The objective of this risk assessment is to evaluate the adequacy of Wells Fargo's security and network. A risk assessment should provide a structured assessment of the business environment from both a qualitative and a quantitative point of view. A proper risk assessment should address the risks, safeguards, threats, and vulnerabilities the company might face in the future, and it should also recommend safeguards that mitigate those risks cost-effectively (Haimes, 2015). The scope of this risk assessment is the use of controls and resources by the company's systems. The controls are categorized into planned controls and controls already implemented to eliminate or manage vulnerabilities that could be exploited by threats external or internal to the Wells Fargo system. The risk assessment combines an evaluation of the confidentiality, integrity, and availability of the system. Availability concerns any loss of system access; integrity, on the other hand, is protection from any improper or unauthorized modification of company information (Haimes, 2015). Finally, the study takes confidentiality to be protection from any disclosure of the company's network information to unauthorized entities. The study aims to develop a risk assessment methodology that applies to the Wells Fargo company setting.
Methodology
A risk assessment process is meant to identify potential risk factors and hazards that might cause harm in the future. With that in mind, the study follows this line of thought in proposing a suitable risk assessment methodology for Wells Fargo. The process should apply a standard framework in the analysis procedure that identifies the potential risks the company might face. The initial step is the definition of risk in the present context. This research identifies risk as any potential loss or damage Wells Fargo might experience, based on the probability that a threat posed to the company manages to exploit a vulnerability. Potential risks this company might face include privacy problems, financial losses that cause business disruptions, legal crises, and damage to the company's brand and reputation (Aagedal, Den Braber & Dimitrakos, 2018). Based on these definitions, the methodology adopted by the study can be summarized as: Potential Risk = Threat × Vulnerability.
Threat
A threat is described as an incident that can be defined from two standpoints. On the one hand it can be a new incident; on the other, it can be an incident that has only newly been discovered and can cause harm to the company network, with implications for normal company operations. Threats fall into three broad categories. The first category identifies threats from a natural perspective, where human abilities have no control over the incident (Aagedal, Den Braber & Dimitrakos, 2018). Natural threats include floods, tornadoes, hurricanes, and other calamities that have the potential to harm the company's infrastructure, such as offices and network systems. The second category is unintentional threats (Aagedal, Den Braber & Dimitrakos, 2018). This form of threat is posed accidentally by persons acting in good faith. A good example of this kind of threat is the unauthorized access of classified information by employees, or a case where an employee accidentally lands on information other than the one originally intended. The final kind of threat is the intentional kind, which is considered a major challenge to modern companies, especially given the advancements in technology (Aagedal, Den Braber & Dimitrakos, 2018). Such threats that Wells Fargo is likely to face include malware, spyware, and even adware attacks. Another significant current trend in security risk management is the threat posed by disgruntled employees who commit malicious acts against the firm in revenge, either secretly or publicly, when they hold security clearance or have the means to obtain the required clearance. Since the algorithm is internet-based, it can be attacked by different kinds of malware, which would affect its performance and give wrong results (Willcocks, 2013).
Due to the nature of the company's operations, which center on financial management and security, the potential threats the company might face are mostly IT related. The problems include data interference, illegal access, misuse of the company's devices, identity theft and forgery, system interference, electronic fraud and, ultimately, illegal interception (Aagedal, Den Braber & Dimitrakos, 2018).
Vulnerability
The other component of risk applied in this project's risk assessment methodology is vulnerability. It is easy to confuse threats and vulnerabilities and treat them as one. The two are, however, very different, especially in application. A vulnerability is considered to be a potential weakness in a resource used within an organization that an attacker can exploit in an attempt to achieve their aims (Landoll & Landoll, 2015). A good example from the Wells Fargo case that illustrates the concept is a Wells Fargo employee with high-level security clearance who decides to retire. In most cases, when a key worker retires voluntarily, the company is ill-prepared, and amid the resulting confusion the organization may be slow in the transition process that disables the employee's access to all possible accounts, both internal and external. This transition also involves removing the employee's name from the organization's networks and systems, including the login credentials they previously used and their credit card authorizations. If these items are not changed in good time, the delay presents a point of vulnerability for the company. This means the company is vulnerable to both intentional and unintentional threats (Landoll & Landoll, 2015).
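The retirement scenario above is, in practice, a deprovisioning gap: access that should have been revoked on the employee's last day stays active. The following offboarding audit is an added example (not from the original paper and not Wells Fargo's own tooling) that cross-references a constructed list of separations against a constructed list of access records and flags access that is still active, or was disabled late, past an assumed one-day grace period.

```python
"""Offboarding audit: flag access that outlived an employee's separation.
All records below are constructed sample data, not real company records."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Separation:
    employee_id: str
    last_day: date            # employee's final working day (from HR)

@dataclass(frozen=True)
class Access:
    employee_id: str
    system: str               # e.g. "vpn", "core-banking", "corporate-card"
    active: bool
    disabled_on: Optional[date] = None  # set when access was revoked

GRACE_DAYS = 1   # assumed acceptable deprovisioning window after last day

def stale_access(separations: List[Separation], accesses: List[Access],
                 today: date, grace_days: int = GRACE_DAYS) -> List[Tuple[str, str, int]]:
    """Return (employee_id, system, days_overdue), worst first, for every
    access record that was still active, or was disabled late, after the
    owner's separation deadline. Current employees are skipped."""
    deadline_for = {s.employee_id: s.last_day + timedelta(days=grace_days)
                    for s in separations}
    findings = []
    for a in accesses:
        deadline = deadline_for.get(a.employee_id)
        if deadline is None:
            continue  # no separation on file: not an offboarding issue
        if a.active and today > deadline:
            findings.append((a.employee_id, a.system, (today - deadline).days))
        elif not a.active and a.disabled_on and a.disabled_on > deadline:
            findings.append((a.employee_id, a.system, (a.disabled_on - deadline).days))
    return sorted(findings, key=lambda f: -f[2])

# Constructed sample: E1001 retired on 2024-03-29; E2002 still employed.
SEPARATIONS = [Separation("E1001", date(2024, 3, 29))]
ACCESSES = [
    Access("E1001", "vpn", active=False, disabled_on=date(2024, 3, 29)),   # on time
    Access("E1001", "core-banking", active=True),                          # never revoked
    Access("E1001", "corporate-card", active=False, disabled_on=date(2024, 4, 12)),  # late
    Access("E2002", "vpn", active=True),                                   # current staff
]

def run_sample(today_iso: str = "2024-04-30") -> List[Tuple[str, str, int]]:
    """Run the audit on the constructed sample as of the given ISO date."""
    return stale_access(SEPARATIONS, ACCESSES, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for emp, system, days in run_sample():
        print(f"{emp}: {system} access {days} day(s) past the revocation deadline")
```

A real run would replace the two constructed lists with exports from the HR system and each access-granting system, and the grace period with the value the assessment team sets.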
Research in the recent past has, however, shown that the majority of the vulnerability cases faced by organizations and companies, especially in the financial sector, involve attacks carried out by automated systems purposely built to perform them (Aagedal, Den Braber & Dimitrakos, 2018). A recent case at Facebook illustrates vulnerability, where the company could not guarantee the security of its clients' data despite handling personal and confidential information from users. A company by the name of Cambridge Analytica managed to gain access to the information of more than 50 million users after it compromised the security of Facebook's networks (Aagedal, Den Braber & Dimitrakos, 2018).
The study will therefore conduct a test for vulnerabilities; in the Wells Fargo case, a set of specific questions will be used to find out which vulnerabilities the company might be facing. The first question the risk management team should ask in the assessment is whether a backup system exists, together with a storage facility located securely at an external off-site location. The second question is whether the company has cloud storage. If it does, the team should determine how the security setup protects the stored information from potential vulnerabilities. The company's security network should also be examined to ensure that only cleared personnel have access to company data. Also on clearance, the management team should assess the measures used to control who can modify or delete data within the company network or from outside it (Haimes, 2015). The final and most important item to be considered is whether the company has a data recovery plan in place for when a vulnerability has been exploited.
References
Aagedal, J. O., Den Braber, F., Dimitrakos, T., Gran, B. A., Raptis, D., & Stolen, K. (2018). Model-based risk assessment to improve enterprise security. In Enterprise Distributed Object Computing Conference, 2018. EDOC'02. Proceedings. Sixth International (pp. 51-62). IEEE.
Haimes, Y. Y. (2015). Risk modeling, assessment, and management. John Wiley & Sons.
Landoll, D. J., & Landoll, D. (2015). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.
Willcocks, L. (2013). Information management: the evaluation of information systems investments. Springer.