Identifying critical business processes, information assets and IT assets

The cybersecurity in business is dependent on individuals having various insights. This involves developing a secured system, designing, deploying and enforcing security systems and policies and information management [1].

The “Digital Fruit” at Estonia has been involved in 400 projects for more than 15 years. They are active providers of mobile phone and web solutions. Further, they are helpful to set demands of B2B sales environment and online shops. They have been supporting clients with SEM and SEO to develop simple websites. They are focused on customer-oriented services.

The report has involved identifying of a various complex business process, assets of information, IT resources, vulnerabilities and threat identification. Then there are impact and probability assessment, cybersecurity and information risk analysis and risk treatments. Further, it has included cybersecurity and information control developing and deploying cybersecurity monitoring.

The essential processes should be implemented quickly as any disruption take place at Digital Fruit. This is to assure that their ability is protected. It also includes meeting critical necessities with satisfying mandatory requirements and regulations. Next, information assets of Digital Fruit are the body of knowledge managed and organized as one entity. Similar to corporate assets Digital fruit’s information assets also comprises of financial value. This asset value rise in direct relationship with various people able to use information [3]. Here, IT asset management or ITAM is the set of business practices joining inventory, contractual and financial functions for supporting strategic decision making and lifecycle management to make IT environments.

Business process must be looking at the business of Digital Fruit as the collection of various workflows and practices. Here, business process management has been helpful for organizations for creating, tracking and optimizing business process. One can use solutions for getting complete visibility for Digital Fruit. This has been helpful for discovering, automating and developing business process. This must be done consistently in reducing costs and boosting productivity and efficiency. Various scores of useful quality BPM software are there in the current market [2]. Selecting a proper one for particular necessities has been complicated. One can help to list the smartest business process management as chosen by the review team, from key elements, benefits and main features.

Thus cybersecurity has turned into a primary strategic priority. Further, for innovating and realizing digital potentials for a customer and business goals, Digital Fruit has needed to secure approaches. This is helpful to focus on business. This phenomenon has changed the face of Digital Fruit.

Demonstrating business process and highlighting critical information systems

Any element with value and a useful object can be considered an asset. Under the IT realm, this is seen as data, systems in which data is present. This is on the infrastructures that connect various systems of Digital Fruit. As far as costs related to the system is considered, human resources have required to run them and company data in those systems [5]. It is seen that Digital Fruit has started to notice that the entire three pieces of IT paradigm have been made up of the whole operations. This also includes employees running the business, data contained in that real-world environment of this business.

Confidentiality	Integrity	Availability
The labels of privacy have been assigned to assets that are dependent directly to effect as the confidentiality gets compromised. Preferably, the entire effect for Digital Fruit under case resource that is available publicly must be considered	The asset of information management, one of the shared database for inspection data and database for resource properties. Constant integrity methods are applicable around every resource through risk assessment and industry-leading analytics. Here, the process management having a complete audit trail is implemented for legislative compliance requirements and corporate processes	Under any nutshell, one can achieve better availability with better reliability. Conventionally, maintenance is seen as the cost centre for an organisation. This costs money in hiring support of technicians and purchasing the spare parts in keeping systems to run smoothly  (Muegge, Steven and Dan Craigen 2016). As things are sufficient, the orders are flying out the door such that money is thrown to maintain. This assures equipment availability is maximised.

It is understood through business process dependency over Digital Fruit’s information system. Complicated business processes in the format of service compositions and form of workflows are created on distinct building blocks. These include services and activities. The building blocks have been cooperating in achieving the entire aim of that process. In many situations, the dependencies have been there between distinct activities. This includes executing operations dependent on others. Here, knowledge regarding addictions is vital for managing processes during run times. These take places in situations where problems have been taking place and the procedures are needed to be adapted.

This includes understanding common attacks and inventory of vulnerabilities. Then there are usage of vulnerability scanning tools and analyzing risks. Here, the issue is that one has the public access to the Internet. This needs to get secured because of the nature of various county businesses. One never knows whether one has security breaches [8]. However, there are potentials. These are demonstrated hereafter.

These threats are determined through categorization:  

Elemental Threat

Directed threats

The elemental threat approach involves discover and assess that includes dynamic grouping, system profiling and security posture analysis. Next policies and controls are to be set. This involves extensive policy library and templates of policy baselines. Then there is monitoring and adjustment. This includes adaptive access controls, policy enforcement and change management (Brass et al. 2017). Lastly, this approach involves measuring and reporting. This comprises multi-level reporting and alarms, metrics of security compliances and risk-adjusted visibility.

The directed threats, on the other hand, involves educating employees regarding the most effective security practices. Next, the software regularity is to be updated. A multilayered approach must be undertaken for IT security. Further, the chances to keep back-up should be highly utilized. Also, smart security audits are to be done.

Regarding technology, the weaknesses can be identified through legacy software, default configurations, lack of encryptions, remote access policies and policies and procedures as far as people are considered lost and stolen devices are to be believed. Digital Fruit can identify proper threats using assuring that the tools consist of password protection and various multi-factor authentication that is enabled as soon as possible [9].  Then there are dangers with Wi-Fi. The users should assure that hotspots are legitimate through getting connected to them. Then vulnerabilities due to insider threats are to be determined. Here corporate solutions are helpful to track important data whereabouts and distantly wiping complex data from devices that are stolen or lost. Besides, software updates are to be done. It must be assured that employees install different vendor-official software updates promptly and according to the policies of Digital Fruit.

Determining primary information assets and IT assets

As for identification of threats due to vulnerabilities of an organization are considered, there must be a determination of exposure towards external relationships. Then there is inadequate security training for employees, slow security updates and patches and planning of dated responses. Regarding fetching of threats due to vulnerabilities of processes, Digital Fruit must possess a comprehensive view of their cybersecurity network [11]. Further, they must regularly make audits of various long-established policies. There are analyzing baselines and unexpected inputs that are applicable in multiple monitoring and processes for seeing that seeing that is outcomes are expected. This is also vital to develop awareness under Digital Fruit and educate employees in identifying abnormal and normal behavior. Further, enterprises must also deploy measures of cybersecurity. This can secure networks against recognized tolls of malware instructions.

Risk events, irrespective of opportunity and threats, comprises of two characteristics consists of possibility that can occur and effect that can happen. Risks for impact and probability can be analyzed through scales like high, medium and low. Since as the complicacy of work rises, the sophistication of analysis also rises [15]. Here, in a detailed analysis of risk events for projects of high complicacy and programs consists of point scale with guidelines and different numerical values for every point on that scale.

The risks are driven through alterations in government policy, regulatory environment, technology, customer behavior, competition and markets. New services in the sectors of IT services and digitization of Digital Fruit like communications, security products and cloud services between machines are highly useful. This has been compensating a loss of revenue from the conventional core business. A worst-case scenario is demonstrated hereafter that considers the business of Digital fruit, threats and assets [13].

First of all, there can be an occurrence of breaches. Here information is modified and disclosed with identity and fraud determination of same results. For instance, a web server gets compromised through targeted attacks. Besides, firewall configuration can become ineffective. Further, an internal network can get penetrated. Here, more likely the security incident scenario of the organization’s controls are tested and proved effective as security incident gets declared and responded on time. Here, no media coverage or damage of reputation gets encountered. This has been vital to consider the worst case scenario. This helps information security professionals to think similar to attackers and develop “defence in depth” to various solutions [14]. This is done by imagining that everything can go wrong. Besides, Digital Fruit must remember that their design decisions are always tempered though thinking the scenario of a most likely security incident. This is helpful to select cost-effective controls of security commensurate having risk.

Understanding asset valuations

Information risk indicates that there is potential that particular threat can exploit vulnerabilities of assets. The relationship between risk is represented through the following formula.

Risk= Probabiloty * Impact

The statistics include two primary categories. They are inferential and descriptive. Here, the descriptive statistics highlights previous events and needs enough data for meeting particular requirements. Inferential statistics are predictive and utilizes previous data and mathematical formula for supporting projections for the future.

Cybersecurity risk analysis determined different information assets. This is affected by cyber attacks. This includes intellectual property, customer data, laptops, systems and hardware. Risk assessment and treatment is done after selecting controls for treating determined risks. It is vital to review and monitor risk situation continually. This is to detect changes under the context of the organisation and maintain the overview of a total process of risk management [17].

In the risk matric risk is the lack of certainty regarding the outcome to make a specific choice. Here, the level of downward risk is calculated statistically. The product of the probability of harm is multiplied with a severity of the injury. In this way, the average amount of damage is more conservatively the entire credible amount of harm.

Risks	Discussion
Phishing	This includes the limited understanding experience of computer systems that are attacked.
Hacking	These include cookie theft, keylogging, DDOS.
Bots	These are effective little blighters. These are designed for scanning systems and seek particular information like information about credit cards and weak points. These come from prior unknown access points and new software patches.
Misuse of Employee Privileges	These are severe risks towards digital infrastructure of Digital Fruit.
BYOD or Bring Your Own Device	This also includes security measures to get installed over any device.

Options	Description
Avoidance	This includes the eradication of hazards, exposures and activities. This adversely affects the resources of Digital Fruit. Further, it avoids the compromising of events.
Reduction	This involves precautionary measures of decreasing loss likelihood, reducing the severity of probable loss. For example, security system installation can also be considered here.
Retention	Digital Fruit can perform this through taking responsibilities for specific risks, faced by them. It is opposite to transferring of risks on insurance companies. Digital Fruit can certain risks as they believe that the cost of performing that is less than the expense of partially or insuring against that.

Controls	Description
Assuring flexibility to control	Here, flexibility is an important property of smart control system. This indicates that the control system must be sufficiently flexible for accommodating changes.
Ensuring accuracy	The control systems should be from inaccurate information that can be harmful and costly.
Seeking objectivity of controls	This should provide objective information to managers in evaluating actions.
Achieving economy of controls	This brings the actual and various potential deviations into the light. This is from plans at least cost.
Tailoring control to individual managers	These are expected to carry out functions of controls.
Pointing up exceptions	This brings benefits from time-honored exception principle. This is also helpful to detect sectors that need attention.
The fitting system of control to Digital Fruit’s culture	As the employees are managing instead of any participation in decision making, quick introduction of permissible control systems are succeeded.
Ensuring corrective action via control	It is justified as there is any deviation from plans that are corrected through proper authority.

The various recommendations are provided below.

.Digital Fruit must be careful about what to post about themselves and others.

.Understanding what data is collected by business and Digital Fruit must assure to be protected.

.Keeping every software updated.

.Keeping backups for every data.

.Providing Firewall security for Internet Connections.

.Encouraging senior leadership in spreading a culture of cybersecurity.

.Generating tests of phishing simulations for keeping staffs alerts.

.Conducting inside threat analysis    

.Creating quick response guidelines

.Outlining plans for external communications

.Assuring the network is segments to access that the system never allows access to others.

Describe what to measure:

The measures to be taken are discussed below:

Measures	Description
Controlling physical access to computer networks and premises	Here the access must be restricted to unauthorized users. The services and data must be limited through various controls of applications.
Putting up firewall	They must assure that one can set devices in proper what and is completely effective.
Using security software	This is helpful to find how to seek virus attacks, malware and spams.
Updating systems and programs consistently	Digital Fruit should be assuring to keep their devices and software updated for avoiding attacks from cybercriminals.

This includes the following.

.Creating provisions and operating on formal incident response capabilities.

.Reducing frequency of incidents through effectively securing networks, applications and systems.

.Documenting guidelines to interact with other companies about incidents.

..Preparing to handle incidents and specifically manage common types of incidents.

.Emphasizing on the significance of incident detecting and analyzing that across Digital Fruit.

.Creating written guidelines for prioritizing incidents

.Using lessons learned method to achieve value from incidents.

Conclusion:

For Digital Fruit there can be various attempts of stealing confidential money and data. This can disrupt a business that is actual; threats. Though Digital Fruit can never be safe from risks, there are various measures of security. This is helpful for their systems, processes and people. This is helpful to bust online threats of security. Hence, they must keep their eyes and ears focused on suspicious behaviors. This should be on the part of their outsiders and employers. It must be done with surveillance systems.Further, considering infrastructure, there should encourage a proliferation of open source code, reduced accumulation of institutional software memory, unknown components of software that are delivered to binaries of third-party. Then there is a low-level priority for a debt of engineering and actual fetching to code.  Hence this is to determine the vested interested at Digital fruits. Besides, the above study helps with ample resources which are highly helpful to the cybersecurity of Digital Fruits.

Conducting a business impact analysis

References:

[1]Presley, Steven S., and Jeffrey P. Landry. “A Process Framework for Managing Cybersecurity Risks in Projects.” (2016).

[2]Beaumont, P. (2018). Cybersecurity Risks and Automated Maritime Container Terminals in the Age of 4IR. In Handbook of Research on Information and Cyber Security in the Fourth Industrial Revolution (pp. 497-516). IGI Global.

[3]Webb, Timothy, and Sumer Dayal. “Building the wall: Addressing cybersecurity risks in medical devices in the USA and Australia.” Computer Law & Security Review 33.4 (2017): 559-563.

[4]Wolf, Marko, and Robert Lambert. “Hacking Trucks-Cybersecurity Risks and Effective Cybersecurity Protection for Heavy Duty Vehicles.” Automotive-Safety & Security 2017-Sicherheit und Zuverlässigkeit für automobile Informationstechnik (2017).

[5]Conteh, Nabie Y., and Paul J. Schmick. “Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks.” International Journal of Advanced Computer Research 6.23 (2016): 31.

[6]Fu, Kevin, and James Blum. “Controlling for cybersecurity risks of medical device software.” Biomedical instrumentation & technology 48.s1 (2014): 38-41.

[7]Muegge, Steven, and Dan Craigen. “A design science approach to constructing critical infrastructure and communicating cybersecurity risks.” Technology Innovation Management Review 5.6 (2015).

[8]Maisel, William H., et al. “Striking the right balance when addressing cybersecurity vulnerabilities.” (2018).

[9]Peng, Chen, et al. “Modeling multivariate cybersecurity risks.” Journal of Applied Statistics (2018): 1-23.

[10]Brass, I. C., et al. “The Role of Transnational Expert Associations in Governing the Cybersecurity Risks of the Internet of Things.” International Public Policy Association, 2017.

[11]Chen, Jing, et al. “Display of major risk categories for android apps.” Journal of Experimental Psychology: Applied 24.3 (2018): 306.

[12]Henshel, Diane, et al. “Modeling cybersecurity risks: Proof of concept of a holistic approach for integrated risk quantification.” Technologies for Homeland Security (HST), 2016 IEEE Symposium on. IEEE, 2016.

[13]Smith, Samuel Noah, et al. “The Impact of Monetary Value Gains and Losses on Cybersecurity Behavior.” Proceedings of the Midwest Association for Information Systems Conference. 2017.

[14]Sebastian, D. Jonathan, and Adam Hahn. “Exploring emerging cybersecurity risks from network-connected DER devices.” Power Symposium (NAPS), 2017 North American. IEEE, 2017.

[15]Paulsen, Celia. Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium. No. NIST Interagency/Internal Report (NISTIR)-8041. 2015.

[16]Jarrett, Mark P. “Cybersecurity—a serious patient care concern.” Jama 318.14 (2017): 1319-1320.

[17]Gordon, Lawrence A., Martin P. Loeb, and William Lucyshyn. “Cybersecurity investments in the private sector: the role of governments.” Geo. J. Int’l Aff. 15 (2014): 79.

[18]Taeihagh, Araz, and Hazel Si Min Lim. “Governing autonomous vehicles: emerging responses for safety, liability, privacy, cybersecurity, and industry risks.” Transport Reviews (2018): 1-26.

[19]Mertz, Leslie. “Cyberattacks on Devices Threaten Data and Patients: Cybersecurity Risks Come with the Territory. Three Experts Explain What You Need to Know.” IEEE pulse 9.3 (2018): 25-28.

[20]Khidzir, Nik Zulkarnaen, et al. “Critical cybersecurity risk factors in digital social media: Analysis of information security requirements.” Lecture Notes on Information Theory Vol 4.1 (2016).