Information Systems Security Assignment: Risk Management Report For The Sprout Foundation
Question
Task: Prepare a detailed risk management report in the information systems security assignment identifying the existing risks and assessment factors in The Sprout Foundation (TSF)
Answer
1. Introduction
This report on information systems security concerns security management and risk identification for the information system of 'The Sprout Foundation' (TSF). The IT systems manager of TSF and the board of directors wish to commission a risk assessment audit to understand their most vulnerable and risk-prone areas, and to obtain a security management report from an external 'Information Systems Security' auditor. The threats to information security relate to the organization's stakeholders and to vulnerabilities such as technical insufficiencies, 'unauthorized' activities in the organization's information system, lack of 'essential' services, and other physical consequences. In the current scenario, information security is one of the most crucial aspects of any organization, since it must transfer and acquire important data over a network without interference from an external source. This leads organizations to adopt 'information security risk management' (ISRM) to develop economical and efficient controls (Shamala et al., 2017). The report analyzes the value of, and the potential risks to, the information system at TSF and the people associated with it.
2. Assessment of TSF’s Value
2.1 Activity and Strategic Context Creation
In current business management, organizations depend heavily on technology and 'information systems' to conduct their work efficiently. The IT systems manager at TSF wants to understand the existing risks in the organization with the help of an external auditor; the IT manager and the board of directors chose this route so that the risk assessment is conducted in an unbiased way. The 'human resource information system' (HRIS) is known to be one of the crucial assets of an organization's 'information security system,' since it holds the organization's valuable 'human resource' assets (Buzkan, 2016). Any internal asset, such as information about customers and employees, financial reports, transactions, and other property-related documents, that would pose a threat if it fell into the hands of an external party is a valuable asset in terms of the organization's activity and strategic context.
2.2 Target Risk ‘Appetite’ and Risk Tolerance Level
TSF's risk 'appetite' relates to its operational processes around cloud computing, information security risk policies, the 'BYOD' policy, malware threats, and shortcomings in detecting attacks and disseminating cybersecurity knowledge. Time and economic conditions also enter into calculating risk and predicting the returns on 'corporate' bonds (Bekaert, Engstrom and Xu, 2019). TSF is capable of tackling its potential and existing risks with appropriate information security policies and proper knowledge-based training for its employees. Risk tolerance will be measured against both the economic and the non-economic effects of any cyberattack, so as to analyze the mitigation process and strengthen IT management's awareness of uncertain situations.
3. Key Roles and Responsibilities of Individuals in the Department
The stakeholders and board of directors of TSF are responsible for the risk assessment process and for adopting the resulting changes in the management.
Stakeholders/Individuals | Priority | Responsibility
CTO ('Chief Technical Officer') | High | The CTO of TSF will analyze the existing risks from the risk assessment report and consult with the IT manager and the financial head of the organization on future changes and the investment process.
CFO ('Chief Financial Officer') | High | The CFO has already agreed to propose a budget, together with TSF's risk and security management department, to improve the current situation. The CFO is also responsible for overseeing the whole analysis and remediation process so that 'cash flow' continues for sustainability.
Manager (IT Systems) | High | The IT systems manager is responsible for working with the external 'information systems security' auditor to approve the risk assessment report and to start resolving the problematic areas. The manager is also responsible for directing the employees accordingly.
Risk and Security Management Employees | Medium | They will assist the external auditor with the internal security processes and help identify the potential risks.
IT Employees | Medium | They will carry out the directions received from the IT systems manager to improve the information security system at TSF.
'Information Systems Security' Auditor (External) | High | The person mainly responsible for the current risk assessment report, consulting with the IT systems manager and other employees. The auditor is responsible for identifying the internal risks and presenting a management report on risk and security in the information systems.
4. Audit and Analysis Case Evidence
4.1 Inventory Assessment
One of the most crucial principles in the 'information assurance' field is the 'information asset inventory.' It accounts for the organization's data across the business process infrastructure. Maintaining an 'asset inventory' list for the information systems is important in managing the risk areas effectively. The inventory assets at TSF are employee and customer details, business data, financial information and transaction reports, business files saved in cloud storage, and so on. These inventory assets of TSF's information system fall under the 'physical,' 'information,' 'staff,' and 'service' asset categories.
4.2 Information Asset Identification
The identification of the assets related to TSF's information system covers the information security system, the internal network, computer systems, the cloud computing system, and other data-driven devices. Anything that manages information using technology-led data is considered an asset of the information system. An 'information security risk assessment' (ISRA) in an organization like TSF is responsible for identifying the assets related to its information systems systematically and comprehensively (Shedden et al., 2016). The assets are those devices and data that are important for processing the organization's business activities and are valuable in both economic and non-economic ways.
4.3 What are TSF's Significant Physical and Logical Information Resources?
Asset Field | Significant Resources | Description
Physical | Internal servers, hardware devices, RTU device, PLC device, processors | The physical assets are mainly the hardware systems that support the information systems at TSF.
Logical | Operating systems, cloud storage | The operating system and cloud storage system manage data and documents digitally on top of the physical resources.
Information | Database, 'SCADA' software, 'firmware' | The information resources are mainly the database system and 'SCADA,' a control system architecture that manages data from computers, networks, and 'graphical user interfaces' (GUI).
Service | Gateways, firewalls, anti-malware software | The service resources help reduce malware and other cyberattacks by providing a strong anti-virus 'firewall' layer.
5. Risk Identification
5.1 Analysis of Existing Threats and Vulnerabilities that Provide Risks to the TSF
Threats to the information security system can relate to malware attacks, 'software' attacks, intellectual property theft, data breaches, and external interference in the cloud storage and data documentation system. Organizations use different tools and technologies, including risk assessment methodologies, to provide 'safeguards' (Figueira, Bravo and López, 2020). Vulnerabilities in information systems can relate to 'destruction' of, and errors in, the system. The existing threats to TSF's information system relate to inefficient 'cybersecurity' policies, a lack of capability in detecting cyberattacks, a lack of proper cybersecurity knowledge, cloud storage, and the 'BYOD' policy. These risks can affect the company for a long time if no management decisions are taken.
5.2 TSF’s Most Important Information Asset that can Face High Risks
Risks to the information systems and their management can significantly impact the organization's mission and goals (Figueira, Bravo and López, 2020). The most important assets of TSF's information systems are the data about employees and customers, financial reports, transaction documents, the cloud storage systems and the external network systems, all of which are exposed to threats such as malware attacks. These risks can cause the organization various financial and non-financial problems.
6. Likelihood and Impact Analysis on Six Distinct Risks at TSF
The significant risks at TSF identified by the 'information systems security' auditor are:
Risks | Likelihood | Impact | Description
Lack in Detecting Cyberattack | High | High | After analyzing the current internal activities at TSF, it is apparent that there is a lack of understanding of ongoing cyberattacks at the organization. The lack of knowledge and information among the current IT specialists makes it difficult to detect a cyberattack when it occurs. The 'static' approach of the organization's traditional security detection process is inefficient and cannot detect the new generation of complex and resilient cyber threats (Tounsi and Rais, 2018).
Insufficient 'cybersecurity' policy | Medium | Medium | Another crucial factor at TSF is its policy regulations, where the 'cybersecurity' policy has been found not to meet the standard. The increase in security breaches using 'advanced' technologies makes it difficult for organizations to act against these new-age attacks under the appropriate laws. A proper understanding of the information security policy in an organization helps reduce risks from employees and external sources (Safa, Von Solms and Furnell, 2016). Organizations spend millions of dollars each year dealing with cyberattack cases, and some face more problems because of inappropriate policy.
'BYOD' ('bring your own device') policy | High | Medium | TSF creates a more flexible working environment for its employees by allowing them to bring their own devices to the workplace. However, there has recently been great concern that a 'BYOD' policy can generate serious threats, since malicious activity can be conducted against the organization's network from such devices. This policy brings both employee productivity and security risks to business activities (Alotaibi and Almagwashi, 2018).
Internal cloud storage accessed by public network | Medium | Medium | Cloud computing is integral to how TSF manages its valuable data and information securely to sustain its operations. However, cloud storage is managed over the network, which exposes the system to external networks. As the cloud storage application runs without access to the 'on-premise' architecture, it relies on encryption (Odun-Ayo et al., 2017). Sometimes cyber-criminals break the encryption from a public network to breach the information.
Inefficient 'information security' training | High | Medium | TSF is currently facing difficulties in engaging its employees in proper training on the information security system. Almost half of companies emphasize providing security training to their old and new employees. Training on information security not only expands knowledge of security but also significantly shapes employees' behavior towards security awareness (Stefaniuk, 2020).
Threat from malware | Low | High | Malware threats are nothing new in the information security world. Various harmful malware, such as Trojans, spyware, and other viruses, cause destruction to computers through software. However, TSF has a strong team in its information security process, with effective algorithms for detecting malware using a 'bag-of-words' (BOW) approach (Halim, Abdullah and Ariffin, 2019).
7. Evaluate and Prioritize Six Significant Risks at TSF to Manage
After identifying, in the sections above, the potential risks at TSF related to its internal network and storage system and its other policies, the six risks are evaluated and prioritized as follows. The two prioritization columns record the impact when the risk occurs and the probability of the risk occurring, each rated H, M, or L.
Risks | Evaluation | Impact when the Risk Occurs (H / M / L) | Probability of the Risk Occurring (H / M / L)
Lack in Detecting Cyberattack | The IT professionals at TSF are still comfortable practicing the traditional cyberattack detection process. However, new-age viruses and cybercrimes are advanced and cannot be detected by the traditional process. The organization can adopt a 'cumulative' algorithm to detect cyberattacks quickly in both distributed and centralized detection settings (Kurt, Yılmaz and Wang, 2018). The current detection process at TSF can be improved by engaging the IT employees in proper information security knowledge and training programs. | |
Insufficient 'cybersecurity' policy | Every company, including TSF, has regulation policies for its working environment and its information security service. TSF can develop policies for its cybersecurity process and establish cybersecurity governance across its operations. However, an inappropriate policy can restrict the organization's ability to deal with cybersecurity threats from both internal and external sources. This is a global 'phenomenon,' and public awareness and visibility of the various impacts of cyberattacks are still questionable (de Bruijn and Janssen, 2017). The problem derives from an inability to identify policies that are failing to detect and identify cyberattacks (de Bruijn and Janssen, 2017). | |
'BYOD' ('bring your own device') policy | TSF can strengthen its 'BYOD' policy with password protection and increase its security budget to identify loopholes through which employee-owned devices generate cybersecurity threats. The lack of a proper policy framework and 'safeguards' causes the 'BYOD' policy to have a negative impact on security risk (Dhingra, 2016). A properly enforced 'BYOD' policy makes device use secure for the employees. | |
Internal cloud storage accessed by public network | In the current scenario, cloud computing has become an integral 'paradigm' for providing high-quality services to customers and making the work of IT professionals efficient. However, it is associated with various risks, such as loss of data, information breaches, and inefficient policies (Al-Ruithe et al., 2018). | |
Inefficient 'information security' training | TSF can extend its information security training program to both new and existing employees. In various organizations, management has pointed out that the information security system is one of the weak links in the operation process, while also being an important asset in decreasing risks related to 'data' security (Shouran, Priyambodo and Ashari, 2019). | |
Threat from malware | Malware threats at TSF can originate from both internal and external sources. Increasing 'cyberattacks' make cyber risks more aggressive and organizations more vulnerable. However advanced technology becomes, cyber-criminals keep evolving their tactics for spreading malware, including the extended family of 'ransomware' (Vermeulen, 2018). A strong anti-virus system on the internal systems can address the threat. | |
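The prioritization in the table above can be made explicit with a likelihood x impact matrix. The following Python script is an added worked example, not part of the original report: the likelihood and impact ratings are the ones the report gives in Section 6, while the ordinal scale (High=3, Medium=2, Low=1), the product score, the priority bands and the impact tie-breaker are assumptions chosen to illustrate the method.

```python
"""Likelihood x impact prioritization of the six TSF risks (added example).

Scale, product scoring, bands and tie-breaker are assumptions; the six
ratings are those stated in the report's Section 6 table.
"""
from dataclasses import dataclass

# Assumed ordinal mapping for the qualitative ratings.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # "Low" | "Medium" | "High"
    impact: str      # "Low" | "Medium" | "High"

    def score(self) -> int:
        """Likelihood x impact on a 1..9 scale (assumed scoring)."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def priority_band(score: int) -> str:
    """Assumed banding of the 1..9 product into treatment priorities."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# The six risks and their ratings from Section 6 of the report.
TSF_RISKS = [
    Risk("Lack in Detecting Cyberattack", "High", "High"),
    Risk("Insufficient 'cybersecurity' policy", "Medium", "Medium"),
    Risk("'BYOD' policy", "High", "Medium"),
    Risk("Internal cloud storage accessed by public network", "Medium", "Medium"),
    Risk("Inefficient 'information security' training", "High", "Medium"),
    Risk("Threat from malware", "Low", "High"),
]


def prioritize(risks):
    """Return (name, score, band) tuples, highest priority first.

    Equal scores are broken by impact (assumption: a high-impact risk is
    treated before a merely likely one); sorted() is stable beyond that.
    """
    ordered = sorted(risks, key=lambda r: (r.score(), SCALE[r.impact]),
                     reverse=True)
    return [(r.name, r.score(), priority_band(r.score())) for r in ordered]


if __name__ == "__main__":
    for name, score, band in prioritize(TSF_RISKS):
        print(f"{band:6} {score:>2}  {name}")
```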
8. Conclusion
From the above analysis, it can be stated that information systems security and its management are among the most crucial aspects of an organization in the current scenario. The risks to TSF from cyberattacks, the lack of appropriate cybersecurity policies, and malware attacks can make its business processes vulnerable and pose a threat to the organization. The current risk assessment report will help TSF's management and board of directors identify the weak spots that invite cyberattacks, and it provides details for mitigating the risks so that operational processes can be sustained.
9. Bibliography
Al-Ruithe, M. et al. (2018) ‘Addressing Data Governance in Cloud Storage: Survey, Techniques and Trends’, Journal of Internet Technology, 19(6), pp. 1763–1775.
Alotaibi, B. and Almagwashi, H. (2018) ‘A Review of BYOD security challenges, solutions and policy best practices’, in 2018 1st International Conference on Computer Applications & Information Security (ICCAIS). IEEE, pp. 1–6.
Bekaert, G., Engstrom, E. C. and Xu, N. R. (2019) The time variation in risk appetite and uncertainty. National Bureau of Economic Research.
de Bruijn, H. and Janssen, M. (2017) ‘Building cybersecurity awareness: The need for evidence-based framing strategies’, Government Information Quarterly, 34(1), pp. 1–7.
Buzkan, H. (2016) ‘The role of human resource information system (HRIS) in organizations: a review of literature’, Academic Journal of Interdisciplinary Studies, 5(1), p. 133.
Dhingra, M. (2016) ‘Legal issues in secure implementation of bring your own device (BYOD)’, Procedia Computer Science, 78(C), pp. 179–184.
Figueira, P. T., Bravo, C. L. and López, J. L. R. (2020) ‘Improving information security risk analysis by including threat-occurrence predictive models’, Computers & Security, 88, p. 101609.
Halim, M. A., Abdullah, A. and Ariffin, K. A. Z. (2019) ‘Recurrent Neural Network for Malware Detection’, Int. J. Advance Soft Compu. Appl, 11(1).
Kurt, M. N., Yılmaz, Y. and Wang, X. (2018) ‘Distributed quickest detection of cyber-attacks in smart grid’, IEEE Transactions on Information Forensics and Security, 13(8), pp. 2015–2030.
Odun-Ayo, I. et al. (2017) ‘An overview of data storage in cloud computing’, in 2017 International Conference on Next Generation Computing and Information Systems (ICNGCIS). IEEE, pp. 29–34.
Safa, N. S., Von Solms, R. and Furnell, S. (2016) ‘Information security policy compliance model in organizations’, Computers & Security, 56, pp. 70–82.
Shamala, P. et al. (2017) ‘Integrating information quality dimensions into information security risk management (ISRM)’, Journal of Information Security and Applications, 36, pp. 1–10.
Shedden, P. et al. (2016) ‘Asset identification in information security risk assessment: A business practice approach’, Communications of the Association for Information Systems, 39(1), p. 15.
Shouran, Z., Priyambodo, T. K. and Ashari, A. (2019) ‘Information System Security: Human Aspects’, International Journal of Scientific & Technology Research, 8(03), pp. 111–115.
Stefaniuk, T. (2020) ‘Training in shaping employee information security awareness’, Entrepreneurship and Sustainability Issues, 7(3), pp. 1832–1846.
Tounsi, W. and Rais, H. (2018) ‘A survey on technical threat intelligence in the age of sophisticated cyber attacks’, Computers & Security, 72, pp. 212–233.
Vermeulen, J. (2018) ‘An analysis of fusing advanced malware email protection logs, malware intelligence and active directory attributes as an instrument for threat intelligence’.