Introduction
Information security is the collection of all the measures that an organization takes to keep the information at its disposal secure. These measures involve technology, policies, procedures, and agreed standards that ensure the company's information systems cannot be accessed by unauthorized persons who might destroy them or modify the information they contain. Put another way, information security is the wide range of security measures an institution undertakes to protect its crucial information against internal and external threats, so as to ensure business continuity, minimize business risk, and maximize the return on its investments (Farn, Lin & Fung, 2004).
Information is very important for any organization, as it underpins the company's marketing and operating strategy. When this information is accessed by an unauthorized person, it may lead to exposure of confidential information, leaking of essential information to competitors, and/or theft through disclosure of information to dishonest people. According to Cerullo, V. and Cerullo, M. (2004), information security is crucial to a firm for three reasons: first, it provides confidentiality, meaning the protection of personal privacy and other proprietary information; second, it guards information against improper modification and destruction, thereby ensuring its integrity; and lastly, it ensures that information is kept available for reliable and timely retrieval.
General Risks Faced by Any Organisation
Information risks are faced by every organization, regardless of whether or not it is a technology company. Whenever information is involved, there are security risks involved. Some of them are listed below:
Cyber threats: cyber crimes have become very common, and without effective measures criminals could hack into an organization's systems and steal sensitive information, mostly for malicious purposes.
Backup failures: some organizations fail to create an effective information backup plan, which is risky in the event of a disaster.
Malware attacks: malware carries out malicious activity against an organization's information.
Inappropriate data classification and authentication: some organizations do not clearly define which people are allowed to access sensitive data, or when they are allowed to access it. Such cases weaken information security, since sensitive information may get into the wrong hands and cause damage to the organization.
Remote backup stations: some organizations do not have secure remote backup stations. This causes havoc when the main information servers fail.
Section A
Company Overview
This question will focus on a service-industry company dealing in petroleum and other energy-related products. The company will be called Woltech Energy Inc.; it is based in the UK and has subsidiaries in China and Eastern Europe. The company manages its information- and technology-related risks as required by ISO 27001. The paragraphs below give a brief description of the hypothetical company used in this question.
Woltech Energy is a company operating in the energy sector in the UK, Eastern Europe, and China. The company's headquarters is in Wolverhampton. The company has various security gaps, including operating in an environment considered hazardous for computers and running computers of differing specifications. Many of the senior officials use a range of devices such as mobile phones, laptops, and iPads. There is also neglect on the part of the manager, who is not aware of any additional security used with mobile phones and believes that employees use either their own phones or the company's phones while on duty.
Although the company has subsidiaries in different parts of the world, the server system is located in Wolverhampton. The company's backups are taken on removable hard disks and other portable storage devices. Another security gap is that the company's website is hosted by an external hosting company. The company's financial systems are also intertwined: the main accounting system, Sage 50 Accounts Professional, is linked to the Sage 50 Forecasting package.
A third party is used to run the company's problem, while an even bigger problem has arisen of late in which emails were sent to the wrong accounts. There is also a confidentiality problem: the managing director's passwords are kept by his PA. The MD also did not seem to understand what encryption means in IT.
Risk Register
A risk register is a document kept by the risk manager that records each risk, its vulnerability, and its impact on the operations of the company. The risk register is important in managing the risks associated with a company. In this question the article will identify eight risks faced by the company and look for ways to address them.
The risks identified in the table below are the major ones faced by the organization at large. In summary, they affect the organization's performance in various ways depending on their impacts. The threats and vulnerabilities identified in the case study have been assessed as compromising the security of Woltech's information.
Therefore, this section assesses the risks and their impacts on the organization. Each risk is given a priority depending on how threatening it is to the organization. The level of vulnerability a risk causes also determines the priority score an impact is given. There are twenty risks identified that affect Woltech's information security. Most of the risks identified are technological, physical, and human risks.
The table below lists each identified risk as either a vulnerability or a threat to information. It also describes the vulnerabilities or threats a risk poses to the organization's information.
Risk Number | Risk description | Source | Likelihood | Severity of impact | Controllability
1 | Different variety of devices | One device can be vulnerable to information access. | When one device is not secured, the information of the whole organization can be accessed through it.
2 | Unsupported OS and security updates | Hackers may notice the weak points of the system, penetrate it and access information. | Different operating systems create weak points through which information may be accessed.
3 | Antivirus and anti-malware software | Viruses sent to the system may spy on information and intercept data sent through the network. | Viruses and malware spy on data and corrupt files.
4 | Company devices and personal devices | Malicious code may be sent through personal devices, giving attackers access to the organization's information. Insider threats also come from the use of personal devices. | All avenues of personal devices are a source of information leakage. | Information is leaked through interception of calls and messages sent through personal devices.
5 | Server location, backups and encryption | Poor data backup and encryption exposes information to unauthorized persons. | Server failure or damage leads to loss of sensitive information. | Unencrypted data can be easily intercepted.
6 | System administrator reliability, dependency and capability | Unavailability of an administrator means security updates will not be done and information security policies may not be adhered to. | Insider threats also come from the use of personal devices. All avenues of personal devices are a source of information leakage. | Administrators control information flow in an organization. When they are not reliable, backups and security updates will be ineffective.
7 | Plan for server loss | Information sent or retrieved over the network may be intercepted. | Server loss may result in the freezing of ongoing activities, which may not be recoverable. | In cases of server loss, some sensitive data may not be recovered.
8 | Bespoke back office system | Sensitive information may be accessed illegally through penetration of the bespoke web-based system. | Administrators control and monitor activities regarding information security. If they are not reliable, the security of information is put at risk. | The ease of accessibility of a bespoke back office system is a threat to information.
Table 1
Various impacts result from poor management of the company's security system. These impacts can be categorized in terms of file corruption and deletion.
Malware monitors information in the system and sends it to the attacker for malicious use, for example through the transfer of backups on removable disks.
Unsecured information is accessed through one device and used against the whole company; this can be done through hacking and cyber-attack mechanisms.
Poor operating efficiency and inaccuracy at work increase the vulnerability of, and the security threats to, the information system, owing to the sharing of passwords and the use of home devices for office work.
The table below cross-references the company's activities against the identified risks, using the Woltech Company case study.
Risk Number | Risk description | Risk Impact | Impact Rating
1 | Email to wrong address | Wrong people accessing sensitive data. Information used against the company might ruin its sustainability. | 100
2 | Cyber security issue | Hackers will attack the system and steal information. Hackers might also enter false records into the system, such as ghost workers. | 100
3 | Implement and maintain an information security policy | Sharing of sensitive information with the wrong people. Also, holding solid evidence of information when not allowed to. | 80
4 | Logging and ID card | Unauthorized access; information can be doctored. | 100
5 | Disposing of redundant equipment | Data will be viewed by the wrong people. Malicious acts can be done. | 60
6 | Equipment from China | Malicious attacks can be done. Devices are easily penetrated to obtain important information. Similarly, they are not safe as they may catch fire (Orchier, J., et al., 2000). | 80
7 | Encrypted passwords, strong passwords, password expiry and encrypted connection | Unauthorized access to sensitive information. Records will also be manipulated illegally to obtain false records about different variables. | 100
8 | Power backup electrical failure | When power is lost, all unsaved information will be lost. Also, there will be no activity in the organization when power is lost. | 80
Table 2
Comparison of impacts
Below is a table that explains how the impact rating is scored and described (see Table 2).
Title | Mark | Description
Very Little | 20 | Unimportant, minimal impact to the company.
Low | 40 | Disclosure of Personally Identifiable Information (PII): hundreds of people (5), thousands of people (7), millions of people (9). The impact is minor, < 5%.
Medium | 60 | Non-compliance: minor violation (2), clear violation (5), high-profile violation (7). Measurable impact, 5-10%.
High | 80 | Reputational damage: loss of major accounts (4), clear violation (5), loss of goodwill (5), hundreds of people (5), minor effect on annual profit (3). Significant impact, 10-25%.
Very High | 100 | Economic damage: minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9). The impact is major, > 25%.
Section B
Risk Responses
Information security risk assessment is the process in which security problems are discovered, analysed, and corrected. The process is ongoing and forms an integral part of security management, as required by the International Security Policy (Agbabian, Symantec Corporation, 2008). For an existing company, the risk assessment should be conducted on a regular basis, as required by the System Development Life Cycle (SDLC).
In undertaking Information security risk assessment for Woltech Company, the followin...
Risk Management Analysis at Woltech Company. (2021, May 28). Retrieved from https://midtermguru.com/essays/risk-management-analysis-at-woltech-company