Part 1
Information system security threats can affect the integrity of business systems and hence the reliability and privacy of organizational information. Most business organizations depend on computer systems, and thus they must deal with system security threats (Quigley, 2008). The most widespread potential security threat is the computer virus. Computer viruses multiply and can spread to other computers through internet downloads and email. It is almost impossible for any information system to prevent the spread of viruses entirely. However, companies can reduce the threat of computer viruses by installing and regularly updating quarantine software. Organizations can also use software like Deep Freeze to protect and preserve original computer configurations (Quigley, 2008).
Secondly, laptop or mobile device theft is one of the most common information security threats. Laptops and PDAs are relatively expensive, which makes them easy targets for thieves. Laptop theft presents a serious information security threat because the portable device often contains corporate data, sensitive information, and information access codes. Organizations can reduce this security threat by installing biometric security and stealth-tracking software on portable devices.
Thirdly, managing information across multiple locations presents the risk of system penetration. When organizations share information across multiple locations, there is a very high chance that hackers may illegally penetrate the information system. This often results in theft of information, data modification, or even damage to the system. However, organizations can manage this threat by installing a network firewall to conceal internal addresses. Additionally, the company can design security and audit capabilities to protect all user levels (Quigley, 2008).
Lastly, sabotage is a potential threat to managing information on business activities across multiple locations. In most cases, employees have access to organizational information, and they may abuse the organization’s trust. They may delete or even share sensitive information. This is a very serious threat to information systems. However, the organization can prevent sabotage by using biometric access and enforcing a company-wide password change on a regular basis (Quigley, 2008).
References
Quigley, M. (2008). Encyclopedia of Information Ethics and Security. New York: Idea Group Inc (IGI).
Part 2
Business organizations should maintain a risk identification and assessment process that drives information risk management strategies and control implementation. The risk assessment process should incorporate explicit assessments for functional responsibilities. Such responsibilities include security, vendor management, and business continuity. According to Quigley (2008), risk identification, assessment, and the development of a risk control strategy involve four processes.
During risk identification, an organization conducts ongoing data collection for the sake of understanding its environment (Quigley, 2008). The institution’s top management should integrate information on various IT issues such as resource limitations, priorities, threats, and key controls. The organization should ensure that senior management consults several sources to collect and compile information on the business environment. Some of the most important sources include business systems inventories, business strategic plans, and business audit findings (Chew, 2013). Others are business recovery and continuity plans and call center issue tracking reports. Business systems inventories provide information that senior management can use to understand and monitor business tactical operations. The company’s senior management can also identify the access and storage points for confidential organizational information. Strategic plans may spotlight various risk exposures that limit the organization’s ability to pursue its objectives. Call center issue tracking reports can offer insight into the performance and control issues facing the company. Senior management can identify problems depending on their level of recurrence.
Risk assessment involves the use of data on business assets and risks to evaluate the potential impact of those risks on the organization. This evaluation should identify the events and threats that have a negative impact on the operations and strategies of the company. Senior management should evaluate the probability of events and rank their potential impact (Quigley, 2008). Some of the events that can have a negative impact on an organization include security breaches, system failures, and external events. Others include technology investment mistakes, systems development and implementation problems, and capacity shortages. Once senior management identifies the risks, it should estimate the likelihood of occurrence and the potential impact of each. Some of the key areas in which risk can have a negative impact are reputation and finances. The impact of risk varies from one organization to another, and this makes it very difficult to prepare quantitative estimates. However, an organization should rank the results of risk analysis on the basis of the relationship between probability of occurrence and cost (Chew, 2013).
The process of developing risk control strategies involves the prioritization of risk responses. However, senior management should first have a comprehensive understanding of the company’s IT environment and potential risks before developing a control plan. The essential foundation for any risk control plan is the likelihood of occurrence and the magnitude of impact (Quigley, 2008). This ensures that an organization establishes control measures that match the complexity of the organization. The overall results of risk assessment influence most major decision-making responsibilities. Such responsibilities include contingency planning, technology budgeting, internal controls, policy enforcement and compliance, and staffing (Chew, 2013).
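The two preceding steps, ranking risks by the relationship between probability and cost and then prioritizing responses by likelihood and magnitude of impact, can be carried out over a simple risk register. The following is an added illustration, not code from the essay or its sources; the register entries, the dollar figures, and the two priority thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # estimated annual likelihood of occurrence, 0.0 to 1.0
    impact: float       # estimated cost if the event occurs, in currency units


def annual_loss_expectancy(risk: Risk) -> float:
    """Expected yearly cost of a risk: probability of occurrence times impact."""
    return risk.probability * risk.impact


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Highest expected loss first; ties go to the more likely event."""
    return sorted(register,
                  key=lambda r: (round(annual_loss_expectancy(r), 2), r.probability),
                  reverse=True)


def response_priority(risk: Risk, high_prob: float = 0.3,
                      high_impact: float = 100_000.0) -> str:
    """Prioritise the response from likelihood and magnitude (thresholds assumed)."""
    likely = risk.probability >= high_prob
    severe = risk.impact >= high_impact
    if likely and severe:
        return "immediate"   # both frequent and costly: act now
    if severe:
        return "planned"     # rare but costly: contingency planning and budgeting
    if likely:
        return "routine"     # frequent but cheap: everyday internal controls
    return "monitor"         # neither: keep on the watch list


def prioritized_register(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Ranked (name, expected loss, response priority) rows for management reporting."""
    return [(r.name, round(annual_loss_expectancy(r), 2), response_priority(r))
            for r in rank_risks(register)]


# Constructed sample register; values are illustrative, not from the essay.
SAMPLE_REGISTER = [
    Risk("laptop theft with unencrypted data", 0.40, 50_000.0),
    Risk("multi-site network penetration", 0.10, 400_000.0),
    Risk("insider sabotage of records", 0.05, 150_000.0),
    Risk("virus outbreak on workstations", 0.60, 20_000.0),
    Risk("capacity shortage at peak", 0.25, 30_000.0),
]

if __name__ == "__main__":
    for name, loss, priority in prioritized_register(SAMPLE_REGISTER):
        print(f"{loss:>10,.2f}  {priority:<10}  {name}")
```

Note that the ranking and the priority tier disagree on purpose: the rarest event here (network penetration) tops the expected-loss ranking, while the likely but cheap events land in the routine tier, which is the distinction the text draws between contingency planning and internal controls.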
The last step involves monitoring risk mitigation activities to ensure that the risk management plan is complete. Monitoring should be an ongoing process, and departments should prepare progress reports on a regular basis (Chew, 2013). The greatest advantage of monitoring is that it ensures that risk management becomes a continuous process rather than a one-time activity. Effective monitoring activities include management reporting and corrective action plans (Quigley, 2008).
In any business, there is some level of risk. Categories of risk include environmental risks, operational risks, legal risks, compliance risks, economic risks, and strategic risks. Risk control strategies refer to the actions that organizations pursue in an attempt to handle or prevent risk occurrence. According to risk management theory, there are four main types of risk control strategy. The first strategy is risk dissection, which involves the comprehensive analysis of the risks facing the organization. This strategy aims to give senior management an opportunity to enhance its knowledge of the risks facing the company. This ensures that a company becomes aware of the probability of occurrence of various risks and develops a prevention plan. Successful risk dissection involves the identification of the risks open to the company and analysis of their consequences. In fact, it is one of the major steps of an effective risk management plan (Chew, 2013).
Secondly, risk avoidance is also an effective risk control strategy. It involves the company eliminating or reducing probable risks. Once a company is aware of the probable risks, it can develop a plan to avoid some or even all of them. One of the most common risk avoidance strategies is eliminating unnecessary items from a business plan; in particular, senior management should eliminate risky items from the plan. The simplest approach to avoiding risks is to maintain open communication with both employees and clients. The greatest ingredient for success is maintaining open communication regardless of market performance. This is because communication after poor market performance is the key to surviving and succeeding. When markets start recording poor results, clients and employees contact their company to express their concerns (Quigley, 2008). In most cases, one of two things happens: the client or employee does not receive prompt feedback, or senior management does not engage with their concerns (Chew, 2013). Consequently, employees and clients may shift their loyalty and tastes elsewhere. Open communication, however, ensures that top management identifies and eliminates such risks.
Even though it is important for a company to prevent risks, a risk management plan cannot be effective without a plan for how to control risks. Therefore, the third strategy is risk loss control. This strategy involves the development of an alternate plan that can assist the company in reducing risks. A risk loss control strategy protects the company against potential fallout (Quigley, 2008). The loss control strategy aims to handle risks that are already in progress. This strategy helps a company prevent further losses from events that have occurred in the past. A company can implement a loss control strategy through insurance, compliance with OSHA requirements, and preparation of a disaster planning and evacuation plan (Chew, 2013).
The last risk control strategy is risk financing and budgeting. According to research studies, one of the greatest risks that a business can face is financial risk. Risk financing and budgeting involve building financial reserves and purchasing business insurance cover. Financial reserves ensure that a company has adequate liquidity to cater for unexpected expenses, while business insurance protects the company from unexpected losses. Insurance is one of the most effective ways of transferring risk to another company (Quigley, 2008). Therefore, business insurance helps companies transfer risks to insurance companies instead of dealing with the risks directly. Whenever a company is developing a risk management plan, the risk financing and budgeting strategy ensures that money is allocated to cater for unexpected expenses. Additionally, the strategy leads an organization to cushion its assets and operations against unexpected losses (Chew, 2013).
References
Chew, D. (2013). Corporate Risk Management. New York: Columbia University Press.
Quigley, M. (2008). Encyclopedia of Information Ethics and Security. New York: Idea Group Inc (IGI).