TyroCity

Discussion on: Risk Management and Mitigation risks

Sachita_Bhattarai

Risk does not come knocking at the door; it is uncertain and sweeps away the valuable assets of the organization if not tackled well. That results in the downfall of organizational performance, sales, profit, goodwill and many other prestigious things. To avoid that, an organization adopts information security to keep the organization's information confidential and safe from any other destruction. Following are the various steps to manage and mitigate the risk associated with security: identifying threats, assessing vulnerabilities, and implementing controls (Wallace, 2013).

Identifying threats

The first step of an organization is to find all the possible threats that can affect the organizational performance and position. Threats arise both internally and externally. To identify the threat, the organization examines the sources and events of threat, their capabilities, intentions and their targeting information from all available sources (Gary Locke, 2011). The internal threat can arise from the negligence of the employees, loss of employees, vendors, misuse of information, theft by office employees or workers, any kind of spam, etc., while the external threats can arise from the occurrence of natural calamities like floods, landslides, volcanic eruptions, earthquakes if you are in a country like China or Nepal, hurricanes, fire, war, industrial accidents, etc. For example, hackers tried to steal money from NIC Asia Bank through the SWIFT system. If they had succeeded, then the bank would have been liable for the debt of hundreds of customers, clients, shareholders, trustees, etc., and it could have affected their credibility in the market. Therefore, the use of system security can help the organization in protecting itself from all kinds of threats.

Examine vulnerability

The next step after identifying the threats would be examining the vulnerabilities to find out whether the existing security that the company has adopted is effective or not, and to find the vulnerabilities in the systems, processes or policies of the organization that can be exploited by the threat. The organization can look for all the possibilities, like whether any employees are ignoring malware or responding to mails sent by hackers, through which the hackers can directly get into the company's systems and leak all the confidential information. In addition, it can check whether the information system the company has adopted maintains a log of every attempt to access the system.

Protection against threats

Once the organization has examined the possible vulnerabilities, the company can evaluate controls that protect the organization against threats. The most important thing they can do is provide proper training to the staff as well as to the senior managers. As in the above example, the hackers first attacked the computer system of the employee; if at that very time the employees had been trained to handle such situations, then the hackers would not have been able to get access to the SWIFT system. Another way is to keep all the software updated, i.e. anti-virus software and operating systems; ensure that they are updated, as the updates contain fixes for security vulnerabilities. Similarly, firewalls, IPS trackers, network segmentation, etc. can be used as protection.

Administrative Security Controls

This step includes the policies, processes, and the various plans of the organization to improve information security and ensure that they can be used at the time of danger to recover all the information stored in the system. For example, the organization where I earlier used to work restricted the employees from using USB drives, pen drives, mobile sharing, and social media inside the office premises. In this way, they were trying to avoid any type of virus entering the system from outside.

Response plan

It is not guaranteed that the security protection the company is using will save their systems from cyber-attacks or that their system will not be hacked; to prepare for this, the organization should also adopt a response plan to implement at the time of crisis. "An incident response plan delineates what steps need to be taken, and by whom, when a breach or security crisis occurs in an organization" (Rapid7, 2018).

Recovery stage

At last, when all the steps have been followed by the organization, they can recover all the necessary information and the systems that were attacked by the hacker or from any other source.

References
Gary Locke, P. D. (2011). Information Security. National Institute of Standards and Technology, 34-35.

Rapid7. (2018). Incident Response Plan. Retrieved from rapid7.com: rapid7.com/fundamentals/incident-r...

Wallace, P. (2013). Introduction to Information Systems, Second Edition. New Jersey: Pearson Education Inc.