Evaluating and Mitigating the Security Risks of TrainTech Inc Essay Example
Evaluating and Mitigating the Security Risks of TrainTech Inc Essay Example

Evaluating and Mitigating the Security Risks of TrainTech Inc Essay Example

Available Only on StudyHippo
  • Pages: 10 (2636 words)
  • Published: February 25, 2017
  • Type: Essay
View Entire Sample
Text preview

Information security, as the responsibility of information technology (IT) departments, is a business issue as well as a technological one. This study seeks to evaluate and mitigate organisational risks faced by the TrainTech Inc. in terms of information security based on BS International Organisation for Standardisation (ISO)/International Electrotechnical Commission (IEC) 17799:2005 of the British Standard.

This report serves the Chief Executive Officer (CEO) of TrainTech Inc. in ensuring the company’s information security. In particular, it attempts to answer the following questions: (a) What are the information assets in TrainTech Inc.? (b) What are the threats and vulnerabilities for each information asset in TrainTech Inc.? (c) What mitigating actions can be applied to the identified risks of the company?

Information Security and Risk Management The issue

...

on information security critically addresses the approach of organisations in operating safely in the internet economy. The failure or lack of information security is one of the great challenges of most IT companies and it even caused others to suffer even if they have the right security products, competent in-house security staff, and a compelling business need for good information security. In 2001, for example, businesses in the United States reported 53 thousand cases of system break-ins, a 150% increase over 2000.

The reason behind this devastating incident is because security in the internet economy has become too complex and dynamic for most companies to deal with (O'Neill & Tippett, 2001, p. 74). Thus, in order for companies to safeguard their assets and to have a more competitive advantage, they need a properly implemented security infrastructure innovation (Andress, 2003, p. 12). Competitive advantage enables firm

View entire sample
Join StudyHippo to see entire essay

to continuously and successfully operate in the economy where intangible assets are more important than the tangible ones. It is usually attained if a company has well researched and managed intellectual assets (Means & Schneider, 2000; Leadbeater, 2000; Winter, 2000 quoted in Beal, Brent & Thomas 2004, p. 4).

The process by which organisations manage information and knowledge has been articulated by Boisot (1995) and summarized by McGaughey (2002). They stated that the value of information good is derived from its utility and scarcity which are of three functional characteristics: codification, abstraction and diffusion (Beal, Brent & Thomas 2004, p. 4). As corporations rely ever more on technology to run their businesses, security is becoming a major concern rather than an afterthought (Kruger & Kearney, 2006, p. 289). Hackers, terrorists, disgruntled employees and business competitors are always on the lookout for any weakness in the information system (IS) of organisations and may seek to exploit found weaknesses for psychological, political or economic advantage.

These entities pose a serious threat to organisations’ IT infrastructure which often result in negative financial and other repercussions (Gupta et al., 2006, p. 599). Over the last few years, trends in information security have emerged like the growing number of computer crime for profit, infrastructure-targeting attacks, sophistication of malicious ware and compliance and assurance considerations, and the bifurcation of information security practices. Other emerging trends in this arena include, but not limited to lack of security in mobile technology and diminishing reliance on security perimeters (Schultz, 2006, p. 315). Information is very crucial to the success of the organisation and will be accountable for a significant share of the

business’s various indicators of success, including its cash flow and market value.

Therefore, organisations should have effective management of information security with technical and procedural control skills to manage information risk (Kruger & Kearney, 2006, p. 292). Strategic information systems planning (SISP) has an important role in helping to avoid lost opportunities, duplicated effort, incompatible systems, and wasted resources. The process of formulating IS plan helps to explicitly focus the planners' attention on “major opportunities for exploiting information” (Ward & Peppard, 2002, p. 468).

While a key objective of strategic information systems planning is to identify opportunities to exploit information, Ward & Peppard (2002, p. 468) note that they should ensure that this information is of the highest quality possible, particularly in terms of timeliness, accuracy, completeness, confidence in source, reliability and appropriateness’. In practice, however, many organisations fail to consistently provide the high quality information resources that their managers require, because of unacceptably high levels of security breaches experienced (i.e., Information security breaches survey (2004) found in the UK that the number of security incidents continues to rise with 74% of businesses reporting a security breach in 2004, as compared with only 44% in 2000 (Garg, Curtis & Halper, 2003, p. 78).

In recognizing these issues in the IT environment, the case study in this dissertation focuses on TrainTech Inc. The International Standard ISO/IEC 17799, prepared by the British Standards Institution (as BS 7799-2), was adopted by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC (BS 7799-1:2000, p. vii). BS 7799-2 was prepared for business managers and their staff

to provide a model for setting up and managing an effective Information Security Management System (ISMS) (BS 7799-2:2002, p. iii). (See Appendix A for BS 7799-2 acceptance). Information security is required because the technology applied to information creates risks. Broadly, information might be improperly disclosed, modified in an inappropriate way, or destroyed or lost. Compromise of a valuable information asset will cause dollar losses to the information's owner whether acknowledged or not; the loss could be either or indirect.

In business terms, a risk is the possibility of an adverse event which would reduce the value of the business were it to occur. However, risks can be managed. Blakley, McDermott & Geer (2003, pp. 97-98) identified a variety of mechanisms in managing risks such as: (1) Liability Transfer, (2) Identification, (3) Mitigation, and (4) Retention. The British Standard provides managers and their staff involved in ISMS risk management activities guidance and advice to specifically support the implementation of those requirements defined in BS ISO/IEC 27001:2005.

The process approach is adopted for assessing risks, treating risks, and ongoing risk monitoring, risk reviews and re-assessments to encourages its users to emphasize the importance of: (a) understanding business information security requirements and the need to establish policy and objectives for information security; (b) selecting, implementing and operating controls in the context of managing an organisation’s overall business risks; (c) monitoring and reviewing the performance and effectiveness of the Information Security Management System (ISMS) to manage the business risks; and (d) continual improvement based on objective risk measurement (BS 7799-3:2006, p. 1).

Security Standards of TrainTech Inc. TrainTech Inc. is an international company based in Canada

that provides skills and training development for technological advancement online. It has 4 branches in different countries such as the United States, Singapore, Saudi Arabia, and Belgium. Clients choose any of the different technical courses and they can pay either by credit card or via a direct transfer from their bank accounts. TrainTech Inc. has 16 employees in at the main office in Ontario. Their positions include the following: Chief Executive Officer (CEO), two Technical Support Assistants, Vice President for Marketing, Database Administrator, Vice President for Business Development, IT Director, Systems Security Officer, Computer Programmer, Course/Program Director, Two Curriculum Developers, Web Page Designer, Graphic Designers, Lawyer, Accountant, and Office Manager.

TrainTech Inc. runs its Web site on Microsoft Internet Information Server (IIS). Its database product of choice is the Oracle and the servers are co-located at Exodus. The company uses Windows Live Hotmail and Messenger for internal communications. It uses Yahoo! Mail Beta and Instant Messenger for its communication with customers. The movement towards a company-wide operational system is driving change in risk management technology. A successful risk management strategy begins with the implementation of a company-specific enterprise operational framework. TrainTech Inc. has been applying its risk management design for three years: Step 1: Establishing a risk management framework.

In this phase, the company identifies, evaluates, exploits, finances and monitors risks in order to increase the short and long-term value of the enterprise. In this framework, decision-making is where corporate management sets the direction and controls. Corporate management will consult the stakeholders, constantly monitor the operations to reduce risk, evaluate and prioritize the enterprise's financial, operational and strategic risks. A unique individual--ideally the

risk manager or, even better, the chief risk officer--is elected as the “champion” of the initiative. This person should have a top-level view of all risks facing the enterprise and also the authority to establish changes in business practice. Step 2: Risk requirements.

This step requires an understanding of the organisation's internal and external key stakeholders. Interviews with employees are carried out to determine their perception, objectives and strategies regarding: data currently collected and reasons for their collection; data that is not worth the cost; additional data desired; bottlenecks in current procedure; notes and diaries; exposure and policy administration; risk measures and risk models. It is essential to analyse each interviewees’ perspective to understand the organisation information flows and risk management decisions.

The risk strategy aims is to eliminate manual gathering and management procedures. Step 3: Identify the flow of information. The development of an accurate and detailed flowchart is the most important step in obtaining a well-designed risk management strategy. It includes the content of information flows, the risk assessment software and hardware needed in different departments or locations, and the skills needed to operate the hardware and software. It serves as a blueprint for a proposal. Step 4: Determination feasibility. The aim of a feasibility study is to see whether it is possible to develop a system at a reasonable cost considering the benefits. The determination of exactly what is and is not feasible for now and for the future as the business grows and technology advances is significant to the stakeholders.

The most common reason for replacing systems today is the inability to extend the existing implementation to cope

with increased demands placed upon it due to rapid growth within the organisation. Step 5: Buy or lease? During the selection process, the company finds a system that can adapt and provide the benefits required. If unsure which options to choose, it selects at least five vendors. Each vendor should provide an in-depth product demonstration. It is also important to assess each vendor’s level of service and support. During the implementation, the Chief Security Officer responds to unexpected changes and problems that may arise.

One example would be people resistant to change, whose ability to interpret, communicate new results might not be adequate. While managers are putting into operation a new risk assessment strategy in the organisation, the managers are in fact implementing a new risk control. In so doing, the manager must organize, motivate, monitor and communicate to enable a smooth transition to the new system. The quality of products to be bought should be assured in order to obtain their expected functions.

Risk Evaluation Risk assessment play significant role in security management. Risk is a possibility of negative impact to an organisation’s asset. It is interchangeably used with the probability of a loss or threat (Holton, 2004, p. 22). A risk management approach which can be implemented by any organisation is specified in governance and security frameworks such as Control Objectives for Information and Related Technology (COBIT), International Organisation for Standardisation (ISO), and National Institute for Standards and Technology (NIST) documents, and these are references for regulatory compliance audits. IT security organisations can utilise the risk management process as a means of ensuring the IT environment integrity and the alignment of

IT with the enterprise risk strategy as well as in justifying security expenditures (Byrnes, Fry & Nicolett 2006, p. 1).

Risk assessment, is fundamental to the security of any organisation in ensuring that controls and expenditure are fully commensurate with the risks to which the organisation is exposed. Risk assessment is part of information security management system (ISMS) in BS 7799-2:2002. The choice of risk assessment method depends from one organisation to another. This is one of the requirements in establishing ISMS (see 4.2.1c). Risk assessment for the British Standard is the overall process of risk analysis and risk evaluation.

The application of the British Standard to any organisation, regardless of type, size and nature of business is explained in BS 7799-2:2002 (2002, p. 5) that when exclusions are made, claims of conformity to the standard are not acceptable unless such exclusions do not affect the organisation’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable regulatory requirements.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria need to be justified and evidence needs to be provided that the associated risks have been properly accepted by those who are accounted for. TrainTech Inc. has the following assets: computer units and IT infrastructures, e-mails employees’ user accounts, sales mail templates, customer relationship management database, course outlines and descriptions, program modules, website, academic modules, and marketing information. Specifically, the company faces two risks identified for e-mails and client transactions database.

For e-mails, the threats include: (1) failure and corruption of data in mail server hardware, (2) losing data when

there is power interruption in server room, (3) corruption or deletion of data due to virus attacks, and (4) exploitation of confidential information due to unauthorized or accidental forwarding and sending of e-mail. The vulnerabilities include: (1) improper hardware maintenance, (1) lack of uninterrupted power supply (UPS) in the server room, (3) out-dated anti virus software, and (4) uncontrolled hackers. The threats for the sales and customer relation management templates database include: (1) failure and corruption of data file server hardware, (2) loss of customers contact information, and (3) accidental deletion of templates. Its vulnerabilities include: (1) lack of backup for the file server; (2) improper hardware maintenance, and (3) improper permission configuration. These risks need to be mitigated in order to avoid loss of data that can lead to a total business failure.

Risk Mitigation Byrnes, Fry and Nicolett (2006, p. 2) identifies four types of countermeasures or mitigation for vulnerabilities such as deterrent (reduce likelihood), preventive (protect or reduce vulnerability), corrective (reduce loss) and detective (discovery attack and trigger prevention or correction). Similarly, BS ISO/IEC 17799:2005 provides possible options for risk treatment such as: (a) applying appropriate controls to reduce the risks; (b) knowingly and objectively accepting risks, providing they clearly satisfy the organisation’s policy and criteria for risk acceptance; (c) avoiding risks by not allowing actions that would cause the risks to occur; (d) transferring the associated risks to other parties, e.g. insurers or suppliers.

Many modern organisational environments are driven by variables that are dynamic and move together in a complex manner. The building of scenarios is one technique that has been developed to cope with this complexity. Basically,

scenarios are different stories about how the future may evolve. The scenario building process treats the uncertain elements that drive future conditions in an internally consistent (Mackay & Mckiernan 2004, p. 161). Along this line, scenario thinking can be an appropriate tool in mitigating risk and in contingency planning. Traditionally, scenario thinking is also referred to as scenario planning.

However, there is increasing recognition that the process of building scenarios has value that goes beyond that of a mere planning tool for improving foresight. For this reason, the term scenario planning has been changed increasingly to scenario thinking in the literature (van der Heijden & Schuttle, 2000, p. 21), to reflect its role in cognitive processes (Grinyer, 2000, p. 28) and the importance of individual reasoning techniques in interpreting the past, considering present events, and processes and perceiving the future. The IT Management Group has already attempted to improve its information systems project firmly.

Although the sum involved is very much smaller, the company has tried to focus on the need for the company to invest in its Information Systems innovation as a means of improving its performance, attracting more clients, developing its image of modernity, and remaining competitive in the industry. The company’s CEO supports both in terms of finance and business process through the scenario thinking technique in addition to the guidelines on risk management provided by the British Standard Institution which prepares the company to address problems that may come along the way.

Get an explanation on any task
Get unstuck with the help of our AI assistant in seconds
New