifying any exposures and potential threats. Look at the data that has been processed by the system and check whether there are any inconsistencies. This will assist in seeing any mistakes that may have been overlooked by the system.
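As an added illustration (not part of the original essay) of the audit-log review described at the transaction level and in the first and third suggestions above, the following Python script runs over a constructed ERP audit log and flags transactions posted at odd hours, amounts far outside a user's usual range (such as a misplaced zero), and duplicated postings. The log format, field names and thresholds are assumptions made for the example.

```python
"""Audit-log outlier review for ERP transactions (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit log: timestamp, user, module, reference, amount.
# INV-1004 is posted twice, INV-2001 at 03:17, INV-1005 with an extra zero.
SAMPLE_LOG = """\
2009-06-01T09:12:00 clerk1 AP INV-1001 1250.00
2009-06-01T10:40:00 clerk1 AP INV-1002 980.50
2009-06-01T11:05:00 clerk1 AP INV-1003 1310.00
2009-06-01T14:22:00 clerk1 AP INV-1004 1100.00
2009-06-01T14:22:30 clerk1 AP INV-1004 1100.00
2009-06-02T03:17:00 clerk2 AP INV-2001 750.00
2009-06-02T09:00:00 clerk1 AP INV-1005 12500.00
"""

BUSINESS_HOURS = range(8, 18)       # 08:00-17:59 counts as a normal hour
AMOUNT_RATIO = 5.0                  # more than 5x the user's median is odd
DUPLICATE_WINDOW = timedelta(minutes=10)
MIN_HISTORY = 3                     # need a few postings before judging amounts


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    rows = []
    for line in text.splitlines():
        ts, user, module, ref, amount = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "module": module, "ref": ref, "amount": float(amount)})
    return rows


def find_outliers(rows):
    """Return (reference, reason) pairs for every entry an auditor should review."""
    flagged = []
    per_user = defaultdict(list)
    for r in rows:
        per_user[r["user"]].append(r["amount"])
    # Median per user, so a single inflated posting cannot hide itself.
    medians = {u: median(a) for u, a in per_user.items()}
    seen = {}  # (user, ref, amount) -> timestamp of the first posting
    for r in rows:
        if r["ts"].hour not in BUSINESS_HOURS:
            flagged.append((r["ref"], "odd hour"))
        history = per_user[r["user"]]
        if len(history) >= MIN_HISTORY and r["amount"] > AMOUNT_RATIO * medians[r["user"]]:
            flagged.append((r["ref"], "odd amount"))
        key = (r["user"], r["ref"], r["amount"])
        first = seen.get(key)
        if first is not None and r["ts"] - first <= DUPLICATE_WINDOW:
            flagged.append((r["ref"], "duplicate"))
        seen.setdefault(key, r["ts"])
    return flagged


def review(text):
    return find_outliers(parse_log(text))


if __name__ == "__main__":
    for ref, reason in review(SAMPLE_LOG):
        print(f"{ref}: {reason}")
```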
It is therefore important to ensure that whenever the system is operational, it is in a secure state.

Fourthly, restore a secure state in the event of a security breach. This ensures that the system does not continue working with the security risk in place, as this may mean continuation of the errors caused by the threat. Backups should be performed regularly, although the schedule should be based on data reconstruction difficulty and data volume. The backup procedures should be properly documented and accessible to the users. More importantly, maintain a copy at an offsite location.

Finally, make sure there is antivirus software installed on the system at all times. Viruses are a major risk to any system, hence this matter should be taken seriously.

11.0 Conclusion
In conclusion, system security is a very important factor in the implementation of any successful ERP system. The success of the system depends not only on the successful development of a good system, but also on maintaining it throughout its lifetime and ensuring no threats breach its security. The implementation of an ERP system which performs the core functions of the organization means that it should be safeguarded from any threats that may lead to stoppage of these core functions.

References
Campell, J. (2007). The Future of Multi-Level Secure Information Systems. New York: The Aerospace Corporation.
Schulz, E. (2001, June 02). Internal vs. External Threats. Retrieved June 1, 2009, from http://searchsecurity.techtarget.com/tip/1,289483,slide14_gci520075.00.htm
Stoneburner, G. (2008). Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, 55.
university, P. (2009). Threats to security. Information Assurance and Security, 43.