
Assess Security Risk Management Options, Prepare Security Risk Management Plan, Implement Security Risk Management Plan (Security Guards) Essay Example


1. Establish the Context
Every organization faces threats, and security risk is among the most significant. Security risk covers facilities, hard-copy and soft-copy records, tools, equipment and personnel, and it is the organization's responsibility to anticipate and counter incidents and threats. This discussion critically examines the security risk management strategies of Book Express under four areas of work: pursue, prevent, protect and prepare. It evaluates how the company identifies and understands its risks by reference to the Australian standard for risk management, AS/NZS ISO 31000:2009.
1.1. Organization overview
Book Express is an Australian family-owned online bookseller offering an extensive range of titles, including science fiction, thrillers, fantasy, romance, horror and a large non-fiction catalogue, to a wide client base, and it handles its client communications by phone and email. It operates under the legislation, codes of practice and standards that apply to companies trading online in Australia. Its core functions are therefore to gather, store, share and use information, both internally and with clients. Of its several departments, the two most relevant here are IT and Records Management: IT manages the electronic records system, while Records Management handles content creation, storage, sharing and disposal. Book Express is headquartered in Wangara DC, Western Australia.
1.2. Book Express Description
Records Management is the central area through which knowledge is shared internally and with clients. Records are commissioned in a streamlined manner and held in a number of databases, where different types of data are integrated. The key technological infrastructure comprises workstations, servers, databases and software, operating alongside a paper-based recordkeeping system in a hybrid arrangement.

Most Book Express staff hold a diploma or degree in records management, ICT, IT or an equivalent field, which equips them to comply with the company's procedures, policies, guidance and training requirements.
Most Book Express functions are carried out on the ground and first floors of its facility, so that visitors and clients, including those with disabilities, have fast access to personnel, officers and services. Managerial and executive functions, board meetings and departmental meetings are held in offices on the upper floors. The largest risk Book Express has managed to date arose when it implemented an electronic records management system and supporting infrastructure to run its activities more effectively and efficiently.
1.3. Elements that affect the security risk management process in Book Express
To prevent impermissible use and disclosure, protected electronic information is safeguarded by appropriate technical measures. The HIPAA Security Rule (United States health-privacy legislation, used here only as a reference model for classifying controls, not as a legal obligation on an Australian company) groups implementation specifications into physical, technical and administrative safeguards (Dorsey 3). Physical safeguards are the physical measures, policies and procedures that protect the covered facilities and entities, electronic information systems, general equipment, premises and related buildings from unauthorized intrusion and from environmental and natural hazards.

  • Organizational requirements: an electronic records system carries substantial risk around the preservation and protection of records, including loss, misdirection and access by unauthorized persons.

  • Legislative requirements and regulations: the National Archives, through its Business Classification Scheme, regulates system upgrades so that client records are not compromised and the organization follows the set procedures and policies for handling records.

  • Occupational health and safety requirements and regulations: under the Occupational Safety and Health Act 1984, worker safety must be continuously reviewed and improved, particularly when new facilities are adopted (Matos 505).

  • Standards and codes of practice: staff are required to act with fairness, independence, respect for rights and honesty in handling documents, information and clients' rights.

  • Privacy and confidentiality requirements: documents are planned and classified by type, distinguishing those that may be shared across the organization from data that must remain confidential.

2. Establish Risk Evaluation Criteria

Evaluation criteria by area of impact (high, medium and low consequence where the criteria distinguish them):

Customer confidence / reputation risk

  • High: reputation irrevocably destroyed or damaged; loss of accreditation by the National Archives; more than 30% of customers lost through loss of confidence.

  • Medium: reputation damaged, with some effort and expense required for recovery; public violation of the Privacy Act (disclosure to a person, including within ACMA, without a need to know, or anyone revealing sensitive client information); 10 to 30% of customers lost through loss of confidence; clients driven to seek services elsewhere.

  • Low: reputation minimally affected, with little or no effort required for recovery; no change in accreditation; less than 10% of customers lost; non-public violation of the Privacy Act through disclosure to persons within Book Express (trusted agents).

Fines / legal penalties

  • High: claims and litigation of around $4 million arising from the duty of care owed over clients' information, company liability and failure to act ethically.

  • Medium: employee injuries and compensation; around $1 million in litigation, attorneys' fees and defence costs.

  • Low: less than $1 million to settle matters out of court and through conciliation.

Facilities

  • Crash of software and databases.

  • Loss of client data.

  • Recovery costs plus lost business time and profit amounting to $3 million.

  • Breakdown of equipment and machines through poor handling, break-ins or natural disasters such as earthquakes.

  • Human error arising from unregulated actions and failure to follow safety precautions when handling and navigating databases.

  • Upgrading of facilities due to dilapidation.

Finances

  • Limited cash flow following a drop in customers.

  • High company debt taken on to sustain operations and recurring costs.

  • Seasonal demand for materials (low seasons bring low cash flow).

  • Incomplete stock (galleries, articles and new materials).

  • Late payment of suppliers and distributors.

  • Lack of funds to implement technological facilities.

Life / health of staff

  • Death or critical injury from poor handling of facilities.

  • Loss of staff through disability caused by accidents.

  • Minor injuries with hospitalization and treatment costs.

  • Minor injuries with first-aid costs.

Productivity

  • Remuneration costs in low seasons relative to demand for resources.

  • Failure to meet quarterly targets for lack of required facilities, resources and expertise.

  • Poor organizational culture threatening the company's operations.

3. Identify Risks
3.1. Major assets

The assets at stake are client information, the databases and equipment that hold it, the staff who handle it, and the building itself. Without continuous training, staff may fail to apply the security safeguards; new staff in particular may not be fully aware of the practices and regulations governing personal information at Book Express. Inadequate safeguards may allow a break-in and the loss of important data. Workstations placed in easily accessible locations and not configured to lock the screen after a short idle period invite information theft. Hacking and other cyber security issues threaten information while it is stored, shared and disseminated to clients. The building is accessible to the public, so malicious persons can enter and leave with valuable equipment (Masri and Mahmoud 23).
3.2. Main threats

Fire caused by faulty electrical appliances or wiring is the main disaster that could affect both the building and the equipment. Natural disasters such as earthquakes, and terrorist attacks, could cause the building to collapse or compromise its structural soundness (Marchesini 2). Criminals could break in and leave with equipment holding valuable data that supports Book Express's key operations. Staff may fail to report misconduct, undermining the soundness of operations and client protection. Staff may also disclose client information and company strategy to competitors, eroding the company's economic advantage.
3.3. Vulnerability each asset has to each threat.

Fire, earthquake and terrorist attack can break, damage or destroy equipment and raise repair costs. Staff can disclose or share information in unacceptable ways, exposing the company to litigation and clients to harm (De Hert et al 438).
3.4. Five main security risks affecting the organization

  • Loss of personal information, lodged complaints, and loss of valuable equipment holding data

  • Unacceptable use and disclosure of personal information without client consent

  • Legal claims arising from mishandling of client information

  • External threats: terrorism, theft, break-in and cyber attack

  • Failure of information quality and security, where information collected or disclosed is incomplete, inaccurate or insecurely stored and so becomes accessible to unauthorized persons

3.5. Risk Register
(Dorsey 2)

Each risk and its implication (significance and likelihood are rated in section 4):

  • Staff failure to self-regulate against work and ethical policies and to deliver: inability to achieve targets; litigation.

  • Loss of facilities, software and databases with no process in place: slow delivery and delayed data entry.

  • Program unavailability: income shortfall; need for support from other parties.

  • Building/structural damage and refurbishment delay: working space unavailable; reputational risk.

  • Seasonal demand and staff failure to take opportunities: slower progress; increased operating costs and overheads.

4. Analyze and Evaluate Risks

4.1. Security measures the organization already uses to treat the risk, how effective they are, and whether they could be made better
Book Express's basic controls cover usage, security, devices, facility access and media. The first is to limit unauthorized physical access to the Book Express facilities that house electronic information and database systems: only authorized personnel are admitted. Contingency operations are supported by restrictions that prevent access to work areas and specify the appropriate use of facilities and access (Masri and Mahmoud 11).

Administrative safeguards comprise the actions, procedures and policies that govern the selection, development, implementation and maintenance of the security measures protecting electronic information.

Encryption encodes messages and stored information so that they cannot be read by anyone without the key. It protects confidentiality when data is intercepted in transit or a device is stolen, but it does not stop an attacker who obtains the key or compromises an authorized user's account, so key management and access control must accompany it (Lewko et al 63).

Book Express applies its Code of Ethics when staff fail to deliver or to act ethically. The Code requires staff to act fairly and honestly, respect client rights and maintain standards of work. It could be improved by spelling out specifics: standards for data collection, obtaining client consent, avoiding personal interests that could compromise fairness, and not using one's position irresponsibly.

Loss of facilities, software and databases with no process in place: the treatment is a contingency plan with data backed up at a separate facility. That facility should operate independently and be ready at all times, so that failure of the primary system causes no delay (Wand and Weber 204).

Program unavailability: Book Express uses a reliable web host that attends to IT issues in the shortest possible time. It could also retain two service providers so that operations continue if the web host's system fails.

Building/structural damage and refurbishment delay: Book Express has insured its structures and facilities with reliable insurers who can respond within the required time, and it has a subsidiary in Perth that can support some important operations. A further facility from which system support can be provided is recommended.

Seasonal demand and staff failure to take opportunities: Book Express takes on additional part-time staff in holiday seasons to serve clients. Part-time staff should be trained beforehand so that service is efficient.
4.2. Risk likelihood rating

Risks assessed for likelihood:

  • Staff failure to self-regulate against work and ethical policies and to deliver

  • Loss of facilities, software and databases with no process in place

  • Program unavailability

  • Building/structural damage and refurbishment delay

  • Seasonal demand and staff failure to take opportunities

4.3. Risk consequence rating

Consequence (significance) of each risk:

  • Staff failure to self-regulate against work and ethical policies and to deliver: inability to achieve targets; litigation

  • Loss of facilities, software and databases with no process in place: slow delivery and delayed data entry

  • Program unavailability: income shortfall; need for support from other parties

  • Building/structural damage and refurbishment delay: working space unavailable; reputational risk

  • Seasonal demand and staff failure to take opportunities: slower progress; increased operating costs and overheads

4.4. Overall risk level

Risks assessed for overall level (significance combined with likelihood):

  • Staff failure to self-regulate against work and ethical policies and to deliver

  • Loss of facilities, software and databases with no process in place

  • Program unavailability

  • Building/structural damage and refurbishment delay

  • Seasonal demand and staff failure to take opportunities

4.5. Acceptable or unacceptable risk

  • Staff failure to self-regulate against work and ethical policies and to deliver: Unacceptable

  • Loss of facilities, software and databases with no process in place: Unacceptable

  • Program unavailability: Acceptable

  • Building/structural damage and refurbishment delay: Unacceptable

  • Seasonal demand and staff failure to take opportunities: Acceptable

4.6. Risks ranked from greatest (top) to smallest (bottom)

  • Staff failure to self-regulate against work and ethical policies and to deliver: Unacceptable

  • Building/structural damage and refurbishment delay: Unacceptable

  • Loss of facilities, software and databases with no process in place: Unacceptable

  • Program unavailability: Acceptable

  • Seasonal demand and staff failure to take opportunities: Acceptable
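Sections 4.2 to 4.6 rate each risk's likelihood and consequence, combine the two into an overall level, compare that level against the acceptance criterion and rank the results. The following Python script is an added worked example of that procedure and is not part of the original essay. The five-point scales, the score bands, the acceptance rule and, in particular, the likelihood and consequence ratings assigned to each risk are assumptions chosen so that the output reproduces the acceptability and ordering given above; they are not ratings recorded in the essay.

```python
"""Worked risk-rating example for the analyse/evaluate steps (sections 4.2 to 4.6).

The likelihood and consequence ratings in RISK_REGISTER are ILLUSTRATIVE
ASSUMPTIONS chosen to reproduce the acceptability and ordering the essay
gives; they are not ratings from the source.
"""

# Five-point scales in the style of AS/NZS ISO 31000 risk matrices (assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Overall-level bands on the product of the two scores (1..25): the band
# applies to every score strictly below its upper bound.
LEVEL_BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (26, "Extreme")]

# Acceptance criterion (assumed): Low and Medium are tolerated; High and
# Extreme must be treated.
ACCEPTABLE_LEVELS = {"Low", "Medium"}

# Illustrative register: risk name -> (likelihood, consequence). Assumed values.
RISK_REGISTER = {
    "Staff failure to self-regulate against work and ethical policies": ("likely", "major"),
    "Building/structural damage and refurbishment delay": ("possible", "catastrophic"),
    "Loss of facilities, software and databases with no process in place": ("possible", "major"),
    "Program unavailability": ("possible", "moderate"),
    "Seasonal demand and staff failure to take opportunities": ("likely", "minor"),
}


def risk_score(likelihood, consequence):
    """Numeric score = likelihood x consequence; a KeyError flags an unknown rating word."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_level(score):
    """Map a numeric score to the overall level band (section 4.4)."""
    for upper, name in LEVEL_BANDS:
        if score < upper:
            return name
    raise ValueError(f"score out of range: {score}")


def evaluate(register):
    """Return [(risk, score, level, acceptable)] sorted greatest risk first.

    This is sections 4.5 (acceptability) and 4.6 (ranking) computed from the
    register rather than written out by hand.
    """
    rows = []
    for risk, (likelihood, consequence) in register.items():
        score = risk_score(likelihood, consequence)
        level = risk_level(score)
        rows.append((risk, score, level, level in ACCEPTABLE_LEVELS))
    # Sort by score descending; ties are broken by name so the order is deterministic.
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for risk, score, level, ok in evaluate(RISK_REGISTER):
        verdict = "Acceptable" if ok else "Unacceptable"
        print(f"{score:>2}  {level:<7} {verdict:<12} {risk}")
```

Running the script prints the ranked register. Because the matrix, the bands and the acceptance rule are data rather than hard-coded conclusions, changing any rating in RISK_REGISTER re-ranks the list and re-evaluates acceptability, which is what a review under section 9 would do when a treatment changes a risk's likelihood.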

5. Identify Treatment Options

Risk 1: Staff failure to self-regulate against work and ethical policies and to deliver

Book Express must fulfil its personal information protection responsibilities, and that depends heavily on the staff who interact directly with information and electronic documents. To keep trading online, staff must acknowledge and respect privacy rights and continuously review and improve their handling of personal information. Two approaches are proposed to control the risk of staff sharing or using information unethically. First, Book Express should adopt a formal policy that binds staff and third parties alike, including visitors and the technicians who repair and maintain equipment (Lewko et al 67). Staff must collect and use personal information only for the purpose for which it was collected and must never disclose an individual's information; when faced with a difficult case they should seek advice from seniors or decide as a team.

Second, third parties must be controlled when they handle information, chiefly in database management and access control. This is achieved through data protection measures, segregation and encryption wherever data is accessed by or passes through third parties. Sensitive data should be encrypted through a consistent mechanism under a defined standard. Every machine and database should log logins, configuration changes and access-control changes to a secure store, and administrators should review those logs to detect intrusions. Ethics, policies and procedures should be reinforced with sanctions for staff who act inappropriately (Masri and Mahmoud 21).
Risk 2: Building/structural and facility damage and refurbishment delay

A disaster response planning team should be in place, familiar with the facility layout and recovery options. Computer and information security should be maintained principally through an access control system, and the team should work closely with the recovery team so that all computer and electronic facilities are recovered.

Risk 3: Loss of facilities, software and databases with no process in place

Software audit is essential: a regular review and management programme should confirm that the system is fit for purpose and identify software and facility problems early so they can be treated. Where one system shows a pattern of failure, an alternative or a standby facility should be kept ready to take over. A clear reporting structure and a team to correct problems as they arise should also be in place (Boneh, Sahai, and Waters 264).

6. Assess and Select Treatment Options
6.1. Analysis and evaluation of each treatment option identified in Part 5

Training, together with a formal policy and the Code of Ethics, guides staff activities and habits so that they comply with the highest ethical standards, avoiding litigation and damage to the company's reputation. It also keeps Book Express's strategies out of competitors' reach, preserving competitive advantage, and it lays down the procedures and policies to follow, inducting new employees into the work culture.

Preventive action will save Book Express a great deal, because problems are solved before they escalate to the point of stopping operations. Facility refurbishment costs less when the service provider can be engaged without urgency. Risk preparedness means a team that has already identified the major problems, the response criteria and the routes to recovery, so that recovery is completed in the shortest possible time. Security personnel will also control movement within the premises and so reduce the damage from a terrorist attack. Continuous review of the system reduces the risk of system crashes, software malfunction and Book Express becoming unreachable to clients. Staff can work without interruption, improving productivity and continuity and saving the time, resources and money that a dysfunctional system would cost.
6.2. The best strategies for treating risk
Training: this should cover the staff who handle, share and disseminate data directly, the supporting staff and the risk response team. Because staff affect all day-to-day activities, they should be guided through continuous identification, understanding, diagnosis and creation of acceptable practices. Facilities, client information and security measures will then perform optimally, reducing incidents and accidents (De Hert et al 439).

The IT, technical and facilities teams should continuously review system function and refurbish and repair before major, costly and time-consuming damage occurs. The teams should report and document problems so that patterns can be identified and recurrence controlled.

7. Develop and Schedule Risk Treatment Action Plans
7.1. Risk treatment strategy: action plan

Risk treatment 1: training; encryption and standards; communication and operations management; information acquisition, development and maintenance; asset management and access control; data segregation and separation.

Expected effect:

  • Logical segregation of client data

  • Classification of clients and of sensitive data

  • Protection of data commensurate with risk and with the defined information classifications

  • Encryption of sensitive data through consistent mechanisms

  • Secure logs for the relevant computers, recording individual user activity and configuration changes

Resources:

  • Managers acting as internal consultants

  • External consultants: records management experts

  • Teams: peer working and departmental problem identification, brainstorming and solutions

  • Learning materials, brochures and pamphlets

  • Fortnightly meetings and departmental reviews

  • Workshop trainers

  • $3,000 per month for training costs and materials

Monitoring:

  • Confirm the items are delivered and understood by reviewing staff understanding

  • Review the use of the standards: encryption, application and management

Risk treatment 2: constant review and repair of facilities; specific teams for each facility (IT, technical and physical); documenting, reporting and identifying patterns of facility failure.

Expected effect:

  • Continuous audit

  • Internal and external review

  • Periodic review of higher-risk audit findings

  • Appropriate action taken when requested

  • Access to high-risk facilities strictly limited to key administrators

Resources:

  • IT expert workers

  • Expert technicians contracted in the city

  • Mechanical troubleshooters

Monitoring:

  • Review after one and a half months

  • Skilled staff to document and report issues and ensure reported issues are rectified

  • Teams report accordingly and provide reports after each review

7.2. Risk treatment schedule, using the information from Parts 6 and 7.1, showing when each action plan will be implemented and how it will be co-ordinated

  • Training: before, during and after data storage, sharing and dissemination; done internally by departmental managers.

  • Encryption and standards: on every existing computer, and on every new one before use; IT coordinators, with personal responsibility.

  • Communication and operations management: continuous reporting on the use of data; departmental managers.

  • Information acquisition, development and maintenance: departmental managers and external consultants.

  • Asset management and access control: executives and managers.

  • Data segregation and separation: during data storage; done by the personnel responsible.

  • Constant review and repair of facilities, with specific teams for each facility (IT, technical and physical): regularly, every one and a half months; IT managers.

  • Documenting, reporting and identifying patterns of facility failure: regularly, every one and a half months; skilled IT technician.

8. Develop Communications Strategy for Plan Implementation

Book Express's communication strategy begins by identifying a structure that supports continuity. Every department will be represented, giving two-way communication: from the bottom up before decisions are made and from the top down once they are set. Representatives will meet fortnightly to review departmental security issues and the corrective and management actions taken. When speaking to individuals about their responsibilities in security risk management, small groups will be used and collective tasks assigned. Ideas are developed together before questions are answered, and security issues are discussed continually, particularly in informal meetings and groups, so that colleagues evaluate one another's responsibilities and a security risk management culture forms. The process also involves listening to others and establishing the challenges and other barriers that make it hard for them to apply appropriate security risk management (De Hert et al 442).

It then becomes possible to gather information and engage others by asking probing questions to understand their views and skills, clarify issues and manage tensions. Resources, including materials, equipment and money, will be requested according to identified needs, the priority of their use in departmental operations, and the company's financial position and priorities. Short-run and long-run resource needs can then be separated. Tools will be applied so that, soon after acquisition, they address the identified deficiencies; resources are therefore requested incrementally and in order of importance (Boneh, Sahai, and Waters 270).

Security monitoring should be communicated to and implemented by teams, so that they understand its importance and cooperate in problem solving. Working in teams exposes the common barriers and loopholes, which in turn leads to common actions and strategies to address them effectively. A wide range of graphical and physical data can be used to diagnose problems, prioritize actions and help individuals work collectively.

9. Develop Monitoring and Review Strategy
One of the most effective ways of noting security risks is to review each staff member's activities and analyze the data management practices they adopt. Another is to monitor staff interaction with the databases and alert the administrator who manages the vital databases to anomalous activity. Audits should then follow the introduction of any new infrastructure or data management process. Evaluating a treatment strategy requires first setting the objective each treatment is to achieve and the process for attaining it. If the treatment delivers, the objectives of security risk management are met; if it falls short, the shortfall is identified by examining the effectiveness of each action taken, and the treatment is adjusted or replaced with a more effective one.

If a strategy fails, its nature should be examined and an alternative way of applying the same strategy considered. If that does not work, it can be complemented by another strategy that fills the gaps identified. When it is clear that it can neither be supplemented nor implemented differently, a new mechanism is selected to replace it. Large-scale change needs prior preparation, communication with all staff, education and training, and collaboration and partnership, so that the change is adopted and welcomed by all staff and efficiency is maintained. New security risks affecting the organization must be dealt with early by designing and implementing control mechanisms and improving them over time.
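Section 5 calls for every machine and database to log logins, configuration changes and access-control changes, and section 9 calls for monitoring staff interaction with the databases and alerting the administrator who manages them. The following Python script is an added example of that monitoring logic run over sample log lines; it is not part of the original essay and not Book Express's own tooling. The log line format, the usernames, the database names, the business-hours window, the bulk-read threshold and the sample log itself are all constructed assumptions.

```python
"""Audit-log review for the monitoring strategy (section 9) and the logging
standard of section 5: flag database activity an administrator should be
alerted to.  Added example; the log format, usernames, database names and
thresholds are constructed assumptions, not Book Express data.
"""
import re
from datetime import datetime

# Assumed log line format: ISO-8601 timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+db=(?P<db>\S+)\s+"
    r"action=(?P<action>\S+)\s+rows=(?P<rows>\d+)\s+src=(?P<src>\S+)$"
)

# Assumed monitoring policy: who may touch the client database, the business
# hours window, the bulk-read threshold, and which actions are configuration
# or access-control changes that must always be reviewed.
AUTHORIZED_CLIENT_DB_USERS = {"rm.clerk", "rm.lead", "dba"}
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time
BULK_ROW_THRESHOLD = 1000
CONFIG_ACTIONS = {"ALTER", "GRANT", "REVOKE", "DROP"}
SENSITIVE_DBS = {"clients"}


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    rec["rows"] = int(rec["rows"])
    return rec


def check_record(rec):
    """Apply the monitoring rules to one parsed record; return the list of alert reasons."""
    reasons = []
    if rec["db"] in SENSITIVE_DBS and rec["user"] not in AUTHORIZED_CLIENT_DB_USERS:
        reasons.append("unauthorized user on sensitive database")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("activity outside business hours")
    if rec["action"] == "SELECT" and rec["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk read of {rec['rows']} rows")
    if rec["action"] in CONFIG_ACTIONS:
        reasons.append(f"configuration change: {rec['action']}")
    return reasons


def review_log(lines):
    """Return [(line_number, user, reasons)] for every line needing an administrator's attention.

    Malformed lines are reported as well: a log entry that cannot be parsed is
    itself a monitoring failure and must not be skipped silently.
    """
    alerts = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            alerts.append((n, None, ["malformed log line"]))
            continue
        reasons = check_record(rec)
        if reasons:
            alerts.append((n, rec["user"], reasons))
    return alerts


# Constructed sample log (not real data).  Line 3 is a holiday temp pulling the
# whole client table at 02:13; line 4 is a legitimate but reviewable GRANT;
# line 5 is a truncated entry.
SAMPLE_LOG = """\
2014-05-20T09:15:02 user=rm.clerk db=clients action=SELECT rows=12 src=10.0.1.21
2014-05-20T09:16:40 user=rm.clerk db=catalogue action=UPDATE rows=1 src=10.0.1.21
2014-05-20T02:13:05 user=temp.holiday db=clients action=SELECT rows=5000 src=10.0.1.77
2014-05-20T11:02:11 user=dba db=clients action=GRANT rows=0 src=10.0.1.5
2014-05-20T11:05:00 user=dba db=clients rows=0
""".splitlines()


if __name__ == "__main__":
    for n, user, reasons in review_log(SAMPLE_LOG):
        print(f"line {n} user={user}: " + "; ".join(reasons))
```

The rules are deliberately simple so that each one maps to a statement in the plan: the authorized-user set is the access-control standard, the hours window and row threshold are the anomaly signals an administrator would want, and configuration changes are always surfaced because section 5 requires them to be logged and reviewed. In practice the policy constants would come from the data classification in section 7.1 rather than being hard-coded.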

10. Security Risk Management Plan
This security risk management plan for Book Express has been developed through critical analysis of the company's functions, to provide additional security for its growth, the management of its employees and its current and future security issues, and to give direction. Although Book Express has already launched security risk management strategies, it is experiencing greater-than-anticipated growth as client demand for its content rises. Research shows that there are many external and internal threats, even for its online competitors. The risks identified here, mishandling of information by staff, the soundness of facilities and threats to premises, can all affect Book Express. The processes adopted identify the risks and extend the treatment strategies with training, preventive action through facilities management and the provision of standby facilities. Book Express also plans to explore a number of further opportunities for security risk management. Together, these strategies set out the what, who, when, where, why and how of security risk management. A formal plan that secures additional financing from the organization will allow new activities to be expanded and launched. The online marketplace has been receptive to Book Express's content sales, and over the next few years Book Express can strengthen its security mechanisms by implementing new treatment strategies while securing and winning new clients.

Works Cited

Al-Masri, Eyhab, and Qusay H. Mahmoud. "Investigating Web Services on the World Wide Web." Proceedings of the 17th International Conference on World Wide Web. ACM, 2008.

Boneh, Dan, Amit Sahai, and Brent Waters. "Functional Encryption: Definitions and Challenges." Theory of Cryptography. Springer Berlin Heidelberg, 2011. 253-273.

De Hert, Paul, et al. "Legal Safeguards for Privacy and Data Protection in Ambient Intelligence." Personal and Ubiquitous Computing 13.6 (2009): 435-444.

Dorsey, Terrence. "10 Great Features in 10 Different OSes." Redmondmag.com, http://redmondmag.com/articles/2011/01/25/10. Retrieved 20 May 2014.

Lewko, Allison, et al. "Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption." Advances in Cryptology - EUROCRYPT 2010. Springer Berlin Heidelberg, 2010. 62-91.

Marchesini. "Types of Cloud Computing." Cloud Computing, 26 Mar. 2010, http://www.unc.edu. Retrieved 18 Jan. 2013.

Matos, Carlos. "Service Extraction from Legacy Systems." Graph Transformations. Springer Berlin Heidelberg, 2008. 505-507.

Wand, Yair, and Ron Weber. "On the Deep Structure of Information Systems." Information Systems Journal 5.3 (1995): 203-223.