The company in question is facing a serious issue: it needs to switch to a more efficient information system. The major threat source is the existing system itself, which is outdated and cannot support all the operations the company now requires. The system was developed in 1990 and cannot process the volume of information available today. Moreover, it is exposed to security violations because of the malware and attack tools now distributed online, which did not exist when it was designed. This produces a major threat event in NIST SP 800-30 terms: a security violation. It has been acknowledged that information security is “both organizational and technological” issue that has to be solved for a company to remain competitive (Alberts & Dorofee 2003, p. 32). Contemporary systems are much more efficient and reliable. The vulnerabilities are the system’s own flaws; the predisposing conditions that make them easier to exploit are the company’s operations in different countries and the fact that employees use personal devices, which are often poorly protected against cyber-attacks.
These factors increase the likelihood of security violations. The adverse impact would be the disclosure of confidential information, which can have a detrimental effect on the company’s reputation; the loss or corruption of data would also be a significant problem. The organizational risk for the company is therefore reputational damage: people will stop trusting the charity and will donate to other non-profits instead. This risk should be addressed, and a new information system should be adopted. The company’s management should acknowledge the need to identify major risk factors and develop a proper plan to address them (Jordan & Silcock 2006). In this case, replacing the system and issuing corporate-managed devices to employees may be sufficient. The company should also consider engaging experienced professionals to develop an efficient and secure IS rather than relying on start-ups. Additional funds will be necessary (to pay for services and to acquire devices for employees), but this investment is crucial for the proper development of the company.
The NIST SP 800-30 Risk Model can be an effective tool for identifying risks. I have read several sources on risk management. For instance, Knight (2010) provides a list of actions that have to be undertaken. The steps suggested are quite detailed, but they are somewhat ambiguous, and the author does not provide sufficient information on identifying risks. Woody and Alberts (2007) pay more attention to the identification of risks and threats, but they fail to provide an efficient framework.
The NIST SP 800-30 Risk Model can be seen as this efficient framework for detecting risks and identifying their possible outcomes. For me, it was easy to apply the model to the case study. The case study provides quite detailed information on the matter, but it could still be challenging to identify the risks, and especially the outcomes for the company, without a structured approach. The model provides a set of milestones to work through: threat source, threat event, vulnerabilities and predisposing conditions, adverse impact, and organizational risk. I followed the steps, and it was easy to identify the threats and understand the organizational risks. When working on a report concerning IS/IT, it is important to employ the model, as it helps to explain why the change is important. I believe that the model could help the company’s managers to develop a detailed plan for managing the existing risks. Moreover, it could help them make top management understand that the company needs a new information system, one that responds to the challenges of a non-profit operating in the 21st century.
Reference List
Alberts, C & Dorofee, A 2003, Managing information security risks, Addison Wesley, Boston, MA.
Jordan, E & Silcock, L 2006, Beating IT risks, John Wiley & Sons Australia Ltd., Chichester, UK.
Knight, KW 2010, ‘AS/NZS ISO 31000:2009 – the new standard for managing risk’, Keeping Good Companies, pp. 68-69.
Woody, C & Alberts, C 2007, Considering operational security risk during system development. Web.