Information Security Risk Assessment for a Distribution Company
Table of Contents
1. Executive Summary
2. Introduction
3. Background
4. Risk Assessment
4.1. Organizational Assets
4.2. Assessment of Organizational Risk
4.3. Current Organizational Security Posture
4.4. Problems at GDI
4.5. Recommended Mitigation Strategy
5. Conclusion
6. References
1. Executive Summary At this time the measures available to ensure information security include organizational controls such as limiting access to data, firewalls, antivirus systems, encryption, and application controls. When the security of the business fails and the private information of individuals is compromised the company faces many legal actions that can
…show more content…
Reliance on information systems to store information pertaining to thousands of accounts across Canada, the United States, and Mexico along with internal documents provides GDI with many benefits along with some risk. While this process allowed GDI to scale operational performance through automation to propel the company into the big leagues, there is always the risk of intrusion, fraud, and disruption. Information systems are known to be at risk from malicious attacks, user error, and from other disasters. As technology is relied upon more heavily and computer systems become interdependent and accessible by more individuals, the susceptibility to threats increases. In addition, individuals are developing high levels of computer skills that results in an increased risk of intrusion from outsiders. The Information Security Risk Assessment will determine the assets of the company, organizational risks, the current security posture, any areas of risk for GDI, and recommend a mitigation strategy for reducing information security risks and implementing strategies to reduce these risks. Through the Information Security Risk Assessment, GDI is taking steps to ensure that the organization identifies significant risks and determines the best method to mitigate the risks.
3. Background Global Distribution, Inc. is a distribution company managing accounts from Canada, the United States, and Mexico. The company
The departments of a company that are holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).
In today’s IT world every organization has a responsibility to protect the information and sensitive data they have. Protecting data is not only responsibility of security and IT staff but every individual is involved in protecting the information. The risks to information security are not digital only, but it involves technology, people and process that an organization may have. These threats may represent the problems that are associated to complex and expensive solution, but doing nothing about these risks is not the solution.
Every organization must have adequate control mechanisms in place to help protect sensitive information from the distribution or transmission outside the organization, inappropriate disclosure, and control of how the information accessed is used. Companies should have policies in place that outline the course of action to take should inappropriate usage or disclosure of data be
Any enterprise has to pay special attention to computer security. Computer security is a field that is concerned with the control of risks related to computer use. A primary focus should be on the external threats to the computing environment. In enterprise with branches cross country, it is important to allow information from "trusted" external sources, and disallow intrusion from anonymous or non-trusted sources. In a secure system, the authorized users of that system are still
Information technology can be very costly, and it is imperative for organizations not to overspend when it comes to their IT budget. However, it is vital for organizations to understand the risks associated with information technology. As we saw in the TJX case, TJX’s senior management did not update their systems and had very little IT knowledge. This led to multiple risks involving several security breaches which could have been contained by improving their information systems more efficiently. It is not just developing and implementing information technology; it is also understanding risks and formulating solutions to issues associated with IT. In Adventures of an IT Leader, Barton faced many challenges when it came to the budget of IVK. He assumed full responsibility for all the risks associated with the technology used and the IT budget. When the power shut off at IVK, Barton was faced with many challenges including possible customer records compromised, IVK’s systems infected, and deciphering solutions to secure the system. Barton suggested that IVK shut down operations to build a new and secure system to ensure IVK’s systems could identify where the infection originated and repairing the system for future
The security plan is formulated to protect the information and important resources from a wide variety of potential threats. This will promote business continuity, reduce business risks and increase the return on investment together with business opportunities. The security of information technology is attained by executing a suitable set of control, efficient policies, processes, organization structures, software and the hardware. These given controls ought to be formulated, put into action, assessed, analyzed and developed for productivity, where necessary. This will allow the explicit security and business objectives of the United States Department of health and Human Services to be accomplished (Easttom, 2006, p.32).
An effective information security program should include, periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization. Policies and procedures should be based on risk assessments, cost effective reduced information security risk, and it should ensure that the information security is addressed throughout the entire life cycle of each and every organizational information system. Subordinate plans for providing sufficient information security for groups of the information system, facilities, networks, or information systems.
For example a clerk will only be able to access a limited amount of information, such as inventory at each store. The limitations will be different for an accountant or the mangers. All information will be protected with several different layers of security. The first layers will be simple hardware protection for access to the network; from there the security will increase with password protection and restrictions to users. (Merkow & Breithaupt 2006)
After the information system is installed, the IS security controls must be monitored and assessed on a continuous basis. Continuous monitoring ensures the security controls in place are effective. In this step, there are five tasks. The first task requires managers to determine the security impact based on the threat environment. The second task is conducting assessments on certain security controls as outlined in their Continuous Monitoring Strategy. The third task is correcting discrepancies found in the assessment. The fourth task requires updating the Security Authorization package based on the previous results. The fifth task requires the appropriate officials to make a risk determination and acceptance by reviewing the reported security
While all of these technologies have enabled exciting changes and opportunities for businesses, they have also created a unique set of challenges for business managers. Chief among all concerns about technology is the issue of information security. It seems to be almost a weekly occurrence to see a news article about yet another breach of security and loss of sensitive data. Many people will remember high profile data breaches from companies such as T.J Maxx, Boston Market, Sports Authority, and OfficeMax. In the case of T.J. Maxx, a data breach resulted in the loss of more than 45 million credit and debit card numbers. In many of these incidents, the root cause is a lack of adequate security practices within the company. The same technologies that enable managers can also be used against them. Because of this, businesses must take appropriate steps to ensure their data remains secure and their communications remain
Moreover, information security policies are important in a way that they help reduce the risks associated with employees' acceptable and unacceptable use of the company's information resources. As would confirm Danchev of Windows Security, the first step towards enhancing a company's security is the introduction of a precise yet enforceable security policy, informing staff on the various aspects of their responsibilities, general use of company resources and explaining how sensitive information must be handled and by also describing in detail the meaning of acceptable use, as well as listing prohibited activities (Danchev, 2003). By the same source, a good and well developed security policy should address how sensitive information must be handled, how to properly maintain your ID(s) and password(s), as well as any other accounting data, how to respond to a potential security incident, intrusion attempt, how to use workstations and Internet connectivity in a secure manner, how to properly use the corporate e-mail system (Danchev, 2003).
The security plan is formulated to protect the information and important resources from a wide variety of potential threats. This will promote business continuity, reduce business risks and increase the return on investment together with business opportunities. The security of information technology is attained by executing a suitable set of control, efficient policies, processes, organization structures, software and the hardware. These given controls ought to be formulated, put into action, assessed, analyzed and developed for productivity, where necessary. This will allow the explicit security and business objectives of the United States Department of health and Human Services to be accomplished (Easttom, 2006, p.32).
Furthermore, this paper will provide a general explanation of the business need for information security programs/policies to protect against the loss of profit, damage to the company’s reputation, and cost of litigation. The discussion will provide key concepts in regards to threats and vulnerabilities along with recommended technology solutions that will help manage or mitigate possible impacts and results you implement into your small business.
Information security professional’s job is to deploy the right safeguards, evaluating risks against critical assets and to mitigate those threats and vulnerabilities. Management can ensure their company’s assets, such as data, remain intact by finding the latest technology and implementing the right policies. Risk management focuses on analyzing risk and mitigating actions to reduce that risk. Successful implementation of security safeguards depends on the knowledge and experience of information security staff. This paper addresses the methods and fundamentals on how to systematically conduct risk assessments on the security risks of information systems.
Security policies are rules and guidelines formulated by an organization to manage access to information systems and/or computer networks. Simply put, these policies exist to govern employees, business partners, and third-party contractors with access to company assets. Furthermore, some policies exist to comply with laws and regulatory requirements. These policies are part of the company information security management system (ISMS), and are usually administered to employees by Human Resources or distributed to business partners and contractors via the Technology department. In sum, security policies protect assets from illegal or damaging actions of individuals. Of course, many security policies exist, but this review will focus on the