Discuss Risk Management and Information Technology.
Risk is commonly described as a disaster or malicious activity that appears as an undesirable event. A vulnerable event and a threat together define the expected harm to an organisation; combining all the risks and threats an organisation faces lets it weigh the expected outcomes and their probabilities. Risk management is the practice of managing these risks so as to prevent and recover from the malicious and harmful activities that affect the core of an organisation, i.e. its whole infrastructure (Aubert et al., 2005). Business risk is linked to the ownership, operational activities and investment decisions that involve IT in an organisation, and it is assessed on an ongoing basis. It is critical to examine the risks and threats that arise in an organisation so that they can be prevented and business activities can continue without interruption. IT security and risk management together form a complete approach that covers the whole business risk model; it is used to identify security-related business risks and overcome them, and it requires that employees be trained so that they have proper guidance on security, on the main objectives to be pursued, and on the security and network architecture (Benaroch et al., 2007). IT security allows clients to update and improve their security risk management and strategy, to continue all organisational activities, and to use the latest technologies to raise data protection and mitigate current risks and threats.
The resources used in the organisation need strict security measures to prevent and overcome all problems. Internal and external threats to the confidentiality, integrity and availability of these assets have increased. Security breaches are the most common attacks aimed at destroying an organisation's IT architecture; they mainly target the business transactions, the employee database, the client database and the organisation's own data. Every organisation must overcome these threats and protect itself from intrusions and from wrongful use or disclosure (Benaroch et al., 2006). All systems of an organisation should be updated and maintained daily or weekly so as to protect them from intrusions and malicious activities. The main purpose of an organisation's IT security policies and procedures is to ensure that every individual understands the scope of their responsibilities in reducing risk and takes the appropriate actions and measures, as set out in the security policy, to protect organisational resources. IT security assessments incorporate methodologies to govern the identification of, and protection from, threats and vulnerabilities through an effective organisational structure, a set of well-documented policies and processes, and a sound security design (Fenz et al., 2014). Organisational policies specifically focus on the resources used to overcome threats and are intended to assign responsibility for safety measures in a suitable manner. Aztek has the main responsibility to establish and follow organisational standards for information security and internal controls, and to plan disaster recovery.
It is important for organisation management to follow the main procedures and guidelines and to have proper guidance for performing security tasks. The primary focus is on information that is kept confidential and reliable for conveying data throughout the State (Galliers et al., 2014).
The main policies and procedures to be followed:
- Confidential Information: Information is classified according to the performance and the position of the company, and strictly according to job-related functions. Confidential information should remain within the organisation and must not cross its boundaries; appropriate controls should prevent the inappropriate transfer of sensitive and confidential information. Users working for the organisation should follow the required security practices and services, including keeping passwords for validating users (Glendon et al., 2016).
- Information Content: The essential information provided should be content based, and it is the company's primary responsibility to maintain its authentication and integrity and to ensure that the information is accurate as it flows. The goal of owning information about the organisation is to shield the data from accidental or deliberate harm and from unauthorised disclosure or use, in line with the established rules. All information content should reflect the actual problems being faced by the company.
- Access to Information: Information access should be in the correct state to grant the desired access, and the organisation is responsible for maintaining current and accurate access for the employees who perform security functions. This includes communicating the appropriate strategies, rules and best practices to the relevant client, owner or individuals responsible for facilitating activities, granting client access to system functions on behalf of their organisation, and reporting all deviations from the policy, systems, rules and best practices (Grace et al., 2015).
- Information Security: The organisation must maintain security so as to avoid the threats and risks that affect it. Information should flow and be classified in a well-organised manner to maintain security. This means handling confidential information according to the rules and regulations, establishing its classification, and approving access to it.
- Availability of Information: Availability of information is necessary to fulfil the organisation's responsibility to the client. Access to information is granted so that the required business processes can continue and the following operations can be performed. Information must be available to flow regularly, periodically and constantly in the organisation (Hopkin, 2017).
IT Control Framework
An organisational control framework governs the organisation's data structure; it categorises and brings together the internal controls used to establish the procedures for running the business and reducing business risk. The fundamental goal of having such a system in place is to support the convergence of operations and control execution. Various standards and frameworks have been developed to meet the essential requirements of an organisation. A control framework is designed to ensure that threats and risks are reduced through a proper, organised design for implementation, testing of data and monitoring of systems (Hoyt & Liebenberg, 2015). A powerful tool is needed to implement the framework, one that focuses primarily on the key structures, business values and processes so that internal control is properly understood. It is a process performed by teams or individuals through dynamic learning to build proper knowledge. The IT control framework considers the core elements of an organisation, which include its administration, resources, structure, culture, business activities and assigned tasks, so as to meet the organisational objectives. It depends on the individual beliefs and ethical values that employees must follow to uphold organisational standards. It plays a vital role in controlling, identifying and mitigating risks so that business activities can flow continuously. These include not only the risks related to the organisation's achievements and company-specific objectives and goals, but also fundamental risks to availability (Jouini et al., 2014).
Operations in outsourcing key IT functionality in risk management
Some companies conduct business and rely on information technology to access large market research databases and find new consumers, whereas others transfer IT assets to third-party vendors, which helps the company build a safe IT culture and ensures that it remains competitive without losing ground. Outsourcing has been practised for many years and was earlier known as "facilities management". IT outsourcing is basically a long-term contract between a vendor and a customer in which the vendor supports the customer's organisational operations. The vendor's employees control, operate, maintain or manage the customer's information systems, such as equipment, networks and application systems, located on either the customer's or the vendor's side. In such a relationship the equipment involved may be owned by the vendor or by the customer. In this process the customer finds a suitable vendor for its IT operations, and a long-term contract is established between them with a condition that no information is leaked; that is, the outsourcing contract is not itself an information system, but information systems are an integral part of it. This is a mission-critical service in which information systems security is an important part of the outsourcing (Bahli & Rivard, 2003).
The main principles used for controlling the framework
- Purpose: The framework should be designed to model the organisation properly and with a clear purpose, so that risk does not materialise in the organisation.
- Commitment: Employees should understand the main aim and, as individuals, align with the organisation's identity and ethical values. This covers organisational ethics, integrity, human resource policies, responsibilities, accountabilities and the mutual trust that should be maintained in the organisation.
- Capability: Current employees should be equipped with the resources used in the company and have the competence to understand the requirements of the control model. This includes the various tools and skills needed to access information and control activities. Capability depends entirely on the training and awareness provided for contributing to all business activities (Lam, 2014).
- Action: This is based on the actions taken to overcome risks and threats according to the designed framework, and on initiating the action plan during an emergency.
- Monitoring: All employees must monitor the problems that arise, based on the internal and external environments of the organisation. Situations that arise must be inspected, supervised and examined so that methods and strategies can be implemented to overcome them (Larson & Gray, 2013).
Data Security in an Organisation
Data security is the most essential part of an organisation. Securing the database properly is the major issue faced by all organisations, and it requires the latest technologies to keep data secure for every business operation. Data is also known as the backbone of an organisation: it holds the client and user databases, employee information, customer financial data and the company's own data. Data security is therefore the most important asset of an organisation. It is the process by which data is placed securely, and it reveals data security to be one of the most complex problems. In today's scenario data moves freely within corporate networks, and the main impact comes from mobile devices and cloud storage, which increase the power of rapidly evolving threats. The organisational infrastructure aims to expand the organisation's needs by using new technologies and services to initiate tasks and activities. The company should aim above all to organise and manage the significant tasks of data security and the risks to it (Laudon & Laudon, 2016).
Managing data security remotely is not an option, and merely having access to various security tools is not sufficient against the risks and threats evolving in an organisation. To address and cope with data security risks successfully, the company follows a data-centric approach that keeps the main concepts in mind. To manage the risks associated with the organisation in today's environment, the company uses data centricity to value the important business data, which makes implementing information security important. Using these approaches the company is in a position to overcome all the risks and threats affecting it (McNeil & Embrechts, 2015).
- Ensuring Data Security Accountability: The organisation must ensure that workforce management holds the key responsibilities and is aware of threats and risks. Data should be classified so that people working in the organisation can easily understand the differences. The classification of data includes:
  - Confidential data: internal data that is sent to other management within the same organisation.
  - General data: data that is to be shared with other networks.
- Network Services and Governing Policies: This depends on how the company handles issues such as IP address configuration and remote access to data. It covers and enforces all security policies and their main components, including the intrusion detection system.
- Scanning for Vulnerabilities: The organisation must find the vulnerabilities in the company and its IT infrastructure. To avoid them, the company should check its networks routinely and regularly to overcome the risks.
- Managing Patches: Code fixes should be applied to eliminate vulnerabilities and protect against threats.
- System Data and its Security: The organisation's servers must be maintained so that operations in the systems continue under the data security policy. Rules and regulations for the server systems deployed on the company networks, including their accounts and passwords, must be clearly defined (Olson & Wu, 2015).
Database migration is the process of moving a database from one source to another by transferring the entire data between computer storage and file types. Data is migrated for a variety of reasons, which usually include changing storage devices or server storage. Database migration is one of the most important activities of any organisation; it involves moving or copying data from one source to another. Aztek copies and moves its whole organisational data from one source to another in order to keep security maintained. It is the key component at every stage, helping to mitigate the risks within each component of a migration (Schwalbe, 2015).
The four basic components of database migration are:
- Network infrastructure: This includes the various servers, firewalls and system security software tools used to maintain a proper IT infrastructure so that the database is kept maintained and secured from threats.
- Databases: These are the typical products used to store and move the database from one system to another using various technologies. Various software tools serve as typical products offering low-risk entry points when migration is considered.
- Third-Party Applications: Third-party applications are involved here as low-risk migration products that can be used or run on multiple platforms.
- Custom Code: Different scripting languages are used to create the thousands of applications the company uses to run its critical applications; these may sometimes raise risks, or malicious activity may take place, because the applications being used were not meant for the target platform (Van De Walle et al., 2014).
Strategies Used for Mitigation
- Reasonableness: A company does not deal with every conceivable risk, because not all risks are reasonable to manage. This is essentially the test applied to decide whether a risk can be controlled. It is derived from the reasonable person standard in law.
- Balancing Risk and Cost: The cost of managing or controlling a risk must be balanced against the impact value. The cost is essentially balanced by its real monetary values, if they are available in the organisation (Webb et al., 2014).
- Perceptions of Threats: Not all staff will understand the danger to an organisation if risk is not managed. One of the most difficult tasks in effective risk management is to achieve a proper balance between security and usability.
- Stability in Security and Usability: One of the challenging tasks in effective risk management is to achieve a proper balance between system usability and security.
- Techniques used for Risk Identification: The essential task is to learn about and identify the risks that have occurred. Losses mostly occur when the risk has been detected. There are three stages:
  - Identification of malicious activities
  - Performance and calculation of the likelihood
  - Identification of susceptibilities (Willcocks, 2013).
Database Security Best Practices of Aztek Organisation
It is essential to protect the confidentiality, integrity and availability of information. The best practices are:
- Ensure that database administrators understand both the business value of the databases and how to certify that they are secured, so that the various resources used to secure the database can be properly maintained.
- Parameterise the queries made on the database so as to detect malicious activity intended to harm the organisation's database.
- Analyse the organisation's code with a static code analysis tool, and develop the various applications for the database so that misconfiguration issues are found.
- Maintain the organisational database: keep it up to date, remove unwanted data, and ensure the confidentiality, integrity and availability of the databases.
- Maintain the services and important features needed to work smoothly with the databases. The database should be kept updated so as to reduce redundancy and duplicate data in the organisation.
- Maintain the availability of data so that it is not lost due to power cuts or UPS failure, and ensure that no data is lost during the shutdown process.
- Data masking allows users to access only certain information so that business operations such as credit card processing, testing and database maintenance can continue. It mainly helps with data confidentiality.
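As an added worked example (not code from the original essay, and not anything Aztek uses), the following Python script shows the two practices in the list above that can be demonstrated directly in code: the parameterised query recommended for database access, placed next to a string-built query so that the difference in behaviour is visible, and a simple data masking routine that exposes only the last four digits of a card number and the first character of an e-mail address. The in-memory SQLite table, the sample customer rows and the masking rules are constructed for this example and are assumptions, not anything the essay specifies.

```python
import re
import sqlite3

# Constructed sample data (not from the essay): two customer records.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111111111111111"),
    ("bob", "bob@example.com", "5500000000000004"),
]


def build_db():
    """Create an in-memory customers table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, card_number TEXT)"
    )
    # executemany with '?' placeholders is itself a parameterised insert.
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, username):
    """String-built query: the caller's input becomes part of the SQL text,
    so a quote character in the input changes the query's structure."""
    sql = "SELECT username FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so the input is only ever compared as data."""
    sql = "SELECT username FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def mask_card(pan):
    """Keep only the last four digits of a card number (assumed masking rule)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(addr):
    """Keep the first character of the local part and the domain (assumed rule)."""
    local, sep, domain = addr.partition("@")
    if not sep or not local:
        return "***"
    return local[0] + "***@" + domain


def masked_customers(conn):
    """Return every customer with e-mail and card number masked, so the
    result can be handed to testing or maintenance staff without exposing
    the confidential values."""
    rows = conn.execute(
        "SELECT username, email, card_number FROM customers ORDER BY username"
    )
    return [(user, mask_email(email), mask_card(card)) for user, email, card in rows]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("unsafe lookup returned:", lookup_unsafe(db, probe))
    print("parameterised lookup returned:", lookup_parameterized(db, probe))
    for row in masked_customers(db):
        print(row)
```

Running the script shows the string-built lookup returning every row for the quoted input while the parameterised lookup returns nothing, which is the behaviour the parameterisation practice above is meant to secure; the masked listing is the kind of output a data masking policy would hand to testing and maintenance staff.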
In today's scenario companies are mainly affected by the risks, threats or malicious activities that take place in an organisation. To overcome these situations it is necessary to deal with and mitigate the threats affecting the organisation. To keep the business safe from harmful activities, all risks must be controlled by following the various policies, procedures and rules within the organisation, so that risks are recognised and can be remedied quickly. The company should use the latest technologies and software tools so as to be aware of risks. It should have a proper action plan and strategies for implementation in its business activities so as to avoid risks in the near future.
Akintoye, A. S., & MacLeod, M. J. (1997). Risk analysis and management in construction. International journal of project management, 15(1), 31-38.
Alhawari, S., Karadsheh, L., Talet, A. N., & Mansour, E. (2012). Knowledge-based risk management framework for information technology project. International Journal of Information Management, 32(1), 50-65.
Aubert, B. A., Patry, M., & Rivard, S. (2005). A framework for information technology outsourcing risk management. ACM SIGMIS Database, 36(4), 9-28.
Bahli, B., & Rivard, S. (2003). The information technology outsourcing risk: a transaction cost and agency theory-based perspective. Journal of Information Technology, 18(3), 211-221.
Bandyopadhyay, K., Mykytyn, P. P., & Mykytyn, K. (1999). A framework for integrated risk management in information technology. Management Decision, 37(5), 437-445.
Benaroch, M., Jeffery, M., Kauffman, R. J., & Shah, S. (2007). Option-based risk management: A field study of sequential information technology investment decisions. Journal of Management Information Systems, 24(2), 103-140.
Benaroch, M., Lichtenstein, Y., & Robinson, K. (2006). Real options in information technology risk management: An empirical validation of risk-option relationships. MIS Quarterly, 827-864.
Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410-430.
Galliers, R. D., & Leidner, D. E. (Eds.). (2014). Strategic information management: challenges and strategies in managing information systems. Routledge.
Glendon, A. I., Clarke, S., & McKenna, E. (2016). Human safety and risk management. CRC Press.
Grace, M. F., Leverty, J. T., Phillips, R. D., & Shimpi, P. (2015). The value of investing in enterprise risk management. Journal of Risk and Insurance, 82(2), 289-316.
Hopkin, P. (2017). Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
Hoyt, R. E., & Liebenberg, A. P. (2015). Evidence of the value of enterprise risk management. Journal of Applied Corporate Finance, 27(1), 41-47.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in information systems. Procedia Computer Science, 32, 489-496.
Lam, J. (2014). Enterprise risk management: from incentives to controls. John Wiley & Sons.
Larson, E. W., & Gray, C. (2013). Project Management: The Managerial Process with MS Project. McGraw-Hill.
Laudon, K. C., & Laudon, J. P. (2016). Management information system. Pearson Education India.
McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton University Press.
Olson, D. L., & Wu, D. D. (2015). Enterprise risk management (Vol. 3). World Scientific Publishing Co Inc.
Pritchard, C. L., & PMP, P. R. (2014). Risk management: concepts and guidance. CRC Press.
Rainer Jr, R. K., Snyder, C. A., & Carr, H. H. (1991). Risk analysis for information technology. Journal of Management Information Systems, 8(1), 129-147.
Schwalbe, K. (2015). Information technology project management. Cengage Learning.
Talet, A. N., Mat-Zin, R., & Houari, M. (2014). Risk management and information technology projects. International Journal of Digital Information and Wireless Communications (IJDIWC), 4(1), 1-9.
Torij, H. W., Venekamp, A. A., de deGroot, N., & Bonsel, G. J. (2016). Vulnerable pregnant women in antenatal practice: caregiver's perception of workload, associated burden and agreement with objective caseload, and the influence of a structured organization of antenatal risk management.
Van De Walle, B., Turoff, M., & Hiltz, S. R. (2014). Information systems for emergency management. Routledge.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & Security, 44, 1-15.
Willcocks, L. (2013). Information management: the evaluation of information systems investments. Springer.