Tuesday, May 5, 2020
IT Risk Assessment Of Aztek Australian Finance Industry - Samples
Question: Discuss the IT risk assessment of Aztek, a company in the Australian finance industry.

Answer:

Introduction

In today's technology landscape cloud computing plays a central role in the shift to digital business. Technologies such as Big Data and cloud computing improve organisational performance by making operational activities more efficient. The aim of this report is to assist Aztek with the threats and risks that adopting cloud computing within the organisation could raise. Aztek is a financial company; most finance companies are adopting cloud computing, but many still lag behind. Cloud adoption could change the way files are transferred and managed at lower cost, and help Aztek improve the quality of its services with little time and investment.

Cloud computing can be defined as a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service-provider interaction (Erl, Cope & Naserpour, 2015). The model promotes availability and comprises five essential characteristics, three delivery (service) models and four deployment models (Bansal & Sharma, 2015). It provides the flexibility to scale resources up or down through pooled, multi-tenant computing resources that are metered and billed according to the organisation's usage. The three delivery models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Typical vendors for each are Google Docs and salesforce.com for SaaS, Microsoft Azure and Google App Engine for PaaS, and Amazon EC2, Rackspace and NYSE Euronext CMCP for IaaS (Sreeramaneni, Seo & Chan, 2017). These services can be deployed through four models:

Public cloud: offered to, and available for, everyone over the internet.
Private cloud: available only to the trusted users of one organisation; managed either by a cloud provider or by the organisation itself.
Community cloud: accessible to the members of a wider community made up of more than one organisation or firm.
Hybrid cloud: a mix of private and public cloud that mitigates the challenges of each individual deployment.

Aztek should deploy the hybrid model so that sensitive data and information stay protected in the private part while the public part provides the remaining services (Rani & Ranjan, 2014). This lets the organisation use all the services while minimising data-security risk.

The following report emphasises regulation and compliance of the agreements and services offered by the cloud service provider alongside the existing policies of the organisation. It also identifies Australian laws and policies that should be considered when implementing cloud computing. All responsibilities for the security of the information being moved to the cloud should be made clear between the service provider and the service consumer. The security posture of Aztek's IT infrastructure is also examined, and the six Ps of information security management are proposed for managing information security. Finally, the report presents a risk assessment of the threats, vulnerabilities and issues raised by this change.
Aztek should consider the following risk assessment before and after implementing cloud computing within the organisation.

Industry Regulation or Compliance

Cloud computing, or hosting cloud applications for the operational activities of a finance company, is a new delivery and sourcing model that raises many legal issues. The legal challenges of implementing this technology in the existing system of the firm include:

1. Legal compliance: whether the services and protection provided by the third party are compatible with the existing policies of the organisation. This is the first and highest-priority challenge.
2. Service Level Agreements (SLAs) and service-level performance, which again must align with the existing policies of the firm (Gangwar & Date, 2016).
3. Cross-border issues, which arise when the cloud provider's main database systems or IT infrastructure are located in another country and the consumer uses those services from outside that country.
4. Data protection, usage and rights, one of the most important aspects for any organisation, including financial companies, that uses cloud services (Srinivasan, 2014).
5. Transition and lock-in: once an organisation is connected to a service provider it often becomes very hard and expensive to leave and move to another provider.
For Australian finance companies the specific laws relevant to cyberspace and cloud computing include:

- Copyright Amendment (Digital Agenda) Act 2000 (Cth) (intellectual property)
- Archives Act and FOI Act
- Spam Act 2003
- Privacy Act 1988
- Privacy Amendment (Private Sector) Act 2000 (Cth)
- Electronic Transactions Acts (Selvadurai, 2013)
- Telecommunications (Interception) Act 1979 (Cth)
- Cybercrime Act 2001 (Cth)

Policy should be based on the impact and consequences for stakeholders. Internal stakeholders such as Aztek's managers, staff, board and executives should go thoroughly through the agreement made with the service provider and the relevant government policies (Almorsy, Grundy & Müller, 2016). This will in turn affect external stakeholders such as government agencies, financiers, suppliers and others.

Security Posture

Implementing cloud computing into the existing system and using cloud-hosted applications can create security issues for the information and data transferred to the cloud. Information about operational activities and sensitive information about employees and transactions will migrate to the cloud. Data breaches and other malicious attacks could compromise this data, and priority should be given to mitigating such issues (Rittinghouse & Ransome, 2016). These security issues can be managed by applying the principles of information security management, summarised as the six Ps:

Planning: the first and most important step in information security management. It involves designing, creating and implementing the strategies that support the information security strategy.
Information security planning takes several forms: business continuity planning, incident response planning, policy planning, security program planning, disaster recovery planning, technology rollout planning, personnel planning and risk management planning (Chandra, Challa & Hussain, 2014).

Policy: Aztek needs a defined set of guidelines that govern behaviour within the organisation after data is migrated to the cloud and cloud applications are hosted. Recommended policies for cloud adoption fall into three categories: the Enterprise Information Security Policy (EISP), Issue-Specific Security Policies (ISSPs) and System-Specific Policies (SysSPs). Putting these policies in place before or after adopting cloud computing will strengthen information security (Rivera et al., 2015).

Programs: the operations involved in information security management should be part of the culture of the organisation and managed as distinct programs. Programs such as SETA (Security Education, Training and Awareness) should be among the primary activities of the management system, together with physical security programs. This helps protect personal credentials and the devices that connect to the cloud (Aikat et al., 2017).

Protection: a broad area in the implementation of cloud computing at Aztek, covering risk assessment of the identified threats and issues, the tools and controls that reduce them, and the technologies and protection mechanisms that apply. These mechanisms help achieve the best attainable security for data and information (Haimes et al., 2015).
People: the stakeholders, internal, external and the cloud service provider, are the most critical link in information security management for cloud adoption. The roles and responsibilities of each individual within the organisation should be recognised, and everyone should be motivated toward better information security management. This covers both security personnel and the security of personnel, including the SETA program.

Project Management: this includes identifying and controlling the resources applied to the project, such as new infrastructure or additional systems on the premises for cloud adoption, continuously monitoring progress and motivating employees toward the organisation's targets. Cloud adoption is not a single project but a process in which each element should be managed as a project (Rao et al., 2016): a chain or series of projects.

Operational Categories

The security of information during the move to the cloud also depends on how the technology is implemented. Controls are commonly classified into three categories:

Management controls: management (or administrative) security controls use assessment methods, based on the earlier planning, to manage and reduce data-security risk. The most common management controls are: first, risk assessment, which supports quantitative and qualitative analysis of the risks of cloud adoption and produces output for managing the serious risks.
Quantitative risk assessment expresses the cost and asset values of implementing cloud computing, and the risks to them, in monetary terms (McCrie, 2015); qualitative risk assessment rates the impact and probability of the risks identified. Second is vulnerability assessment, which attempts to discover current weaknesses; Aztek can then implement additional controls to reduce the risk from those vulnerabilities. Third is penetration testing, which goes one step further than vulnerability assessment by attempting to exploit the vulnerabilities that cloud storage may introduce (Layton, 2016). For example, a vulnerability assessment will discover that a server is not up to date, whereas a penetration test will attempt to compromise the server by exploiting one or more of its unpatched vulnerabilities.

Operational controls: these ensure that the operational activities performed using Aztek's cloud comply with the overall security plan. Operational controls carried out by individuals include: first, awareness and training, which helps maintain information security and reduce threats by teaching staff about password security, malware, phishing and more; second, configuration and change management, which ensures that systems are properly configured (Rhodes-Ousley, 2013); third, contingency planning, which ensures that planning and execution stay on track.

Technical controls: these protect data and systems from breach by intruders or unauthorised use.
They include proper encryption of systems, which protects confidential and sensitive information. Antivirus, anti-malware, intrusion detection systems (IDSs), up-to-date firewalls and least privilege are the recommended controls in this category (Peppard & Ward, 2016).

Threats, Vulnerabilities and Consequences Assessment

The following list of threats, vulnerabilities and consequences, with the probability, impact and priority of each, feeds the risk severity matrix below and supports decision-making by the stakeholders. Levels are VL (very low), L (low), M (medium), H (high) and VH (very high).

No. | Risk | Explanation | Probability | Impact | Priority
1 | Supply chain failure | The cloud provider sometimes relies on servers hired from another provider. | L | M | M
2 | Interface compromise | The customer-management interfaces of public cloud providers are reachable over the internet and mediate access to large pools of resources (Albakri et al., 2014). | M | VH | H
3 | Conflicts in the cloud environment | The provider fails to deliver the offered services and solutions. | M | M | M
4 | Lock-in | The customer is stuck with a single provider because moving to another would cost far more than estimated (Theoharidou, Tsalis & Gritzalis, 2013). | H | M | H
5 | Intellectual property issues | Inadequate infrastructure and risks to data and information. | L | M | M
6 | Social engineering (phishing) | Users are manipulated by mail or messaging into revealing credentials or running malicious content, compromising the information stored in the system (Theoharidou et al., 2013). | M | H | M
7 | Malicious insider (cloud provider) | Typically caused by legitimate staff holding credentials. | H | VH | H
8 | Insecure or ineffective deletion of data | Data is generally not deleted completely from the cloud. | H | VH | H
9 | Loss of governance | Complete dependence on the provider for the organisation's own data and information. | VH | VH | VH
10 | Technical risks | Failure to meet infrastructure requirements. | M | M | M
11 | Interception of data in transit | An intruder on the path could intercept the exchange of information during transfer (Carlson, 2014). | M | H | M
12 | Isolation failure | Failure of the mechanisms that separate tenants' storage, memory and routing in a shared, multi-tenant environment. | H | H | M
13 | DDoS (Distributed Denial of Service) | A network attack in which many requests arrive at the same moment from different sources (Latif et al., 2014). | M | H | M
14 | Loss of cryptographic keys | Losing the decryption key is equivalent to losing the data, since the files can no longer be recovered. | L | H | M
15 | Service engine compromise | Compromise of a core component would be very serious but is generally very unlikely (Craig & Shackelford, 2013). | L | VH | H
16 | EDoS (Economic Denial of Service) | An attacker drives up the metered usage of the pay-per-use service so that the bill exceeds the budget and the organisation can no longer afford the full service. | L | H | M
17 | Cloud-specific network attacks or failures | Loss of internet connectivity or failure to establish a proper network disrupts uploads and downloads by the consumer or the provider; natural calamities and low-bandwidth networks are the main causes. | M | M | M
18 | Natural disasters | Earthquakes, floods, tsunamis and the like can damage the provider's infrastructure and therefore affect customers, since providers are usually located far away. | VL | H | M
19 | Data protection | Legislation and policies in another country can create issues for the security of data stored in the cloud there, and the data protection authority of a different government cannot be relied on (Djemame et al., 2016). | H | H | H
20 | Changing jurisdictions | Many providers operate from outside the country, and a change in jurisdiction might lead to data being seized. | H | H | H
21 | Loss of backups | Any of the above threats can lead to loss of data, and information is power for any organisation; proper backup storage is needed for when data is lost through accident or intrusion. | L | H | M

Risk Severity Matrix (rows: probability; columns: impact)

Probability | VL | L | M | H | VH
Very High | | | | | Risk 9
High | | | Risk 4 | Risk 12, Risk 19, Risk 20 | Risk 7, Risk 8
Medium | | | Risk 3, Risk 10, Risk 17 | Risk 6, Risk 11, Risk 13 | Risk 2
Low | | | Risk 1, Risk 5 | Risk 14, Risk 16, Risk 21 | Risk 15
Very Low | | | | Risk 18 |

Data Security Issues

Cloud computing security can be seen from two perspectives, the user's and the cloud service provider's. The provider should ensure that the servers it uses are well maintained and secured against external threats and breaches, leaving no opening for an unauthorised user to enter and control the server. The provider should also have a backup plan for when a breach, data theft or data loss occurs through some unwanted event (Hashem et al., 2015). Identity theft is also a risk: every user is given unique credentials, and an unauthorised person who has stolen an individual's identity can gain access to the network and alter data for personal use (Hashizume et al., 2013). Cloud security issues can be divided into three groups: infected applications, data issues and privacy issues. Because cloud services give access to data from anywhere with an internet connection, they also expose the data to breaches.
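The risk register and severity matrix above were filled in by hand. As an added example, not part of the original report, the following Go program holds the same 21 rows as data, derives a priority from probability and impact with a scoring rule that is an assumption of this example (the report states no rule), rebuilds the severity matrix from the rows, and flags the rows whose stated priority does not follow the rule, so the table and the matrix can be reconciled before the stakeholders rely on them. Type and function names (Level, Risk, Priority, Inconsistent, Matrix) are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is one step of the five-point scale used for probability, impact and
// priority in the register above.
type Level int

const (
	VL Level = iota + 1 // very low
	L                   // low
	M                   // medium
	H                   // high
	VH                  // very high
)

var levelNames = [...]string{"?", "VL", "L", "M", "H", "VH"}

func (l Level) String() string { return levelNames[l] }

// Risk is one row of the register; Stated is the priority the report gives.
type Risk struct {
	ID                          int
	Name                        string
	Probability, Impact, Stated Level
}

// Priority maps the product of the two ordinal levels (1..25) back onto the
// five-point scale. The bands are an assumption of this example: VH only when
// both factors are very high, H from 15 upward, M from 6, L from 3, VL below.
func Priority(p, i Level) Level {
	switch s := int(p) * int(i); {
	case s >= 25:
		return VH
	case s >= 15:
		return H
	case s >= 6:
		return M
	case s >= 3:
		return L
	}
	return VL
}

// Inconsistent returns, ascending, the IDs of rows whose stated priority
// differs from the one the rule derives.
func Inconsistent(rs []Risk) []int {
	var ids []int
	for _, r := range rs {
		if Priority(r.Probability, r.Impact) != r.Stated {
			ids = append(ids, r.ID)
		}
	}
	sort.Ints(ids)
	return ids
}

// Matrix groups row IDs by (probability, impact) cell: the severity matrix
// built from the register instead of by hand.
func Matrix(rs []Risk) map[Level]map[Level][]int {
	m := map[Level]map[Level][]int{}
	for _, r := range rs {
		if m[r.Probability] == nil {
			m[r.Probability] = map[Level][]int{}
		}
		m[r.Probability][r.Impact] = append(m[r.Probability][r.Impact], r.ID)
	}
	return m
}

// Register transcribes the 21 rows of the table above (constructed input).
var Register = []Risk{
	{1, "Supply chain failure", L, M, M}, {2, "Interface compromise", M, VH, H},
	{3, "Conflicts in the cloud environment", M, M, M}, {4, "Lock-in", H, M, H},
	{5, "Intellectual property issues", L, M, M}, {6, "Social engineering", M, H, M},
	{7, "Malicious insider (provider)", H, VH, H}, {8, "Ineffective deletion", H, VH, H},
	{9, "Loss of governance", VH, VH, VH}, {10, "Technical risks", M, M, M},
	{11, "Interception in transit", M, H, M}, {12, "Isolation failure", H, H, M},
	{13, "DDoS", M, H, M}, {14, "Loss of cryptographic keys", L, H, M},
	{15, "Service engine compromise", L, VH, H}, {16, "EDoS", L, H, M},
	{17, "Cloud-specific network failures", M, M, M}, {18, "Natural disasters", VL, H, M},
	{19, "Data protection", H, H, H}, {20, "Changing jurisdictions", H, H, H},
	{21, "Loss of backups", L, H, M},
}

func main() {
	m := Matrix(Register)
	for p := VH; p >= VL; p-- { // rows: probability, VH at the top
		fmt.Printf("%-3s", p)
		for i := VL; i <= VH; i++ { // columns: impact, VL to VH
			fmt.Printf(" %-14v", m[p][i])
		}
		fmt.Println()
	}
	for _, id := range Inconsistent(Register) {
		r := Register[id-1]
		fmt.Printf("Risk %d (%s): stated %s, rule gives %s\n",
			r.ID, r.Name, r.Stated, Priority(r.Probability, r.Impact))
	}
}
```

Run as written, the rebuilt matrix matches the report's grid cell for cell, and the consistency check reports Risks 4, 12, 15 and 18: under this rule Risk 12 (H/H) should sit with Risks 19 and 20 at H, while Risk 4 (H/M), Risk 15 (L/VH) and Risk 18 (VL/H) are rated one step higher than the rule gives. Whatever rule Aztek adopts, the point is that it be written down and applied mechanically rather than cell by cell.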
Since the data is stored and reached over the internet, it is vulnerable to attacks that cause problems for both provider and consumer: data can be exposed, manipulated or even lost through intrusion into the server. Recent cyber-attacks have caused serious damage globally, and data stored in the cloud is particularly exposed (Stojmenovic & Wen, 2014), because an intruder who compromises the provider's servers can affect several organisations at once. Privacy issues follow, since the data and information stored in the cloud contain very sensitive personal information about employees, and such data can be exposed. Organisations engage a third party to maintain the cloud service and the data for their day-to-day operations, and in many cases the cloud provider itself engages a further third party for the distribution of servers (Modi et al., 2013). The result is fourth-party involvement, and the organisation never knows how seriously that party takes security policy. This also raises the concern of server breaches that could seriously harm data security. Data loss is the most common security issue in adopting cloud computing from a third party: the organisation becomes completely dependent on that party after handing over all its informational assets, and no one knows when the provider might shut down its services. Natural events such as earthquakes and tsunamis can also cause data loss or corruption by damaging the IT infrastructure of the customer or the provider (Rewagad & Pawar, 2013). Lightning strikes on Amazon and Google data centres are recent examples in which some stored data was permanently lost.
This shows that the physical location of storage is crucial to keeping data safe from loss. The involvement of a third party in managing the data and information also leaves the organisation with only an opaque picture of how the information is protected and where it is kept. The provider serves more than one organisation and may provide cloud services to Aztek's competitors, raising the possibility that data is shared with a competitor, which is a very serious issue in every respect (Inukollu, Arsi & Ravuri, 2014). It is the provider's responsibility to maintain the privacy of the data, and there should be no chance of information being exchanged between one customer and any other user.

Solutions to the Data Security Issues

Proper research about the service provider: the organisation's executives should first thoroughly investigate the provider's background: whether it honours its agreements, and whether the vendor is experienced, well established, regulated and compliant with the standards the organisation needs.

Cross-checking the agreement and Service Level Agreements (SLAs): before signing, the services offered by the provider should be checked for compliance with the organisation's existing policies and regulations (Arora, Parashar & Transforming, 2013).

Data backups: a precaution that both the consumer and the provider should take against data loss from unwanted events or activities such as natural calamities or terrorist attacks (Ahmed & Hossain, 2014).
IT infrastructure of Aztek: Aztek must have proper, modern infrastructure that allows the configuration and installation of the hardware and software components offered by the cloud service provider, including routers, proxy servers, servers and firewalls, together with the infrastructure needed to prevent cyber-attacks and intrusions (Hashem et al., 2015).

Data encryption: again a precaution that both customer and provider should emphasise. Encrypting data before uploading a file to the cloud protects the file even if an intrusion or data breach occurs on the provider's or the organisation's servers. The decryption key must be held only by Aztek, so that the ciphertext alone is useless to whoever obtains it (Almorsy, Grundy & Müller, 2016). The IT management team should define an efficient key-management strategy and decide which data must be encrypted and where encryption is not needed.

Data flow charting: decision-making improves when a flow chart of the data flow is prepared. The data should be analysed thoroughly, with a proper investigation of where it is stored, where it is transferred, and so on (Rao & Selvamani, 2015).

Cloud computing security: cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security and, more broadly, information security (Zhao, Li & Liu, 2014). It refers to a broad set of policies, technologies and controls deployed to protect the data, applications and associated infrastructure of cloud computing.

Conclusion

Based on the above report it can be concluded that Aztek can improve many of its operational activities, including computing, data storage and data transfer management.
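Before closing, a worked illustration of the data-encryption and key-management measure recommended in the solutions above. This is an added example, not code from the original report: the Go program below encrypts each object client-side with its own data key under AES-GCM, wraps that data key under a key-encryption key (KEK) that only Aztek holds, and binds both to the object's identifier so a wrapped key cannot be moved onto another object. It also shows two consequences listed in the risk register: a wrong or lost KEK makes the data unrecoverable (Risk 14), and destroying the wrapped key is how deletion can be made effective against copies the provider still retains (Risk 8). The names Object, Encrypt, Decrypt and Shred, and the sample object identifier, are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Object is what is uploaded to the provider: ciphertext, nonces, and the
// per-object data key wrapped under the customer-held KEK. The KEK itself never
// leaves Aztek. (Type and field names are this example's own.)
type Object struct {
	Nonce      []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedKey []byte // nil once the object has been crypto-shredded
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt generates a 256-bit data key for this object, encrypts the plaintext
// with it, then wraps the data key under the KEK. The object ID is bound as
// associated data to both layers.
func Encrypt(kek, plaintext []byte, id string) (*Object, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wn, wk, err := seal(kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &Object{Nonce: nonce, Ciphertext: ct, WrapNonce: wn, WrappedKey: wk}, nil
}

// Decrypt unwraps the data key with the KEK, then opens the ciphertext. A wrong
// or lost KEK fails at the first step (Risk 14); a shredded object fails before
// any cryptography is attempted (Risk 8).
func Decrypt(kek []byte, obj *Object, id string) ([]byte, error) {
	if obj.WrappedKey == nil {
		return nil, errors.New("object was crypto-shredded: data key destroyed")
	}
	dek, err := unseal(kek, obj.WrapNonce, obj.WrappedKey, []byte(id))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dek, obj.Nonce, obj.Ciphertext, []byte(id))
}

// Shred makes deletion effective: zero and drop the wrapped data key, so every
// residual copy of the ciphertext the provider still holds is unrecoverable.
func Shred(obj *Object) {
	for i := range obj.WrappedKey {
		obj.WrappedKey[i] = 0
	}
	obj.WrappedKey = nil
}

func main() {
	kek := make([]byte, 32) // in practice kept in Aztek's key vault or HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, []byte("constructed sample: ledger 2020-05"), "ledger/2020-05")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj, "ledger/2020-05")
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	Shred(obj)
	_, err = Decrypt(kek, obj, "ledger/2020-05")
	fmt.Println("after shred:", err)
}
```

The split into a data key per object and one KEK is what the "efficient key strategy" in the text amounts to in practice: rotating or revoking the KEK re-wraps small keys rather than re-encrypting every file, the provider only ever stores wrapped keys, and the backup of the KEK (not of the ciphertext) is what decides whether Risk 14 is survivable.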
Cloud computing is a leading technology in the IT sector and is spreading rapidly. Implementing it in Aztek's systems could improve the organisation's performance, efficiency and accuracy. It also reduces maintenance effort and cost, because the third party becomes responsible for maintenance and for securing the information and data that the customer shares with it. Despite these benefits, however, adopting it brings the threats and issues described above, and the accompanying risk assessment should improve the executives' decision-making and the organisation's data security.

References

Ahmed, M., & Hossain, M. A. (2014). Cloud computing and security issues in the cloud. International Journal of Network Security & Its Applications, 6(1), 25.
Aikat, J., Akella, A., Chase, J. S., Juels, A., Reiter, M. K., Ristenpart, T., ... & Swift, M. (2017). Rethinking security in the era of cloud computing. IEEE Security & Privacy, 15(3), 60-69.
Albakri, S. H., Shanmugam, B., Samy, G. N., Idris, N. B., & Ahmed, A. (2014). Security risk assessment framework for cloud computing environments. Security and Communication Networks, 7(11), 2114-2124.
Almorsy, M., Grundy, J., & Müller, I. (2016). An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Arora, R., Parashar, A., & Transforming, C. C. I. (2013). Secure user data in cloud computing using encryption algorithms. International Journal of Engineering Research and Applications, 3(4), 1922-1926.
Carlson, F. R. (2014). Security analysis of cloud computing. arXiv preprint arXiv:1404.6849.
Craig, A. N., & Shackelford, S. J. (2013). Hacking the planet, the Dalai Lama, and you: managing technical vulnerabilities in the Internet through polycentric governance. Fordham Intellectual Property, Media & Entertainment Law Journal, 24, 381.
Djemame, K., Armstrong, D., Guitart, J., & Macias, M. (2016). A risk assessment framework for cloud computing. IEEE Transactions on Cloud Computing, 4(3), 265-278.
Erl, T., Cope, R., & Naserpour, A. (2015). Cloud computing design patterns. Prentice Hall Press.
Gangwar, H., & Date, H. (2016). Critical factors of cloud computing adoption in organizations: an empirical study. Global Business Review, 17(4), 886-904.
Hashem, I. A. T., Yaqoob, I., Anuar, N. B., Mokhtar, S., Gani, A., & Khan, S. U. (2015). The rise of big data on cloud computing: review and open research issues. Information Systems, 47, 98-115.
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), 5.
Inukollu, V. N., Arsi, S., & Ravuri, S. R. (2014). Security issues associated with big data in cloud computing. International Journal of Network Security & Its Applications, 6(3), 45.
Latif, R., Abbas, H., Assar, S., & Ali, Q. (2014). Cloud computing risk assessment: a systematic literature review. In Future Information Technology (pp. 285-295). Springer, Berlin, Heidelberg.
Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. CRC Press.
McCrie, R. (2015). Security operations management. Butterworth-Heinemann.
Rani, D., & Ranjan, R. K. (2014). A comparative study of SaaS, PaaS and IaaS in cloud computing. International Journal of Advanced Research in Computer Science and Software Engineering, 4(6), 458-461.
Rao, J. R., Chari, S. N., Pendarakis, D., Sailer, R., Stoecklin, M. P., Teiken, W., & Wespi, A. (2016). Security 360: Enterprise security for the cognitive era. IBM Journal of Research and Development, 60(4), 1-1.
Rao, R. V., & Selvamani, K. (2015). Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, 204-209.
Rewagad, P., & Pawar, Y. (2013, April). Use of digital signature with Diffie-Hellman key exchange and AES encryption algorithm to enhance data security in cloud computing. In Communication Systems and Network Technologies (CSNT), 2013 International Conference on (pp. 437-439). IEEE.
Rhodes-Ousley, M. (2013). Information security: the complete reference. McGraw Hill Professional.
Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC Press.
Rivera, J., Yu, H., Williams, K., Zhan, J., & Yua, X. (2015, May). Assessing the security posture of cloud service providers. In Proceedings of the 5th International Conference on IS Management and Evaluation (ICIME) (pp. 103-110).
Sreeramaneni, A., Seo, B., & Chan, K. O. H. (2017). A business driven scalable cloud computing service platform (PaaSXpert). 15(1), 35-44.
Srinivasan, S. (Ed.). (2014). Security, Trust, and Regulatory Aspects of Cloud Computing in Business Environments. IGI Global.
Stojmenovic, I., & Wen, S. (2014, September). The fog computing paradigm: scenarios and security issues. In Computer Science and Information Systems (FedCSIS), 2014 Federated Conference on (pp. 1-8). IEEE.
Theoharidou, M., Papanikolaou, N., Pearson, S., & Gritzalis, D. (2013, December). Privacy risk, security, accountability in the cloud. In Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on (Vol. 1, pp. 177-184). IEEE.
Theoharidou, M., Tsalis, N., & Gritzalis, D. (2013, June). In cloud we trust: Risk-Assessment-as-a-Service. In IFIP International Conference on Trust Management (pp. 100-110). Springer, Berlin, Heidelberg.
Zhao, F., Li, C., & Liu, C. F. (2014, February). A cloud computing security solution based on fully homomorphic encryption. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 485-488). IEEE.