CSM305 Risk Management | IT Organisation Governance
Questions:
- Use a diagram (produced by the means of using Rationale, Visio or any other relevant software application of your choice) to illustrate current security risks and concerns considered by the VIC government.
- Provide a detailed explanation of the diagram and identify the areas of high, medium, medium-low, and low risk exposure.
- Carry out comparative analysis of the Deliberate and Accidental Threats and rank those threats in order of importance. Justify your rankings not only on the basis of the case study but also by the means of doing further research and drawing upon other relevant case studies (e.g. Security guidelines for other private and public organizations) that you can identify.
- While drawing upon theories, tools and patterns covered in the subject as well as your own research, explain the challenges that the VIC government is going to face while deciding on whether security/risk management should be carried out internally or externally (e.g. via outsourcing).
- Explain the difference between the concepts of "Risk" and "Uncertainty" (make sure that your discussion is linked to the case considered).
- Discuss and evaluate (with examples) different approaches available to the VIC government for risk control and mitigation.
Answers:
1. Pictorial representation of current security risks which are considered by the VIC government.
The security risks and threats considered by the VIC government are shown pictorially in the figure below, produced with the help of
Figure: Secure coding controls
2. Diagram explanation and recognising the areas of high, medium, medium-low, and low risk exposure.
Risks are classified in various ways depending on the situation. Generally, risk is classified as low or medium, and medium risk is further divided into medium-low and medium-high risk.
Figure: Levels of risk
The firm or management bearing the risk must classify its own risk levels and must take preventive steps in every case of risk. The further classification of risks is shown in the figure below.
Figure: Types of risks
Process risk takes several forms. Infrastructure risk is the outage of infrastructure, for example the failure of communication links. The second process risk is information technology risk, which arises from technical errors in a process and renders the process invalid. The third process risk is human error (Tsoumas & Tryfonas, 2004).
It is necessary to create a system that is free of human error and friendly to its human users. The fourth process risk is workplace safety, which concerns major and minor accidents and strains to people (Purtell, 2008). Risk exposures are divided into three types: transaction risk, translation risk and economic risk. Transaction risk arises from currency losses caused by changes in stock market values and in the international value of shares. According to Stoneburner, Goguen, & Feringa (2002), economic risk is the risk arising from macroeconomic change, including movements in a stock exchange, government regulation and instability in government such as the political situation, all of which affect investments.
Exposures are classified as expected and unexpected. Expected exposure covers the low and medium levels of exposure; unexpected exposure covers the high and catastrophic levels. For low-level exposure the risk solution is yearly profit or internal control, whose advantages are operating-group focus and efficiency. For medium-level exposure the solution is yearly profit analysis with profit control, whose advantage is cash flow. For high-level exposure the solution is a form of insurance, either self-insurance or risk-based insurance; its advantages are diversification, which divides the risk across several fields, and pooling, which has an established mechanism. The final level is catastrophic exposure, where the solution lies in the capital markets and hybrid capital markets; this requires planning for long-term analysis and access to a larger pool of capital (Liderman, 2008).
3. A comparative analysis of the deliberate and accidental threats to understand their importance.
Accidental threats are those such as deleting files by accident or sending files, for example emails, to the wrong person. Care must be taken when sending confidential information to anyone, because the impact is critical. Another area where threats arise is smartphone and mobile hacking, which targets mobile devices, tablets and embedded systems to gain access to personal data, the OS and applications. SQL injection is the next area where attacks are possible; it affects database servers, and sensitive data may be lost or stolen. Both data and programs are prone to accidental and deliberate threats. Internal threats can take the form of hardware failure caused by internal system failure or man-made error. Faulty procedures must also be avoided. Natural disasters are not in human hands and cannot be avoided. Dishonest employees and staff must be tracked from time to time; this is one of the precautionary measures against threats of any kind. Hackers are a primary problem for any system, and a powerful security system is necessary to avoid such threats. Viruses can be eliminated by using anti-virus software and filters. Pop-ups and bad websites must not be accessed if the system is to be maintained safely. Catastrophic issues must also be kept in mind during system operation. Authentication is another essential precaution, and authentication is necessary at every level of data usage. The best software and methods should be employed in the maintenance of the organisation, and qualitative initiatives are required in all areas. Nowadays, electronic access to data has to be managed carefully. Software piracy is another area requiring attention: the best software must be used to eliminate threats, and legal rights must be respected in all aspects of maintenance (Orzechowski, 2007).
Other accidental threats are incidental disclosure, interruption of work, equipment malfunction and errors in the system.
Figure: IT Threat Analysis
Deliberate threats are caused by inaction, misuse of resources, abuse, fraud, and crimes such as extortion and vandalism. They arise from the unauthorised use of or access to a service such as desktops, tablets or servers, either by bypassing the network or through hacking, and can also exploit flaws in the security system. Only persons who know those flaws can do this, so in most cases it is an internal person. Passwords are another area requiring care: a broken or copied password gives access to the system or its data, and some passwords are predictable while others are copied (Halliday, Badenhorst & Von Solms, 1996).
Security guidelines for other private and public organizations
According to Carr (2004), preventions against insider threats must be implemented. The deliberate insider is the difficult case: more attention has to be paid to the authorisation of and access to files, both soft copies and hard copies, including the devices that hold them. Accidental insider threats must also be addressed, and one has to distinguish the actions the work requires from optional ones. Typical attacks involve attached executable files, macros in files and systems, active scripting and HTML scripts. Social phishing targets individual users and relies on the trust placed in fake social profiles and on an initial infection, after which malware establishes command over the network of devices. The remaining areas are passwords and configuration.
Threat agents may be human beings, non-human factors or acts of nature. Theft and hacking are acts of human beings; non-human threats include forgotten passwords or lost devices; acts of nature include fire and earthquake. Human causes are classified into deliberate and accidental threats. Password attacks target endpoint systems and servers. The next area is distributed denial of service, which targets network applications and any level of infrastructure; it disrupts operations and also leads to threats in other forms.
4. Challenges the VIC government faces in carrying out security or risk management internally or externally via outsourcing.
Management must know the causes and consequences of each risk and the likelihood of each security event. The risk level must be analysed and determined, and the stakeholders' views kept in mind. The governance structure must be understood from top to bottom; it is not the same for every organisation, so the organisational flow is very important, as are the policies the system follows and their objectives. Proper knowledge of the resources provided in the organisation is essential, and the information flow is in many cases highly confidential.
Communication and consultation are required in every area. The context has to be defined properly for a better understanding of the situation. Risks have to be identified for better security, then analysed thoroughly and evaluated properly so that a solution can be found. Before treating a risk one has to accept it for the safety of the system and data. Finally, all of these points have to be monitored and reviewed (Grzywak, 2000).
Figure: IT Organisation Governance and Risk Management
The relationship with stakeholders must always be good as a matter of trust. One must adopt the culture of the organisation. The standards of the system are fixed, and one must raise those standards. Management must commit to a few things for better security and risk management.
The objectives of Risk management
The primary objective is to understand the business risk. One has to create the opportunity to avoid risks, allocate resources properly in all areas and meet the requirements of the stakeholders. Risk can be defined as the product of impact and probability, so its elements divide into impact and probability. Impact is further divided into asset and threat, and the threat has three parts: the threat source, the initiation probability and the success probability. Probability is divided into two parts, vulnerability and mitigation. Vulnerability is divided into three cases: predisposing conditions, pervasiveness and severity (Bandyopadhyay, Mykytyn & Mykytyn, 1999). Mitigation leads to effectiveness.
Owners always keep an eye on their assets while also taking care of threats and attacks, and they must always have countermeasures. Revenue-generating assets are different from profitability assets, so assets are classified before countermeasures are assigned. Any organisation faces multiple threats, and the risks must be manageable at any given point in time. Threat ranking is another criterion for quantitative and qualitative analysis. Flaws and weaknesses in assets must be strengthened. Risk assessment gives a numerical value and analysis where possible, and it is required in order to provide security against the calculated risks; hence the risk can be successfully blocked (Tsoumas & Tryfonas, 2004).
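As an added worked example (not part of the original answer), the decomposition above and the threat ranking it supports can be made concrete as a small scoring model in Python. The way the components are combined, the 1 to 5 and 0 to 1 scales, the band thresholds and the three sample threats are all assumptions constructed for illustration, not values from the case study or the cited sources.

```python
"""Worked scoring model for the risk decomposition in the text:
risk = impact x probability, impact from asset and threat (initiation and
success probability), probability from vulnerability (predisposing
conditions, pervasiveness, severity) less mitigation effectiveness.
Combination rules, scales, band thresholds and sample threats are all
constructed assumptions; none come from the case study or cited sources."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    kind: str                        # "deliberate" or "accidental"
    asset_value: int                 # 1..5, worth of the affected asset
    initiation_probability: float    # 0..1, chance the threat source acts
    success_probability: float       # 0..1, chance the event then succeeds
    predisposing_conditions: int     # 1..5, vulnerability components
    pervasiveness: int               # 1..5
    severity: int                    # 1..5
    mitigation_effectiveness: float  # 0..1, share of probability removed


def impact(t: Threat) -> float:
    """Assumed rule: asset value scaled by initiation and success chance (0..5)."""
    return t.asset_value * t.initiation_probability * t.success_probability


def probability(t: Threat) -> float:
    """Assumed rule: mean vulnerability component (1..5), reduced by the
    fraction the mitigation is judged to remove."""
    vulnerability = (t.predisposing_conditions + t.pervasiveness + t.severity) / 3
    return vulnerability * (1.0 - t.mitigation_effectiveness)


def risk(t: Threat) -> float:
    """The text's definition: risk is the product of impact and probability."""
    return impact(t) * probability(t)


def band(score: float) -> str:
    """Map a 0..25 score onto the four exposure levels the text names;
    the thresholds are an assumption."""
    for limit, level in ((4, "low"), (8, "medium-low"), (12, "medium")):
        if score < limit:
            return level
    return "high"


# Constructed register mixing deliberate and accidental threats from the text.
REGISTER = [
    Threat("Guessed or copied password used on a server", "deliberate",
           5, 0.9, 0.8, 4, 4, 5, 0.1),
    Threat("Confidential file emailed to the wrong person", "accidental",
           4, 0.6, 0.9, 3, 5, 3, 0.4),
    Threat("Communication link outage", "accidental", 3, 0.3, 1.0, 2, 3, 4, 0.6),
]


def rank(register=REGISTER):
    """Rank threats by risk, highest first: (name, kind, score, band)."""
    rows = [(t.name, t.kind, round(risk(t), 2), band(risk(t))) for t in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, kind, score, level in rank():
        print(f"{score:5.2f}  {level:10s} {kind:10s} {name}")
```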
5. Comparison between the concepts of "Risk" and "Uncertainty" with the help of the case study of Victorian data security.
Risk is a subset of uncertainty. Five steps are required to deal with risk and uncertainty. Preparation must be improved by gathering data and creating standards and templates. The second step is expanding the evaluation of the system by conducting a strategic assessment. One must then assess the risk and the uncertainty, and also conduct a value-based assessment. Decision making must be improved over time with prediction calculations. Finally, the tracking of uncertain events has to be improved, through performance tracking and conducting assessments (Liderman, 2008).
Risks can be controlled in various possible ways; this is also known as risk management. The first step is avoidance: avoiding a risk helps control the loss, and as the name says, the risk is avoided completely. This is the first and foremost way of avoiding any threat to the organisation. The second step is loss reduction, which accepts the risk and analyses the loss associated with it, trying to minimise the loss due to a particular threat. The best example is a company holding flammable and explosive items: it prepares for the risk and uses water and fire safety measures to prevent future threats. The next method is loss prevention, which cannot eliminate the loss but can minimise its impact from unknown threats. An example of this technique is protecting a secret item or inventory from theft: such threats remain possible, but one must still take preventive measures to eliminate the loss, such as strict security checks, video surveillance and a secured place of storage.
Figure: Risk and Uncertainty
The next technique is separation, which places data, files and assets in different locations to avoid the threat, so that assets elsewhere are preserved if a catastrophe occurs in one place. Duplication is the next management technique, in which data, files and other services are backed up; the backup allows complete recovery from the loss caused by a threat. The best examples of these services are found in organisations associated with computers and disaster management. The last step is diversification of resources, which creates multiple areas of business and helps control the loss to the firm because the loss does not extend to the other areas. Diversification is a long-term process. Regular inspections of the work area in any field reduce loss, and proper maintenance is required in all areas for the best results and the least chance of failure. Testing is one method by which the life of a process, system or machine can be increased, leading to better reliability (Purtell, 2008).
6. Discussion and evaluation of different approaches which are available to the VIC government for risk control and mitigation.
The preliminary step of risk management is to identify the risk, and there are various ways of doing so. Automation is the modern-day risk avoidance step: system automation, cloud data backup and duplication via automation remove human error to a large extent. There are also physical control techniques through which many preventive measures can be taken. Engineering control is the next step up, in which damage to machines is avoided by shutting them down automatically before they break down. Better communication is required in all areas so that limitations and threats are known. Redundancy has to be eliminated in all its forms. Training is the best methodology for improving the skills and strength of the workforce. One must have a proper business plan for facing threats and reducing risk, and quality also has to be present in a product-based environment.
Figure: Risk management cycle
Risk identification is necessary for any model. The general categories of risk are generic risk and product-specific risk, further classified into project risk, product risk and business risk. One risk item is the loss of a team member, which decreases the efficiency of the system and also disrupts its balance and flow; if the team leader is lost, future work will definitely suffer. The timing of meetings is also important, and common meeting times are advised to increase efficiency and reduce all kinds of risk. Lack of communication is also a key factor, so the communication of the idea or concept is necessary (Orzechowski, 2007). Work integration is an art, and business firms must establish a good work integration process.
Risk mitigation is the plan in which options are developed to increase opportunities and at the same time reduce threats to the system.
Figure: Risk mitigation
The basic step is to identify the risk, the events that lead to it and their relationships. Then one must assess the probability and know the consequences. The next step is risk impact assessment, which includes cost and technical performance. Then one must assess the criticality of the risk. The next step is to prioritise the risks. Throughout, one must track the risk; this is known as risk tracking. The final step is risk mitigation, which monitors the situation, leads to progress and keeps the risk to the business at an acceptable level.
Conclusion
IT threats with relevance to the VIC government have been discussed thoroughly. Risk mitigation decreases the impact of loss or damage to the company in times of risk and also involves evaluation of the system. Probabilities must be calculated and alternatives planned. Loss prevention and loss control are the main ideas behind risk mitigation, which has to be carried out in both quantitative and qualitative ways. The final result must be to avoid loss as far as possible.
References
Bandyopadhyay, K., Mykytyn, P. P., & Mykytyn, K. (1999). A framework for integrated risk management in information technology. Management Decision, 37(5), 437–445.
Carr, N. (2004). Does IT Matter? Information Technology and the Corrosion of Competitive Advantage. Harvard Business School Press.
Grzywak, A. (Ed.). (2000). Security of IT systems (in Polish). Jacek Skalmierski Publishing House, Gliwice.
Halliday, S., Badenhorst, K., & Von Solms, R. (1996). A business approach to effective information technology risk analysis and management. Information Management & Computer Security, 4(1), 19–31.
Liderman, K. (2008). Risk analysis and information security in computer systems (in Polish). PWN SA, Warsaw.
Orzechowski, R. (2007). Effective application of IT in the enterprise (in Polish). E-mentor, 3(20).
Purtell, T. (2008). New view on IT risk: Building a successful information technology risk management program. The RMA Journal.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology.
Tsoumas, V., & Tryfonas, T. (2004). From risk analysis to effective security management: Towards an automated approach. Information Management & Computer Security, 12.