Discuss about the Report for IT Risk Management of Threats and Risks.
NSW Government is home to a number of security threats and risks as per the current scenario. ICR strategy has been developed in order to keep the information safe and secure from all such risks. The document covers a security risk diagram highlighting the major security risks that the NSW government goes through. A detailed analysis of the potential risks is done along with the countermeasures suggested for the same.
The risks that are associated with NSW Government and its architecture are assessed on the basis of the information category that is affected by the same. The information that NSW Government deals with has been classified on the basis of a number of categories as described below:
This is the category of information that may be used along with the unclassified information only. It is usually the information that is provided by the state agencies and is used by the officials only.
This is the information that has security classified or unclassified where the security provisions must be applicable and the disclosure must be minimum.
The information type that includes the personal information about the individuals that are associated with NSQ Government or the state agencies or other organizations is covered under this category.
The information or data that is subjected to legal professional privilege is covered under this category.
The information that is associated with the Australian Government Cabinet and includes details such as official records of the cabinet, documents containing proposals and submissions related to the cabinet, documents that may reveal decisions taken by the cabinet and likewise.
All the official records those are associated with the NSW Government such as cabinet agendas, submissions, minutes etc.
This category covers the information that includes details which if revealed may endanger individual or private entities and likewise.
The information that is associated with or may have an impact on all the law enforcement activities such as information provided by confidential source, training information on enforcement of law and many more.
Health information is the category of information that is bound by a number of legal and regulatory policies
The risks that are displayed in the diagram above have been identified as per the impacted information category:
Data Integrity Risks: The information flows from one component of NSW Government to another component internally. The same is shared externally as well and these risks are executed primarily during data sharing and data transfer. These allow the unauthorized modification of information that may be sensitive or confidential in nature.
Network Threats: Network threats such as unauthorized network monitoring, man-in-the-middle attacks, sniffing and likewise fall under this category of risks.
Malware Threats: A number of malware is developed on a frequent basis that may affect the confidentiality, integrity and availability of information such as anti-virus, Trojans, logic bombs and worms.
Application Vulnerabilities: NSW Government is composed of a number of interfaces and APIs and the same opens the path for a number of vulnerabilities associated with the same.
Operations Risks: These are the risks that may result from inadequate or failed system or sub-systems that may be internal or external in nature.
Business Risks: These are the risks that may include the vents that would have the potential to bring down the profits associated with the NSW Government.
Legal Risks: These are the risks that may result in the violation of the legal policies, terms and conditions that are associated with NSW Government and the corresponding components of the same (“NSW Government Digital Information Security Policy | NSW ICT STRATEGY”, 2015)
|
Risk ID |
Risk |
Likelihood |
Impact |
Risk Ranking |
|
RS1 |
Data Integrity |
Medium |
High |
High |
|
RS2 |
Network Threats |
Medium |
High |
High |
|
RS3 |
Malware Threats |
High |
Medium-Low |
Medium |
|
RS4 |
Application Vulnerabilities |
High |
Medium-Low |
Medium |
|
RS5 |
Operations Risks |
Medium |
Medium |
Medium |
|
RS6 |
Business Risks |
Low |
High |
High |
|
RS7 |
Legal Risks |
Low |
High |
High |
Deliberate threats are defined as the threats that are executed by humans through human-machine or human-human interaction that is based on a malicious intent. As the name suggests, these threats are executed deliberately to cause harm to the affected party and to gain benefit out of the same (Vavoulas, 2016).
Accidental threats on the other hand are the threats that are caused unintentionally. These are usually occurred in case of negligence or inadequate knowledge.
The threats that are described above comprise of some of the deliberate and a few accidental threats. Malicious threats, data integrity threats are network threats are the ones that are always deliberate in nature. These threats are executed to gain unauthorized access to the information and misuse the same piece of information to cause harm to the victim. The impact of the same may be low to high in nature depending upon the information that is exposed.
Application vulnerabilities and business risks are the ones that are mostly accidental in nature and are caused due to mishandling of the procedure or operations or due to negligence as well (Cole, 2012).
Legal risks and operations risks are both deliberate and accidental in nature and the same depends upon the occurrence and procedure involved in it. There may be scenarios wherein negligence may be involved or some events wherein selfish benefits and deliberate acts are involved.
NSW Government is composed of a massive number of humans, both internally and externally. There will be scenarios of conflicts and disputes between the human entities especially between the parties wherein one is internal and the other is external. Another challenge may be effective communication and availability of the required parties at a common time which may delay the implementation procedure.
NSW Government is composed of policy makers, top management, senior level officials, external users and many more. There may be a lack of communication between the officials at the decisive level and the ones at the implementation level.
This is one of the major challenges that will emerge before the NSW government while implementing the security/risk management policies. Existing technological infrastructure and architecture will not be compatible with all of the suggested solutions. Also, the components of NSW government is spread to such a huge area all across the geographical location such that a minor change in the architecture will impact a chain of changes in the entire architecture (Information Technology and Security Risk Management Top 12 Risks What are the risks? What are the solutions?, 2012).
A risk is defined as an event that is always associated with the probability of either winning or losing something that is worthy in nature. Uncertainties are the situations where the future is not known and cannot be predicted as well. Risks are measurable and controllable whereas the same is not the case with the uncertainties (Surbhi, 2016).
In case of NSW Government, the risks have been highlighted and described above. There are also a number of uncertainties that are associated such as impact of the natural disasters and hazards on the ongoing business activities or the failures that happen at the end of the third parties which could not be predicted earlier. These uncertainties cannot be measured or predicted and hence, cannot be controlled as well. They can never be identified well in advance to form strategies to mitigate or avoid the same. The risks on the other hand can be assessed and controlled with a proper risks management plan.
NSW Digital Information Security Policy (DISP) can be implemented with a strong disaster recovery policy and plan. It will ensure smooth business continuity and service delivery and will provide recovery plan for every single component and application that is associated with NSW Government.
There are a number of low to high impacting network threats which can be controlled through advanced network security measures such as network scans, traffic scans, dedicated networking team, intrusion detection and likewise.
Use of the latest anti-virus software along with internet security will keep all the categories of malware away from the system.
Every party, whether internal or external must abide by the legal and regulatory policies that are defined for the information handling to keep the confidentiality, integrity and availability of the information safe and secure at all times.
Use of Single Sign on and sign off on the web portals, improved physical security, stronger passwords, One Time Passwords and unique identification tracking and handling must be ensured (“ISO IEC 27000 2014 Information Security Definitions”, 2013).
Conclusions
NSW Government deals with massive information on a daily basis. In order to keep the confidentiality, integrity and availability of the information protected and secure at all time is must for the entity. There are a number of risks that are associated with NSW Government which are classified in a number of categories on the basis of the information that they impact. There can be a number of challenges that may appear while implementing a strong security/risk management policy and the risks can be mitigated through a number of legal, network, malware and other controls and strategies.
References
Cole, E. (2012). Accidental insider threats and four ways to prevent them. SearchSecurity. Retrieved 18 August 2016, from https://searchsecurity.techtarget.com/tip/Accidental-insider-threats-and-four-ways-to-prevent-them
Surbhi, S. (2016). Difference Between Risk and Uncertainty – Key Differences. Key Differences. Retrieved 16 August 2016, from https://keydifferences.com/difference-between-risk-and-uncertainty.html
Vavoulas, N. (2016). A Quantitative Risk Analysis Approach for Deliberate Threats. Retrieved 16 August 2016, from https://cgi.di.uoa.gr/~xenakis/Published/39-CRITIS-2010/CRITIS2010-RiskAnalysisDeliberateThreats.pdf
Information Technology and Security Risk Management Top 12 Risks What are the risks? What are the solutions?. (2012) (1st ed., pp. 11-14). Australia. Retrieved from https://www.amsro.com.au/amsroresp/wp-content/uploads/2010/12/AMSRO-TOP-12-Information-Technology-Security-Risk-Management-1.pdf
NSW Government Digital Information Security Policy | NSW ICT STRATEGY. (2015). Finance.nsw.gov.au. Retrieved 18 August 2016, from https://www.finance.nsw.gov.au/ict/resources/nsw-government-digital-information-security-policy
ISO IEC 27000 2014 Information Security Definitions. (2013). Praxiom.com. Retrieved 18 August 2016, from https://www.praxiom.com/iso-27000-definitions.htm
Essay Writing Service Features
Our Experience
No matter how complex your assignment is, we can find the right professional for your specific task. Contact Essay is an essay writing company that hires only the smartest minds to help you with your projects. Our expertise allows us to provide students with high-quality academic writing, editing & proofreading services.
Free Features
Free revision policy
$10Free bibliography & reference
$8Free title page
$8Free formatting
$8How Our Essay Writing Service Works
First, you will need to complete an order form. It's not difficult but, in case there is anything you find not to be clear, you may always call us so that we can guide you through it. On the order form, you will need to include some basic information concerning your order: subject, topic, number of pages, etc. We also encourage our clients to upload any relevant information or sources that will help.
Complete the order form
Once we have all the information and instructions that we need, we select the most suitable writer for your assignment. While everything seems to be clear, the writer, who has complete knowledge of the subject, may need clarification from you. It is at that point that you would receive a call or email from us.
Writer’s assignment
As soon as the writer has finished, it will be delivered both to the website and to your email address so that you will not miss it. If your deadline is close at hand, we will place a call to you to make sure that you receive the paper on time.
Completing the order and download