INF80043 IT Risk Management For Lifeskills Engagements Assignment

Answers:

Introduction

Information is the key asset for all the organizations and it becomes a prime topic of concern for the organizations to effectively manage the information and data sets that are associated with them. There are various categories of information such as sensitive information, internal information, information only for office use, public information, private information and a lot more. The information sets that the organizations deal with on a routine basis are huge in terms of volume. Also, the information that is present in these sets varies in terms of the contents, type and many other factors. It is essential to develop policies and strategies for the management of information of all classes and types and the document highlights some of the information security vulnerabilities, countermeasures and mitigation strategies that may be followed. 

Overview

Lifeskills Engagements and Activities Foundations (LEAF) is a not-for-profit tier-2 organization. The aim of the organization is to provide every child in the society with the ability to acquire their dreams. Community development is the primary goal of LEAF. LEAF is the organization that has introduced Community Based Improvement Programme (CBIP) for the community development and improvement. There are also several third parties that are associated with LEAF such as other organizations, donors, volunteers and many more. LEAF-ONE is a corporate system for LEAF that was in use since long and was designed as a robust system; however, with the expansion of the organization and increase in the number of partners and vendors, the performance of LEAF-ONE has come down and it has become essential to replace the same with a new system. Also, there are several issues associated with information and device security that the employees of LEAF bring in to the organization for their professional activities.

Purpose

The purpose of the document is to cover security risks and vulnerabilities that are associated with the organization along with the risk assessment and mitigation strategies that shall be followed.

Scope

The scope of the document has been listed below:

• Identification of the risks and vulnerabilities that are associated with LEAF
• Develop an understanding on risk identification and risk assessment approach
• Discussion on risk mitigation strategies
• Compilation of results

Risk Identification Approach

Security vulnerability that is associated with the information contained in the systems refers to the weaknesses that may be related to it and may result in the occurrence of a variety of security threats and attacks. Threats refer to the security occurrences that may result in a negative impact on the data and the information that may be present within a particular system (Webb et al., 2014). The identification of the risks has been carried out on the basis of several factors.

Asset Management

The assets that are associated with LEAF are required to be managed through proper tracking along with the execution of risk management activities to make sure that the assets are kept safe and protected at all times.

Asset Identification

The assets that are associated with LEAF are the information sets along with the resources that include human as well as non-human resources.

The information sets and the variety of information that LEAF analyzes and goes through on a per day basis along with its usage in the number of business services and operations is huge.

Threat & Vulnerabilities of LEAF

The existence of a variety of data sources along with varied formats of the same is also a prime reason of the presence of so many security threats and vulnerabilities. Some of these security occurrences in the form of risks, threats and vulnerabilities in association with LEAF have been listed and explained below.

Threats associated with the devices

There are several devices that are used by the employees of LEAF to carry out the business activities and operations. As LEAF is a Not for Profit (NFP) organization, there cannot be huge investment made to the devices and equipment to be provided to the employees. It was therefore decided to allow the employees to bring their own devices to the workplace to carry out the organizational activities. There are several risks associated with Bring Your Own Devices (BYOD) scheme in the organizations as the information gets exposed to a large set of people along with the increased risk of the malicious codes. The employees also may lead to execution of accidental risks such as exposure of information associated with the organization to the unauthorized entities and likewise.

Breaching of the information

LEAF is an organization that is associated with a lot of information such as those around donors, volunteers, third-parties, several offices, partners and many more (Michael, 2012). Web hosting, web development and mobile devices are also used in the organization which leads to the occurrence of a lot many web-based risks associated with information breaching. The attackers succeed in obtaining the unauthorized access and entry to the chunks and clusters of information and misuse their access to violate some of the essential properties of information resulting in breaching of the same. It is these cases in which the properties of information such as its privacy and confidentiality are hampered (Ngoma, 2012).

Loss & Leakage of Information

Another major security concern that emerges in the form of a security threat and attack is the leakage and eventual loss of data and information that gets executed by the malevolent entities. The information related with LEAF is exchanged amongst several stakeholders on a regular basis and the exchange normally takes place through the use of Internet or another network. There are a number of access points that are present in the network on which the information travels and these access points become the agents of the threats. There are scenarios in which the information is also transferred by the employees that are associated with the organization to the fellow employees or the third parties. There are accidental and also deliberate attacks that are executed during the transfer and handling of information by the employees (Humphreys, 2008).

Malware Attacks

Malware attacks on the information are a common practice that has been observed in association with LEAF along with other systems and organizations as well. A number of different types of malware have been created such as viruses, Trojan horses, Logic Bombs, worms, ransomware, adware, spyware and many more. These malware are the software packages that are exclusively created in order to cause damage to the system and are therefore designed to have a negative impact which may fall in the range of low to severe impacts. These malware packages are also designed to be reproducible in nature which get triggered and multiplied with each of the user action (Lopez and Pastor, 2013). Malware get entry in to the LEAF database and the information sets through the external devices owned by the employees or through the network as well.

Insider Threats

Human resources are associated in abundance with any of the organizations and LEAF is no exception. There are several resources that are engaged with the organization in several different departments. These employees have a varying degree of privileges and roles that are defined in terms of the level of access to the information. Because of the additional abilities and privileges that are granted to the employees, it has been observed that there are numerous information security attacks and threats that are given shape by these employees only. Most of these attacks are deliberate in nature to gain a personal benefit. Some of these threats are also accidental in nature and are caused due to certain operational errors. However, irrespective of the type and nature of the attack, the impact that results out from these attacks is negative in nature (Feng and Yu, 2012).

Legal Risks and Attacks

LEAF collaborates with a number of different agencies and organizations all across the globe that has their own set of applicable legal policies and rules. There are scenarios wherein legal obligations emerge due to non-adherence to the rules associated with one of the parties and the impacts that come out of the same are also negative in nature (Chakrabarti, 2009). Security and integrity of the information will also be negatively impacted.

Weaknesses of LEAF-ONE

LEAF-ONE is an outdated corporate system that is being followed at LEAF which will also lead to the emergence of a lot many security risks and attacks. The attackers would find it easy to take advantage of the security vulnerabilities and exploits that are associated with LEAF-ONE to gain access to the private and sensitive information.

Network Availability Attacks – DoS and DDoS attacks

Web hosting and web development activities are carried out in LEAF that involves active use of networks. Availability attacks that are executed on the information impact the availability of the information and make it inaccessible to the users. There are many services and applications that parallel run on the organization’s internal and external networks which are made available by the execution of the Denial and Distributed Denial of Service attacks on the same. These are the attacks in which the malevolent entities introduce unnecessary and garbage traffic on the network of a particular service or application to deteriorate its quality which often leads to the scenario of a breakdown. Some of the services that are often attacked are the hosting services along with the availability of the portal of LEAF. It is through this process that the services and applications become inaccessible and unavailable for the end users (Ipa, 2009).

Man in the Middle Attacks

Impersonation is one of the major activities that are performed by the malevolent entities to gain sensitive and private information from the system. Man in the middle attacks are the impersonation attacks in which the attackers make use of the network and eavesdrop on the same through unauthorized manner and capture all the activities that take place on the same (Tsoumas and Tryfonas, 2004).

Risk Assessment Approach

Participants

Senior Executives and Senior Management of the Organization along with Project Resources

Risk Assessment Methods & Technologies

The risks that have been associated above in association with LEAF can be managed and handled with the aid of a dedicated and a phased approach.

There are several steps that shall be associated in the risk management process associated with the organization to put a check on the security risks and vulnerabilities that have been listed above.

The phases that will be present in the risk management activities and operations are listed and explained below.

Table 1

Total Risk Calculation

The total risk that is associated with a particular occurrence can be calculated on the basis of the impact and likelihood that is associated with it.

The risk value can be calculated with multiplying the values assigned to the impact and likelihood of the risk and the risk will signify the total risk that will be associated. Higher the value, higher will be the risk and vice versa.

Table 2

Likelihood Determination

Likelihood of the risk is dependent upon the following factors and is estimated with the aid of the same.

• Type of the risk
• Category of the risk
• Impact of the risk
• Source of the risk

Table 3

Control Management

There can also be a number of controls that may be applied internally in LEAF and in the external operations and activities as well to put a check on the risks and vulnerabilities associated with the security of the organization, its stakeholders and the information.

Table 4

Administrative Controls

LEAF deals with huge clusters of information on a daily basis and this information can be classified in different categories and types such as sensitive pieces of information, information only for office use, confidential information, information for public use, private data and likewise. There are different laws, regulatory policies and guidelines that guard and regulate these different classes and categories of information. Administrative controls are the controls that come under the process of risk management and may be applied to the security risks and vulnerabilities to prevent and control them. Many of the security risks and vulnerabilities are given shape by the internal employees of the organizations and these risks would be avoided by the application of administrative controls such as execution of reviews and inspections by the administrative department (Ishandbook, 2016).

Logical set of Controls

Apart from the administrative controls, there are a number of logical controls that may also be applied to detect and prevent the security risks and attacks. Information that is associated with LEAF is handled and transferred to a number of different entities. There are also a number of parties and access points through which this information goes through. Technical and logical controls are the types of controls that are applied to prevent the attacks through technological measures and actions. There is a lot of information that is stored in the data repositories and the logical controls are also applied on these repositories to make sure that the security occurrences are avoided.

Safety of the Devices

It would be necessary to install monitoring and tracking applications on the devices of the employees that they bring in to the organization for professional activities. Also, it shall be made sure that there are anti-malware and security mechanisms installed in all of the devices that are used to make sure that the security risks and attacks are not executed.

Application and installation of anti-malware packages

Malware attacks on the information are a common practice that has been observed in association with LEAF along with other systems and organizations as well. A number of different types of malware have been created such as viruses, Trojan horses, Logic Bombs, wors, ransomware, adware, spyware and many more. These malware are the software packages that are exclusively created in order to cause damage to the system and are therefore designed to have a negative impact which may fall in the range of low to severe impacts. Anti-malware packages would prevent the entry and functioning of the malware packages that would be installed on the system.

Application and installation of Firewalls

Firewall refers to the boundary that exists in between the network and the system. The installation of firewalls in every component of the network associated with iPixel would ensure that the malevolent entities do not gain access to the system.

Intrusion Detection and Prevention

Some of major security attacks that take place are in the form of network security attacks. These attacks include phishing attacks, spoofing attacks, DoS attacks, Man in the middle attacks and many others. Technical controls shall therefore be applied on the networks as well to make sure that malevolent activities on the networks are prevented in all the cases. Intrusion detection systems and intrusion prevention systems are the automated tools that have been designed for the analysis and authorized monitoring of the network. These tools generate alerts on the system regarding the attempt to cause malevolent activities and also give out the reports associated with the same (O’Neil, 2015).

Encryption of Information

There are administrative as well as logical steps that are taken to avoid the security occurrences. In spite of all the efforts, there are often scenarios that have been observed in which the attackers succeed in giving shape to the security risks and attacks. Application of cryptography and encryption is an effective measure that ensures the security even in case of the successful attempts by the attackers to hamper the same. Once the information is encrypted then it requires a security key for its decryption and the same leads to the inability of the attacker to get hold of the information.

Identity and Access Management

It is extremely necessary to ensure that only the authenticated individuals and users succeed in gaining access to the systems and the information and the application of access control, identity control and their management proves to be extremely effective in such cases. Concepts and methods such as authentication at several layers, one time passwords, single sign on and many more are some of the measures that shall be implemented (Lozito, 2011). 

Set of Physical Controls

Another major form of security controls that may be implemented for the management of risks includes physical security. There are several physical entry points that are present in LEAF along with the access to its employee and stakeholder information. There is a lot of information that is kept in the database of the organization and locations which may be hampered by the violation of security (Keung, 2016).

Some of the security measures that shall be implemented in the area of physical security include identity control and management, access control and management, presence of vigilant guards and likewise.

Risk Assessment Results

Table 5

Risk Mitigation

Mitigation strategy would play a significant role in preventing and controlling the security risks and vulnerabilities that are associated with LEAF and LEAF-ONE.

Risk Mitigation Strategies

The approach and strategy shall be developed according to the nature and type of information that may be impacted or may be put at risk.

• Confidentiality: The property of the information shall be maintained in all the business processes to make sure there are no violations and unauthorized entries involved.
• Integrity: The modifications, changes, deletions, updates and additions shall be performed in authorized manner only.
• Availability: Accessibility to the information shall be provided to the users at all times and from all the locations (Arcs, 2016).

Security Policies

List of Security Goals

• LEAF-ONE shall be replaced with an advanced corporate system efficient to deal with the information management and organization required for LEAF along with the application of security mechanisms.
• The business processes, business operations and business activities must comply completely to the security policies, security laws and set of regulations that guard the same.
• The security mechanisms that are developed must ensure that the properties such as confidentiality, privacy, availability and integrity are safeguarded.
• There shall never be occurrences in which there is a complete breakdown in terms of business continuity.
• The time required to recover the services and applications to their regular functioning shall be kept very low.
• Application of security mechanisms in third party dealings shall fulfill the norms of all the parties that are associated.
• There shall be regular up-gradation and maintenance of the security frameworks (Hostalnd, 2010)

Phase of Security Policies

Changes are common in association with the technology, innovation, methodologies and processes that are associated with LEAF. There may be changes in terms of mobile or web technology that is followed or in the form of development approach that is adapted and likewise. Also, there are scenarios in which one of the technologies becomes obsolete with the passage of time. These changes also lead to a number of risks and shall therefore be effectively managed (Anderson, 2016).

Following are the steps that have been suggested to make sure that the management and implementation of the changes is adequately done.

Planning for the change: Planning is an activity that is the base for any process and the same holds true in this case as well. The changes associated with the organization and its processes will be required to be identified and analyzed before their application and implementation.

Execution and Management: Once the changes are carefully identified and analyzed, they shall be executed as per their defined method. These changes shall then be managed by carrying out several verification and validation processes on the same to avoid any of the underlying deviations (Saint-Germain, 2005).

Reinforcement of the changes: Changes shall be reinforced at the end for the verification of the same.

Regulations affecting Information Security

Ethical Regulations

Violation of ethics is often seen in any of the security threat, attack, risk or vulnerability that is given shape. There are various ethical theories such as Deontology ethics, Virtue Ethics, Theory of Consequentialism and many more that have been applied to these occurrences and there is ethical incorrectness observed in all the cases. It is therefore essential to make sure that LEAF adheres to the ethical codes and the professional codes of conduct as well.   

Some of the guidelines from these ethical codes and policies to avoid the vulnerabilities and attacks have been listed below.

• Ethical principles and guidelines shall be distributed to all with the aid of training sessions and activities to avoid any violation associated with them.
• Best practices shall always be used and applied in all the processes and business activities.
• The properties of information such as its confidentiality, integrity and privacy shall be managed and maintained in all the cases.
• Security policies, mechanisms and guidelines shall be implemented in all cases in order to avoid the risks and vulnerabilities (Cengage, 2016)
• Conflict of interest along with the avoidance of disputes shall also be maintained in all the activities.
• Deliberate actions and steps to cause harm to the resources and the business activities shall be avoided.

Ethical dilemmas are often observed during the business processes and activities that are associated with LEAF. It is because of the reason that there is a variety of information that the organization deals with. This information varies in terms of type, structure, contents and privileges to the users. Also, the regulatory and legal policies that guard and define these information sets also vary from one to the other (Whitman, 2016).

Legal Regulations

Apart from the ethical policies and guidelines, there are also various legal and regulatory frameworks that are related with the security. LEAF also has its own set of applicable policies and guidelines. Similarly, all the other organizations and third parties also have their respective legal and regulatory policies. It is very essential to make sure that all of the guidelines and policies are followed (Smedinghoff, 2016).

There are many of the legal obligations that result with the violation of the legal policies and guidelines. The organization must therefore make attentive and careful attempts to safeguard the information and security of the assets such as the devices and resources.

Conclusion

Information is the key asset for all the organizations and it becomes a prime topic of concern for the organizations to effectively manage the information and data sets that are associated with them. There are various categories of information such as sensitive information, internal information, information only for office use, public information, private information and a lot more. Lifeskills Engagements and Activities Foundations (LEAF) is a not-for-profit tier-2 organization. The aim of the organization is to provide every child in the society with the ability to acquire their dreams. Community development is the primary goal of LEAF. LEAF is the organization that has introduced Community Based Improvement Programme (CBIP) for the community development and improvement. There are also several third parties that are associated with LEAF such as other organizations, donors, volunteers and many more. LEAF-ONE is a corporate system for LEAF that was in use since long and was designed as a robust system; however, with the expansion of the organization and increase in the number of partners and vendors, the performance of LEAF-ONE has come down and it has become essential to replace the same with a new system. There are numerous security risks and attacks that are associated with this organization in terms of security risks, threats and vulnerabilities. These can be prevented and controlled with the aid of applicable countermeasures and policies.

References

Alnatheer, M. (2014). A Conceptual Model to Understand Information Security Culture. [online] Available at: https://www.ijssh.org/papers/327-A00013.pdf [Accessed 25 Nov. 2016].

Anderson, R. (2016). Why Information Security is Hard. [online] Available at: https://www.acsac.org/2001/papers/110.pdf [Accessed 25 Nov. 2016].

Arcs, (2016). Information Security Policies. [online] Available at: https://www.arcs.qmul.ac.uk/policy_zone/information_security_policy.pdf [Accessed 25 Nov. 2016].

Cengage, (2016). Legal, Ethical, and Professional Issues in Information Security. [online] Available at: https://www.cengage.com/resource_uploads/downloads/1111138214_259148.pdf [Accessed 25 Nov. 2016].

Chakrabarti, P. (2009). Information Security: An Artificial Intelligence and Data Mining Based Approach. International Journal of Engineering and Technology, 1(5), pp.448-453.

Feng, N. and Yu, X. (2012). A Data-driven Assessment Model for Information Systems Security Risk Management. Journal of Computers, 7(12).

Hostland, K. (2010). Information Security Policy. [online] Available at: https://services.geant.net/cbp/Knowledge_Base/Security/Documents/gn3-na3-t4-ufs126.pdf [Accessed 25 Nov. 2016].

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), pp.247-255.

Ipa, (2009). 10 Major Security Threats. [online] Available at: https://www.ipa.go.jp/files/000016942.pdf [Accessed 25 Nov. 2016].

Ishandbook, (2016). Types of Controls. [online] Ishandbook.bsewall.com. Available at: https://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html [Accessed 25 Nov. 2016].

Keung, Y. (2016). Information Security Controls. [online] Available at: https://www.omicsgroup.org/journals/information-security-controls-2168-9695.1000e118.php?aid=23716 [Accessed 25 Nov. 2016].

Lopez, D. and Pastor, O. (2013). Comprehensive Approach to Security Risk Management in Critical Infrastructures and Supply Chains. Information & Security: An International Journal, 29, pp.69-76.

Lozito, K. (2011). Mitigating Risk. International Journal of Business Intelligence Research, 2(2), pp.67-75.

Michael, K. (2012). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Computers & Security, 31(2), pp.249-250.

Ngoma, S. (2012). Vulnerability of IT Infrastructures: Internal and External Threats. [online] Available at: https://www.congovision.com/IT-Security-Pub.pdf [Accessed 25 Nov. 2016].

O'Neil, L. (2015). How to Implement Security Controls for an Information Security Program at CBRN Facilities. [online] Available at: https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf [Accessed 25 Nov. 2016].

Saint-Germain, R. (2005). Information Security Management Best Practice Based on ISO/IEC 17799. [online] Available at: https://www.arma.org/bookstore/files/Saint_Germain.pdf [Accessed 25 Nov. 2016].

Smedinghoff, T. (2016). The State of Information Security Law. [online] Available at: https://resources.sei.cmu.edu/asset_files/WhitePaper/2007_019_001_52931.pdf [Accessed 25 Nov. 2016].

Tsoumas, V. and Tryfonas, T. (2004). From risk analysis to effective security management: towards an automated approach. Information Management & Computer Security, 12(1), pp.91-101.

Webb, J., Maynard, S., Ahmad, A. and Shanks, G. (2014). Information Security Risk Management: An Intelligence-Driven Approach. Australasian Journal of Information Systems, 18(3).

Whitman, M. (2016). Readings & Cases in Information Security: Law & Ethics. [online] Google Books. Available at: https://books.google.co.in/books?id=nTMIAAAAQBAJ&pg=PA272&lpg=PA272&dq=information+security+ethical+compliance+pdf&source=bl&ots=flbySXXdj1&sig=i6XDp71lCjObz40ugSYyDZl4AEc&hl=en&sa=X&ved=0ahUKEwi39fzQ0MDQAhWLV7wKHUeCD804ChDoAQgqMAE#v=onepage&q=information%20security%20ethical%20compliance%20pdf&f=false [Accessed 25 Nov. 2016].