View
225
Download
2
Category
Preview:
Citation preview
[ Vulnerability Analysis] Certification and Accreditation of Information Systems
[Year]
Your Details
Date
Vulnerability: - Vulnerability is a weakness of a system which allows the intruders to reduce
a systems information assurance. It includes three parts first is flaw, intruder’s access to the
flaws, and intruder’s capability to exploit the flaw. An intruder to be vulnerable should have
at least one technique which connects to the systems weakness. They are classified according
to the asset class which are
Hardware
Software
Network
Personnel
Site
Organizational
As a part of a formal risk assessment of desktop systems in a small accounting firm with
limited IT Support, you have identified the asset “integrity of customer and financial data
files on desktop systems” and the threat “corruption of these files due to import of a
worm/virus onto system.” Suggest reasonable values for the items in the risk register for this
asset and threat, and provide justifications for your choices
The Risk Register is shown below
Assets Threat Controls Likelihood Consequences Level of
Risk
Risk
Priority
Integrity of
customer
and
financial
data files
on desktop
systems
Corruption
of these
files due to
import of a
worm/virus
onto system
Firewall,
Antivirus,
e-mails,
downloading
files
Almost
Certain
Major Extreme 2
The three strategies of managing risk are:
(1) Reduce the probability of an unfavourable event: - These can be accomplished by
effective strategic planning. Management skills and knowledge of managers can be
developed either directly through self improvement or indirectly by outside advisors.
(2) Self-insure and accept the impact if an unfavourable event occurs: - Following options are
included:
Modification of revenue-related risks by diversifying the enterprise mix. The
outcome can be lower average revenue or added costs in the course of a loss of
efficiency.
Reduction of production risk due to spread of production geographically. This can
result in increase of cost of production.
Building net worth will help a business to survive in adverse events.
Building excess production capacity which will reduce the likelihood of delay of
production-related activities
(3) Reduce the impact on the business if an unfavourable event occurs by shifting risk to
others: - Costs are incurred in the form of Insurance premiums.
Qualitative risk analysis: - An analysis that adjudicators an organization’s risks to pressure,
which is based on decision, perception, and the knowledge versus transmission real numbers
to this possible risks and their potentials loss margins.
Quantitative risk analysis: - A process that attempts to allocate real numbers to the costs of
countermeasures and the quantity of harm that can take place.
Differences between these two are
S No. Quantitative Risk Analysis Qualitative Risk Analysis
1. Results are expressed in management
specific terminology
They do not determine financial values
of assets.
2. Risks are analyzed in financial terms Risks are analyzed in terms of quality
of risk that is ranking the risks.
Quantitative Risk Analysis is more effective as it tells the monetary value of the Risk.
The two models are
Security Steering Group (Leverage Model)
Maintaining the information of the industry, sustaining technology, and security model is not
a part-time plan. Developing an useful security architecture that is built on the inclusive
familiarity of the business is a non-trivial activity that requires active advertising to multiple
resources that can sufficiently characterize the business objectives and/or needs of the
organization. The organization of an Internal Security Steering Group will help ease the
measures necessary to design, build, implement and maintain a pragmatic security
architecture model.
This leverage model can successfully decrease the overall level of effort in scheming,
implementing, and managing all of the serious mechanism that an venture security
architecture is comprised of thus increasing the Return On Investment (ROI), reducing the
Total Cost of Ownership (TCO), and effectively managing risks.
Basic Security Requirement Model
An incorporated risk management program is serious in securing business objectives
requiring the enforcement of secrecy, reliability, accessibility, and liability.
Secrecy
Secrecy ensures the safety of data from illegal access throughout an organization’s
information planning, which extends to all data directly linked with the architecture’s
applications, data stores, communication links and/or processes.
Reliability
Reliability ensures that data, services, and other restricted resources are not altered and/or
destroyed in an unlawful manner. Reliability based controls provide safeguards against
unplanned, unlawful, or nasty actions that could result in the change of security defense
mechanisms, security sorting levels, addressing or steering information, and/or audit
information.
Accessibility
Accessibility ensures the trustworthy and right process of information and system capital for
which the loss of information and/or resource access would cause unfavorable results.
Accessibility based security necessities include controls to stop, sense, and/or monitor
unintended, unlawful, and/or nasty activities that could negatively impact the accessibility of
serious information.
Liability
Liability requirements ensure that events can be linked to exact users and/or processes
accountable for those actions. The largely goal is to be able to confirm, with 100% certainty,
that a picky electronic message can be associated with a particular individual, just as a
handwritten signature on a blank check is tied back to the account owner. Liability based
controls include detection and validation mechanisms, and access control.
The steps are:-
Knowledge base: A good tool will come with letter templates, appeals strategies, and
other content to arm providers with the information that only experience can provide.
Workflows: MAC appeals can involve many departments and individuals
collaborating to meet deadlines. Look for tools that have both prebuilt workflows as
well as the flexibility to modify or design processes to fit an organization’s specific
needs.
Hosted software-as-a-service model: Keeping up with changing requirements and
incorporating new best practices is difficult with software that arrives on CD. Hosted
applications offer frequent content and functionality updates as well as fully
functional remote access.
Easy-to-use streamlined interface: Good tools must be fast and easy to use, with
controls that are intuitive enough that even the technologically handicapped can use
them.
The three steps in the security process are:
1) Plan: - The first step is to plan the whole structure of the requirements. Nothing can
be done without planning so the first step is to plan what all is there and how to work
on the security of the required data. Security process is to be followed according to
the plan made.
2) Delegate: - This is the step which lets the plan made to be followed in reality.
Implementation of the security plan is done in this step.
3) Audit: - This is the step in which all the security measures are tested and if any loop
wholes are found they are rectified to provide the correct security measures.
The steps involved in conducting an assessment are
1. Define Extent of the Change: - The assessment being done is laid down in detail and
all the procedure required are defined in this step.
2. Determine Key Differences: - All the key differences are determined in this step,
where all the requirements are laid down and separated from each other.
3. Focus on Effects: - This step lays down the processes and main focus is laid down in
implementing them.
4. Sort and Prioritize: - The main processes are first listed and all those who have higher
priorities are dealt first.
5. Make a Decision: - This is the step which lets the user make the effective decision of
his assessment.
Mobile devices though being portable and have the dual facility to access calls and e-mails
(internet) have some risks which are as follows.
Due to their small sizes they can be easily stolen or lost which leads to loss of the
complete data.
The files still exist on the cells memory which can be misused.
If the mobile software’s or any download is virus stuck, they can harm the handset
itself.
The handsets are prone to many malwares which come due to different downloads
being done over the mobiles.
There can be excessive spams which come in the mobile devices.
Thus using official information over mobile phones should be minimized only when its
actually and increasing necessary as this can lead to leakage and misuse of information of the
organization which can be a risk factor for them.
The main benefits associated with the approach to IT planning are
Releasing the possessions for improved operation
The capability to nurture the business devoid of considerable increase to
workforce all the way through improved and large efficiency and output
Concentrated delays in vocation stream process
Concentrated delivery rejoinder instance
Concentrated records
A risk is any happening and occurrence of actions, which can be internally or
externally generated, which prevents an association from achieving its objectives
and goals. Risk assessment will aid in planning decisions such as:
The character, degree, and timing of review measures
The business functions to be audited.
The quantity of time and capital to be owed to a review
With the information Eric Raffin had at that time, the other alternatives could he have
considered are
Developing a database to record the actions which can be referred to at the
time of need
Taking timely backup which can help store the data which can be useful in
days to come
Forming a system which stores every minute details so that without any
missing information the process can be followed.
Taking into account the possible system working time which would have
increased its working and efficiency.
The bowtie analysis is a popular structured method which helps in assessing risk, in this
methodology qualitative approach is not enviable. The achievement and accomplishment of
using the diagram is its uncomplicated and trouble-free method for any non- expert to
comprehend. The design is an easy one to combine the reason (fault tree) and the result
(event tree). The fault tree is wan on the left side and the event tree is wan on the right side
and the risk is wan as a "knot" in the centre, the diagram appears like a bowtie. An example
of the same is shown below:
To create a bowtie diagram following needs to be defined:
Events which needs to be prevented.
Threats that might root the event to take place.
Consequences which occur due to the event.
Controls required avoiding the event from being occurred.
Controls to moderate alongside the consequences.
Hazard 1
Hazard 2
Prevention 1
Prevention 2
Incident
Mitigation 1
Mitigation 2
Consequence 1
Consequence 2
The bowtie methodology is used for every kind of risk examination and investigation, from
major accidents, all the way through work-related and ecological to industry, IT and safety
risks.
Using web as a medium of exchange either associated with buying or selling of goods and
services involve transactions of money from an account to the other. The customers are on a
very high risk undertaking these shopping’s over net, the risks are
1. The customer is not sure whether the web page which he is trying to do over net
shopping is a valid one or not. Generally people make fake web pages and just try to
cheat on general public and take lots of money from them and don’t deliver the
products.
2. They can risk their money which they are giving in exchange of the commodity.
3. They can risk their bank account details or their credit card details.
4. They are not sure of even getting their desired product which they have purchased
over net.
5. They cannot fight for the quality of product which was sent to them or if a product is
broken.
So there are various risks involved in shopping over net, thus it should be avoided to a great
extent.
Outsourcing is forming a contract with another company or person to do a particular task or
provide some service. Naturally, the purpose being outsourced is measured non-core to the
business. Today almost every organization outsources in some way or the other.
Following are some positive effects of outsourcing on an organization are
Growth
Offshore Expansion
Variety of Options
Reduced Risks
Competitive Spirit
Fulfill Business Objectives
Better Results
Resource Utilization
Flexibility
Share Business Risks
Fast Turnaround Time
Following are some negative effects of outsourcing on an organization
Loss of jobs in developed counties
Huge lay-offs by companies
Risk of heavy losses to companies who outsource without proper planning
Rise of fear and dissatisfaction among employees in companies that outsource
Risk of the outsourcing company stopping its operations
The project may not be completed well in time. As the whole group has not worked over this
technology and we have no documentation to refer for this technology we face real
difficulties in estimating the time required to complete the project. We can even go wrong in
the people required for completing this project. Doing this project is like “Aiming in the
Dark”. We are in this situation that we have put our foot forward without even know where is
our goal and how much time we need to reach our goal. There is the biggest problem here
that will be deliver the project well in time because the organization is waiting for the new
deliverable and things and the processes currently in the organization are being done hoping
of getting the deliverable well in time. As we know every step undertaken within an
organization are interdependent, so the dependency of work on this new technology is also
expected.
The development of this technology may lead to losses in shares of the company for which
the technology is being made. Now when the organizations is expecting a new technology
after six months they might have started managing their work in the hope to get the new
technology well in time but if this does not happen obviously the company is going to be
struck hard in losses and if a company goes in loss it for sure to have a depreciation in the
shares. The probability of this risk is very high it’s like more than 50%. The risk exposure is
high because it directly affects the stake of the company. The best way to avoid this risk is to
take as long time period for its completion but it should be adequate and within reach.
Another risk is will the deliverable be efficient enough to provide what’s required out of it.
Here is the biggest risk, whether we will be able to provide the project in the way it’s
required. Even if we take long time to do the project we are not sure of its success as the
system takes data from three systems which no one is aware of except one of the team
members. This situation is like being lead by one who is also not sure about the things. We
are just doing a process of hit and try. If it works out its well and good, else all in vain.
The risk here is very high as taking this technology for development we are not sure to give
the desired deliverable because it’s a new technology and new systems are involved which
has no reference to be taken help from. Now if this thing happens the company can face a
situation to stop its work because they might have started their processing according to the
new technology hoping to let it work fine. The probability to this risk is maximum because
it’s what the exact system is all about. The best way to avoid or risk this down is to do a
thorough study and analysis of the systems required. Every possible data and information
should be gathered and should be considered to help make a productive deliverable.
The next risk is about the inflow required in this project. As I told you that we are working on
the bases of hit and try we may require more inflow in the project as what was planned or
estimated. This is really a thing to worry because an organization can only spent a particular
amount on a project. And here is the case that even if they spent more they are not sure of the
final deliverable.
If this is the thing it’s for sure that the company can go in losses. The risk exposure is high
because if the company will utilize its funds here and that also without even having a budget
for that they will go in huge losses which might create a situation for the company to shut
down its business. The best way to avoid this risk is to first clearly discuss with the
developers how much capital is required and will they be able to give the desired deliverable
within that budget. And what will be the maximum expenditure for this. A through planning
should be done and only then the decision should be taken for undertaking such a new
project.
The risks involved in this project are high and it’s really not feasible and ethical to undertake
such a project because it do not gives a desired deliverable, it also harms the managers/
companies goodwill. It can make the company a loss too, which is not right. If the company
goes in loss it will affect the market of the company, which will lead to fall in the share rates,
loss of customers of the company which is not good at all. On the part of the organization
they should also take care of what they are expecting from a project is approachable and
valid.
References
Academic
Journal
http://www.drj.com/new2dr/w3_030.htm
Journal
http://www.blackwellpublishing.com/journal.asp?ref=0272-4332
eBook
http://www.acrobatplanet.com/non-fictions-ebook/ebook-risk-assessment-models-establishment-exotic-vertebrates-australia-and-new-z
ebook
FIRE SAFETY RISK ASSESSMENT http://www.communities.gov.uk/documents/fire/pdf/151102.pdf
Website
http://www.mindtools.com/pages/article/newTMC_07.htm
Recommended