This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
In developing an IT systems strategy, a risk-based approach is recommended over a baseline approach. A baseline approach is generally preferred when developing a general management strategy: a set of predefined events is the basis from which the organisation's strategy is started or assessed. When developing a strategy for IT systems, the possibility of future events is the more important factor, rather than the available solutions to the known problems. By definition,
A baseline is a “value or profile of a performance metric against which changes in the performance metric can be usually compared”.1 In information security, baselining can provide the foundation for internal benchmarking. The information gathered for an organisation's first risk assessment becomes the baseline for future comparisons.
Risk assessment consists of assigning values to attacks on assets, assessing the likelihood that vulnerable systems will be attacked by specific threats, calculating the risk to which assets are exposed in their current setting, and conducting a preliminary review of the controls that could be used to protect against vulnerabilities.2
We therefore recommend that UEL carry out a risk assessment rather than simply follow a baseline approach in the first stage of designing and planning the strategy for IT systems. The results of the risk assessment can then serve as a baseline in future. To assess the risk factors, UEL needs risk management experts to advise on and assess the risk factors associated with its IT systems.
Tools such as risk assessment and risk analysis are used to find threats and vulnerabilities, to estimate the damage they could cause, and to decide whether security safeguards should be implemented.
Risk analysis is carried out:
- To ensure that security is relevant, cost-effective, timely and responsive to threats.
- To integrate the organisation's business requirements with the objectives of the security programme.
- To maintain an economic balance between the cost of countermeasures and the impact of the threat.
- To provide a cost/benefit comparison, which compares the annualised cost of safeguards to the potential cost of loss.
Steps of Risk Analysis
Step 1: Identifying assets and values
Step 2: Identifying the threats and vulnerabilities
Step 3: Analyzing the risk with both approaches
Step 4: Selecting and implementing countermeasures.
STEP 1: Identifying Assets and Values
There are two types of assets, tangible and intangible:
- Tangible assets are measurable. Examples: facilities, computers and supplies.
- Intangible assets are immeasurable or difficult to assess. Examples: the organisation's reputation and its intellectual property.
The following factors should be considered when assessing the value of assets and the information they contain.
- Cost to acquire, develop, maintain and guard the asset.
- Value of the asset to adversaries, owners, users etc.
- The intellectual property value that went into developing the information.
- Market price offered by others to own the asset.
- Replacement cost if the asset is lost or stolen.
- Interruption to other activities if the asset is unavailable for some time.
- Other issues (liability) if the asset is compromised.
- The use and role of the asset in the organisation.
Determining the value of an asset is also important, because it is needed:
- To perform cost/benefit analyses.
- To select specific safeguards and countermeasures.
- To estimate the level of insurance coverage to purchase.
- To understand what exactly is at risk.
- To comply with legal and regulatory requirements.
STEP 2: Identifying the threats and vulnerabilities
Threat agents can take advantage of vulnerabilities in systems, resulting in a variety of threats. Common threat agents are employees, users, contractors, attackers, intruders, fire, malicious software, viruses, hackers etc.
For example, a virus is a threat agent that makes use of a vulnerable system and can infect it. Here the threat agent is the virus, the vulnerability of the system is the lack of antivirus software, and the threat to the asset is virus infection.
STEP 3: Risk analysis approaches
Quantitative approach to risk analysis
- It identifies the level of monetary loss and the percentage chance of each type of threat for use in risk calculations.
- It provides actual probability percentages when estimating the likelihood of threats.
- The elements of the analysis are quantified and entered into equations to determine the outstanding risks and total risks.
Metrics of quantitative analysis:
SLE - Single loss expectancy; ALE - Annualised loss expectancy; EF - Exposure factor; ARO - Annualised rate of occurrence
SLE - represents the loss due to a single occurrence of the threat.
ALE - represents the estimated loss per annum.
- Asset value × EF = SLE
- SLE × ARO = ALE
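The two equations above, together with the cost/benefit comparison of safeguards mentioned earlier, are worked through in the following Python example. This is an added illustration, not code from the essay or from UEL; the asset value, exposure factors, rates of occurrence and safeguard cost are constructed figures, and the `safeguard_value` function applies the standard comparison of ALE reduction against annualised safeguard cost, which the essay describes in words but does not write as a formula.

```python
# Added example: quantitative risk analysis with SLE, ARO and ALE, plus the
# cost/benefit comparison of a safeguard. All monetary figures, exposure factors
# and rates are constructed for illustration (not UEL data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of the asset value lost in one occurrence (0.0 - 1.0)
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF: loss from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per annum."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Cost/benefit comparison: reduction in ALE minus the annualised cost of the safeguard.
    A positive result means the safeguard saves more than it costs; a negative one
    means the control is more expensive than the loss it prevents."""
    return (ale_before - ale_after) - annual_safeguard_cost


def risk_register(asset_value: float, threats):
    """SLE and ALE for each threat against one asset, ordered by ALE (highest first),
    which is the order in which countermeasures would normally be considered."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(asset_value, t.exposure_factor)
        rows.append({"threat": t.name, "SLE": sle, "ALE": annualised_loss_expectancy(sle, t.aro)})
    return sorted(rows, key=lambda r: r["ALE"], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a file server valued at 200,000 (currency units).
    server_value = 200_000.0
    threats = [
        Threat("virus infection", exposure_factor=0.25, aro=2.0),   # no antivirus installed
        Threat("fire", exposure_factor=1.0, aro=0.05),               # total loss, once in 20 years
        Threat("hardware failure", exposure_factor=0.4, aro=0.5),
    ]
    for row in risk_register(server_value, threats):
        print(f"{row['threat']:<18} SLE={row['SLE']:>10,.0f}  ALE={row['ALE']:>10,.0f}")

    # Assumed safeguard: antivirus software costing 5,000 per year cuts the
    # virus ARO from 2.0 to 0.2 while the exposure factor stays at 0.25.
    sle_virus = single_loss_expectancy(server_value, 0.25)
    ale_before = annualised_loss_expectancy(sle_virus, 2.0)
    ale_after = annualised_loss_expectancy(sle_virus, 0.2)
    print("value of antivirus safeguard:", safeguard_value(ale_before, ale_after, 5_000.0))
```

With these constructed figures the virus threat has the largest ALE (100,000 per year) even though a fire would cause the largest single loss, which is exactly the distinction between SLE and ALE; the antivirus safeguard reduces ALE by 90,000 for a cost of 5,000, so the comparison comes out strongly in its favour.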
Qualitative approach to risk analysis:
The qualitative method defines a risk as the sum of three elements: threat, impact and likelihood.
QUALITATIVE RISK = THREAT + IMPACT + LIKELIHOOD.
In this approach, we examine different possible risk scenarios, rank the threats by importance and check the validity of the countermeasures for these threats. The technique draws on experience, judgement, best practice and intuition.
Examples of qualitative risk analysis techniques: Delphi, storyboarding, surveys etc.
Qualitative risk analysis requires only simple calculations, involves guesswork, gives every area a risk indication and, last but not least, captures the valuable opinions of the experts who know the processes best.
When determining threats it uses categories such as availability/privacy, integrity/accuracy, access control, repudiation, legal, general, and identification/authentication.
Comparing the two approaches, qualitative risk assessment is more advantageous than quantitative: the qualitative approach prioritises the risks and identifies the areas for immediate improvement. However, it does not provide specific quantifiable measurements of the magnitude of the impacts; therefore, making a cost/benefit analysis of any recommended controls is difficult.
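The qualitative formula and the prioritisation it supports are shown in the following added Python example, which is not part of the essay. It scores constructed risk scenarios on an assumed 1 to 5 ordinal scale for each of the three elements, validates that each scenario falls into one of the threat categories listed above, and returns the ranked list and the areas for immediate improvement. The scenarios, scale and the threshold of 12 are assumptions for illustration.

```python
# Added example: qualitative risk ranking with the essay's formula
#   qualitative risk = threat + impact + likelihood
# Each element is rated on an assumed ordinal scale of 1 (very low) to 5 (very high).
# Scenario names, scores and the "immediate improvement" threshold are constructed.
from dataclasses import dataclass

# Threat categories used when determining threats (from the essay).
CATEGORIES = {
    "availability/privacy", "integrity/accuracy", "access control", "repudiation",
    "legal", "general", "identification/authentication",
}
SCALE = range(1, 6)  # assumed: 1 = very low ... 5 = very high


@dataclass(frozen=True)
class Scenario:
    name: str
    category: str
    threat: int       # how capable/motivated the threat agent is
    impact: int       # damage if the scenario occurs
    likelihood: int   # how likely the scenario is

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown threat category: {self.category}")
        for value in (self.threat, self.impact, self.likelihood):
            if value not in SCALE:
                raise ValueError("ratings must be on the 1-5 scale")


def qualitative_risk(s: Scenario) -> int:
    """Qualitative risk = threat + impact + likelihood (range 3 to 15 on this scale)."""
    return s.threat + s.impact + s.likelihood


def prioritise(scenarios):
    """Rank scenarios by qualitative risk, highest first; ties are broken by impact,
    then by name so the ordering is deterministic."""
    return sorted(scenarios, key=lambda s: (-qualitative_risk(s), -s.impact, s.name))


def immediate_improvement(scenarios, threshold: int = 12):
    """Names of the scenarios at or above the (assumed) threshold: the areas the
    essay describes as needing immediate improvement."""
    return [s.name for s in prioritise(scenarios) if qualitative_risk(s) >= threshold]


def worst_by_category(scenarios):
    """Highest qualitative risk found in each threat category."""
    worst = {}
    for s in scenarios:
        worst[s.category] = max(worst.get(s.category, 0), qualitative_risk(s))
    return worst


# Constructed scenarios for a university network (not UEL findings).
SAMPLE_SCENARIOS = [
    Scenario("student PC without antivirus", "general", threat=4, impact=3, likelihood=5),
    Scenario("shared staff password", "identification/authentication", threat=3, impact=4, likelihood=4),
    Scenario("unlogged grade changes", "repudiation", threat=2, impact=5, likelihood=2),
    Scenario("data centre fire", "availability/privacy", threat=5, impact=5, likelihood=1),
]

if __name__ == "__main__":
    for s in prioritise(SAMPLE_SCENARIOS):
        print(f"{qualitative_risk(s):>2}  {s.category:<32} {s.name}")
    print("immediate improvement:", immediate_improvement(SAMPLE_SCENARIOS))
    print("worst per category:", worst_by_category(SAMPLE_SCENARIOS))
```

The output illustrates the limitation stated above: the ranking shows which area to fix first (the unprotected PC scores 12), but nothing in the scores says how much a control is worth in money, so a cost/benefit comparison still needs the quantitative metrics.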
STEP 4: Selecting and implementing countermeasures
Countermeasures involve the security policy, the roles and responsibilities within the security organisation, and specific mechanisms:
- Define security policies for information based on the level of risk.
- Define security roles and responsibilities.
- Define and distribute policies.
- Implement policies.
The University of East London is an academic organisation which provides a vast range of computer-related services, network, telecommunications and information to students and staff. It is vitally important that the information held by the organisation (UEL) is well protected against any kind of threat. External sources such as the computer-related Acts of Parliament and JANET also govern some practices.
The policy of the University of East London is to protect its information sources by employing best practice and providing good services that strike a balance between user requirements, strategic aims and technological opportunities. This policy applies to all students and staff who are members of the organisation (UEL). Compliance with this policy is the duty of every user of UEL, and the policy will be backed by UEL's disciplinary procedures. All users will be informed about this policy, and the code of practice will be circulated among all users.
All users must be aware of their responsibilities and comply with the code of practice that applies to them. These are standards that accompany this policy; those standards also need to be applied according to the situation.
The objective of this policy is to make sure that all the requirements and responsibilities for maintaining UEL's IT services are clearly documented and that all staff are aware of their responsibilities and of the code of practice for the good running of the organisation. The objectives include
This policy shall be implemented throughout UEL, with effect from 27th November 2009. All other security policies, standards and procedures are subsidiary to it.
This policy covers all users, including staff and students, external bodies such as JANET, network systems (hardware/software) and legal issues (laws and practices). This policy is designed to allow all users to raise concerns and disclose information at a high level, where the discloser believes in good faith that it shows evidence of serious malpractice.
Methods of Achieving the Objective
Several methods are used to achieve the objective, such as codes of practice and sanctions, a network security unit, and procedural and technical guidelines on security. The codes of practice and sanctions help in maintaining the disciplinary procedures. The network security unit consists of existing staff with designated responsibility for network security; it monitors security on the network, advises users and departments on security measures and investigates breaches. The guidelines help administrators and users in correcting faults.
Where a breach occurs it must be brought to the notice of the management and the security officer. If a breach occurs due to an individual, that individual's network access is disabled and the following procedures apply:
Employee's disciplinary code and procedures
General regulations for students
Maintenance of this Policy
The Project Manager shall undertake all reviews to ensure that adequate provision is in place, and shall be responsible for the maintenance and review of the policy. The policy is reviewed through regular reporting on security procedures and policy.
Deviation from this policy shall not be permitted, except after consultation and agreement with the relevant management authority in UEL and the Project Manager.
The Project Manager, Pervin Hussain (who works for the Director of IT Services), is responsible for managing and monitoring information security.
SIGNED AND ENDORSED BY
(Director of IT Services)
1. Phillip Carden, “Network Baselining and Performance Management,” Network Computing online [cited 19 June 2002]; available from the World Wide Web http://www.networkcomputing.com/netdesign/base1.html [accessed on 20 Oct 2009].
2. Michael E. Whitman and Herbert J. Mattord, “Principles of Information Security”, Canada: Thomson Learning, Inc. © 2003.
3. Open source website, “Information Security and Risk Management”, [online], available: http://en.wikibooks.org/wiki/Information_Security_and_Risk_Management#Risk_Assessment.2FAnalysis [accessed on 20 Oct 2009].
4. Phillip Carden, “Network Baselining and Performance Management,” Network Computing online [cited 19 June 2002]; available from the World Wide Web http://www.networkcomputing.com/netdesign/base2.html?cid=ref-true [accessed on 20 Oct 2009].
5. Gary Stoneburner, Clark Hayden, and Alexis Feringa [June 2004], “Engineering Principles for IT Security (A Baseline for Achieving Security)”, NIST Special Publication 800-27 Rev A. Available from the World Wide Web http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf [accessed on 27 Oct 2009].
6. Karen Scarfone, Wayne Jansen, Miles Tracy [July 2008], “Guide to General Server Security”, NIST Special Publication 800-123. Available from the World Wide Web [accessed on 27 Oct 2009].
7. Andy Jones, Debi Ashenden, “Risk Management for Computer Security”, USA: Elsevier Inc. © 2005.
8. National Institute of Standards and Technology, [online], “Risk Management Guide for Information Technology Systems”, NIST Special Publication 800-30, [July 2002]. Available from the World Wide Web