IT Risk Management Robust Economy

Question: Describe about the IT Risk Management for Robust Economy. Answer: Introduction: New South Wales is the most preferred site in the region of Asia-Pacific because it had a robust economy. NSW government is working on securing property and personal. It also focuses on risk management program. It works on providing structure to the on-going risk management Mark, 2014). The activities like documentation and record keeping are also generated with the development of risk management program. The most important step correspondent to the security purposes is the regular monitoring of the activities and evaluation. The activities which are associated with the risk management program are divided into four sections which are named as framework for security risk management, control for core security risk, control for security risk should be provided in priority areas, and control for security risk should be provided in unplanned activities (Moodley, 2011). Objective: The objectives of the government of NSW are summarized below: Confidentiality of the information: It restricts the unauthorized access and the disclosure of the information (Taylor, 2008). Integrity of the information: it helps in protecting the information for unauthorized alteration of the data and prevents it from challenges faced in providing authenticity. Availability: The authorized user of the information should be provided reliable and timely access of the information and data. Compliance: The security controls should comply with the applicable regulations, policies, legislation, and contractual obligation which are essential for the information to be lawfully available to the users (Jin, 2011). Assurance: The assurance should be provided to the government for accessing the confidential information. Diagram: Explanation of the Diagram: Identification of Hazard for Security: The nature of work should be observed Proper review should be carried out of incident reports, hazard reports, and any other relevant data. Proper review should be carried out of results of the recent security incident Proper review should be carried out of the operational reviews. Consultation should be done with staff to predict the data which they consider as the hazards (Taylor, 2008) Consultation should be done with the stakeholders to predict the external agencies data which they consider as the hazards Inspection and audits should be done of the workplace Development of the scenarios which can be predict as the consequence of the incident which is relevant to the security (Richard, 2011) Proper analysis of the breaches and the incidents Establishing of the risk factors which are associated with the information. Factors responsible for the security risk: Frequency and exposure of the hazard The potential of the loss which is associated with the risk Occurrence of the damage or loss Risk associated with the property Control strategies which are taken into consideration. Process of Risk assessment: Consultation with the staff members Experience at the workplace should be examined Reviewing of the incident Reviewing of the guiding material Security Risk Analysis: Source of the risk Action associated with it Cracker Profiling of the system Social engineering concept Intrusion in the system Accessing of the unauthorized system Computer criminals Cyber crime Act of frauds Bribery of the information Spoofing of the system Intrusion in the system Botnets Spam Activity of phishing Terrorist Penetration of the system Tampering of the system Espionage of the industries Exploitation of the economy Theft of the information Penetration of the system Social engineering Unauthorized access of the system Insiders Blackmailing Computer abuse Theft and the fraud Loss of personal information Misuse of personal information Creation of the system bugs Creation of the system intrusion The magnitude of the risk can be categorized as high, low, and medium which are summarized in the table below: Impact of the Risk Explanation High The costly loss of Assets is categorized as High Medium The risks which are associated with violating and harming operational activities are categorized as medium Low Some Loss of assets and operational activities are categorized as low The table below shows scaling of the risk: Portability of the Risk Low Medium High High (1.0) Medium 10 * (10 * 0.1) Medium 20 (20 * 0.1) High 30 * (30 * 0.1) Medium (0.5) Low 10 * (10 * 0.5) Medium 10 (20 * 0.5) Medium 15 (30 * 0.5) Low (0.1) Low 1 (10 * 0.1) Low 2 (20 * 0.1) Low 3 (30 * 0.1) Comparative Analysis of Deliberate and Accidental threats Deliberate threats are the threats which are caused to the sensitive data by unauthorized accessing of the data (Gordon, 2015). Failure of the equipment and software etc are come under the category of accidental threats. Sequential order of the threats is given below: Failure due to power Failure of errors in network infrastructure Obsolescence in technology Errors or failure in the hardware Errors or failure in the software Issues in operation Interception in communication Repudiation Espionage of the communication Attacks of Social engineering Deliberation attack of data Misusing of the system Unauthorized accessing of the resources Shortage of the staff Threats due to environment Reduction in the quality of service Misusing of the web application Incomplete policies or planning for the organization Fraud in finance Unauthorized access of information Equipment theft The difference between the concepts of Risk and Uncertainty: NSW government works on providing structure to the on-going risk management. The risk associated with the information security is amalgamation of the likelihood and the result associated with the incident (Brightwell, 2014). The risks are associated with the threats and threat can exploit the vulnerabilities of the information system. The situation which arises from imperfect and unknown information is known as uncertainty (Mahmood, 2015). It may arise due to the internal or external accidental loss of data. Evaluation of Risk Control: Economic Appraisal Management of the risk Management of the values Objective specification Identification of the option Modification of the option according to the reviewing of the risks Evaluation of the option Selection of the option For each option available: Establishment of the content of risk Identification of the risk associated with each option Assessment of the magnitude Development of the strategies Development of the option Identification and evaluation of the risk Evaluation of the option Preparation of the report Process of Risk Management: Familiarization of the proposal: Objective Definition Identification of the criteria Definition of the key elements Analysis of the risk Identification of the risk Assessment of the risk Ranking of the risk Risk associated with screen minor Planning of the response: Identification of the responses Selection of the best response Development and management of action Report Generation Management of the schedules and measures Implementation: Schedule management effect Monitoring and reviewing of the plan Security risk controls: Substitution of the hazard which can give rise to the hazard Isolation of the hazard by putting it on the risk Minimization of the risk by using the engineering process Minimization of the risk by using the administrative process Equipments should be used for personnel protection Inspection and audits should be done of the workplace Development of the scenarios which can be predict as the consequence of the incident which is relevant to the security Proper development of the hazard report, incident report, incident management report, incident investigation report, injury management report, and others. Principles: The key principles on which the policies are based are as follows: The objective is to provide services which are in the welfare of the people. The information related to the person should be securely managed so that the privacy and confidentiality of the data can be preserved Security should be provided to the critical and sensitive information The level of security should be determined for securing the information Policy for digital information security is classified as M2012-15 Awareness program should be organized for educating the people about the security to the digital information The information which is released should be comply with the current state of the legislation The controls for securing the information should be implemented to mitigate from the risk associated with the sensitive information. Eight Rules of Information Security: Least privileged rule: For example; creation of the security policies Change rule: For example; Backup of the test server Trust rule: For example; accuracy in the perception Weakest link rule: For example; Identification of the environment weakest link Separation rule: Isolation of services and data Three fold process rule: It is the combination of implementation, monitoring, and maintenance Preventative action rule: Awareness of security issues Immediate and proper response rule: Quick reaction References: Mark, S. (2014). Regulation of the legal services in the E-world (1st ed.). Retrieved from https://www.olsc.nsw.gov.au/Documents/regulation_of_legal-services_working_paper_oct2011_part1.pdf Moodley, K. (2011). Electronic Information Security Policy - NSW Health s (1st ed.). Retrieved from https://www0.health.nsw.gov.au/policies/pd/2013/pdf/PD2013_033.pdf Gordon, T. (2015). Useful Security Information for Business (1st ed.). Retrieved from https://www.secure.nsw.gov.au/what-you-can-do/useful-security-information-for-business/ Brightwell, L. (2014). NSW Electoral Commission (1st ed.). Retrieved from https://www.elections.nsw.gov.au/__data/assets/pdf_file/0007/193219/iVote-Security_Implementation_Statement-Mar2015.pdf Mahmood, F. (2015). Eight Rules of Information System Security (1st ed.). Iversion. Retrieved from https://blog.iversion.com.au/eight-rules-of-information-system-security/ Taylor, A. (2008). Information Security Management Principles (1st ed.). BCS. Retrieved from https://www.bcs.org/upload/pdf/infosec-mgt-principles.pdf Richard, M. (2011). Risk Management Guideline (1st ed.). Retrieved from https://www.treasury.nsw.gov.au/__data/assets/pdf_file/0009/5103/risk_management.pdf Jin, Z. (2011). Vulnerability Analysis Approach To Capturing Information System Safety Threats and Requirements (1st ed.). Retrieved from https://www.sersc.org/journals/IJSEIA/vol5_no4_2011/7.pdf