Organization
Risks & Threats
Introduction
• In the information technology era, organizations must keep up with
effective information security mechanisms to protect their information.
• Information security breaches have always been a common
phenomenon in many organizations.
• Examples include security leaks and distributed denial of service (DDoS) attacks.
• Attacks result in business interruptions, financial loss and the loss
of the company's reputation.
• It is vital for companies to ensure adequate information security
mechanisms.
By: Zhorzh Bederyan
Risks = Threats x Vulnerabilities
Source: http://simplicable.com/new/the-big-list-of-information-security-vulnerabilities
By: Zhorzh Bederyan
Information Security Risks & Threats
Risk typically refers to the potential that a given threat will
exploit the vulnerabilities of organizational assets, causing
harm or loss to the organization. The following are some
of the information security risks and threats:
• Lack of proper encryption
• Inadequate system logging
• Intrusion and hacking
By: Zhorzh Bederyan
• Natural Disasters
  • Floods
  • Hurricanes
  • Tornadoes
  • Earthquakes
  • Wildfire
• Accidental Damage
  • Fire
  • Non-Natural Flooding
By: Samuel Holloway
What Can We Do?
1. Backup Data Regularly
2. Utilize Offsite Data Storage
3. Implement Cloud Storage Backup
Regulatory Compliance
A regulatory agency is a public authority or
government agency responsible for exercising
autonomous authority over some area of human
activity in a regulatory or supervisory capacity.
By: Leslie Bruce AKman
Regulatory Compliance (cont.)
When regulatory compliance is applied to IT, the
regulations refer to two different aspects of company
operations: the internal requirements for IT, and the
compliance standards set forth by external entities.
Both types of regulatory compliance affect IT company
operations and can potentially restrict what a company
can and cannot do.
By: Leslie Bruce AKman
Organization Criminal Risk
• Fraud: When the nature of a company's business involves very complex
transactions, and especially ones involving estimates, it is easier for
employees to manipulate the results of these transactions to report better
results than is really the case.
• Forgery: Many businesses are fortunate to have trusted and competent
bookkeepers, but the more authority you invest in any one person, the
greater the risk to the business if that trust is betrayed. Good accounting
controls protect the honest employee first and foremost. There are few
worse situations in a business than when money has gone missing and
suspicion and accountability for the loss falls on everybody.
• Theft: A hacker's goal at a small business can vary. Retail-facing companies
are often targeted for the personal and credit card information of customers.
Many companies in all industries are hit with a malware attack that initially
does nothing, but it can transform a company's systems into "zombie
computers," which can be used unwittingly in a larger attack.
By: Manuel Cano
IT Systems Development Practices
• Use Unique Passwords for Each Account
• Never Write Your Password Down
• Easy for You to Remember – Hard for Others to Guess
• Never Share Password with Others
• Combination of Upper & Lowercase Letters
• Must Include Numbers & Special Characters (*!@#-_, etc.)
• Frequent Password Changes Required
• Alerts for Incorrect Passwords & Password Changes
By: Samuel Holloway
Good encryption system
• The system ought to have a good encryption algorithm with the following criteria for a good cipher:
➢ Simple to implement
➢ Enciphering algorithm with no complexity
➢ Ciphering errors should not be propagated
➢ Enciphered text should be of the same length as original text.
Updated security software
• The security software compatible with the system in place should have the following characteristics:
➢ Efficient
➢ Easy to use
➢ Reliable
➢ Scalable
➢ Flexible
Better network protection
• The network and its traffic should be secured by:
➢ Installing a good firewall
➢ Utilizing network segmentation techniques
➢ Utilizing a VPN.
Adequate security settings
• The system's security settings should include security policies that enable the user to
adjust the system's level of security.
• These include:
➢ Password policy
➢ Audit policy
➢ Account lockout policy
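The password rules listed under practice 1 and the password and account lockout policies named here, as one added example that is not part of the original slides: a Python check that rejects passwords breaking the listed rules, keeps passwords unique per account by comparing against stored hashes rather than plaintext, and applies a lockout policy with an alert on every incorrect password. The minimum length, lockout threshold and hashing parameters are assumptions, since the slides give no numbers.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed policy values: the slides name these rules but give no numbers.
MIN_LENGTH = 12
LOCKOUT_THRESHOLD = 5        # account lockout policy: failed logins before the lock
SPECIAL = set("*!@#-_,")     # the special characters listed on the slide
def _hash(password: str, salt: bytes) -> bytes:  # salted PBKDF2, never plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive incorrect passwords; lockout is derived from it
def policy_violations(password: str, store: dict) -> list:
    # returns the slide rules the candidate breaks; an empty list means it is acceptable
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs upper- and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in SPECIAL for c in password):
        problems.append("needs a special character (*!@#-_, etc.)")
    # unique per account: compare against each stored hash, never against plaintext
    if any(hmac.compare_digest(_hash(password, a.salt), a.digest) for a in store.values()):
        problems.append("already used for another account")
    return problems

def create_account(store: dict, name: str, password: str) -> list:
    problems = policy_violations(password, store)
    if not problems:
        salt = secrets.token_bytes(16)
        store[name] = Account(salt, _hash(password, salt))
    return problems
def login(store: dict, alerts: list, name: str, password: str) -> bool:
    acct = store.get(name)
    if acct is None or acct.failures >= LOCKOUT_THRESHOLD:
        return False
    if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures = 0
        return True
    acct.failures += 1
    alerts.append(f"incorrect password for {name} (attempt {acct.failures})")
    if acct.failures >= LOCKOUT_THRESHOLD:
        alerts.append(f"{name} locked after {acct.failures} failed attempts")
    return False
```

The `alerts` list stands in for whatever logging or notification channel the organization uses for the "alerts for incorrect passwords" requirement.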
Creating a Secure Environment
Introduction
• In most organizations, information is regarded as a resource as well as
an asset.
• It has therefore become a necessity to ensure that all the avenues that act
on a given piece of corporate information have been secured.
• The company in context is a classic widget producer.
• The overall structure of the company is based on the traditional setting as far
as departments such as manufacturing and human resources, among others,
are concerned.
• With different operational offices as well as outlets, it can be concluded that
the company has many avenues that handle corporate information and
may need securing.
The Need for Information Security
• Information is regarded as a vital asset. The need to ensure that
information is secured arises from the fact that there are various
predators that may benefit from such corporate data.
• While considering the organizational structure of the mentioned
company, it can be seen that there may exist numerous loopholes that
may lead to the loss of data integrity.
• As a corrective measure, the need to come up with a plan that would
help in managing the integration of the respective security practices as
well as tools with the overall human behavior is realized.
• The first step is sensitizing the members of the company on the
importance of security.
Sensitizing the Employees to Security
• Since the company is comprised of various types of employees who may
range from the information technology to the sales teams, the approaches
that may be used on one group may differ from the approach used on the
other groups.
• The best way to make security important to each and every member is by
performing a brief sensitization campaign or education that would be
inclined towards giving the employees the basics of security and their
human behavior.
• The possible benefits as well as consequences that are witnessed after the
consideration and upholding or neglecting of security also should be
included within the programs.
The Best Methods to Communicate Information on Security Related Issues
• Demonstrate the impact of security incidents.
• Understand that millions of dollars in revenue could be lost.
• Show correct behavior and its impact.
• Show that the right behavior can be easy.
• Explain responsibilities.
• Understand how to minimize risks.
• Segment your audience, then tailor your messages.
• Establish an effective IT security help mechanism.
Creating a Secure Environment Diagram
[Diagram: within the company's environment, training and security campaigns lead to changing the perception and behavior of employees.]
Conclusion
• Summing up, creating a secure environment may not
necessarily dwell on the technical aspects of information.
• Rather, the overall employee perception and behavior as
far as information and security are concerned is the key point
to achieving a secure environment.
• Considering the company in context, the diverse pool of
employees may require a differentiated sensitization plan
which may be specifically designed for a given group.