
Business process that is under risk, software or logical part of the information store of organization.

Category: Computer Sciences Paper Type: Report Writing Reference: N/A Words: 4000

Affected Business unit: CISO or Chief Information Security Officer

Business process facing risk: Software or logical part of the information store of the organization.

Brief explanation of the threat of Business process that is under risk, software or logical part of the information store of organization.

Malware or Malicious Software

Malware is a broad term for programs designed specifically to damage or disrupt a computer system, or to spread from system to system through storage devices or over the network. Its common types include worms, viruses, Trojan horses, spyware, rootkits, bugs, bots, and adware.

Phishing Attack

Phishing is a fraudulent attempt to acquire confidential information such as credit card details, passwords, and usernames by posing as a familiar and trustworthy source. Phishers use different tactics to deceive their victims, and attackers sometimes go so far as to build scam sites that look trustworthy and believable in order to increase the likelihood that the attack succeeds.

Effect if threat occurs of Business process that is under risk, software or logical part of the information store of organization.

A computer infected by malware gives the attacker control over its system resources. Such software can hijack browser sessions and gather personal data from the computer, which can even lead to identity theft. Worst of all, the infection is often not noticeable, and the computer appears to function normally (Abraham and Smith 2010).

In addition, spoofed emails crafted to look like messages from familiar sources urge users to carry out a specific action, such as confirming account information. The financial industry is one of the prime victims: stolen data can be used by phishers to gain access to the victim's account and withdraw money or purchase services or merchandise. This attack therefore poses a significant institutional risk and can lead to reputational damage.

Explanation of the countermeasures of Business process that is under risk, software or logical part of the information store of organization.

Antivirus software and Anti-Spyware: Antivirus and anti-spyware software are applications which identify, block, and remove spyware – harmful applications which collect important information from the computer without being spotted and which might change settings, slow the computer down, or interfere with other installed applications. It is therefore important to ensure that antivirus software is not only kept updated but is also compatible with the system, so that it can support the Virus Scanning API reliably. How quickly different antivirus vendors release updates should also be evaluated. Such products can scan using generic signatures to identify new variants of a virus, or run a suspected file in a separate environment to determine whether it harms the computer (Technet 2015).

Firewall: A firewall plays an essential role in securing the network and everything within its domain from attacks. The first step in implementing an enterprise firewall is to define the level of security the firm requires. On that basis a vendor can be selected, and the firewall configured and installed. Post-installation review, consistent maintenance, and upgrades must follow to ensure that the firewall keeps meeting expectations (Pelkey 2012).

Intrusion Detection System: An IDS is a device or an application which audits system or network activity for policy violations or malicious activity and reports it to a management station. Although both relate to network security, an IDS is different from, and should not be confused with, an IPS or Intrusion Prevention System, which is capable of blocking malicious traffic and threats. An IDS monitors for intrusions, often by matching patterns of previously observed anomalies or intrusions, and is also able to detect attacks already present in a network (Scarfone and Mell 2007).

Multi-Level authentication: Multi-level authentication combines existing authentication techniques in a single environment, and the user must complete several authentications to verify himself or herself to the system. The techniques may include graphical and textual passwords, biometrics, and tokens, applied according to the available technology, the desired level of security, and feasibility (Naik and Koul 2013).

Creating awareness: When it comes to fighting security threats, educated and sensible end-users are significant assets. To ensure that stakeholders are aware of the security risks involved, security training is very important for the acceptance and adoption of the required security policies and practices. No security policy serves its purpose if it is not applied accurately by the people who carry it out. A protection procedure implemented by unaware or poorly informed workers will have the same effect as having no safety procedure at all. The firm must therefore ensure its workers have the required set of skills.

Risk to Physical Resources

Affected Business unit: CSO or Chief Information Security Officer

Business process facing risk: Physical infrastructure of the information store of the organization.

A brief explanation of the threat of Business process that is under risk, software or logical part of the information store of organization.

Physical security refers to the protection of data, networks, software programs, hardware, human resources, and events from physical conditions whose loss could lead to severe damage to the company, or even to catastrophe. There are 3 main groups of threats:

Environmental conditions and natural events: Damage caused by fires, tornados, hurricanes, and other natural calamities (Malatesti 2008).

External and internal human threats (unintentional/intentional): Damage caused intentionally or unintentionally by individuals, for instance an intruder gaining access to a restricted area, an employee error, or a terrorist attack (Malatesti 2008).

Threats related to the supply system: Harm caused by the failure or interruption of any type of supply, such as gas, water, or electrical power, which might affect organizational information systems (Malatesti 2008).

Effect if threat occurs of Business process that is under risk, software or logical part of the information store of organization.

Without adequate physical security, the large sums of money invested in intrusion prevention systems, firewalls, and anti-virus are worthless. Sensitive information of the firm could easily be compromised by a casual and careless mistake (Giannoulis and Northcutt 2007). Breaches of physical security can cause as much harm to the firm as a hacking attack, or more.

Loss of data: A condition of an information system in which information is lost.

Malfunction of systems: Temporary or long-term loss of availability because systems have shut down. It can negatively affect the service the firm offers, which leads to the loss of customers and might even decrease revenue.

Data breach: An incident in which confidential or sensitive information is used, stolen, or viewed by personnel who are not authorized to do so (Rouse, Data breach definition, 2015). This can have a wide effect, leading to loss of credibility, legal action, and negative publicity. The organization's corporate reputation would be questioned, since this is a violation of Confidentiality and Integrity.

Industrial/corporate espionage: This is closely related to the previous scenario but with an added dimension. Corporate espionage refers to the theft of confidential proprietary knowledge and important property information to give a competitor visibility. Corporate organizations in technology-intensive industries are the usual targets of industrial espionage; typically, these firms spend and invest more revenue on R&D, or research and development (Industrial Espionage, 2015).

Explanation of the countermeasures of Business process that is under risk, software or logical part of the information store of organization.

Physical security programs must be planned and implemented for both regular working hours and off-hours. Outside working hours, security personnel must activate all safety and security mechanisms together with the surveillance and monitoring controls. During office hours the task is more complex, since authorized users must be distinguished from unauthorized ones; monitoring and security controls should then be tightened on the basis of role-based access controls (Malatesti 2008).

Delaying controls: The key objective of a delaying control is to slow intruders down in achieving their malicious intent. Controlled-access elevators, access-control cards, and locks are good examples of delaying controls. Such controls are normally tied to a specific individual and must be tapped or swiped to authenticate to a system. A drawback is that they can easily be stolen and used by whoever holds them (Malatesti 2008).

Biometrics: Biometrics use physical traits such as retina scans and face recognition to identify a user. Because of the high implementation cost, the unreliability of such devices, and employee privacy concerns, biometrics are classified as a measure that is yet to be widely accepted (Giannoulis and Northcutt 2007).

User Awareness: User awareness is the most significant aspect of any security program. Employees must be briefed that strangers have no authority to access the workplace unless escorted by a trusted worker at all times. Awareness programs should train and encourage workers to approach any unidentified individual they observe and ask whether they need help (Giannoulis and Northcutt 2007).

Laptop Locks: These cables are physically connected to laptops and attached to the user's desk, and a key is needed to unlock the cable. Applying this measure to mobile and removable devices is desirable even though the cables can be cut (Giannoulis and Northcutt 2007).

OS Hardening: DVD/CD drives and USB ports must be disabled on all desktops and laptops so that unauthorized access to sensitive information is prevented and information cannot simply be tampered with or copied off by an external user (Giannoulis and Northcutt 2007).

Proper Auditing System: It is important to maintain audit logs that record entry to areas with physical access restrictions. Documented identity verification of all workers, including contractors, consultants, and vendors, must be carried out before access is granted. A person can then be uniquely identified from the audit logs if fraud is attempted or suspicious activity is detected. In addition, these logs should be retained and reviewed regularly to determine accountability for each and every action, particularly outside working hours (Malatesti 2008).
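As an added illustration of the audit-log review described above (not part of the original report), the following Python script reads a constructed badge log, checks each entry against a roster of identity-verified badge holders, and flags access granted outside working hours. The CSV layout, the roster, and the 08:00-18:00 working window are assumptions made for this example.

```python
"""Review of physical-access (badge) audit logs.

Flags two conditions the report asks reviewers to look for:
  * a badge that is not on the roster of identity-verified holders
    (employees, contractors, consultants and vendors), and
  * access granted outside working hours, when accountability is hardest.
"""
from datetime import datetime, time
from typing import Any, Dict, List, Tuple

# Constructed sample log. The CSV layout (timestamp, badge id, door, result)
# is an assumption for this example, not a real badge-reader format.
SAMPLE_LOG = """\
2015-03-02T08:55:12,B1001,server-room,granted
2015-03-02T12:10:03,B1002,records-store,granted
2015-03-02T23:41:57,B1001,server-room,granted
2015-03-03T03:05:40,B2099,server-room,granted
2015-03-03T09:15:00,B1003,records-store,denied
2015-03-07T10:30:00,B1002,records-store,granted
"""

# Constructed roster of badges whose holders passed documented identity
# verification before access was granted.
ROSTER: Dict[str, str] = {
    "B1001": "employee",
    "B1002": "contractor",
    "B1003": "vendor",
}

# Assumed working window; anything outside it, or on a weekend, is off-hours.
WORK_START = time(8, 0)
WORK_END = time(18, 0)

Entry = Dict[str, Any]
Finding = Tuple[str, str, str, str]  # (kind, badge, door, timestamp)


def parse_log(text: str) -> List[Entry]:
    """Parse CSV lines into entries; blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "door": door,
            "result": result,
        })
    return entries


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the working window."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def review(entries: List[Entry], roster: Dict[str, str]) -> List[Finding]:
    """Return findings in log order; one entry may yield both kinds."""
    findings: List[Finding] = []
    for e in entries:
        stamp = e["ts"].isoformat()
        if e["badge"] not in roster:
            findings.append(("unverified-badge", e["badge"], e["door"], stamp))
        if e["result"] == "granted" and is_off_hours(e["ts"]):
            findings.append(("off-hours-access", e["badge"], e["door"], stamp))
    return findings


def accountability_summary(entries: List[Entry]) -> Dict[str, int]:
    """Count granted accesses per badge so each one can be accounted for."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["result"] == "granted":
            counts[e["badge"]] = counts.get(e["badge"], 0) + 1
    return counts


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for kind, badge, door, stamp in review(log, ROSTER):
        print(f"{stamp}  {kind:17} badge={badge} door={door}")
    print(accountability_summary(log))
```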

Alert & Monitoring Systems: Monitoring systems are useful for early incident detection. Fire and smoke alarms, motion detectors, and CCTV surveillance are good examples of such systems (Malatesti 2008).

Procedures and policies: These form the foundation of a physical security program. They define the security controls that must be in place and thus serve as a reference for filling the control gaps identified during risk assessment. Procedures and policies must be developed in line with the laws and regulations currently applicable to the corporate domain, and must also address legal aspects such as employee safety and accountability (Malatesti 2008).

Separate all critical systems: Critical systems should be housed separately from general systems. This involves prioritizing both hardware and software components on the basis of their part in processing important data, and safeguarding them in secured areas (NCES, 2015).

It is critical to carry out routine checks to evaluate and ensure the effectiveness of physical security programs and control systems. Ineffective periodic checks only undermine the purpose of applying a physical security layer.

Risk to Human Resources

Affected Business unit: CISO or Chief Information Security Officer

Business process facing risk: Human resources of the organization.

Explanation of the threat of Business process that is under risk, software or logical part of the information store of organization.

Internal attacks: Insiders can be the most harmful attackers because they have the added advantage of knowing the security measures already in place. They may be ex-employees with a grudge against the organization whose objective is to gain access to its systems. Being familiar with the organization's infrastructure, including its IT systems and applications, they are also able to assess the effect of their activities and cause the level of damage they intend (Benson, et al. 2015).

External attacks: These are issues posed by external vendors or contractors that may be employed by a firm for specific projects or for a certain time. Usually these personnel are not well known to the firm and may be unaware of the security rules and regulations they must adhere to. The firm must have sufficient control over their actions, which otherwise present a high level of risk if not properly managed (Jain 2014).

Human Error: Attackers are not the only ones who can harm companies. Human error is usually ignored, yet it is a significant threat to data integrity. Errors and omissions by legitimate users can alter or damage data, to a greater or lesser degree, when users do not consider the effect of the actions they carry out. Such unintentional acts come from unskilled workers who cannot handle information precisely and are not aware of the related security threats (Benson, et al. 2015).

Social Engineering: This is a common form of cracking. Social engineering is a technique for manipulating and deceiving people so as to persuade them to reveal sensitive information. It is widely used by potential intruders and criminals to obtain information of interest because it requires less effort than a technical attack. To gain information, they observe and learn about the personal and social life of a user and exploit it (Benson, et al. 2015).

Exiting employee: This scenario can be both simple and complex. If an ex-employee retains access to the organization's equipment and information, it poses a significant threat to the firm, since he might still use his user privileges, accounts, and access codes.

Consequence if threat occurs of Business process that is under risk, software or logical part of the information store of organization.

Data corruption/loss: This is a condition of an information system (IS) in which information contains errors introduced during reading, writing, storage, transmission, or processing, producing intended or unintended changes to the actual information. Data corruption may be detected or undetected. Corruption that is detected causes less severe problems than corruption that goes undetected, which can even cause an unrecoverable crash (Smith 2014). The worst kind of problem is the one that is never identified, not even by the firmware of the disk. This can affect the capability of important systems, and the organization's information system will have to deal with data integrity and availability issues if the condition is not properly addressed.

Data breach: A data breach occurs when confidential and sensitive information of a company is used illegitimately (Rouse, Data breach definition, 2015). It can have a significant impact, leading to reduced credibility and even adverse publicity. The organization's corporate reputation will also be questioned, since this is a violation of Confidentiality and Integrity.

Industrial/corporate espionage: This is closely related to the previous scenario but with an added dimension. Corporate espionage refers to the theft of confidential proprietary knowledge and important property information to give a competitor visibility. Corporate organizations in technology-intensive industries are the usual targets of industrial espionage; typically, these firms spend and invest more revenue on research and development (Industrial Espionage, 2015).

 

Explanation of the countermeasures of Business process that is under risk, software or logical part of the information store of organization.

Incident response controls: These controls comprise the security procedures, mechanisms, and personnel that help identify and assess incidents and respond to malicious activity. The process should address the different aspects of incident response, such as external consultation, involvement of law enforcement, and the emergency response process (Malatesti 2008).

Creating awareness: Beyond formulating and implementing policies and procedures, it must be ensured that all employees are educated about the threat and that awareness is spread. Staff should understand the sensitivity of the information and systems they handle daily. This must not be neglected, as no protection procedure is effective unless it is executed precisely.

Have a contingency plan: It is always wise to keep a general backup of the organization's servers and critical systems, as far as is feasible. It can save the company if an unforeseen event occurs.

Background check and clearance: It is important to carry out complete screening of potential workers, including background checks and clearance. Workers must be made aware of the policies and procedures and must sign the employment contract before they are hired. There must also be an employee exit process, practised consistently, to ensure that the organizational assets employees used are properly handed back.

Risk to Processes and Procedures

Affected Business unit: CISO or Chief Information Security Officer

Business process facing risk: Processes and procedures of the organization.

The need for well-written and effective organizational policies and procedures has never been more emphasized in corporate culture than at present. Although policies and procedures are not law, they are based on legal rules and their implications. They provide the operational structure within which a company should function, and they define and clarify what the firm requires and how it must be done.

Policies are clear and simple statements explaining how the organization will carry out its business activities and services. They consist of sets of principles and guidelines that help standardize decision making across several aspects of the organization. Processes and procedures explain how each policy will be implemented within the firm. Procedures do not have to be lengthy paragraphs; they work better in the form of flow charts, checklists, or bullet points (www.volunteer.vic.gov.au 2014). Policies and procedures concerning the security of an information system are significant given the need to protect the organization's information assets.

Explanation of the threat of Business process that is under risk, software or logical part of the information store of organization.

Disclosure of information/unauthorized access: Such attempts are made to learn about or make use of the system's information assets, but they may also affect system resources. Customer information and confidential financial data are recognized as significant and must be secured so that not even a small amount is lost.

Inefficient business continuity planning: Mission-critical organizational applications can go down at any time. A business continuity plan comprises the processes and procedures for continuing business operations when an organization faces unexpected events or disasters of various magnitudes, with short-term or long-term effects. Specifically, such a plan describes how business operations can be recovered immediately with minimum impact. Critical business units can be moved to a support system or a temporary location to ensure continued functioning and minimize the aftermath of disastrous events such as theft, attacks, and natural disasters. Failing to develop such a plan because one does not see the need could be the worst decision ever taken, considering the importance of information assets and information integrity.

Disorganized/unclear policy: Insufficiently documented procedures are more likely to be open to interpretation. If a clear answer cannot be obtained as to why or how something is carried out, there are more chances for assumptions to develop, which can lead to frustration and inefficiency among staff, management, and operations (Brown 2015). It must therefore be ensured that policies and procedures are well documented and that their meaning is conveyed properly.

Employee misuse of IT resources: This is a well-known but unspoken problem in IT-related business. Employee misuse can include unauthorized copying of files to storage devices, unauthorized downloading of media, use of company devices for personal purposes, reckless internet surfing, and unauthorized downloading of software. This significantly affects employee productivity.

Explanation of the countermeasures:

Documenting: Physical security procedures should document how all aspects of the C-I-A (confidentiality, integrity, availability) of information will be protected against unauthorized physical access. These documents should state clearly who is authorized to access data and which audiences it may or may not be made available to. Such documented policies and procedures can also serve as training material for new staff joining the organization.

Training and Awareness: Every firm must have a security plan to ensure that all users know the list of acceptable policies and their responsibilities, and that all IT staff are involved in applying the IT security policies (Brown 2015). As security experts agree, employees are the weakest link in a firm and are often overlooked in most security programs. Workers must be properly trained and equipped with the basic security concepts relevant to their firm.

Risk Assessment: This process identifies potential hazards to the organization's assets and analyzes the impact they might have in case of an unexpected event or a disaster. It states how often potential threats to the firm must be reassessed and the security program upgraded (Brown 2015).

Formulating specific technology standards for the business process under risk:

Guidelines for the use of email, internet, telephones, fax machines, printers, and computers, along with the consequences of misuse (Corporate Computer Services, Inc 2015).

Rules for creating a strong password and for the different levels of access to networks (Corporate Computer Services, Inc 2015).

Rules and guidelines for the recovery of data in case of a disaster.

Guidelines for determining which systems, hardware, software, and applications are approved for use in the firm, including a list of those restricted because of licensing and other security concerns (Corporate Computer Services, Inc 2015).

Rules for adding new workers to the workforce and granting employees different levels of permission on the basis of their roles and required visibility (Corporate Computer Services, Inc 2015).

Having a proper Backup/Continuity Plan: The objective of every Business Continuity Management program is to maintain consistent operations and service delivery. Every company must realize that BCP, or Business Continuity Planning, is more significant than it sounds and does not only concern recovering from disasters and emergencies. Always having a detailed BCP offers a competitive advantage over other firms, boosts corporate reputation and brand value, increases customer acceptance, brings operational improvement, and keeps the firm stable by cutting costs (Mitchell 2013).
