1. Use a diagram (produced using Rationale, Visio or any other relevant software application of your choice) to illustrate the current security risks and concerns considered by the VIC government.
2. Provide a detailed explanation of the diagram and identify the areas of high, medium, medium-low and low risk exposure.
3. Carry out a comparative analysis of the deliberate and accidental threats and rank those threats in order of importance. Justify your rankings not only on the basis of the case study but also by doing further research and drawing upon other relevant case studies (e.g. security guidelines for other private and public organisations) that you can identify.
4. Drawing upon theories, tools and patterns covered in the subject as well as your own research, explain the challenges that the VIC government will face while deciding whether security/risk management should be carried out internally or externally (e.g. via outsourcing).
5. Explain the difference between the concepts of risk and uncertainty (make sure that your discussion is linked to the case considered).
6. Discuss and evaluate (with examples) the different approaches available to the VIC government for risk control and mitigation.
Areas of risk and their classification
The diagram referred to here was created in Microsoft Visio and illustrates the current security risks that must be considered in developing the VIC Government's information system. Several components need to be considered, including malware, Trojans and spyware as threats to the project. The threats that act as barriers to the development of the information system are categorised into accidental and deliberate threats, and further into internal and external risks. The VIC Government's information security guideline must be incorporated in the development process to control the risks associated with the system. The diagram therefore sets out the steps of the risk assessment and the treatment of the basic risks associated with the development of the system; following the flow of risk helps identify the concerns associated with each risk.
The risks associated with the development of the information system are categorised as high, medium, medium-low and low. The areas of risk in each category are described below:
High risk: risks that cannot readily be controlled by the VIC Government and that affect the system negatively. They must be mitigated or avoided as soon as they are identified so that the system can be developed efficiently.
Medium risk: financial risks and intruder attacks can be considered medium risks. Precautions can be taken so that they do not arise, and there is an option to rectify the error if they do, which is why they are classed as medium risks for the information system.
Medium-low risk: risks acting on the information system due to human error and other irrelevant activity, such as missing a schedule and incurring extra cost in the development process.
Low risk: risks that are not directly associated with the information system and have a low impact, for example the non-availability of team members.
Deliberate Threats
Deliberate threats to the project are those in which an attacker intentionally targets the system, whether directly or from another point of attack, through denial of service attacks, eavesdropping, sabotage, unauthorised access to data, and so on. The capability of the attacker and the effect of the deliberate threats must both be considered in the development of the system (Cpdp.vic.gov.au, 2017). The data held in the system's database can be modified, and the threat can arise from different sources such as hackers, contractors, customers, extortionists, foreign agents and activists. The result of a deliberate threat can be the non-availability of the system and its resources, or the loss of confidentiality, accountability and integrity of the information system.
Comparative Analysis of Deliberate and Accidental Threats
Accidental threats are threats that are not aimed at the system and can arise at any point during the development of the information system. They may occur through a minor error by a team member, a sudden breakdown of a machine, or the unavailability of team members (Bernardo, 2012). An accidental threat may be the occurrence of a hazard (for example, a system crash caused by a software error) or may exploit a vulnerability (for example, a workstation left unattended and unlocked may be misused by an unauthorised user).
A particularly important risk, often accidental in origin, is increased vulnerability through incorrectly configured or outdated security controls or exploitable software, for instance operating systems and databases that have not received current security patches (Chance & Brooks, 2015).
The consequences of accidental threats for the development of the information system include the following:
- Incorrect decisions being made
- Loss of user confidence
- Disruption of business functions
- Monetary loss
- Legal issues and breach of duty of care
- Additional cost
The threats found during the feasibility study for the development of the VIC Government information system are ranked according to their severity and their impact on the development process. Generally the deliberate threats have a high impact on the development process, as they are directly linked with the software development life cycle (Glendon, Clarke & McKenna, 2016), while the accidental threats are ranked medium or low because they do not target the system directly. On closer examination, the target scope can reasonably influence the risk over the coming ten years; however, should deliberate, accidental or natural threats occur, their impact on the ISMS is as presented below:
Deliberate threats to the system cannot be controlled easily and their impact is very high, so they must be mitigated in the early stages of development of the ISMS.
Accidental threats are ranked medium or low because they do not target the system directly, although their likelihood can change at any time during development. Any human error identified must be resolved immediately to maintain the efficiency and security of the system.
The rankings are based on the threats and their effect on the VIC Government information system. The highest ranking is given to deliberate threats because most of the risk to the security of information is associated with this type of threat, and it affects the VIC Government most severely.
Ranking of threats in order of importance
Accidental threats are ranked lower because they are not aimed at the VIC Government directly. Human errors are by nature unintentional, so less risk is associated with them, though the case of unpatched software noted above shows that an accidental threat can still carry a high impact and must not be ignored.
Challenges faced by the VIC Government
The VIC Government faces several challenges in deciding whether risk management for information security should be carried out internally or externally (Hopkin, 2014). The vulnerabilities of the information system are analysed to gain visibility of the potentially affected areas. The challenges associated with the development of the information system are categorised below:
External (outsourced) management: an external team can be engaged to develop the information system and manage the associated risks, increasing the efficiency of the development process. Involving a consultant transfers part of the risk and can reduce the cost incurred in development. Misunderstandings between the external team and the government are themselves a threat, so a detailed analysis of the requirements is needed to identify them early.
Internal management: the threats can be managed more directly, and the project manager can assign the development of the modules to different teams to reduce the risk. This places responsibility for the security of the information system on the government's own staff, and protection is necessary for the system to operate efficiently. The server that hosts the application and the database must be protected from unauthorised access (Lo & Chen, 2012), and the database servers must be encrypted so that intruders cannot access the VIC Government's sensitive data.
Risk and uncertainty differ from each other; the following table sets out the differences.

Factors | Risk | Uncertainty
Definition | Risk is a situation in which the probabilities of the outcomes are known or can be estimated for the development of the system (O'malley, 2012), even though the outcome itself cannot be determined in advance. | Uncertainty is a situation in which the possible outcomes and their probabilities are unknown; it is difficult to characterise and the outcome cannot be predicted.
Outcome | The outcomes of a risk are known or can be forecast, so a risk mitigation plan can be created by applying risk management models and techniques. | Because of the lack of information about future events, uncertainty cannot be included in the risk management plan (Peltier, 2016); its severity cannot be measured and no model is applicable.
Control | The higher authority is responsible for controlling the situation and improving the efficiency of the development process. | Responsibility cannot be assigned, so no control can be enforced over the uncertainty.
Minimisation | Risk can be minimised by allocating roles and responsibilities to the different development stages and monitoring progress at regular intervals. | There is no option to minimise it in advance; it must be dealt with as it arises (Klaic & Golub, 2013).
Probabilities | Risk can be categorised as symmetric or asymmetric, and its probability can be quantified. | The probability of an uncertain event cannot be determined.
There are several risks associated with the development of the information system and they must be resolved to increase the efficiency of the developed system. A risk management plan is necessary and a guideline must be created for the development of the project (Burdon, Siganto & Coles-Kemp, 2016). The approach described below should serve as a guide for the offices involved but can be adapted to individual needs. The different approaches available to the VIC Government for risk control and mitigation are as follows:
To control risk, a leadership commitment is required and a detailed analysis must be done of the current information system; the following stages are then applied:
Evaluation of the current requirements: the requirements to be included in the information system are analysed and project management tools are used to develop the project plan for building the system.
Examination of the project development methodology: the project manager is responsible for assigning roles and responsibilities to each team member in order to reduce the risk (Rainer, Prince & Watson, 2014).
Effect of risk control: the different threats related to the growth of the VIC information system are documented, and their priority recorded, in preparation for the risk control plan.
Failure modes: it is the project manager's responsibility to create a development schedule and assign resources to each stage. The project budget must also be estimated and monitored until the project is complete (Guo, 2013), since the success of the project depends on completing it within the proposed time and budget.
Some risks can be mitigated after proper diagnosis and the creation of a proper risk management plan. The approach applied for risk mitigation consists of the following steps:
- Defining the scope and objectives for risk management.
- Identifying criteria for evaluating the risk management process (Hopkin, 2014).
- Defining the key elements and issues.
- Identifying all risks that may affect the risk management process.
- Assessing the consequence of each risk and how often it may occur during the development period.
- Monitoring development and setting aside low-severity risks during development to reduce complexity.
- Identifying the moderate and major risks that require management attention (Behnia, Rashid & Chaudhry, 2012).
- Identifying the possible responses to moderate and major threats.
- Developing risk action plans for major risks.
- Developing management measures for moderate risks (Rogers et al., 2016).
- Implementing the action plans and management measures.
- Monitoring implementation.
- Periodically reviewing risks and evaluating the need for further risk management.
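The ranking of deliberate against accidental threats discussed earlier, and the assessment steps just listed (rating consequence and likelihood, banding each risk as high, medium, medium-low or low, then deciding which risks get action plans, which get management measures and which are only monitored or accepted), can be made concrete as a small qualitative risk register. The Python below is an added example written for this page; it is not part of the original essay or of any VIC Government artefact. The 1 to 5 likelihood and consequence scales, the score thresholds for the four bands, and every threat rating in the register are constructed assumptions for illustration, not figures from the case study.

```python
from dataclasses import dataclass
from statistics import mean

# Conventional 1..5 qualitative scales (assumed; the essay names no scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Score floors for the essay's four exposure bands (assumed thresholds).
BANDS = (("high", 15), ("medium", 9), ("medium-low", 5), ("low", 1))

# Treatment per band, following the process in the text: action plans for
# major risks, management measures for moderate ones, monitor or accept below.
TREATMENT = {"high": "risk action plan", "medium": "management measures",
             "medium-low": "monitor", "low": "accept"}


@dataclass(frozen=True)
class Threat:
    name: str
    origin: str        # "deliberate" or "accidental"
    likelihood: str    # key of LIKELIHOOD
    consequence: str   # key of CONSEQUENCE

    @property
    def score(self) -> int:
        """Risk score = likelihood x consequence, in the range 1..25."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def band(score: int) -> str:
    """Map a 1..25 score to one of the four exposure bands."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    for label, floor in BANDS:
        if score >= floor:
            return label
    return "low"  # unreachable for a valid score; kept for clarity


def rank(threats):
    """Order threats by descending score; ties are broken by name so the ranking is deterministic."""
    return sorted(threats, key=lambda t: (-t.score, t.name))


def report(threats):
    """One row per threat, highest risk first: (name, origin, score, band, treatment)."""
    return [(t.name, t.origin, t.score, band(t.score), TREATMENT[band(t.score)])
            for t in rank(threats)]


def mean_score_by_origin(threats):
    """Average score per origin, to compare deliberate against accidental threats as a class."""
    by_origin = {}
    for t in threats:
        by_origin.setdefault(t.origin, []).append(t.score)
    return {origin: mean(scores) for origin, scores in by_origin.items()}


# Constructed register: the threat names echo the essay, the ratings are illustrative only.
REGISTER = [
    Threat("unauthorised access to or modification of data", "deliberate", "likely", "severe"),
    Threat("denial of service attack", "deliberate", "possible", "major"),
    Threat("sabotage by insider or contractor", "deliberate", "unlikely", "severe"),
    Threat("eavesdropping on network traffic", "deliberate", "possible", "moderate"),
    Threat("unpatched database server", "accidental", "likely", "major"),
    Threat("misconfiguration by team member", "accidental", "possible", "moderate"),
    Threat("non-availability of team members", "accidental", "likely", "minor"),
    Threat("schedule slip and cost overrun", "accidental", "possible", "minor"),
    Threat("hardware breakdown", "accidental", "rare", "moderate"),
]

if __name__ == "__main__":
    for name, origin, score, level, action in report(REGISTER):
        print(f"{score:>2} {level:<10} {origin:<10} {action:<19} {name}")
    print(mean_score_by_origin(REGISTER))
```

Two things the table alone does not show fall out of running this: deliberate threats score higher on average, which supports ranking them first as a class, but a single accidental threat (the unpatched database server) still lands in the high band and needs an action plan rather than being set aside with the other accidental items. Banding by score rather than by origin is what keeps that case visible.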
References
Cpdp.vic.gov.au. (2017). Retrieved 26 August 2017, from https://www.cpdp.vic.gov.au/images/content/pdf/data_security/20160628%20VPDSF%20Framework%20June%202016%20v1.0.pdf
Behnia, A., Rashid, R. A., & Chaudhry, J. A. (2012). A survey of information security risk analysis methods. SmartCR, 2(1), 79-94.
Bernardo, D. V. (2012). Security risk assessment: toward a comprehensive practical risk management. International Journal of Information and Computer Security, 5(2), 77-104.
Bompard, E., Huang, T., Wu, Y., & Cremenescu, M. (2013). Classification and trend analysis of threats origins to the security of power systems. International Journal of Electrical Power & Energy Systems, 50, 50-64.
Burdon, M., Siganto, J., & Coles-Kemp, L. (2016). The regulatory challenges of Australian information security practice. Computer Law & Security Review.
Chance, D. M., & Brooks, R. (2015). Introduction to derivatives and risk management. Cengage Learning.
Glendon, A. I., Clarke, S., & McKenna, E. (2016). Human safety and risk management. CRC Press.
Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis. Computers & Security, 32, 242-251.
Hopkin, P. (2014). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
Hull, J. (2012). Risk Management and Financial Institutions. John Wiley & Sons.
Klaic, A., & Golub, M. (2013). Conceptual modeling of information systems within the information security policies. Journal of Economics, Business and Management, 1(4), 371-376.
Lo, C. C., & Chen, W. J. (2012). A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems with Applications, 39(1), 247-257.
Nassimbeni, G., Sartor, M., & Dus, D. (2012). Security risks in service offshoring and outsourcing. Industrial Management & Data Systems, 112(3), 405-440.
O'malley, P. (2012). Risk, uncertainty and government. Routledge.
Pearce, M., Zeadally, S., & Hunt, R. (2013). Virtualization: Issues, security threats, and solutions. ACM Computing Surveys (CSUR), 45(2), 17.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Pieters, W., Lukszo, Z., Hadžiosmanović, D., & van den Berg, J. (2014). Reconciling malicious and accidental risk in cyber security.
Rainer, R. K., Prince, B., & Watson, H. J. (2014). Management Information Systems. Wiley Publishing.
Rampini, A. A., Sufi, A., & Viswanathan, S. (2014). Dynamic risk management. Journal of Financial Economics, 111(2), 271-296.
Rogers, K., Boon, P. I., Branigan, S., Duke, N. C., Field, C. D., Fitzsimons, J. A., ... & Saintilan, N. (2016). The state of legislation and policy protecting Australia's mangrove and salt marsh and their ecosystem services. Marine Policy, 72, 139-155.