IT Risk Management: Robust Economy

Question:
Describe IT risk management for a robust economy.

Answer:
Introduction:

New South Wales is the most preferred site in the Asia-Pacific region because it has a robust economy. “NSW government is working on securing property and personnel. It also focuses on the risk management program. It works on providing structure to the on-going risk management” (Mark, 2014). Activities such as documentation and record keeping are also generated by the development of the risk management program. The most important step for security purposes is the regular monitoring and evaluation of activities. “The activities which are associated with the risk management program are divided into four sections, which are named as framework for security risk management, control for core security risk, control for security risk in priority areas, and control for security risk in unplanned activities” (Moodley, 2011).

Objective:

The objectives of the government of NSW are summarized below:

“Confidentiality of the information: It restricts the unauthorized access and the disclosure of the information” (Taylor, 2008).

Integrity of the information: It protects the information from unauthorized alteration of the data and prevents the problems that arise when authenticity cannot be established.

Availability: Authorized users of the information should be provided reliable and timely access to the information and data.

Compliance: “The security controls should comply with the applicable regulations, policies, legislation, and contractual obligations which are essential for the information to be lawfully available to the users” (Jin, 2011).

Assurance: Assurance should be provided to the government regarding access to confidential information.

Diagram:

Explanation of the Diagram:

Identification of Hazard for Security:

  • The nature of the work should be observed.
  • A proper review should be carried out of incident reports, hazard reports, and any other relevant data.
  • A proper review should be carried out of the results of recent security incidents.
  • A proper review should be carried out of the operational reviews.
  • “Consultation should be done with staff to predict the data which they consider as the hazards” (Taylor, 2008).
  • Consultation should be done with stakeholders to identify the external-agency data which they consider as hazards.
  • Inspections and audits of the workplace should be done.
  • “Development of the scenarios which can be predicted as the consequence of the incident which is relevant to the security” (Richard, 2011).
  • Proper analysis of breaches and incidents.
  • Establishing the risk factors which are associated with the information.

Factors responsible for the security risk:

  • Frequency of and exposure to the hazard
  • The potential loss which is associated with the risk
  • Occurrence of the damage or loss
  • Risk associated with the property
  • Control strategies which are taken into consideration

Process of Risk assessment:
  • Consultation with the staff members
  • Experience at the workplace should be examined
  • Reviewing of the incident
  • Reviewing of the guiding material
 
Security Risk Analysis:

The table below lists each source of the risk together with the actions associated with it.

Source of the risk: Cracker
Actions associated with it:
  • Profiling of the system
  • Social engineering
  • Intrusion into the system
  • Unauthorized access to the system

Source of the risk: Computer criminals
Actions associated with it:
  • Cyber crime
  • Acts of fraud
  • Bribery for information
  • Spoofing of the system
  • Intrusion into the system
  • Botnets
  • Spam
  • Phishing activity

Source of the risk: Terrorist
Actions associated with it:
  • Penetration of the system
  • Tampering with the system

Source of the risk: Industrial espionage
Actions associated with it:
  • Exploitation of the economy
  • Theft of information
  • Penetration of the system
  • Social engineering
  • Unauthorized access to the system

Source of the risk: Insiders
Actions associated with it:
  • Blackmail
  • Computer abuse
  • Theft and fraud
  • Loss of personal information
  • Misuse of personal information
  • Creation of system bugs
  • Creation of system intrusions

The magnitude of the risk can be categorized as high, medium, or low, as summarized in the table below:

Impact of the Risk | Explanation
High               | A costly loss of assets is categorized as high.
Medium             | Risks which are associated with violating and harming operational activities are categorized as medium.
Low                | Some loss of assets and operational activities is categorized as low.

The table below shows the scaling of the risk. Each cell gives the risk rating and score, where the score is the impact value multiplied by the probability weight of the row:

Probability of the Risk | Impact: Low (10)     | Impact: Medium (20)  | Impact: High (30)
High (1.0)              | Medium 10 (10 * 1.0) | Medium 20 (20 * 1.0) | High 30 (30 * 1.0)
Medium (0.5)            | Low 5 (10 * 0.5)     | Medium 10 (20 * 0.5) | Medium 15 (30 * 0.5)
Low (0.1)               | Low 1 (10 * 0.1)     | Low 2 (20 * 0.1)     | Low 3 (30 * 0.1)
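The scoring rule behind the matrix (probability weight multiplied by impact value, then mapped to a Low/Medium/High rating) is small enough to implement directly, and doing so also covers the “Ranking of the risk” step of the risk-management process later in the answer: once every entry in a risk register has a score, ranking is a sort. The following Python is an added example and is not code from the original answer. The probability weights (High 1.0, Medium 0.5, Low 0.1) and impact values (Low 10, Medium 20, High 30) are taken from the table above; the rating thresholds in `risk_rating()` are an assumption chosen to reproduce the table’s labels, and the sample register is constructed, with its probability and impact ratings assumed.

```python
"""Risk scoring with a probability x impact matrix.

Added example, not part of the original answer. Weights and impact values
follow the essay's table; the rating thresholds are an assumption.
"""
from dataclasses import dataclass

# Probability weights and impact values from the essay's risk-scaling table.
PROBABILITY = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Medium": 20, "High": 30}


def risk_score(probability: str, impact: str) -> float:
    """Score = impact value * probability weight (rounded to hide float noise)."""
    return round(PROBABILITY[probability] * IMPACT[impact], 2)


def risk_rating(score: float) -> str:
    """Assumed thresholds: >= 30 is High, >= 10 is Medium, otherwise Low.

    These reproduce the labels in the essay's table (5 -> Low, 10 -> Medium,
    30 -> High); a real program would take them from its risk policy.
    """
    if score >= 30:
        return "High"
    if score >= 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Every (probability, impact) cell of the table -> (score, rating)."""
    cells = {}
    for p in PROBABILITY:
        for i in IMPACT:
            s = risk_score(p, i)
            cells[(p, i)] = (s, risk_rating(s))
    return cells


def render_matrix() -> list:
    """Plain-text rows of the matrix: a header row plus one row per probability."""
    matrix = risk_matrix()
    rows = ["Probability   " + "".join(f"{i} ({IMPACT[i]})".ljust(22) for i in IMPACT)]
    for p in PROBABILITY:
        cells = []
        for i in IMPACT:
            s, r = matrix[(p, i)]
            cells.append(f"{r} {s:g} ({IMPACT[i]} * {PROBABILITY[p]})".ljust(22))
        rows.append(f"{p} ({PROBABILITY[p]})".ljust(14) + "".join(cells))
    return rows


@dataclass
class Risk:
    """One entry of a risk register (assumed structure)."""
    source: str       # threat source, as in the essay's risk-analysis table
    action: str       # associated action
    probability: str  # High / Medium / Low
    impact: str       # High / Medium / Low

    @property
    def score(self) -> float:
        return risk_score(self.probability, self.impact)


def rank_risks(register: list) -> list:
    """The 'Ranking of the risk' step: highest score first (stable for ties)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


# Constructed sample register; sources and actions echo the essay's table,
# the probability/impact ratings are assumed for illustration only.
SAMPLE_REGISTER = [
    Risk("Cracker", "Intrusion in the system", "Low", "High"),
    Risk("Insiders", "Misuse of personal information", "Medium", "High"),
    Risk("Computer criminals", "Activity of phishing", "High", "Medium"),
    Risk("Accidental", "Failure due to power", "High", "Low"),
]

if __name__ == "__main__":
    for line in render_matrix():
        print(line)
    print()
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.score:>5g}  {risk_rating(r.score):<6} {r.source}: {r.action}")
```

Running the script prints the three-by-three matrix and then the register ordered by score, so the phishing entry (20) is ranked above the insider entry (15), the power-failure entry (10) and the intrusion entry (3). The thresholds live in one function so that a different scale, such as a 1 to 5 impact scale, only requires changing `IMPACT` and `risk_rating()`.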

Comparative Analysis of Deliberate and Accidental Threats:

“Deliberate threats are the threats which are caused to the sensitive data by unauthorized accessing of the data” (Gordon, 2015). Failure of equipment, software, etc. comes under the category of accidental threats.

The sequential order of the threats is given below:

  • Failure due to power
  • Failure or errors in the network infrastructure
  • Obsolescence in technology
  • Errors or failure in the hardware
  • Errors or failure in the software
  • Issues in operation
  • Interception of communication
  • Repudiation
  • Espionage of the communication
  • Social engineering attacks
  • Deliberate attack on data
  • Misuse of the system
  • Unauthorized access to the resources
  • Shortage of staff
  • Threats due to the environment
  • Reduction in the quality of service
  • Misuse of the web application
  • Incomplete policies or planning for the organization
  • Fraud in finance
  • Unauthorized access to information
  • Equipment theft

The difference between the concepts of “Risk” and “Uncertainty”:

NSW government works on providing structure to the on-going risk management. “The risk associated with the information security is an amalgamation of the likelihood and the result associated with the incident” (Brightwell, 2014). Risks are associated with threats, and a threat can exploit the vulnerabilities of the information system. “The situation which arises from imperfect and unknown information is known as uncertainty” (Mahmood, 2015). It may arise due to internal or external accidental loss of data.

Evaluation of Risk Control:

Economic appraisal, management of the risk, and management of the values:

  • Objective specification
  • Identification of the options
  • Modification of the options according to the review of the risks
  • Evaluation of the options
  • Selection of the option

For each option available:

  • Establishment of the context of the risk
  • Identification of the risk associated with each option
  • Assessment of the magnitude
  • Development of the strategies
  • Development of the option
  • Identification and evaluation of the risk
  • Evaluation of the option
  • Preparation of the report

Process of Risk Management:

Familiarization of the proposal:

  • Objective Definition
  • Identification of the criteria
  • Definition of the key elements

Analysis of the risk:

  • Identification of the risk
  • Assessment of the risk
  • Ranking of the risk
  • Screening of minor risks

Planning of the response:

  • Identification of the responses
  • Selection of the best response
  • Development and management of action

Report Generation

  • Management of the schedules and measures

Implementation:

  • Effect on schedule management
  • Monitoring and reviewing of the plan

Security risk controls:

  • Substitution of the item which gives rise to the hazard
  • Isolation of the hazard from the people at risk
  • Minimization of the risk by using the engineering process
  • Minimization of the risk by using the administrative process
  • Personal protective equipment should be used
  • Inspections and audits of the workplace should be done
  • Development of the scenarios which can be predicted as the consequence of an incident which is relevant to security
  • Proper development of the hazard report, incident report, incident management report, incident investigation report, injury management report, and others

Principles:

The key principles on which the policies are based are as follows:

  • The objective is to provide services which are in the welfare of the people.
  • Information relating to a person should be securely managed so that the privacy and confidentiality of the data are preserved.
  • Security should be provided to critical and sensitive information.
  • The level of security should be determined for securing the information.
  • The policy for digital information security is classified as M2012-15.
  • Awareness programs should be organized to educate people about the security of digital information.
  • The information which is released should comply with the current state of the legislation.
  • Controls for securing the information should be implemented to mitigate the risk associated with sensitive information.

Eight Rules of Information Security:

  • Least privilege rule: for example, creation of the security policies
  • Change rule: for example, backup of the test server
  • Trust rule: for example, accuracy in the perception
  • Weakest link rule: for example, identification of the weakest link in the environment
  • Separation rule: isolation of services and data
  • Three-fold process rule: it is the combination of implementation, monitoring, and maintenance
  • Preventative action rule: awareness of security issues
  • Immediate and proper response rule: quick reaction

References:

Mark, S. (2014). Regulation of the legal services in the E-world (1st ed.). Retrieved from https://www.olsc.nsw.gov.au/Documents/regulation_of_legal-services_working_paper_oct2011_part1.pdf

Moodley, K. (2011). Electronic Information Security Policy – NSW Health (1st ed.). Retrieved from https://www0.health.nsw.gov.au/policies/pd/2013/pdf/PD2013_033.pdf

Gordon, T. (2015). Useful Security Information for Business (1st ed.). Retrieved from https://www.secure.nsw.gov.au/what-you-can-do/useful-security-information-for-business/

Brightwell, L. (2014). NSW Electoral Commission (1st ed.). Retrieved from https://www.elections.nsw.gov.au/__data/assets/pdf_file/0007/193219/iVote-Security_Implementation_Statement-Mar2015.pdf

Mahmood, F. (2015). Eight Rules of Information System Security (1st ed.). Iversion. Retrieved from https://blog.iversion.com.au/eight-rules-of-information-system-security/

Taylor, A. (2008). Information Security Management Principles (1st ed.). BCS. Retrieved from https://www.bcs.org/upload/pdf/infosec-mgt-principles.pdf

Richard, M. (2011). Risk Management Guideline (1st ed.). Retrieved from https://www.treasury.nsw.gov.au/__data/assets/pdf_file/0009/5103/risk_management.pdf

Jin, Z. (2011). Vulnerability Analysis Approach To Capturing Information System Safety Threats and Requirements (1st ed.). Retrieved from https://www.sersc.org/journals/IJSEIA/vol5_no4_2011/7.pdf