Risk Analysis – A Case Study by the unemployed professors
A risk is defined as “a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. In other words, where a threat intersects with a vulnerability, risk is present” (NIST 2006). Risks result from uncertainties such as changes in managerial and other positions, changes in the legal environment, changes in customer taste and preference, and much more. Assuming the role of the new Director of the IT department at Goodstuff, together with my experience in the same position at a nearby competitor, gives a wide perspective on the business operations, especially considering that 40% of the company’s business runs online. The tool suited to analysing the risks is the CIA (Confidentiality, Integrity, Availability) model.
Problems and Risks Identified
As the head of the IT department, it is easy to identify that the company has several IT risks. An indication of this risk is the fact that the monthly report received from the merchant services does not match the transaction codes sent from the point of sale systems. The connection between the PoS systems and the main servers is inconsistent, as the two ends are “loosely” connected. Online business transactions are carried out over a highly secure, fast and reliable network.
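A mismatch between the merchant report and the PoS transaction codes is an integrity signal that can be checked systematically rather than noticed by chance. The following reconciliation check is an added example, not part of the case study; the record layout, field names and sample values are constructed for illustration.

```python
# Added example (not from the case study): reconcile PoS transaction codes
# against the merchant settlement report. Record layout and values are constructed.
from decimal import Decimal

# Constructed sample of what the point-of-sale systems logged for one day.
POS_TRANSACTIONS = [
    {"code": "TX1001", "amount": "19.99"},
    {"code": "TX1002", "amount": "45.00"},
    {"code": "TX1003", "amount": "7.50"},
    {"code": "TX1004", "amount": "120.00"},
]

# Constructed sample of the merchant services report for the same day.
MERCHANT_REPORT = [
    {"code": "TX1001", "amount": "19.99"},
    {"code": "TX1002", "amount": "54.00"},  # amount differs from the PoS record
    {"code": "TX1004", "amount": "120.00"},
    {"code": "TX1099", "amount": "33.00"},  # never seen by any PoS terminal
]

def index_by_code(records):
    """Map transaction code -> Decimal amount; a duplicate code is itself an integrity error."""
    indexed = {}
    for rec in records:
        if rec["code"] in indexed:
            raise ValueError(f"duplicate transaction code {rec['code']}")
        indexed[rec["code"]] = Decimal(rec["amount"])
    return indexed

def reconcile(pos_records, merchant_records):
    """Group discrepancies: PoS sales never settled, settled codes with no PoS
    origin, and codes whose amounts disagree (altered or corrupted data)."""
    pos = index_by_code(pos_records)
    merchant = index_by_code(merchant_records)
    shared = set(pos) & set(merchant)
    return {
        "missing_from_merchant": sorted(set(pos) - set(merchant)),
        "missing_from_pos": sorted(set(merchant) - set(pos)),
        "amount_mismatch": sorted(
            (c, str(pos[c]), str(merchant[c])) for c in shared if pos[c] != merchant[c]
        ),
    }

def is_clean(result):
    """True only when every discrepancy list is empty."""
    return not any(result.values())

if __name__ == "__main__":
    for category, items in reconcile(POS_TRANSACTIONS, MERCHANT_REPORT).items():
        print(f"{category}: {items}")
```

Run daily, a non-empty result is the trigger for investigating the PoS-to-server link before the monthly report exposes the gap.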
Another IT risk noted is that the company is using a locally hosted server placed in a closet. Ideally, servers have their own facilities, called server rooms, that are located in highly guarded remote locations far from the working environment. Smaller organizations that cannot meet the capital required to set up such facilities would usually rent the service or seek hosting from another firm.
The company uses an old accounting system installed over a decade ago, together with PoS systems also installed in the early nineties. This poses a technical risk to the company, since the equipment is probably legacy and no longer on the market. Finding technical support for these systems would be a big challenge, since manufacturers do not generally provide customer support for their products over long periods of time. Another technical problem that would arise is that installing new equipment would require extra training for the workers, further increasing the cost of installation.
Other possible problems and risks observed by the unemployed professors that will not be discussed in detail here include employee resistance to the adoption of new equipment. A poor motivational climate can also be noted. The excuse provided by the employees that it would be stressful to install new equipment was rather vague and lame, and indicates that there could be another fundamental problem in the company that needs to be addressed.
Analysis by the unemployed professors
The CIA triad model is used as the tool to analyse the risks and problems stated. Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities or processes; Integrity is the property of safeguarding the accuracy and completeness of assets; and Availability is the property of being accessible and usable upon demand by an authorized entity (Andy and David, 2008).
From an information security point of view, the company does not meet the minimum requirements to guarantee assurance of the information stored and transmitted by the company over the network. “Any organisation should have a policy for its management of Information Assurance” (Andy and David, 2008) and clearly, Goodstuff Inc. does not have such policies. The whole set-up has no data backup system in the first place. This allows data to be lost and never recovered in the event of critical issues such as natural disasters, malfunction, breakage and so forth.
Besides, the unemployed professors highlight that the lack of timely availability of information may result in delays in operations, and this presents a financial risk. Maximum operation can only be achieved when there is synchronism between the PoS systems and the main servers. The lack of it will obviously slow down operations, as workers on both sides would have to wait a considerable amount of time before completing transactions.
The systems used in the company are legacy and were installed a long time ago. With no upgrades, this makes them susceptible to software attacks in the form of viruses, worms and Trojan horses, theft of intellectual property, phishing and many more cybercrimes. These attacks can easily compromise the integrity of data transmitted through the whole system, and its confidentiality altogether.
Recommendations as pointed out by the unemployed professors
Based on the risk evaluation carried out, the risks observed, ranked in order of the impact they have on the company, are IT risk, technical risk, financial risk and the rest. As such, the majority of the problems listed would be solved by addressing the key issues mentioned regarding Goodstuff Inc.’s technology and use of technology. The other problems are mainly technical and financial in nature, while the remaining few are mainly behavioural issues.
Concerning the IT risks analysed, it is recommended that the company move their servers to another secure facility if possible, or perform a system upgrade. There is a new version of Windows Server, version 2012, which is obviously a better performer and more secure. Another possible solution would be to seek cloud services for both the web hosting and email services. The IT department should also install a faster and more robust internet connection that connects all the PoS systems, in order to guarantee that information is available instantly at the main server.
A better solution to the data storage, data security and server issues is to upgrade the whole system to modern cloud-based web hosting and storage technology. Cloud storage facilities are generally more secure and are affordable even to small-sized companies. This would help reduce the risks associated with server failures as well as data storage, saving the company resources to concentrate its efforts on other crucial factors in order to improve its production.
E-commerce and online business transactions can easily be vulnerable if proper software, secure connections and storage are not installed. Technology is dynamic and is constantly evolving. The cause of these rapid changes is usually new innovations in the industry that aim to improve the efficiency and security of IT systems. This means that technology becomes obsolete with time, and therefore companies that rely on IT need not only to be apprised of the latest trends but also to constantly review their systems, performing upgrades and checks. The software installed at Goodstuff is old, and there is a possibility that it is rarely serviced; therefore there could be a breach of the system through malware or simply defunct security functionality. To prevent software attacks, it is recommended that the systems be upgraded regularly and that software vendors be regularly consulted on matters of security concerning the software.
Employees have an attitude towards new technology, and therefore a complete behavioural change is required if the same employees are to work on new equipment. The technical issue can be solved by first running an awareness program to educate the employees on the risks of using legacy equipment. After a while, the company would then organize the upgrade and the training required for the installation of modern equipment. Another possible reason for demotivation could be poor salaries, hence the company could consider improving remuneration and other possible ways of motivating them. The findings of this risk analysis can be used in the next stage of risk management to return Goodstuff Inc. to profitability.
From the study, the unemployed professors found that Goodstuff Inc. suffered from various forms of risk. The largest of all, from an IT point of view, is the IT risk. This is mainly because a huge percentage of the company’s business runs online. It was also observed that there were major technical risks, such as the use of legacy infrastructure and improper storage of the company’s web server.
However, despite the large impact IT risks pose on Goodstuff Inc.’s business, there were still other minor problems such as employee behaviour and attitude towards change. It is also possible that the risks and their order in terms of impact would be totally different when the study is approached from another perspective, such as finance, considering that the corporation’s profits are low.
Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook: A Guide for Managers. NIST Special Publications, 10, 85-86.
Taylor, A., Alexander, D., Finch, A. & Sutton, D. (2008). Information Security Management Principles. The British Computer Society, 1, 1-4.