Types of Risks
Discuss the Community Collaborative Information System.
VitaCrux Pty Ltd (VitaCrux) is a mid-sized organization that produces and sells health and food supplements. Protecting its intellectual property, sensitive customer data and other business-critical data requires a comprehensive security strategy that is closely aligned with its business objectives.
Information, and the protection of information, has become a complex concern for businesses. Customers of VitaCrux need assurance that their data is kept secure; if the organization cannot keep it safe, it will lose their business. Many clients holding sensitive data demand that a solid data-security infrastructure is in place before any business is conducted. With those considerations as the basis, VitaCrux must determine how much confidence it can have in the company's IT security.
Risk | Description
--- | ---
Hacking | Provides scope for extracting data for monetary and political gain.
Cracking | Personnel changes, together with security policies that are likely to change over time, lead to unauthorized access to sensitive data (Csrc.nist.gov, 2018).
Malware | Disrupts computer operations and collects sensitive data, gaining access to computer systems and compromising information.
Data leakage | The unauthorized physical or electronic transmission of data from within VitaCrux to external recipients and destinations, leaving data in the wrong hands (Laudon and Laudon 2016).
Insider threat | Partners, contractors and employees are in a position to commit fraud, theft and espionage against intellectual property.
Social media | Employees often fall victim to scams, or reveal data that is not meant for social or public media.
Dumpster diving | Improper disposal of sensitive data leads to its disclosure. Internal processes for disposing of sensitive data are therefore vital to prevent this kind of non-technical vulnerability.
Social engineering | Attackers depend heavily on human interaction to gain access to company networks (Greenberg 2017).
It is not obvious that most data is needed only in the short term; however, trouble lurks in those data archives, and in this way VitaCrux is the victim of a silent crisis in the making (Coronel and Morris 2016). There is a real chance that archived data will turn out to be no longer readable, or that the devices needed to read the media will no longer be available.
A qualitative analysis needs to be conducted with VitaCrux employees. It helps to uncover trends in opinions and thoughts, which can then be researched in more depth. Participant observation is central here: the analysis must cover the method of entering the context, the role of the researcher as participant, the collection and storage of field notes, and the assessment of field data. Participant observation can require months or even years of detailed research, since the researcher needs to be accepted as a natural part of the culture; this helps to ensure that the observations are of natural phenomena. The questions to ask are: what are the top risks, and to what extent are their effects likely to occur? How often does the company refresh its analysis of top risks? Who owns the top risks, and who is accountable for the results? How efficient has VitaCrux been in managing its top risks? Finally, it must be established from employees whether VitaCrux understands the primary assumptions underpinning its IT/IS risk strategy.
Qualitative Analysis
A quantitative analysis also needs to be conducted at VitaCrux. It considers the risks that were marked for further analysis during the qualitative risk analysis process, i.e. those with the largest effect on project objectives. For this, a probability distribution is built using a project model of cost estimates and schedule, together with simulation and mathematical tools for calculating impact and probability. The result predicts project outcomes in terms of time or money on the basis of the combined effect of the various IS/IT risks facing VitaCrux.
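As an added illustration of the simulation step just described (this is example code written for this page, not material from the essay or from VitaCrux), the following Python script combines a constructed set of risk events, each with an assumed annual probability and a triangular loss range, into a distribution of total annual loss and reports the expected loss together with the median and tail percentiles. The risk names, probabilities and loss figures are assumptions, and the closed-form expected loss is included only as a sanity check on the simulation.

```python
"""Quantitative IS/IT risk analysis by Monte Carlo simulation.

Added example, not code from the essay or from VitaCrux. The risk events,
annual probabilities and loss ranges below are constructed for illustration.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class RiskEvent:
    name: str
    annual_probability: float  # chance that the event occurs in a given year
    loss_low: float            # smallest plausible loss if it occurs
    loss_mode: float           # most likely loss if it occurs
    loss_high: float           # largest plausible loss if it occurs


# Constructed sample register (hypothetical figures, not VitaCrux data).
CONSTRUCTED_RISKS = [
    RiskEvent("data leakage", 0.30, 20_000, 80_000, 400_000),
    RiskEvent("malware outbreak", 0.45, 5_000, 30_000, 150_000),
    RiskEvent("insider fraud", 0.10, 50_000, 200_000, 1_000_000),
    RiskEvent("archive media unreadable", 0.20, 10_000, 25_000, 60_000),
]


def simulate_year(risks, rng):
    """Draw one simulated year: each risk fires independently with its annual
    probability, and a fired risk draws its loss from a triangular distribution
    over (low, mode, high). Returns the total loss for the year."""
    total = 0.0
    for r in risks:
        if rng.random() < r.annual_probability:
            total += rng.triangular(r.loss_low, r.loss_high, r.loss_mode)
    return total


def run_simulation(risks, iterations=20_000, seed=42):
    """Combine all risks over many simulated years and summarize the resulting
    distribution of total annual loss (seeded so runs are reproducible)."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(risks, rng) for _ in range(iterations))

    def percentile(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "expected_loss": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def analytic_expected_loss(risks):
    """Closed-form expected annual loss used to sanity-check the simulation:
    the mean of a triangular distribution is (low + mode + high) / 3."""
    return sum(r.annual_probability * (r.loss_low + r.loss_mode + r.loss_high) / 3
               for r in risks)


if __name__ == "__main__":
    print(f"analytic expected loss: {analytic_expected_loss(CONSTRUCTED_RISKS):,.0f}")
    for key, value in run_simulation(CONSTRUCTED_RISKS).items():
        print(f"{key:>14}: {value:,.2f}")
```

The p90 and p95 figures are what make this more useful than the expected loss alone: they show the size of the bad years that a budget or insurance decision has to absorb, which a single average hides.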
The control assessment for VitaCrux is designed to help the business identify and document material risks together with their related controls. The level of each risk is compared against the risk appetite and tolerance of VitaCrux. Risk analysis at VitaCrux can be improved through control assessment (Li et al. 2014). Security management emphasizes the need for organizations to develop, document and implement an effective program across the whole organization. The detailed design of control assessment methods depends on the type of organization they are developed for and on the people involved in designing them (NIST, 2018).
When VitaCrux analyzes its IS/IT risks, the first task is the identification of vulnerabilities, threats and resources. The second task, no less vital and difficult, is to calculate how large each risk is by analyzing its consequences (Stark 2015). Once the risks are identified and it has been analyzed how likely each is to materialize against the data, the risk levels can be calculated. Risk management in general, and risk analysis and assessment in particular, offers plenty of scope for making things complex; however, VitaCrux can incorporate additional elements to make the approach a scientific one.
It involves the following steps:
This step defines what is to be included and what is not. The items under consideration are to be protected in terms of cyber security, but they first need to be identified, and the level of sensitivity of what is being guarded must also be defined through analysis by the drafters (Van De Walle, Turoff and Hiltz 2014).
VitaCrux has a set of procedures and policies. These need to be identified for compliance purposes. It has also been found that VitaCrux has failed to meet various minimum security standards.
Quantitative Analysis
Here the collected data must be tested to find out the level of present exposure (Hammer 2015). Above all, it must be established whether the current defenses are solid enough to neutralize threats to data as far as integrity, confidentiality and availability are concerned.
Once all the previous steps are finished, a competent security analyst can use the corpus of threat data to group it into patterns of activity that are closely similar. This includes attributing each pattern to particular threat actors, implementing mitigation measures promptly, and anticipating the rise of the same kind of cyber attacks in the future (Peltier 2016).
Vulnerability analysis:
Vulnerability analysis is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, network infrastructure and applications. It helps VitaCrux to perform the analysis with the risk background, awareness and knowledge necessary to understand threats to the scenario and respond to them properly (Cherry and Jacob 2016).
Impact analysis must be done to understand the possible outcomes of implementing changes. Adding too much functionality to a product reduces its overall performance. Impact analysis helps to recognize all the files, models and documents that may have to be modified when the team decides to implement a change in the product (Ross 2017). The team can then estimate the effort needed to implement the change, recognize the tasks required, and list the dependencies on particular elements. The information to be included in an impact analysis is a brief description of the problem; examples showing how to detect the cause of failures; an estimate of complexity, including time and cost for fixes; and the functionality that needs to be tested. This can be done by following the generic guidelines and principles for risk management (Iso.org, 2018).
Risk assessment by likelihood involves assigning an overall risk rating to every risk event recognized in the previous steps. First, the inherent risks are analyzed, including the consequences and likelihood of each risk event as it would occur in an uncontrolled scenario. Then the controls are identified and evaluated (Stair and Reynolds 2017): which existing controls have been put in place to address the identified risks, and how effective those controls are in design and operation. The last step is analyzing residual risk, where the consequences and likelihood of each risk event are determined in the present control environment. If the likelihood analysis is not properly implemented, VitaCrux may face damage to brand reputation, cyber crime, terrorism and political risks (ISO, 2018).
Control Assessment
Step 1: Identifying the hazards:
The first step in risk analysis is to recognize the potential hazards that could negatively affect VitaCrux.
Step 2: Determining who and what has been harmed:
Once the hazards are identified, the next step is to find out which business resources would be negatively affected if the risks materialize (Fang et al. 2014).
Step 3: Evaluation of risks and developing control measures:
Risk analysis helps to identify how the hazards would impact business resources, and what measures can be put in place to minimize or eliminate the impact of those hazards on the resources of VitaCrux.
Step 4: Recording the findings:
Finally, the findings of the risk analysis are recorded by the company and need to be easily accessible in official documents (Kavanagh and Johnson 2017).
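The four steps above, together with the inherent, control and residual rating described under likelihood assessment, can be carried out as a small risk register. The following Python script is an added example written for this page (it is not the essay's or VitaCrux's own code): it records hazards and affected assets, scores inherent risk as likelihood times consequence, combines the effectiveness of independent controls to derive a residual score, flags risks outside a stated risk appetite, and writes the findings out as CSV. The 5-point scales, the rating thresholds, the sample hazards, the control effectiveness values and the rule that controls reduce likelihood rather than consequence are all assumptions.

```python
"""Risk register for the four steps above (identify hazards, decide what is
harmed, evaluate risks and controls, record findings) plus inherent/residual
rating. Added example, not code from the essay or from VitaCrux. The scales,
thresholds, hazards and control effectiveness values are constructed, as is
the assumption that controls reduce likelihood only."""
import csv
import io
import math
from dataclasses import dataclass, field

# 5-point ordinal scales (constructed); scores run from 1 to 25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = ["low", "medium", "high"]


@dataclass
class Risk:
    hazard: str              # step 1: the potential hazard
    affected_assets: list    # step 2: business resources that would be harmed
    likelihood: str          # inherent likelihood, before any control
    consequence: str         # consequence if the event occurs
    owner: str               # who is accountable for the risk
    controls: list = field(default_factory=list)  # (description, effectiveness 0..1)


def inherent_score(risk):
    """Likelihood x consequence in an uncontrolled scenario."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def control_effectiveness(controls):
    """Combined effectiveness of independent controls: the chance that all of
    them fail is the product of the individual failure chances."""
    remaining = 1.0
    for _description, effectiveness in controls:
        remaining *= 1.0 - effectiveness
    return 1.0 - remaining


def residual_score(risk):
    """Score in the present control environment. Controls are assumed to lower
    likelihood; the reduced value is rounded up so it never drops below 1."""
    reduced = LIKELIHOOD[risk.likelihood] * (1.0 - control_effectiveness(risk.controls))
    return max(1, math.ceil(round(reduced, 6))) * CONSEQUENCE[risk.consequence]


def rating(score):
    """Map a 1..25 score to a band (constructed thresholds)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


def assess(risks, appetite="medium"):
    """Step 3: evaluate each risk and flag those whose residual rating exceeds
    the risk appetite. Findings are returned highest residual score first."""
    findings = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        findings.append({
            "hazard": r.hazard,
            "affected_assets": "; ".join(r.affected_assets),
            "owner": r.owner,
            "inherent_score": inh,
            "inherent_rating": rating(inh),
            "controls": "; ".join(d for d, _ in r.controls) or "none",
            "residual_score": res,
            "residual_rating": rating(res),
            "within_appetite": RATING_ORDER.index(rating(res)) <= RATING_ORDER.index(appetite),
        })
    findings.sort(key=lambda f: (-f["residual_score"], -f["inherent_score"]))
    return findings


def record_findings(findings):
    """Step 4: render the findings as CSV text for the official record."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(findings[0]))
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


# Constructed sample register (hypothetical hazards, owners and values).
CONSTRUCTED_REGISTER = [
    Risk("Unauthorized access to customer database", ["customer PII", "order history"],
         "likely", "major", "Head of IT",
         [("MFA on administrative accounts", 0.5), ("database access logging and review", 0.3)]),
    Risk("Staff phished via social media", ["staff credentials", "internal network"],
         "almost certain", "moderate", "HR manager", [("security awareness training", 0.4)]),
    Risk("Printed records disposed of insecurely", ["supplier contracts"],
         "possible", "minor", "Facilities manager", [("locked shredding bins", 0.8)]),
    Risk("Archived backup media unreadable", ["product formulations", "financial archives"],
         "possible", "major", "Head of IT"),
    Risk("Ransomware on production systems", ["ERP", "manufacturing scheduling"],
         "likely", "severe", "Head of IT", [("endpoint anti-malware", 0.3)]),
]


if __name__ == "__main__":
    print(record_findings(assess(CONSTRUCTED_REGISTER)))
```

Sorting by residual rather than inherent score is deliberate: it is the residual list that tells the risk owner where the existing controls are not enough, which is the question the appetite comparison is meant to answer.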
The discussion above has shown the range of risks to which VitaCrux may be exposed. The study is useful for understanding the risk management procedures that need to be adopted at VitaCrux, and the analysis provides a structure for investigating the various kinds of IT/IS risk facing the organization (IEEE Spectrum: Technology, Engineering, and Science News, 2018).
References:
Chang, J.F., 2016. Business process management systems: strategy and implementation. CRC Press.
Cherry, B. and Jacob, S.R., 2016. Contemporary nursing: Issues, trends, & management. Elsevier Health Sciences.
Coronel, C. and Morris, S., 2016. Database systems: design, implementation, & management. Cengage Learning.
Csrc.nist.gov. (2018). SP 800-30, Risk Management Guide for Information Technology Systems | CSRC. [online] Available at: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01 [Accessed 9 May 2018].
Fang, S., Da Xu, L., Zhu, Y., Ahati, J., Pei, H., Yan, J. and Liu, Z., 2014. An integrated system for regional environmental monitoring and management based on internet of things. IEEE Transactions on Industrial Informatics, 10(2), pp.1596-1605.
Greenberg, J.S., 2017. Comprehensive stress management. McGraw-Hill Education.
Hammer, M., 2015. What is business process management?. In Handbook on Business Process Management 1 (pp. 3-16). Springer, Berlin, Heidelberg.
IEEE Spectrum: Technology, Engineering, and Science News. (2018). Whose Risk? Whose Responsibility?. [online] Available at: https://spectrum.ieee.org/at-work/tech-careers/whose-risk-whose-responsibility [Accessed 9 May 2018].
ISO. (2018). The new ISO 31000 keeps risk management simple. [online] Available at: https://www.iso.org/news/ref2263.html [Accessed 9 May 2018].
Iso.org. (2018). ISO 31000 Risk management. [online] Available at: https://www.iso.org/iso-31000-risk-management.html [Accessed 9 May 2018].
Kavanagh, M.J. and Johnson, R.D. eds., 2017. Human resource information systems: Basics, applications, and future directions. Sage Publications.
Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education India.
Li, J., Li, Q., Liu, C., Khan, S.U. and Ghani, N., 2014. Community-based collaborative information system for emergency management. Computers & Operations Research, 42, pp.116-124.
NIST. (2018). Two Publications Recommend Organization-Wide IT Security Risk Management. [online] Available at: https://www.nist.gov/news-events/news/2011/01/two-publications-recommend-organization-wide-it-security-risk-management [Accessed 9 May 2018].
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Ross, J.E., 2017. Total quality management: Text, cases, and readings. Routledge.
Stair, R. and Reynolds, G., 2017. Fundamentals of information systems. Cengage Learning.
Stark, J., 2015. Product lifecycle management. In Product Lifecycle Management (Volume 1) (pp. 1-29). Springer, Cham.
Van De Walle, B., Turoff, M. and Hiltz, S.R., 2014. Information systems for emergency management. Routledge.