Sample Case Study on Information Security Management Systems Risks

Information Security Management Systems Risks

An information security risk can be defined as any event that could expose an organisation's assets or information to harm or danger. The NSW government is no exception: like any other government or organisation, it faces risks that could compromise its operations. Its digital information and digital information systems are at risk from growing cybercrime, hacking and piracy among them. This has prompted the NSW government to identify its current security risks and concerns, as set out below:

Confidentiality: This means limiting or preventing access by unauthorised bodies or individuals to confidential information or systems. Without this measure, they feel that their information may be leaked or shared with potentially harmful users. Their security operations could be exposed to adversaries who would use them against their interests. They are also keen not to expose their health operations and their research and inventions at will, so as to retain control over those inventions and that information. In the financial sector, like all other government agencies, they prefer not to publicise their financial condition and operations. A lack of confidentiality can lead to budget alteration and misappropriation not only of funds but also of resources and assets. In their case, confidentiality may be ranked as a high risk exposure.

Availability: They have put measures in place to ensure that information is accessible to authorised users when it is needed. Notably, availability of information to unauthorised users could threaten their operations, since the execution of intended missions or projects could become known in advance.

Exposure of their information to unauthorised users may lead to tampering with this crucial and confidential information. Careless leakage of their information to the public could also cost them the trust they enjoy from the public, tarnishing their well-regarded image (Flyvbjerg and Budzier 37-32). This kind of risk is categorised as a high risk exposure. Availability of information to authorised users, by contrast, helps intended missions to be executed properly and within set time limits.

Compliance: Generally, they treat this as the tendency to conform with or agree to their measures. They expect those entrusted with particular tasks to be well versed in them and to agree to the terms of service (Antunes 41-47). Compliance also ensures that the bodies which have access to information abide by the rules and regulations governing digital information and digital information systems. This promotes good governance and flow of information, since individuals take personal responsibility for whatever tasks are entrusted to them, and it raises the competency of those individuals. This risk is categorised as a medium-low risk exposure.

Integrity: A measure they weigh heavily, to ensure that their information is not altered by unauthorised users in a way that authorised users cannot detect. Alteration can lead to information being disseminated contrary to what was intended (Cortada 67-78). Integrity also supports the smooth running of their operations, since those entrusted with handling information and operations have passed an integrity test. They are keen to uphold integrity and ensure it is not compromised, since its consequences, corruption being the most notable, can lead to poor service delivery. Integrity is categorised as a low risk exposure.

Assurance: Meant to act in the utmost good faith and earn the people's trust that information about their welfare is indeed protected and kept confidential. It also boosts the morale of users and agencies, since they are guaranteed that their information is not exposed or vulnerable, and it ensures that information is used only for its intended purposes and not for other ends that could cause malicious damage to those affected. It further raises acceptance of their operations among the intended users and, more broadly, the public. Notably, assurance is categorised as a low risk exposure.

Awareness: Involves thoroughly informing users about how to minimise or curb security threats (Ross 21). This ensures that users are well versed and equal to the task of dealing with emerging security threats. Awareness also helps users keep in mind what is expected of them and how to respond appropriately in the event of an incident. It likewise leads the relevant bodies to trust the operations carried out by users, since awareness is built into their performance, and it reduces errors in executing or handling information that is meant to be confidential and critical. Awareness is rated a medium risk exposure.

Ethics: The condition in which participants are called upon to act professionally, diligently and respectfully. They are expected to project a good image, instil confidence and act professionally. Ethics also promotes the smooth flow of information between departments and agencies, and it minimises manipulation of information by trusted users who have the privilege of accessing vital and confidential documents and information (McGivern 23). It also promotes good working relationships between users. A lack of ethics may compromise both the running and the execution of government operations. Ethics is rated a medium risk exposure.

A threat is an assault on system security. An accidental threat is a scenario in which occurrences beyond human control cause malfunction or complete failure of systems or machines; the clearest examples are equipment failure and software failure. Deliberate threats, on the other hand, are intentional assaults on systems or machines, for example illegal processing of data, hacking and spying.

Threats are ranked as very important, important and not important. Among accidental threats, prevention of software failure is very important, while prevention of equipment failure is ranked as important. This is because software underlies all operations carried out in an organisation and acts as the nerve centre for handling, processing and executing commands. The importance of a strong software system is evident in mobile transaction agencies, which invest heavily in the security of their software applications. Likewise, among deliberate threats, prevention of illegal data processing, hacking and spying are all important, because when hacking or illegal data processing occurs, scrutiny of the data can reveal these errors. An instance of this kind of occurrence is the theft by hackers of approximately one billion dollars from institutions in twenty-five countries, including the United States of America; they managed to program and penetrate the institutions' computer systems and steal the money (Wallace par. 3).

A lack of goodwill on the part of operators may lead to leakage of confidential information, which may in turn cause more harm than good. Keeping this information confidential may prove a challenge for the government of NSW. Moreover, integrity may be compromised, allowing information to be altered by unauthorised persons without detection, which can lead to misuse of confidential information or manipulation of data. Some users given access to the information end up using it inappropriately, or even for selfish personal gain; in the case of non-compliance, poor tracking of transactions or records may result. The reason is that the NSW government would then be unable to secure system information and provide advice as required. Failure by the bodies concerned to respond to a threat may have unfriendly and devastating repercussions.

Risk is the potential that a given threat will exploit vulnerabilities of an asset or assets and consequently harm an organisation. It can be viewed as the probability that particular telecommunications will be exploited by a hostile entity. Risk assessment takes into consideration intention, probability, values, equity and consent. In evaluating risk, on the other hand, we consider the consequences of an event and also of that event not occurring. Risk response is of two main kinds, positive and negative. In the case of the NSW government, risk can arise when users are compromised and wrong data is entered maliciously, which may in turn bring unfriendly consequences, such as wrong planning or misjudgement of events, since incorrect results follow from wrong or inaccurate data entry. Risk can also be evaluated where users are given awareness of how the systems operate, and the probability that some may lack the goodwill to serve without leaking information cannot be ignored. These risks can in turn lead to negative responses. A negative response mostly entails avoiding, mitigating and transferring, as seen in the drop in the number of Americans using air travel in the aftermath of the 11 September 2001 terrorist attacks (Gigerenzer 286–287). A positive response, on the other hand, entails exploiting, enhancing and sharing.

Uncertainty refers to a situation of doubt, or the threat posed by unknown information that can harm an organisation: having limited knowledge of possible future outcomes that could threaten the organisation. Uncertainty has two broad attributes, subjective and objective, from which further attributes emerge that characterise the kind of uncertainty in a given scenario. These can be described as decision types: knowledge-guided, quasi-rational, rule-guided and intuition-guided. For the NSW government, uncertainty arises because there is no guarantee that the measures it has put in place surpass the knowledge or skills of its adversaries. The security of its systems is not certain, since hacking and other internet or system interference cannot be ruled out. Moreover, it is not certain that users will uphold integrity and observe compliance, since some may decide to quit or withdraw their services unceremoniously, which is indeed a setback for the NSW government. It is worth noting that uncertainty reflects incomplete knowledge and is mostly a probabilistic concept.

Risk mitigation provides guidelines that minimise internal and external threats to an institution or organisation. The NSW government should adopt policies and procedures that address most, if not all, of the key areas. IT operations should be a particular concern, since they broadly cover nearly all departments. NSW should also have well-established environmental controls, because an unfavourable environment that repeatedly causes disruptions may hinder the smooth and efficient operation of institutions; events such as power interruptions should be minimised, if not eliminated. Similarly, communication equipment in the IT sector should be separate from that of other operational departments. NSW should ensure that access to its IT department is very limited, to keep confidentiality at a high level. Management should go further and assess whether armed guards are suitable and whether they follow standard industry practice. Moreover, NSW should ensure that the database storing confidential information has a stronger control environment, and should set up an independent testing centre for maintaining data integrity. NSW management should also concentrate on providing data storage solutions that guarantee availability of data and that data is not lost; it would be advisable to back up data and store it at an off-site location so that it can be retrieved in case of data loss or similar eventualities. Lastly, management should make sure that media are disposed of appropriately or destroyed, so that there is no leakage of information. When disposing of media, they should bear in mind that disposal is somewhat tricky, since the information stored on media is not easily erased.
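The integrity concern raised earlier (that alteration by an unauthorised party must remain detectable by authorised users) and the backup and data-integrity testing recommended in the mitigation section can both be checked mechanically with a keyed integrity manifest. The following Python example is added here and is not part of the case study or of any NSW government system; the records, the record identifiers and the key are constructed for illustration. It computes an HMAC-SHA256 tag per record at backup time and later reports any record whose stored content no longer matches, including records that were added or removed. Because the tag is keyed, a party who alters the stored data cannot silently recompute a matching manifest, which is what distinguishes this check from a plain checksum.

```python
import hashlib
import hmac
import json

# Constructed sample records standing in for entries in a backed-up database.
RECORDS = {
    "budget-2015-q1": {"department": "Health", "allocation": 1250000},
    "budget-2015-q2": {"department": "Transport", "allocation": 980000},
}

# Hypothetical integrity key for the example; a real deployment would load it
# from a key store, never from source code.
INTEGRITY_KEY = b"example-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so equal content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(records: dict, key: bytes) -> dict:
    """Return {record_id: hex HMAC-SHA256 tag}, computed when the backup is taken."""
    return {
        rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        for rid, rec in records.items()
    }


def verify(records: dict, manifest: dict, key: bytes) -> list:
    """Return the sorted ids of records that fail the integrity check.

    A record fails if its content no longer matches its tag, if it is present
    in the manifest but missing from the data, or if it appears in the data
    without a manifest entry.
    """
    failures = []
    for rid in set(records) | set(manifest):
        if rid not in records or rid not in manifest:
            failures.append(rid)
            continue
        actual = hmac.new(key, canonical(records[rid]), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(manifest[rid], actual):
            failures.append(rid)
    return sorted(failures)


def demo() -> dict:
    """Run the three scenarios a practitioner would want to see and return the findings."""
    manifest = build_manifest(RECORDS, INTEGRITY_KEY)

    # 1. Untouched backup: nothing reported.
    clean = verify(RECORDS, manifest, INTEGRITY_KEY)

    # 2. One record altered in the stored copy: that record is reported.
    tampered = json.loads(json.dumps(RECORDS))
    tampered["budget-2015-q1"]["allocation"] = 2250000
    detected = verify(tampered, manifest, INTEGRITY_KEY)

    # 3. The alterer also rewrites the manifest, but without the real key:
    #    every tag mismatches, so the substitution is still caught.
    forged_manifest = build_manifest(tampered, b"wrong-key")
    forged = verify(tampered, forged_manifest, INTEGRITY_KEY)

    # 4. A record deleted from the stored copy is reported as missing.
    missing = dict(RECORDS)
    del missing["budget-2015-q2"]
    deleted = verify(missing, manifest, INTEGRITY_KEY)

    return {
        "clean": clean,
        "detected": detected,
        "forged_manifest_detected": forged,
        "deleted": deleted,
    }


if __name__ == "__main__":
    for scenario, failures in demo().items():
        print(f"{scenario}: {failures or 'ok'}")
```

The manifest should be stored separately from the backup it describes (for instance alongside the off-site copy but under different access controls), and the key kept only where verification is performed; otherwise whoever can alter the data can also rebuild the manifest.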

Works Cited

Antunes, Ricardo, and Vicente Gonzalez. "A Production Model for Construction: A Theoretical Framework." Buildings 5.1 (3 March 2015): 209–228.

Flyvbjerg, Bent, and Alexander Budzier. "Why Your IT Project May Be Riskier Than You Think." Harvard Business Review, 2011.

Cortada, James W. The Digital Hand: How Computers Changed the Work of American Manufacturing, Transportation, and Retail Industries. New York: Oxford University Press, 2003.

Gigerenzer, Gerd. "Dread Risk, September 11, and Fatal Traffic Accidents." Psychological Science 15.4 (2004): 286–287. Available at

McGivern, Gerry, and Michael D. Fischer. "Reactivity and Reactions to Regulatory Transparency in Medicine, Psychotherapy and Counselling." Social Science & Medicine (1 February 2012).

Anderson, Ross J. Security Engineering: A Guide to Building Dependable Distributed Systems. 2nd ed. Hoboken, NJ: Wiley, 2008. p. 1040, Chapter 2.