Wednesday, May 6, 2020
Risky Situation free essay sample
ldentify three types of sensitive information involved with each situation. Then, describe three ways in which each information item could be misused or harmed. For each of these, note at least one likely finding that you would include in a risk analysis report of the organization. Finally, answer the questions at the end. Situation 1 ââ¬â Online Banking System Information Affected Potential Harm (Risk) Likely Finding in Risk Analysis Report Bank Account Numbers Can be used to steal the userââ¬â¢s funds. Low/medium risk, high probability Can be used by terrorist organizations for money laundering. Very high risk, medium possibility Loss of brand reputation to the bank as being less secure. medium risk, medium possibility Account Numbers of Bills stored in Bill Pay Used to access bill information and change information as personal attack on individual. Low/medium risk, medium probability Used to access additional information about user through userââ¬â¢s profile through that particular bill. We will write a custom essay sample on Risky Situation or any similar topic specifically for you Do Not WasteYour Time HIRE WRITER Only 13.90 / page Medium risk, medium/high probability Close account without userââ¬â¢s approval or them being aware as a personal attack against them. Medium/high risk, high probability. Stock/investment information Investments can be transferred to someone elseââ¬â¢s name without users knowing or approval. High risk/low probability Additional investments can be made in userââ¬â¢s name that are likely to fail, or to illegally support the investment company. High risk/low probability Investments can be donated to charity without userââ¬â¢s consent or knowledge, leaving user with $0 left. High risk/low probability Situation 2 ââ¬â Facebook Page (organization or personal ââ¬â specify which) Information Affected Potential Harm (Risk) Likely Finding in Risk Analysis Report Access to friends list. Can allow undesired persons to gain knowledge about someone that does not want their information seen by anyone but people they specify. Medium risk, low/medium probability List can be emptied, severely affecting marketing for the organization. Very high risk, medium/high probability Unapproved, negative, or undesired posts can be sent to large amounts of the target audience. False information being provided to organizationââ¬â¢s target audience. High risk, medium high probability Loss of brand reputation to the organization. Medium risk, medium probability Inappropriate or unauthorized photographs being uploaded to organizationââ¬â¢s profile, viewable to the public. Loss of trust with customer base, negatively affecting business for the organization. High risk, medium probability. Potential copyright infringement if images are legally protected. Very high risk, medium probability. Negative media coverage broadcasting the intrusion to larger audiences, negatively affecting business for the organization. Very high risk, high probability. Situation 3 ââ¬â Picture Phones in the Workplace Information Affected Potential Harm (Risk) Likely Finding in Risk Analysis Report Pictures taken of proprietary designs being taken and leaked to the public. Loss of competitive advantage. Very high, low probability Loss of revenue due to competition having similar design. Very high, low probability Loss of trust of internal employees High, medium probability Pictures of customer information taken and stolen. Loss of customer trust and as a result, their business. Medium impact, medium probability Legal ramifications from victimized customers High impact, medium probability Loss of trust of internal employees High, medium probability Images of classified documents being taken and released to the public. Loss of customer support and business. Medium/high impact, medium probability Depending on what information was released, could lead to political controversy and legal ramifications. Very high risk, medium probability Loss of contracts, and thus revenue, from existing clients. Very high risk, medium probability Situation 4 ââ¬â E-Commerce Shopping Site Information Affected Potential Harm (Risk) Likely Finding in Risk Analysis Report Credit card information Can be used to steal the customerââ¬â¢s funds. Low/medium risk, high probability Can be used to fund terrorist organizations. Very high risk, medium possibility Loss of reputation for business as being not secure. medium risk, medium possibility Product database Prices can be altered without authorization, causing loss of revenue and unhappy customers. High risk, low probability All product information can be deleted causing major problems for the company. Very high risk, medium probability Product details can be altered or deleted to misinform customers or discourage them from purchasing products Medium risk, medium probability Personal customer information (SSNs, addresses, email addresses, etc.). Customerââ¬â¢s identities can be stolen. High risk, high probability Can provide stalkers with additional information about their ââ¬Å"preyâ⬠. High risk, medium probability Information can be deleted, severely impacting marketing of the organization. Medium/high risk, medium probability Situation 5 ââ¬â Real-World Application (such as CRM, ERP, other internal or external organizational systems ââ¬â pick one and specify) Internal Payroll System Information Affected Potential Harm (Risk) Likely Finding in Risk Analysis Report Employee Checking Account numbers Can be changed so employee paychecks are sent to wrong account where money can be stolen. High risk, medium probability Can be deleted so employees do not get paid. Medium risk, low probability Can be stolen, so money in employeeââ¬â¢s checking account is stolen. High risk, medium probability Employee pay scales Can be changed so employee gets paid less than what they are supposed to. Low risk, low probability Can be changed so employee gets paid More than they are supposed to, costing the company more than budgeted. Low risk, low probability Can be accessed and information can be released to the rest of the employees of the company, causing internal turmoil. Medium risk, low probability Company payroll account information All funds in account can be stolen. Very high risk, low probability Account number can be deleted from system so all employees of the company do not get paid on time. High risk, low probability Account information can be given to terrorist organizations where they can use the account to launder money, or Very high risk, medium probability Questions 1. What is the most effective way to identify risks like those you noted in the tables? The most effective way to identify risks like those noted in the tables above is to perform a risk assessment on the system or website and to hire a top notch security manager and team of developers. 2. What are some important factors when weighing the depth of a formal risk analysis? How would you balance the interruption needed for depth and the need to continue ongoing organizational activity? While there are many factors that come into play when weighing the depth of a formal risk analysis, some of the most important of those factors are the impact to the business, the probability of attack, and the difficulty and cost of repair. To balance the interruption needed for depth and the need to continue ongoing organizational activity, I would weigh each of the factors independently, and then rank them by the level of risk they present. 3. What should an organizationââ¬â¢s risk management specialist do with the information once a potential risk has been identified? What information would be needed for senior management to know the danger of each risk and the proper way to handle the risk? Once an organizationââ¬â¢s risk management specialist identifies a potential risk, the next step would be to analyze the risk and evaluate the impact that risk would have on the company, the probability that the threat will occur (Dr. Wm. Arthur Conklin, Dr. Gregory White, Dwayne Williams, Roger L. Davis, and Chuck Cothren, 2012). Next, a plan must be put into place that specifies what actions are to occur to mitigate the identified risk. Going forward, systems need to be monitored closely to identify trends that lead to occurrences of the risk, and periodically measure the progress of this mitigation. When dealing with senior management, it is important to remember that is not likely that they are as technical as the risk management specialist. With this in mind, the information provided to senior level management should be an understandable, but thorough overview of the risk, and also a recommendation of how to ââ¬Å"fixâ⬠the problem. 4. How would this specialist properly prioritize these risks to make sure the most important ones were mitigated first? There are two methods that this specialist could use to properly prioritize these risks to make sure the most important ones are mitigated first. These methods are qualitatively assessing risk, and quantitatively assessing risk, and both can (and should) be used in conjunction as much as possible. By using both of these methods, the severity of each risk can be objectively ââ¬Å"rankedâ⬠so that the most important risks can be handled first. 5. Who is responsible for ensuring that an identified risk is addressed by the organization? What role does the analyst play? What role does senior management play? What roles do the analyst and senior management each play in addressing organizational risks? Responsibility falls to Senior IT management to make sure that identified risks are addressed by the organization. The analystââ¬â¢s role is to assess the risk on the systems for the organization.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.