
Upload: lamphuc

Post on 29-Mar-2018


Page 1: Vulnerability Analysis - Helping Busy Students Succeed · Web viewVulnerability Analysis] Certification and Accreditation of Information Systems Vulnerability: - Vulnerability is a

[ Vulnerability Analysis] Certification and Accreditation of Information Systems

[Year]

Your Details

Date


Vulnerability: A vulnerability is a weakness of a system that allows an intruder to reduce the system's information assurance. It has three parts: a flaw, the intruder's access to the flaw, and the intruder's capability to exploit the flaw. For a system to be vulnerable, an intruder must have at least one technique that connects to the system's weakness. Vulnerabilities are classified according to asset class:

Hardware

Software

Network

Personnel

Site

Organizational

As a part of a formal risk assessment of desktop systems in a small accounting firm with limited IT support, you have identified the asset "integrity of customer and financial data files on desktop systems" and the threat "corruption of these files due to import of a worm/virus onto system." Suggest reasonable values for the items in the risk register for this asset and threat, and provide justifications for your choices.

The Risk Register is shown below.

Assets: Integrity of customer and financial data files on desktop systems

Threat: Corruption of these files due to import of a worm/virus onto system

Controls: Firewall, Antivirus, e-mails, downloading files

Likelihood: Almost Certain

Consequences: Major

Level of Risk: Extreme

Risk Priority: 2


The three strategies of managing risk are:

(1) Reduce the probability of an unfavourable event: This can be accomplished by effective strategic planning. The management skills and knowledge of managers can be developed either directly through self-improvement or indirectly through outside advisors.

(2) Self-insure and accept the impact if an unfavourable event occurs: The following options are included:

Modification of revenue-related risks by diversifying the enterprise mix. The outcome can be lower average revenue or added costs through a loss of efficiency.

Reduction of production risk by spreading production geographically. This can result in an increase in the cost of production.

Building net worth, which will help a business to survive adverse events.

Building excess production capacity, which will reduce the likelihood of delays in production-related activities.

(3) Reduce the impact on the business if an unfavourable event occurs by shifting risk to others: Costs are incurred in the form of insurance premiums.

Qualitative risk analysis: An analysis that ranks an organization's risks based on judgment, perception and knowledge rather than assigning real numbers to the possible risks and their potential loss margins.

Quantitative risk analysis: A process that attempts to assign real numbers to the costs of countermeasures and the amount of harm that can take place.


Differences between these two are

S No. | Quantitative Risk Analysis | Qualitative Risk Analysis

1. | Results are expressed in management-specific terminology. | Does not determine the financial values of assets.

2. | Risks are analyzed in financial terms. | Risks are analyzed in terms of the quality of the risk, that is, by ranking the risks.

Quantitative Risk Analysis is more effective as it tells the monetary value of the Risk.
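The following Python program is an added worked example, not part of the original assignment. It takes the register entry above (the desktop data files corrupted by a worm/virus), rates it with a qualitative likelihood/consequence matrix, and then re-expresses the same risk quantitatively so the two kinds of analysis can be compared side by side. The 5x5 matrix is an assumed one, chosen so that "Almost Certain" and "Major" rate "Extreme" as the register does; the quantitative side uses the standard annualized loss expectancy formula (ALE = single loss expectancy x annual rate of occurrence), which the page does not spell out; every money figure, rate and the second register entry are constructed for illustration.

```python
"""Risk register worked example: qualitative matrix rating plus a quantitative view.

Added example, not part of the original assignment. The first register entry is
the page's own; the matrix, money figures, rates and second entry are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LEVELS = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}

# Assumed matrix: MATRIX[likelihood index][consequence index] -> level of risk.
MATRIX = [
    ["Low", "Low", "Moderate", "High", "High"],
    ["Low", "Low", "Moderate", "High", "Extreme"],
    ["Low", "Moderate", "High", "Extreme", "Extreme"],
    ["Moderate", "High", "High", "Extreme", "Extreme"],
    ["High", "High", "Extreme", "Extreme", "Extreme"],
]


def rate(likelihood: str, consequence: str) -> str:
    """Qualitative rating: read the level of risk off the matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class RiskEntry:
    asset: str
    threat: str
    controls: list[str]
    likelihood: str
    consequence: str
    asset_value: float = 0.0      # constructed: value of the asset in dollars
    exposure_factor: float = 0.0  # constructed: fraction of the asset lost per incident
    annual_rate: float = 0.0      # constructed: expected incidents per year (ARO)

    @property
    def level(self) -> str:
        return rate(self.likelihood, self.consequence)

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE times incidents per year."""
        return self.sle * self.annual_rate


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first: qualitative level, then ALE as the tie-breaker."""
    return sorted(register, key=lambda e: (LEVELS[e.level], e.ale), reverse=True)


def control_pays_off(entry: RiskEntry, annual_cost: float, residual_rate: float) -> bool:
    """Quantitative decision rule: a control is worth buying when the ALE it removes
    (ALE before minus ALE at the residual incident rate) exceeds its annual cost."""
    residual_ale = entry.sle * residual_rate
    return entry.ale - residual_ale > annual_cost


def example_register() -> list[RiskEntry]:
    """The page's entry plus one constructed entry so prioritisation has work to do."""
    desktop_files = RiskEntry(
        asset="Integrity of customer and financial data files on desktop systems",
        threat="Corruption of these files due to import of a worm/virus onto system",
        controls=["Firewall", "Antivirus"],
        likelihood="Almost Certain",
        consequence="Major",
        asset_value=200_000.0,   # constructed
        exposure_factor=0.25,    # constructed: a quarter of the files unrecoverable
        annual_rate=2.0,         # constructed: two infections a year before new controls
    )
    laptop_theft = RiskEntry(    # constructed second entry
        asset="Confidentiality of client records on staff laptops",
        threat="Loss or theft of an unencrypted laptop",
        controls=["Full-disk encryption"],
        likelihood="Unlikely",
        consequence="Major",
        asset_value=200_000.0,
        exposure_factor=0.5,
        annual_rate=0.2,
    )
    return [laptop_theft, desktop_files]


if __name__ == "__main__":
    for entry in prioritize(example_register()):
        print(f"{entry.level:8} ALE=${entry.ale:>10,.0f}  {entry.threat}")
    worm = example_register()[1]
    # Assumed: a managed antivirus subscription at $15,000/year cutting infections to 0.2/year.
    print("Antivirus subscription worthwhile:", control_pays_off(worm, 15_000.0, 0.2))
```

The point of carrying both views in one record is that the qualitative level ("Extreme") justifies the register's priority, while the ALE figure is what lets a countermeasure be argued for in the monetary terms the comparison above says quantitative analysis provides.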

The two models are

Security Steering Group (Leverage Model)

Maintaining knowledge of the industry, the supporting technology and the security model is not a part-time task. Developing a useful security architecture that is built on a comprehensive understanding of the business is a non-trivial activity that requires active engagement with multiple resources that can adequately characterize the business objectives and/or needs of the organization. Forming an internal Security Steering Group will help ease the measures necessary to design, build, implement and maintain a pragmatic security architecture model.

This leverage model can successfully decrease the overall level of effort in designing, implementing and managing all of the critical mechanisms that an enterprise security architecture is comprised of, thus increasing the Return On Investment (ROI), reducing the Total Cost of Ownership (TCO), and effectively managing risks.


Basic Security Requirement Model

An integrated risk management program is critical in securing business objectives, and requires the enforcement of secrecy (confidentiality), reliability (integrity), accessibility (availability), and liability (accountability).

Secrecy

Secrecy ensures the protection of data from unauthorized access throughout an organization's information architecture, which extends to all data directly linked with the architecture's applications, data stores, communication links and/or processes.

Reliability

Reliability ensures that data, services, and other restricted resources are not altered and/or destroyed in an unauthorized manner. Reliability-based controls provide safeguards against unplanned, unauthorized, or malicious actions that could result in changes to security defense mechanisms, security classification levels, addressing or routing information, and/or audit information.

Accessibility

Accessibility ensures the reliable and correct operation of information and system resources for which the loss of information and/or resource access would cause unfavorable results. Accessibility-based security requirements include controls to prevent, detect, and/or monitor unintended, unauthorized, and/or malicious activities that could negatively impact the accessibility of critical information.

Liability

Liability requirements ensure that events can be linked to the specific users and/or processes responsible for those actions. The overall goal is to be able to confirm, with 100% certainty, that a particular electronic message can be associated with a particular individual, just as a handwritten signature on a blank check is tied back to the account owner. Liability-based controls include identification and authentication mechanisms, and access control.

The steps are:

Knowledge base: A good tool will come with letter templates, appeals strategies, and other content to arm providers with the information that only experience can provide.

Workflows: MAC appeals can involve many departments and individuals collaborating to meet deadlines. Look for tools that have both prebuilt workflows and the flexibility to modify or design processes to fit an organization's specific needs.

Hosted software-as-a-service model: Keeping up with changing requirements and incorporating new best practices is difficult with software that arrives on CD. Hosted applications offer frequent content and functionality updates as well as fully functional remote access.

Easy-to-use streamlined interface: Good tools must be fast and easy to use, with controls that are intuitive enough that even the technologically inexperienced can use them.

The three steps in the security process are:

1) Plan: The first step is to plan the whole structure of the requirements. Nothing can be done without planning, so the first step is to plan what is there and how to work on the security of the required data. The security process is then followed according to the plan made.

2) Delegate: This is the step in which the plan is put into practice. Implementation of the security plan is done in this step.

3) Audit: This is the step in which all the security measures are tested, and if any loopholes are found they are rectified to provide the correct security measures.

The steps involved in conducting an assessment are

1. Define Extent of the Change: The assessment being done is laid down in detail, and all the procedures required are defined in this step.

2. Determine Key Differences: All the key differences are determined in this step, where all the requirements are laid down and separated from each other.

3. Focus on Effects: This step lays down the processes, and the main focus is on implementing them.

4. Sort and Prioritize: The main processes are first listed, and those with higher priorities are dealt with first.

5. Make a Decision: This is the step which lets the user make an effective decision based on the assessment.

Mobile devices, though portable and able to handle both calls and e-mail (internet), have some risks, which are as follows.

Due to their small size they can easily be stolen or lost, which leads to loss of the complete data.

The files still exist in the phone's memory, where they can be misused.

If the mobile software or any download is virus-infected, it can harm the handset itself.

The handsets are prone to many kinds of malware, which arrive through the different downloads done on the mobiles.

There can be excessive spam arriving on the mobile devices.

Thus the use of official information over mobile phones should be minimized to cases where it is actually necessary, as it can lead to leakage and misuse of the organization's information, which is a risk factor for the organization.

The main benefits associated with the approach to IT planning are

Freeing resources for improved operation

The ability to grow the business without a considerable increase in workforce, through improved and greater efficiency and output

Reduced delays in the workflow process

Reduced delivery response time

Reduced records

A risk is any event or occurrence of actions, internally or externally generated, which prevents an organization from achieving its objectives and goals. Risk assessment will aid in planning decisions such as:

The nature, extent, and timing of audit procedures

The business functions to be audited

The amount of time and resources to be allocated to an audit

With the information Eric Raffin had at that time, the other alternatives he could have considered are

Developing a database to record the actions, which can be referred to at the time of need

Taking timely backups, which can help store the data and be useful in days to come

Forming a system which stores every minute detail so that the process can be followed without any missing information

Taking into account the possible system working time, which would have increased its working and efficiency

The bowtie analysis is a popular structured method which helps in assessing risk; in this methodology a qualitative approach is not desirable. The success of the diagram lies in its uncomplicated, trouble-free method, which any non-expert can comprehend. The design is an easy one that combines the cause (fault tree) and the result (event tree). The fault tree is drawn on the left side and the event tree is drawn on the right side, and the risk is drawn as a "knot" in the centre, so the diagram looks like a bowtie. An example of the same is shown below:

To create a bowtie diagram the following need to be defined:

Events which need to be prevented.

Threats that might cause the event to take place.

Consequences which occur due to the event.

Controls required to prevent the event from occurring.

Controls to mitigate the consequences.

[Bowtie diagram: Hazard 1 and Hazard 2 on the left, each passing through a Prevention 1 / Prevention 2 barrier into the central Incident; on the right, Mitigation 1 / Mitigation 2 barriers leading to Consequence 1 / Consequence 2.]


The bowtie methodology is used for every kind of risk examination and investigation, from major accidents, through occupational and environmental risks, to industry, IT and safety risks.
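The following Python program is an added example, not part of the original assignment. It encodes the five things the bowtie section says must be defined (the event, its threats, its consequences, the preventive controls and the mitigating controls) as a small data structure, draws the bowtie as text with the fault tree on the left and the event tree on the right, and then finds the gaps a risk reviewer looks for in such a diagram: threats with no preventive barrier, threats held by a single barrier, and consequences with no mitigation. The sample bowtie is constructed for the accounting-firm worm/virus scenario from the risk register; its threat and control names are assumptions.

```python
"""Bowtie model: threats, preventive barriers, the event, mitigating barriers, consequences.

Added example, not part of the original assignment. The sample bowtie and its
threat and control names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Bowtie:
    event: str  # the central "knot" of the bowtie
    # left side (fault tree): threat -> preventive controls between it and the event
    threats: dict[str, list[str]] = field(default_factory=dict)
    # right side (event tree): consequence -> mitigating controls between the event and it
    consequences: dict[str, list[str]] = field(default_factory=dict)

    def add_threat(self, threat: str, *preventions: str) -> None:
        self.threats[threat] = list(preventions)

    def add_consequence(self, consequence: str, *mitigations: str) -> None:
        self.consequences[consequence] = list(mitigations)

    def unbarriered_threats(self) -> list[str]:
        """Threats with no preventive control: a direct path into the event."""
        return [t for t, controls in self.threats.items() if not controls]

    def single_barrier_threats(self) -> list[str]:
        """Threats held back by exactly one control: one failure leads straight to the event."""
        return [t for t, controls in self.threats.items() if len(controls) == 1]

    def unmitigated_consequences(self) -> list[str]:
        """Consequences with no mitigating control: nothing limits the damage."""
        return [c for c, controls in self.consequences.items() if not controls]

    def render(self) -> str:
        """Plain-text drawing: fault tree on the left, event in the centre, event tree on the right."""
        lines = []
        for threat, controls in self.threats.items():
            chain = " -> ".join(f"[{c}]" for c in controls) or "(no barrier)"
            lines.append(f"{threat} -> {chain} -> ({self.event})")
        for consequence, controls in self.consequences.items():
            chain = " -> ".join(f"[{c}]" for c in controls) or "(no barrier)"
            lines.append(f"({self.event}) -> {chain} -> {consequence}")
        return "\n".join(lines)


def example_bowtie() -> Bowtie:
    """Constructed bowtie for the accounting-firm worm/virus scenario."""
    bt = Bowtie("Worm/virus corrupts customer and financial data files")
    bt.add_threat("Staff open an infected e-mail attachment",
                  "Mail gateway attachment filtering", "Desktop antivirus")
    bt.add_threat("Staff download an infected file from the web", "Desktop antivirus")
    bt.add_threat("Infected USB drive plugged into a desktop")  # no barrier defined yet
    bt.add_consequence("Financial records unusable", "Nightly backups restored")
    bt.add_consequence("Clients' data integrity breach reported to regulator")  # unmitigated
    return bt


if __name__ == "__main__":
    bt = example_bowtie()
    print(bt.render())
    print("Threats with no preventive barrier:", bt.unbarriered_threats())
    print("Threats relying on a single barrier:", bt.single_barrier_threats())
    print("Consequences with no mitigation:", bt.unmitigated_consequences())
```

The three gap queries are the reason to hold the bowtie as data rather than only as a picture: each missing or single barrier they report is a control that the register's "Controls" column should either list or justify leaving out.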

Using the web as a medium of exchange, whether for buying or selling goods and services, involves transactions of money from one account to another. Customers take on a very high risk when shopping over the net; the risks are

1. The customer is not sure whether the web page on which he is trying to shop is a valid one or not. People make fake web pages and try to cheat the general public, taking lots of money from them and not delivering the products.

2. They can risk the money which they are giving in exchange for the commodity.

3. They can risk their bank account details or their credit card details.

4. They are not even sure of getting the desired product which they have purchased over the net.

5. They cannot contest the quality of the product which was sent to them, or if a product is broken.

So there are various risks involved in shopping over the net; thus it should be avoided to a great extent.

Outsourcing is forming a contract with another company or person to do a particular task or provide some service. Naturally, the function being outsourced is considered non-core to the business. Today almost every organization outsources in some way or another.

Following are some positive effects of outsourcing on an organization:

Growth

Offshore Expansion

Variety of Options

Reduced Risks

Competitive Spirit

Fulfill Business Objectives

Better Results

Resource Utilization

Flexibility

Share Business Risks

Fast Turnaround Time

Following are some negative effects of outsourcing on an organization:

Loss of jobs in developed countries

Huge lay-offs by companies

Risk of heavy losses to companies who outsource without proper planning

Rise of fear and dissatisfaction among employees in companies that outsource

Risk of the outsourcing company stopping its operations

The project may not be completed well in time. As the whole group has not worked with this technology, and we have no documentation to refer to for this technology, we face real difficulties in estimating the time required to complete the project. We can even go wrong about the people required for completing this project. Doing this project is like "aiming in the dark". We are in a situation where we have put our foot forward without even knowing where our goal is and how much time we need to reach it. The biggest problem here is whether the project will be delivered well in time, because the organization is waiting for the new deliverable, and the processes currently in the organization are being carried out in the hope of getting the deliverable well in time. As we know, every step undertaken within an organization is interdependent, so the dependency of work on this new technology is also expected.

The development of this technology may lead to losses in the shares of the company for which the technology is being made. When the organization is expecting a new technology after six months, they might have started managing their work in the hope of getting the new technology well in time, but if this does not happen the company is obviously going to be struck hard by losses, and if a company goes into loss it is sure to see a depreciation in its shares. The probability of this risk is very high, more than 50%. The risk exposure is high because it directly affects the stake of the company. The best way to avoid this risk is to take as long a time period for its completion as needed, but it should be adequate and within reach.

Another risk is whether the deliverable will be efficient enough to provide what is required of it. Here is the biggest risk: whether we will be able to provide the project in the way it is required. Even if we take a long time to do the project, we are not sure of its success, as the system takes data from three systems which no one is aware of except one of the team members. This situation is like being led by someone who is also not sure about the things. We are just doing a process of hit and try. If it works out, well and good; else all is in vain.

The risk here is very high, as in taking this technology for development we are not sure of giving the desired deliverable, because it is a new technology and new systems are involved for which there is no reference to take help from. If this happens the company can face a situation where it has to stop its work, because they might have started their processing according to the new technology, hoping it would work fine. The probability of this risk is maximum because it is what the exact system is all about. The best way to avoid or reduce this risk is to do a thorough study and analysis of the systems required. Every possible piece of data and information should be gathered and considered to help make a productive deliverable.

The next risk is about the inflow required in this project. As I said, since we are working on the basis of hit and try, we may require more inflow into the project than was planned or estimated. This is really a thing to worry about, because an organization can only spend a particular amount on a project. And here is the case that even if they spend more, they are not sure of the final deliverable.

If this is the case it is for sure that the company can go into losses. The risk exposure is high because if the company utilizes its funds here, and that too without even having a budget for it, they will go into huge losses, which might create a situation for the company to shut down its business. The best way to avoid this risk is to first clearly discuss with the developers how much capital is required and whether they will be able to give the desired deliverable within that budget, and what the maximum expenditure for this will be. A thorough plan should be made, and only then should the decision be taken to undertake such a new project.

The risks involved in this project are high, and it is really not feasible or ethical to undertake such a project, because it does not give the desired deliverable and it also harms the managers' and company's goodwill. It can make a loss for the company too, which is not right. If the company goes into loss it will affect the market of the company, which will lead to a fall in the share rates and loss of customers for the company, which is not good at all. On the part of the organization, they should also take care that what they are expecting from a project is approachable and valid.
