Risk Assessment Analysis, Research Paper Example

Risk is the possibility of a deviation from the expected result. Many people that are monitoring, controlling, reviewing or evaluating risk associate risk as a potential loss or a type of undesirable outcome to an intended plan, project, process or system. The result of a risk can be associated to specific outcomes or costs associated with the risk. This is heavily dependent upon the variables of the risk such as probability or likelihood of occurrence, level of deviation from the intended plan and the breadth or impact of the risk (Vacca & Rudolph, 2011). A risk that could shut down the entire facility working on the project would have a high level of deviation from the objective but it may also have a very low likelihood of occurrence. Another risk may be schedule slips due to a project’s dependence on overseas resources and their holiday/work schedule is misaligned with the headquarters implementing the project. This type of risk does not have the high level of project plan deviation that a facility shut down has but it has a higher likelihood of occurrence. Each would be measured, monitored and controlled through different types of risk mitigation. Assessing risk entails assessing the probability of a specific outcome to occur.

This assessment can be accomplished through the application of the basic probability theory. This theory is a mathematical theory that models specific events with different variables or risks to the outcome. This theory allows the user to derive outcomes based on the inputs of variables to the situation. This is extremely useful when trying to develop a picture of what could potentially occur when multiple risks are associated to the same project. With any type of project management activities in which risk is defined it then needs to be measured in both a qualitative and quantitative perspectives. When measuring risk there are the two different areas of measure. There are also different tools for measuring the types of risks and inputting those results into the project. For qualitative risk management the first important tool is the risk management plan. This pulls together all the findings, risks, mitigation plan, and other pertinent information required for the project team to perform their duties regarding to project scope, schedule and cost. Quantitative risk analysis helps assign specific values to risks and this is normally in either cost values or time values. The value of the risk also plays into the risk mitigation plan and depending on the cost or schedule impact the amount of effort to mitigate the risk.

For this specific project, establishing security requirements for our organization, there needs to be a risk assessment completed and analyzed to fully understand the requirements for the organization. The areas within the risk assessment include infrastructure, hardware, software, policies and inherent weaknesses and vulnerabilities of those areas. The network infrastructure must match current technological needs as well as provide secure and efficient transfer of information. The focus of the network infrastructure is on wireless capability and operates under the Wireless Local Area Network (WLAN) build structure. The risk areas include all of the Access Points (AP’s) where communication is promoted and devices and entities access the network (EC-Council Press, 2011). These areas are the gates to the information that must be secured. With the centralized architecture, the WLAN controller is the single point of contact that will be used to control, manage and the points. The risk is the intrusion of other entities trying to gain access then damage and/or destroy the secured data. The implementation of wireless intrusion devices, firewalls and security procedures will mitigate the risk of intrusion activities. These items must be in place for the infrastructure to have mitigated risks.

The data handling capability will be compromised if the WSIDs, firewalls, policies and procedures are not fully implemented and followed with rigor. When handling data and providing access to individuals there is an inherent risk with the tools and techniques the people access the information, store the data or transfer the information. The security to allow only trusted devices as well as install monitoring capability on these devices will allow for visibility into the information accessed as well as the potential threats accessing the network. This risk is high due to the number of tools that can access a network which include tablets, laptops, cell phones, thumb drives or other memory storage devices. Internal users must only access with approved tools and follow the policies and procedures outline in the security doctrine so that they do not negate the security measures by internally bypassing security.

Training and Awareness

In order for those to follow the policies and procedures there must be training incorporated to provide the framework for operating within the confines of the network security of the organization (Calder, 2009). Training will raise the awareness of those utilizing the system so that they are aware of the risks associated with accessing the network. Training would be provided not only to new employees but also as a refresher to ensure all employees are up to date with current security risks and policies. The role of training provides the capability for information to flow to the right people, increase the awareness of the security of the organization and provide a level of defense by ensuring proactive actions by those people accessing the network are conducting the right activities to ensure security.

Training would incorporate three different methods of delivery. The first is in person training for those that are new to the company or are accessing critical and high interest network capability. The next would be training through remote access where the employee could take the online material at their own pace and complete the course prior to engaging in work activities as well as a refresher course yearly. The last set of material would include manuals and guides that would be shared in a public location for the end users to access to use in case the need arose during the course of their business activities. The materials would cover overall security needs of the company, how to access the network, what tools are allowed and how to ensure they are secure as well as how to report a violation or a potential security risk.

Specifically there are two types of training that will be incorporated into the training plan. There are the self-directed online courses that would cover basic security requirements as well as the individual responsibilities on how to access the network and what information can be transmitted. This online coursework would be monitored and distributed based upon the roles and responsibilities assigned to the individual. This provides a high level of granularity regarding the actual training provided. The role of the individual would determine how specific the training is in terms of implementation and enforcing security. The types of materials covered will encapsulate network security configuration, setup, enforcement, accountability, failover and continuous improvement and will incorporate both in person and online training methods. In conjunction with the online presence of the training material, in person seminars will cover current standards and operating procedures as well as new trends in security. These combined efforts will help prepare the users and mitigate the risks associated with networks and potential vulnerabilities.

References

Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002 (best practice). Van Haren Publishing.

EC-Council Press. (2011). Security and vulnerability assessment. Clifton Park, NY: Course Technology Cengage Learning.

Vacca, J. R., & Rudolph, K. (2011). System forensics, investigation, and response. (1st ed.). Sudbury, MA: Jones & Bartlett Learning, LLC