Sunday, December 8, 2019
Web and Data Security
Questions:

1) What are the five tasks required to get ready for a risk assessment? Explain each one in your own terms and why the task is important.

2) Discuss the threats associated with privileged user accounts. Please support your views from sources other than the assigned reading and the textbook.

3) Using Fig. 3, the generic risk model in the document, and the threat identified in question 2, identify the risks at the organizational level, business process level and information system level.

4) Based on the risks identified, recommend the information system policies that would be required. You do not need to write the policy in detail; simply provide the title and one sentence describing the policy.

Answers:

1. The five tasks required to get ready for a risk assessment (the preparation step of the NIST SP 800-30 Rev. 1 process, whose Figure 3 is the generic risk model used in question 3) are:

Step 1: Identify the purpose of the assessment. The organization states what information the assessment is expected to produce and which decisions it is meant to support, for example whether a system may go into operation or where to spend the control budget. Part of this is being clear about the difference between a hazard and a risk: a hazard is the potential to cause harm, whereas risk is the likelihood that the potential harm is realized (Sharma, Kottahachchi & Theebaprakasam, 2013). This task matters because without an agreed purpose there is no criterion for deciding how much detail is enough or whether the results are usable.

Step 2: Identify the scope of the assessment. Scoping determines (i) which organizational units, business processes and information systems are covered, (ii) which parts of the organization the results apply to, (iii) which decision-making processes the assessment feeds, (iv) the time frame over which the results remain valid and (v) which changes or events trigger an update of the assessment (Kim, Kim & Park, 2014). The scope also governs what information is gathered and how the results are reported; for a system-level assessment it is usually bounded by the authorization boundary of the information system (Kottahachchi, Shih & Theebaprakasam, 2015). A clear scope keeps the assessment from sprawling and makes explicit what the results do not cover.

Step 3: Identify the assumptions and constraints associated with the assessment. Stating these up front makes the results easier to interpret and reuse, because readers know what the assessors took as given. Assumptions cover the threat sources and threat events considered, the vulnerabilities and predisposing conditions in scope, and the assessment approach; constraints include the resources and time available, the skills of the assessment team, and the need not to disrupt business operations.

Step 4: Identify the sources of information used as assessment input. The fourth task determines where the threat and vulnerability information will come from. Sources are either internal or external to the organization (Sharma, Kottahachchi & Theebaprakasam, 2013); internal sources include the business processes, functional management processes, enterprise architecture, and the organization's environment and infrastructure. This task matters because the assessment can be no more accurate than the data fed into it.

Step 5: Identify the risk model and analytic approach. The organization settles on the risk model (which risk factors are assessed and how they combine), the assessment approach (quantitative, semi-quantitative or qualitative) and the analysis approach (threat-, asset- or vulnerability-oriented) before the work starts, so that every assessor produces comparable results and the assessment can be repeated later on the same basis.

2. The threats associated with privileged user accounts are:

Weak or shared privileged credentials: every privileged account on a device needs its own strong password, and shared console or local sign-in with a common administrative account should be avoided, since a shared credential cannot be attributed to one person when it is misused.

Privileged insider threat: administrators or vendors misuse the access they legitimately hold, including keeping accounts on their default passwords and recycling the same credentials across systems (Kottahachchi, Shih & Theebaprakasam, 2015). Because a privileged credential is typically usable from more than one device, one leaked credential gives an attacker the same flexibility.

Spoofing and credential theft: attackers impersonate a user or a trusted sender, for example by spoofing e-mail, to trick a privileged user into revealing credentials and then use the account for unauthorized access.

The threats at the organizational and business process levels are very similar to the risks of the privileged accounts themselves, because a compromised administrator account bypasses ordinary controls. Where common controls, system-specific controls and hybrid controls over privileged access are absent, professional attackers can take over these accounts with little resistance (Hamlen & Thuraisingham, 2013). Self-replicating malware that spreads from one computer to another, usually attached to files or e-mail messages, is especially dangerous when it runs under a privileged account, since it inherits that account's rights. Phishing is the best-known threat to privileged accounts: it attempts to obtain passwords, financial details and other privileged information through e-mail, instant messages or social network messages that pretend to come from a trusted site or person.

3. Risk arises at the level of company management, at the information system level and at the business process level. The primary risks are classified as strategic, financial, operational and hazard risk (Sharma, Kottahachchi & Theebaprakasam, 2013). In terms of the generic risk model in Fig. 3, the threat from question 2 is a threat source (an external attacker or a malicious insider) initiating a threat event (credential theft, phishing, misuse of a privileged account) against a vulnerability (shared, default or unscoped privileged credentials), and the resulting adverse impact can be read at each of the three tiers.

Risk at the organizational level: acquisition risk, regulatory or compliance risk, legal risk, financial risk, safety risk, program risk, operational risk, supply chain risk and risk tolerance. Internal company management adds operational planning risk, interim reporting risk and strategic risk (Hamlen & Thuraisingham, 2013). A compromised privileged account shows up here as regulatory, legal and financial exposure from a breach, and as supply chain risk when the account belongs to a vendor.

Risk at the business process level: risks here come from how the core business processes and missions are defined against the company's aims and objectives, from how information protection is built into the business process strategy, and from the degree of autonomy that business units have from parent company management in accepting, mitigating, evaluating and assessing information security risk. Other business process risks include action plan risk, evaluation risk and establishment risk. A privileged account that spans several processes means one compromise can interrupt or corrupt all of them at once.

Risk at the information system level: information quality risk, equipment and software risk, contingency planning risk, security architecture risk, data accuracy risk, project team risk, usability risk, political and strategic risk and resource risk. Technical risks (communication problems, a lack of experienced testers, human factors and poor coding) and functional risks (an inexperienced project leader, misestimated load and a lack of client maturity) add to these. For the privileged-account threat, the system-level risk is unauthorized configuration change, data theft and tampering with logs, since the account has the rights to do all three.

4. Based on the risks identified, the recommended information system policies are:

Privileged Account Use Policy: administrators do not log in directly as the superuser but work from a named personal account and elevate per command through a mechanism such as sudo or "Run as", so that privilege escalation is temporary and attributable rather than permanent.

User Account Control Policy: user account control (or its equivalent) stays enabled so that legacy software that needs administrator rights prompts for elevation instead of running elevated by default.

Privileged Session Management Policy: remote vendors, administrators and other high-risk users reach privileged access only through managed, recorded sessions that meet the organization's compliance requirements.
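As an added example, not part of the original post or of any source it cites, the following Python script audits a Linux host for the privileged-account weaknesses discussed above: extra UID 0 accounts, empty or stale passwords on interactive accounts, and sudo rules that grant unrestricted or passwordless access, which is what a privileged account use policy built on sudo or "Run as" is meant to prevent. The /etc/passwd, /etc/shadow and /etc/sudoers contents are constructed sample data embedded inline; the placeholder hashes, the account names, the 365-day maximum password age and the "today" value of 18600 days since the epoch are assumptions for the demonstration. On a real host the script would read the actual files (shadow and sudoers require root), and the sudoers parser only handles simple one-line user specifications.

```python
"""Privileged-account hygiene audit (added example, constructed data).

Looks for the weaknesses discussed above: additional UID 0 accounts,
empty or stale passwords on interactive accounts, and sudo rules that
give a user every command, with or without a password prompt.
"""
import re

# Constructed sample files, not taken from any real host. Field layout
# follows passwd(5), shadow(5) and sudoers(5).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
vendor:x:1001:1001:vendor support:/home/vendor:/bin/bash
alice:x:1002:1002:alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Third field is "days since the epoch of the last password change".
# The hashes are placeholders, not real crypt(3) output.
SAMPLE_SHADOW = """\
root:$6$placeholder$hash:18500:0:99999:7:::
toor::18500:0:99999:7:::
vendor:$6$placeholder$hash:17000:0:99999:7:::
alice:$6$placeholder$hash:18600:0:99999:7:::
www-data:*:18000:0:99999:7:::
"""

SAMPLE_SUDOERS = """\
# weak: every wheel member runs anything as root with no password prompt
%wheel ALL=(ALL) NOPASSWD: ALL
# weak: shared vendor account with unrestricted sudo
vendor ALL=(ALL) ALL
# acceptable: one named person, one scoped command, password required
alice ALL=(root) /usr/bin/systemctl restart nginx
"""


def parse_passwd(text):
    """Return a list of {name, uid, shell} for each passwd(5) line."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "shell": shell})
    return users


def parse_shadow(text):
    """Return {name: {hash, last_change}} from shadow(5) lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = {
            "hash": fields[1],
            "last_change": int(fields[2]) if fields[2] else 0,
        }
    return entries


# right-hand side of a user spec: optional "(runas)", optional "TAG:" list, commands
_SPEC_RE = re.compile(r"^\s*(?:\(([^)]*)\))?\s*((?:[A-Z]+:\s*)*)(.*)$")


def parse_sudoers(text):
    """Parse simple one-line 'who host=(runas) TAG: cmds' user specifications."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        left, _, right = line.partition("=")
        who, _host = left.split()
        runas, tags, cmds = _SPEC_RE.match(right).groups()
        rules.append({
            "user": who,
            "runas": runas or "root",          # sudoers default when (runas) is omitted
            "tags": set(re.findall(r"[A-Z]+", tags)),
            "commands": cmds.strip(),
        })
    return rules


def audit(passwd_text, shadow_text, sudoers_text, today_days, max_age_days=365):
    """Return (severity, account, message) findings for the three file contents."""
    findings = []
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)

    # 1. Any UID 0 account other than root is an extra, usually unmanaged, superuser.
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("high", u["name"],
                             "extra UID 0 account; remove it or give it a unique UID"))

    # 2. Empty or stale passwords on accounts that can actually log in.
    for u in users:
        if u["shell"].endswith(("nologin", "/false")):
            continue
        entry = shadow.get(u["name"])
        if entry is None:
            continue
        if entry["hash"] == "":
            findings.append(("high", u["name"], "interactive account has an empty password"))
        elif not entry["hash"].startswith(("*", "!")):      # "*" / "!" mean locked
            age = today_days - entry["last_change"]
            if age > max_age_days:
                findings.append(("medium", u["name"], f"password unchanged for {age} days"))

    # 3. sudo rules that hand out every command, worst when no password is asked.
    for r in parse_sudoers(sudoers_text):
        if r["commands"] == "ALL":
            if "NOPASSWD" in r["tags"]:
                findings.append(("high", r["user"],
                                 "sudo runs any command as root with no password; "
                                 "require a password and list the commands the role needs"))
            else:
                findings.append(("medium", r["user"],
                                 "sudo runs any command; scope it to the commands the role needs"))
    return findings


if __name__ == "__main__":
    for sev, who, msg in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SUDOERS, today_days=18600):
        print(f"[{sev:6}] {who:8} {msg}")
```

Run against the sample data the audit reports five findings: the extra UID 0 account toor (which also has an empty password), the vendor account whose password has not changed in 1600 days and which has unrestricted sudo, and the wheel group rule that runs anything without a password. The alice rule is the shape the policy asks for: a named person, a password prompt, and one listed command.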
Security Controls Policy: the risks at the organizational, business process and information system levels are reduced by implementing a security control baseline made up of common controls, system-specific controls and hybrid controls (Sharma, Kottahachchi & Theebaprakasam, 2013).

Risk Transference Policy: residual risk that cannot be mitigated economically is transferred to third parties through insurance policies and legal agreements, as many multinational companies do, and most companies now carry cyber insurance for this purpose (Hamlen & Thuraisingham, 2013). A cyber insurance policy is recommended as part of the company's risk management strategy, with the caveat that insurance transfers only the financial impact of an incident and does not reduce its likelihood, so it complements the controls above rather than replacing them.

References

Hamlen, K. W., & Thuraisingham, B. (2013). Data security services, solutions and standards for outsourcing. Computer Standards & Interfaces, 35(1), 1-5.

Kim, Y., Kim, I., & Park, N. (2014). Analysis of cyber attacks and security intelligence. In Mobile, Ubiquitous, and Intelligent Computing (pp. 489-494). Springer Berlin Heidelberg.

Kottahachchi, B., Shih, K. Y., & Theebaprakasam, A. (2015). U.S. Patent No. 9,152,783. Washington, DC: U.S. Patent and Trademark Office.

Sharma, H., Kottahachchi, B., Theebaprakasam, A., & Shih, K. Y. (2013). U.S. Patent Application No. 13/485,408.