IT risk management assignment: Case Analysis of SoftArc Engineering Ltd
Question
Task: You have been employed by SoftArc Engineering Ltd as their first ever Chief Information Security Officer (CISO). The Board has tasked you with reviewing the company's risks and starting to deploy security policies to protect its data and resources. You are required to write a detailed IT risk management policy report to preserve the integrity and confidentiality of SoftArc Engineering Ltd data.
Answer
1. Brief Overview
IT risk management matters because the risks an organization faces directly affect the outcome of its business operations (Hopkin, 2018). SoftArc Engineering Ltd. (SEL) is a private civil engineering company headquartered in Australia, with branches in several other countries: Vanuatu, Timor-Leste, New Zealand, Fiji, and New Guinea. The company's main site in Bathurst hosts its data center, which holds and manages its internal data. SEL employs 70 engineers together with support staff who work on projects for clients both in Australia and overseas. The company is currently bidding for government projects in several of the countries in which it operates, and those projects require strict security in its data management.
The data center runs a range of servers, including Active Directory domain controllers, SQL Server database servers, Windows Server 2003 hosts, Microsoft SharePoint 2013, Red Hat Enterprise Linux systems, and a Cisco ASA firewall. These systems hold the company's information and reports. Most support staff use both a personal and a shared PC. Management is concerned that the ageing, long-unpatched server estate makes a successful cyberattack increasingly likely. This report reviews the IT security and risk management processes of SEL from the perspective of its newly appointed Chief Information Security Officer (CISO).
2. Policy Purpose and Rationale
2.1 Policy Purpose
The purpose of this IT risk management review is to identify the threats to SEL's data center and to the security processes that protect it. Many organizations have adopted Information Security Risk Management (ISRM), which analyzes potential risks, integrates risk identification into routine operations, and informs the decisions taken to mitigate those risks (Naseer et al., 2017). SEL needs to identify its IT-related risks before taking on government projects in several countries. The new security policy addresses three areas:
- The ageing server infrastructure. SEL still runs server products released in 2003, 2007, and 2008 for its email server, SQL database server, print server, domain controllers, and Microsoft SharePoint. Products of that age are at or past the end of vendor support and no longer receive security patches.
- A single small data center at the Bathurst main site. Branches in other countries connect back to it over the network and have difficulty doing so reliably.
- Engineers and support staff share PCs, and many connect to the data center remotely from their own systems. Shared and personal devices increase the chance of a cyberattack or data breach, whether it originates from an employee's machine or from an external network.
2.2 Rationale
Technical and non-technical organizations alike are concerned about the consequences of the rising number of cyberattacks. SEL's data center holds business documentation, employee and customer identity data, financial details, and transaction records, which are among the organization's most valuable assets. Employees who understand their organization's information security policy play a significant role in reducing human risk and internal data-handling errors and in strengthening the information security culture (Da Veiga, 2016). SEL therefore needs both to upgrade its existing servers and to train its employees in why security management matters.
3. Policy Scope
SEL's IT risk management policy should be written under the direction of the appointed CISO, after an analysis of the data center's infrastructure and operating systems, the existing IT security policy and controls, how readily a new policy can be adopted, the expected uptake among employees and engineers, and the organization's management system. Developing an information security policy is a full life cycle that covers the improvements needed in the current IT security system and establishes an effective policy (Flowerday & Tuyikeze, 2016). SEL also needs to define the scope of the new policy and the areas it affects:
- Who
The revised information security policy applies to the engineers and support staff who use personal or shared PCs, to prevent external or internal data breaches and cyberattacks. It also commits the organization to strengthening its security posture, by upgrading its old servers and management processes, before taking on new government projects.
- Effective Areas (What)
The revised information security policy will cover:
- Upgrading the existing server infrastructure and replacing old servers with supported versions
- Establishing a data center in each branch to remove dependence on external network links
- Ending the BYOD practice and the use of personal systems among support staff
- Sustaining the confidentiality and integrity of documents relating to SEL's government projects
- Raising staff knowledge of IT security and the risk management process
4. Roles and Responsibilities
Role | Status | Interest Level | Responsibility and Affected Area
CISO | Management | High | The newly appointed CISO analyzes the existing servers and IT security management to set the plan and scope of the new information security policy. The CISO ensures that the new risk management controls follow the relevant ISO standard so that improvement continues over time (Barafort et al., 2017). The policy affects the CISO by identifying the risk areas to be monitored and by making the CISO responsible for maintaining and improving it.
CFO | Management | High | The CFO reviews the whole plan for the new information security policy, identifies its benefits, and sets an adequate budget for implementing it. The CFO also funds an information security policy compliance (ISPC) programme to sustain security awareness and culture (Hina & Dominic, 2018).
COO | Management | High | The COO is responsible for current operations and the IT management system, and will help the CISO understand the existing problems and shape policies that suit SEL.
HRM | Management | High | HRM ensures that people and other resources are available so the organization can adopt the new information security policy, identifies staffing shortfalls that would undermine it, and supports the changes needed to prevent cyberattacks and external network intrusion. HRM is also responsible for the employee and customer records held in the company's data center.
Engineers | Employee | Medium | SEL's 70 engineers will follow the new policy in their daily work and in managing the organization's servers. The policy also proposes data centers in the other branches to secure their work. Its effect is to reduce the occurrence of the identified risks and to standardize IT management (Lošonczi et al., 2016).
System Support Staff | Employee | Medium | Support staff will no longer be able to use their own devices once the policy is adopted. SEL needs to issue company-owned devices with antivirus and firewall protection so that work can continue without that risk.
5. Mandatory Requirements
The information security management system (ISMS) will follow the ISO 27001 standard, which is a main priority in creating the new policy. That standard specifies the requirements for managing information-security-related risk (Al-Dhahri et al., 2017). The appointed CISO will ensure several mandatory elements: protection proportionate to the organization's identified risks; rules that engineers and employees must follow; and the management and system requirements needed to strengthen network security on the company's servers and workstations. The policy must also satisfy the following:
- It provides solutions to SEL's actual, current problems
- It is written simply enough that everyone understands the required security measures
- Its enforcement is consistent, yet flexible enough to apply in practice
- It is measurable, and it avoids unintended consequences
The growing use of Internet of Things (IoT) devices has deepened organizations' concern about protecting their operational networks from external interference (Chen & Zhu, 2019). SEL's information security policy will mandate the following improvements to its existing IT management system:
- A baseline set of technical controls for the IT department: a properly configured firewall, anti-malware software, an encryption process for stored and transmitted data, a secure backup process to the organization's cloud storage, and an inventory that identifies the weak servers in the data center.
- The data center servers need to be upgraded, as most of them run products from 2003, 2007, and 2008. Unsupported, unpatched servers give attackers an easy way into the system and to the valuable data on it.
- SEL should stop employees from using their own devices for work. Personal devices expose the system to third parties who can extract data from it. Instead, the company should issue support staff with managed devices for working from home, so that data is not left on uncontrolled machines.
- SEL should set rules for the use of its information systems so that employees and engineers operate them correctly and risks from internal sources are reduced.
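As an added illustration of the "identify the weak servers" requirement above, the following Python script scores a server inventory against vendor end-of-support dates and produces a ranked risk register (likelihood x impact). This is example code written for this report, not SEL's own tooling. The inventory is constructed from the server roles the report lists; the hostnames, product editions, impact ratings, and internet-exposure flags are assumptions. The end-of-support dates are the vendors' published extended-support end dates. A product the inventory cannot place is treated as a finding in its own right rather than scored as safe.

```python
"""Rank data-center servers by the risk of running end-of-support software.

Example written for this report (not SEL's own tooling). The inventory is
constructed from the server roles the report lists; hostnames, editions,
impact ratings and exposure flags are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Vendor-published extended-support end dates for the products assumed below.
EOL_DATES = {
    "Windows Server 2003": date(2015, 7, 14),
    "Exchange Server 2007": date(2017, 4, 11),
    "SQL Server 2008 R2": date(2019, 7, 9),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "SharePoint Server 2013": date(2023, 4, 11),
}

# Fixed assessment date so the register is reproducible.
ASSESSMENT_DATE = date(2024, 1, 1)


@dataclass(frozen=True)
class Asset:
    hostname: str           # assumed name
    role: str               # role as listed in the report
    product: str            # assumed product/edition on the host
    impact: int             # 1 (low) .. 5 (critical): damage if compromised
    internet_exposed: bool  # reachable from outside the Bathurst site


# Constructed sample inventory covering the roles the report names.
INVENTORY = [
    Asset("sel-dc01", "Active Directory domain controller", "Windows Server 2008 R2", 5, False),
    Asset("sel-mail01", "Email server", "Exchange Server 2007", 4, True),
    Asset("sel-sql01", "SQL database server", "SQL Server 2008 R2", 5, False),
    Asset("sel-print01", "Print server", "Windows Server 2003", 2, False),
    Asset("sel-sp01", "SharePoint 2013", "SharePoint Server 2013", 4, True),
    Asset("sel-web01", "Project portal (Red Hat)", "Red Hat Enterprise Linux (version unrecorded)", 3, True),
]


def support_status(asset: Asset, today: date) -> str:
    """'past_eol', 'supported', or 'unknown' when the product is not in the table."""
    eol = EOL_DATES.get(asset.product)
    if eol is None:
        return "unknown"
    return "past_eol" if today > eol else "supported"


def likelihood(asset: Asset, today: date) -> int:
    """Likelihood score 1..5.

    Supported product: 1. Past end of support: 2 at the EOL date, +1 for every
    further two years without patches. Unknown product: 3, because an asset the
    inventory cannot place is itself a finding. Internet exposure adds 1.
    """
    status = support_status(asset, today)
    if status == "supported":
        score = 1
    elif status == "unknown":
        score = 3
    else:
        years_past = (today - EOL_DATES[asset.product]).days / 365.25
        score = min(5, 2 + int(years_past // 2))
    if asset.internet_exposed:
        score = min(5, score + 1)
    return score


def risk_register(inventory, today=None):
    """Return register rows sorted by risk (likelihood x impact), highest first."""
    today = today or date.today()
    rows = []
    for asset in inventory:
        lik = likelihood(asset, today)
        rows.append({
            "hostname": asset.hostname,
            "role": asset.role,
            "status": support_status(asset, today),
            "likelihood": lik,
            "impact": asset.impact,
            "risk": lik * asset.impact,
        })
    # Stable sort keeps inventory order among equal scores.
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in risk_register(INVENTORY, ASSESSMENT_DATE):
        print(f"{row['risk']:>3}  L{row['likelihood']} x I{row['impact']}  "
              f"{row['status']:<9} {row['hostname']:<12} {row['role']}")
```

With the assumed inventory, the internet-facing Exchange 2007 host and the SQL Server 2008 R2 database rank first (risk 20 each), ahead of the domain controller, which has the highest impact but is not exposed. The print server on Windows Server 2003 ranks last despite being the oldest, because its impact rating is low; the register is meant to drive the upgrade order, not to argue that any of these hosts is acceptable to keep.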
6. Exemptions
It is difficult to exempt anything from an information security policy, especially at SEL, where employees share PCs and are allowed to hold official data on their own systems. That practice leaves traces that let criminals locate and steal data within minutes. Today's fast-moving environment pushes organizations to hold their assets in intangible, IT-dependent form, which is why IT plays such a significant role across organizations (Ključnikov et al., 2019). The exemptions SEL can make are limited to the following:
- Lower-impact measures, such as establishing an additional data center in every SEL branch, can be postponed and taken up later after further discussion.
- Some of the new rules can be added to the existing code of conduct for employees and staff rather than introduced as a separate policy regime.
7. Glossary
Words | Meaning
CFO | Chief Financial Officer
COO | Chief Operating Officer
HRM | Human Resource Management
BYOD policy | 'Bring Your Own Device': a policy that allows employees to use their personal devices for professional work
IT-related risk | Risk arising from an organization's information technology systems
Server | A computer or program that provides a centralized service or resource to other systems on a network
Data Center | A facility that houses centralized IT equipment and operations to store, process, apply, and disseminate organizational data as an asset
8. References
Al-Dhahri, S., Al-Sarti, M., & Abdul, A. (2017). Information Security Management System. International Journal of Computer Applications, 158(7), 29–33.
Barafort, B., Mesquida, A.-L., & Mas, A. (2017). Integrating risk management in IT settings from ISO standards and management systems perspectives. Computer Standards & Interfaces, 54, 176–185.
Chen, J., & Zhu, Q. (2019). Interdependent strategic security risk management with bounded rationality in the internet of things. IEEE Transactions on Information Forensics and Security, 14(11), 2958–2971.
Da Veiga, A. (2016). Comparing the information security culture of employees who had read the information security policy and those who had not. Information & Computer Security.
Flowerday, S. V., & Tuyikeze, T. (2016). Information security policy development and implementation: The what, how and who. Computers & Security, 61, 169–183.
Hina, S., & Dominic, P. D. D. (2018). Information security policies’ compliance: a perspective for higher education institutions. Journal of Computer Information Systems.
Hopkin, P. (2018). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
Ključnikov, A., Mura, L., & Sklenár, D. (2019). Information security management in SMEs: factors of success.
Lošonczi, P., Nečas, P., & Naď, N. (2016). Risk management in information security. Journal of Management, 1, 28.
Naseer, H., Shanks, G., Ahmad, A., & Maynard, S. (2017). Towards an analytics-driven information security risk management: A contingent resource based perspective.