IT Risk Management, Research Paper Example
Information Technology has become the life-blood of virtually every organization, and banks are no exception to this rule. The data centres of banks contain expensive computer and communication systems (hardware) together with important client information and programs (software). Together they provide the central backbone of the organization, so any threat to these systems can be extremely disruptive and costly to the business. Security Managers are responsible for the overarching strategy that provides coverage of these important assets. Their duties can be classified under the following sub-headings:
- Protection of the Assets: includes recording of assets, insurance coverage of assets, a secure environment for assets, and back-up of assets;
- Disaster Recovery: Disaster Recovery Plan (emergency plan), Business Continuity Plan, security of the secondary site;
- System Security: access to the systems, password protection, control of authorized users (restrictions), security of information (data vaults, secure back-up site);
- Corporate Security Policy: ensuring that corporate security policy measures are carried out and enforced.
IT Security services are normally structured into three separate categories:
Management Services: Management of computer risks and of the security of information technology in the firm. The function works closely with the IT Executive of the bank and the Head of Internal Audit. The objective is to ensure that all corporate security policies are properly carried out and fully implemented.
Operational Services: These are more focused on the human interface and on the controls that are the responsibility of people. Automated control functions are also examined. This is the man/machine interface and the security controls that apply to it.
Technical Services: These focus on the in-depth security controls within the overall Information Technology and computer systems of the bank, ensuring there are no loopholes or potential breaches in security.
More recently the threat of terrorism has been added to the Security Manager's busy agenda. This was highlighted during the IRA terrorist campaign conducted on the Square Mile of London, resulting in the blasts at St. Mary's Axe (1992) and Bishopsgate (1993). These caused severe disruption to many City financial institutions and resulted in considerable loss of life. Strategy now has to consider how the assets and people might be protected from such an attack. This has been broadened to consider the consequences of natural disasters such as fire, flood and earthquakes.
Fortunately technology has assisted in this program by making it easier to create secure data recovery sites. An example is the Royal Bank of Scotland, which mirrors its entire hardware, software and communications systems at a highly secured site in Dalkeith, Scotland. The site is designed for 24/7 disaster recovery invocation across the entire RBS system. Many other banks have developed similarly in-depth and robust security recovery plans as part of their corporate IT strategy. (Jake Kouns)
Banks and other financial institutions are responsible for holding a great deal of confidential client information, and it can be extremely damaging if this information is either tampered with or stolen. In recent years there have been a number of serious incidents that give rise to concern. Firms' risk assessment of their exposure to data loss incidents is often weak. What has made this a nightmare for the IT security manager is the fact that data can be easily copied onto small storage devices, laptops and portable computers. This has intensified the need for improved security techniques over data, and particularly for data encryption. Encryption has become a critical security feature for thriving networks and active home users alike.
In the United Kingdom there is also the question of the Data Protection Act and confidentiality over information. The 1988 Act essentially defines how data shall be used and how long it can be stored for. One of the worst breaches or lapses of security was carried out by the Yorkshire Building Society. An employee copied a large section of the client database onto a laptop computer and copied the access passwords onto a piece of paper which he kept in the bag. The computer was recovered within 48 hours and no data was accessed, despite attempts to do so. (Holland)
Aligning security and risk management
It is useful to understand the concepts of both Security and Risk Management in terms of how the two duties harmonize with one another. As previously stated, the security element is essentially focused on the protection of company assets, the security of people and the working environment, and the mitigation of damage to people and property through the implementation, monitoring and control of a Corporate Security Plan. Risk Management is concerned with identifying potential threats and providing mitigation actions to prevent or minimize the impact of such threats should they become a reality. Such Risk Management plans prioritize the level of threats and provide sensitivity analysis illustrating the threat levels. This is often accomplished by the use of simple colour-coding tags, sometimes referred to as RAG (Red, Amber, Green) analysis, where Red indicates an imminent and high-level risk, Amber a medium threat and Green a low threat. The trend of the risk can then be assessed by trend analysis, which distinguishes three types:
- Increasing: the risk increases in severity over time;
- Stable: the risk neither increases nor decreases over time; it remains flat;
- Decreasing: the risk decreases in severity over time.
You can now see what happens when you apply the colour (RAG) coding to a specific identified risk. For example:
Risk Identification: possible forced entry to the bank in the evening.
Category: Red, Increasing. This represents a serious risk to the bank, and the possibility of impact increases over time unless appropriate intervention or mitigation actions take place. These become priority 1 risk avoidance actions.
Category: Green, Decreasing. This represents a relatively low risk to the bank, and the threat level is steadily diminishing over time to the point where it no longer represents a risk. These types of risk are low-priority items and often do not have mitigation actions placed against them.
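To make the RAG-plus-trend scheme above concrete, here is a small risk register written for this page (it is not code from the paper or from any product it cites). The score thresholds, the trend tolerance and the three sample risks are assumptions chosen for illustration.

```python
"""Added example: RAG colour coding with trend analysis for a risk register.
Thresholds and sample risks are constructed assumptions, not from the paper."""
from dataclasses import dataclass

# Assumed RAG thresholds on a 1-25 (likelihood x impact) score
RED_MIN, AMBER_MIN = 15, 8
STABLE_TOLERANCE = 0.5  # slope below this (per review period) counts as flat


@dataclass
class Risk:
    name: str
    history: list  # scores from successive reviews, oldest first


def rag(score: int) -> str:
    """Map a score onto the Red / Amber / Green bands."""
    if score >= RED_MIN:
        return "red"
    return "amber" if score >= AMBER_MIN else "green"


def trend(history: list) -> str:
    """Least-squares slope over the review history -> increasing/stable/decreasing."""
    n = len(history)
    if n < 2:
        return "stable"
    mean_x, mean_y = (n - 1) / 2, sum(history) / n
    slope = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(history)) / \
        sum((x - mean_x) ** 2 for x in range(n))
    if abs(slope) < STABLE_TOLERANCE:
        return "stable"
    return "increasing" if slope > 0 else "decreasing"


def priority(colour: str, direction: str) -> int:
    """1 = immediate avoidance action (red), 3 = monitor only (green, not rising)."""
    if colour == "red":
        return 1
    return 2 if colour == "amber" or direction == "increasing" else 3


def assess(risk: Risk) -> dict:
    colour, direction = rag(risk.history[-1]), trend(risk.history)
    return {"risk": risk.name, "rag": colour, "trend": direction,
            "priority": priority(colour, direction)}


SAMPLE_RISKS = [  # constructed review histories
    Risk("Forced entry to the bank in the evening", [12, 16, 20]),
    Risk("Unencrypted laptop taken off site", [9, 6, 3]),
    Risk("Secondary site power failure", [10, 10, 10]),
]


def assess_all(risks=SAMPLE_RISKS) -> list:
    """Return assessments ordered so priority-1 items come first."""
    return sorted((assess(r) for r in risks), key=lambda a: a["priority"])
```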
Security Managers may now gain the assistance of sophisticated software applications to help them maintain compliance with international systems security standards. One such application is 'Risk Management Studio®', which offers a framework for the procedures, processes and policies of an organization's information security. (Risk Management Studio)
Most financial institutions are international or multi-national, and as such their security planning takes on the nature of Global Risk Management. This means taking a more holistic view of security and risk management, with the aim that a common set of procedures and standards is implemented, monitored and enforced across the entire international corporate network. Such a task is a major undertaking, and many of the larger banks have found it cheaper (through economies of scale) to subcontract this work to specialist security firms. One such firm is GRM (Global Risk Management), which operates international security on behalf of its clients. (Security Risk Management Consultants)
Cyber attacks over wireless computer networks
Before addressing the types of security measures in place over wireless networks, it is necessary to have some understanding of the threats posed. These vary from eavesdropping to physical intrusion and penetration of your system. Both can be potentially damaging, and at a minimum represent a gross invasion of your privacy. Threats may be as simple as:
- Rogue Wireless Area Networks: someone introduces an additional router to your network and thereby gains access to the wider network. This is essentially a hardware intrusion. Software applications like Network Magic will detect and report such intrusions to the network administrator.
- Spoofing Internal Communications: a direct attack and intervention from outside computers wishing to gain access to your system. They simulate internal domains and essentially look harmless on the network maps.
- Direct Theft of Network Resources: your system is hacked and the intruder steals bandwidth to surf the internet. They can then indulge in a variety of illegal activities that point to your network as the source, such as downloading pornography, music or video clips. Degradation of your network performance is an indication of this type of attack. (Bradley)
Whilst segmentation is a useful step, you will also require wireless encryption, which is essentially a means of keeping eavesdroppers off your personal wireless network. The early method used WEP (Wired Equivalent Privacy), but this was later discovered to be flawed, as anyone who gained the key could join the network. It was also easily cracked by professional hackers. We quickly moved over to WPA (Wi-Fi Protected Access). This used the Temporal Key Integrity Protocol (TKIP) and provided a much tougher code system to decipher. Even this was not good enough for large enterprise networks that required a much higher degree of sophistication and security.
The major computer manufacturers, software suppliers and communications providers will work with you to provide robust solutions for network security. One of the main considerations is the architecture itself, as no wireless computer network is ever really safe from intrusion (Malcolm). The more immediate security effort in wireless will focus on hand-held devices and the more sophisticated wireless cellular phones. It is highly likely that we will move towards chip technology built into hand-held mobile devices, similar to that built into credit card applications. This will involve personal identification of the owner of the hand-held device, with higher degrees of encryption built in for network admission. This is already being termed Personal Area Networking, or PAN for short. The objective is to link all of your personal electronic devices (PC, PDA, printer, laptop, fax, etc.) to your mobile phone, providing full mobile access to all of your personal data files over your own personal wireless network. There is no doubt that security issues will still need to be addressed in this new wave of technological development.
Bradley, T. "Secure your wireless network." 6 Dec. 2007. http://netsecurity.about.com/od/secureyourwifinetwork/a/securewifi.htm. Accessed 25 Nov. 2011.
Holland, C. "YBS rapped after computer with customer data is stolen from office." 27 Aug. 2010. http://www.thetelegraphandargus.co.uk/news/8356458.Yorkshire_Building_Society_s_pledge_after_laptop_theft/. Accessed 25 Nov. 2011.
Kouns, Jake, and Daniel Minoli. Information Technology Risk Management in Enterprise Environments: A Review … New York: Wiley, 2010. Book.
Malcolm, J. "Net Security." 14 Apr. 2010. http://www.net-security.org/article.php?id=755. Accessed 25 Nov. 2011.
Risk Management Studio. "Risk Management." 29 Aug. 2010. http://www.riskmanagementstudio.com/index.php/en/knowledge-center/information-security. Accessed 25 Nov. 2011.
Security Risk Management Consultants. "Security Risks." 29 Aug. 2010. http://www.s-rmc.com/home.html. Accessed 25 Nov. 2011.