The Cornersea Shire Council’s IT manager, Lex Georghiu has accepted your report on the initial risk assessment. It was tabled to the leadership team, and after much deliberation a reasonable budget was approved to improve the council’s security posture.
You have been assigned to the Shire of Cornersea to carry out an extensive risk assessment on the council’s information management practices and on its information assets
Your task is to produce a 2500 word business report addressing the above requirements.
The Shire of Cornersea is a medium-sized council spread over an area of 900 square kilometres. There are twenty townships and 18 postal districts in the council, with a population of over 150000. The residents come from diverse cultural and ethnic backgrounds, including Europe, Asia, and Africa. Numerous risks have been identified in relation to the council's information system and information security. Legal risks, physical security risks, resource risks, risks of natural hazards, and communication risks may also arise. This report covers a risk management process for the council.
The purpose of the plan is to highlight the outline and schedule that will be followed in risk management process associated with The Shire of Cornersea. The plan is also prepared to define the key roles and responsibilities for risk management and assess the risks in terms of likelihood, impact, and priority.
The risk management plan is extremely significant for The Shire of Cornersea because information security and information system risks may occur. These risks shall be prevented, controlled, detected, and avoided with the aid of this plan; failing this, there may be adverse implications for the council and its associated entities.
The Shire of Cornersea is composed of 150000 residents and manages huge data sets associated with them. These data sets comprise various categories of information, such as public information (location details of the council, facilities, and services offered, etc.). There are also private, sensitive, and confidential data sets associated with the council (Calandro, 2015).
For instance, demographic and health details of the residents are extremely private and confidential in nature. The legal norms and principles that the council shall maintain, along with the regulatory policies, are also sensitive information. Internal processes and related information are private information.
The risk tolerance level would be high for public information sets compared to private, confidential, or sensitive data. The Shire of Cornersea is exposed to numerous risks and vulnerabilities that are covered in the later sections of the report; however, risks with low probability and low impact levels may be tolerated.
An outline of the risk management plan has been depicted in the diagram above. There will be five processes involved in the risk management plan viz. risk identification, risk analysis and prioritization, risk treatment, risk control, and risk monitor & report.
The first process will include a listing of all the risks that may occur in association with The Shire of Cornersea irrespective of their probability and impact score. There will be information investigation techniques, such as interviews, surveys, observations, and domain analysis conducted to identify the risks (Bromiley, Rau and McShane, 2014).
The second process will analyse and prioritize the risks identified. In this process, a risk assessment table will be developed that will include the probability and impact score for each risk and a priority will be assigned accordingly.
The risk treatment process will include the assignment of a treatment strategy to each risk, which may be risk avoidance, risk mitigation, risk acceptance, or risk transfer. The strategy selected will then be implemented for each risk (Frigo and Anderson, 2011).
The risk control process will be applied in the fourth process. It will include the attempts to reduce the risk impact on the council and its associated entities and may include controls, such as internal controls, preventive, or detective controls (Ykhlef and Algawiaz, 2014).
The application of the risk treatment strategy and risk controls will be monitored in the last process, and risk reports will be prepared to track status and completion.
The scope of the risk management process will cover the identification, analysis & prioritization, treatment, control, monitoring, and reporting of the risks. The identification process will also include risk planning, which covers the data collection process, distribution of key roles and responsibilities, and estimation of schedule and budget (Schiller and Prpich, 2013).
Risk Assessment
Key Roles & Responsibilities
Information Assets & Systems at Risk
The data sets at the council comprise various categories of information, from public information (location details of the council, facilities, and services offered) to private, sensitive, and confidential data such as residents' demographic and health details, the legal norms and regulatory policies the council shall maintain, and its internal processes (Tohidi, 2011).
The information assets and systems are at risk and the top 6 risks are described below.
Information Security Risks: Information security risks may arise involving malware attacks, denial of service attacks, distributed denial of service attacks, media alteration attacks, message alteration attacks, eavesdropping attacks, man in the middle attacks, spoofing attacks, phishing attacks, database injection attacks, and account hijacking attacks.
Legal Risks: Various laws are followed and implemented in the council, such as road and transport laws, local laws, waste management laws, food transportation laws, and the like. Non-compliance with or violation of these laws, or improper handling by the IT department, may result in legal obligations.
Resource Risks: The recent employee turnover and leaves may lead to scarcity of the resources or may impact the productivity and efficiency levels of the existing resources.
Physical Security Risks: Access to the IT department is not secured and protected by strong access control mechanisms. This may lead to unauthorized access to the area and exposure of confidential data and information.
Data Backup & Data Loss Risks: The data backup process has not been tested since the initial testing was performed. There may be performance issues with the backup process, which may lead to data loss or leakage.
Risks of Fire/Natural Hazards: The council's server room does not have a separate fire extinguishing system, which may lead to unrecoverable data loss in case of fire.
The risks with the highest priorities are information security risks and attacks, data backup (data loss) risks, and physical security risks. The threats associated with the resources engaged by the council are also of great concern, as scarcity of resources may lead to a breakdown of service and business continuity.
There are several vulnerabilities present in The Shire of Cornersea. The first category is network security vulnerabilities. The network security protocols and access points used in the current systems may give attackers a larger attack window and attack surface, making it easier for them to realise the information security risks and attacks. The council is exposed to a number of information security risks due to the vulnerabilities present in its systems and networks. These vulnerabilities, such as insecure access points, weak passwords, and poor access control and authentication mechanisms, may be used by malicious entities to carry out security attacks. The poorly tested backup system and processes and the lack of physical security in the IT division and server room may lead to risks such as exposure of confidential information to unauthorized entities (Brustbauer, 2014).
Any non-IT member may gain access to the IT department and look into the operations being carried out by the resources, or overhear discussions on important system operations being executed by the team. This may lead to exposure of the information to an unauthorized entity. With the current state of untested backup processes, the system may fail to capture the data sets in such situations, leading to increased damage and difficulty in the disaster recovery process.
The operational risks and risks of fire and natural hazards will have a low probability. This is because natural hazards and similar occurrences seldom take place, and operational issues with the systems are also fewer due to the resources' familiarity with the systems in place. The probability of legal, ethical, supplier, and communication risks has been found to be moderate, while resource risks, data backup & data loss risks, and technical risks may have a high probability. Due to the increased security vulnerabilities, the information security risks and physical security risks have a very high probability.
The impact of resource risks, legal risks, ethical risks, information security and physical security risks, and risks of fire or natural hazards will be high. This is because legal obligations, ethical non-compliance, resource scarcity or drops in productivity, compromise of information properties, and damage to lives and property will not be easy to recover from. Supplier, communication, and technical risks will have an intermediate impact, as there will be mitigation techniques in place to control the damage. The occurrence of operational errors and mistakes will have a mild impact.
The Shire of Cornersea Risk Assessment Table (rows: impact; columns: probability)

| Impact \ Probability | Low | Moderate | High | Very High |
|---|---|---|---|---|
| Severe | Risk of Fire & Natural Hazards | Legal Risks; Ethical Risks | Resource Risks; Data Backup / Data Loss Risks | Information Security Risks & Attacks; Physical Security Risks |
| Intermediate | | Supplier Risks; Communication Risks | Technical Risks | |
| Mild | Operational Risks | | | |
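The probability-by-impact scoring that the table above summarises, worked through as an added example that is not part of the report: a small Python risk register scores each of the report's risks on the same ordinal scales, assigns a priority band, and rebuilds the matrix. The numeric weights (Low=1 to Very High=4, Mild=1 to Severe=3) and the band thresholds are assumptions; the report gives only the ordinal ratings.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scales from the report's risk assessment table; the numeric weights are an assumption.
PROBABILITY = {"Low": 1, "Moderate": 2, "High": 3, "Very High": 4}
IMPACT = {"Mild": 1, "Intermediate": 2, "Severe": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str
    impact: str

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently mis-score a risk.
        if self.probability not in PROBABILITY:
            raise ValueError(f"unknown probability rating: {self.probability!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    @property
    def score(self) -> int:
        """Probability weight multiplied by impact weight (1..12)."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def priority_band(score: int) -> str:
    """Map a score to a priority band; the thresholds are assumed, not taken from the report."""
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_risks(risks: List[Risk]) -> List[Tuple[Risk, int, str]]:
    """Return (risk, score, band) triples, highest score first; ties keep input order."""
    scored = [(r, r.score, priority_band(r.score)) for r in risks]
    return sorted(scored, key=lambda t: -t[1])


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Group risk names by (impact, probability) cell, i.e. the layout of the report's table."""
    cells: Dict[Tuple[str, str], List[str]] = {
        (i, p): [] for i in IMPACT for p in PROBABILITY
    }
    for r in risks:
        cells[(r.impact, r.probability)].append(r.name)
    return cells


# The report's risks with the ratings its assessment table gives them.
COUNCIL_RISKS = [
    Risk("Information Security Risks & Attacks", "Very High", "Severe"),
    Risk("Physical Security Risks", "Very High", "Severe"),
    Risk("Resource Risks", "High", "Severe"),
    Risk("Data Backup / Data Loss Risks", "High", "Severe"),
    Risk("Legal Risks", "Moderate", "Severe"),
    Risk("Ethical Risks", "Moderate", "Severe"),
    Risk("Risk of Fire & Natural Hazards", "Low", "Severe"),
    Risk("Technical Risks", "High", "Intermediate"),
    Risk("Supplier Risks", "Moderate", "Intermediate"),
    Risk("Communication Risks", "Moderate", "Intermediate"),
    Risk("Operational Risks", "Low", "Mild"),
]


if __name__ == "__main__":
    for risk, score, band in rank_risks(COUNCIL_RISKS):
        print(f"{score:2d}  {band:8s}  {risk.name}")
    print()
    for (impact, prob), names in risk_matrix(COUNCIL_RISKS).items():
        if names:
            print(f"{impact:12s} x {prob:9s}: {', '.join(names)}")
```

Run as written, the ranking puts the two Very High / Severe risks first, followed by the two High / Severe risks, which matches the report's statement of its highest priorities; the matrix output reproduces the non-empty cells of the table. Changing a weight or threshold in one place re-scores the whole register, which is the point of keeping the scales as data rather than hard-coding priorities per risk.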
Recommendations & Conclusion
The council must develop and implement risk controls for the avoidance and prevention of the risks. For instance, it shall implement advanced technical controls, such as anti-denial-of-service tools, intrusion detection and prevention systems, anti-malware tools, firewalls, etc., to prevent the information security risks from materialising. It must also use encryption techniques for data protection (Domanski, 2016). The state of physical security shall be improved by implementing multi-factor authentication, biometric authentication, and advanced access control. Security and safety against fire and other natural hazards shall be upgraded and implemented in all sections and divisions. Standard protocols and policies must be followed for internal and external communication, and telecommunication protocols and secure information sharing portals shall be included. Resource engagement and assessment programs shall also be carried out to maintain the motivation of the resources and bring down the employee turnover rate (Merigo, 2014).
References
Arnaboldi, M. and Lapsley, I. (2014). Enterprise-wide risk management and organizational fit: a comparative study. Journal of Organizational Effectiveness: People and Performance, 1(4), pp.365-377.
Bromiley, P., Rau, D. and McShane, M. (2014). Can Strategic Risk Management Contribute to Enterprise Risk Management? A Strategic Management Perspective. SSRN Electronic Journal.
Brustbauer, J. (2014). Enterprise risk management in SMEs: Towards a structural model. International Small Business Journal, 34(1), pp.70-85.
Calandro, J. (2015). A leader’s guide to strategic risk management. Strategy & Leadership, 43(1), pp.26-35.
Domanski, J. (2016). Risk Categories and Risk Management Processes in Nonprofit Organizations. Foundations of Management, 8(1).
Frigo, M. and Anderson, R. (2011). Strategic risk management: A foundation for improving enterprise risk management and governance. Journal of Corporate Accounting & Finance, 22(3), pp.81-88.
Merigo, J. (2014). Decision-making under risk and uncertainty and its application in strategic management. Journal of Business Economics and Management, 16(1), pp.93-116.
Schiller, F. and Prpich, G. (2013). Learning to organise risk management in organisations: what future for enterprise risk management? Journal of Risk Research, 17(8), pp.999-1017.
Tohidi, H. (2011). The role of risk management in IT systems of organizations. Procedia Computer Science, 3, pp.881-887.
Ykhlef, M. and Algawiaz, D. (2014). A New Strategic Risk Reduction For Risk Management. International Journal of Computational Intelligence Systems, 7(6), pp.1054-1063.