ITC596 IT Risk Management for Assessment Answers

Question 

The final assessment for ITC596 is to deliver an IT Risk Assessment Case Study in support of a significant technology decision that is to be taken by a fictional company called Aztek that operates in the Australian Financial Services sector.

Senior executives in both business and technology divisions within Aztek have collected a portfolio of projects from their respective strategists that could potentially be funded for deployment. The portfolio includes projects such as:

  • Allowing employees to bring their own devices (laptops, tablets and mobile phones for example) into the workplace to be used as their main or sole devices in achieving their work tasks.
  • Migrating business-critical applications and their associated data sources to an external Cloud hosting solution.
  • Outsourcing key IT functionality such as the network, desktop management or application development to a third party.
  • Upgrading or introducing a major technology such as mobile platforms and applications, migrating to an improved networking technology (such as IPv6), creating a corporate-wide email archive for compliance purposes, or upgrading applications and desktop operating systems.

Each of these potential projects carries significant IT risks which will need to be managed to support the business case as to whether the project should go forward. In this case study, you are the IT Risk Assessment lead at Aztek, and your role is to be the interface between business stakeholders and technologists, translating potential technical difficulties into risk language to facilitate effective decision-making by stakeholders.

For the Aztek case study you will need to select one of the projects from the list above for a thorough IT Risk Assessment. You may select another project beyond those listed above with the approval of the subject coordinator, and you may wish to select a project that is relevant to your workplace for example.

Your deliverable for this ITC 596 Case Study is an IT Risk Assessment report, written for the intended audience of Aztek management providing a risk assessment of the project you have selected to consider.

Answer     

Introduction

At the request of the Aztek management directive committee, the Aztek Assessment team was asked to assess and analyze IT risk management in the company. The team appointed a few of its members to undertake the process. The members have diverse academic backgrounds in governance and IT management, deep knowledge of IT risk management and, in addition, experience in process management.

The function of the committee has been to review and comment on the Aztek company's plan to upgrade its systems generally and to manage the IT risks in the process. The committee divided its work into several phases. The first phase was an assessment of the need for the system updates and their risks. The second phase, with the same members, was to analyze the existing system; the topics handled in risk management include vulnerability and any consequences involved in IT risk management. The last part of our assessment is data security, which defines who will have access to the data and the way data will flow. The committee noted that IT risk management in any company is the most crucial process, so it needs to be undertaken with a lot of care and concern. The committee has recommended that Aztek's managers involve our team in many of the processes they are going to undertake in the company concerning IT risks.

The report is based on the expertise of the committee's experts. It is also presented as a resource belonging to Aztek: all the IT risks are available to the managers and to anybody within the company. The report discusses the properties of the risks and how to manage them. Risk management and evaluation covers the risks and how they can be managed. Risk mitigation covers how owners can manage the risks. Lastly, it covers contingency: the implications of the various processes for settling contingency in the projects, including cost and time scheduling. The conclusion covers the method that owners can take to be completely aware of the risks in IT management.

Financial service sector review

The financial service sector plays a key role in the implementation of the new technology. A financial system facilitates resource allocation, risk allocation and liquidity prioritization, which are the factors that enhance the implementation of the new system.

This review focuses on encouraging the implementation of the new project. All the focus of the financial service sector is set on the implementation of the new project. This involves the stability, efficiency and utility of the financial service sector towards the new project (Contractor et al., 2003).

Stability means that the financial service sector is safe and can withstand the implementation and realization of the new project.

Efficiency is where the sector contributes efficiently in the realization of the new project.

Reliability. The sector should meet the financial needs required to aid the implementation and realization of the new project.

Financial service industries

Australia has the most complex financial service sector which is strategically positioned at the center of Asia. She has got one of the vast contesting currencies under management worldwide approximated to A$1.3 trillion.

Finance.

Export. The Australian state governments, financial service industries and firms in Australia work together to ensure their funds are spread globally, through fund profiting products.

Investment. The Australian government is committed to support the expansion of markets for Australian products by investing in firms and creating an environment that will enable Australia to be the financial center in the region. The following are some of the policies the Australian government has put in place:

It has passed bills which have gradually reduced the withholding tax rate on specific distributions, taking it to the level of the most competitive countries in the world today. The government has started a review of the taxation system, taking into consideration the role of taxes and tax systems in global competitiveness and in the competitiveness of the financial services sector.

The government is making efforts to simplify Australia’s financial services regulation and is trying to establish side-by-side recognition covenants with the major international markets. Covenants have already been signed between Australia and the U.S., China and New Zealand. Moreover, Australia is now recognized globally as a secure investor destination thanks to China’s QDII program.

The Australian government has brought together a committee of qualified personnel, including financial sector representatives, intelligent literates and government officials, which, with the help of the Commonwealth Treasury team, will analyze the factors that hinder Australia’s investment schemes and help realize the goal of making Australia the financial center in the region.

Established best practice

Financial sector regulation is referred to as the best practice globally which encourages room for expansion in the region.

Security Posture Review

Impact of the project to the current system

The upgrade to the system will have the following impacts on the current security system. During the upgrade the system may experience some disruptions, e.g. client applications may not connect.

  • IT security incident management. This is to ensure incident management of information and security features for the company. The information that is found should always be confidential, reliable and believable. Security in this part involves the following:
  • Unauthorized personnel access to information, especially confidential data like personal data and passwords.
  • Computer infections with viruses such as Trojans.
  • Violations of information roles.
  • Denial-of-service attack.
  • Website defacement.
  • Security attacks such as vulnerability.

Exposure of personnel data. This is the release of individuals' information to the environment without their knowledge, e.g. identity theft and credit card exposure.

  • Mobile device security. An increasing number of Aztek employees take advantage of the wireless network. Because our employees move freely with laptops and phones to access information, thieves may also use the opportunity to access the network and get unauthorized information. The following are recommended to prevent this:
  • Securing the wireless network.
  • Encrypting the data.
  • Sensitive information should be transferred encrypted to prevent unauthorized access.

The following guidelines should also be considered when mobile phones are used to handle data.

Storing Sensitive Information: Important information should not be stored on or accessed from mobile devices. This simple rule will do much to reduce the risk to information.

Cryptography: If significant information is to reside on a mobile device, it should be encrypted (Stallings & Tahiliani, 2014). The decryption key should be entered manually; this step should not be automated. A means should exist to recover encrypted data when the decryption key is lost.

Data Backup: Information should be stored on several devices so that it can be retrieved when the information on one device is interfered with (Kaufman, 2009, Data security in the world of cloud computing).

Protection using strong passwords: Mobile device access should be controlled by the use of strong combination passwords and keys provided by the Aztek company.

  • Client application may experience disruptions.

The client application may be disrupted while trying to access data, because connectivity will be altered during the system upgrade.

  • Vulnerability alert

This is to provide a reliable communications channel for the facility at large. As a general guideline, the first decisions to take a certain approach to a problem will come from the managerial decision after it has taken various contact security.

Alerts will be created in the following order.

The alert will be created by the Aztek IT Security Officer and edited by assessment members via their offices. The final version of the message will be approved by the Aztek IT Security Officer.

  • Disconnecting non-functional computers from the network.

With the rising incidence of computers in a network having their vulnerabilities exploited by worms, viruses, and other malware, this precaution was set to wipe out the impact of compromised and vulnerable machines on other machines in the network. Some computers may not be able to work under the current version of the software, hence they need to be kept out of the new system.

  • Configuration changes are restricted

Some computers or mobile devices may not be able to handle some software or provide an environment for writing and running it. In that case, new machines are required to implement the new software and procedures.

  • Assigned agent for receiving notification

Aztek needs an assigned agent of the institution who is given the responsibility of receiving notifications of alleged copyright infringement. This agent receives a notification of alleged copyright infringement from the copyright owner or from an agent authorized to act on behalf of the owner.

Risk Assessment based on threats, vulnerability and consequences

Most, if not all, facilities face a degree of risk from the threats available. The causes of these threats might be naturally occurring events, incidents, or global causes (Liang, 2007).

Facilities are liable to prevent these threats with every necessary measure so as to ensure a continuous flow of activities in the facility. Risk is a combination of the values of threat, consequence, and vulnerability. The main aim of risk management is to provide a degree of protection that weighs the weaknesses of a system against the threats and the possible consequences, and thus minimizes risk to a tolerable degree. Various arithmetic models exist that figure out the risk and demonstrate the effect of enhancing protective metrics on the risk equation.

Threat assessment.

Threat assessment is the first thing that should be performed, e.g. when creating an assessment in the Aztek company. Threats may come from criminals, fraudsters, accidents and natural calamity. The assessment is set to analyze backup information to find the relative possibility of a certain threat happening. For threats that occur naturally, the archived information on the occurrence of these threats can be used to determine how to prevent them, e.g. threats that can cause destruction of a network configuration in a company or organization.

In the case of a criminal threat, the crime measures in the surrounding vicinity give a better impression of the types of malicious acts that are likely to weigh down the facility. Moreover, the property types owned by the facility may also increase the subject appealingness of the facility to the aggressors. The property types and the operations done in the facility relate directly to the probability of several types of incidents happening. For example, a facility located where there are many unemployed IT graduates may be faced with cracks and hacks into its system from time to time.

For a terrorist threat, the appeal of the facility as a subject is to be considered a major factor. Moreover, the types of malicious activities may change on the basis of the possible opportunity and the way of attack that is most likely to succeed for a given facility. For instance, a malicious person who wants to launch an attack against a company may be more likely to attack a vast building than a building containing many offices owned by tenants. However, if security measures put in place at the large building make it difficult to launch a successful attack, the terrorist will be attracted to a nearby facility that might not be as appealing from the occupation viewpoint, but has a higher chance of a successful attack due to the poor security measures put in place. Terrorism is in many cases random and is done with no plan at all; therefore, it cannot be quantified in any way. Specified conditions are vital in rating the level of each threat. The more detailed a specified condition, the more effective the assessments can be.

Example assessments are provided below, according to Rausand (2013), Risk assessment:

  • Specified: Artificial: Aggressors known to use this approach are known to target this facility or organization. There is a prevalence of this type of approach in the vicinity and this facility is a known subject. Specified threats have been taken or identified by law enforcement agencies. Non-artificial: Events of this form occur in the immediate vicinity most frequently as possibility may allow.
  • Reliable: Human-made/Artificial: Aggressors known to target this facility are present and available. There is a prevalence of use of this approach in the area, and the facility in question has been a subject of this type of approach in the past and is still a target of this approach. No specified threat has been received or identified by law enforcement agencies. Natural: Events of this nature take place in the immediate vicinity periodically (i.e. once every 15 years).
  • Potential: Human-created: Aggressors who put this approach into practice are available but they tend to target certain facilities. There is a prevalence of use of this approach in the vicinity but this facility has never been a target before. Natural: Events occur naturally without being influenced by any factors.
  • Minimal: Human-created: No aggressors who put this approach into practice are present or available, and there is no history of the use of this approach anywhere in the facility, either in the past or at present.

Vulnerability Assessment

Vulnerability assessment is done after threats are identified and well laid out. The vulnerability assessment (Hartmann & Steup, 2013) tends to recognize the potential disaster that will occur due to loss from an attack on the project, as well as the weakness of the facility to the attack. Effect of loss is the extent to which the facility can be impaired by a certain attack.

The main feature of the vulnerability assessment is spelt out by the measures for effect of loss and weakness, which can change from organization to organization. For instance, the duration for which the project is impaired by the attack is very vital. If the facility being attacked is a system upgrade, a downtime of a few minutes may cause a major impact of loss, whilst for a Social Security office a breakdown of the system would be minor. A sample set of specifications for effect of loss is given below. These specifications are for the upgrade of the current system.

  • Devastating: The facility is destroyed beyond a stable use. Most items are lost, destroyed, or damaged beyond repair. The number of clients will reduce by a high percentage as long as the attack is not rectified immediately and quickly.
  • Severe: The facility is partly destroyed. Examples include network failure to function properly and the facility activities may be closed or halted for some time. Other resources might be moved to a secure location for security purposes.
  • Noticeable: The facility is partially locked down or cannot perform its activities, but is able to carry on without a break of more than 24 hrs. A small number of properties may be in bad condition, and the rest of them function normally. The number of clients to this facility will reduce minimally for a specified time limit.
  • Minor: The facility incurs no pressing impact on operations and the major assets are not lost.

Vulnerability is a fusion of the appealing nature of a facility as a subject and the level of deterrence and defense provided by the existing and available measures. Subject appealingness is a measure of the properties according to the judgment of the aggressor and is greatly affected by the function and symbolic significance of the property to the facility. Example specifications for weakness measures are:

  • Highest profiled: A high profiled facility that presents a very appealing subject for possible advancements, and the level of deterrence or defense deployed by the present measures is not enough.
  • High profiled: A high profiled regional facility or a middle profiled nationwide facility for which the present measures are not enough.
  • Average profiled: An average profiled facility that presents a substantial subject, and the defense provided by the present measures is almost enough.
  • Lowest profiled: A low profiled facility that presents a probable subject, and the defense provided by the existing countermeasures is enough.
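
The combination of threat, effect-of-loss and vulnerability ratings described in this section, worked through as an added example that is not part of the original report. The 1 to 4 numbers, the multiplicative model, the band thresholds and the sample ratings are assumptions made here; the report supplies only the rating labels and the risk names.

```python
from dataclasses import dataclass, replace

# Rating labels come from the report; the 1-4 numbers are an assumption.
THREAT = {"Minimal": 1, "Potential": 2, "Reliable": 3, "Specified": 4}
IMPACT = {"Minor": 1, "Noticeable": 2, "Severe": 3, "Devastating": 4}
VULNERABILITY = {"Lowest": 1, "Average": 2, "High": 3, "Highest": 4}

# Assumed bands on the 1..64 product; a real register derives these
# from the organization's stated risk appetite.
BANDS = ((36, "High"), (12, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str
    impact: str
    vulnerability: str


def _rating(scale, label, kind):
    """Translate a label to its number, rejecting labels outside the scale."""
    if label not in scale:
        raise ValueError(f"unknown {kind} rating {label!r}; expected {list(scale)}")
    return scale[label]


def score(risk):
    """Assumed model: risk = threat x effect of loss x vulnerability."""
    return (_rating(THREAT, risk.threat, "threat")
            * _rating(IMPACT, risk.impact, "impact")
            * _rating(VULNERABILITY, risk.vulnerability, "vulnerability"))


def band(value):
    """Map a numeric score to a band using the assumed thresholds."""
    for floor, label in BANDS:
        if value >= floor:
            return label
    raise ValueError(f"score {value} is below the lowest band")


def with_countermeasure(risk, new_vulnerability):
    """A countermeasure leaves threat and impact alone and changes only
    the vulnerability rating, which is how its effect shows up in the score."""
    _rating(VULNERABILITY, new_vulnerability, "vulnerability")
    return replace(risk, vulnerability=new_vulnerability)


def register(risks):
    """Return (name, score, band) rows, highest risk first."""
    rows = [(r.name, score(r), band(score(r))) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed ratings for risks named in the report (illustrative only).
SAMPLE = [
    Risk("Website defacement", "Potential", "Minor", "Average"),
    Risk("Unauthorized access to confidential data", "Reliable", "Devastating", "High"),
    Risk("Denial-of-service attack", "Potential", "Noticeable", "High"),
    Risk("Malware infection", "Specified", "Severe", "Average"),
]

if __name__ == "__main__":
    for name, value, label in register(SAMPLE):
        print(f"{value:>3}  {label:<6}  {name}")
    # Residual risk once encryption and strong passwords lower vulnerability.
    residual = with_countermeasure(SAMPLE[1], "Average")
    print("residual:", score(residual), band(score(residual)))
```
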

The vulnerability assessment may also include detailed analysis of the potential impact of loss from an explosive, chemical or biological attack. Professionals with specific training and experience in these areas are required to perform these detailed analyses.

Vulnerability risk assessment can be summarized by the following. 

Consequences

IT risk management is full of consequences and uncertainty (Johnstone et al., 2001). Some people in an organization accept the unexpected, while others strive by all means to make sure the unexpected never happens. This is referred to as risk management: trying to prevent or take control of something that might or might not happen.

Absence of documentation

Many projects nowadays are hit by an absence of documentation, which is a necessary tool when a project is to be upgraded (Sjoberg, 1999). The most common reason for this is that the implementation team wants to meet the deadline so quickly that it forgets the documentation.

Employee relationships

Married couples in the workplace, or even people dating, are only healthy in an organization with policies or guidelines addressing the same.

Participation in making decisions

Many times IT issues are taken lightly and are left out of the boardroom. The importance of the role of IT in business is often ignored, and this is a risk not worth taking. On the other hand, there are also risks that come as a result of the board becoming over-concerned with IT matters. In some cases every board member may have a suggestion about what software type to implement or which applications of new employees to see through, which becomes a huge risk: disagreement.

Poor communication

Many people tend to operate in haste, causing the pace of information sharing to increase, so that information becomes scattered, incomplete, jumbled, and misinterpreted. One should take time to clearly elaborate on projects, tasks, and directives. Not doing so would lead to inappropriate projects not suitable for the task.

Risk for data security according to Stallings & Tahiliani (2014).

Unauthorized personnel access to information, especially confidential data like personal data and passwords. If there is no proper way to secure the data, like using strong passwords which cannot be bypassed, the new system at Aztek is vulnerable to unauthorized access. If Aztek does not use strong passwords, they should encrypt the data and information in their systems so that even when the system is hacked into, the data and information are safe. It might take a lot of time to crack the algorithm used to encrypt the data and information in Aztek databases and data warehouses.

Computer infections with viruses such as Trojans. Due to the new feature of network connectivity, the system is exposed to all types of malicious programs or applications present in the network. These malicious applications can be rabbits, viruses, Trojan horses, worms and trap bombs, which cause the system to function in a manner far from normal. This can be prevented by installing up-to-date antivirus software, which is readily available.

Violations of information roles. Unauthorized personnel might hack into the system and change the sender's intended meaning of a message in order to mislead or misinform.

Denial-of-service attack. A hacker can access a system and deny the authentic users the ability to perform their normal activities with the system (Pfleeger & Pfleeger, 2002, Security in computing). Some do this for fun, some for money and others to prove a point.

Website defacement. Unauthorized personnel might access Aztek website files and map another website on top of the Aztek website (Kaufman, 2009). This is to ensure that when somebody searches for the Aztek website, the result they get is the mapped website.

Security attacks such as vulnerability.

The type of data to be used in the system should be ciphertext, that is, encrypted data and information. This enhances protection of the information in the system in that the encryption or decryption algorithm is difficult to crack.

Only the authorized personnel should be able to access the information. For this instance only the executive, the managers and the junior staff of Aztek should be able to access Aztek information.

References

Contractor, F. J., Kundu, S. K., & Hsu, C. C. (2003). A three-stage theory of international expansion: The link between multinationality and performance in the service sector. Journal of international business studies, 34(1), 5-18.

Shahbazi, M. (2013). U.S. Patent No. 8,495,700. Washington, DC: U.S. Patent and Trademark Office.

Stallings, W., & Tahiliani, M. P. (2014). Cryptography and network security: principles and practice (Vol. 6). London: Pearson.

Hartmann, K., & Steup, C. (2013, June). The vulnerability of UAVs to cyber attacks-An approach to the risk assessment. In Cyber Conflict (CyCon), 2013 5th International Conference on (pp. 1-23). IEEE.

Remington, M., Pyryemybida, P., Bringle, M. P., & Monasterio, J. (2007). U.S. Patent Application No. 11/828,179.

Boehm, B. W. (1991). Software risk management: principles and practices. IEEE software, 8(1), 32-41.

Aloini, D., Dulmin, R., & Mininno, V. (2007). Risk management in ERP project introduction: Review of the literature. Information & Management, 44(6), 547-567.

Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4).

Liang, Y. (2007, August). An approximate reasoning model for situation and threat assessment. In Fuzzy Systems and Knowledge Discovery, 2007. FSKD 2007. Fourth International Conference on (Vol. 4, pp. 246-250). IEEE.

Rausand, M. (2013). Risk assessment: theory, methods, and applications (Vol. 115). John Wiley & Sons.

Pfleeger, C. P., & Pfleeger, S. L. (2002). Security in computing. Prentice Hall Professional Technical Reference.

Johnstone, K. M., Warfield, T. D., & Sutton, M. H. (2001). Antecedents and consequences of independence risk: Framework for analysis. Accounting Horizons, 15(1), 1-18.

Sjoberg, L. (1999). Consequences of perceived risk: Demand for mitigation. Journal of risk research, 2(2), 129-149.

