3. u10a1
3
Evaluate approaches to risk assessment of an organization's IT architecture
Risk analysis, or risk assessment, exists to safeguard an organization's processes, procedures and workforce, and to keep the organization within the laws that apply to it. Many risks come with a known, proven remedy. Others have never yet produced a threat or exposed a vulnerability in the organization and may be entirely new; these must be handled with particular care and diligence. A risk assessment is fundamentally about protecting the organization's resources so that they are safe and not exposed to damage. The key points to consider while performing a risk assessment include, but are not limited to, the following:
Identify the various risks;
Determine which segments of the organization each risk affects;
Decide the work needed to avoid or reduce the risk, and set the security boundary for it;
Document the strategy and implement the designed model;
Review the implemented solution at regular intervals, and change it and document the change where required; and
Apply a continual improvement cycle wherever applicable to improve the service rendered to the end user or customer and thereby reduce the risk further.
The person driving the risk analysis and its eventual implementation must carry clearly defined responsibility for completing the activity. This person is typically the project manager.
There are two principal approaches to risk assessment: qualitative and quantitative. The quantitative approach works in costs and in the calculations that derive the related risk from them. The qualitative approach relies more on expert judgement, market research and analyses gathered through questionnaires. In the quantitative approach the risk value is the product of the probability of the event and the impact associated with it. Numbers do not always express how serious a risk really is or how it can be remediated: a quantitative figure gives the projected cost of mitigating the risk, but not, by itself, the actual nature of the risk or the process for getting past it. A qualitative assessment can show results within a few weeks and can be monitored to refine the result, whereas the quantitative approach may take weeks, months or even years before the effort put into mitigating the associated threat or vulnerability shows up in the figures. Conversely, the qualitative way gives no clear picture of the result in numeric terms. Using the questionnaires and the input entered by the participants, the risk associated with a threat and its related vulnerability can be gauged, and many options, suggestions and lines of reasoning for resolving the issue become available. These options are presented to management, who make the final decision (possibly using a cost-benefit analysis) on the best approach to minimizing the risk (Gibson, 2011).
The organization discussed here has several sub-units or departments that work closely together to run the business: the network, application infrastructure services, security, identity management and compliance teams. The focus of this risk assessment is the identity and access management layer and the department that supports it. Access to applications should be granted only once a valid identity has been established, and identity management should be built into the entire technology stack so that every login and logout attempt is recorded in the logs. During or at the end of each year the IT infrastructure is audited, and different aspects of it are checked against minimum requirements: whether a password policy is enforced on the various systems accessed by IT staff and by their users and partners; whether proper user authentication and authorization is applied to mission-critical applications; whether the minimum required uptime is delivered for those applications; and whether the required capacity planning is in place for the infrastructure. Several of these checks form part of the IT general controls reviewed under the Sarbanes-Oxley (SOX) Act. An organization's financial data must be accurate and must be produced in its entirety when an IT auditor requests it. Senior management should be aware of this data and is bound to keep it free of any manipulation that would misstate the company's profit or loss. Financial data is only one example; every department should likewise be able to show its data with proper evidence and valid documentation. Figure 1 shows the interconnections between the departments and gives a clear picture of how these units work hand in hand.
Figure 1
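As an added example (not from the original paper), the following Python script performs the password-policy audit check mentioned above against the two Linux files that carry those settings, /etc/login.defs and /etc/security/pwquality.conf. The baseline values and the two sample files embedded in the script are assumptions constructed for illustration; the key names are the real ones those files use.

```python
"""Audit password-policy settings against a minimum baseline.

Added example, not part of the original paper. The baseline numbers and the
two sample files below are constructed assumptions; the key names are the
ones used by /etc/login.defs and /etc/security/pwquality.conf on Linux.
"""
import re

# Minimum requirements an auditor might ask for (assumed baseline).
# Each entry is key -> (comparison, required value).
BASELINE = {
    "PASS_MAX_DAYS": ("<=", 90),   # passwords rotate at least every 90 days
    "PASS_MIN_DAYS": (">=", 1),    # cannot immediately change back to the old one
    "PASS_MIN_LEN":  (">=", 12),
    "PASS_WARN_AGE": (">=", 7),    # days of warning before expiry
    "minlen":        (">=", 12),   # pwquality.conf minimum length
    "minclass":      (">=", 3),    # pwquality.conf character classes required
}

# Constructed sample of /etc/login.defs: distribution defaults, never hardened.
LOGIN_DEFS_SAMPLE = """
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           022
"""

# Constructed sample of /etc/security/pwquality.conf: partly hardened.
PWQUALITY_SAMPLE = """
# /etc/security/pwquality.conf (constructed sample)
minlen = 14
minclass = 3
# dcredit = -1
"""


def parse_kv(text):
    """Parse 'KEY VALUE' (login.defs) or 'key = value' (pwquality.conf) lines.

    Comments and blank lines are ignored. Numeric values become ints so they
    can be compared against the baseline; anything else stays a string.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. trailing ones
        if not line:
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(\S+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        settings[key] = int(value) if value.lstrip("-").isdigit() else value
    return settings


def check(settings, baseline=BASELINE):
    """Compare parsed settings to the baseline.

    Returns a list of (key, status, detail); status is PASS, FAIL or MISSING.
    A key that is absent is reported, not silently treated as compliant.
    """
    results = []
    for key, (op, required) in baseline.items():
        if key not in settings:
            results.append((key, "MISSING", f"required {op} {required}"))
            continue
        actual = settings[key]
        if not isinstance(actual, int):
            results.append((key, "FAIL", f"non-numeric value {actual!r}"))
            continue
        ok = actual <= required if op == "<=" else actual >= required
        results.append((key, "PASS" if ok else "FAIL",
                        f"actual {actual}, required {op} {required}"))
    return results


def audit(login_defs_text, pwquality_text):
    """Run the audit over both files; return (compliant, findings)."""
    settings = {}
    settings.update(parse_kv(login_defs_text))
    settings.update(parse_kv(pwquality_text))
    findings = check(settings)
    compliant = all(status == "PASS" for _, status, _ in findings)
    return compliant, findings


if __name__ == "__main__":
    ok, findings = audit(LOGIN_DEFS_SAMPLE, PWQUALITY_SAMPLE)
    for key, status, detail in findings:
        print(f"{status:8} {key:15} {detail}")
    print("RESULT:", "compliant" if ok else "NON-COMPLIANT")
```

On a real host the two sample strings would be replaced by the contents of the actual files; the MISSING status matters because a key that was never set falls back to a distribution default, which is exactly what an auditor needs to see called out.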
IT staff must abide fully by the SOX guidelines, if they do not already, and conform to the standard; there is no escaping an audit finding. For example, if an audit shows a lack of documentation for the process by which an application is moved to production, the responsible IT staff (involving vendors if required) should work diligently to put complete documentation in place, satisfy the audit clause and close the gap. Compliance laws exist for information security, healthcare, the financial services industry, education and child protection (Gibson, 2011).
Before a risk becomes too hard to manage, adequate monitoring should be in place to trigger the actions that prevent, or at least minimize, the impact of the related threat and its vulnerabilities. System checks should be performed at an appropriate and regular frequency. Checks at defined or random intervals provide management with the data needed to plan, design and implement the actions that eventually avoid the risk. A risk may be newly identified or may already exist as an active risk; either way it can be categorized as high, medium or low, and the product of probability and impact gives an understanding of the risk level. With proper monitoring and an agreed criticality index it becomes possible to forecast the time needed to reduce or minimize a risk. The related threat or vulnerability is then addressed according to the category of the risk. The approach adopted to remove or reduce the risk should be clearly communicated to all key stakeholders and documented. The interval between monitoring checks should not be so short that the system has no time to capture enough data to correlate the issue in depth. Every effort should be made to track the planned actions through to successful implementation and to ensure they are closed without fail. Due diligence should be applied so that the risk status report is updated regularly and kept complete. A contingency plan should exist to control the risk. Proper monitoring should result in the posed risk being minimized, and any residual risk should be traced to its root and removed there as well. "Risk Monitoring and control process ensures the success of the project" (Taylor, 2007).
As an example, ePrint technology was newly introduced to the organization and soon began to pose a risk to the messaging servers. These servers were constantly under high traffic, and the print jobs consumed most of the available bandwidth, which caused performance bottlenecks for the organization's other applications and posed a serious risk to the profit margin. A risk control was put in place to analyze where the ePrint requests originated, and any ePrint jobs not related to the organization's domain that were seen flowing to the organization's ePrint email address and servers were blocked. Thorough monitoring, with an adequate plan behind it, was set up to confirm that the risk had really been mitigated as fully as possible. Documentation was created and preserved so that a repeat occurrence could be handled quickly and so that the audit requirements were met.
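The following Python script is an added example, not part of the original paper. It turns the scoring rule above (risk = probability x impact, bucketed into high, medium and low) into a small risk register, and sets the quantitative figure beside it using the standard annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) so that the cost-benefit check management would apply to a control can be made. The register entries, dollar amounts and bucket thresholds are constructed assumptions, not data from the organization described.

```python
"""Score and rank a risk register qualitatively and quantitatively.

Added example, not from the original paper. Entries, dollar figures and the
level thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative thresholds on the 1-25 product scale (assumed values).
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


@dataclass
class Risk:
    name: str
    likelihood: int        # 1 = rare .. 5 = almost certain
    impact: int            # 1 = negligible .. 5 = severe
    sle: float = 0.0       # single loss expectancy, dollars per occurrence
    aro: float = 0.0       # annual rate of occurrence, events per year

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot skew the ranking.
        for rating in (self.likelihood, self.impact):
            if not 1 <= rating <= 5:
                raise ValueError("likelihood and impact must be on a 1-5 scale")

    def score(self):
        """Qualitative risk: probability x impact."""
        return self.likelihood * self.impact

    def level(self):
        """Bucket the score into High / Medium / Low."""
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "High"
        if s >= MEDIUM_THRESHOLD:
            return "Medium"
        return "Low"

    def ale(self):
        """Quantitative risk: annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def rank(register):
    """Highest qualitative score first; ALE breaks ties."""
    return sorted(register, key=lambda r: (r.score(), r.ale()), reverse=True)


def net_benefit(risk, control_cost_per_year, ale_after_control):
    """Cost-benefit of a control: ALE removed minus what the control costs.

    A positive value means the control pays for itself within a year.
    """
    return (risk.ale() - ale_after_control) - control_cost_per_year


def build_register():
    """Constructed sample entries, loosely modelled on the paper's scenarios."""
    return [
        Risk("ePrint jobs saturating messaging bandwidth", 4, 4, sle=20_000, aro=6),
        Risk("Web tier not restarted on DR secondary after patching", 3, 5, sle=50_000, aro=1),
        Risk("Unencrypted laptop lost", 3, 3, sle=15_000, aro=2),
        Risk("Out-of-date capacity plan", 2, 2, sle=5_000, aro=0.5),
    ]


if __name__ == "__main__":
    for r in rank(build_register()):
        print(f"{r.level():6} score={r.score():2} ALE=${r.ale():>10,.0f}  {r.name}")
    eprint = build_register()[0]
    # Assumed: blocking off-domain jobs costs $30k/yr and cuts the ALE to $10k.
    print("net benefit of blocking control:", net_benefit(eprint, 30_000, 10_000))
```

The two numbers answer different questions, which is the point made in the text: the qualitative level decides which risk gets attention first, while the ALE and `net_benefit` give management the cost figure it needs to decide whether a specific control is worth buying.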
Security certifications and the certifying agencies
From an information security (InfoSec) standpoint there need to be ethics, rules and regulations that one abides by to keep information and data safe and secure. InfoSec rests on three precepts: Confidentiality, Integrity and Availability (CIA). Security in IT terms means safeguarding business-related information and data. Confidential material should be explicitly marked "confidential", on electronic and physical documents alike, and only the people who need the data should have access to it. The data should be kept exactly as it was, with all secrets intact and no falsification. There should be justified trust in the sources from which the data is collected and stored, and the applicable laws and regulations should underpin its accuracy, privacy protection and availability. A few of the ways to keep data confidential (and, in the case of signatures, authentic) are:
encrypting email when sending and receiving it;
shredding documents that are no longer needed;
using digital signatures to provide authenticity and integrity for documents;
using public and private key pairs when IT systems move data from one internet protocol (IP) subnet to another; and
implementing proper access control on mission-critical applications so that only the right person is authenticated and authorized to view resources within them.
Integrity verifies that data remains valid and accurate and contains no unauthorized changes; it ensures the data has not been compromised and can be trusted for use. Availability means applications are there for the maximum number of days, hours and seconds; their non-availability can jeopardize the business as a whole and may even lead to loss of business. Keeping data secure also depends on certified people. A few of the industry-recognized certifications are ("Certification programs," 2012):
Systems Security Certified Practitioner (SSCP);
Certified Authorization Professional (CAP);
Certified Secure Software Lifecycle Professional (CSSLP); and
Certified Information Systems Security Professional (CISSP).
Having the best IT infrastructure and technology does not in itself protect the data held within it. Qualified professionals with the requisite domain knowledge are needed to handle situations that can be hard to manage. IT professionals should possess adequate knowledge of information security (IS) to ensure that their workplace and environment are free from (or at least not prone to) unwarranted issues that may compromise intellectual property. Internationally recognized certifications give an IT professional a clear identity and make them better qualified to run the IS function efficiently and effectively. IT professionals ensure that the workplace is set on industry standards, protects the privacy of others and protects the assets of the organization. The IT workforce should know the security standards that apply to the organization and comply with them, and should make sure the whole organization, particularly the non-IT departments, is aware of the IT security standards and policies by conducting seminars or hosting training programs from time to time; a newly joined employee, for instance, will not know the IT security policies of his or her department. Once domain knowledge has been built up through work and experience, one should consider an industry-recognized certification.
Identify the steps to security certification
A certification is a feather in the cap of such professionals and gives an organization, or the recruiting market, adequate information about the right candidate to hire. The steps to a security certification are explained below:
Experience, experience, experience: For a security certification one needs adequate years of domain experience. This experience shows the candidate's knowledge level and is useful in studying for the certification, understanding its different domains and preparing for a successful attempt at the final examination.
Complete the application: Forms are available online to download and to enter personal details, experience and related domain certifications. Instructions on how to fill in the application accompany the form, and one should make it a practice to read them carefully before starting. The certifying authority uses the completed application to validate the education and experience stated in it, so it must contain true information and be free of errors. Select the examination date and time and pay the required fee while submitting the application to the certifying authority.
Prepare for the examination: Due diligence in preparation is important. Proper sources, such as industry-known professionals, should be consulted on how to prepare. Related books, materials from a study or coaching center, exam-cram questions and similar resources should be used to pass the examination.
Pass the exam: After extensive training and thorough preparation, sit the scheduled examination and pass it. The pass result is sent to the address specified when the application was submitted.
Abide by the code of ethics: Agreement to abide by the code of ethics is taken once certified. Due respect should be given to the certifying authority and its policy standards; a breach can result in the credential being revoked.
("Steps for certification," 2012)
Online tools to conduct risk management research
There are various online tools that help build a better understanding of the risks involved and manage them in the best possible way. Two such tools for risk management research are explained below.
Plus, Minus, Interesting (PMI): Using this tool one draws three columns headed "Plus", "Minus" and "Interesting". The positive aspects of a given risk and its assessment are written in the "Plus" column, the negative aspects are collected under "Minus", and the "Interesting" column records the observations and conclusions that arise when planning the action (Bono, 2012). Here is an example in which a professional is deciding where to host an application. The risk being assessed is whether the application should move to a regional data center or to the global data center. The PMI table (Table 1) is drawn up to assess the risk and work out a plan so that an educated decision can be made from adequate data. The table tallies four (4) "Plus" points against two (2) "Minus" points, with the "Interesting" column left unscored, giving a net of positive two (2) points. This analysis indicates that hosting the application in the Next Generation Data Center (NGDC) would yield a better result than hosting it in the regional data center.
| Plus | Minus | Interesting |
|------|-------|-------------|
| Application accessible to all resources in the globe (+1) | Application accessible to only the regional resources and not to other global regions (-1) | Application accessible to ALL resources (+1) |
| Complies with the rules and regulations of the Next Generation Data Center (NGDC) (+1) | Better bandwidth for a regional application (-1) | Better technologies exist in the NGDC setup to manage the network and related bandwidth bottlenecks (+1) |
| Demand management is centralized and helps in managing IT system resources effectively (+1) | More support resources will cost more from the operational point of view (-1) | |
| Support model operates in ITIL's "follow the sun" modus operandi (+1) | Escalation is called for anything and everything (-1) | |
| Ease of initiating an escalation in case of a potential application performance issue or reported downtime (+1) | | |
| Total (+4) | Total (-2) | Total 0 |
Table 1
Applying the "what if" analysis: Key decisions can be taken by asking oneself and the team "what if" questions about a given situation. From the answers the organization can forecast the probable hurdles the team will have to handle efficiently and effectively in operation (""what if" analysis," 2012). As an example, there is an application that does not have a large user base but is required to manage key updates to the supply chain business and must be available for most of each day; it is classified as Entity Essential. The application and infrastructure teams met in a detailed demand review meeting and used a spreadsheet to put "what if" questions to each other in order to determine where the application should be hosted. From the discussion and the consensus reached, it was decided to host the application on the shared web hosting space rather than on the dedicated web hosting space.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) findings of the risk assessment for an organization
A Disaster Recovery Plan (DRP) sets out the steps to be carried out in the event of a catastrophe, whether man-made or natural, to restore systems and the services aligned to them to normal. A DRP is one component of the broader Business Continuity Plan (BCP), whose goal is to get the operation back to where it was before the disaster (Gibson, 2011). Every department should develop its own defined continuity plan so that the overall plan is complete in all respects, since each department has different processes and procedures for restoring its services. As an example, HP-UX patching was undertaken by the platform team. After the activity, the web services did not start automatically on the secondary site and its failover nodes. The primary site and its nodes had been patched long before and were working as required. During a DR rehearsal a failover was performed, and because no web services were running on the secondary site the application suffered downtime until the web hosting team was called in to bring the web services up on the secondary site and its nodes (which had become the primary site at that point). The check the web hosting team performs to confirm that the web services are up after patching was not part of the platform team's process. Following the escalation and its post-mortem, the platform team was instructed to update its playbook so that a web services check appears on its existing checklist. Last but not least, the key people should be given the training they need to understand and carry out the DRP with agility and to deliver the result efficiently and effectively.
(Christodonte II, 2009)
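The missing checklist item in the DR rehearsal above, a confirmation that the web tier on the secondary site actually answers after patching, is the kind of check that belongs in a script the platform team runs before declaring a node ready. The following Python script is an added example, not part of the original paper or the organization's playbook; the host names, ports and list of required services are assumptions, and the probe is injectable so the logic can be exercised offline.

```python
"""Post-patch check that required services answer on a failover node.

Added example, not part of the original paper. Host names, ports and the
required-service list are assumptions. Run on (or against) the secondary
node after patching; a non-zero exit means the node must not be declared
ready for failover.
"""
import socket
import sys
from typing import NamedTuple


class Service(NamedTuple):
    name: str
    host: str
    port: int
    kind: str = "tcp"      # "tcp": port must accept a connection;
    path: str = "/"        # "http": a GET on `path` must return 2xx/3xx


# Assumed required listeners on the secondary site's web and app nodes.
REQUIRED_SERVICES = [
    Service("web-https", "web2.example.internal", 443),
    Service("web-http", "web2.example.internal", 80, "http", "/healthz"),
    Service("app", "app2.example.internal", 8080),
]


def parse_status(response: bytes):
    """Extract the numeric status code from an HTTP status line, or None."""
    first = response.split(b"\r\n", 1)[0].split(b" ")
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return None
    return int(first[1]) if first[1].isdigit() else None


def tcp_probe(svc, timeout=3.0):
    """True if a TCP connection to the service succeeds within the timeout."""
    try:
        with socket.create_connection((svc.host, svc.port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(svc, timeout=3.0):
    """Connect, send a minimal HTTP/1.0 GET and accept any 2xx/3xx reply.

    A listening port alone is not enough: a web server can accept the
    connection and still answer 503 because its backend never came up.
    """
    request = f"GET {svc.path} HTTP/1.0\r\nHost: {svc.host}\r\n\r\n".encode()
    try:
        with socket.create_connection((svc.host, svc.port), timeout=timeout) as s:
            s.sendall(request)
            status = parse_status(s.recv(512))
    except OSError:
        return False
    return status is not None and 200 <= status < 400


def default_probe(svc):
    return http_probe(svc) if svc.kind == "http" else tcp_probe(svc)


def verify_node(services=REQUIRED_SERVICES, probe=default_probe):
    """Probe every required service; return (all_ok, list_of_failures).

    `probe` is injectable so the check can be tested without a network.
    """
    failures = [f"{s.name}: {s.host}:{s.port} ({s.kind}) not healthy"
                for s in services if not probe(s)]
    return (not failures), failures


if __name__ == "__main__":
    ok, failures = verify_node()
    for f in failures:
        print("FAIL", f)
    print("node ready" if ok else "node NOT ready; do not close the patch task")
    sys.exit(0 if ok else 1)
```

Wiring the exit status into the patching playbook (the task cannot be closed while the script exits 1) is what turns the post-mortem action item into something that cannot be skipped on the next patch cycle.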
Computer Incident Response Team (CIRT) plan for an organization based on a Business Impact Analysis (BIA) and in a given scenario
A Computer Incident Response Team (CIRT) plays a vital role in resolving reported incidents efficiently and effectively. The CIRT plan identifies the players in each department, so that the roles and responsibilities of each individual in a department or in the organization are clear to everyone, and it is transparent to anyone seeking assistance while addressing an incident whom to contact. This leaves no room for ambiguity, and proactive measures can readily be adopted to keep the environment safe with minimal or no exposure to external threats or attacks (Gibson, 2011). An incident that took place in the workplace is presented here together with the CIRT plan that was applied, based on a BIA. A change request was raised by the Linux platform team for hardware maintenance and a change of IP address; the hardware maintenance was to double the existing CPU and memory capacity. The change request contained separate tasks for the various teams involved: the web hosting, database and application teams were each tasked to check and confirm that the application responded as required after the Linux platform team's change. The change was planned and scheduled with the participating team members known in advance, each member aware of their responsibility and how to perform the task, and supporting documents attached to the change request as artifacts. The team members were trained so that the change would proceed smoothly and as planned, and each received a thorough checklist with the scheduled timeline of what had to be done during the approved change window. The change advisory board approved the change after validating the presented artifacts, and each team was asked to subscribe to the alerts, delivered to the Outlook calendar, that report the status and health of the environment. The Linux platform team's part of the change went as planned. However, the IP change broke the trust between the web layer and the identity layer, and the application web links on site1, which had undergone the change, were reported as not responding. Site2 worked as required because the change had not yet taken place there; it was to undergo the same change only once site1 had been changed successfully and tested, verified and confirmed to be working as desired. In line with the CIRT plan, it was decided to re-register the broken trust between site1 and the identity infrastructure, and once that was confirmed complete the web services were restarted, which finally brought the site1 web links back. The same issue arose when site2 underwent the same change, and the same CIRT plan was followed there to restore access to the application URLs. Good use was made of every form of collaboration tool (Office Communicator, WebEx, email and so on) to get the change and the reported issue addressed quickly and without losing time.
References
Bono, E. D. (2012, June 2). Plus, minus, interesting. Retrieved from http://www.mindtools.com/pages/article/newTED_05
Certification programs. (2012, June 2). Retrieved from https://www.isc2.org/credentials/default.aspx
Christodonte II, M. (2009, April 4). 8 steps to disaster recovery planning. Retrieved from http://christodonte.com/2009/04/8-steps-to-disaster-recovery-planning/
Gibson, D. (2011). Managing risk in information systems (pp. 58, 117-118, 365, 417). Sudbury, MA: Jones & Bartlett Learning.
Steps for certification. (2012, June 13). Retrieved from https://www.isc2.org/steps-for-certification.aspx
Taylor, S. (2007, March 20). What is risk monitoring and control? Retrieved from http://voices.yahoo.com/what-risk-monitoring-control-196553.html
"what if" analysis. (2012, June 2). Retrieved from http://www.mindtools.com/pages/article/newTED_76.htm