Tuesday, May 5, 2020

Information Technology and Security Risk Management

Question: Discuss Information Technology and Security Risk Management.

Answer:

Introduction

Under the present arrangements, the NSW Government faces numerous security risks and threats. An ICT security strategy has been developed so that information can be secured and protected from these risks. This document includes a security risk diagram that highlights the critical security risks the NSW Government is facing. A critical analysis of the probable risks has been performed, and some countermeasures have been suggested.

Security Risk Diagram

The risks to the NSW Government and its architecture have been analysed from the perspective of the category of information affected. The information handled by the NSW Government is divided into the following categories.

Office Use: Information that may be used in addition to unclassified data. Generally, it is data provided by state agencies for use by officials only.

Sensitive: Data that carries a security classification. This is where security provisions should be strongest and disclosure kept to a minimum.

Sensitive: Personal: Personal information about individuals, state agencies and other organisations linked with the NSW Government.

Sensitive: Legal: Information subject to legal professional privilege.

Sensitive: Cabinet: Information linked with the Cabinet of the Australian Government, such as official records, proposals, submissions to Cabinet and documentation of Cabinet decisions.

Sensitive: Law Enforcement: Information linked with, or that might influence, law enforcement actions, such as law enforcement training material and information from confidential sources.

Sensitive: Health Information: Information bound by various regulatory and legal policies.

Sensitive: NSW Cabinet: Official records linked with the NSW Government Cabinet, such as minutes, submissions and cabinet agendas.

The risks shown in the security risk diagram are identified on the basis of the category of information they affect.

Data Integrity Risks: Data is transferred internally from one NSW Government component to another, and the same information is also shared externally. These risks arise primarily during data transfer and sharing, and they allow unauthorised modification of information that may be sensitive or confidential.

Network Threats: Threats such as sniffing, man-in-the-middle attacks and unauthorised network monitoring.

Malware Threats: Malware that attacks the availability, integrity and confidentiality of information is developed continually. It includes worms, logic bombs, Trojans and similar programs.

Application Vulnerabilities: The NSW Government operates many APIs and interfaces, which open paths for various vulnerabilities.

Operational Risks: Risks arising from failed or inadequate systems and/or sub-systems, whether internal or external.

Business Risks: Events with the capability to cause financial loss to the NSW Government (NSW Government Digital Information Security Policy | NSW ICT STRATEGY, 2015).

Legal Risks: Violations of legal policies and of the terms and conditions of the NSW Government, together with the components linked to them.

Risk Register

Risk ID  Risk                         Possibility  Impact Level  Risk Ranking
R1       Network threats              M            H             H
R2       Integrity of data            M            H             H
R3       Application vulnerabilities  H            L             M
R4       Malware threats              H            L             M
R5       Legal risks                  M            M             M
R6       Operational risks            L            H             H
R7       Business risks               L            H             H

L: Low, M: Medium, H: High

The ranking weights impact above possibility: a low-possibility, high-impact risk (R6, R7) is ranked High, while a high-possibility, low-impact risk (R3, R4) is ranked only Medium.

Deliberate and Accidental Threats

Threats carried out by an individual through human-to-human or human-to-machine interaction with malicious intent are known as deliberate threats. As the name suggests, they are executed deliberately to harm the affected party and to gain some benefit (Vavoulas, 2016). Threats that occur unintentionally are known as accidental threats; usually they result from insufficient knowledge or negligence.

The threats described above include both kinds. Deliberate threats include network threats, data integrity threats and malware threats, carried out to gain unauthorised access to information and misuse it to cause harm. Their impact ranges from low to high, depending on the information exposed. Accidental threats include business risks and application vulnerabilities, which can arise from mismanagement of operations or procedures, or from negligence (Cole, 2012). Operational risks and legal risks can be either accidental or deliberate, depending on the procedures involved and how the event occurs: there may be cases of negligence, and others in which deliberate acts are performed for personal gain.

Challenges

Organisational Factors: The NSW Government comprises external users, senior officials, top management, policy makers and many other individuals. There may be a lack of communication between the officials who make decisions and those who implement them.

Human Factors: The NSW Government comprises a large number of both external and internal individuals. There may be disputes and conflicts among them, particularly between external and internal entities. Another problem is the availability of the necessary individuals and effective communication at a common time, which can delay implementation (Information Technology and Security Risk Management Top 12 Risks, 2012).

Technological Factors: This is a critical issue that will arise for the NSW Government while implementing the risk management or security policies. The current technical architecture and infrastructure would need to be brought into line with the recommendations. In addition, NSW Government components are spread across a large geographical area, so a small modification in one area triggers a chain of modifications across the whole architecture.

Risk and Uncertainty

Risk can be defined as an event associated with a chance of losing or winning something of value. Uncertainty refers to cases in which the future is unknown and unpredictable. Risks can be measured and controlled, while uncertainties cannot (Surbhi, 2016). In the NSW Government's case, the risks are described and highlighted above. Some uncertainties are also linked with the case, such as unpredictable failures of third parties, hazards arising from present business activities, and the effects of natural disasters. These uncertainties are unpredictable and unmeasurable, and therefore uncontrollable; because they cannot be identified in advance, tactics to avoid or mitigate them cannot be planned. Risks, by contrast, can be assessed and controlled with a proper risk management plan (Information Technology and Security Risk Management Top 12 Risks, 2012).

Risk Control and Mitigation

Network Controls: The low-to-high effects of network threats can be controlled through high-level security measures such as intrusion detection, dedicated networking teams, and network and traffic scanning.

Malware Controls: Use of current, regularly updated anti-virus and internet security software reduces the risk of malware infecting systems. No anti-virus product stops every category of malware, so these controls should be paired with prompt patching and least-privilege user accounts.

Legal and Regulatory Compliance: Every internal and external party must conform to the legal and regulatory policies for handling information, so that information integrity, availability and safety are maintained at all times (ISO IEC 27000 2014 Information Security Definitions, 2013).

Advanced Identity and Access Management: Single sign-on and sign-off across the web portals, increased physical security, strong passwords, one-time passwords (OTPs), and unique identification of each user so that the handling of information can be tracked and audited.

Improved Disaster Recovery: Implementing the NSW Digital Information Security Policy provides a robust disaster recovery plan and policy. It ensures business continuity and service delivery, and provides recovery plans for each component and application linked with the NSW Government.

Conclusions

The NSW Government handles a huge amount of information daily. Maintaining the availability, integrity and confidentiality of that information, and protecting and securing it at all times, is critical for all entities involved. Various risks are linked with the NSW Government; these have been categorised according to the information they affect. Various challenges may arise while implementing a robust risk/security management policy. The risks can be mitigated through malware, network, legal and other tactics and controls.

References

Cole, E. (2012). Accidental insider threats and four ways to prevent them. SearchSecurity. Retrieved 18 August 2016, from https://searchsecurity.techtarget.com/tip/Accidental-insider-threats-and-four-ways-to-prevent-them

Surbhi, S. (2016). Difference Between Risk and Uncertainty - Key Differences. Key Differences. Retrieved 16 August 2016, from https://keydifferences.com/difference-between-risk-and-uncertainty.html

Vavoulas, N. (2016). A Quantitative Risk Analysis Approach for Deliberate Threats. Retrieved 16 August 2016, from https://cgi.di.uoa.gr/~xenakis/Published/39-CRITIS-2010/CRITIS2010-RiskAnalysisDeliberateThreats.pdf

Information Technology and Security Risk Management Top 12 Risks: What are the risks? What are the solutions? (2012) (1st ed., pp. 11-14). Australia. Retrieved from https://www.amsro.com.au/amsroresp/wp-content/uploads/2010/12/AMSRO-TOP-12-Information-Technology-Security-Risk-Management-1.pdf

NSW Government Digital Information Security Policy | NSW ICT STRATEGY. (2015). Finance.nsw.gov.au. Retrieved 18 August 2016, from https://www.finance.nsw.gov.au/ict/resources/nsw-government-digital-information-security-policy

ISO IEC 27000 2014 Information Security Definitions. (2013). Praxiom.com. Retrieved 18 August 2016, from https://www.praxiom.com/iso-27000-definitions.htm
