3. Create a risk management plan and identify key areas of concern within the organization.

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

Common threat sources:

Natural threats - Floods, earthquakes, landslides, tornadoes and other such events.

Human threats - Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

Environmental threats - Long-term power failure, pollution, chemicals, liquid leakage.

To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the associated threat environment, the following scale is used:

High - The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium - The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low - The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

We will identify risks pertaining to the group in 4 main areas: 1. Risk identification 2. Risk probability 3. Risk impact 4. Mitigation and/or corrective action.
Risk Management Plan

Columns: Ref. No | Risk identification | Risk probability (High / Med / Low) | Risk impact | Corrective actions

1. Distributed system
   Probability: X
   Impact: Open to attack, resulting in system performance issues including failure and loss of, corruption of or theft of data.
   Corrective action: Adequate firewall and security settings, separate subnets, domain and group policy.

2. Data storage
   Probability: X
   Impact: Currently each site stores its own data sets (employee data, payroll, sales and marketing, production) and only a few sites have a proper backup facility.
   Corrective action: Centralized servers with mirror backups; introduce user profiles limiting access and enforcing segregation of duties.

3. Disaster recovery
   Probability: X
   Impact: In the event of a data loss the group is unable to recover and operate effectively.
   Corrective action: System backup and disaster recovery plan.

4. Software licensing
   Probability: X
   Impact: The group holds 4% of the export share in Sri Lanka; not being aligned with global standards in IS/IT affects its reputation and competitiveness.
   Corrective action: Proper asset management; obtain common licensing for software for the entire group.

6. Procurement
   Probability: X
   Impact: Each company purchases its own IT equipment, leading to compatibility issues and over-specified or under-specified machinery.
   Corrective action: Implement a centralized manager to oversee and control IT at the group level.

7. Asset management
   Probability: X
   Impact: There is currently no facility to register or manage the IT assets.
   Corrective action: Purchase asset management software.

8. Continuity - different information sets stored, compatibility of a centralized approach, data management, centralized database usability
   Probability: X
   Impact: No current standard within the business and no implementation of recognized best practices for IS systems, including version control.
   Corrective action: Identify best practice.

9. Training
   Probability: X
   Impact: Different levels of IT awareness within the business (employees).
   Corrective action: Provide a standardized training approach.

10. Data accessibility
   Probability: X
   Impact: All employees have access to customer information (Data Protection Act).
   Corrective action: Introduce user profiles / levels of access pertaining to job role.

11. Infrastructure management (computers)
   Probability: X
   Impact: Long time taken to get back into operation after breakdowns.
   Corrective action: Move to branded products and reliable suppliers.

In the original layout each risk's probability is marked with an X under one of the High, Med or Low columns; the column the mark falls in is not preserved here.
How Hayleys outlined the IT risk:

Risk: IT risk
Description: The group depends on accurate, timely information from key computer systems to enable decision making.
Rating: Moderate
Mitigation:
* Implementation of a sound IT policy throughout the group is supported by adequate systems and controls.
* A contingency plan is in place to mitigate the risk of IT failures.
* A central IT team is in place to support IT within the Group.

Risks associated with information technology are assessed in the process of "Enterprise Risk Management". Use of licensed software (with Microsoft Corporation), closer monitoring of internet usage (for compliance with the group's IT use policy) and mail server operations, and the use of antivirus and firewall software are some of the practices in place in the group. The decision to change the group's communication system is another risk factor: it has some negative risk points, but the positive effect on both the IT infrastructure (security, control) and cost is high.