
October 21, 2010

Information Risk Management Paper

Introduction
Businesses have now realized that the security of their information could make or break their organization. For this particular paper, the discussion will be limited to the security threats and risk factors associated with baby products production.

Potential of external and internal threats

Information systems have become highly complicated. Consequently, there is a need to establish a comprehensive approach to deal with external threats. One of the most common yet dangerous external threats is hacking. Since the company places considerable information about its clients and itself in its information system, chances are that unauthorized persons may gain access to this information. (Borodzicz, 2005)

External threats may occur in the form of domestic or foreign competitors of the baby products company who may be interested in finding out trade secrets that would enable them to get ahead of the baby products company. In other circumstances, information brokers who operate on a freelance basis may do this kind of thing in order to benefit financially from the endeavor. In other circumstances, there are hackers who engage in unauthorized entry into computer systems for fun. In certain incidences, this may be out of malice from persons with psychological problems. Common thieves may also break into the company's premises so as to steal laptops or computers and sell them for profit.

External threats require a lot of attention because the internet brings with it many opportunities for hacking. The internet was designed without security in mind. Intricate networks are interconnected, and there are numerous ways in which these systems can be intercepted. Matters are made worse by the fact that intruders can remain anonymous while attacking information systems. It should also be noted that, due to the automation of systems, it is now possible for hackers to get into the baby products company's system without possessing serious knowledge about it. Consequently, the company should take care to guard against unauthorized entry, because it offers hackers a low-cost, low-risk activity with the potential for high gains to the perpetrator. The baby products company should therefore watch out for this type of risk. (Gorrod, 2004)

While internal threats receive little if any attention, research has shown that their occurrence has the potential to create greater losses for companies owing to the position of the offenders. Consequently, the same thing can happen to this particular company. Internal threats to security may emanate from disgruntled employees who want to get back at the leaders of the organization. In other circumstances, employees may simply be dishonest and interested in advancing their financial or career positions through unscrupulous means. It should be noted that this kind of security threat to information systems may be carried out through authorized access. The baby products company is in danger of dealing with any of the following forms of internal attacks


Source: http://www.articlesbase.com/business-articles/information-risk-management-paper-1924847.html

Risk assessment in an information security management system

More and more nowadays, businesses of all sizes are opting to implement an information security management system (ISMS). This is the set of policies to manage the security of an organisation's information assets. Central to any such system is a risk assessment. This is a formal evaluation of all the risks applying to the organisation's information assets, together with a ranking of those risks according to the probability and estimated impact on the business. An example of a risk assessment procedure for information security is as follows:

  • Create a list of all the information assets and assess their value to the organisation.
  • Brainstorm all the possible threats that could apply to the assets: e.g. contact details could be destroyed by a catastrophic disk failure on the PC where they are stored.
  • For each asset, outline its vulnerability to each threat (e.g. information stored on a PC is more vulnerable to a disk failure than information stored on a server).
  • Evaluate the impact on the business: e.g. loss of client contact details could lead to termination of a contract or of the business. The impact can be estimated quantitatively (in terms of e.g. money lost) or qualitatively (in terms of e.g. broad categories such as "negligible", "moderate", "catastrophic").
  • Assign a probability to this risk (fairly high, in this case).

Map these findings into a risk matrix, showing the probability graphed against the impact, for each risk. The set of all risk matrices is the "risk register", which is the outcome of the risk assessment process.

The outcome of the risk assessment will then drive the subsequent process of risk treatment, whereby each risk identified is either treated (in order to reduce it) or ignored but noted (if it is small enough to be acceptable). Most risks will be treated in some way, using so-called "countermeasures" to do one or more of the following:
  • Decrease the probability of the threat materialising in the first place.
  • Decrease the potential impact on the business in case the threat does materialise.
  • Minimise the time and resources needed to recover from the situation.
The countermeasures (or "controls") are measures or equipment installed to pre-emptively reduce the risk. For example, a business might implement a regular backup of all data, and would specify a new operating procedure to cover this, together with the necessary technology to carry out the backup.

This was a very simple example of what might be involved in a risk assessment for information security. However, it is not only data or equipment that might be compromised: people as well can be seen as relevant assets. For example, if your systems administrator is lured away to a rival company, you might find the business no longer has anyone who knows how to configure the computer system. This type of risk also needs to be managed.
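As an added illustration (not part of the original article), the procedure above written out in Python: a constructed register holding the article's client contact details, the systems administrator mentioned as a people asset, and a third asset, scored on qualitative scales, placed in a risk matrix, and then treated with the backup countermeasure. The scale labels, the acceptance threshold and the sample ratings are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Qualitative scales: 1 = lowest, 4 = highest (labels are an assumption).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"negligible": 1, "moderate": 2, "major": 3, "catastrophic": 4}
ACCEPTABLE = 2  # assumed threshold: at or below this the risk is noted, not treated


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: tuple = ()  # countermeasures applied so far

    def score(self) -> int:
        # Risk matrix cell value: probability rating times impact rating.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def treat(risk: Risk, control: str, likelihood: str = None, impact: str = None) -> Risk:
    """Apply a countermeasure; it may lower the probability, the impact, or both."""
    return replace(risk, controls=risk.controls + (control,),
                   likelihood=likelihood or risk.likelihood,
                   impact=impact or risk.impact)


def risk_register(risks):
    """Rank risks by score and record the treat/accept decision for each."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), "treat" if r.score() > ACCEPTABLE else "accept")
            for r in ranked]


def risk_matrix(risks):
    """4x4 grid indexed [likelihood-1][impact-1], each cell listing the assets placed there."""
    grid = [[[] for _ in IMPACT] for _ in LIKELIHOOD]
    for r in risks:
        grid[LIKELIHOOD[r.likelihood] - 1][IMPACT[r.impact] - 1].append(r.asset)
    return grid


# Constructed sample register for the article's small business.
CONTACTS = Risk("client contact details", "disk failure on the PC", "likely", "major")
ADMIN = Risk("systems administrator", "lured away to a rival", "possible", "major")
BROCHURE = Risk("printed brochure stock", "water damage", "unlikely", "negligible")

# Regular backups do not stop the disk failing (probability unchanged) but cut the impact.
CONTACTS_RESIDUAL = treat(CONTACTS, "regular backup + operating procedure", impact="moderate")
# Documenting the configuration reduces dependence on one person.
ADMIN_RESIDUAL = treat(ADMIN, "documented config + trained deputy", impact="moderate")
```

Printing `risk_register([CONTACTS_RESIDUAL, ADMIN_RESIDUAL, BROCHURE])` shows the two treated risks still ranked above the brochure risk, which falls under the threshold and is merely noted.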

Source: http://www.articlesbase.com/security-articles/risk-assessment-in-an-information-security-management-system-3061301.html

Information Security Management Risks

Of course, it is always clear that "risk" is the possibility that something undesirable happens. What is not clear is how probable it is, what nature it has, and what harm it can do to an organization.

Betting on some event means the chance of financial loss: the undesirable outcome. Deciding whether we want to take on this risk means calculating the chances of winning or the odds of losing. We can implement measures to reduce the chance of the danger materialising, and put strategies in place to handle possible unpleasant outcomes.

Information security management is being aware of all elements involved in a specific risk and their relationship with your enterprise (company, web presence, etc). This is an essential basis for calculating the risk. Knowing about the threat means being able to assess it: we can choose if we want to accept it, wait and see, or plainly avoid taking it at all.

In the field of information security management, professionals should answer four main questions:

1. What can happen (threat)? Client private information (especially, but not only, credit card numbers) can be stolen through an insecure network, through cracked passwords, through flawed cryptography or through non-dependable employees.

Web-pages can be hacked and inappropriate content could be displayed. Business processes could be disrupted through web-attacks, blocking the normal operations of the company.

Identifying risk spots is the primary task for information security management professionals. Normally, due to the technical background of most professionals, there is a bias for focusing on technical problems. In fact, there are often a myriad of possibilities of attacking a computer system.

2. How bad can it get (impact)? Companies are responsible for keeping private information secure. Negligence in keeping this information secure can result in costly claims. Revealing intellectual property through negligence in security can result in an undue competitive disadvantage.

The company's reputation can be seriously damaged. Cash flow can drop for the entire duration of a web attack on the company's servers and usually for some time afterwards.

3. How often can it happen (frequency)? The short answer is: much more often than you believe. The absence of bad news in the newspapers should not lull you into a false sense of security.

Sometimes the victim doesn't know that the company has been hacked. Of course, if some credit card has been charged without authorization, the holder will demand a refund. However, it is not always clear where the flaw in the security exists.

In some further cases, intellectual property of a company has been illegally copied and is used without consent. The lawful owner will in many cases not even have a hint of this problem.

4. How dependable are the answers to these three questions (uncertainty)? Although you can be sure that the risk exists, there is no simple way of calculating how often it materialises. You can be sure that it happens; you cannot know when or where.

Consider the safety of your company's virtual data, and have the flaws assessed by an information security management professional. If you take a "wait and see" approach, you risk an attack on your company's documentation, private information databases, and perhaps, intellectual property.

Source: http://www.articlesbase.com/management-articles/information-security-management-risks-208445.html
