Risk or potential threat Essay

Every organization is faced with some risk or potential threat that could cause a disruption to the organization's operations. These risks and threats can come from within or outside of the organization. To prepare for the worst that could happen, organizations must focus their attention on how to assess different types of risks to protect the organization from possible negative effects on day-to-day operations. Performing a risk assessment is one of the most important steps in the risk management process (eHow, 2011).

A risk assessment is a periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization. A risk assessment should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards.

Many organizations perform risk assessments to measure the amount of risk that could affect their organization, and to identify ways to minimize these risks before a major disaster occurs. The Department of Defense Information Systems Agency (DISA) follows guidelines and policies governed by processes by which the organization assesses and manages its exposure to risks. In this paper the topic is to identify the risks and possible effects associated with the areas of the organization pertaining to security, auditing, and disaster recovery.

Security is divided into three major areas: physical security, which includes access to the building, offices, and the rooms housing the organization's servers and other critical computing devices; external threats to the organization's computing network, such as hackers and malicious software; and access and permissions for authorized users of the system as well as to the information.

Physical security of the DISA field office involves securing assets by means of locked doors and an alarm system for non-duty hours. Employees are required to wear identification badges at all times while inside the organization's facility. Visiting guests are logged into the visitors log at the reception area by the individual hosting the guest, and the guest is escorted at all times while in the facility. DISA users are not authorized to take assigned laptops home unless they are protected by approved hard drive encryption software. Downloading organizational data onto diskettes, CDs, thumb/flash/memory drives and other portable media is not authorized without proper authorization and proper security measures in place to protect that information.

To mitigate the threats and keep the organization's assets and proprietary information as secure as possible, a comprehensive defense-in-depth strategy has been put in place. The defense-in-depth strategy covers people, network, host, and application. Each of these categories contains three components which, when combined, give the organization's security posture more strength than any one component alone. Using this defense-in-depth strategy and applying tools, techniques, and methodology from all 12 components maximizes the organization's overall security posture (Hazelwood, 2006).

People are the first line of defense in the organization's security strategy. The organization has well-defined policies and job descriptions that define the roles and responsibilities of assigned personnel as related to security. The organization also has a well-written security awareness training program and documented annual training for assigned personnel. The organization keeps the skills of the personnel responsible for the information assurance infrastructure current with a budget for training. The organization has a well-documented policy on incident response.

The network is the second line of defense. The organization has a well-configured and approved firewall to protect the network architecture. The organization also employs an intrusion prevention system (IPS) to monitor traffic on the organization's network. Virtual private networks (VPN) allow remote connection to the organization's network when users are away from the primary facility. The organization does not segment internal servers, workstations, and wireless networks onto separate networks. This could put the organization's entire network at risk should part of the network become compromised from a trusted source.

The third line of defense for the organization's network is the computing host. This includes the organization's routers, workstations, servers, and automated control systems. If an intruder breaches the first two lines of defense, it is possible that security measures enabled on the host can detect and possibly prevent an incident from occurring. The DISA field office has deployed a host intrusion detection system (HIDS) that is completely separate from the network IPS.

The DISA field office performs recurring network and host audits as an important part of the organization's security strategy. By providing detailed audit trails and archiving, these audits are important building blocks for network intrusion analysis and network statistical analysis, and they provide historical evidence for future network audits and incidents. These audits can help the organization find vulnerabilities in the organization's network before an intruder does.

How quickly an organization can return to operational status after a disaster, fire or flood often depends on the emergency planning done today. The longer an organization is not operating, the less chance the organization will survive, and the higher the costs in the form of monetary losses or customer losses. A Continuity of Operations Plan (COOP) is an effort to ensure an organization's continued performance of its most essential functions during a range of possible emergencies. To be successful, a COOP incorporates the development of plans, procedures, and provisions for people, resources, and processes.

The DISA field office has a Continuity of Operations Plan that identifies which personnel, materials, procedures, and equipment are necessary to keep the organization operating after a disaster. This plan also identifies the alternate site where the needed personnel should report should the primary site not be habitable. Several deficiencies in the organization's plan need to be addressed. First, the field office does not have plans for alternate information technology (IT) resources.

This could delay the field office in performing its most essential function of supporting the telecommunication needs of the combatant command. The second major issue noted during the risk assessment is a lack of testing of tape backups and offsite storage. Without testing backups to verify that the organization can restore the stored organizational data, there is a possibility that the data could be lost forever. This could cost the organization hundreds or thousands of man-hours to recreate mission-essential data from other records. On the same premise, if there is no set of backup tapes stored offsite and the primary site is destroyed, there will be no backups from which to restore the organization's data.
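As an added illustration (not part of the original paper), the restore test that the paragraph above finds missing: a backup records a manifest of file hashes when it is written, and the test restores the archive into a scratch directory and compares every file against that manifest. The archive, the sample ledger file and the manifest tampering are all constructed here.

```python
import hashlib
import os
import tarfile
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive):
    """Archive the files in src_dir; return the manifest {name: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for name in sorted(os.listdir(src_dir)):  # flat directory, for brevity
            full = os.path.join(src_dir, name)
            manifest[name] = sha256_file(full)
            tar.add(full, arcname=name)
    return manifest

def restore_test(archive, manifest):
    """Restore into a scratch directory (never over live data); list files missing or altered."""
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # 'data' filter rejects path traversal
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        for name, expected in manifest.items():
            restored = os.path.join(scratch, name)
            if not os.path.exists(restored):
                failures.append((name, "missing"))
            elif sha256_file(restored) != expected:
                failures.append((name, "hash mismatch"))
    return failures

def demo():
    """Constructed data: a clean restore passes; an altered file and a missing file are caught."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(src)
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("account,balance\n1001,250.00\n")  # constructed sample record
        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)
        manifest["ledger.csv"] = "0" * 64   # as if the tape restored altered bytes
        manifest["missing.txt"] = "0" * 64  # a file the backup never captured
        return good, restore_test(archive, manifest)
```

Run on a real tape, the same check also proves the offsite copy is readable, which is the second gap the paragraph names.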

In conclusion, risk assessment and risk management are areas that need to be carefully documented. The DISA field office has conducted a comprehensive effort to ensure the organization has made plans to mitigate risks and threats to the organization's network and to ensure business continuity should a disaster strike. Except for the deficiencies noted, policies and procedures have been formulated and documented with buy-in from each organizational level on the required steps to avoid and mitigate risks. Necessary training and testing of the personnel involved in risk management have been implemented to ensure a successful outcome in case of disaster.

References

eHow. (2011). How to Do a Risk Assessment. Retrieved September 24, 2011 from http://www.ehow.com/how_2154600_do-risk-assessment.html

Hazelwood, V. (2006). Defense In Depth: An Information Assurance Strategy for the Enterprise. Retrieved September 24, 2011 from http://www.sdsc.edu/~victor/DefenseInDepthWhitePaper.pdf

Paper 2
Situation

Global Finance Inc. has grown rapidly in the past years, and as a result has gained a huge customer base. The company invested in the network and designed it to be fault tolerant and resilient to network failures. However, although the company's financial status has matured and its network has expanded at a rapid pace, its network security has not kept up with company growth (NIST, 2012).

GFI's network is fairly stable, as it has not experienced many outages due to network failures. Global Finance Inc. has hired three network engineers to keep up with the network growth and the bandwidth demand from company employees and customers. However, the company has not hired any security personnel to take care of the operational security responsibility.

The trusted computing base internal network in Global Finance Inc. hosts the company's mission-critical systems, without which the company's operations and financial situation would suffer. The Oracle database and email systems are among the most intensively used application servers in the company. Global Finance Inc. cannot afford system outages because its cash flow and financial systems depend heavily on network stability. The company has experienced denial of service (DoS) attacks twice this year, and its Oracle database and email servers were at one point down for over a week. The concern at hand is that the recovery process required Global Finance Inc. to spend $25,000 to restore its operations back to normal. Global Finance Inc. estimated the loss from these network attacks at more than $100,000, including lost customer confidence.

Hezman Technologies has been tasked to conduct a risk assessment of Global Finance Inc. for the purpose of certification and accreditation. The Risk Assessment Report, in conjunction with the System Security Plan, assesses the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by threats internal and external to Global Finance Inc. (NIST, 2012). The Global Finance Inc. risk assessment was conducted in accordance with the criteria described by the National Institute of Standards and Technology (NIST) and the Risk Management Guide for Information Technology Systems. The method used to conduct this risk assessment is qualitative (NIST, 2012).

Aim

The purpose of this risk assessment is to evaluate the efficiency of Global Finance's security. This risk assessment will address risks, threats, vulnerabilities, and safeguards (NIST, 2012). This Risk Assessment Report will evaluate the confidentiality, integrity, and availability of the Global Finance Inc. network architecture. Hezman Technologies will recommend security safeguards that will enable Global Finance Inc. to make decisions about network security.

Mission

The overall mission of the Global Finance network is to host mission-critical network systems. The network's critical infrastructure includes support for the following customers and network devices:

* Accounting Department - Consists of 63 workstations and 7 printers.

* Loan Department - Consists of 25 workstations and 5 printers.

* Customer Service - Consists of 12 workstations and 12 printers.

* Management - Consists of 5 workstations and 3 printers.

* Credit Department - Consists of 10 workstations and 3 printers.

* Finance Department - Consists of 49 workstations and 5 printers.

Global Finance Inc. has a requirement to provide uninterrupted services on site and remotely to employees and customers. It is the intent of Hezman Technologies to identify in detail the current risks and vulnerabilities while keeping within the standards of confidentiality, integrity, and availability.

Assess Risk & Determine Needs

Although all elements of risk management are important, risk assessments provide the foundation for the other elements of the cycle (Office, 1999). Risk assessments conducted by Hezman Technologies provide a basis for establishing policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that Global Finance Inc. periodically reassess risks and reconsider the effectiveness of the policies and controls that management has selected (Office, 1999). This cycle of activity, including risk assessment, is described below in an illustration of the risk management cycle:

[Figure: the risk management cycle around Global Finance Inc., with the stages Assess Risk & Determine Needs, Implement Policies & Controls, Promote Awareness, and Monitor and Evaluate.]

Hezman Technologies will provide an overall evaluation of Global Finance's network. This will give decision makers a means to take these results, understand the factors that can negatively influence operations and outcomes, and make informed judgments. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that businesses must manage (Office, 1999). Regardless of the types of risk being considered, all risk assessments generally include the following elements:

* Identifying threats that could harm Global Finance and affect critical operations. Threats could include things like intruders, criminals, disgruntled employees, and natural disasters.

* Hezman Technologies will estimate the likelihood that such threats will materialize, based on historical Global Finance data and judgment from knowledgeable employees.

* Hezman Technologies will identify and rank the value and sensitivity of operations.

* Also provide, for the most critical and sensitive assets, an estimate of the potential loss or damage that could occur if a specific threat materializes (Office, 1999).

* Document results and develop an action plan.
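As an added illustration (not part of the original paper or of Hezman Technologies' work), the five elements above carried through as a small qualitative risk register in Python. The threats are drawn from the situation described in this paper; the numeric likelihood and impact weights and the risk-level thresholds are an assumption modeled on the NIST SP 800-30 risk-level matrix, not values the paper gives.

```python
from dataclasses import dataclass

# Assumed scoring weights, modeled on the NIST SP 800-30 risk-level matrix;
# the paper itself gives no numbers.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class Risk:
    threat: str       # element 1: threat that could harm critical operations
    asset: str        # element 3: the operation or asset affected
    likelihood: str   # element 2: chance the threat materializes
    impact: str       # element 4: loss or damage if it does
    safeguard: str    # control currently in place, if any

    def score(self) -> float:
        return round(LIKELIHOOD[self.likelihood] * IMPACT[self.impact], 2)

    def level(self) -> str:
        s = self.score()  # thresholds also modeled on SP 800-30
        if s > 50:
            return "High"
        if s > 10:
            return "Medium"
        return "Low"

# Constructed register from the situation in the paper (ratings are illustrative).
REGISTER = [
    Risk("Denial of service (two this year)", "Oracle DB and email servers", "High", "High", "none"),
    Risk("Disgruntled employee", "Finance and loan records", "Medium", "High", "none, no security staff"),
    Risk("Malicious software via email", "Department workstations", "Medium", "Medium", "none"),
    Risk("Natural disaster", "Server room", "Low", "High", "fault-tolerant network"),
    Risk("Printer misuse", "Department printers", "Low", "Low", "none"),
]

def prioritized(register):
    """Element 5, part one: order the register highest risk first for the action plan."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def action_plan(register):
    """Element 5, part two: (threat, level, needs corrective action) per entry.
    High and Medium levels call for corrective action; Low is documented and accepted."""
    return [(r.threat, r.level(), r.level() != "Low") for r in prioritized(register)]
```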

Target Audience

Hezman Technologies plans to assess, target, and document the full chain of leadership at Global Finance Inc., to include employees. Some key groups to pay attention to are:

* Global Finance senior leadership, owners, and anyone who could make decisions about IT security.

* Anyone who is responsible for making final decisions on allowing operation of an IT system.

* The IT program manager, and anyone "acting" as the security program manager.

* Technical support personnel.

* IT application managers (Stoneburner, Goguen, & Feringa, 2002).

Related References

Once on site and analysis begins, Hezman Technologies will use the following sources and references to support its risk assessment recommendations on behalf of Global Finance Inc. (NOTE: These are not the references this author is citing in support of this paper):

* (NIST) National Institute of Standards and Technology Special Programs (SP) 800-27

* Engineering Principles for IT Security

* Principles and practices in NIST SP 800-14

* Generally Accepted Principles and Practices for Securing Information Technology Systems.

* Security of Federal Automated Information Resources

* Computer Security Act of 1987

* Government Information Security Reform Act of October 2000 (Stoneburner, Goguen, & Feringa, 2002).

Risk Assessment Activities Conducted by Hezman Technologies

[Table: Input | Risk Assessment Activity | Output; Step 1: System Characterization]
