Information Systems Risk Management
Essay by Dean McClain • October 25, 2015 • Essay • 1,511 Words (7 Pages)
Information Systems (IS) Risk Management
August 17, 2015
In any business, computers and the technology built around them keep the company running: sales, accounting, record keeping, and internal and external email all depend on them. Keeping that machinery well-oiled means making sure that internal employees abide by the rules and policies the company sets, and that external users follow the same protocol when they handle company information, because one slip can take the whole system down. All it takes is one person inserting a flash drive that looks harmless but carries a virus, and the mess begins. This paper discusses Riordan Manufacturing's possible computer vulnerabilities and describes the threats associated with internal and external personnel. Finally, it looks at which security measures are necessary or appropriate to secure the information system while allowing the maximum amount of uninterrupted workflow.
In any company or corporation, a computer attack by cyber criminals is very likely to happen. It is not a question of whether it will happen to the company, but of when the company is going to get hacked. Believe it or not, the single largest threat to an organization and its information security comes from within, and many times organizations suffer from key individuals intentionally stealing information or corrupting files (Taylor, Fritsch, & Liederbach, 2015, p. 325). Company information is taken every day, and some organizations do not notice until it is too late and the damage to the system is already done. In many inside incidents there is practically no detection of an occurrence at all: computer information is opened, changed, stolen, or damaged without the company's knowledge, because the insider covers the tracks with tools that hide or erase the evidence.
Another area of concern for Riordan Manufacturing is social engineering. This is where an employee is led to believe that an Information Specialist is fixing his or her computer over the phone, when in reality the caller is an attacker. Possibly one of the best ways for hackers to acquire access to a network is by manipulating the trusting nature of a company's employees. Why go to all the trouble of writing software to steal passwords from the company's network if individuals will simply give this information away? You can have the best technical systems in place, but they are not effective if people are not educated about the risks, and a survey conducted by Deloitte found that three-quarters of companies had not trained staff in the risks of information leakage and social engineering (Whittle, 2008). It is imperative that all employees understand the value of company information, never give out passwords or other computer details over the business phone, and know what a phishing email looks like.
Finally, the area where vulnerability is most often accidental rather than malicious is the unsecured wireless network. With the emergence of laptop and mobile computing has come the growth of wireless Internet access points, accessible by Wi-Fi connections (Taylor, Fritsch, & Liederbach, 2015, p. 327). Whether at Starbucks, an international airport, or a famous hotel chain, these unsecured networks can quickly put sensitive information in danger. All it takes is a peek into email communications or file transfers for valuable data to be stolen; Wi-Fi networks are the most susceptible to these attacks, but do not overlook Bluetooth on smartphones (Beaver, 2015). A company's own wireless local area networks are a concern too: radio does not stop at the office walls, so an employee could use the WLAN to reach and explore the company's databases after regular working hours, which would be bad for any type of business.
Many corporations institute intricate organizational schemes and data-handling guidelines that are too complex to track or monitor. Although data classification is important, it should not be a hurdle to protecting sensitive data; instead, leverage existing efforts such as business impact analysis (BIA) or disaster recovery (DR) exercises that already seek to identify and protect critical areas and sensitive data (Kark, 2015). Rules that people can actually follow are the foundation for the steps that curtail those who wish to harm a small or large business.
Out of all this mayhem and exploitation of the company's personal or private information, there are ways to lower the risk of an attack on the company. All a company can do is prepare for the worst and hope for the best. Because the employees themselves are a possible source of threat, it is important that the company set guidelines for everyone to follow. To protect the company and its information, IT practitioners suggest a two-pronged approach. First, use monitoring software to check email and Internet traffic for certain keywords or file types, and consider blocking certain websites and applications completely (Whittle, 2008). Second, devise a Standard Operating Procedure that spells out every employee's responsibility for network security; once each employee has read and understood it, have everyone sign it, and stress again that all employees thoroughly understand the risks and their responsibilities. In the end it is all about protecting Riordan Manufacturing and the secrets of its new products.
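As an added example (not part of the essay or the cited sources), the first prong in Python: a small monitor that applies a keyword, file-type and blocked-site policy to outbound web-proxy and mail events. The event format, the policy sets, the user names and the domain names are all constructed for the example and are not Riordan Manufacturing data.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample of outbound events (not real traffic). Two record shapes:
#   "PROXY <user> <method> <url>"            one web proxy line
#   "MAIL  <user> <recipient> <attachment>"  one outbound mail with one attachment
SAMPLE_EVENTS = [
    "PROXY jdoe GET http://www.example-news.com/story/42",
    "PROXY jdoe POST https://upload.files.example.net/put/q3_pricing_final.xlsx",
    "PROXY asmith GET https://m.socialsite.example/feed",
    "MAIL asmith partner@vendor.example moulding_specs.pdf",
    "MAIL bjones personal@webmail.example Riordan_product_roadmap.docx",
    "PROXY bjones GET https://intranet.riordan.example/hr/handbook.pdf",
]

# Policy, in the shape the paragraph describes (all values are example choices).
KEYWORDS = {"pricing", "roadmap", "confidential"}           # words that mark sensitive content
WATCHED_TYPES = {".xlsx", ".docx", ".pdf"}                   # file types worth an alert when they leave
BLOCKED_DOMAINS = {"socialsite.example", "webmail.example"}  # sites and recipients the policy blocks
INTERNAL_DOMAINS = {"riordan.example"}                       # traffic that stays inside is exempt


def domain_matches(host, domains):
    """True if host equals one of `domains` or is a subdomain of one.
    The match is on a label boundary, so 'notwebmail.example' does not match 'webmail.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def keyword_hits(text):
    """Whole-token, case-insensitive keyword matches ('q3_pricing_final' hits 'pricing')."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return sorted(KEYWORDS & tokens)


def inspect_event(line):
    """Return a list of (alert_type, user, detail) tuples for one event line."""
    kind, user, first, second = line.split()
    alerts = []
    if kind == "PROXY":
        method, url = first, second
        parts = urlsplit(url)
        host, path = (parts.hostname or ""), parts.path
        if domain_matches(host, INTERNAL_DOMAINS):
            return alerts                      # internal destination: not an exfiltration path
        if domain_matches(host, BLOCKED_DOMAINS):
            alerts.append(("blocked_site", user, host))
        if method == "POST" and os.path.splitext(path)[1].lower() in WATCHED_TYPES:
            alerts.append(("upload_file_type", user, path))
        alerts += [("keyword", user, kw) for kw in keyword_hits(path)]
    elif kind == "MAIL":
        recipient, attachment = first, second
        rdomain = recipient.rsplit("@", 1)[-1]
        if domain_matches(rdomain, INTERNAL_DOMAINS):
            return alerts                      # internal recipient: exempt
        if domain_matches(rdomain, BLOCKED_DOMAINS):
            alerts.append(("blocked_recipient", user, rdomain))
        if os.path.splitext(attachment)[1].lower() in WATCHED_TYPES:
            alerts.append(("attachment_file_type", user, attachment))
        alerts += [("keyword", user, kw) for kw in keyword_hits(attachment)]
    return alerts


def run_monitor(lines):
    """Apply the policy to every event and collect the alerts."""
    return [alert for line in lines for alert in inspect_event(line)]


if __name__ == "__main__":
    for alert_type, user, detail in run_monitor(SAMPLE_EVENTS):
        print(f"{alert_type:22} {user:8} {detail}")
```

The monitor only sees names: a renamed or zipped spreadsheet, or a keyword that appears only inside the file body, passes unseen, and on an HTTPS session a proxy that does not terminate TLS never sees the path at all. That limit is the reason the second prong, a signed procedure and awareness training, is not optional.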
Riordan Manufacturing cannot control the wireless networks outside the business, but it can make its users' connections on those networks secure. This entails a Virtual Private Network (VPN) for remote network connectivity, a personal firewall to keep other users on the hotspot from connecting to the laptop, and Secure Sockets Layer/Transport Layer Security (SSL/TLS) for all messaging, such as webmail via Hypertext Transfer Protocol Secure (HTTPS), Post Office Protocol over TLS (POP3S), Internet Message Access Protocol over TLS (IMAPS), and Simple Mail Transfer Protocol over TLS (SMTPS) (Beaver, 2015). Inside the business, any internal wireless network must be secured with correct encryption and authentication using Wi-Fi Protected Access (WPA) or, preferably, WPA2, and, most importantly, logging must be enabled so that Riordan Manufacturing can see who connected and when. Another vulnerable area that employees tend to forget is Bluetooth on their smartphones. Deactivating Bluetooth when it is not needed, or at least making the phone non-discoverable, also cuts down on wireless attacks from external or internal sources.
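As an added example (not the essay's or the cited authors' code), a Python audit of the settings this paragraph lists: mail transport, Wi-Fi profile security, access-point logging, VPN use, the personal firewall and Bluetooth. The configuration snapshot, SSIDs and user names are constructed; the port numbers are the standard ones (POP3S 995, IMAPS 993, SMTPS 465; plaintext 110/143/25; SMTP submission 587).

```python
# Implicit-TLS ports for the protocols the paragraph names (POP3S, IMAPS, SMTPS).
IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}

# Constructed configuration snapshot (not a real Riordan system).
SAMPLE_CONFIG = {
    "mail_accounts": [
        {"user": "jdoe",   "protocol": "pop3", "port": 110, "encryption": "none"},
        {"user": "asmith", "protocol": "imap", "port": 993, "encryption": "ssl"},
        {"user": "bjones", "protocol": "smtp", "port": 587, "encryption": "starttls-opportunistic"},
        {"user": "bjones", "protocol": "imap", "port": 143, "encryption": "none"},
    ],
    "wifi_profiles": [
        {"ssid": "RIORDAN-CORP",  "security": "WPA2", "cipher": "CCMP", "managed": True,  "logging": True},
        {"ssid": "RIORDAN-GUEST", "security": "WPA",  "cipher": "TKIP", "managed": True,  "logging": False},
        {"ssid": "Airport-Free",  "security": "open", "cipher": None,   "managed": False, "logging": False},
    ],
    "endpoint": {
        "vpn_required_off_site": False,
        "personal_firewall": False,
        "bluetooth": {"enabled": True, "discoverable": True},
    },
}


def audit_mail_account(acct):
    """Findings for one mail client account: (component, problem, fix)."""
    proto, port, enc = acct["protocol"], acct["port"], acct["encryption"]
    who = f"mail:{acct['user']}/{proto}:{port}"
    secure_port = IMPLICIT_TLS_PORTS[proto]
    if enc == "none":
        return [(who, "no TLS: password and messages cross the Wi-Fi in the clear",
                 f"switch to {proto.upper()}S on port {secure_port} with encryption=ssl")]
    if enc == "starttls-opportunistic":
        # A client that falls back to cleartext when STARTTLS is not offered can be
        # downgraded by anyone who can tamper with the connection, e.g. on a hotspot.
        return [(who, "STARTTLS is optional, so a downgrade to cleartext succeeds",
                 f"require STARTTLS, or use implicit TLS on port {secure_port}")]
    return []   # "ssl" (implicit TLS) or "starttls-required" is acceptable


def audit_wifi_profile(prof):
    """Findings for one Wi-Fi profile; 'managed' marks Riordan's own access points."""
    findings = []
    ssid, sec, cipher = prof["ssid"], prof["security"], prof.get("cipher")
    name = f"wifi:{ssid}"
    if sec in ("open", "WEP"):
        findings.append((name, f"{sec} network: anyone in range can read the traffic",
                         "treat as hostile: VPN for all traffic and TLS for mail; "
                         "a company AP should run WPA2 with CCMP (AES)"))
    elif sec == "WPA" or cipher == "TKIP":
        findings.append((name, f"{sec}/{cipher}: legacy WPA or TKIP in use",
                         "WPA2 with CCMP (AES) and a strong passphrase, or 802.1X"))
    if prof.get("managed") and not prof.get("logging"):
        findings.append((name, "AP logging disabled: after-hours access leaves no trace",
                         "log associations and authentications to a central log server"))
    return findings


def audit_endpoint(ep):
    """Findings for the laptop/phone settings the paragraph lists."""
    findings = []
    if not ep["vpn_required_off_site"]:
        findings.append(("endpoint:vpn", "off-site traffic is not forced through the VPN",
                         "require the VPN before any off-site network use"))
    if not ep["personal_firewall"]:
        findings.append(("endpoint:firewall", "personal firewall off: other hotspot users can reach the laptop",
                         "enable the host firewall and drop all inbound connections by default"))
    bt = ep["bluetooth"]
    if bt["enabled"] and bt["discoverable"]:
        findings.append(("endpoint:bluetooth", "Bluetooth discoverable: the phone advertises itself to anyone nearby",
                         "disable Bluetooth when unused, otherwise set it non-discoverable"))
    return findings


def audit_config(cfg):
    """Run every check and return the combined list of findings."""
    findings = []
    for acct in cfg["mail_accounts"]:
        findings += audit_mail_account(acct)
    for prof in cfg["wifi_profiles"]:
        findings += audit_wifi_profile(prof)
    findings += audit_endpoint(cfg["endpoint"])
    return findings


if __name__ == "__main__":
    for component, problem, fix in audit_config(SAMPLE_CONFIG):
        print(f"{component:26} {problem}\n{'':26} fix: {fix}")
```

The STARTTLS check is the caveat worth keeping: "TLS if available" is not the same as TLS, because a client that falls back to cleartext when the server does not offer STARTTLS can be downgraded by anyone on the hotspot who can tamper with the connection. Implicit TLS on the POP3S/IMAPS/SMTPS ports, or STARTTLS marked as required, removes that fallback.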
...
...