Thursday, October 30, 2014

Risk Mitigation

Last week we learned about Risk Management: controlling risk. The chapter talked about different risk handling procedures, feasibility analysis and recommended risk control practices. When we talk about Risk Management, it is important to talk about Risk Mitigation.
In simple terms, Risk mitigation is taking steps to reduce any adverse effects. It is a process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations. There is no doubt that we are surrounded by different kinds of risk. To understand those risks and implement the appropriate strategies to mitigate and manage them, it is important that we learn about Risk mitigation.
 
There are different ways to mitigate a risk. Some of the risk mitigation handling options are:
- Assume/Accept: The project manager acknowledges the existence of the risk and decides to accept it without changing the project plan, other than agreeing to address the risk if it occurs.
- Avoid: The team adjusts the project requirements to eliminate or reduce the risk. The adjustment could be made by changing the funding, schedule or other technical requirements.
- Control: Implementing actions to minimize the impact or likelihood of the risk.
- Transfer: Reassigning the organizational accountability, responsibility and authority to other stakeholders or project teams that are willing to accept the risk.
- Monitor: Monitoring the environment for changes that affect the nature or impact of the risk.
 
Overall, Risk mitigation is all about understanding the risks that can impact the objectives of the organization and taking appropriate steps to reduce or eliminate them.
 
Reference:
Anonymous (Feb 2011). Risk Management: Understanding Risk Mitigation. Retrieved from URL: http://www.ica.bc.ca/ii/ii.php?catid=17
 

Thursday, October 23, 2014

Threat Identification

Any organization can face a wide variety of threats. A threat is some action or event that can lead to a loss. Threats and risk are usually used synonymously. Threats and risk always exist and cannot be avoided, but they can be managed to minimize the risk. An organization should be able to manage and minimize losses in order to maximize returns. It is very important for any organization to identify these threats, and steps should be taken to control them. Regular monitoring is necessary to control the threats as well.
 
Types of Threat:
Physical Threat: Physical threats are damage caused to the physical infrastructure of the information system. Some examples are fire, water, energy variations, structural damage, pollution and intrusion.
 
Logical Threat: Logical threats are damage caused to the software and data without physical presence. Some examples include viruses and worms, logical intrusion, etc.
 
There are two approaches to threat identification.
Consider Common Threats:
In order to assess threats, consider the common threats like people, software and natural disasters. There are a number of ways a threat can occur. For example, an employee could disclose the data, or a software program could destroy data.
 
Review Properties:
In order to assess assets, consider their properties like availability, integrity and confidentiality. Classify threats that may affect these properties: destruction, interruption, removal or loss, disclosure and corruption (toolbox.com).
 
It is important for an organization to understand the various threats and their potential effects on an information asset. An organization should be able to identify which threats present a danger and which threats represent the gravest danger to its information assets.
 
Reference:
 
Borysowich, C. (Jul 2009). Identifying Security Threats. Retrieved from URL: http://it.toolbox.com/blogs/enterprise-solutions/identifying-security-threats-33182. Retrieved on: Oct 22, 2014.
 

Thursday, October 16, 2014

Issue-Specific Security Policy


Issue-Specific Security Policy is one of the three types of Information Security Policy. I found Issue-specific security policies (ISSP) to be the more common policy used by businesses and organizations. Issue-specific policies may cover electronic mail, use of the Internet, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies, etc. An ISSP provides detailed, targeted guidance to instruct all members of the organization in the use of resources.
The overall objective of an ISSP is pretty clear. It makes clear to employees and members of the organization what resources can be used and what cannot. An effective ISSP is a binding agreement between the parties (the organization and its members) and shows that the organization has made a good-faith effort to ensure that its technology will not be used in an inappropriate manner (Whitman & Mattord, p. 134).

Every organization’s ISSP has three characteristics:
- It addresses specific technology-based resources.
- It requires frequent updates.
- It contains an issue statement explaining the organization’s position on a particular issue.

Components of a typical ISSP:
1. Statement of Purpose
a. What is the scope of the policy
b. What technology and issue it addresses
c. Who is responsible and accountable for policy implementation

2. Authorized access and usage
a. Who can use the technology governed by the policy
b. What the technology can be used for
c. What constitutes ‘fair and responsible’ use of the technology and how it may impact ‘personal information and privacy’

3. Prohibited use of equipment
a. What constitutes disruptive use, misuse or criminal use
b. What other possible restrictions may apply

4. System management
a. What kind of authorized employer monitoring is involved (e.g. electronic scrutiny of email and other electronic documents)

5. Violation of Policy
a. What specific penalties, for each category of violation, will apply
b. How to report observed or suspected violations – openly or anonymously

6. Policy review and modifications
a. How the review and modification of the policy is performed, so as to keep it as ‘current’ as possible

7. Limitation of Liability
a. Who is liable if an employee violates a company policy or the law


Whitman, M.E., & Mattord, H.J. (2014). Management of Information Security (4th ed.). Stamford: Cengage Learning.

Thursday, October 9, 2014

The Importance of Security Awareness Training

Cyber threats have been a major concern in the IT world today. Recent data breaches at many companies like Chase, Home Depot and Target have already proved that companies need to build their IT security strong enough to avoid any further damage. A threat can come from anywhere; it may come from within the organization or from outside it. But when a threat comes from inside the organization, it is the most dangerous, since the employees are quite familiar with the organization’s infrastructure. Most of the time, when the threat comes from inside the organization, it is either an accident or comes from uninformed employees.
 
Many people in an organization who are not informed about security threats often visit websites infected with malware, respond to phishing e-mails, store their login information in an unsecured location or even give out sensitive information over the phone when exposed to social engineering (sans.org). This can expose the organization to major security threats, and important information can leak. One of the best ways to avoid these kinds of threats is to provide security awareness training to company employees. An organization can institute company-wide security awareness training initiatives like formal classroom-style sessions, seminars, discussion groups, regular emails or posters in the break room. This will help ensure employees have a solid understanding of company security policy, procedures and best practices (sans.org).
 
Below are two YouTube videos that explain the importance of information security awareness.
Source:
SANS (n.d.). The Importance of Security Awareness Training. Retrieved from URL: http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013. Retrieved on: October 9, 2014

Sayes, A. (Mar 2012). Physical & Information Security Awareness. Retrieved from URL: https://www.youtube.com/watch?v=tmOGJVDvJaQ. Retrieved on: October 9, 2014

Anonymous (Feb 2013). IT Security Awareness Week. Retrieved from URL: https://www.youtube.com/watch?v=LWi_ljAIhcM. Retrieved on: October 9, 2014
 

Thursday, October 2, 2014

Importance Of Security Policy

Maintaining information security is a core part of business today. Many businesses today treat security as an essential part of their business. It is also important for a business to maintain the availability, integrity and confidentiality of its information in order to remain in business. Failing to maintain those three core values of information security might lead to an unsuccessful business.
Some important information, like manufacturing records and sales, financial, customer and employee records, is kept on computers. But how safe is all this information? In today’s digitized world, with access to the Internet, this information can easily be stolen from any part of the world. Some of our confidential information can be compromised. A business might implement strong security technologies to avoid any kind of hack. But what about the policies and procedures that will help keep your business’s or organization’s information confidential? It is very important to create and implement several security policies to define the overall security strategy.
 
All businesses must have an information security policy that covers an Enterprise information security policy, an Issue-specific security policy (ISSP) and System-specific security policies. An Enterprise information security policy focuses on issues relevant to every aspect of an organization. It sets the strategic direction, scope and tone of an organization’s security efforts. An Issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of resources. It focuses on specific departments, network services and functions. A System-specific security policy focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewalls or other specific security controls (Marcelo Ferreira’s LinkedIn post).
 
No matter how large or small your organization is, it is very important to have an information security policy in place. It will provide a framework to keep your company at the desired security level by assessing the risks you or your organization might face. Think about this: your organization’s information is the crown jewels of your business. You wouldn’t want someone to steal your crown jewels, right? You want to keep them safe and secure. I strongly believe every organization should have a strong information security policy.
 
Reference:
Ferreira, M. (n.d.). Why having an information security strategy is important for an organization. Retrieved from URL: http://www.linkedin.com/groups/Why-having-information-security-strategy-3138056.S.91456697

Kadam, A. (n.d.). Why information security is important for your organization. Retrieved from URL: http://www.networkmagazineindia.com/200209/security2.shtml
 

Thursday, September 25, 2014

Business Contingency Planning....

Preparing for something unexpected is called contingency planning. From the business perspective, an unexpected event or situation can be a financial crisis or the company’s market share going down, or it can also be a large order, high market demand, etc. So anything unexpected that disrupts the company’s day-to-day operation is known as a Business Contingency. When a business creates a plan or is ready to cope with any unexpected situation, it is known as business contingency planning. Some of the threats usually covered in contingency plans are crisis management, business continuity, asset security, mismanagement and reorganization.

Crisis Management: Some of the crises that a company runs into include natural disasters, terrorist attacks, a fire in the warehouse, on-the-job injuries or even unhappy customers. Any plans to deal with these kinds of crises are Crisis Management.

Continuity Plan: Business continuity plans cover a range of situations, including the death of a key executive or manager, a threat to shut down the business, or other financial situations. Continuity plans generally involve insurance policies that cover the cost of keeping the company in operation, and the cost of hiring consultants who can help solve problems.

Asset Security: This includes the theft or destruction of intellectual property such as trade secrets or computer programs. A security plan that attempts to block any negative contingencies that might occur is asset security.

Mismanagement: Fraud, theft, operational errors, mismanagement and personal scandal are all mismanagement crises. Companies create a system of checks and balances to prevent such problems.

Reorganization: After any unexpected event has happened, the company’s contingency plan also covers how the company will re-establish normal operations and reorganize to limit. It is very important to reorganize for the new challenges that might come.

So what happens when a business has a contingency plan?
A contingency plan is a question and an answer to that question. A contingency plan is also a “what if” scenario. So what can management do when they have a contingency plan? Here are a few things management can do:
- React quickly
- Stay ahead of competitors
- Lead with confidence
- Forecast more accurately

Duff, V. (n.d.). What is a Business Contingency Plan? Retrieved from URL: http://smallbusiness.chron.com/business-contingency-plan-1081.html

Hill, B. (n.d.). What Happens When Businesses Have Contingency Plans? Retrieved from URL: http://smallbusiness.chron.com/happens-businesses-contingency-plans-20616.html



Thursday, September 18, 2014

How to avoid online scams when selling your cell phone or tablet?


With a new phone being released every other month, a lot of you might be thinking of changing your phone. Especially this week, since Apple released the new iPhone 6 and iPhone 6 Plus, many of you, like me, are thinking about how you can sell your old phone and get the new iPhone. I know most of you go to Amazon, eBay or some other online site to sell the phone. Unfortunately, some of you might be the victim of an online scam. So it is very important to take a few extra steps, be cautious and sell the device to the right person. I found this article, which gives us some excellent tips to take into consideration.

1. If you are selling it online, make sure to look closely at the official email from Amazon, PayPal, eBay or another entity. If the email contains misspelled words or is grammatically incorrect, it is very likely not an official email from Amazon or eBay. It is most probably fake.
2. If you have sold before, compare previous “your item just sold” emails to the one you just received.
3. Look at the sender’s email address. Make sure it is the official email address.
4. Before taking action, verify the transaction by logging into your account at the site you are selling through.
5. If someone contacts you outside of the official Amazon, eBay or other seller messaging system, be wary. There’s rarely a good reason for this.
6. If you want to avoid the risk of a scam altogether, just sell your gadget to Gazelle, uSell, or a similar company. You might not make as much money as selling it yourself, but you don’t have to worry about fraud.
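Tip 3 (look at the sender's address) is the one that can be checked mechanically. The script below is an added example, not code from the Network World article or from this blog: it parses a raw From: header, extracts the sender domain and compares it against a list of official sender domains. The list (`OFFICIAL_DOMAINS`) and all sample headers are constructed for the demo; a real check would use the sender domains that each marketplace publishes. It separates the cases a scammer relies on: a display name that claims a brand the address does not belong to, a domain that merely contains the brand's name (such as `amazon.com.example.net`), and a domain with internationalized labels that can hide look-alike characters.

```python
"""Sender-address check for "your item just sold" notifications.

Added example, not part of the original article or blog post. The
allowlist below is a constructed assumption for the demo.
"""
from email.utils import parseaddr

# Constructed allowlist (assumption): official sender domain -> brand name.
OFFICIAL_DOMAINS = {
    "amazon.com": "Amazon",
    "ebay.com": "eBay",
    "paypal.com": "PayPal",
}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header ('' if none)."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def matches_official(domain: str, official: str) -> bool:
    """True only for the official domain itself or a real subdomain of it.

    'amazon.com.example.net' contains 'amazon.com' but is NOT a subdomain:
    the official name must be the suffix, preceded by a dot.
    """
    return domain == official or domain.endswith("." + official)


def check_sender(from_header: str) -> str:
    """Classify a From: header.

    Returns one of:
      'official'     - address is on an official domain (or a subdomain of one)
      'spoofed-name' - display name claims a brand but the address does not match
      'lookalike'    - domain imitates a brand name or uses internationalized labels
      'unknown'      - neither official nor obviously imitating a brand
    """
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"

    if any(matches_official(domain, official) for official in OFFICIAL_DOMAINS):
        return "official"

    # Not official: does the message try to look official?
    name_l = name.lower()
    for official, brand in OFFICIAL_DOMAINS.items():
        if brand.lower() in name_l:
            return "spoofed-name"
        if brand.lower() in domain:
            return "lookalike"

    # Punycode label ('xn--') means non-ASCII characters that may mimic a brand.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers for the demo.
    samples = [
        '"Amazon.com" <seller-notification@amazon.com>',
        '"eBay" <noreply@mail.ebay.com>',
        '"Amazon Payments" <payments@amazon-verify.example.net>',
        '"Sales Dept" <orders@amazon.com.example.net>',
        '"Friend" <friend@example.org>',
    ]
    for header in samples:
        print(f"{check_sender(header):13s} {header}")
```

The key detail is in `matches_official`: a plain substring test would accept `amazon.com.example.net`, so the official domain is required to be the full domain or a dot-separated suffix of it. A verdict of `official` still only answers tip 3; tip 4 (log in to the site and confirm the sale there) remains the decisive check, since the From: header itself can be forged.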

Originally published on NetworkWorld.com.

Martin, James A. (n.d.). “How to avoid online scams when selling your iPhone or iPad”. Retrieved from URL: http://www.networkworld.com/article/2682701/tablets/how-to-avoid-online-scams-when-selling-your-old-iphone-or-ipad.html