
Question

You are to choose a high level system or process within the IT realm of an organization. This can be an email system, web server system, network infrastructure (physical included) or ERP system. (Notice I use the word system, which includes all 7 domains such as user, LAN, workstations and servers/application domains.)

Question Outcomes:
1. Identify and define risk and risk management techniques.
2. Summarize compliance laws relevant to IT within a given industry.
3. Develop a risk management plan.
4. Perform a risk assessment.
5. Identify and evaluate threats, vulnerabilities, countermeasures, and mitigation recommendations.
6. Identify administrative, technical, and physical controls to reduce risk.
7. Perform a business impact analysis.
8. Create a business continuity and disaster recovery plan.

Explanation / Answer

Answers:

1.

Risk in IT realm:

In general, risk is defined as the probability of damage that is caused by external or internal properties or resources. The following are different types of risks for information technology systems such as networks, computers, etc.

The different types of risks in IT system are:

Hardware failure and software failure for a network or system resulting in data corruption, which is defined as errors (unexpected changes) that occur to the original data.

Malware: It is malicious software that is developed to disturb the operations of a computer or a network.

Viruses: It is defined as software code which can replicate itself. It can be transmitted from one system to another system, which results in creating damage to the operations of the computer.

Risk management:

Risk management is the procedure of finding susceptibilities (vulnerabilities) and controlling the risks in an organization's information system.

It is a structured process, which involves a series of actions that are designed to identify, assess and mitigate the risks of the system.

It helps in developing the response plans and conducting reviews of the risk management process.

The security policies and procedures to manage IT risks are:

Secure usage of email by using user IDs and passwords and avoiding unsolicited emails or spam messages.

Maintaining firewalls in order to avoid attacks from malware, Trojan horses, etc. on a server or a computer.

Using a well-established antivirus in order to avoid attacks from viruses.

Developing the processes in order to perform the common activities or tasks.

2.

Compliance laws relevant to Information security governance:

Information security governance is the process of handling various security measures.

It involves safeguarding the information and providing security to information by applying various policies and procedures.

It includes ensuring security: the respective tasks must be monitored and should ensure security.

The top management involving executives or managers of the organization must plan for information security governance.

The users must have a valid username and a password to use the resources of the organization.

3.

The following are the steps to develop a risk management plan:

Identifying various factors that affect the system and analyzing them.

Identify the risk and its impact on the system to be developed. Conduct a review of the risk and its impact and request open suggestions from different users.

Identify the results or impacts for each risk and eliminate the unrelated issues that occur to the system.

Develop a list of all identified risk elements and assign probability and impacts for the risks.

Determine the risk elements such as High, Low and Medium, and rank the risks based on the elements from high risk to low risk.

Compute the total risk of the system and reduce the risk element to the extent possible for the complete system by developing a number of strategies and plans that are unpredictable.

Analyze the effectiveness of the developed strategies.

Again compute the effective risk for the complete system, which leads to a better result than the previous computation of the total risk element.

Monitor your risks by replacing the contingency plans and strategies in the system.

6.

Administrative, Technical, and Physical Controls:

Administrative controls:

Administrative controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization.

These include setting the direction and scope of the security processes and providing detailed instruction for their conduct.

Technical controls:

Technical controls address the tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting the technologies appropriate to protecting information.

These also include logical access controls, such as identification, authentication, authorization, and accountability.

Physical controls:

Physical controls deal with the operational functionality of security in the organization including disaster recovery and incident response planning.

These also address personnel security, physical security, and the protection of production inputs and outputs.
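The risk management plan steps in part 3 above, as an added worked example that is not part of the original answer: a small Python risk register for a hypothetical email system that assigns probability and impact on an assumed 1 to 3 scale, ranks the risks High/Medium/Low, computes the total risk, applies controls and recomputes the residual risk. All risk names, scores and control effects are constructed sample values, not figures from the page.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    likelihood: int   # 1 = rare ... 3 = likely (assumed 3-point scale)
    impact: int       # 1 = minor ... 3 = severe
    # controls: (name, likelihood reduction, impact reduction); effect sizes are assumed
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Probability x impact before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Recompute the score after each control reduces likelihood/impact (floor of 1)."""
        like, imp = self.likelihood, self.impact
        for _, d_like, d_imp in self.controls:
            like, imp = max(1, like - d_like), max(1, imp - d_imp)
        return like * imp

def rating(score: int) -> str:
    """Map a score in 1..9 to the High/Medium/Low risk elements (thresholds assumed)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def rank(risks):
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)  # high to low

def total_risk(risks, residual=False) -> int:
    return sum(r.residual_score() if residual else r.inherent_score() for r in risks)

# Constructed register for a hypothetical email system (sample values only).
EMAIL_RISKS = [
    Risk("Malware in attachment", 3, 3, [("Antivirus on mail gateway", 2, 0)]),
    Risk("Mail server hardware failure", 2, 3, [("Redundant server and backups", 0, 2)]),
    Risk("Spam reaching users", 3, 1, [("Spam filter", 1, 0)]),
    Risk("Weak mailbox passwords", 2, 2, [("Password policy and MFA", 1, 1)]),
]

def report(risks=EMAIL_RISKS) -> dict:
    """Rank, compute total risk, apply controls, then recompute the residual total."""
    ranked = rank(risks)
    return {
        "ranking": [(r.name, rating(r.inherent_score())) for r in ranked],
        "residual": {r.name: rating(r.residual_score()) for r in ranked},
        "total_inherent": total_risk(risks),
        "total_residual": total_risk(risks, residual=True),
    }
```

Running `report()` shows the total dropping from 22 to 8 once the controls are applied, which is the "again compute the effective risk" step of the plan.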
