Tuesday, May 5, 2020

Information Security Risks and Concerns

Question: Describe about the Essay for Information Security Risks and Concerns. Answer: Current security risks and concerns considered by NSW government - diagram Figure 1: Threats, Risk Concept Relationship and ISO codes linked to ISMS (Source: created by author) Diagram explanation and identification of low, medium-low, medium and high-risk exposure High-Risk exposure threats contain Earthquake, Flood, Storm, and Fire. This level of risk can wipe out the entire system and the buildings which comprise the server. They are categorized under Natural Disasters and can happen anytime and anywhere (Carrara Guzzetti, 2013). Medium Risk exposure threats include communication failure, errors in programming or software, transmission errors, technical failures, user or operational staff errors, outsourced operations failure, absence or loss of key personnel, rerouting or misrouting of messages, and building the fire. These threats are categorized under accidental threats because they are unpredictable most of the time (Kemppainen et al., 2012). According to Pathak (2016), medium-low exposure threats contain eavesdropping, sabotage, malicious destruction of data and facilities, industrial action, web site intrusion, unauthorized software changes, use of pirated software, denial of service, unauthorized dial-in access, social engineering, fraud and theft, malicious code, masquerade and unauthorized data access. They are categorized into deliberate threats because these types of risks are intentional who wishes to do harm to the system to disrupt the service. Low-risk exposure threats contain electronic interference, power supply failure, power fluctuations, vermin, extremes of humidity and temperature. They are categorized into environmental conditions and are considered low risk because these threats often take some time from hours to years (Ham, Park Jeong, 2015). Comparative analysis of Deliberate and Accidental Threats and justification of ranking in order of priority As stated by Guo (2013), there are quite a few comparisons that can be made between accidental and deliberate threats which happen in practical usage. Following are some comparative threats in order of degree are Use of pirated software which often has backdoors for hackers to manipulate critical system files, but also limits the economic growth of a country and the information sector. The rise of torrent and warez sites gave birth to online piracy and software easily available online often paid versions without any fee (Andrs Goel, 2012). The arrest of the largest torrent website Kickass, led to other web sites crippling or shutting their services. The piracy site allegedly stole over $1 billion in profits from the US (U.S. Authorities Charge Owner of Most-Visited Illegal File-Sharing Website with Copyright Infringement, 2016). Eavesdropping is another such issue and many big giants like Microsoft, Google and Facebook have been blamed for collecting, storing and selling user data. Edward Snowden became the whistleblower when he leaked papers and sensitive data of NSA collection data, snooping networks and internet traffic, voice calls and media over the past few years (Wu, Ma Chan, 2015). Distributed Denial of Service (DDOS) can often cause failure of communications services or halting them altogether, which was the case in 2013 when hackers too down NASDAQ for three hours on August 22nd (Kaur, Sachdeva Kumar, 2012). Social Engineering on the system can be misused in rerouting or misrouting of messages, instance of it as the Hidden Lynx Watering Hole on Bit9 case in 2013 (Doherty, 2013). Unauthorized software changes can cause transmission errors and may also result in technical failures. Errors on the part of the user or operational staff can cause theft and fraud (Ramadan, Al-Khedher Al-Kheder, 2012). NSW Government possible challenges for risk/security management To mitigate security threats the government has to identify the problems on whether it should carry out security/risk management internally or external via outsourcing. Challenges that the government may face in risk management sector are Management of Organizational Assets Organizational assets are required in the form skills and resources since security is a problem that is scattered throughout a sector (Karimidizboni, 2013). Coping with Rapid Changes in Technology Keeping up with rapid changes in technology would require using modern operating systems on its servers and desktop computers and has to be actively managed (Christensen, 2013). It becomes complex and dynamically changing environment when it has to be managed actively. Security as an Additional Expense Additional expenditure on security is expensive, and the government does not always want to bear the costs as they reluctantly view security as an investment. This prevents from embracing security as a legitimate long-term plan investment for the strategic plan of the government (Peltier, 2016). Familiarization with Technology Employees have to be trained with updated technologies and simpler technical terms need to be used for them to be familiarized with and will require additional manpower and time (Chaston, 2015). Differences between Risk and Uncertainty in Information System Risk consists of theft, neglect, insecure practices and loss. When someone deliberately attacks a system to collection sensitive data, the person can cause much harm and pose a threat. Everyone breaches out of four breaches occurs due to theft. Primarily the inside employees play a role in this who has a grudge with the organization or criminals, who are looking to steal cash from sensitive electronic powered devices (Parekh, 2016). Neglect occurs when the discarded electronic items are not erased correctly and the data stored can be easily obtained by cheap tools. Same goes when the electronic items are not protected by a secure password (Schell, 2013). Insecure practices include data being shared carelessly over networks which can lead to unauthorized access or exposure. Irresponsible or carelessly handling of data which can misplace or loss of devices is another common way for the loss of media and data (McGregor et al., 2015). Uncertainties in information security present a challenge in itself. It can overload the user with lots of details of a particular product or service and yet may not represent the actual one and is the case of misrepresentation, and many times there is no way to verify. Adapting to newer technologies is not for everyone and people often are wary of the service, failure, and theft. This unfamiliarity brings more hazards to those using it (Luo, Ba Zhang, 2012). To deliver more personalized content and recommendation based on a users habit, cookies" are stored, which itself is sold and commoditized to other third-party services. Not only it can be a risk to privacy, but the personal usage data is often collected, bought and sold often without the user's content (Newman, 2013). Possible approaches of NSW government for risk mitigation and control To approach information system security, the NSW government can take many approaches as follows as per ISO 27001:2013. Governance According to Susanto, Almunawar and Tuan (2012), senior management must aid in support and direction for digital information systems and security in compliance with relevant regulations and laws for business requirements. The governance arrangements included in the ISMS or Information Security Management Systems are a policy for information security, a person handed over the responsibility for online security, and alignment to the management policy and organizations internal risk and audit such as TPP09-05. Controlling access to information system and data classification labeling and handling Access to information systems online must be controlled and monitored having regards to relevant regulations and laws like Health Records and Information Privacy Act 2002, State Records Act 1998, Privacy and Personal Information Protection Act 1998, NSW Classification and Labeling Guidelines, and Government Information (Public Access) Act 2009 (Smith, 2014). Controlling relationships with outside parties The security of digital information systems and information processed, accessed, managed, or communicated to third parties must be monitored. Security regarding software exchanged and digital information with any third-party entity needs to be maintained(NSW Government Digital Information Security Policy | NSW ICT STRATEGY, 2016). Training and Awareness Employees who take on the role of information security performance must be aware of the role and keep up-to-date with the changes by keeping their skills through education and training when necessary (Peltier, 2016). Security incident management Relevant authorities must keep contact with the agencies. For digital information security near misses, incidents, events and weakness associated with digital information systems, internal processes must be in place, and therefore, timely corrective action must be taken (Baskerville, Spagnoletti Kim, 2014). References Andrs, A. R., Goel, R. K. (2012). Does software piracy affect economic growth? Evidence across countries.Journal of Policy Modeling,34(2), 284-295. Baskerville, R., Spagnoletti, P., Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response.Information management,51(1), 138-151. Carrara, A., Guzzetti, F. (Eds.). (2013).Geographical information systems in assessing natural hazards(Vol. 5). Springer Science Business Media. Chaston, I. (2015). Public Sector Online. InInternet Marketing and Big Data Exploitation(pp. 221-239). Palgrave Macmillan UK. Christensen, C. (2013).The innovator's dilemma: when new technologies cause great firms to fail. Harvard Business Review Press. Cobb, C., Cobb, S., Kabay, M. E., Crothers, T. (2012). Penetrating computer systems and networks.Computer Security Handbook. Doherty, S., Gegeny, J., Spasojevic, B., Baltazar, J. (2013). Hidden LynxProfessional Hackers for Hire.security response, Symantec Corp. Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis.Computers Security,32, 242-251. Ham, S. W., Park, J. S., Jeong, J. W. (2015). Optimum supply air temperature ranges of various air-side economizers in a modular data center.Applied Thermal Engineering,77, 163-179. Karimidizboni, R. (2013). Human resources information system.Interdisciplinary Journal of Contemporary Research In Business,4(10), 1004. Kaur, D., Sachdeva, M., Kumar, K. (2012). Recent DDoS Incidents and Their Impact.International Journal of Scientific Engineering Research,3(8), 1-6. Kemppainen, J., Tedre, M., Parviainen, P., Sutinen, E. (2012). Risk Identification Tool for ICT in International Development Co-operation Projects.The Electronic Journal of Information Systems in Developing Countries,55. Luo, J., Ba, S., Zhang, H. (2012). The effectiveness of online shopping characteristics and well-designed websites on satisfaction.Mis Quarterly,36(4), 1131-1144. McGregor, S. E., Charters, P., Holliday, T., Roesner, F. (2015). Investigating the computer security practices and needs of journalists. In24th USENIX Security Symposium (USENIX Security 15)(pp. 399-414). Newman, J. (2013). Cookie Monsters: Locally Stored Objects, User Privacy, and Section 1201 of the DMCA.AIPLA QJ,41, 511. NSW Government Digital Information Security Policy | NSW ICT STRATEGY. (2016).Finance.nsw.gov.au. Retrieved 23 August 2016, from https://www.finance.nsw.gov.au/ict/resources/nsw-government-digital-information-security-policy Parekh, S. M. (2016).U.S. Patent No. 20,160,094,566. Washington, DC: U.S. Patent and Trademark Office. Pathak, P. B. (2016). The Review of Terms and Concepts used to Understand Cybercrime to Safeguard Ourselves from Cybercriminals.International Journal of Advanced Research in Computer Science,7(1). Peltier, T. R. (2016).Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press. Peltier, T. R. (2016).Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press. Ramadan, M. N., Al-Khedher, M. A., Al-Kheder, S. A. (2012). Intelligent anti-theft and tracking system for automobiles.International Journal of Machine Learning and Computing,2(1), 83. Schell, R. R. (2013). Computer Security.Air Space Power Journal,27(1), 158. Smith, Z. W. (2014). Privacy and Security post-Snowden: surveillance law and policy in the United States and India.Intercultural Hum. Rts. L. Rev.,9, 137. Susanto, H., Almunawar, M. N., Tuan, Y. C. (2012). A novel method on ISO 27001 reviews: ISMS compliance readiness level measurement.arXiv preprint arXiv:1203.6622. U.S. Authorities Charge Owner of Most-Visited Illegal File-Sharing Website with Copyright Infringement. (2016).Justice.gov. Retrieved 23 August 2016, from https://www.justice.gov/opa/pr/us-authorities-charge-owner-most-visited-illegal-file-sharing-website-copyright-infringement Wu, A., Ma, W. W., Chan, W. W. (2015). Whistleblower or Leaker? Examining the Portrayal and Characterization of Edward Snowden in USA, UK, and HK Posts. InNew Media, Knowledge Practices and Multiliteracies(pp. 53-66). Springer Singapore.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.