Managing Financial And Security Risks Associated With IT Services For Aztek

The final assessment is to deliver an IT Risk Assessment Case Study in support of a significant technology decision that is to be taken by a fictional company called Aztek that operates in the Australian Financial Services sector.

Senior executives in both business and technology divisions within Aztec have collected a portfolio of projects from their respective strategists that could be potentially funded for deployment. The portfolio includes projects such as:

Allowing employees to bring their own devices (laptops, tablets and mobile phones for example) into the workplace to be used as their main or sole devices in achieving their work tasks.

Migrating business-critical applications and their associated data sources to an external Cloud hosting solution.

Outsourcing key IT functionality such as the network, desktop management or application development to a third party.

Upgrading or introducing a major technology such as mobile platforms and applications, migrating to an improved networking technology (such as IPv6), creating a corporate-wide email archive for compliance purposes, or upgrading applications and desktop operating systems.

Each of these potential projects carries significant IT risks which will need to be managed to support the business case as to whether the project should go forward. In this case study, you are the IT Risk Assessment lead at Aztek, and your role is to be the interface between business stakeholders and technologists, translating potential technical difficulties into risk language to facilitate effective decision-making by stakeholders.

For the Aztek case study you will need to select one of the projects from the list above for a thorough IT Risk Assessment. You may select another project beyond those listed above with the approval of the subject coordinator, and you may wish to select a project that is relevant to your workplace for example.

Financial Risks

Aztek has decided to shift to the cloud and they are hoping to shift to the IT can be a blessing for them, the IT services can offer the facilities that can help them to enrich their business activities, the IT services can help them to outsource their services to third-party company and can be largely benefitted, however, they should be mindful of all the risks associated with the IT services (Lam, 2014).

The report will focus on financial risks, the threats and the vulnerabilities associated with the IT services. The report will highlight the security or the control measures that they should adopt to conduct their business operations in a better way.

The risks associated with the financial services are-

The systematic risks

The systematic risks are the risks over which the organisation has no control. The risks generally occur due to some external aspects and the effect is felt throughout the company and throughout the industry. The risks involve war, political events or any other recession, even the interest rates are also considered as well (Wu & Olson, 2015). The aforesaid risks are classified as a market risk, Interest Rate Risk and the purchasing power risk.

The Unsystematic risks

The risks are termed as a diversified risk; the risk is carried out within the enterprise. The risk effect is considerably lesser and generally affects an enterprise’s resources. The enterprise assesses the risk and they themselves solve the issues or the risks within. The operational risk, liquidity risk, financial risks are the risks described over here (McNeil, Frey & Embrechts, 2015). The examples of unsystematic risks are liquidity risk, operational risk factor and the business risk.

Relevant risk

The relevant risk consists of the both systematic risk and unsystematic risk. The systematic risk is not taken into consideration as relevant risk as the risk cannot be controlled. The unsystematic risk is taken into consideration as the relevant risk as the risk can be assessed and can be controlled (Chance & Brooks, 2015). The financial risks involved are solvency risk, strategic risk, liquidity risk, counterparty risk, regulatory risk and the legal risk.

Strategic risk

The strategic risks occur when any organisation takes any wrong decision and use their company resources in wrong way. The faulty business plan can be the reason for the failure of projects, the company can even face losses due to the business tactical mistake or the strategy mistake.

Systematic Risks

Market risk

The market risk occurs when the prices of a particular resource augment in the market (Lam, 2014). The price of the market products can increase due to interest rate risk, financial market risks and the equity risk.

Credit risk

The credit risk occurs when the borrower becomes unsuccessful in repaying the loan, in other scenarios the lenders who lend money is unsuccessful to detect whether the borrower is capable to repay the money back or not.

The legal compliance is necessary to consider in Australia and this assists in taking up the best strategy which can significantly furnish the business activities. There are external risks factors associated with political factors too which can affect the company's performance (Chance & Brooks, 2015). These factors need to be detected and based on that the external factors must be assessed in an effective manner. The carrying out of business operations effectively can diminish the risk occurrence within the company.

Internal risks are related to different factors like -

• The communication procedure
• Following of transparent procedure

In the given scenario, Aztek must adopt the best possible strategy to communicate with the outsourced company; the strategy must be taken in a way such that the risk incurred can be diminished. In some scenarios, the enterprise can decide to train the employees of the enterprise to adopt the best strategy such that the company does not face such kind of loss. The strategies have been taken to enhance the quality of the customer experience and the customer service. Aztek must be careful if any mishaps occur within the company then the whole reputation can be under threats and thus the reputation of Aztek will be threatened. Aztek being adopting the IT services must be aware of all the IT threats, vulnerabilities and the security measures (Bromiley et al., 2015). The security measures can assist Aztek to conduct the business activities in a more secure manner and Aztek can gain profit as a result of this.

The federal body of Australia has imposed certain rules and every individual including the enterprises must follow the rules imposed. The strict rules and regulations can assist the enterprises to conduct the business operations efficiently and ethically. The regulations will help the managers of Aztek to learn about the issues which are faced by the employees and proper rules and regulations can help to mitigate those risks within. It is the duty of the management to detect whether everything is going on the basis of regulations of the company or not (Sadgrove, 2016). It is also the responsibility of the finance team to monitor the finance section within the company premises and also look for opportunities to increase the profit of the company. Therefore, certain policies must be taken into consideration before proceeding –

1. The rules and regulations must be in accordance with the financial sections and those policies must be properly undertaken and must be applied effectively in financial sections.
2. The threats and the risk must be properly evaluated and for this reason, the financial market and the market of the employees must be carefully examined. This evaluation can protect the company from losses (Bolton, Chen & Wang, 2013). Also, the tasks undertaken must be kept in digital format as well as in written format.
3. Aztek must follow the government’s policies and must accordingly. Only by this procedure, they can safeguard their companies from huge losses.

Unsystematic Risks

Aztek must have a proper risk management plan. Only the effective plan can help them to conduct business activities in agile and effective manner. The issues Aztek face must be well taken care of and if possible must be communicated with the stakeholders to find out a suitable solution to those issues faced. In this way, a healthy relationship can be developed between investors and the stakeholders (Ali, Warren, & Mathiassen, 2017). The report has also highlighted the advantages and the disadvantages the practices of Aztek can bring in.

The report has been prepared by Aztek company. Both the benefits and the disadvantages correlated with IT services carried out by Aztek have been discussed in the report (Ali, Warren, & Mathiassen, 2017). The IT services that Aztek conducts in their premises are network implementation, implementation of software and implementation of a proper management system for the desktop.

Aztek must take efficient decisions to conduct the business activities and also to outsource IT services. Thus they must a threat model to identify the potential risks and the threats that can create loopholes in Aztek. Aztek must find out the best solution to safeguard their business activities. Aztek must take into consideration the threats and the risk intensely otherwise there is a possibility Aztek can get in serious trouble. Aztek provides financial benefits to its customers so it is their duty to store the customers' data in the database safely and securely. Thus they must consider the security measures via which they can protect the confidential information.

The IT service that Aztek work on must be carried on in a safe and secure manner, otherwise there is a chance that the Aztek can face huge losses and there is a possibility their reputation gets endangered (Ali, Warren, & Mathiassen, 2017). That is why Aztek must cooperate and coordinate and should work on as per the outsourced organisations’ demands. This can certainly check the negative impact of the company.

Strategies to detect security goals- The risks associated with database storage has been showcased in the report. This initiative can assist Aztek to take the correct decision to implement the best policy and by this method, the information can be stored efficiently.

Assess the application- The requirements and the demand for each company are different. Aztek, for this reason, must choose software applications wisely. Ztek should assess the risks associated with that application (Choo, 2014). The risk assessment will help them to furnish the business goals; also it helps Aztek’s management team to take the appropriate decision to take the best decision to safeguard their clients’ sensitive data.

Relevant Risk

Identification of threats

Phishing attacks- The attack involves hacking of one’s confidential data and account credentials. The intruders copy the HTML code of Aztek and develop a website, a replica of Aztek website. The Aztek clients being unaware of the fact can gain access to the fake website by giving credentials. The intruders getting the credentials can steal the vital information of the clients (Islam et al., 2016). This attack is also carried out by them via emails. The attackers send emails to the clients providing them with the links, the clients upon clicking the link got directed to the fake website, in this way their sensitive data can get breached.

Data Packet Sniffing- The hacktivist can take advantage of the insecure network, can hack it and can take control over the data flow, in this way the clients’ personal data can get breached by the intruders’ attack.

IP spoofing-The hacktivist can change the source of data flow thus one cannot trace the source of attack (Rittinghouse & Ransome, 2016). Aztek's system if getting compromised Aztek can only identify the malicious data flow but can be unsuccessful to detect the source of the attack.

Port Scanning- The port scanning is the technique by which the activists trace or identify the service which Aztek is using in the cloud system, thus can implant a virus on the system and can make their system vulnerable to attack.

Backdoors- The web developers create backdoors for applications while building a software application or website and via this backdoor, the developers keep an eye on the code executed (Albakri et al., 2014). Similarly, in case of Aztek site there are backdoors which can be a threat to the organisation, thus the developers must take the initiative and remove the backdoor so that the hackers do not get any kind of scope to attack the system.

Identification of vulnerabilities

1. Predictable session identifiers-Base 64 usage can let the hackers to recognise the session identifiers, they also reverse engineered the algorithms and modify it and carry on their malicious activities.
2. Dependence on client-side validation-The browser history and settings can get hijacked and with that the Javascript stored in the database gets disabled and thus, the privacy and security of the system and the database can get endangered.
3. SQL injection-Another noteworthy threat is SQL injection. The hackers can gain the credentials of the clients exploiting the account of the clients.
4. Unauthorised execution of operations-The authentication can be severely violated due to the attack of the hacktivists and Aztek can face the disaster (Albakri et al., 2014).
5. Cross-site scripting-The browser cookies can get stolen from the browsers by the hackers and make it exploitable to attack (Peltier, 2016). The hacktivist who have the knowledge of CSS, web scripting language and HTML can expose any Aztek’s client website.
6. Issues related to uploading-The Aztek system applications and the database can be under serious threat due to the malware attack. The hackers via XSS and the Trojans can exploit the system and the database.  
7. Issues related to logging out-The clients sometimes feel too lazy to log out of the system, the attackers can gain into the Aztek account via an insecure network and can rob the important data of the database, thus the clients' data can get breached (Sennewald & Baillie, 2015).
8. Passwords-The clients sometimes set very easy predictable passwords for their system which can be guessable and thus the system becomes vulnerable to attack. The lazy approach from the clients can prove dangerous (Rittinghouse & Ransome, 2016). The hackers via brute force method can gain access to the system and expose the vulnerabilities residing within the database and the system of Aztek.
9. The unencrypted passwords-The clients unknowingly store passwords in their system as they tend to forget the password. The attackers attack the system via virus and malware and Trojan virus and acquire those files where the password is written. Also, the hackers search for the hidden files in the system where the password is saved in unencrypted form.
10. Phishing attack-The phishing attack is another noteworthy mention which is a disastrous one, the hackers send spam emails to the clients of Aztek claiming that they are sending emails from Aztek (Almorsy et al., 2016). The clients can unknowingly enter those malicious sites and thus can lose confidentiality and lose all the credentials and can even lose all the sensitive data.
11. The absence of account lockout-The account lockout absenteeism can lead to cybercrime attack.
12. Not showing the previous sessions-The innocent clients unknowingly can enter their personal information again and again and thus risks their own privacy. In this way by catering the username, password the clients can get into trouble and their confidential data can get breached (Ahmad & Maynard, 2014).
13. No appropriate settings for cookie security:The hackers can develop a channel for Aztek clients and the server and via this channel, the browser cookies get transmitted (Siponen Mahmood & Pahnila, 2014). The hackers first exploit the system and gain access to those browser cookies and this way threats can spread all over Aztek.
14. Weak cyphers-The attackers can expose the system and the database and can record what is being transacted and in this way, the SSL key is cracked the intruders get into the system.

The management team of Aztek should take effective decision to mitigate the risks related to financing and the IT services. The executive should act in a proactive manner. They also should have sound knowledge on the security and the control measures via which the information security system can be greatly embellished. They must follow the federal body's rules and policies as that can give them the option to run the business activities more securely and ethically and effectively. They must take up the code of practice that is based on ISO strategy and they can gain huge benefits by this methodology (Chen et al., 2013). The risks residing within the Aztek premises can be checked to a greater extent with the help of this method. For this reason, they must adopt the control measures and should follow the guidelines effectively to make the required changes to enhance the quality of IT services.

Security Measures for IT Services

Aztek can enjoy the cloud technology and this can cater Aztek with the best services that they can get. The cloud technology can help them to communicate with the clients throughout day and night. Also, the cloud technology can make their business procedures fast and effective. However, they should be mindful of the problems related to cloud computing. All they need is fast bandwidth and fast and secure network connectivity to carry out their business activities (Sawik, 2013). The below factors must be considered while carrying out the business activities and they are-

1. Issues which is related to integrity
2. Company trust
3. The transparency that to be followed by Aztek and third party outsourced companies
4. Confidentiality
5. Use of the features available for IT services
6. Availability of the options

The above factors suggest that Aztek must take up the effective decision strategy to carry out their business. The effective decision strategy can also help them to fight with the system and the database loopholes or vulnerabilities (Pascoal, 2012). The outsourced tasks can be largely benefitted due to the methodology and decision they adopted.

For this reason, to get the maximum productivity and the advantages, Aztek must take up the effective service level agreement (Dotcenko, Vladyko & Letenko, 2014). The approach can help them to overcome the barriers and can help them in the long run.

1. Managing an accurate inventory of control system devices:Aztek should not allow their computer nodes to stay connected with any kind of wired or wireless network partly if gets connected to any sort of network partly then the hackers will get the opportunity to grasp over the insecure network (Kimwele, 2014). Therefore, Aztek must keep an eye on the system nodes whether they are connected as a whole and should check whether they are partly connected or not, otherwise via those loopholes the hackers can enter the system.
2. Developing network boundaries:The network boundaries are there to assure security to the system and the database and to detect any defects within the security framework model (Fenz et al., 2014). These are the controls that are used to filter out the inbound and outbound traffic. The firewall is network boundary equipment and is used to check the malicious data flow and in this way, the network must be governed.
3. Using Secure Remote Access methods:Aztek should use the Virtual Private Network as they are known to cater the secure channel via which they can carry on their business operations. The Aztek clients can conduct all the financial activities in a safe and secure manner, they can also protect and safeguard their system due to this secure channel (Crossler et al., 2013). Aztek can safely use the printers and websites connecting to the Internet due to this secured channel.
4. Establishment of role-based access controls:The clients should be given certain permission to use the database and system and that should not exceed. The employees should also be given the permission to access the database according to their job role. In this way, the hackers' entry can be checked to an extent. Thus Aztek can carry out their business activities in a secure manner (AlHogail et al., 2015). This initiative also let us know that the malicious activities of the hackers. Aztek can also utilize the logging capabilities and via this method, Aztek can enhance their security in their office premises.
5. Use of strong passwords:The clients must act in a proactive manner while using the Aztek system. They must utilize a password which is not predictable, cannot be guessed easily and cannot be predicted so easily that is why the password which the clients set must contain at least one big case letter, one small-case letter and one symbol, and the password must be overall eight digits long. The password set by the clients cannot be anyone’s one place or anyone’s name (Bell, Ndje & Lele, 2013). Thus setting a strong password they can assure safety and security of them and also Aztek, otherwise, the weak password can lead to vulnerabilities like hacking of one's personal data. Thus they all must be careful while choosing the password for their system.
6. Installation of antivirus software:Aztek must not deny the positive effect of antivirus software. Aztek must choose antivirus software wisely otherwise there is a chance their vital data can get breached. They must know that the antivirus software is capable to defend that malicious software those try to enter the system. The system can get overall security due to the approach. They also should use the latest hardware, latest software and the latest operating system as this can help them to achieve the goals. They also must update their system and the database regularly along with that they must apply patches (Singh et al., 2013). Thus it will help them to carry out their business activities in agile and effective manner. The outdated software and hardware are threats to any system and Aztek is no exception so they must be careful.
7. Enforcing policies for mobile devices:The mobile devices must have an antivirus installed and along with that the clients must use a strong password for the system. This can save the sensitive information stored in the system by the installation of the aforesaid approach.
8. Cybersecurity:The cybersecurity plays an important role to fight with the hackers. The Aztek employees must know all the security measures as that will help them to carry out their business operations in safe and secure manner. Any hackers if want to gain entry to the system they can get to know the vulnerable attack and also about the vulnerable network (Singh et al., 2013). The cyber security team thus can educate the Aztek employees to conduct the business activities.
9. Involving executives:The executives can prove to be beneficial while identifying any cybersecurity risks erupt within the system; they can also help to connect to the stakeholders (Bell, Ndje & Lele, 2013). The executives are aware of the cybersecurity threats thus can provide best solutions to the check the IT risks and also this effective decision can help them in the long run.
10. Implement a disaster plan beforehand:A disaster management plan must be made as this can help to effectively run the business and to make best decisions, also the company’s huge losses can be controlled (Bell, Ndje & Lele, 2013). Like any other organisations, a disaster plan is an absolute necessity for Aztek too.

Conclusion

It can be concluded from the above discourse that they can get significant benefits if adopt the IT services and the cloud technology. The cloud technology can help them in their business in the long run. The cloud technology can assist to cater better IT services thus more productivity can be expected. This can also help them to build a healthy relationship with clients. However, they should be mindful of the risks, threats and the vulnerabilities in relation to IT services. Therefore, they must adopt the security framework model to secure the business process. They can abide by the policies to execute their business process ethically and effectively. The report has highlighted all these aspects in details.

References

Ahmad, A., & Maynard, S. (2014). Teaching information security management: reflections and experiences. Information Management & Computer Security, 22(5), 513-536.

Albakri, S. H., Shanmugam, B., Samy, G. N., Idris, N. B., & Ahmed, A. (2014). Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), 2114-2124.

AlHogail, A. (2015). Design and validation of information security culture framework. Computers in human behavior, 49, 567-575.

Ali, A., Warren, D., & Mathiassen, L. (2017). Cloud-based business services innovation: A risk management model. International Journal of Information Management, 37(6), 639-649.

Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.

Identification of Threats

Bell, B. G., Ndje, Y. J., & Lele, C. (2013). Information systems security management: optimized model for strategy, organization, operations. American Journal of Control Systems an Information Technology, (1), 22.

Bolton, P., Chen, H., & Wang, N. (2013). Market timing, investment, and risk management. Journal of Financial Economics, 109(1), 40-62.

Brender, N., & Markov, I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International journal of information management, 33(5), 726-733.

Bromiley, P., McShane, M., Nair, A., & Rustambekov, E. (2015). Enterprise risk management: Review, critique, and research directions. Long range planning, 48(4), 265-276.

Chance, D. M., & Brooks, R. (2015). Introduction to derivatives and risk management. Cengage Learning.

Chen, Z., Han, F., Cao, J., Jiang, X., & Chen, S. (2013). Cloud computing-based forensic analysis for collaborative network security management system. Tsinghua science and technology, 18(1), 40-50.

Choo, K. K. R. (2014). A cloud security risk-management strategy. IEEE Cloud Computing, 1(2), 52-56.

Cremonini, M. (2016). Cloud Security Risk Management. Cloud Computing Security: Foundations and Challenges, 87.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. computers & security, 32, 90-101.

Dotcenko, S., Vladyko, A., & Letenko, I. (2014, February). A fuzzy logic-based information security management for software-defined networks. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 167-171). IEEE.

Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410-430.

Goldstein, A., & Frank, U. (2016). Components of a multi-perspective modeling method for designing and managing IT security systems. Information Systems and e-Business Management, 14(1), 101-140.

Islam, S., Fenz, S., Weippl, E., & Kalloniatis, C. (2016). Migration Goals and Risk Management in Cloud Computing: A Review of State of the Art and Survey Results on Practitioners. International Journal of Secure Software Engineering (IJSSE), 7(3), 44-73.

Kimwele, M. W. (2014). Information technology (IT) security in small and medium enterprises (SMEs). In Information Systems for Small and Medium-sized Enterprises (pp. 47-64). Springer Berlin Heidelberg.

Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley & Sons.

Latif, R., Abbas, H., Assar, S., & Ali, Q. (2014). Cloud computing risk assessment: a systematic literature review. In Future Information Technology (pp. 285-295). Springer, Berlin, Heidelberg.

McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton university press.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.

Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.

Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC press.

Sadgrove, K. (2016). The complete guide to business risk management. Routledge.

Sawik, T. (2013). Selection of optimal countermeasure portfolio in IT security planning. Decision Support Systems, 55(1), 156-164.

Sennewald, C. A., & Baillie, C. (2015). Effective security management. Butterworth-Heinemann.

Singh, A. N., Picot, A., Kranz, J., Gupta, M. P., & Ojha, A. (2013). Information security management (ism) practices: Lessons from select cases from India and Germany. Global Journal of Flexible Systems Management, 14(4), 225-239.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), 217-224.

Wu, D. D., & Olson, D. L. (2015). Financial Risk Management. In Enterprise Risk Management in Finance (pp. 15-22). Palgrave Macmillan UK.