GLOBAL FINANCE, INC. (GFI)
IT RISK ASSESSMENT PAPER
The risk assessment of Global Finance, Inc. identified vulnerabilities in three areas: technical security, management, and operations. Vulnerabilities at the company are weaknesses that could be exploited by one or more threats. All of these vulnerabilities can be mitigated by the recommended safeguards. These safeguards are security features and controls that, when added to the information technology environment, reduce the risk associated with the operation to manageable levels. A full discussion of the vulnerabilities and suggested safeguards follows in this report. If the safeguards suggested in this risk assessment are not applied, the outcome could be alteration or destruction of data, disclosure of sensitive information, or denial of service to the users who require the information on a recurring basis.
Risk Assessment Purpose
The goal of this risk assessment is to evaluate the adequacy of the Global Finance, Inc. network and its security. The assessment provides a structured, qualitative evaluation of the operational environment. It addresses sensitivity, threats, risks, vulnerabilities, and safeguards, and it recommends cost-effective safeguards to mitigate threats and the associated exploitable weaknesses.
Risk Assessment Scope
The scope of this risk assessment covered the system's use of controls and resources (planned or implemented) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to the Global Finance, Inc. system. This Risk Assessment Report evaluates confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information), and availability (loss of access to the system). The recommended security safeguards will allow management to make decisions regarding security-related initiatives.
Threats, vulnerabilities, and risks
For Global Finance, Inc. to achieve its mission and maintain its standing in the marketplace, three areas must be covered in this report: confidentiality, integrity, and availability. Any vulnerability that threatens one of these areas must be taken into consideration, and a control or safeguard must be created to protect that area from the vulnerability.
Loss of Administrative Control: Whether you sign an agreement to have another business perform the function of an entire department or a single task, you are turning control and management of that work over to another business.
Hidden Costs: The company will need to sign a contract with the outsourcing firm that covers the particulars of the service to be delivered. Anything not covered in the agreement becomes the basis for additional charges.
Threat to Confidentiality and Security: The lifeblood of any business is the information that keeps it running. If payroll or any other confidential information is transmitted to the outsourcing company, there is a risk that its confidentiality may be compromised.
Quality Problems: The outsourcing business is motivated by profit. Since the agreement fixes the price, the only way for the outsourcer to increase profit is to reduce expenses. As long as it meets the conditions of the agreement, you will pay. Furthermore, you lose the ability to respond quickly to changes in the business environment: the contract is very specific, and you will pay extra for changes.
Tied to the Financial Well-Being of Another Company: Since you are turning over part of your business operations to another corporation, you are now tied to the financial well-being of that corporation. It would not be the first time that an outsourcing company went bankrupt.
Another risk is the growth of Global Finance's business over the last several years. Because of this growth, considerably more manpower is needed; if the CEO reduces the Information Technology department by half, this will most likely overload the IT department, which in the end may cause the company to lose business. Remote-access workers already complain about network latency, and this delay has a large effect on their work and productivity.
It is clear that Global Finance, Inc. lacks many of the information security policies that guide workers to act properly in case of a disaster or threat. It has only two policies issued by executive management: a privacy policy and an acceptable use policy. The information security policy tells staff members the do's and don'ts, what they should do, what they must do, and what their everyday responsibilities are. A policy states what needs to be done; procedures define how to implement the policy. There are numerous supporting information security policies that can help secure the organization's systems, such as a physical security policy, data classification policy, control and audit policies, network and telephone administration policies, business continuity plans, password policy, disaster recovery policies, cyber incident response policy, and so on.
The absence of these policies can place the organization under threat, as has already happened when social engineering led to the computer system being hacked. Integrity is one of the areas that affects the company's security. Integrity is controlled through auditing and monitoring tools. Global Finance cannot produce an auditing policy to ensure its data integrity because it lacks the standards to audit against. Relying on a single layer of security is a risk, since penetrating that layer gives an attacker access to the company's information system. For instance, using magnetic cards to access very sensitive areas is a risk if the cards are stolen or damaged.
This affects the confidentiality of the company by allowing unauthorized persons into these areas, and it affects availability, since a lost or damaged card keeps an authorized person from entering the room. The same applies to remote access: relying on the password alone is a risk. We cannot confirm that the right person is using the PIN to make a remote connection to our system; what if an unauthorized individual has the password and uses it to access our network? This is especially true when the company has no password rules. People are also an asset of the company, and controls must be in place to protect employees and to keep the company from lawsuits that could destroy it. The fire protection system could harm employees working in the server room because the room is heavily sealed and people could easily get locked inside. Shutting down the company's systems without notice could cause many problems that damage the company's reputation, because employees have not saved their work properly, and it affects system availability, preventing salespeople from accessing the system.
Safeguards and controls
Security is usually defined as freedom from danger or as the condition of being safe. Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification, or destruction, and the protection of the computer system itself against unauthorized use, modification, or denial of service. Because some computer security controls hinder productivity, security is typically a compromise in which security practitioners, system users, and system operators work to reach an acceptable balance between productivity and security. Controls for providing information security can be technical, physical, or organizational.
Physical security is the use of locks, badges, security guards, alarms, and similar measures to control access to computers, related equipment (including utilities), and the processing facility itself. In addition, measures are required to protect computers, related equipment, and their contents from espionage, theft, and destruction or damage by accident, fire, or natural disaster (earthquakes and floods).
Technical security includes the use of safeguards built into computer operating or application software, hardware, communications software and hardware, and related devices. Technical controls are sometimes called logical controls. Personnel or administrative security consists of management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide a suitable level of protection for computing resources. Administrative controls also include procedures established to ensure that all personnel who have access to computing resources hold the necessary authorizations and appropriate security clearances.
Using all three types of control provides layers of protection, which ultimately increases security and makes the whole process easier to manage. For instance, to improve access security at the data center, rather than relying on swipe cards, which have already been stolen and lost, the company can use a passcode as a technical control and then establish a policy and procedure as an administrative control.
A lack of security in any one of these components will have some negative impact on the computing environment. If there is no policy in place, there can be no sound or organized management direction on how to protect the business, including its people, its operations, and its information. If there are no procedures and actions tied to the policy, application of the policy will depend on each individual's understanding of it, which will vary from person to person. If there is no physical security, administrative and logical controls can be easily bypassed without detection. The absence of environmental controls can bring down the enterprise and cause more damage than a malicious agent. If personnel security is insufficient, the probability of insider threat increases dramatically, and the impact may go unnoticed for a significant period of time.
The business growth reported over the past few years must be met with an improved system that can handle more remote users. Upgrading hardware and applications will resolve the delay users complain about and will help the company sustain its growth in the future. An employee is an asset of the company, and improving employees' qualifications will improve the company's performance and in the end support its growth. Outsourcing could solve some financial issues, but it will not necessarily take care of everything.
One major security control Global Finance, Inc. is missing is administrative control policies. The company has to establish the policies necessary to support its operations and accomplish its mission properly. Management must enforce its rules by doing two things. The first is security awareness training, a preventive measure that helps users recognize the benefits of security practices. If workers do not understand the need for the controls being enforced, they may sooner or later circumvent them and thereby weaken the security program or render it ineffective. Technical training can help staff avoid common security problems such as errors and omissions, and ensure they know how to make proper backups and how to detect and control viruses. Emergency training and fire drills for operations personnel can ensure that proper action is taken to keep such events from turning into disasters. The second is a rule that spells out the penalties for workers who ignore or fail to follow organizational policies.
At the same time, Global Finance lacks a disaster recovery plan, a document that sets out the procedures for emergency response, extended backup operations, and post-disaster recovery, which is needed in case a computer installation suffers a partial or total loss of physical facilities (or of access to such facilities) or of computing resources. The primary goal of this plan, used together with contingency plans, is to provide reasonable assurance that a computing installation can recover from disasters, continue to process critical applications in a degraded mode, and return to normal operation within a reasonable time frame. An important part of disaster recovery planning is to provide for processing at an alternate site while the original facility is unavailable.
Emergency and contingency plans establish recovery procedures that address specific threats. These plans help keep minor incidents from escalating into far worse disasters. For instance, a contingency plan might provide a set of procedures describing the conditions and the response needed to return a computing capability to normal operation. An emergency plan is needed because it specifies, for example, the process for shutting down equipment in the event of a fire or for evacuating a facility in the event of an earthquake.
Redundancy is the duplication of critical components or functions of a system in order to increase the system's reliability. The company should not have to shut down its systems and halt its business every time a hacking incident occurs. Global Finance needs to understand the importance of regular backups of the data it considers important, but to what extent does data need to be backed up in order to be safe? It is quite possible that someone, even an employee, could break into the system and steal the backups, which may hold hundreds of gigabytes of photo files, home videos, and documents from past computers. In some cases software information can be stolen, and unless Global Finance keeps the originals on its laptop together with a redundant offsite backup, it could lose all of that data. Global Finance's situation is not uncommon, and it is a perfect example of an often understated principle that every employee at the company should understand: Global Finance needs redundant backups.