
Tuesday, 14 June 2011

Risk management 15 Wed 2011

ISOM TUTORIAL ON RISK MANAGEMENT

Risk can be defined as the potential for harm to a system. From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.

5 Information System Risks

Human errors
There is no doubt that humans cannot work with the same consistency as machines, so human error is highly likely in any organization. Sometimes it is a direct error by a human that causes a malfunction in the system, or incomplete or incorrect information. An example is when a person fails to understand an instruction given by the system and later gets a different response from the one expected.
Environmental hazards
These are usually considered harms outside human control; in most if not all cases there is nothing that can be done to stop them. In recent news Japan was hit by a natural disaster; a system had been set up to detect the disaster beforehand, but despite their efforts to protect themselves against such situations it still took place with a devastating impact. Natural disasters such as earthquakes can cause communication disruption and even the total destruction of computer hardware and software.

Computer systems failures
A system failure may occur for a number of reasons, including poor design, a lack of good quality control and poor development practices. An example of poor development practices causing a system failure can be found in the experience of the Pentagon's National Reconnaissance Office (NRO): inadequate testing of the delivery system of the Titan IV rocket. Two Titan rockets were lost, meaning that expensive military equipment necessary to the U.S. Government's defence program (namely early warning satellites) could not be deployed. The head of the NRO attributed this error to "a misplaced decimal point" in the software which controlled the rocket.

Intentional threats
An intentional threat is one devised by a culprit to deliberately harm a system's operation. Such threats include deliberate manipulation of data, sabotage, theft of data and the inappropriate use of it. An example is corporate espionage, the acquisition of trade secrets from business competitors, which can be done by means of computer tapping and many other ways. For instance, in the early '90s allegations came to light that Avant!, a Silicon Valley software company, had stolen code from a rival company, Cadence Design Systems.

Cyber crime
Any crime that involves a computer and a network can be classified as a cyber crime. These are commonly committed by hackers and include activities such as data tampering and programming fraud. An example is the NASA incident: seven hours after the Columbia shuttle tragedy a hacking group struck down nine servers belonging to NASA's Jet Propulsion Laboratory (JPL). The digital attacks were recorded around 22:15 GMT and continued in succession until 23:54 GMT. All nine JPL.NASA.GOV servers were running the Sun Solaris operating system at the time.

Ways to prevent system risks
·         Virus protection
Using virus protection software to keep the system from being vulnerable to attacks can be a way to control risks.
·         Encryption
Encryption refers to the act of transforming data into a form that can be understood only by authorized people. For example, public-key cryptography uses algorithmic keys so that data from a sender can be read by its intended recipient.
·         Audit trail
This is a sequence of steps, supported by documentary evidence, that records the actual processing of a transaction as it flows through an organization, a process or a system. Audit trails can help to protect information from unauthorized use and increase visibility into enterprise processes.
·         Backup
Regular backups, with at least a weekly copy of the backed-up data kept off-site, are of course a necessity and the most effective way to minimize data loss when inevitable hardware breakdowns occur.

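The audit trail and the data tampering mentioned above can be illustrated with a small hash-chained log. This is an added example, not code from the original post: each entry commits to the hash of the previous one, so that a changed, removed or reordered transaction record is detected when the trail is verified. The event format and sample events are constructed for this example.

```python
import hashlib
import json

# Constructed sample transaction events (format assumed for this example).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "update_record", "record": 101},
    {"user": "bob", "action": "read_record", "record": 101},
    {"user": "alice", "action": "delete_record", "record": 102},
]

GENESIS = "0" * 64  # previous-hash value used for the very first entry


def _entry_hash(prev_hash, seq, event):
    # Canonical JSON (sorted keys, no whitespace) so identical events
    # always produce the same digest regardless of dict ordering.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_trail(events):
    """Append events to a hash chain: each entry's hash covers its
    sequence number, the previous entry's hash and the event itself."""
    trail, prev = [], GENESIS
    for seq, event in enumerate(events):
        digest = _entry_hash(prev, seq, event)
        trail.append({"seq": seq, "prev": prev, "event": event, "hash": digest})
        prev = digest
    return trail


def verify_trail(trail):
    """Recompute every link. Returns (True, None) if the trail is intact,
    otherwise (False, position) of the first entry that fails the check.
    Editing, deleting or reordering an entry breaks the chain at or after it."""
    prev = GENESIS
    for pos, entry in enumerate(trail):
        expected = _entry_hash(prev, pos, entry["event"])
        if entry["seq"] != pos or entry["prev"] != prev or entry["hash"] != expected:
            return False, pos
        prev = entry["hash"]
    return True, None


if __name__ == "__main__":
    trail = build_trail(SAMPLE_EVENTS)
    print("intact:", verify_trail(trail))
    trail[1]["event"]["user"] = "mallory"  # simulate tampering with a record
    print("after tampering:", verify_trail(trail))
```

The chain only makes tampering evident; to keep an attacker from simply rebuilding the chain, the latest hash should be stored somewhere the system being audited cannot write (for example, alongside the off-site backup).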
Types of audits
Internal
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
·         Objective
An internal audit looks more into forming an opinion on the adequacy and effectiveness of systems of risk management and internal control.
·         Scope
The scope here lies in checking every other operation in the organization.
External

·         Objective
An external audit seeks to test the underlying transactions that form the basis of the financial statements. In other words, an external auditor reviews the control procedures and many other operations as part of their overall evaluation of internal controls.
·         Scope
The scope of an external audit is to check the financial statements.
