ZLX05 HND in Computing: Analyse the Risks of Business Functions

⭳   21 Download     📄   21 Pages / 5212 Words

Hackers have denied most of the services of a firm using malicious codes, such as computer systems, networks, servers, and more. It has created chaos in front of a firm, as the company has stored personal details of their employees and customers, which is confidential and sensitive. Thus, the company should adopt firewalls and intrusion detection systems to avoid DDoS attacks. The DDoS attack makes a huge impact on the services of a firm, as it has blocked all the services of a firm, which has affected its internal and external processes. Moreover, a firm can use a security management system to avoid such types of attacks, which are not good for the company as well.  

Data breaches

Data breaches are common issues in most of the organization, which is not good for their customers as well as the company. Customers have provided their personal details to the company, such as name, address, email, credit card number, and many others. Therefore, the company should protect the data and information of customers as well as the company using proper resources.

Source: Publicly available numbers from Javelin Strategy & Research

Viruses

It is the most critical thing for a firm, which has created a critical condition in front of a firm, which is a virus. It is a program, which can damage the data and information of a firm, which is usable and meaningful for the company. Thus, the company should use proper antivirus software to avoid such types of issues.

Phishing

It is different types of IT security risks in which hackers have c
reated a program to take personal information of users or employees to take access to their main systems, such as date of birth, name, mobile number, and many others. Thus, the company should provide training to its employees about their roles and responsibility for IT security. Furthermore, security processes have used monitoring systems, which have analyzed various processes of a firm.

Source: (Norton, 2018)

Virtual Private Network (VPN) 

VPN is separated from the DMZ, as it has included private connection between internal resources of a firm. It will be beneficial for internal programs. Most of the zones have  used private connection for the company as well as other peoples.   VPN is a good solution for solving risks from cyber-attacks. In addition, DMZ can provide a private sector to secure all the components of a network. Moreover, many companies have used DMZ and VPN for security purposes.  Most of the processes have secured using firewalls, DMZ, VPN, and many other procedures and techniques. However, hackers have used new programs to break the security of a system using their vulnerabilities.

Source: (Leiniö, 2015)

DMZ has secured all the internal resources from external risks and threats. It is the best way to make a connection secure in a company.  

Source: author

Internet is available for the company, which is necessary for managing all the external and internal communication skills. It is necessary to implement firewall and DMZ zone for security of servers and systems. The company can setup different setup of servers, which are necessary for managing different domains, such as mail server, MySQL server, and DNS. Moreover, internal network can be used firewall for securing connection from outside as well.   

Data Protection

Data protection is necessary for managing all the things in a better way. Thus, it is necessary to implement regulations for data protection. Third-party devices cannot allow on the premises without proper checking. In addition, an audit is necessary for managing all the things. Most of the risks have generated because of vulnerabilities in the system of a firm. Moreover, companies have ignored the basic functions of security, which is a reason for IT security risks. Vulnerabilities are the reason for threats. Thus, a firm should reduce their vulnerabilities using various methods, such as audit and security frameworks. There are various security frameworks, which have provided security to the system from various threats. ISO 27001 has provided guidelines for audit and monitoring of most of the IT assets (Cobb, 2010). The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

Risk assessment procedure

Risk is a business concept, which makes the likelihood of financial losses in different levels, such as low, high, medium. There are three main factors in business. It provides help to calculate risk in a particular sector, which is an asset, threat, and vulnerability (Datameer, 2018). There are some basic financial damages because of risks, which are data loss, legal consequences, and system downtime. There is some basic step for risk assessment, which has provided control to all the risk of assets and other things. These are steps, which areas:

1. Identification of assets: An organization must identify all its assets, which are important for working. In the case of IT risk assessment, assets include documents, servers, trade secrets, client information, and many more. Those assets have collected large amounts of information, which is valuable for a firm. A firm should have this information on their assets, which includes hardware, software, data, IT security policies, network topology, interfaces, storage protection, mission, physical and technical security, information flow, and many more(Dunham, 2018).
2. Identification of threats: the threat is a way to access the vulnerability of a system to damage their data and information. There are different types of threats, which are natural disasters, system failures, human interface, and malicious activities. In addition, natural disasters include earthquakes, floods, fire, hurricanes, and many others. It is necessary to take care about the basic things, such as secure all the devices from natural disasters as possible. System failure has imposed huge losses in some types of businesses, which was based on the systems, such as supermarkets, and retails(Datameer, 2018). Therefore, a firm should implement high-quality equipment to reduce the chances of system failure. Sometimes, unknowingly people have deleted files, which are important for business processes. Moreover, it is an issue in front of various firms to recover damaged files from computer systems (Dutton, 2017). Hackers can use different types of ways to access the data of the system as well as damage the data using distributed denial of service (DDoS).
3. Identify vulnerabilities of the firm: threat can exploit a weakness of systems to damage their architecture in different ways. There are some loopholes in architecture, which can be used by the threats(Humphreys, 2008). In addition, it can be identified using audit and analysis as well. There are some tools and techniques available in the market to analyzed vulnerability, such as penetration testing techniques, scanning tools, and tests and evaluation (Hayslip, 2018).
4. Finding controls: The system manager can create different types of controls to reduce risks and avoid issues base on the software, intrusion detection systems, encryption, authentication, and many other things. Based on the audit of the entire system, the security manager can provide proper controls for each vulnerability(James, 2019).
5. Determine the likelihood of risk: there are different types of systems available in the market, which has used for controlling risk in a network. It depends on the categories of risk as well, such as high, medium, and low.

Source: (James, 2019)

6. Impact of threat on the firm: there are different factors for analyzing the impacts of threats, which are the mission of the system, the value of the data, and the sensitivity of the information in the system(Lopez , 2013). There is some particular analysis about the risk control, such as Business impact analysis (BIA). It has included few things, which are estimated frequency of the threat, the impact of a threat exploiting, and approximate cost of each of these occurrences (Kshetri, 2013).
7. Ranking of risks based on damages: there are different levels of risk. It can be determined using these parameters, which are the impact of threat, likelihood, and reducing the risk(Palmer, 2018). There are differing types of risk-level matrix, which are helpful for the identification of the level of risk (Magid , 2013).
8. Recommend controls: based on the level of risk, action can be defined for managing all the things in a proper manner(Paquet, 2013). It is necessary to consider these things to mitigate risks, which are feasibility, applicable regulations, safety and reliability, operational impact, cost-benefit analysis, applicable regulations, and organizational policies (Pearson, 2013).
9. Documentation of results: it is an important part of risk assessment in which the risk assessment report has created in the end(Peltier, 2016). Thus, management can take proper decisions based on the report, such as policies, procedures, budget, and many more.

Source: Author

All the factors can be managed using proper actions based on various things. It provides growth and success to the organization.  

ISO 31000 applicability 

It is an international standard for risk assessment and management. In addition, there are many benefits to this standard to manage all the risks of an organization. There are many benefits of mitigation strategies, which has provided by the Australian government (ACSC, 2019). Most of the standards have included different things to secure all the IT assets. In addition, many changes have occurred in malicious programs. Thus, it is necessary to update the rules and reregulation (Purdy, 2010).     

Source: (Purdy, 2010)

Most of the risks can be identified using audit and analysis. Therefore, a particular standard has created for the evaluation of vulnerabilities (Rittinghouse & Ransome, 2016). The focus of this standard is based on four things, which are reliability and consistency. It has included these things, which areas:

1. One vocabulary for risk management: it provides a working group, which provides a number of terms, which has used in risk management. These things provide help to know about the risks and their impacts. Guide 73:2002 is available for the identification of different terms. In addition, all the terms have upgraded based on new risks and threats(Rouse, 2019).
2. Performance criteria: there are some performance criteria for different processes, which has assured about the risks(Rouse, 2018). It has managed risks effectively and efficiently. It has included different things, which areas:

• Be dynamic, iterative, and responsive to change;
• Create and protect value;
• Be transparent and inclusive;
• Be an integral part of all organizational processes;
• Be part of decision making;
• Take into account human and cultural factors;
• Explicitly address uncertainty;
• Be systematic, structured, and timely;
• Be tailored;
• Be based on the best available information;
• Facilitate continual improvement of the organization.

3. Process for managing risks: there are different things to manage all the parameters in a better way(Sanchez, 2010). It is necessary to communicate and consult with the external and internal stakeholders, which is better for security and risk reduction. However, monitoring and review are helpful in the action taking a process (Security-trails, 2018). It has considered internal and external environments to complete the task. It is necessary to reduce the consequences of risks using different methods.
4. Framework for managing risks: it has recommended to the management that risk management can be merged with the decision-making processes(Soomro, et al., 2016). In addition, risk management can be implemented with other policies and regulations (Sen, 2014).          

In addition, data security is a huge issue in front of most of the technologies, which can be managed using various things (Chen & Zhao, 2012). Many organizations have ignored this standard because of cost and time. However, data breaches have imposed large amounts of financial losses for the organization. Thus, it is the basic need of an organization to manage all the things.  Moreover, ISO 31000 has used for risk treatment, which is good for an organization. In addition, there are some basic advantages of an international framework to improve the quality of security. Many firms have faced cyber-attacks because of the poor security of IT assets.   

IT security policies 

Security policies are necessary for managing risks and controlling them. In addition, the Australian government has provided a basic code of ethics to manage IT assets (ACSC, 2017). A firm should consider the importance of IT security policies to reduces challenges and avoid issues in its business functions, which are related to IT systems (Sotnikov, 2018).

Many organizations have implemented international standards to avoid risks in their business operations. An international standard of risk management has designed to audit all the assets of the firm, which has used for the creation of controls (Stttech, 2019). It is necessary to improve the business processes to make secure all the data from both ends (Blakstad & Andreassen, 2016).

Moreover, the organization has used different types of security policies, which are helpful to manage risks and threats for their IT assets (Warren, 2011). Besides, it is necessary to improve the outcomes of various processes. In addition, many problems can be solved using rules and regulations. It has created for the prevention and avoidance of threats (Whitman & Mattord, 2011). Threats have exploited vulnerabilities of the system to access the data and controls. Thus, it is necessary to improve the basic services using IT security policies. In addition, cloud computing is helpful in the management of security risks (Bird, 2018). IT security policy has based on differ internal policies for security, which must be implemented in an organization, which areas:

• Acceptable Use Policy (AUP):  it is a process in which all the employees have their network ID to access the IT assets, as without network ID no one can access the system. It makes all the systems secure(Irwin, 2019).  
• Access Control Policy (ACP): an organization should use ACP to protect their system from external threats. This policy has included NIST’s access control guide to monitor and control all the network, server, software, and other things.
• Information Security Policy: This policy has included a high level of control to avoid critical issues in the network of the organization. It makes secure all the IT assets of an organization(James, 2019).
• Incident Response (IR) Policy: it is necessary to recover damages because of threats and attacks. In addition, people should know about the incident response and its benefits for the company. It can reduce losses of data breaches.
• Disaster Recovery Policy: it has included many rules and regulations from cybersecurity. This security policy assures about the backup and recovery of data and information.    
• Business Continuity Plan (BCP): BCP is a common process in the present era, as many organizations have implemented this facility to secure their data and information. It is different for each firm, as it is depending on the organization that how the firm will handle it in an emergency.   

There are many other security policies in international standards, which can be managed using basic services. Most of the important security policy is access control. Moreover, cyber-attacks have increased day by day, which is a huge issue in front of the organization (Bendovschi, 2015).  

Impact of IT security audit on organizational security 

An audit has analyzed most of the vulnerabilities of a system using tools and techniques. It has depended on the basic services of an organization (Zhou, et al., 2017). In addition, security can be improved based on the audit and monitoring of different suspicious processes. It can manage most of the things in a better way (Zhang, et al., 2010). There are many security systems available in the market, which provides proper protection from threats. Most of the firms have ignored the basic risks of IT assets, which can damage data and information   (Beaver, 2013).

Source: (Svantesson & Clarke, 2010)

Moreover, an audit is a good option to analyze various processes. Therefore, the security team can create controls for those vulnerabilities. However, there are many intrusion protection systems are presented in the market. In addition, the firewall is the best option for security, as well as there, are other options in the market to monitor suspicions activities. A honeynet is a new concept to know about the attacks on the system. Security is a huge challenge in front of a human. Thus, it is necessary to increase knowledge about cyber-attacks (Ashenden, 2008). Many organizations can use third parties to secure all IT assets from cyber-attacks.  

Disaster management plan 

It is the best way for business continuity after any type of disaster, such as earthquakes, floods, and many others. A firm should implement a disaster recovery plan, which is a good way to reduce the losses of a firm. It is a part of security as well. Backup and recovery are a basic need in the present era.  

Source: Author

Apart from it, IT security policies have evaluated based on penetration tools and techniques. It will improve their guidelines for users. Employees have made mistakes because of a lack of knowledge, which is harmful to a firm, such as social engineering, phishing, and many others. There are various threats, which have identified vulnerabilities of a system to damage their security.           

Source: Author

There are three types of disasters, as mention in the above diagram, which is natural, technological, human. In addition, a disaster recovery plan can reduce losses from these disasters (Edwards, 2017).   

Source: Author

Evaluation of IT security policies 

There are many ways to evaluate IT security policies. Ethical hackers have used different types of techniques to monitor all the things to secure the whole system. In addition, server-monitoring tools have used to identify suspicious activities, which can damage data and other things in the system. Moreover, there are various things to evaluate security policies based on IT assets. Those assets can be analyzed using different testing tools. There are many data mining tools to evaluate security policies (Tipton & Nozaki, 2007). Most of the threats can be managed using security policies. However, attackers have used different types of programs to access the databases.   

Moreover, IT security policies have included most of the parts of security management in an organization. In addition, most of the systems can be evaluate using proper standards, such as ISO 27001, 31000, and many others. Cybersecurity is necessary for managing all the things in a good manner (Arlitsch & Edelman, 2014). Besides, IT security policies have provided various solutions for particular problems. Moreover, there are some basic concepts to manage risks using policies and regulations.  Furthermore, IT risks can be managed using controls, which are based on the ranking of risks. In addition, most of the people have less knowledge about cybercrimes and cyber-attacks. Thus, knowledge development is necessary for them. Many organizations can provide guides and security manuals to secure all the things (Soomro, et al., 2016).

Recommendations

There are many things to manage using IT security policies. In addition, there are some recommendations for an organization to secure IT assets from different types of assets. These are the recommendations that must be followed by an organization, which areas:

• Develop cybersecurity cells to monitor suspicious activities in the network of an organization
• Establish training and education system to spread knowledge about the security threats and incident response.
• Create and updates rules and regulations based on the various international standards, such as ISO 31000, 27000, and many more.
• Provide knowledge about cybercrimes and cyber-attacks to understand their impacts and consequences.
• Develop and introduce new security policies to secure IT assets from a technical and physical point of view

All these recommendations must follow by an organization to secure their IT assets from different types of threats. Most of the things can be managed using IT security policies and the rest of them have handled using legal procedures.          

Conclusion 

In conclusion, there are many benefits of risk assessment in an organization. In addition, audit and monitoring have used to identify risks of an organization, which can be damaged large amounts of data and IT assets, which makes a huge impact on the financial condition of an organization. This report has provided a deep analysis of IT security policies. It has explained about the procedure of IT risk assessment with their steps. Moreover, it has provided details of the ISO 31000 standard, which is helpful in the risk assessment. In this report, the impacts of the audit have discussed in detail, which is necessary for the identification of threats. Finally, IT risk assessment has used for the identification of the different types of risk with IT assets and their controls. It will provide better outcomes for an organization. It will secure from different types of cyber-attacks and cybercrime. A firm can manage their IT assets using knowledge and policies, which is good for the employees and company.  

References 

ACSC, 2017. Australian Cyber Security Centre. [Online] Available at: https://www.acsc.gov.au/publications/ACSC_Threat_Report_2017.pdf[Accessed 12 December 2018].

ACSC, 2019. Strategies to Mitigate Cyber Security Incidents. [Online] Available at: https://acsc.gov.au/infosec/mitigationstrategies.htm[Accessed 3 September 2019].

Arlitsch, K. & Edelman, A., 2014. Staying safe: Cyber security for people and organizations. Journal of Library Administration, 54(1), pp. 46-56.

Ashenden, D., 2008. Information Security management: A human challenge?. Information security technical report, 13(4), pp. 195-201.

Beaver, K., 2013. Top 5 Common Network Security Vulnerabilities that Are Often Overlooked. [Online] Available at: https://www.acunetix.com/blog/articles/the-top-5-network-security-vulnerabilities/[Accessed 25 November 2019].

Bendovschi, A., 2015. Cyber-attacks–trends, patterns and security countermeasures. Procedia Economics and Finance, Volume 28, pp. 24-31.

Bird, D. A., 2018. Information Security risk considerations for the processing of IoT sourced data in the Public Cloud.

Blakstad, K. . M. & Andreassen, M., 2016. Security in Cloud Computing: A Security Assessment of Cloud Computing Providers for an Online Receipt Storage. [Online]
Available at: https://brage.bibsys.no/xmlui/handle/11250/253189[Accessed 21 February 2019].

Chen, D. & Zhao, H., 2012. Data security and privacy protection issues in cloud computing. International Conference on Computer Science and Electronics Engineering, 1(1), pp. 647-651.

Cobb, M., 2010. ISO 27001 SoA: Creating an information security policy document. [Online] Available at: https://www.computerweekly.com/tip/ISO-27001-SoA-Creating-an-information-security-policy-document[Accessed 25 November 2019].

Cuzzocrea, A., 2014. Privacy and security of big data: current challenges and future research perspectives.. Shanghai, ACM, pp. 45-47.

Datameer, 2018. Challenges to Cyber Security & How Big Data Analytics Can Help. [Online] Available at: https://www.datameer.com/blog/challenges-to-cyber-security-and-how-big-data-analytics-can-help/[Accessed 3 May 2019].

Dunham, . R., 2018. Information Security Policies: Why They Are Important To Your Organization. [Online] Available at: https://linfordco.com/blog/information-security-policies/[Accessed 12 March 2019].

Dutton, J., 2017. three-pillars-of-cyber-security. [Online] Available at: https://www.itgovernance.co.uk/blog/three-pillars-of-cyber-security

Edwards, J., 2017. Disaster recovery vs. security recovery plans: Why you need separate strategies. [Online] Available at: https://www.csoonline.com/article/3218083/disaster-recovery-vs-security-recovery-plans-why-you-need-separate-strategies.html[Accessed 28 January 2020].

Hayslip, . G., 2018. 9 policies and procedures you need to know about if you’re starting a new security program. [Online] Available at: https://www.csoonline.com/article/3263738/9-policies-and-procedures-you-need-to-know-about-if-youre-starting-a-new-security-program.html[Accessed 26 November 2019].

Humphreys, E., 2008. Information security management standards: Compliance, governance and risk management. information security technical report, 13(4), pp. 247-255.

Irwin, L., 2019. 5 information security policies your organisation must have. [Online] Available at: https://www.itgovernance.co.uk/blog/5-information-security-policies-your-organisation-must-have[Accessed 26 November 2019].

James, P., 2019. Information Security Risks That You Need to Careful With Vendors/3rd Parties. [Online] Available at: https://gbhackers.com/information-security-risks/[Accessed 25 November 2019].

Kshetri, . N., 2013. Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4-5), pp. 372-386.

Leiniö, M., 2015. SoftEther VPN with a VPN Address Pool. [Online] Available at: https://majornetwork.net/2015/05/softether-vpn-with-a-vpn-address-pool/[Accessed 28 January 2020].

Lopez , D., 2013. Data security. Data Science Journal, 10 08, 12(1), pp. 69-74.

Magid , L., 2013. Online Privacy and Security is a Shared Responsibility: Government, Industry and You. [Online] Available at: https://www.forbes.com/sites/larrymagid/2013/02/12/online-privacy-and-security-is-a-shared-responsibility-government-industry-and-you/[Accessed 18 May 2019].

Norton, 2018. 10 cyber security facts and statistics for 2018. [Online] Available at: https://us.norton.com/internetsecurity-emerging-threats-10-facts-about-todays-cybersecurity-landscape-that-you-should-know.html[Accessed 28 January 2020].

Palmer, D., 2018. Cyber security: Hackers step out of the shadows with bigger, bolder attacks. [Online] Available at: https://www.zdnet.com/article/cyber-security-hackers-step-out-of-the-shadows-with-bigger-bolder-attacks/[Accessed 14 June 2019].

Paquet, C., 2013. Network Security Concepts and Policies. [Online] Available at: https://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3[Accessed 2 november 2019].

Pearson, . S., 2013. Privacy, security and trust in cloud computing. In Privacy and Security for Cloud Computing. 1 ed. London: Springer.

Peltier, T. R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. s.l.:Auerbach Publications.

Purdy, G., 2010. ISO 31000:2009 – setting a new standard for risk management. [Online] Available at: https://broadleaf.com.au/resource-material/iso-31000-2009-setting-a-new-standard-for-risk-management/[Accessed 25 November 2019].

Rittinghouse, J. W. & Ransome, J. F., 2016. Cloud computing: implementation, management, and security. Florida: CRC press.

Rouse, M., 2018. physical security. [Online] Available at: https://searchsecurity.techtarget.com/definition/physical-securityRouse, M., 2019. cybersecurity. [Online]
Available at: https://searchsecurity.techtarget.com/definition/cybersecurity[Accessed 15 August 2019].

Sanchez, M., 2010. The 10 most common security threats explained. [Online] Available at: https://blogs.cisco.com/smallbusiness/the-10-most-common-security-threats-explained[Accessed 12 December 2018].

Security-trails, 2018. Top 10 Common Network Security Threats Explained. [Online] Available at: https://securitytrails.com/blog/top-10-common-network-security-threats-explained

Sen, J., 2014. Security and privacy issues in cloud computing.. In: In Architectures and protocols for secure information technology infrastructures. USA: IGI Global, pp. 1-45.

Soomro, Z. A., Shah, M. H. & Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, pp. 215-225.

Sotnikov, I., 2018. How to Perform IT Risk Assessment. [Online] Available at: https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/[Accessed 25 November 2019].

Stttech, 2019. Integrated Security Management System (ISMS). [Online] Available at: https://stttech.com.my/integrated-security-management-system-isms/[Accessed 14 July 2019].

Svantesson, D. & Clarke, R., 2010. Privacy and consumer risks in cloud computing.. Computer law & security review, 26(4), pp. 391-397.

Tipton, H. F. & Nozaki, M. K., 2007. Information security management handbook. New jersy : CRC press.

Warren, E., 2011. Legal, Ethical, and Professional Issues in Information Security. [Online] Available at: https://www.cengage.com/resource_uploads/downloads/1111138214_259148.pdf

Whitman, M. E. & Mattord, H. J., 2011. Principles of information security. 1 ed. London: Cengage Learning..

Zhang, X., Wuwong, N., Li, H. & Zhang, X., 2010. Information security risk management framework for the cloud computing environments.. s.l., IEEE, pp. 1328-1334.

Zhou, J., Cao, Z., Dong, X. & Vasilakos, A. . V., 2017. Security and privacy for cloud-based IoT: challenges.. IEEE Communications Magazine, 55(1), pp. 26-33.