Risky Situations
Note three types of sensitive information involved in each situation. Then note three ways each information item could be misused or harmed. For each of these, note at least one likely finding that you would include in a risk analysis report on the organization. Finally, answer the questions at the end of the tables.
Situation 1 – Online Banking System
| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Customer details | Unauthorized access | Customer account information and details can be accessed by unauthorized users. |
| | Alteration of customer details | Attackers who gain unauthorized access can alter customer details and information. |
| | Copying of customer details | Unauthorized access allows customer information to be copied and taken out of the system. |
| Transaction details | Fraud | Transaction information can be accessed and altered with malicious intent. |
| | Hacking | Transaction data and information are exposed to unauthorized access. |
| | Tapping (interception) | Information on a particular transaction can be intercepted and used for personal gain. |
| Account details | Unauthorized access | Passwords and security details for an account can be acquired and used to access it for personal gain. |
| | Hacking | Account information can be accessed and altered without authorization. |
| | Errors and omissions | Account information and data are subject to intentional or unintentional errors and omissions. |
Situation 2 – Facebook Page (Organization or Personal – Specify Which)
| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Status update (organization page) | Unauthorized access and update of the organization's status | Other people gain access to the organization's Facebook page and update its status without the administrator's knowledge. |
| | Inappropriate status update | Organization staff or outsiders post inappropriate status updates. |
| | Negative publicity | Inappropriate status updates result in negative publicity for the organization. |
| Account information (personal page) | Unauthorized change of account information | Personal account information is changed by unauthorized persons. |
| | Wrong account information | Users give wrong or inaccurate personal information and details. |
| | Impersonation | Some users impersonate other persons' accounts by using their names and other details. |
| Posts and comments | Unwanted posts | Unauthorized posts are made from personal accounts. |
| | Unwanted and inappropriate comments | Unauthorized and inappropriate comments are left on posts and status updates. |
| | Negative publicity through public posts, comments and anonymous images and videos | Unauthorized, anonymous uploads of images and videos result in negative publicity. |
Situation 3 – Picture Phones in the Workplace
| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Asset details | Unauthorized capturing of organization assets | Picture phones are used to photograph organization assets, exposing the assets to the public. |
| | Capturing of asset details | Picture phones can also capture details of assets such as colour, size, model and other identifying information. |
| | Circulation of images of company assets | Captured images are circulated through text and multimedia messages. |
| Security codes | Capturing of organization security codes | Picture phones can photograph security codes. |
| | Transfer of captured security codes | Captured images of security codes can be circulated or transmitted from the picture phones. |
| | Unauthorized access to security codes through image capture | Picture phones enable unauthorized access to security codes. |
| Storage information details | Unauthorized access to storage information | Images captured with picture phones can facilitate unauthorized access to stored information. |
| | Capturing of information storage location | The location where information is stored can be captured with picture phones. |
| | Dissemination of information storage location | The captured images can be transmitted and circulated using the picture phones. |
Situation 4 – E-Commerce Shopping Site
| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Product information | Alteration of product information, prices and discounts | People gain unauthorized access to the e-commerce site and alter product prices and specifications. |
| | Unauthorized upload of product details | Outsiders upload product details and information to the site without authorization. |
| | Errors in product information | Staff make errors when entering product information and details. |
| Account information | Unauthorized alteration of account details | Accounts are hacked and account details and information are altered without authorization. |
| | Errors and omissions | Unintentional or intentional errors and omissions occur in customer account information. |
| | Loss of information | Some account information held by the e-commerce site may be lost. |
| Transaction details | Fraud | Transaction details are obtained through hacking and tapping and used for malicious purposes. |
| | Errors and omissions | Employees make intentional or unintentional errors and omissions in transaction details and information. |
| | Unauthorized alteration of transaction details | Through hacking and tapping, transaction details and information may be altered without authorization. |
Situation 5 – Real-World Application (Such as CRM, ERP, Other Internal or External Organizational System – Pick One and Specify)
| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Customer details (CRM) | Errors and omissions | Employees and personnel make unintentional or intentional errors and omissions. |
| | Unauthorized access | Customer details and information in the database are accessed without authorization. |
| | Fraud | Customer details are altered for personal or malicious ends, and wrong or unauthorized customer information is provided. |
| Customer benefits (CRM) | Fraud | Employees and personnel may fraudulently handle data and information on customer benefits for their own personal gain. |
| | Unauthorized alteration | Customer benefits are altered without authorization by employees or by external users of the system. |
| | Errors and omissions | Employees and personnel may leave out, add or change information pertaining to customer benefits, intentionally or unintentionally. |
| Transaction details and information (ERP) | Errors and omissions | Employees and personnel make errors and omissions in transaction details. |
| | Fraud | Transaction details are obtained fraudulently and altered by external users or by employees for personal gain. |
| | Unauthorized access and alteration | Transaction information is accessed and altered without authorization. |
Questions
1. What is the most effective way to identify risks like those you noted in the tables?
The most effective way to identify organizational risks of this kind is scenario-based risk identification. Different scenarios are constructed, the alternative ways of achieving the set objectives are analysed, and any event that could interfere with the process or produce an undesired result is treated as a risk (Crockford, 1998).
2. What are some important factors when weighing the depth of a formal risk analysis? How would you balance the interruption needed for depth and the need to continue ongoing organizational activity?
In weighing the depth of a formal risk analysis, the analyst should consider the organization's objectives and goals, the procedures and methods used in the operations that achieve those objectives, and the personnel involved in those operations (Crockford, 1998).
Parallel and phased analysis can be used to balance the need for depth against the need to continue organizational activity: the organization's systems and activities are subdivided into subsystems, and each is analysed individually, so that overall organizational activity need not be halted (Borodzicz, 2005).
3. What should an organization’s risk management specialist do with the information once a potential risk has been identified? What information would be needed for senior management to know the danger of each risk and the proper way to handle the risk?
The risk management specialist uses the information gathered during the analysis to drive risk mitigation: it is the input to the assessment and prioritization of the risks. Senior management should know the effect of each risk on the organization's objectives, its financial implications, its cause, and its positive and negative impacts on the organization. This information is then used to coordinate and manage the mitigation strategies that minimize or eliminate the impact on the organization (Borodzicz, 2005).
4. How would this specialist properly prioritize these risks to make sure the most important ones were mitigated first?
To prioritize the risks properly, the analyst should first identify the impact of each risk, that is, whether it affects the product or the project; then identify the process, that is, how operations are carried out in the organization across the departments and areas mentioned in the tables above, since the risks attached to each process matter for prioritization (Crockford, 1998); then identify the resources to be used, since different risks require different mitigation strategies, which in turn require different resources.
The analyst then identifies the stakeholders and the level at which each will be involved in risk management, and identifies the tools to be used in mitigation (Crockford, 1998).
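The prioritization steps in this answer, carried through as an added worked example that is not part of the original assignment: a small risk register whose entries record the fields the answer says the analyst should identify (impact, process, resources, stakeholders, tools), rated on an assumed impact-by-likelihood matrix and sorted so the most important risks are mitigated first, with ties broken by impact. The entries are drawn from the situation tables above, but every rating and every resource, stakeholder, tool and treatment threshold is an assumption made for illustration, not something the tables state.

```python
"""Added example (not part of the original assignment): a small risk
register carrying the fields Question 4 says the analyst should identify,
sorted so the most important risks are mitigated first.
Likelihood and impact ratings, treatment thresholds, and the resources,
stakeholders and tools listed for each entry are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scales assumed for this example (a 4x4 matrix).
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}


@dataclass
class Risk:
    situation: str          # which table the entry comes from
    item: str               # information affected
    harm: str               # potential harm (risk)
    process: str            # the operation or department the risk touches
    impact: str             # key of IMPACT
    likelihood: str         # key of LIKELIHOOD
    resources: List[str] = field(default_factory=list)
    stakeholders: List[str] = field(default_factory=list)
    tools: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Risk rating = impact x likelihood on the assumed scales."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def treatment_tier(score: int) -> str:
    """Map a rating to the action the report recommends (thresholds assumed)."""
    if score >= 9:
        return "mitigate first"
    if score >= 4:
        return "plan mitigation"
    return "accept and monitor"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest rating first; ties are broken by impact so that, of two risks
    with the same rating, the more damaging one is addressed first."""
    return sorted(risks, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def briefing(risks: List[Risk]) -> Dict[str, List[str]]:
    """Group the prioritized register by treatment tier for senior management:
    one line per risk giving the affected process, the rating, the resources
    mitigation needs and who owns it."""
    out: Dict[str, List[str]] = {}
    for r in prioritize(risks):
        line = (f"{r.situation}: {r.harm} affecting {r.item} "
                f"(process: {r.process}; rating {r.score()}; "
                f"needs {', '.join(r.resources) or 'no extra resources'}; "
                f"owners: {', '.join(r.stakeholders)})")
        out.setdefault(treatment_tier(r.score()), []).append(line)
    return out


# Register built from entries in the tables above; all ratings are assumed.
REGISTER = [
    Risk("Online banking", "Account details",
         "Unauthorized access (passwords and security details acquired)",
         "customer login", "critical", "likely",
         ["budget for multi-factor authentication"], ["head of IT", "fraud team"],
         ["MFA", "login monitoring"]),
    Risk("Online banking", "Transaction details", "Fraud",
         "payment processing", "critical", "possible",
         ["fraud analysts"], ["operations manager"], ["transaction monitoring"]),
    Risk("Online banking", "Customer details", "Copying of customer details",
         "customer records", "high", "possible",
         ["access review time"], ["data owner"], ["access logs", "encryption"]),
    Risk("E-commerce site", "Product information",
         "Alteration of product information, prices and discounts",
         "catalogue management", "medium", "possible",
         [], ["catalogue manager"], ["change approval"]),
    Risk("Facebook page", "Status update (organization)",
         "Inappropriate status update", "public communications", "medium", "unlikely",
         [], ["communications lead"], ["page admin roles"]),
    Risk("E-commerce site", "Account information", "Errors and omissions",
         "customer account entry", "low", "likely",
         [], ["customer service lead"], ["input validation"]),
    Risk("Picture phones", "Asset details", "Circulation of images of company assets",
         "site access", "low", "unlikely",
         [], ["facilities manager"], ["acceptable-use policy"]),
]

if __name__ == "__main__":
    for tier, lines in briefing(REGISTER).items():
        print(tier.upper())
        for line in lines:
            print("  -", line)
```

Running the block prints the register grouped into the three tiers. The tie-break matters in practice: the Facebook status-update risk and the e-commerce errors-and-omissions risk both rate 4 on the assumed scales, and the sort puts the medium-impact one ahead of the low-impact one, which is what "most important first" means when likelihood alone cannot separate two risks.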
5. Who is responsible for ensuring that an identified risk is addressed by the organization? What role does the analyst play? What role does senior management play? What roles do the analyst and senior management each play in addressing organizational risks?
The system analyst or system administrator is responsible for identifying risks and ensuring they are addressed in the organization. The analyst identifies the risks, analyses them and collects the necessary information, prioritizes them, develops the risk management plan, and briefs senior management (Borodzicz, 2005).
Senior management provides the financial and administrative resources and takes part in formulating policy to mitigate the risks. Senior management and the analyst together develop the mitigation or risk management plan and decide on the best way to address each risk in the organization (Crockford, 1998).
Reference
Borodzicz, E. (2005). Risk, Crisis and Security Management. New York: Wiley.
Crockford, N. (1998). An Introduction to Risk Management. Cambridge, UK: Woodhead-Faulkner.