
Managing Risk in Information Systems, Essay Example

Pages: 6

Words: 1715

Essay

Case Study 1

Risk, as it pertains to information technology, is defined as the likelihood that a computer’s components will be attacked in an effort to retrieve sensitive information. Thus, many companies hire information technology professionals to conduct risk assessments that will help them determine how to best control their vulnerabilities. One organization that is a big target for these attacks is Walmart, due to the scale of their operations and prevalence in the United States. The chain currently has 2.2 million employees and a revenue of 476.294 billion as of 2013 (United States Securities and Exchange Commission, 2014).

In order to complete a risk assessment on the company, it is necessary to first determine its risk history in order to help prioritize risks. A literature review yielded several instances in which Walmart’s network security has been compromised in the past. In 2005 and 2006, hackers accessed the store’s point-of-sale system and stole source code and customer bank card information (Zetter, 2009). Fortunately, Walmart has learned from this experience and has begun encrypting its data. Furthermore, the password-cracking software that allowed a hacker to gain access to its servers made the company aware that additional security measures were necessary.

Since Walmart is a large corporation, its operations cover many industries, including commerce, shipping, and logistics. It relies on its computer networks because it must coordinate operations over a large geographical range and be able to effectively transmit information to many different stores and warehouses. Thus, the hazards involved in the way that Walmart conducts business pertain to its reliance on its multiple servers. Although they are backed up, if one server goes down, it can slow business. Furthermore, since the store has thousands of employees, it is more likely that the actions of one individual on the team will compromise the company’s safety by mistakenly providing private company information.

The information risks associated with Walmart as a business pertain primarily to the data it must hold on its customers in order to process credit card transactions. When the company’s system was breached in 2006, the particular document that was stolen was entitled “POS Store Systems Technical Specifications TLOG Encryption and Financial Flows Draft 03/04/2006”. The hackers planned to use this document to gain a better understanding of Walmart’s transaction process. Thus, the information that the store has on its customers is a priority for protection, although the information the company stores on its employees is equally important.

While the company’s logistics and distribution information is important to protect as well, it does not need to be set as a high priority. Most hackers are interested in information that will allow them to generate a quick profit from the company and are therefore concerned with sensitive customer and employee data. It is possible that a competitor of Walmart would hack logistics information in order to compete more effectively, but there would be a lesser likelihood of this occurring due to the small number of competitors the company has that would be capable of such a large scale attack. Therefore while protection of this information is important and should be considered, it shouldn’t be emphasized.

Case Study 2

The risk assessment methodology that should be used to study Walmart’s risk is quantitative. Since Walmart is a highly profitable business, it is more beneficial for the company to think about losses due to information security compromises in monetary terms. That way, it can weigh its profits against its risk and determine how best to invest company funds in preventing detrimental incidents. The goal of this analysis will be to identify the single loss expectancy (SLE), the annual rate of occurrence (ARO), the annual loss expectancy (ALE), and the safeguard or control value (Gibson, 2011).

In the case of Walmart, it is important to have a wide scope for the risk assessment. Because it is a large company, hackers are more likely to have a greater desire to access its systems. Therefore, it is important to ensure that most aspects of its network remain secure. The critical areas that should be assessed at the beginning of the process include the main web servers, backup web servers, the firewalls, and the database server. It is anticipated that the database server is backed up as well. Although it is generally recommended that only the elements of each critical area that communicate with other components be analyzed for risk, it may be necessary to analyze all components. Since Walmart’s previous breaches may have been assisted by a Walmart employee, it is necessary to consider all possibilities.

Next, it would be beneficial to interview the company’s information technology team to gather additional information on the history of security breaches and on the likelihood that employees accidentally allow access to their accounts. This interview will inform knowledge of password policies and of the programs implemented to train employees to ensure that sensitive data is not distributed. This information will be used to gain a greater understanding of the source of the breaches so that the company’s information can be protected both internally and externally and to prevent information breaches that will encourage collaborations between the two.

Although the previously discussed methods help quantify and prioritize risk by studying both past and current data, it would be beneficial to confirm these beliefs by performing qualitative analysis as well. This method can more effectively determine the probability of the risk in addition to its impact. It therefore gives a better-justified basis on which different security vulnerabilities can be prioritized. The probability determines the “likelihood that a threat will exploit a vulnerability” (Gibson, 2011). This likelihood can be described either ordinally or categorically, and should be described in a manner that is meaningful to the company. Impact is typically described categorically, as opposed to being represented as a value. This will help Walmart decide how much money is too much to risk on security and how to effectively balance security and profit based on a ratings system.

Since Walmart’s website is potentially at risk, as it has had problems with people hacking its Twitter account, attempts should be made to protect this information as well. Qualitative methods can be used to prioritize DoS attacks, web defacing, the loss of data that results from unauthorized access, and the loss of data that results from hardware failure by measuring the probability and impact (Caballero, 2009). This process should be repeated for the other system components at risk as well.
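
The quantitative measures named in this case study (SLE, ARO, ALE, safeguard value) and the qualitative probability and impact ratings can be computed side by side for the four website threats listed above. The Python code below is an added example and not part of the original essay; every dollar figure, rate and 1-to-5 rating in it is constructed for illustration, and scoring a risk as probability times impact is an assumed convention.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    sle: float           # single loss expectancy, USD per incident
    aro: float           # annual rate of occurrence before any control
    aro_after: float     # annual rate of occurrence with the control in place
    control_cost: float  # annual cost of the control, USD
    probability: int     # qualitative rating, 1 (low) to 5 (high)
    impact: int          # qualitative rating, 1 (low) to 5 (high)

    @property
    def ale(self):
        return self.sle * self.aro  # annual loss expectancy = SLE x ARO

    @property
    def safeguard_value(self):
        # ALE before control - ALE after control - annual cost of control
        return self.ale - self.sle * self.aro_after - self.control_cost

    @property
    def qual_score(self):
        return self.probability * self.impact  # assumed scoring convention

# All figures below are constructed for illustration, not taken from the essay.
RISKS = [
    Risk("DoS attack", 40_000, 3.0, 1.0, 30_000, 4, 2),
    Risk("Web defacement", 15_000, 2.0, 0.5, 5_000, 3, 2),
    Risk("Data loss: unauthorized access", 800_000, 0.25, 0.0625, 60_000, 2, 5),
    Risk("Data loss: hardware failure", 50_000, 0.5, 0.125, 25_000, 3, 3),
]

def rank(risks, key):
    """Map each risk name to its 1-based rank, highest value first."""
    ordered = sorted(risks, key=key, reverse=True)
    return {r.name: i for i, r in enumerate(ordered, start=1)}

def compare_rankings(risks):
    """Return (name, ALE rank, qualitative rank) where the two methods disagree."""
    by_ale = rank(risks, lambda r: r.ale)
    by_qual = rank(risks, lambda r: r.qual_score)
    return [(r.name, by_ale[r.name], by_qual[r.name])
            for r in risks if by_ale[r.name] != by_qual[r.name]]

def justified_controls(risks):
    """Names of controls whose loss reduction exceeds their annual cost."""
    return [r.name for r in risks if r.safeguard_value > 0]
```

With these constructed inputs, hardware failure ranks second qualitatively but last by ALE, and its control has a negative safeguard value, which is the kind of disagreement a combined analysis is meant to surface.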

Case Study 3

To prevent compromised information technology security from an internal point of view, it is necessary for employees to create complex passwords that only they will remember and to avoid sharing them. Since Walmart’s servers were accessed in the past due to a hacker’s ability to guess the system’s access code, it is important that all usernames and passwords used in the company are difficult to guess, even when using software designed for this purpose. Therefore, passwords should contain a combination of uppercase letters, lowercase letters, numbers, and symbols. Furthermore, they should be at least ten characters long to make them harder for hacking software to guess. These passwords should contain no personal information and appear somewhat random to outsiders. Lastly, they should be changed at least monthly, and Walmart should remind its employees in a monthly email notification that this information should not be shared and provide them with information concerning the latest phishing scams.

Next, the quantitative and qualitative data retrieved from the risk assessment phase can be utilized to determine the priority of the mitigation. It is more likely that Walmart would favor priority on the basis of money loss and gain, so this approach will be utilized with the understanding of the qualitative severity of the risk. Therefore, the systems that would cause the most monetary damage to the company will be favored. Since Walmart is a large company, it must consider that a compromised website could lead to a damaged reputation and hinder marketing efforts, while a compromised point-of-sale system may require customer reimbursements and legal fees. Thus, since legal fees are expensive, as is the equipment damage that can result from the hacking, the company should prioritize preventing future attacks on this system. After this is complete, it should consider website and social media security in addition to sensitive files utilized by the logistics team.

Since malware is capable of retrieving sensitive data, it is essential that Walmart invest in effective antimalware and antivirus software programs as a part of the control process. Often, employees are uneducated about the data they leave on their computers simply from browsing. Although education programs may be helpful in preventing these kinds of attacks, the attacks are easily mitigated using this type of software. Once this process is implemented, it will be difficult for hackers to take screenshots of important information from remote locations.

Another one of Walmart’s major problems is that its server has been hacked in the past. Therefore, mitigating these attacks involves prevention methods. One major way to prevent the system from being hacked is by implementing a two-part authentication system (Glinton, 2012). Although this may not be necessary for every computer in Walmart, it is ideal for those with administrative capabilities. Furthermore, it is essential for the company to back up its data using multiple sources. Thus, even if there is a security breach and information is altered or deleted, Walmart can feel secure that there is an uncompromised backup in another location and the company will be able to continue its operations almost immediately. Additional ways in which Walmart can prevent its systems from being hacked include using patches to prevent root access through vulnerabilities, hardening the system, and limiting its degree of exposure to the Internet (Crucial Paradigm, n.d.). Employees should only be able to access pages required for work on the Internet, which will reduce the likelihood that vulnerabilities can be taken advantage of.

References

Caballero, A. (2009). Computer and Information Security Handbook, Chapter 14. Morgan Kaufmann Publications, Elsevier Inc.

Crucial Paradigm. (n.d.). Hacking Attacks – Prevention. Retrieved from http://www.crucialp.com/resources/tutorials/website-web-page-site-optimization/hacking-attacks-prevention.php

Gibson, D. (2011). Managing Risk In Information Systems. Jones & Bartlett Learning.

Glinton, S. (2012). 5 Ways To Avoid Being Hacked. All Tech Considered. Retrieved from http://www.npr.org/blogs/alltechconsidered/2012/08/10/158505688/simple-ways-to-avoid-being-hacked

United States Securities and Exchange Commission. (2014). Form 10-K. Retrieved from http://www.sec.gov/Archives/edgar/data/104169/000010416914000019/wmtform10-kx13114.htm

Zetter, K. (2009). Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack. Wired. Retrieved from http://www.wired.com/2009/10/walmart-hack/
