IT Risk Management Applications and Sub-Systems

Question: Discuss about theIT Risk Management forApplications and Sub-Systems. Answer: Introduction: NSW Government is composed of a number of components, applications and sub-systems. There is a massive exchange and storage of information on a daily basis in every single operation. With the expansion of operations, there are a number of security risks that have emerged and the document describes the same with the help of a diagram and also suggests the measures to overcome the same. Security Risk Diagram Security Risk Diagram (www.finance.nsw.gov.au, 2016) The risks that have been displayed above have been classified in a number of different categories on the basis of the information that they impact. Information Types in NSW Government (www.finance.nsw.gov.au, 2016) For Office Use Only This is the category of information that is allowed to be used specifically by the officials of NSW Government. Protected The information that must be kept secure and authenticated at all times such that only authorized users are allowed to access the same. Confidential This is the information that is critical in nature and comprises of the details that cannot be revealed without proper authentication. Private The information associated with NSW Government that must be kept private without authorized permission of disclosure. Public This is the information that is okay to be disclosed to the entire public. Sensitive Information The disclosure must be least in the case of this information category and the security that is applied must be extremely high. Sensitive: Personal The information that contains the personal details about the resources those are associated with NSW Government along with the users and the organizations. Sensitive: Legal This information qualifies for the legal professional privilege related to NSW Government and its various sub-systems and components. Sensitive: Cabinet The information that is contained under this category includes official documents and records of the cabinet and the decisions that are taken by the same. Sensitive: NSW Cabinet The records that are related to the NSW cabinet come under this category of information. It may include official records, policies, and decisions and may others. Sensitive: NSW Government This information if revealed without proper authorization can cause huge damage to the internal and external stakeholders Sensitive: Law Enforcement This is the information that is related to the law enforcement activities of the NSW Government. Sensitive: Health Information Health information is the category of information that is bound by a number of legal and regulatory policies The risks can now be explained on the basis of their category. Data Integrity Risks: It is important for every entity to maintain the integrity of the data such that unauthorized modifications are not allowed. These risks are caused mainly during the transfer of data from source to destination. Network Threats: The threats and risks that occur with network as the medium of execution fall under this particular category of risks. Malware Threats: Software that are developed with a malicious intent such as anti-virus and worms can be fatal for an application or a product and the same occurrences are included in this category. Application Vulnerabilities: Risks such as account hijacking or unsecure APIs and likewise occur due to the external APIs. Operations Risks: The fault or deviation due to operations that are involved in NSW Government and its applications come under this category. These may be caused due to insufficient knowledge or experience. Business Risks: These are the risks that may lower down the profits that are associated with NSW Government. Legal Risks: These risks are the ones that occur due to inability to adhere to the legal compliance and regulatory policies that are defined for a particular activity. RiskRegister Risk ID Risk Likelihood Impact Risk Ranking RS1 Data Integrity High Medium/High High RS2 Network Threats Medium High High RS3 Malware Threats High Medium-Low Medium RS4 Application Vulnerabilities High Medium Medium RS5 Operations Risks Medium Medium Medium RS6 Business Risks Low High High RS7 Legal Risks Low High High Risks Register NSW Government Deliberate and Accidental Threats Deliberate threats or attacks are defined as the category of threats that are caused due to malicious intent (Vavoulas, 2016). Accidental threats are the ones that occur by chance or by mistake and do not involve the presence of malicious intent behind the same. There are a number of threats that can cause substantial amount of damage to NSW Government. Out of all the probable risks and threats, there are some which qualify as deliberate attacks and some which come under accidental threats. Malware threats, network threats and data integrity threats are the ones that are always deliberate in nature as they come coupled with a malicious intent behind the same. Business risks and application vulnerabilities are often accidental in nature which is generally caused due to the involvement of external parties (searchsecurity.techtarget.com, 2016). There are also a few categories of risks which may be deliberate or accidental in nature depending upon the procedure of attack. Legal risks and operations risks are the two examples of such threats which may either be deliberate or accidental as well. Challenges to Implement Security/Risk Management Policies Human Factors Workforce and clients that are a part of the world of NSW Government is massive. Conflicts and disputes are common occurrences due to the same which may prove to be a big hindrance in the implementation of an improved security/risk management policy. Organizational Factors At the organizational level, there can be a number of factors which may emerge as a barrier to the implementation of security policy such as existing infrastructure or capacity. Technological Factors Technology is something that is changing at a lightning speed. There are technological trends that come and go and the same can contribute to the factors that may disturb the implementation of security policy. There can also be compatibility issues between the existing infrastructure and the required infrastructure to implement the policy. Risks and Uncertainties Risk Uncertainty Comprises of the probability to either win or loose Future is never known and cannot be predicted as well Measureable and Controllable Cannot be measured or controlled Can be determined through a defined procedure Cannot be determined through any means Difference between Risks and Uncertainties (Surbhi, 2016) The risks that may occur in case of NSW Government have been listed above. There can also be a few uncertainties associated with the same which cannot be predicted well in advance. One of the examples of an uncertainty is the natural hazards and disasters that may occur any time without certainty but have the potential to cause some serious damage. Approaches to Risk Control and Mitigation Enhanced Disaster Recovery Disaster Recovery can be improved and applied in the architecture of the NSW Government so that there may be a back-up plan ready in advance in case of an attack. Network Controls Network is one of the prime mediums of risks and threats and the controls that are put up on the same are extremely essential. These include network scans and networking and many more. Malware Controls These controls will compel the malware to stop the attack on the target system and will also enhance the system security. Legal and Regulatory Compliance Legal and regulatory compliance is essential to maintain the desired level of quality of the product. Also, these controls will put a check on the validation and verification of the processes as per the defined rules. Advanced Identity and Access Management There are a number of measures that must be included to form an accurate identity and access management schemes. Use of One Time Passwords (OTPs), Single Sign On and single sign offs, physical security and display of ID cards at every exit and entry point is a must. Conclusions NSW Government is composed of a number of applications and sub-systems. Risks such as legal risks, operations risks, business risks, malware threats, network threats and data integrity threats are some of the examples of the same. Some of these risks are deliberate in nature whereas some are accidental. The challenges to overcome these risks include human factors, organizational factors and technological factors. There are also certain mechanisms and practices which if followed can reduce the probability of occurrence. References searchsecurity.techtarget.com,. (2016). Accidental insider threats and four ways to prevent them. SearchSecurity. Retrieved 16 August 2016, from https://searchsecurity.techtarget.com/tip/Accidental-insider-threats-and-four-ways-to-prevent-them Surbhi, S. (2016). Difference Between Risk and Uncertainty - Key Differences. Key Differences. Retrieved 16 August 2016, from https://keydifferences.com/difference-between-risk-and-uncertainty.html Vavoulas, N. (2016). A Quantitative Risk Analysis Approach for Deliberate Threats. Retrieved 16 August 2016, from https://cgi.di.uoa.gr/~xenakis/Published/39-CRITIS-2010/CRITIS2010-RiskAnalysisDeliberateThreats.pdf www.amsro.com.au,. (2016). Information Technology and Security Risk Management Top 12 Risks What are the risks? What are the solutions?. Retrieved 16 August 2016, from https://www.amsro.com.au/amsroresp/wp-content/uploads/2010/12/AMSRO-TOP-12-Information-Technology-Security-Risk-Management-1.pdf www.finance.nsw.gov.au,. (2016). NSW Government Digital Information Security Policy | NSW ICT STRATEGY. Finance.nsw.gov.au. Retrieved 16 August 2016, from https://www.finance.nsw.gov.au/ict/resources/nsw-government-digital-information-security-policy www.praxiom.com,. (2016). ISO IEC 27000 2014 Information Security Definitions. Praxiom.com. Retrieved 16 August 2016, from https://www.praxiom.com/iso-27000-definitions.htm