Incident Management
Having a well-developed incident response capacity is very important for any entity because it enables it to detect a risk at its earliest stages and manage it before it becomes a disaster. According to Virshup, Oppenberg and Coleman (1999), incident response capacity ensures that an organization can effectively respond to emergencies fast enough and with the required efficiency necessary to avert possible negative outcomes. This means that an entity will always be ready to respond to incidents and accidents in a way that would minimize the adverse effects as much as possible.
The case study about TSF presents one incident that the top management ignored. This firm has been using TSF-ONE in internal data management. It is reported that due to the emerging new trends and the amount of data this firm has to deal with on a regular basis, TSF-ONE has become obsolete. This has slowed data management capacity, sometimes threatening to erode critical data of this organization. The disappearance of TSF’s back-up data due to the insolvency of the service provider is a disaster to this firm. This will cripple its operations unless urgent measures are taken.
Based on the incident and disaster mentioned above, TSF needs to enact a disaster response and communication system that will help in rapid communications of events such as those mentioned above. This system will ensure that the response to the disaster or incident and that communication of the information to the relevant stakeholders is done simultaneously. The stakeholders will be informed that the incident or accident occurred and that relevant agencies are making efforts to respond to the issue. The stakeholders in this case will be the donors, employees, and the focus groups benefiting from the services of this firm.
In incident management, incident triage plays a very critical role. This assessment tool helps in determining if there is an actual security incident. This eliminates cases where an organization responds to mere threats other than security incidents. It then prioritizes the incidents to enable the organization determine the best ways to respond to multiple incidents in cases where an organization faces multiple threats. Finally, the tool helps the response team to know if there is a need for escalation. This way, the response will be well-calculated, accurate, and fast enough in addressing the issue at hand.
The excerpt brings out very important aspects about building contingency plans and capacity. According to Jordan and Silcock (2005), it is almost impossible to eliminate risks. The best that an organization can do is to have measures that can help in managing the risks when they occur. This is the message brought out in this excerpt. When an organization is hit by a disruptive event, in some cases this may exceed its capacity to work under normal routine. The ability of such an organization to overcome such disruptions wholly depends on the contingency measures that it has put in place to deal with the problem. The excerpt clearly describes how such contingency plans work. It explains that when the disruption occurs, an organization is able to shift from the normal operational systems to a contingency system as the risk management team works to normalize the affected system. This means that the contingency plan offers an organization a unique capacity to continue with its operations even after its system has been hit by a disruptive event, but using a contingency platform. It also insists on taking advantage of the opportunities presented by such occurrences to be in a better position to manage risks in future.
Argumentative Essay
Having gone through the lecture notes, it is now clear to me that risk cannot be eliminated in an organizational setting. Firms face different forms of risks almost on a daily basis. Some risks target normal operational systems of an organization. Risks may affect finances of an organization, or even the strategic objectives set by the top management unit. According to Jordan and Silcock (2005), it is not easy to determine the section or systems within an organization that a risk factor will hit next. However, it is possible and very important that one plans for the risks before they occur. In a broad way, Das and Teng (1999) note that risks can be categorized as incidents or disasters. Incidents are disruptive events that cause minor impacts on the normal running of an organization. They are events that can be rectified easily and in many cases the stakeholders involved in daily operations of the organization may not realize they had occurred. These events have minor or sometimes no impact at all on finances of an organization. On the other hand, disasters are events that affect major operations of an organization. Incidents like that may paralyze operations of an organization (Standards Australia 2010). They have the capacity to force an organization out of its operations.
Risk management is something that organizations can no longer ignore. According to Alberts and Dorofee (2004), some firms are using insurance as a strategy of managing risks (Virshup, Oppenberg & Coleman 1999). This is one of the oldest strategies that firms have been using to protect them from such disruptive events. However, it is not possible to insure all the possible risks that an organization may face. For instance, a bank may face a risk of system breakdown, forcing it to stop offering their services to their clients. The bank can insure the loss that may occur due to such incidents, but it may not insure the dissatisfaction of the customers due to such unfortunate occurrences. If fact, Das and Teng (1999) say that excessive insurance reduces the profitability of an organization. This makes it necessary to come up with internal measures that will help in managing risks as they occur in a way that will ensure continuity in the operations. Coming up with an enterprise wide management framework is very critical when developing a risk management plan. This is so because it enables risk management teams to develop a holistic approach on risk management that looks at all the systems and structures within an organization.
It is important to note that I was absent in the first lectures. This means that I have a lot to catch up with. However, I have learnt much about risk and risk management from the lecture notes. My conceptualisation has changed because I have taken initiatives of reading the relevant articles and books that address this topic. I am interested to find out how to develop risk management plans that can help organizations respond to various forms of risk.
It is clear that developing a contingency plan is very important when it comes to risk management. I have noted that the use of information technology helps in risk identification, especially in detecting vulnerabilities and threats. This makes it easy to develop risk mitigation plans that can respond to the threats as soon as they occur. From my personal readings, I have noticed that different people have different perspectives of how technology should be used in developing contingency plans and risk response systems. I would like to know the probable approaches that an organization can use the emerging technologies to develop contingency plans taking into account the fact that these technologies may at times be disruptive in nature. A major question that I would want an answer for is how an organization can use an approach that can at times be disruptive to respond to a disruptive situation. In case the emerging technology used becomes disruptive when addressing a disruption within the system, how should an organization react, especially when the affected process or system is of critical importance? In such cases, an organization may not afford to take chances when the stakes are so high because further mistakes made in addressing the current problems may cripple an organization. These are fundamental questions that I was not able to ask due to my absence from the lectures.
Legal and ethical concerns are also very important when it comes to management of information security. I now know that when developing a contingency plan, this is an issue that cannot be ignored. However, I need further knowledge on how this can be incorporated when developing a contingency plan. As Alberts and Dorofee (2004) says, there are incidences where the law is silent on issues relating to security management. It is important that I understand how one is supposed to act in such situations where the existing laws are either contradictory or silent over some issues.
List of References
Alberts, C & Dorofee, A 2004, Managing information security risks: The Octave approach, Addison-Wesley, Boston.
Das, T & Teng, B 1999, Managing Risks in Strategic Alliances, Academy of Management Executives, vol. 13, no. 4, pp. 50-61.
Jordan, E & Silcock, L 2005, Beating IT Risks, John Wiley & Sons, Chichester.
Virshup, B, Oppenberg, A & Coleman, M 1999, Strategic Risk Management: Reducing Malpractice Claims through More Effective Patient-Doctor Communication, American Journal of Medical Quality, vol. 14, no. 4, pp. 153-159.
Standards Australia 2010, Business continuity, Managing disruption-related risk: AS/NZS 5050: 2010, Standards Australia, Sydney.