IT Risk Management Threats and Risks

Question: Discuss about the Report for IT Risk Management of Threats and Risks. Answer: Introduction NSW Government is home to a number of security threats and risks as per the current scenario. ICR strategy has been developed in order to keep the information safe and secure from all such risks. The document covers a security risk diagram highlighting the major security risks that the NSW government goes through. A detailed analysis of the potential risks is done along with the countermeasures suggested for the same. Security Risk Diagram The risks that are associated with NSW Government and its architecture are assessed on the basis of the information category that is affected by the same. The information that NSW Government deals with has been classified on the basis of a number of categories as described below: For Office Use Only This is the category of information that may be used along with the unclassified information only. It is usually the information that is provided by the state agencies and is used by the officials only. Sensitive Information This is the information that has security classified or unclassified where the security provisions must be applicable and the disclosure must be minimum. Sensitive: Personal The information type that includes the personal information about the individuals that are associated with NSQ Government or the state agencies or other organizations is covered under this category. Sensitive: Legal The information or data that is subjected to legal professional privilege is covered under this category. Sensitive: Cabinet The information that is associated with the Australian Government Cabinet and includes details such as official records of the cabinet, documents containing proposals and submissions related to the cabinet, documents that may reveal decisions taken by the cabinet and likewise. Sensitive: NSW Cabinet All the official records those are associated with the NSW Government such as cabinet agendas, submissions, minutes etc. Sensitive: NSW Government This category covers the information that includes details which if revealed may endanger individual or private entities and likewise. Sensitive: Law Enforcement The information that is associated with or may have an impact on all the law enforcement activities such as information provided by confidential source, training information on enforcement of law and many more. Sensitive: Health Information Health information is the category of information that is bound by a number of legal and regulatory policies The risks that are displayed in the diagram above have been identified as per the impacted information category: Data Integrity Risks: The information flows from one component of NSW Government to another component internally. The same is shared externally as well and these risks are executed primarily during data sharing and data transfer. These allow the unauthorized modification of information that may be sensitive or confidential in nature. Network Threats: Network threats such as unauthorized network monitoring, man-in-the-middle attacks, sniffing and likewise fall under this category of risks. Malware Threats: A number of malware is developed on a frequent basis that may affect the confidentiality, integrity and availability of information such as anti-virus, Trojans, logic bombs and worms. Application Vulnerabilities: NSW Government is composed of a number of interfaces and APIs and the same opens the path for a number of vulnerabilities associated with the same. Operations Risks: These are the risks that may result from inadequate or failed system or sub-systems that may be internal or external in nature. Business Risks: These are the risks that may include the vents that would have the potential to bring down the profits associated with the NSW Government. Legal Risks: These are the risks that may result in the violation of the legal policies, terms and conditions that are associated with NSW Government and the corresponding components of the same ("NSW Government Digital Information Security Policy | NSW ICT STRATEGY", 2015) Risk Register Risk ID Risk Likelihood Impact Risk Ranking RS1 Data Integrity Medium High High RS2 Network Threats Medium High High RS3 Malware Threats High Medium-Low Medium RS4 Application Vulnerabilities High Medium-Low Medium RS5 Operations Risks Medium Medium Medium RS6 Business Risks Low High High RS7 Legal Risks Low High High Deliberate and Accidental Threats Deliberate threats are defined as the threats that are executed by humans through human-machine or human-human interaction that is based on a malicious intent. As the name suggests, these threats are executed deliberately to cause harm to the affected party and to gain benefit out of the same (Vavoulas, 2016). Accidental threats on the other hand are the threats that are caused unintentionally. These are usually occurred in case of negligence or inadequate knowledge. The threats that are described above comprise of some of the deliberate and a few accidental threats. Malicious threats, data integrity threats are network threats are the ones that are always deliberate in nature. These threats are executed to gain unauthorized access to the information and misuse the same piece of information to cause harm to the victim. The impact of the same may be low to high in nature depending upon the information that is exposed. Application vulnerabilities and business risks are the ones that are mostly accidental in nature and are caused due to mishandling of the procedure or operations or due to negligence as well (Cole, 2012). Legal risks and operations risks are both deliberate and accidental in nature and the same depends upon the occurrence and procedure involved in it. There may be scenarios wherein negligence may be involved or some events wherein selfish benefits and deliberate acts are involved. Challenges to implement security/risk management policies Human Factors NSW Government is composed of a massive number of humans, both internally and externally. There will be scenarios of conflicts and disputes between the human entities especially between the parties wherein one is internal and the other is external. Another challenge may be effective communication and availability of the required parties at a common time which may delay the implementation procedure. Organizational Factors NSW Government is composed of policy makers, top management, senior level officials, external users and many more. There may be a lack of communication between the officials at the decisive level and the ones at the implementation level. Technological Factors This is one of the major challenges that will emerge before the NSW government while implementing the security/risk management policies. Existing technological infrastructure and architecture will not be compatible with all of the suggested solutions. Also, the components of NSW government is spread to such a huge area all across the geographical location such that a minor change in the architecture will impact a chain of changes in the entire architecture (Information Technology and Security Risk Management Top 12 Risks What are the risks? What are the solutions?, 2012). Risks and Uncertainties A risk is defined as an event that is always associated with the probability of either winning or losing something that is worthy in nature. Uncertainties are the situations where the future is not known and cannot be predicted as well. Risks are measurable and controllable whereas the same is not the case with the uncertainties (Surbhi, 2016). In case of NSW Government, the risks have been highlighted and described above. There are also a number of uncertainties that are associated such as impact of the natural disasters and hazards on the ongoing business activities or the failures that happen at the end of the third parties which could not be predicted earlier. These uncertainties cannot be measured or predicted and hence, cannot be controlled as well. They can never be identified well in advance to form strategies to mitigate or avoid the same. The risks on the other hand can be assessed and controlled with a proper risks management plan. Approaches to Risk Control and Mitigation Enhanced Disaster Recovery NSW Digital Information Security Policy (DISP) can be implemented with a strong disaster recovery policy and plan. It will ensure smooth business continuity and service delivery and will provide recovery plan for every single component and application that is associated with NSW Government. Network Controls There are a number of low to high impacting network threats which can be controlled through advanced network security measures such as network scans, traffic scans, dedicated networking team, intrusion detection and likewise. Malware Controls Use of the latest anti-virus software along with internet security will keep all the categories of malware away from the system. Legal and Regulatory Compliance Every party, whether internal or external must abide by the legal and regulatory policies that are defined for the information handling to keep the confidentiality, integrity and availability of the information safe and secure at all times. Advanced identity and access management Use of Single Sign on and sign off on the web portals, improved physical security, stronger passwords, One Time Passwords and unique identification tracking and handling must be ensured ("ISO IEC 27000 2014 Information Security Definitions", 2013). Conclusions NSW Government deals with massive information on a daily basis. In order to keep the confidentiality, integrity and availability of the information protected and secure at all time is must for the entity. There are a number of risks that are associated with NSW Government which are classified in a number of categories on the basis of the information that they impact. There can be a number of challenges that may appear while implementing a strong security/risk management policy and the risks can be mitigated through a number of legal, network, malware and other controls and strategies. References Cole, E. (2012). Accidental insider threats and four ways to prevent them. SearchSecurity. Retrieved 18 August 2016, from https://searchsecurity.techtarget.com/tip/Accidental-insider-threats-and-four-ways-to-prevent-them Surbhi, S. (2016). Difference Between Risk and Uncertainty - Key Differences. Key Differences. Retrieved 16 August 2016, from https://keydifferences.com/difference-between-risk-and-uncertainty.html Vavoulas, N. (2016). A Quantitative Risk Analysis Approach for Deliberate Threats. Retrieved 16 August 2016, from https://cgi.di.uoa.gr/~xenakis/Published/39-CRITIS-2010/CRITIS2010-RiskAnalysisDeliberateThreats.pdf Information Technology and Security Risk Management Top 12 Risks What are the risks? What are the solutions?. (2012) (1st ed., pp. 11-14). Australia. Retrieved from https://www.amsro.com.au/amsroresp/wp-content/uploads/2010/12/AMSRO-TOP-12-Information-Technology-Security-Risk-Management-1.pdf NSW Government Digital Information Security Policy | NSW ICT STRATEGY. (2015). Finance.nsw.gov.au. Retrieved 18 August 2016, from https://www.finance.nsw.gov.au/ict/resources/nsw-government-digital-information-security-policy ISO IEC 27000 2014 Information Security Definitions. (2013). Praxiom.com. Retrieved 18 August 2016, from https://www.praxiom.com/iso-27000-definitions.htm