Information Security Risk Analysis and Management

Only available on StudyMode
  • Published : May 15, 2013
Information security refers to the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. An ideal organization usually has the following layers of security in place to safeguard its operations: physical, operations, communications, networks, personnel, and information security. A risk can be defined as the probability that something unwanted will happen. Risk analysis and management therefore refers to the process of identifying risks to an organization’s information assets and infrastructure, and taking steps to reduce these risks to an acceptable level. Threats are dangerous actions that can cause harm. The degree of threat depends on the attacker's Skills, Knowledge, Resources, Authority, and Motives. Vulnerabilities are weaknesses in victims that allow a threat to become effective. Risk management comprises three major steps, as shown in the figure below: risk identification, risk assessment/analysis, and risk control. Risk identification involves the examination and identification of the security status of the organization’s technology and the risks it faces. Risk assessment is the process of determining the extent to which the organization’s information assets are exposed or at risk. Risk control involves putting controls in place to reduce the risk to an organization’s data and information systems.

The process of risk identification is broken down into stages. First, the information security team identifies the organization's assets, which include people, procedures, data, software, and hardware. Next, the assets are classified and prioritized. Finally, threats are identified and prioritized. This final stage of threat identification is important because it helps the information security team to know and understand the possible risks in order to devise appropriate controls for mitigating them. These potential threats include, but are not limited to, the following.

1. Compromise of intellectual property: This occurs when attackers gain access to sensitive material that the organization considers integral to its day-to-day functions.
2. Information extortion: This occurs when an attacker is able to access packets of data before they reach their final destination. This threat is made possible by the absence of secure systems of data transmission where encryption is implemented on all data coming into and going out of the organization.
3. Deviations in quality of service from service providers: Any form of attack in an organization in any of its key areas of operation can cripple its very existence.
4. Forces of nature: Fire, floods, and earthquakes are some of the calamities that an organization can face.
5. Human error: This threat comes as a result of mistakes by employees or any other person that has direct access to the organization. This could also be caused by an accident or failure of an employee to follow procedure.
6. Technology obsolescence: The lack of up-to-date systems in an organization acts as a vulnerability that attackers can use to create attacks. Software vendors are aware of the threat and release frequent updates to their software to counter any new attacks.
7. Theft: This is a physical threat that comes about primarily from not ensuring proper physical security in an organization.
8. Technical hardware failures or errors: An organization is exposed when equipment is not maintained in proper working condition.
9. Technical software failures or errors: Both custom-built and off-the-shelf software are prone to attacks if measures are not put in place to defend them. Bugs and errors in code are some of the vulnerabilities that lead to attacks in which malicious code is inserted into this code to carry out a specific act.
10. Software attacks: These include viruses, worms, macros, or denial of service. These attacks can be either internal (where a case of either a former...