Tuesday, December 10, 2019
IT Risk Management Of Aztek Samples - MyAssignmenthelp.com
Question: Discuss the IT Risk Management of Aztek.

Answer:

Introduction

Aztek is an Australian financial firm that provides its clients with services in the financial sector only. Many business sectors have been set up in different countries and contribute to a country's economy. Some contribute less, while others are mandatory: without a strong hold in such sectors a successful economy will not develop. The financial sector is one such example, and the organizations in it carry a great responsibility to give their best so that customer demands are fulfilled. Aztek has contributed successfully to the goal of a strong economy for Australia and has served its customers excellently. The organization is now expanding, which is causing certain issues in terms of customer satisfaction levels. Owing to the current problems and issues, the senior officials at Aztek have come up with different project proposals. Some of these ideas include permitting the employees of Aztek to bring their personal devices to work, using external cloud hosting solutions for information management, outsourcing some of the key IT functions, and the like. After analyzing the current and future needs of the organization, the management has decided to implement the first suggestion: allowing employees to bring and use their personal devices at work. This report covers the details of the project, the risk areas associated with it and the risk management process.

BYOD: Project Overview

Bring Your Own Devices (BYOD) is a scheme that promotes the use of employee-owned devices in a business environment.
IT consumerization is one of the growing trends in present-day business, and BYOD is a stepping stone towards it. Under this scheme, employee-owned devices such as smartphones, networking gadgets, tablets and laptops are sanctioned by the business units for use in the organization or as part of parallel systems. Aztek has decided to implement it so that the load of procuring additional tools and devices is removed from the organization. The accounts department can then allocate the savings to other important areas, which would aid the expansion of the organization and the improvement of its infrastructure.

Project Review from the Finance Service Sector

Every business activity is regulated by laws and policies that vary from one country to another. In Australia, all financial services, operations and activities are regulated by the Australian Securities and Investments Commission (ASIC), an independent body that acts as the corporate regulator for Australia. All financial transactions and activities executed by Aztek must adhere to the ASIC rules and guidelines. There is also an ethical and professional code of conduct followed in Australia irrespective of business sector, called the Australian Code of Conduct (ASC), and the project activities must conform to it as well. Nowadays, payments are mostly processed electronically. These e-payments are governed by the e-payments code and regulation under ASIC, which shall be adhered to. Financial information is classified as sensitive and critical information. It must be protected from all sorts of security risks and attacks, and therefore Intellectual Property rights shall be implemented in such systems.
BYOD Description: Financial Aspects

Aztek is a finance company with its own set of goals, aims and objectives. Some of the primary points on the list include:

- The financial services provided to the clients are secure, reliable and accurate.
- Employees of Aztek are satisfied and their engagement with the company grows higher every quarter.
- Customers of Aztek are satisfied and their engagement with the company grows higher every quarter.
- The deadlines, estimates and delivery dates for every project are met.

The BYOD project approved by the management has its own goals, which are in line with the company's aims and goals. With the implementation of BYOD, employee-owned devices will be used to execute business operations. These devices will have the company tools, applications and mechanisms deployed, so that employees may use them to execute business tasks and to explore the systems as well. This will make them aware of the in-depth functioning, which will improve the reliability of the service and the productivity of the employees. They will not be required to stay for extended periods at company locations, as they may also operate the functions from their homes. The reliability and quality of service will improve, which will in turn improve the fulfilment of customer expectations. Customers will be provided with financial solutions by the promised delivery date, which will enhance their engagement with Aztek. The entire set of activities will be streamlined and the risks associated with schedule and budget will be avoided as a result. The implementation of BYOD will also provide many financial benefits to Aztek.
Employees will bring their personal devices to the office, which eliminates the cost of procurement along with the infrastructural cost of setting up these devices at the employees' workstations. Operational costs will also come down, as the number of operational errors, and the need to work on a particular requirement again and again, will be eliminated (Gessner, 2016). The cost of testing can be considerably high, as many additional tools are necessary in certain business processes. These tools will already be available with the employees, which will bring down costs in this area as well (Retailwire, 2016).

IT Security Policies & Procedures: Changes and Updates

Lower costs are one of the major benefits that BYOD offers to the organizations that implement it. There are several other benefits, such as improved work-life balance and satisfaction levels for the employees, streamlined business activities, better customer satisfaction levels and many more. On the other hand, many challenges may emerge with the use and implementation of BYOD, one of the major ones being security issues and risks. These security issues may fall under the categories of data security risks, network security risks, device security risks and the like. The security plan currently implemented in Aztek was designed around the information security needs and the nature of the projects carried out in the organization. It suggests measures to control the risks associated with Aztek's current elements, with no mention of BYOD, as it is being implemented for the first time. Therefore, changes to the security policies and procedures will be necessary, which will require a risk assessment and management of all the security risks associated with the BYOD scheme and project.
Primarily three categories of threats and security risks will come up with the use and implementation of BYOD: information security risks, network security risks and device security risks. The employees' devices may or may not conform to the security requirements of Aztek. Before sanctioning the use of an employee-owned device in the organization, the IT department must carry out a security review of that device. It shall be equipped with the security tools, security tags and applications needed for easy tracking and security control (Coleman, 2011). The information and network security risks shall be assessed, and the controls designed and implemented accordingly. The back-up schedule shall also be updated, along with enhanced forms of disaster recovery controls. Apart from these three risk categories, there may also be risks caused and executed through the device owners, that is, the employees of Aztek. They might use the devices, and the organization-oriented applications on them, on their home networks or on public networks. This increases the risk probability, as network security will be weak in such cases. The critical applications and information shall therefore be locked out as soon as the employee disconnects from the office network. This shall be included in the security policy, and only the less critical applications and public data shall be accessible from other networks (Newton, 2015). The employees shall also be provided with knowledge of the best security practices they must follow, including preserving and protecting the devices and information from unauthorized users such as their family and friends (Trendmicro, 2016). The security procedures and policies must be upgraded according to the security state around the BYOD scheme.
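The lockout rule above (critical data unreachable once the device leaves the office network, only less critical and public data available elsewhere) and the per-role read/modify privileges laid down later in the report's Data Security section can be expressed as a single policy check that also writes the security log the report calls for. The following is an added example, not code from the report or from any Aztek system. Role and classification names are taken from the report; the function names, the Decision and audit-entry structures, and the choice to treat "private" data as the less critical tier that stays reachable off-network are assumptions made here.

```python
"""BYOD data-access policy check with an audit log (added example).

Rules encoded: (1) critical classifications are locked out off the office
network regardless of role; (2) read/modify rights per classification as
set out in the report's Data Security section. Names of roles and
classifications follow the report; everything else is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

CRITICAL = {"sensitive", "confidential", "office_use_only"}
LESS_CRITICAL = {"private"}   # assumed: the tier still reachable off-network
PUBLIC = {"public"}
ALL_CLASSIFICATIONS = CRITICAL | LESS_CRITICAL | PUBLIC

# Who may view each classification (None = every stakeholder may view).
READ_ROLES = {
    **{c: {"data_administrator", "security_manager", "director", "ceo"} for c in CRITICAL},
    # assumed: the role allowed to modify private data may also view it
    "private": {"data_administrator", "data_scientist", "analyst", "security_analyst"},
    "public": None,
}

# Who may update or modify each classification.
MODIFY_ROLES = {
    **{c: {"security_manager", "data_administrator"} for c in CRITICAL},
    "private": {"data_administrator"},
    "public": {"security_manager", "data_administrator"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_access(role, classification, operation, on_office_network, audit_log):
    """Decide whether `role` may perform `operation` on `classification` data.

    Every decision, allowed or denied, is appended to `audit_log`, so the
    security log the report requires also records refused attempts.
    """
    if classification not in ALL_CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification}")
    if operation not in ("read", "modify"):
        raise ValueError(f"unknown operation: {operation}")

    if classification in CRITICAL and not on_office_network:
        # Lockout rule: critical data is unreachable off the office network,
        # whatever the role or operation.
        decision = Decision(False, "critical data locked out off the office network")
    elif operation == "read":
        allowed_roles = READ_ROLES[classification]
        ok = allowed_roles is None or role in allowed_roles
        decision = Decision(ok, "read permitted" if ok else f"{role} may not view {classification} data")
    else:
        ok = role in MODIFY_ROLES[classification]
        decision = Decision(ok, "modify permitted" if ok else f"{role} may not modify {classification} data")

    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "classification": classification,
        "operation": operation,
        "on_office_network": on_office_network,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    log = []
    # Constructed sample requests: a director reading sensitive data in the
    # office, the same read from a home network, then an analyst edit.
    for args in [("director", "sensitive", "read", True),
                 ("director", "sensitive", "read", False),
                 ("analyst", "private", "modify", False)]:
        d = check_access(*args, log)
        print(args, "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
    print(len(log), "audit entries written")
```

The network check runs before the role check on purpose: a denied request from off-network is logged with the lockout reason rather than a role reason, which makes it easy to spot critical-data access attempts from home or public networks when reviewing the log.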
Risk Assessment Procedure for BYOD

A risk is defined as an occurrence that may cause considerable damage to the party or system in which it takes place. It is an event with a specific impact, which may range from low to high, and a specific probability, and the combination of these attributes determines its level (Crane, 2013). The impact of a risk is mostly negative, which is why it is desirable to avoid the risks that may take place.

Risk Management

The risks identified in association with BYOD will need to be managed with a defined process. The process will involve five steps or phases, and it is these steps that determine the overall management of the risks. The five processes are shown below and described in turn.

Risk Management for BYOD in Aztek

In order to manage the risks, details on the risks that may take place will be required. The first phase identifies the possible risks, and the information regarding them is gathered from different information sources (Capterra, 2016). These sources may comprise the organization itself, its employees, market studies etc. (Berg, 2016). Once the risks are listed and identified, their specific probability and impact must be analyzed and assessed. In the second process, the risk management and security team must take each identified risk one by one and determine its impact on the basis of its probability, nature and type (Castsoftware, 2016). The treatment of the risk is based on its associated impact and likelihood along with its nature. There are different strategies and methods to treat a risk, and these shall be evaluated and applied.
The risk treatment process must be closely monitored and controlled through security reviews and audits carried out by the senior officials and authorities (Microsoft, 2016). A track shall also be maintained of the treatment activities that are completed, those that are pending and the like. A report shall be prepared for final submission once the risk is completely treated and the likelihood of its occurrence is reduced to zero (Vila, 2012).

Risk Register

Likelihood and impact are scored from 1 (lowest) to 5 (highest); Risk Ranking = Likelihood x Impact.

| ID | Name of the Risk | Likelihood | Impact | Risk Description | Risk Ranking |
|---|---|---|---|---|---|
| RAZ1 | Data Breaches | 4 | 4 | The financial information associated with the organization may be accessed and exposed to entities not authorized to view or access it. | 16 |
| RAZ2 | Data Loss & Leakage | 4 | 4 | The information may be disclosed to entities not authorized to use and view it on the network, and its contents may also be lost (Informationweek, 2016). | 16 |
| RAZ3 | Hacking of Accounts | 3 | 5 | Account activities and controls may be hacked by a hacker so that the account information is acquired and misused. These may include user accounts, database accounts etc. | 15 |
| RAZ4 | Security Loopholes | 3 | 3 | BYOD is a first-of-its-kind project in Aztek. Improper device scanning or the sanctioning of unsecured devices may increase the attack probability (Grimes, 2016). | 9 |
| RAZ5 | SQL Injection | 3 | 3 | Aztek is a huge organization with many databases in use for information and data management. These may be attacked using malicious SQL queries (Usask, 2017). | 9 |
| RAZ6 | Denial of Service | 4 | 5 | The employees and customers of Aztek may be prevented from using the services and systems by flooding them with unwanted and unnecessary traffic (Stoneburner, 2002). | 20 |
| RAZ7 | Device Loss and Stealing | 2 | 5 | The employee-owned devices may be accidentally broken or lost, or may be tracked by an attacker and captured to gain access to critical applications and information sets. | 10 |
| RAZ8 | Malware Threats | 5 | 3 | The employee devices and the information sets may be infected with malware of different kinds. | 15 |
| RAZ9 | Phishing Attacks | 3 | 4 | Users may be tricked by an attacker disguised as an authentic entity into giving up sensitive information such as their account passwords, PIN details etc. for misuse. | 12 |
| RAZ10 | Eavesdropping Attacks | 3 | 4 | Internal or external networks used in Aztek for the execution of business operations may be targeted and monitored in an unauthorized manner. | 12 |

There may also be risks caused and executed through the device owners, that is, the employees of Aztek. These attacks may be intentional, in which case they fall under the insider threats category, or they may be accidental. The employees might use the devices, and the organization-oriented applications on them, on their home networks or on public networks, which increases the risk probability, as network security will be weak in such cases (Qld, 2016). They may also disclose critical information in front of their family members or friends. These are examples of accidental threats with employees as the threat agents. However, when employees deliberately share such details with other parties, the security of the organizational information and assets is put at risk and the threats are classified as deliberate insider attacks (Markovic-Petrovic & Stojanovic, 2014).
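The register above, together with the tracking of completed and pending treatments described before it, can be kept as data rather than as a static table, so the ranking, the treatment priority and the open-items report are computed rather than typed. The following is an added example, not code from the report. The ten rows, their likelihood and impact scores and the Likelihood x Impact ranking are the report's; the 1-5 range check, the high/medium/low priority bands (15 and above high, 10 to 14 medium, below 10 low) and the completed/pending tracking structure are assumptions made here.

```python
"""Risk register scoring and treatment tracking (added example).

Rows are the report's Risk Register; Risk Ranking = Likelihood x Impact as
in the report. Range check, priority bands and status tracking are assumed.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # the report's scale: 1 is lowest, 5 is highest


@dataclass
class Risk:
    risk_id: str
    name: str
    likelihood: int
    impact: int
    status: str = "pending"   # treatment state: "pending" or "completed"

    def __post_init__(self):
        # Reject scores outside the register's 1-5 scale so a typo cannot
        # silently produce an out-of-range ranking.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: {label}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def ranking(self):
        return self.likelihood * self.impact   # Risk Ranking = Likelihood x Impact


def priority_band(ranking):
    """Assumed bands (not from the report): 15-25 high, 10-14 medium, 1-9 low."""
    if ranking >= 15:
        return "high"
    if ranking >= 10:
        return "medium"
    return "low"


# The report's Risk Register rows: ID, name, likelihood, impact.
REGISTER = [
    Risk("RAZ1", "Data Breaches", 4, 4),
    Risk("RAZ2", "Data Loss & Leakage", 4, 4),
    Risk("RAZ3", "Hacking of Accounts", 3, 5),
    Risk("RAZ4", "Security Loopholes", 3, 3),
    Risk("RAZ5", "SQL Injection", 3, 3),
    Risk("RAZ6", "Denial of Service", 4, 5),
    Risk("RAZ7", "Device Loss and Stealing", 2, 5),
    Risk("RAZ8", "Malware Threats", 5, 3),
    Risk("RAZ9", "Phishing Attacks", 3, 4),
    Risk("RAZ10", "Eavesdropping Attacks", 3, 4),
]


def ranked(register):
    """Highest ranking first; sorted() is stable, so ties keep register order."""
    return sorted(register, key=lambda r: r.ranking, reverse=True)


def treatment_report(register):
    """Counts of completed/pending treatments plus the high-band risks still open."""
    counts = {"completed": 0, "pending": 0}
    open_high = []
    for risk in ranked(register):
        counts[risk.status] = counts.get(risk.status, 0) + 1
        if risk.status != "completed" and priority_band(risk.ranking) == "high":
            open_high.append(risk.risk_id)
    return {"counts": counts, "open_high": open_high}


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.risk_id:6} {r.name:26} L={r.likelihood} I={r.impact} "
              f"rank={r.ranking:2} band={priority_band(r.ranking)} status={r.status}")
    print(treatment_report(REGISTER))
```

Running it orders the register as RAZ6 (20), RAZ1 and RAZ2 (16), RAZ3 and RAZ8 (15), RAZ9 and RAZ10 (12), RAZ7 (10), then RAZ4 and RAZ5 (9), which is the treatment order the register implies; marking a risk "completed" drops it from the open-high list in the next report.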
Data Security: Types of Data, Possible Risks, User Roles & Privileges

Information and data have become the most important assets for business units in the present times, because the amount of data has immensely increased and a wide variety of data is used by business organizations. Aztek also uses and manages vast data sets, which include financial details, business information, stakeholder information, customer and employee details etc. (Scu, 2016). These data sets need to be classified into different categories so that their management and processing is simplified. In the case of Aztek, there are various information types, such as sensitive and critical information, information for office use only, confidential data, public data and private data. Data security risks are associated with all of these information categories, with varying degrees of impact. For instance, the impact of a security attack on a sensitive information set will be higher than the same attack on a public data set (Test-institute, 2016). Different data security risks, such as data breaches, data loss and leakage, data alteration, denial of service etc., may be executed on the Aztek data sets (Chapman, 2000). Proper handling and management of these data sets from the security point of view will be necessary so that they are protected. Each category of information must be granted specific data operations according to the information type and the user type:

- Information in the sensitive, confidential or office-use-only categories must be accessible only to the data administrator, security manager and director, along with the CEO of the company. Operations such as data updates and modifications must be allowed only for the security manager or the data administrator. A security log of such activities shall be made and stored.
- Other data sets, such as private data, must be accessible to the data scientists and analysts along with the security analysts, and may be updated or modified by the data administrator only.
- Public data shall be visible to all stakeholders of Aztek and must be modified only by the security manager or data administrator.

Conclusion

A risk assessment and management of the various risk areas and security threats associated with Aztek has been carried out in the sections above. The company has decided to implement a Bring Your Own Devices (BYOD) project in the organization. The project will be feasible from the technical, operational and economic aspects and will offer many benefits, especially in the area of costs and finances. Lower costs are one of the major benefits BYOD offers to the organizations that implement it. There are several other benefits, such as improved work-life balance and satisfaction levels for the employees, streamlined business activities, better customer satisfaction levels and many more. On the other hand, many challenges may emerge with the use and implementation of BYOD, one of the major ones being security issues and risks. Primarily three categories of threats and security risks will come up with BYOD: information security risks, network security risks and device security risks. Insider threats and attacks may also be executed. The risks identified in association with BYOD will need to be managed with a defined process of five steps or phases: risk identification, risk assessment, risk treatment, risk control, and risk tracking and reporting.
This will lead to the avoidance and prevention of the risks. Many different data types will also be involved with Aztek, and these shall be managed with adequate information classification and security management.

References

Berg, H. (2016). Risk Management. Retrieved 25 September 2017, from https://ww.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf
Berg, H. (2010). Risk Management: Procedures, Methods and Experiences. Retrieved 25 September 2017, from https://ww.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf
Capterra. (2016). Best Risk Management Software | 2016 Reviews of the Most Popular Systems. Capterra.com. Retrieved 25 September 2017, from https://www.capterra.com/risk-management-software/
Castsoftware. (2016). What is Software Risk & How To Prevent Software Risk | CAST Software. Castsoftware.com. Retrieved 25 September 2017, from https://www.castsoftware.com/research-labs/software-risk
Chapman, C. (2000). A desirable future for technology risk management. International Journal Of Risk Assessment And Management, 1(1/2), 69. https://dx.doi.org/10.1504/ijram.2000.001488
Cioupdate. (2016). Effective Measures to Deal with Cloud Security -- CIO Update. Cioupdate.com. Retrieved 25 September 2017, from https://www.cioupdate.com/technology-trends/effective-measures-to-deal-with-cloud-security.html
Coleman, T. (2011). A Practical Guide to Risk Management. Cfapubs.org. Retrieved 25 September 2017, from https://www.cfapubs.org/doi/pdf/10.2470/rf.v2011.n3.1
Crane, L. (2013). Introduction to Risk Management. Retrieved 25 September 2017, from https://extensionrme.org/pubs/IntroductionToRiskManagement.pdf
Development, C. (2013). What are the 5 Risk Management Process Steps? Continuing Professional Development. Retrieved 25 September 2017, from https://continuingprofessionaldevelopment.org/risk-management-steps-in-risk-management-process/
Dey, P. (2008). Risk management in information technology projects. International Journal Of Risk Assessment And Management, 9(3), 311. https://dx.doi.org/10.1504/ijram.2008.019747
Gessner, D. (2016). Towards a User-Friendly Security-Enhancing BYOD Solution. Retrieved 25 September 2017, from https://in.nec.com/en_IN/images/120324.pdf
Grimes, R. (2016). The 5 cloud risks you have to stop ignoring. InfoWorld. Retrieved 25 September 2017, from https://www.infoworld.com/article/2614369/security/the-5-cloud-risks-you-have-to-stop-ignoring.html
InformationWeek. (2016). 9 Worst Cloud Security Threats - InformationWeek. InformationWeek. Retrieved 25 September 2017, from https://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085?page_number=2
Markovic-Petrovic, J., & Stojanovic, M. (2014). An Improved Risk Assessment Method for SCADA Information Security. Elektronika Ir Elektrotechnika, 20(7). https://dx.doi.org/10.5755/j01.eee.20.7.8027
Microsoft. (2016). Risk Management Process Overview. Technet.microsoft.com. Retrieved 25 September 2017, from https://technet.microsoft.com/en-us/library/cc535304.aspx
Newton, P. (2015). Managing Project Risks. Retrieved 25 September 2017, from https://www.free-management-ebooks.com/dldebk-pdf/fme-project-risk.pdf
Proconceptsllc. (2016). Risk Radar Enterprise, Risk Management Software | Pro-Concepts LLC. Proconceptsllc.com. Retrieved 25 September 2017, from https://www.proconceptsllc.com/risk-radar-enterprise.html
Qld. (2016). Risks of cloud computing | Queensland Government. Business.qld.gov.au. Retrieved 25 September 2017, from https://www.business.qld.gov.au/business/running/technology-for-business/cloud-computing-business/cloud-computing-risks
Retailwire. (2016). Happiness Is Bringing Your Own Computer Devices to Work. RetailWire. Retailwire.com. Retrieved 25 September 2017, from https://www.retailwire.com/discussion/16188/happiness-is-bringing-your-own-computer-devices-to-work
Scu. (2016). The Risk Management Process - Risk Management - SCU. Scu.edu.au. Retrieved 25 September 2017, from https://scu.edu.au/risk_management/index.php/8/
Stoneburner, G. (2002). Risk Management Guide for Information Technology Systems. Retrieved 25 September 2017, from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
Test-institute. (2016). What Is Software Risk And Software Risk Management? - International Software Test Institute. Test-institute.org. Retrieved 25 September 2017, from https://www.test-institute.org/What_Is_Software_Risk_And_Software_Risk_Management.php
Trendmicro. (2016). BYOD - Consumerization of IT & Mobility - Trend Micro USA. Trendmicro.com. Retrieved 25 September 2017, from https://www.trendmicro.com/us/enterprise/challenges/it-consumerization/
Usask. (2017). IT Risk Management Procedure. Retrieved 25 September 2017, from https://www.usask.ca/ict/documents/IT%20Risk%20Management%20Procedure.pdf
Vila, S. (2012). Risk Management Model in ITIL. Retrieved 25 September 2017, from https://fenix.tecnico.ulisboa.pt/downloadFile/395144242579/Risk%20management%20on%