1.0 Introduction to Risk Analysis
Risk analysis in an IT environment defines the procedures used to study every IT system in order to identify threats, determine the likelihood of their occurrence, identify vulnerabilities, and determine the loss that would result if one or more of those vulnerabilities were exploited by a threat. The threats considered are threats to information confidentiality, integrity and availability. Risk analysis comprises planning the risk assessment, performing it, verifying the results, and reporting the IT risk assessment to the risk agency (Commonwealth of Virginia, 2014).
The risk analysis is carried out for each IT system with respect to confidentiality, integrity and availability. Other items recorded in the analysis are the vulnerability, the assessment completion date, the cyber security framework subcategory, the threat, its impact, and the controls currently in place. The systems analysed are the management information system, transaction processing system, decision support system, software systems, inventory systems, website systems, IT hardware systems, computer network system and payroll system.
2.0 Reporting IT Risk assessment results
2.1 Risk identification
2.1.1 Risk of theft/damage or attack
Most of the information technology systems are affected by this threat, at a level rated low, medium or high. The analysis shows a low magnitude of theft or damage impact for the management information system, which has a high sensitivity rating for confidentiality and integrity but a medium rating for availability. This implies that the physical devices and systems associated with the management information system are less vulnerable to theft or attack. The controls currently in place for this system are access controls in the form of passwords and user authentication. The same low magnitude of impact applies to the decision support system and the payroll system; the decision support system has high sensitivity for confidentiality, availability and integrity, with several levels of personnel authentication as the control in place.
A medium magnitude of impact was found for the software systems, inventory systems, website systems and network system. This means there is a considerable possibility of an attack on these systems, and that they are moderately vulnerable to attack or theft. The software system has medium sensitivity for confidentiality, integrity and availability; antivirus software is currently the control in place for it (Zwikael & Ahn, 2011). The inventory system has medium sensitivity for confidentiality and integrity but high sensitivity for availability; access controls are the control in place against attack on it. Both the website system and the network system have medium sensitivity for confidentiality and integrity but high sensitivity for availability. Access controls together with cloud security services are the controls in place for the website system, while cloud security services, firewalls and an intrusion detection system are the controls in place for the network system. The intrusion detection system is itself affected by a medium magnitude of attack impact, with medium, high and medium sensitivity for confidentiality, integrity and availability respectively; the incident response team together with the cloud service providers are the controls in place for it.
The hardware system has a high magnitude of attack threat, implying that the hardware devices are highly vulnerable to attack, theft or damage. It has low sensitivity for confidentiality, medium sensitivity for integrity and high sensitivity for availability. Cloud security services are the control currently in place for the hardware system (Commonwealth of Virginia, 2014).
2.1.2 Risk of illegal or unauthorized access
The transaction processing system and the payroll system are both affected by a low magnitude of impact from unauthorized access. According to the risk analysis, the transaction processing system has high sensitivity for confidentiality, integrity and availability, and it is less vulnerable to the threat of unauthorized access. Access controls and user authentication are the controls currently in place against unauthorized access to the transaction processing system. The payroll system is also less vulnerable to unauthorized access according to the analysis, and it too has high sensitivity for confidentiality, integrity and availability. Access controls, user authentication and antivirus are the controls in place against unauthorized access to the payroll system.
3.0 Risk treatment plan
3.1 Risk of theft/damage or attack
The treatment plan for the management information system is identification and authentication of users. The treatment plan for the decision support system will include personnel security. The intrusion detection system, software systems, inventory systems and website system will all be treated through incident response planning. The treatment plans for the IT hardware system and the network system consist of physical and environmental protection and system and communications protection respectively.
3.2 Risk of illegal or unauthorized access
The transaction processing system and the payroll system, both of which have a low risk magnitude, will be treated through audit and accountability and risk assessment respectively.
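The risk register described in sections 2 and 3 (each system's confidentiality, integrity and availability sensitivity, the magnitude of the threat, the controls in place, and the treatment chosen) can be kept as structured data so that the treatment plan can be checked against the identified risks rather than read off by hand. The following is an added example and not part of the report; it transcribes the register as stated above, ranks entries by magnitude, and flags entries for which the report states no control or no treatment. Where the report gives no value (the payroll system's controls and treatment for the theft/damage threat are not stated in sections 2.1.1 and 3.1), the field is left empty so that the check reports it.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Ordinal rating used both for CIA sensitivity and for risk magnitude."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class RiskEntry:
    system: str
    threat: str                    # "theft/damage/attack" or "unauthorized access"
    confidentiality: Level
    integrity: Level
    availability: Level
    magnitude: Level               # impact magnitude found by the analysis
    controls: List[str] = field(default_factory=list)  # controls currently in place
    treatment: str = ""            # control family named in the treatment plan

    def highest_sensitivity(self) -> Level:
        return max(self.confidentiality, self.integrity, self.availability)


L, M, H = Level.LOW, Level.MEDIUM, Level.HIGH

# Register transcribed from sections 2.1 and 3 of the report (constructed data model,
# values as stated there; empty fields mark values the report does not give).
REGISTER: List[RiskEntry] = [
    RiskEntry("management information system", "theft/damage/attack", H, H, M, L,
              ["passwords", "user authentication"], "identification and authentication"),
    RiskEntry("decision support system", "theft/damage/attack", H, H, H, L,
              ["personnel authentication"], "personnel security"),
    # Sensitivities taken from section 2.1.2 (same system); no controls or
    # treatment are stated for this threat in sections 2.1.1 and 3.1.
    RiskEntry("payroll system", "theft/damage/attack", H, H, H, L, [], ""),
    RiskEntry("software systems", "theft/damage/attack", M, M, M, M,
              ["antivirus"], "incident response planning"),
    RiskEntry("inventory systems", "theft/damage/attack", M, M, H, M,
              ["access controls"], "incident response planning"),
    RiskEntry("website systems", "theft/damage/attack", M, M, H, M,
              ["access controls", "cloud security services"], "incident response planning"),
    RiskEntry("network system", "theft/damage/attack", M, M, H, M,
              ["cloud security services", "firewalls", "intrusion detection system"],
              "system and communications protection"),
    RiskEntry("intrusion detection system", "theft/damage/attack", M, H, M, M,
              ["incident response team", "cloud service providers"],
              "incident response planning"),
    RiskEntry("IT hardware system", "theft/damage/attack", L, M, H, H,
              ["cloud security services"], "physical and environmental protection"),
    RiskEntry("transaction processing system", "unauthorized access", H, H, H, L,
              ["access controls", "user authentication"], "audit and accountability"),
    RiskEntry("payroll system", "unauthorized access", H, H, H, L,
              ["access controls", "user authentication", "antivirus"], "risk assessment"),
]


def ranked_by_magnitude(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest magnitude first; ties broken by highest CIA sensitivity, then by name."""
    return sorted(register,
                  key=lambda e: (-int(e.magnitude), -int(e.highest_sensitivity()), e.system))


def without_treatment(register: List[RiskEntry]) -> List[RiskEntry]:
    """Identified risks that the treatment plan does not cover."""
    return [e for e in register if not e.treatment]


def without_controls(register: List[RiskEntry]) -> List[RiskEntry]:
    """Identified risks for which no current control is recorded."""
    return [e for e in register if not e.controls]


def systems_by_treatment(register: List[RiskEntry]) -> Dict[str, List[str]]:
    """Group systems under the control family chosen to treat them."""
    groups: Dict[str, List[str]] = {}
    for e in register:
        if e.treatment:
            groups.setdefault(e.treatment, []).append(e.system)
    return groups


def render(register: List[RiskEntry]) -> List[str]:
    """Plain-text register, one line per entry, ordered by magnitude."""
    lines = [f"{'system':32} {'threat':22} C I A  mag  treatment"]
    for e in ranked_by_magnitude(register):
        cia = f"{e.confidentiality.name[0]} {e.integrity.name[0]} {e.availability.name[0]}"
        lines.append(f"{e.system:32} {e.threat:22} {cia}  {e.magnitude.name:6} "
                     f"{e.treatment or '(none stated)'}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(REGISTER)))
    for e in without_treatment(REGISTER):
        print(f"no treatment stated: {e.system} / {e.threat}")
    for e in without_controls(REGISTER):
        print(f"no control stated:   {e.system} / {e.threat}")
```

Run as a script it prints the register ordered with the IT hardware system (the only high-magnitude entry) first and reports the one identified risk, theft/damage to the payroll system, for which sections 2.1.1 and 3.1 state neither a control nor a treatment.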
Commonwealth of Virginia. (2014). Information Technology Risk Management Standard, ITRM Standard SEC520-00.
Zwikael, O., & Ahn, M. (2011). The effectiveness of risk management: an analysis of project risk planning across industries and countries. Risk Analysis, 31(1), 25-37.