Essay: Risk Assessment procedures and cybersecurity in business

Essay details:

  • Subject area(s): Business essays, Information technology essays
  • Published: 4 September 2022*
  • Last Modified: 30 July 2024


Assessment, mitigation and contingency

The objectives of a risk assessment are to assess the risks, to separate the minor, acceptable risks from the major, unacceptable ones, and then to act accordingly by comparing each risk level to a pre-determined set of standards of acceptability.

There are a number of ways to assess risks, involving quantitative, qualitative or semi-quantitative evaluation. Whatever approach is adopted, the likelihood and consequences of each risk event are determined, and the combination of these two evaluations provides the risk level.

It is common to undertake a first-pass review of all risks, before considering existing controls and other risk treatments, in order to remove inconsequential and minor risks from further detailed deliberation.

In analysing identified risk events, you should consider whether each event could interrupt the normal course of business operations and formulate a mitigation plan for each risk. Events which have a direct, damaging effect on an organisation’s resources, such as fire, power supply failure and fraud, should be considered to have serious business interruption consequences.

Risk criteria are the reference points against which the significance of a risk is evaluated and measured.

The criteria result from the business’s:

  • Culture and industry
  • External and internal context
  • Applicable laws
  • Standards and ethics
  • Any other requirements

In general, risk criteria should include a risk scoring system comprising risk factors, defined scales of risk levels and a risk matrix, so that the business can measure risks for the purpose of ranking them and making well-informed business decisions.

Assessing risks

To assess a risk, you must evaluate these three characteristics:

1. The likelihood of an event happening

2. The impact of an event

3. The severity of an event

Once you have identified the risks, you are then able to assess each one on how likely it is to happen, the impact it will have, and the severity of the risk to the business.

Risks that are unlikely or not serious need not worry you. But if a risk is both likely and serious, you might need to consider having mitigation plans and contingency action plans in place.

Adopting these plans will ensure that there are measures in place that will address the risks and reduce the likelihood or seriousness of the risk.

Risk Register

A risk register is one well accepted method of documenting the risk assessment and its results.

Scale: High – 5, Low – 1

ID  Description                                   Likelihood  Impact  Severity  Mitigation  Contingency plan
R1  Relying on external vendor
R2  High turnover of staff
R3  Need staff training to bring users up to date
R4  Licence agreement or copyright issues
R5  Getting feedback from testers on time
R6  3 prototypes in development stretching resources

A matrix helps visualize and communicate risk levels to decision makers by providing a means for categorizing combinations of likelihood and severity and their risk levels.

They are used as a screening tool when there are many risks to evaluate.
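To show how the register, the 1 to 5 scale and the matrix described above fit together, here is an added example that is not part of the essay: a small Python risk register that scores each entry for likelihood and impact, combines the two into a risk level, maps that level to a matrix band and applies the first-pass screen against an acceptability threshold. The scores, band thresholds and mitigation text are constructed for illustration.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the essay's scale: Low = 1, High = 5


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    mitigation: str = ""   # register columns the essay leaves blank
    contingency: str = ""

    def __post_init__(self):
        # Reject scores outside the defined scale so the matrix stays meaningful.
        for name in ("likelihood", "impact"):
            v = getattr(self, name)
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {v}")

    @property
    def severity(self) -> int:
        # Risk level = likelihood x impact (1..25): the essay's "combination".
        return self.likelihood * self.impact


def risk_band(severity: int) -> str:
    """Risk matrix: map a 1-25 score to a band (band thresholds are assumptions)."""
    if severity >= 15:
        return "High"
    if severity >= 8:
        return "Medium"
    return "Low"


def first_pass(register: list, acceptable_below: int = 8) -> tuple:
    """Screen against a pre-set acceptability threshold: (accepted, to_treat ranked)."""
    accepted = [r for r in register if r.severity < acceptable_below]
    treat = sorted((r for r in register if r.severity >= acceptable_below),
                   key=lambda r: r.severity, reverse=True)
    return accepted, treat


# Constructed likelihood/impact scores for the essay's register entries R1-R6.
REGISTER = [
    Risk("R1", "Relying on external vendor", 3, 4, "Second vendor", "Switch vendor"),
    Risk("R2", "High turnover of staff", 4, 3, "Retention plan", "Contract cover"),
    Risk("R3", "Staff training to bring users up to date", 5, 2, "Schedule training"),
    Risk("R4", "Licence agreement or copyright issues", 2, 5, "Legal review"),
    Risk("R5", "Getting feedback from testers on time", 3, 2),
    Risk("R6", "Three prototypes stretching resources", 4, 4, "Stagger prototypes"),
]

if __name__ == "__main__":
    for r in first_pass(REGISTER)[1]:
        print(f"{r.risk_id} {r.severity:2d} {risk_band(r.severity):6s} {r.description}")
```

Entries whose level falls below the threshold (here only R5) are accepted and dropped from further deliberation, exactly the first-pass step the essay describes; the rest are ranked for treatment.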

The impacts to organisational security resulting from an IT security audit.

Regularly undertaking security audits helps businesses keep their compliance programmes and accreditation up to date and pointing in the right direction.

These assessments are not only vital, but also very effective for identifying and fixing issues within your company’s policies and procedures.

Furthermore, by regularly reviewing your policies, procedures and standards to identify weaknesses in IT security, you can better prepare your business against potential threats or risks. An IT security audit can prevent active and passive attacks, reduce the impact of these attacks, and protect against the following:

  • Financial loss
  • Damage to reputation
  • Compromised data reputation
  • Damage to customer confidence
  • Damage to investor confidence
  • Legal consequences
  • Interruptions in business operations

Potential impacts on the business and their likelihoods.

You should determine the likelihood of each threat or risk and the potential impact it could have on your business. You can do this by studying the number of realised attacks and the degree of impact each attack has had. By tracking how often each kind of threat occurs, and its impact, you can then focus your resources accordingly.

Review threats, vulnerabilities, likelihoods and impacts to identify business risk.

As with any threat, you need to determine the level of risk to your business. To do this, you must review all threats and vulnerabilities, the likelihood of each, and the impact it would have. You need to design and implement a strategy and process to prepare your business against the risks that could impede your business’s success. Each of these aspects is an important part of your security audits and risk assessments.

Organisational changes

Organisational change is both the process by which a business changes its structure, strategies, operational methods, technologies or business culture to effect change within the business, and the effects of these changes on the business. Implementing the right amount of security safeguards to protect business operations may include retraining staff, updating outdated security procedures and policies, or even applying for accreditation.

These changes might identify areas to which you need to allocate additional resources, such as:

Staff training

Retraining staff on all the new policies and procedures can be a costly endeavour; take for example the new GDPR laws coming into effect. Businesses will have to retrain all staff to ensure adherence to these new laws and ensure compliance throughout all operations.

Policies and Procedures

GDPR

Internal security on computers

Additional security

Physical security ensures that only authorised personnel have physical access to the business’s systems. Not having the appropriate preventative physical security measures in place can lead to the unauthorised use of a system, so preventative measures must be put in place; you should look at factors such as:

  • Locked communication rooms.
  • Perimeter defences – CCTV, Fences, Locks and alarm systems.
  • Access control/ swipe cards
  • Mantrap
  • Biometrics

Additional monitoring

Implement auditing. For example, it’s a good idea to disable guest accounts on dedicated Windows servers and to ensure there is an audit policy in place for both successful and unsuccessful logins.

Don’t run IIS (Internet Information Services) on Windows DCs (domain controllers), and DNS (Domain Name System) servers should not be running services other than DNS either.

A security audit is not the be-all and end-all, as it may not always identify every issue. But a good rule of thumb is to disable all unused services, or to research a secure solution that addresses the risk.

Data backup and encryption

A data backup and recovery plan will ensure that business data is protected from data loss in the event of a security incident that affects the integrity of the business’s data.

Having a data backup and recovery plan in place that is regularly tested will support the recovery of data in the event of data loss or malicious activity, and will help remediate any effect caused in a data disaster situation.

Any data being sent over the network can be intercepted and altered. Encryption is a method of transforming the original numbers and characters so that they are hidden or disguised from anyone who intercepts them. This method should be used, and is important, if you are sending sensitive information over a network.

How data protection regulations and risk management standards apply to IT security.

Data protection regulations and risk management standards are valuable tools for businesses: they regulate the execution of and compliance with standard requirements, prioritise action, raise awareness about risks, and identify appropriate mitigation and contingency measures.

Data Protection Act

The Data Protection Act says that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In essence this means you must have appropriate security measures in place to prevent personal data you hold being accidentally or deliberately compromised. In particular, for IT security you will need to:

  • Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security attack
  • Be clear about who in your organisation is responsible for ensuring information security
  • Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
  • Be able to respond to any breach of security quickly and effectively.

Computer Misuse Act

GDPR

One of the key principles of the GDPR, in article 30, is that you process personal data securely by means of ‘appropriate technical and organisational measures, to ensure a level of security appropriate to the risk’; this is the security principle.

Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical security measures.

You will have to take into account additional requirements about the security of your data processing to protect the company, and these also apply to data processors.

  1. Where appropriate, you should consider the use of measures such as pseudonymisation and encryption of personal data.
  2. Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  3. The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  4. You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.

http://www.haerting.de/sites/default/files/pdfs/proposal-eudatap-regulation-final-compromise-151216.pdf

The new GDPR regulations are designed to ensure that you process personal data securely. This is not a new data protection obligation. It replaces and reflects the previous requirement to have ‘appropriate technical and organisational measures’ under the Data Protection Act 1998.

GDPR provides more specifics about what you have to do about the security of your processing, and about how you should assess your information risk and put appropriate security measures in place. Under GDPR, these measures are now a legal requirement.

What technical measures do we need to consider?

Technical security measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT security.

When considering physical security, you should look at factors such as:

  • the quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV;
  • how you control access to your premises, and how visitors are supervised;
  • how you dispose of any paper and electronic waste; and
  • how you keep IT equipment, particularly mobile devices, secure.

In the IT security context, technical measures may sometimes be referred to as ‘cybersecurity’. This is a complex technical area that is constantly evolving, with new threats and vulnerabilities always emerging. It may therefore be sensible to assume that your systems are vulnerable and take steps to protect them.

When considering cybersecurity, you should look at issues such as:

  • System security – the security of your network and information systems, including those which process personal data;
  • Data security – the security of the data you hold within your systems, ensuring appropriate access controls are in place and that data is held securely
  • Online security – the security of your website and any other online service or application that you use
  • Device security – including policies on Bring-your-own-Device (BYOD) if you offer it.

Depending on the sophistication of your systems, your usage requirements and the technical expertise of your staff, you may need to obtain specialist information security advice that goes beyond the scope of this guidance. However, it’s also the case that you may not need a great deal of time and resources to secure your systems and the personal data they process.

Whatever you do, you should remember the following:

  • your cybersecurity measures need to be appropriate to the size and use of your network and information systems;
  • you should take into account the state of technological development, but you are also able to consider the costs of implementation;
  • your security must be appropriate to your business practices. For example, if you offer staff the ability to work from home, you need to put measures in place to ensure that this does not compromise your security
  • your measures must be appropriate to the nature of the personal data you hold and the harm that might result from any compromise.

A good starting point is to make sure that you’re in line with the requirements of a good risk management framework that includes technical controls you can put in place to protect your business.

ISO31000 Risk management framework

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.

The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

Organisational Policies & IT security.

Describe policies, procedures, standards

Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment.

It’s the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. Yet most companies don’t make a habit of performing regular security audits, if they perform them at all.

The complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in businesses.

The responsibilities of employees and stakeholders in relation to security, emphasising the role stakeholders play in implementing security audit recommendations.

Employers

Employees

  • https://it.toolbox.com/blogs/craigborysowich/risk-management-process-detail-part-2-121515
  • https://it.toolbox.com/blogs/kevinbeaver/every-organization-has-security-challenges-especially-on-the-inside-020718
  • https://downloads.cisecurity.org/?bypassToken=gd3h2vSw04shem7NXVJiw8iBOrcCEIVt#/

List the five main components of a disaster recovery plan

Identify what matters

The amount of tech at your disposal might be extremely varied. Tablets, phones, computers and special industry gear can all be hacked and tampered with. You’ll have to identify what is most at risk, what contains the most data, how you will protect each item, and where money should be spent to do so. Prioritising data storage systems will bolster the general strength of your DRP.

Business Continuity Management

The most successful DRPs are proactive, rather than reactive. Business Continuity Management (BCM) tools give you a real-time report of your resources and overarching view of your system, and the strengths and weaknesses within it. Developing this sort of ‘situational awareness’ will alert you of impending disasters, to ensure that you avoid downtime in your business.

Keep it up-to-date

As your business evolves, so will the technology within it. To ensure that your DRP continues to remain relevant, it’s vital to review and update your plan on a regular basis. Understanding the ins and outs of your technology will mean the DRP is adaptable and up-to-date, whilst taking advantage of the latest anti-virus, cloud storage and BCM tools at your disposal.

Communication

No matter how many employees you have, maintaining communication is extremely useful for building a network of trust in your business. Making sure you can contact one another, no matter where you are, ensures that a disaster can be dealt with as soon as it occurs. Employees and remote workers should also know the stages of the DRP for procedural purposes, to ensure that everyone is singing from the same hymn sheet.

Test the plan

No plan is complete without an acknowledgement of its potential for failure. The only way to refine your DRP is to test it out. If you set yourself a timeframe or target for resolving the problem, and undergo regular trials, you’ll be leaps ahead in having the right response if and when something does go wrong.

Unfortunate things happen to great business ventures all the time, so it doesn’t pay to scrimp on your DRP. Identifying the need for a plan within your business, however small it may be, is the first step to protecting yourself from disaster.

Essay Sauce, Risk Assessment procedures and cybersecurity in business. Available from:<https://www.essaysauce.com/business-essays/risk-assessment-procedures-in-business/> [Accessed 09-04-26].

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.