Information Security Risk Assessment for a Distribution Company
Table of Contents
1. Executive Summary
2. Introduction
3. Background
4. Risk Assessment
4.1. Organizational Assets
4.2. Assessment of Organizational Risk
4.3. Current Organizational Security Posture
4.4. Problems at GDI
4.5. Recommended Mitigation Strategy
5. Conclusion
6. References
1. Executive Summary
At this time the measures available to ensure information security include organizational controls such as limiting access to data, firewalls, antivirus systems, encryption, and application controls. When the security of the business fails and the private information of individuals is compromised the company faces many legal actions that can ruin the success of the organization. One way companies use information security that I find to be very helpful is encrypting (Rainer & Turban, 2009). Encrypting ensures that information is protected which is very important to me. Even if a cybercriminal is able to enter into a business’s network and collect information, the information will be encrypted and difficult for a hacker to use to his or her advantage. In this day and age I also think that antivirus systems are essential. The threat of viruses is everywhere and with more than one person working for a business; the network is under a huge threat for viruses which would leave the company susceptible to hackers and the unethical act of not protecting personal information.
2. Introduction
The Information Security Risk Assessment will provide Global Distribution, Inc. (GDI) with the necessary guidance information for understanding current vulnerabilities within the information security. As information technology continues t...
... middle of paper ...
.... In addition, data transmission must involve encryption and decryption with all transmissions being tracked. Through this mitigation strategy, the company can reduce costs and use the internal IT department to ensure that all information is being protected under methods that are superior and based on the company needs and not a third parties simple options for stating security.
References
Computer Security Case Study. (n.d.). Global Distribution, Inc. Retrieved from Classroom Material.
Merkow, M. & Breithaupt, J. (2006) Information Security: Principles and Practices. Upper Saddle River, NJ: Pearson/Prentice Hall
Palmer, M. (2003). Guide to Operating Systems Security. New York: NY. McGraw Hill.
Shinn, L. (2008). Slouching? Measure Your Security Posture. Retrieved from http://technology.inc.com/2008/05/01/slouching-measure-your-security-posture/
During the process of analyzing an organizations effectiveness to manage cybersecurity risks, there are ranges of security policies that need to be implemented. A prime example of this concept is the cybersecurity policies developed for consulting firm Booz Allen Hamilton. The direct division formed to address the firm’s requirements within cyberspace is the Cyber Solution Network (CSN). The CSN division within Booz Allen Hamilton has a range of policies used to ensure the firm is protected against risk.
Whitman, M. E. & Mattord, H. J. (2011) Principles of Information Security. Boston: Course Technology. (Whitman & Mattord, 2011)
Whitman, M., & Mattord, H. (2010). Management of information security. (3rd ed., p. 6). Boston, MA: Cengage Learning.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish roles and responsibilities of all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day to day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable in ensuring all of the rules and policies are being followed, as well as, understanding their roles, responsibilities and functions. Organizations information processing systems are vulnerable to many threats that can inflict various types of damage that can result in significant losses (Harris, 2014). Losses can come from actions from trusted employees that defraud the system, outside hackers, or from careless data entry. The major threat to information protection is error and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Whitman, M. E., & Mattord, H. J. (2009). Principles of Information Security 3rd Ed. Boston: Course Technology.
Data breaches have gone up significantly and hackers are coming up with innovative techniques of breaching the data security network. There are several challenges associated with cybersecurity management as there are a multitude of threats arising from various sources. Cybersecurity threat can have different levels of impact on an organization or a business and varies based on the industry type. According to the Securitas USA survey, manufacturing, healthcare and insurance, finance, information, and utilities saw cybersecurity as the topmost threat for their businesses (Securitas USA,
Every organization, big or small, should have some level of security policy to protect their proprietary information. While the intensity and depth of an organization's security policy depends heavily on the nature of their business, common guidelines are mentioned in this paper that apply to all policies. One of the most important things to remember is that employees are a critical component to a successful security policy. It is the organization's job to ensure that their security policy is widely distributed and understood.
As threats evolve and change with each new technology introduced organizations will also have to strive to improve the techniques used to protect their critical Information Technology (IT) assets. Gartner's IT Key Metrics Data for 2010 which was based on a survey of companies worldwide found that a company spent 5% of their IT budget on IT Security (Kirk, 2010). Connie Guglielmo, a Forbes staff member noted that IT spending will hit $2 Trillion in 2013 and Worldwide IT spending will rise 4.6 percent this year (Guglielmo, 2013).
Risk Management Theory. The Risk Management Theory has been around for quite some time. According to Hong, Chi, Chao, and Tang (2003), risks pertaining to IT security can be measured and evaluated by means of assessing potential attack vectors, and susceptibilities to the organization’s systems and processes. The authors suggest that the outcome of this evaluation allows for the identification of essential security programs and the employment of IT security controls to mitigate these risks. The intended outcome of utilizing this theory is to manage risks until they are at a permissible state. The Risk Management Theory, while broad in nature, does not encompass enough of the information security and risk...
In a company, a senior management needs to address management tasks and have an information security governance. The information security governance (ISG) is a way for a company to protect information in the information systems. According to Grama, the responsibility of the ISG falls on the executive management team to protect the information assets, (p. 373, 2011). The company will need to have its information security goals align with its business needs to help protect information. For example, a company needs to make a profit to stay in business and it should include goals to protect information from hackers. If a company gets a reputation of having security breaches, people would not want to do business with the company and they would lose profits. The CIA triad of confidentiality, integrity, and availability can be used by the ISG to meet the goals. Confidentiality is to protect information by allowing the correct people to have the permissions to access and use information. Integrity makes for the information is accurate and changes cannot be made to the information without the correct permission. Availability is making sure the information systems are always up and that information can be accessed. There are many tasks that senior management needs to address such as to make sure everyone understands the needs for the security of information to be governed. This can be done by informing the board and other senior management who may not be as familiar with information systems, how the threats and damage form the threats can disrupt operations and profits in the company. Another task for senior management to help with the development of the security framework by creating policies, standards, procedures, and guidelines. Thes...
According to the information security governance, success is often less, due to inability to value the the organisation 's information and data. This creates the discussion on the needs for security and the resources to be assigned to this.
Whitman, M. E. & Mattord, H. J. (2011). Principles of information security. Boston, MA: Cengage Learning.
The first thing that we must consider about Information Security is that there is not a final destination at which we can arrive. IT Security is an ongoing set of processes and activities that requires attention and expertise on a daily basis. It is important to understand that systems are not secured by themselves and it is our responsibility to maintain and improve them periodically as required. It is of vital importance to establish the appropriate mechanisms and requirements in order to support the company’s CIA triad. The following report will provide you guidance about auditing and hardening techniques applied though the 7 Domains by utilizing IT Security Best Practices.
Essentially the role of the Information Technology (IT) Security is to guarantee confidentiality, integrity, and availability by putting in place all of those instruments, tools, methodologies, resources, standards, policies, procedures, guidelines, risk assessment, annual internal audit, incident management, and change management inside the organization in order to mitigate risk. In other words, depending on the dimension, type of business, number of employees, type of information created by
Nowadays, the information is the most treasured asset in an organization, due to it along with the experience represents the input necessary to take appropriate decisions and consequently to have success in the business. Almost all the information and knowledge related with the processes business, goods and services offered by a company, is processed, managed and stored through technology and information systems, thus the security of information has become increasingly important and plays a critical role in the enterprise government.