Methods for Risk Assessment - Case Study Example

Method for Risk Assessment Introduction In any sector within the contemporary scenario, the aspect of risk relevant to security is deemed to be quiteprevalent. Confidentiality of information is an important constituent of business and other sectors owing to the aspect that it influences the operations of any sector in a considerable manner altogether. In this regard, proper assessment of risk is the only through which companies and other sectors can analyze the risks involved and likewise could be able to develop a better business environment. Notably, in the domain of information technology (IT), the aspects of risk assessment and risk management are also deemed to be vital. There are various tools and techniques that exist in this particular sector which can be beneficial to analyze to depict a better comprehension of risk management. OCTAVE is one of such risk assessment tools that has been used extensively in the domain of IT and computer science. OCTAVE which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation includes a bunch of tools and techniques used towards analyzing and evaluating security related aspects in the field of strategic assessment and planning. The methods are considered to be effective owing to their characteristics of flexibility which is ascertained as effective in dealing with varied situations (Reddick, 2011). This particular study will focus on performing a four step risk assessment for a particular scenario on the basis of a four step process with the help of a chosen OCTAVE method. Overview of the Scenario The provided case scenario is for Becoming Company. The company offers products and services including training and inspirational materials such as videos, music and others to the customers within the sector it operates in. The vision of the business is to provide quality products and services to the customers or clients. The company intends to operate efficiently within the dynamic business environment with the help of the deliverance of diversified products and services. The idea of starting the business emerges from the personal experience and interest of the founder i.e. Ann Roger’s who was a victim of anxiety and disorder. Research conducted by her on the aforementioned illness has yielded certain positive results with which she emerged with a therapy of changing the thoughts and behaviroal habits of people. The therapy was developed with the use of electronic materials such as videos and music which was again a potential treatment for behaviroal disorder. Owing to the aspect that the therapy was effective for her to deal with her stress and disorder, she was further focused on sharing the same with other to help them with their medical and psychological conditions. Contextually, the company was established as a private cooperation. She also hired/ purchased the necessary equipment as well as recruited the staff to run the business in an effective manner. She also purchased a computer of Dell with Windows 7 configurations to keep records of each and every aspect of the business. With regard to protection of the confidential data, Ann was implementing a login password offered or installed by Windows. However, owing to certain limitations of the security measures of Ann within her computer system, it can further depict certain security related risks against the information and data presented within the system and other networking computers. In this context, proper evaluation of the risks involved in the computer system of Ann and her business would be regarded as vital. This risk assessment can be conducted on the basis of several steps of risk management along with evaluating with the assistance of a specific method which in this case is OCTAVE. Risk Assessment and Evaluation Method of Risk Assessment Use The risk assessment method used for this particular study includes OCTAVE. OCTAVE which stands for (Operationally Critical Threat, Asset, and Vulnerability Evaluation) includes a set of tools and techniques that can be used for the purpose of assessing risk in risk management. Some of the notable assistance of this particular method in risk assessment includes evaluating of the risk criteria tolerating by business units, identifying the threats to the assets and defining the corrective actions among others. Assessments of the Assets Risk management is a particular process of recurrent activity that involves analysis, planning, along with control of implemented measurements within any sector. However, the aspect of risk assessment includes analyzing the risk well in advance in the form of forecast. This particular approach is deemed to be widely prevalent in the domain of information technology (IT) as well. Notably, OCTAVE is used to assess the risk faced by Ann and her start up business with regard to the use of computer and other software within the operations of the business. Risk assessment is a particular process in any business that is primarily conducted in a particular time and not throughout the year. This is because of the fact that the process involves certain complexity and the cost is also considerable owing to which it cannot take place all around the year (Wheeler, 2011). Risk is assessed in any business on the basis of certain parameters which are vital to gain accurate and appropriate results. OCTAVE includes suitable tools and techniques used primarily with the intention to analyze an organizations information security and various requirements to make the same efficient and strong (Kouns & Minoli, 2011). Certain specific steps are being followed while analyzing the risk of any IT infrastructure in any sector. These steps mainly include characterization of the system used by a particular business, identification of the threats involved, along with identifying the vulnerability associated with the same and analyzing the long-term impact of the same among others. It has been noted that the business of Ann is using a computer of Dell that has the basic Windows 7 configuration. The company is also using the password protection provided by Windows to protect the confidential and business data associated with the company and its day-to-day operations. The model of the computer is Dell Opti Plex 390 computer and it has certain specific applications that ensure protection of data and confidential information within the systems. The computer has been used to keep all the business related records ranging from sales, purchase and employee related information among others. However, it must be mentioned that the basic level protection provided by Windows configuration within the model used by Ann in her business will only be effective towards mitigation of problems which are minor. The configuration might act as vulnerable towards any external threats that are major or stern. Nonetheless, she is using separate software for keeping and managing the financial records of the business which was designed by one of her relatives studying at Boston University. The application or the software is titled as NET (VB.NET) which is further written in the Microsoft Visual Basic. It must be mentioned that Ann uses basic Microsoft Word documents to keep purchase and sales invoices within the computer system (Kouns & Minoli, 2011). It must be apparently asserted that in most of her record keeping and financial data management, Ann does not use any encryption for protection of files and folders. It has been observed that encryption of file and folders is one of the most vital and important processes followed while ensuring security for data and confidential information. Nevertheless, the approach of Ann in her business of not using encryption in data storage might further act negatively, threatening the aspect of confidentiality for the overall business data. In the absence of encryption, files and folders will be easily accessible by any third party without proper information, further keeping the entire confidentiality of the business data at stake. This aspect will act as a potential risk to her business to a considerable extent. Furthermore, since she is not using any specialized software in the process of protecting the data, it is highly probable that the business data will be vulnerable towards major to minor external data threats. Vulnerability of the Assets It has been comprehended from the above analysis that business units irrespective of their size will be vulnerable towards external threats especially in the domain of information technology along with the confidential business data and information that can be used against the business by the competitors and the employees. Likewise, for the business purposed and developed by Ann on the basis of her personal experience for a particular health issue, the aspects of data vulnerability and confidentiality will be higher. This is because of the aspect that the software and the computer system that she is using in her business provided only basic level of security to the data and information which is again a major long-term threat for the business concern. As per the analysis conducted adhering to the norms and methods of OCTAVE, certain key results have been depicted relevant to the business of Ann and its vulnerability towards information technology. Notably, owing to the vulnerability of the business of Ann towards external theft and other threat, there are certain specific risks that emerge against the assets of the business in a comprehensive manner. Assets risk for the business of Ann primarily refers to the threat towards the confidential business data that is also the key performance related aspect of the business. In the business operations of Ann, the primary threat upon the assets owing to security risks will mainly be one the information and data assets of the company. It must be mentioned that in the domain of business in any particular sector, the aspect of confidentiality is quite vital. It ensures competitive advantage and sustainability for business units in the longer. Furthermore, information relevant to the products and services, partners and clients of companies are also certain kind of assets that need to be protected in an extensive manner to ensure that the business operates in an efficiently through protecting it from any internal and external threats such as competitors and employees among others. However, in the business established by Ann, where the security measures is quite basic, threats upon information assets relevant to customers, clients and partners will be higher. This shows that business related information and data which are also among the major assets for business units in the present day environment will be under severe threat in the business established by Ann. Loss Analysis of the Business Due to Information and Data Threats Owing to the information and data related threats that are associated with the business of Ann, certain loss of assets and business data can be forecasted with consideration to the present IT systems implemented by the newly established company. Threat to information and data assets within the operations of the business of Ann will mainly impact the overall vision, missions and short and long-term goals of the company. Notably, since the business of Ann is using a single system for storing various business related information, it faces high chances of data loss owing to complexity in the process and lack of capacity of the system used. Due to the fact that the network security of the business of Ann is quite vulnerable, there is every chance of malicious attacks, unauthorized access and errors and omission of data. These aspects will certainly result in loss of confidential business data which is a threat to the overall well-being of the business of Ann in the long run. Furthermore, it has also been comprehended that file encryption is an important process that could not be depicted in the IT operations of the business established by Ann. It protects all the data and information present in the hard drive. In the absence of the practice of encryption by Ann in her business, information of the company can get disclosed to any unauthorized third person. Data breaches can also be a potential loss that can be encountered by Ann within her business owing to weaknesses present in the security control of the company. Analysis of the current security control of the business with the help of OCTAVE depicted that loss integrity and confidentiality of the business will also be a potential harm that can be caused from IT threats within the operations of Ann’s newly established business (NIST, 2002). Countermeasures The risks and loss of information related assets of the business which were illustrated with the help of OCTAVE can further be contemplated with the help of certain key measures. Risk mitigation of the business of Ann must be primarily focused towards identifying the potential options that are prevalent to be used in the present scenario. Since the risk factors are known to Ann with regard to information security, measures of lowering the risks should be foremost and the most prominent step. In this regard, there is a prudent need to use encryption while saving the data so that the risk of data theft and disclosure of key business information can be minimized to a considerable extent. She should also imply the option of risk avoidance with the implementation of proper and strong IT security control in her business operations. The risks can also be tackled with the help of setting up measures well in advance with regard to transference of risk. This can be in the form of patenting intellectual security of the business for avoiding any threat of theft. These measures are mostly taken in advance and involve less cost as compared to the benefits they provide in the long run. On the other hand, ignoring these measures on the basis of cost will certainly impact the business negatively in the long run (NIST, 2012). Cost and Benefits of the Recommended Countermeasures The countermeasure that has been provided in the above discussion has its own advantages and disadvantages, which the company might need to deal with in the future context. The primary intention of the recommended countermeasures is that the business would be able to abstain itself from any sort of future or present threats relevant to IT threats for the confidential information of the business. Furthermore, the countermeasures will also enable the business of Ann to get a better comprehension of the IT threats to the confidential information and likewise take measures well in advance to mitigate the same. However, the negatives of the counter measures can be in the form of the cost that the company will have to spend in implementing the measures. Since, the results and effectiveness of the measures is uncertain, the risk associated with the measures in quite high. Implementation Plan Based on OCTAVE Method Proper implementation of the measures is one of the most vital aspects towards ensuring utmost success for the same in the business of Ann. Notably; the measures that were recommended to the business of Ann mainly include predetermined steps that must be executed well in advance to leverage maximum benefits. It has been comprehended that the measures that were recommended in the above section of the paper involve a considerable cost which can further augment the cost and expenses of the overall IT operations of the business of Ann. However, at the same time, it must be mentioned that this cost will certainly yield positive results for the business in the long run with regard to its security control. The measures must be implemented through a systematic approach. For example, implementation of measures such as strengthening the computer system of the company must be done in the initial phases so that the system and the data saved in it can be protected. Furthermore, measures such as patenting of intellectual security must also be completed in the initial phases of starting the business. This will also be beneficial for the business of Ann. Conclusion From the overall analysis, several key aspects can be compiled. Notably, in the present day scenario, threats to information and data of business have been quite wide. Companies have the need to ensure sustainable security control measures so that confidential data of the business can be protected. Contextually, in this particular study a particular scenario of new business establishment has been taken into consideration. In the given scenario, a new business was established through acquiring basic business needs such as staff, equipments and others. The business used a computer system with limited security control which has further made the data and confidential information of the business to be more vulnerable towards external threat. Subsequently, OCTAVE method has been used to identify the potential risk of the business owing to the prevailing problems in the security control of the business. Several measures have also been identified to be implemented in the business of Ann so that the potential problems can be mitigated. ` References Kouns, J., & Minoli, D. (2011). Information technology risk management in enterprise environments: a review of industry practices and a practical guide to risk management teams. US: John Wiley & Sons. NIST. (2012). Information security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf NIST. (2002). Risk Management guide for information technology systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Reddick, C. (2011). Public Administration and Information Technology. US: Jones & Bartlett Publishers. Wheeler, E. (2011). Security risk management: building an information security risk management program from the ground up (Google eBook). UK: Elsevier. Whitman, M. E., & Mattord, H.J. (2014). Management of information security, 4th Edition. US: Cengage. Read More