An Information Security Risk Assessment for Woltech
Woltech is a UK-based organisation operating in the energy sector. It has additional offices in Eastern Europe and China and a staff of 65 employees. The case study presents a range of issues associated with information security (IS). Since the organisation relies on several forms of remote access and inter-office communication, it is necessary to ensure high-quality protection of both employees' and Woltech's data.
This paper discusses the problems the organisation faces, including threats, vulnerabilities, and risk treatment options, in order to suggest strategies for addressing them.
First, the concept of information security risk needs to be defined in order to analyse the case study in depth. According to Peltier (2014, p. 16), "the purpose of risk assessment is to ensure that the organisation understands the security impacts". Risk assessment is central to the information security management system, where risk is understood as uncertainty that carries the possibility of damage from a breach of IS.
To assess risks, it is essential to understand which of the organisation's business processes are the most critical, following the approach of Business Impact Analysis. It also involves evaluating how to eliminate these threats and their sources and how to minimise their likelihood. Both threats and vulnerabilities may have serious impacts in the form of an undesirable incident, as a result of which the organisation suffers significant losses (Feng, Wang & Li 2014).
This damage can arise from attacks on the organisation's information that lead to its unauthorised disclosure, modification, damage, destruction, inaccessibility, or loss. Threats can originate from either accidental or deliberate sources or events. The main threats to information security at Woltech may be specified as follows:
- the risk of leakage of confidential information;
- the risk of loss or unavailability of important data (top priority);
- the risk of using incomplete or distorted information;
- the risk of unauthorised or covert exploitation of information and computing resources (when working via the Internet);
- the risk of spreading of information in the external environment that threatens the reputation of the organisation.
Vulnerabilities are weaknesses in IS protection associated with the assets of an organisation. These weaknesses can be exploited by one or more of the threats, thus causing unwanted incidents. As stated by Peltier (2014), a vulnerability is not dangerous in itself, as it is merely a condition or a set of conditions that creates the opportunity to damage the organisation. The following vulnerabilities of Woltech can be identified:
- violation of the integrity of information stored in Internet-facing databases and servers (top priority);
- breach of the availability of the server, as it is hosted by a third-party organisation;
- violation of the confidentiality of information due to the lack of encryption.
Each of the mentioned threats and vulnerabilities can be realised through, for example, SQL Injection and Cross-Site Scripting attacks, or through escalation of the perpetrator's privileges in the system as a result of a buffer overflow in the operating system.
As the case study analysis shows, the activities of the organisation are mostly automated. In fact, the organisation can be regarded as a human-machine system that interacts with its customers, both individuals and legal entities, and with controlling bodies, both state and international industry regulators. The machine component of this system may be called the organisation's automated system: communication channels, computing facilities, system software, and application software.
It should be emphasised that these assets store, process, and transmit intangible information, the value of which often exceeds the cost of the automated system by orders of magnitude. The human component, in turn, comprises personnel, management, IS policies, and so on: everything that provides information protection.
IS risks can be divided into two categories: risks caused by information leakage and its use by unauthorised parties for purposes that may damage the business; and risks of technical failures in the operation of hardware, software, and information transfer channels. The core challenge is to minimise IS risks in order to prevent unauthorised access to data as well as failures of equipment and software (Baskerville, Spagnoletti & Kim 2014). As for risk treatment options, the most relevant methods in this situation are avoidance and prevention, although modifying the likelihood of critical situations can also be applied.
As identified by the European Union Agency for Network and Information Security (ENISA), "more than one option can be considered and adopted either separately or in combination" (Risk treatment 2017, para. 9). Such an approach implies mitigating the risk: reducing both the probability of an incident arising from it and its impact to an acceptable level.
The Advantages and Disadvantages of Woltech Seeking Certification for ISO27001
ISO/IEC 27001 is a standard that presents a model for the development, implementation, operation, monitoring, analysis, support, and improvement of an Information Security Management System (ISMS). The introduction of an ISMS is a strategic decision for the organisation (Humphreys 2016). The design and implementation of the organisation's ISMS are influenced by its needs and objectives, security requirements, processes used, and the scale of the organisation's activities and structure. It is assumed that these factors and their supporting systems will change over time under the impact of both internal and external factors. It is also expected that the ISMS will change in proportion to the needs of the organisation, depending on the complexity of the situation.
The key advantage of ISO/IEC 27001 is that it standardises the provision of information security to organisations: it develops and strengthens confidence, maintains stability, and ensures that measures are adequate to address IS threats and to prevent or reduce the damage from IS incidents (Humphreys 2016). Another beneficial aspect of the standard is that it defines the requirements for selecting and refining the approach to assessing the risks of IS infringement and for developing plans to handle these risks.
In particular, the organisation must adopt methods for assessing the risks of IS infringement and must define the criteria for accepting risks and the level of acceptable risk. When implementing this system, the organisation gains monitoring and security management tools that help to reduce various types of risk.
The standard proposes the Plan-Do-Check-Act (PDCA) model. Adopting the PDCA model also reflects the principles set forth in the OECD (Organisation for Economic Co-operation and Development) guidelines on the security of information systems and networks (Humphreys 2016). It is significant that the standard provides a visual model for putting these principles into practice, thus supporting the risk assessment, design, and implementation of the information security system, its management, and its reassessment where required.
The most significant advantage of implementing ISO 27001 is the increase in transparency of all departments, from the bottom to the top management of the company. This also applies to the information security department, whose activities are opaque to many employees. The core purpose of the ISO/IEC 27001 standard is to ensure the coordination of IS management with the other management systems in the company. In other words, when implementing other management standards, the organisation can easily apply a single audit system thanks to their high compatibility.
As for disadvantages, the implementation of the ISO 27001 standard is a rather long procedure, the duration of which depends on various factors, such as the initial state of IS in the organisation, the readiness of management and personnel for change, the size of the company, and the presence of other implemented standards. It is therefore impossible to specify a definite implementation period, namely the time needed to introduce the standard and to pass certification, because so many variables affect it.
The expense of implementing the standard constitutes another disadvantage. It may involve the costs of consultation, preparation of the organisation, staff training, and so on. It is important to approach the selection of the consultants who will assist in the implementation of ISO 27001 as carefully as possible. Although the services of a consulting company are, as a rule, expensive, it would be erroneous to assume that handling the risks independently will allow the organisation to save money (Humphreys 2016). Costs after certification, on the contrary, will be reduced, because the organisation will concentrate on significant risks rather than trying to protect itself from everything that could threaten it.
Organisational Needs for Maintaining Operation Following a Major Incident
Among the variety of instruments for responding to IS risks, it is important to highlight business continuity, which is closely tied to the quality of risk management and the minimisation of risks. The methodology of Business Continuity Management (BCM) should be applied, as it provides insights on how to address the threats identified earlier in this paper. At present, organising effective protection of the information system is becoming a critical strategic factor for the development of any company.
In fact, information is one of the key elements of business. At the same time, information is understood not only as static data resources, including databases, current hardware settings, and so on, but also as dynamic information-processing procedures. In this regard, the main goal of the security system is to ensure the stable functioning of the facility, to prevent threats to its security, and to protect the legitimate interests of the organisation from illegal encroachments, theft of funds, and the disclosure, loss, leakage, distortion, and destruction of official information, thus ensuring the normal production activities of all units.
Considering the needs of Woltech, the following activities are recommended to provide the necessary protection against IS risks and to establish security control:
- Identify the group of employees responsible for information security and create the regulatory documents that describe the actions the organisation's personnel must take to prevent IS risks, as well as providing backup capacity for operation in a critical situation. First, it is important to prepare for such events by backing up critical data and data centres and by initiating regular training of employees.
- Develop unified standards for information systems within the organisation by creating unified reporting forms and rules for calculating indicators that will be used in all of the company's software products. In particular, all the offices located in the UK, Eastern Europe, and China are to adopt a new system of data protection in order to eliminate information violations. At this point, "all information security roles and responsibilities should be formally allocated by defining them in writing using terms that are clearly understood across the organisation" (Peltier 2014, p. 11). To continue functioning in normal mode, communication channels are to be re-established as appropriate.
- Classify data by degree of confidentiality and delimit access rights to it. This activity addresses the fact that employees use both corporate and personal devices to access their email and to work remotely, thus creating additional threats to the organisation's IS (Feng, Wang & Li 2014). In particular, even if Woltech adopts a unified system of data protection, personal devices cannot be protected in the same way. Therefore, it is strongly recommended that individual iPads and other personal devices should not be used to access corporate resources.
- Ensure that any documents circulating within the organisation are created using systems that are centrally installed on devices. The installation of any other programs should require authorisation; otherwise, the risk of failures and virus attacks may increase dramatically. By downloading and installing extraneous programs and utilities, employees jeopardise the whole system.
- Introduce monitoring tools to observe the status of all corporate systems. In case of unauthorised access, the system should either automatically deny entry or signal the danger so that personnel can take action (Baskerville, Spagnoletti & Kim 2014). At present, Woltech's support system handles only simple and moderate problems, while a third-party company resolves the more complicated issues. In this regard, it is essential for the organisation to employ its own team of professionals in order to become independent and better protected in terms of information security.
- Develop and implement a system that allows the functionality of the IS infrastructure to be restored quickly after technical failures. This point is associated with server errors and failures. Currently, Woltech reports an inability to react adequately and promptly to server losses and to the storage of data on removable hard disks. It would be better to own a new server so that data could be restored rapidly and the realisation of IS risks prevented.
In addition, a dedicated method, the CCTA Risk Analysis and Management Method (CRAMM), may be applied; it was one of the first risk analysis methods in the field of information security. CRAMM is based on an integrated approach that combines procedures for comprehensive evaluation (Vacca 2017). The study of IS can be carried out in two ways, pursuing two qualitatively different goals: providing a basic level of information security, or conducting a complete risk analysis.
It should be noted that CRAMM can rightfully be counted among the methods that use both qualitative and quantitative approaches to the analysis of IS risks, as the assessment takes into account the level of expected financial losses from the realisation of a risk, and the results are given as points on a scale from one to seven (Vacca 2017). This significantly raises the standing of the CRAMM methodology due to its effectiveness.
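To make the risk assessment and treatment discussion concrete (the risk categories and treatment options above, and the one-to-seven reporting scale of CRAMM), here is a small risk register for the threats and vulnerabilities the paper names. It is an added example, not code from the paper, Woltech, or CRAMM: the scoring formula, the acceptability threshold, and the sample levels are assumptions made for illustration, not the official CRAMM matrix.

```python
from dataclasses import dataclass

SCALE_MAX = 7  # the 1..7 reporting scale mentioned in the text

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    asset_value: int    # 1..7: business impact if the asset is harmed
    threat_level: int   # 1..7: capability/frequency of the threat source
    vuln_level: int     # 1..7: how easily the threat exploits the weakness

def risk_level(entry: RiskEntry) -> int:
    """Assumed scoring, not the official CRAMM matrix: likelihood is the mean
    of threat and vulnerability levels; risk is that likelihood weighted by
    asset value and rescaled onto 1..7 (maximum 7*7/7 = 7)."""
    levels = (entry.asset_value, entry.threat_level, entry.vuln_level)
    if any(not 1 <= x <= SCALE_MAX for x in levels):
        raise ValueError(f"levels {levels} must lie within 1..{SCALE_MAX}")
    av, th, vu = levels
    score = av * ((th + vu) / 2) / SCALE_MAX
    return max(1, int(score + 0.5))  # round half up, clamp to the scale

def treatment(level: int, acceptable: int = 3) -> str:
    """Map a level to the options the text discusses; ENISA allows options to
    be combined. The thresholds are assumptions for this example."""
    if level <= acceptable:
        return "retain: within acceptable level, keep monitoring"
    if level <= 5:
        return "modify likelihood: preventive controls"
    return "avoid, or modify likelihood and reduce impact together"

def register_report(entries: list[RiskEntry]) -> list[tuple[str, int, str]]:
    """Return (asset, level, treatment) rows sorted by level, highest first."""
    rows = [(e.asset, risk_level(e), treatment(risk_level(e))) for e in entries]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register covering the threats and vulnerabilities named in the text.
WOLTECH_REGISTER = [
    RiskEntry("customer database", "loss or unavailability of data", 7, 5, 6),
    RiskEntry("hosted server", "availability breach at third-party host", 6, 4, 5),
    RiskEntry("remote email on personal devices", "unencrypted leakage", 5, 5, 7),
    RiskEntry("public statements", "reputational information spread", 4, 2, 2),
]

if __name__ == "__main__":
    for asset, level, action in register_report(WOLTECH_REGISTER):
        print(f"{level}/7  {asset:<34} {action}")
```

Re-running the report at each quarterly reassessment with updated levels gives a simple way to track whether treatments have brought each risk to the acceptable level.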
In conclusion, the development and implementation of measures to minimise IS risks will not be useful if the recommended standards and rules are misapplied, for example if employees are not trained in their application and do not understand their importance. Therefore, work to ensure IS security should be comprehensive and thoughtful. It is essential to prepare for the consequences of possible critical situations and to define the company's actions for overcoming a crisis.
An indispensable condition for successful risk management in the field of information technology is continuity. Therefore, the assessment of IS risks, along with the development and updating of plans for their minimisation, should be carried out at set intervals, for instance once a quarter. Periodic audits of the information-handling system by independent experts will further contribute to minimising risks.
Baskerville, R, Spagnoletti, P & Kim 2014, 'Incident-centered information security: managing a strategic balance between prevention and response', Information & Management, vol. 51, no. 1, pp. 138-151.
Feng, N, Wang, HJ & Li, M 2014, 'A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis', Information Sciences, vol. 256, no. 1, pp. 57-73.
Humphreys, E 2016, Implementing the ISO/IEC 27001:2013 ISMS standard, 2nd edn, Artech House, London.
Peltier, TR 2014, Information security fundamentals, 2nd edn, CRC Press, Boca Raton, FL.
Risk treatment 2017, European Union Agency for Network and Information Security (ENISA), web.
Vacca, JR 2017, Computer and information security handbook, 3rd edn, Morgan Kaufmann, Cambridge, MA.