Information Security Policy – Access Controls, Authorization, and Authentication
shabai
RiskAssessmentPresentation.ppt
Nathan Bailey
CMGT/245
Prof. Michael Geoffreda
November 5, 2018
RISK ASSESSMENT PRESENTATION
THE MAIN USES FOR AN IT SYSTEM
Communication purposes-in collecting and distributing information, and the IT system can make the process to be more efficient
Operations Management-IT system offers more complete and more recent information.
Communication purposes
Part of management is gathering and distributing information, and the IT system can make this process more efficient by allowing Ben to communicate efficiently
Operations Management
IT system offers more complete and more recent information, allowing Ben to operate the company more efficiently. Ben can use information systems to gain a cost advantage over competitors or to differentiate himself by offering better customer service. Sales data give Ben insights about what customers are buying and let him provide better services that are selling well. With guidance from the information system, Ben can streamline his operations.
*
THE MAIN USES FOR AN IT SYSTEM
Decision-Making- the IT system can help Ben make better decisions by providing all the needed information
Record-Keeping- the shop requires records of its operations for financial and regulatory functions
Decision-Making
The company information system can help Ben make better decisions by delivering all the information he needs and by modeling the results of his decisions. When Ben has accurate, up-to-date information, he can make the choices with confidence
Record-Keeping
Your company needs records of its activities for financial and regulatory purposes as well as for finding the causes of problems and taking corrective action. The information system stores documents and revision histories, communication records and operational data
*
DATA TYPES AND RISKS
All data should be classified into either one of the following
Restricted Data-Data whose unauthorized disclosure, modification or destruction could lead to high level of risk to the business e.g. data protected by state
Data classification based on its level of sensitivity and the impact to the business should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All data should be classified into one of three classifications:
Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the business or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements.
*
DATA TYPES AND RISKS
Private Data-Data whose unauthorized disclosure, modification or destruction could lead to moderate level of risk to the business .
Public Data-Data whose unauthorized disclosure, modification or destruction could lead to little or no risk to the business
Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the business or its affiliates.
Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would results in little or no risk to the business and its affiliates. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.
*
EXAMPLES OF DATA RISKS ASSOCIATED WITH THE SYSTEM
Low Risk-Information available on the business website and Business contact information not designated as "private"
Moderate Risk-Customer records and purchase orders, Personnel files and personal contact information
High Risk-Social Security Numbers and Credit card numbers
Low Risk
• Research data
• Information available on the business website
• Policy and procedure manuals
• Job postings
• Business contact information not designated as "private"
• Information in the public domain
Moderate Risk
• customer records and purchase orders
• Staff personnel files, benefits, salary, birth date, personal contact information
• Non-public business policies and policy manuals
• Non-public contracts
• Business internal memos and email, non-public reports, budgets, plans, financial info
• Business employee ID numbers
High Risk
• Social Security Numbers
• Credit card numbers
• Financial account numbers
• Driver's license numbers
• Passport and visa numbers
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
COMMON RISKS ASSOCIATED WITH THE SYSTEM
Inappropriate data access, virus infection, fraud and misuse of the system
Data theft from non-limited access to BYOD devices by employees
Data leakage or unintentional sharing of private
Social engineering attacks and phishing
Loss of reputation or legal Implications
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of non-limited administrative access to physical infrastructure
Data theft from non-limited access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in system and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
PRIORITIZED LIST OF THE RISKS IDENTIFIED
| Risk | Likelihood | Low Risk | Moderate Risk | High Risk | Very High Risk |
| Inappropriate data access in secure file storage | Moderate | ✔ | ✔ | ✔ | |
| Virus infection of business network infrastructure | High | ✔ | ✔ | ||
| Fraud | High | ✔ | ✔ | ✔ | |
| Misuse of the system | Moderate | ✔ | ✔ | ||
| Data theft | ✔ | ✔ | |||
| Data leakage or unintentional sharing | High | ✔ | ✔ | ✔ | |
| Loss of reputation or legal Implications | Low | ✔ |
Inappropriate data access due to improperly defined or applied authentication and authorization causing
Virus infection and misuse of the system as a result of non-limited administrative access to physical infrastructure
Data theft from non-limited access to BYOD devices by employees
Unapproved access and data misuse due to weak user passwords in system and applications
Data leakage or unintentional sharing of private data as a result of inappropriately classified data
Fraud and misuse of data or theft due to unclear or improper access to customer and suppliers’ resources
Social engineering attacks and phishing
Loss of reputation or legal Implications due to inappropriate e-mail handling and inappropriate utilization of utilities such as messengers or Skype
*
RISKS MITIGATION
The installation of reliable antivirus software
Utilization of complex passwords in each of the computers and Web-based applications
Provision of guidelines through employee training on dos and don’ts of utilizing systems and Internet.
Creation of security policy to addresses the responsibilities, rights and duties of employees
Risks Mitigation
The installation of reliable antivirus software which acts as the final line of defense from unwanted attacks. The antivirus program detects and removes virus and malware as well as filter possibly malicious downloads or emails.
All employees must utilize complex passwords in each of the computers and Web-based applications that require key for access. Complex passwords make it hard for hackers to crack them.
Installation of encryption software that protects data related to credit cards and bank accounts. Strong encryption algorithms transform readable data into unreadable codes that make altering of information difficult to accomplish. Even when data is lost it becomes obsolete without the keys used to encrypt the data.
Provision of guidelines through employee training on dos and don’ts of utilizing systems and Internet. For example, on how to handle suspicious emails. A security policy provides guidelines on putting limited access to critical data, taking of regular back-ups and the securing of Wi-Fi Networks that are highly vulnerable to attacks.
The security policy to addresses the responsibilities, rights and duties of employees
*
REFERENCES
Berson, A., & Dubov, L. (2011). Master data management and data governance. New York: McGraw-Hill.
DeLuccia, J. J. (2008). IT compliance and controls: Best practices for implementation. Hoboken, N.J: John Wiley & Sons.
Dufey, G., In Frenkel, M., Hommel, U., & Rudolf, M. (2005). Risk management: Challenge and opportunity. Berlin: Springer.
