Wednesday, December 11, 2019

Information System Risk Management of NSW Government

Question: Discuss about the Information System Risk Management of NSW Government.

Answer:

Introduction

In today's world each and every organization is exposed to different types of security threats and vulnerabilities which can affect its functionality in a negative manner (Alhawari, 2012). Therefore, it is important for organizations or governments like the NSW government to identify, understand and mitigate the risks and uncertainties that can affect their information systems. The following report discusses the different threats (deliberate and accidental) and risk concerns which can affect the information system. Moreover, a comparative analysis of the threats, a ranking of those threats, and the challenges faced by the NSW government while deciding on its approach to risk mitigation are also provided. In addition, the report describes the difference between risk and uncertainty and the approaches available to the NSW government to control and mitigate the risks.

Illustration of security risks and concerns of the Information system

Figure 1: Illustration of different security risks and concerns (Source: Created by author using MS Visio)

Explanation on the Diagram and Identify the Areas of Risk Exposure

Explanation on Diagram

Risk can be defined as a factor that can cause potential harm arising from some current practice. In the case of information systems, risk can be stated as the factors that lead to the failure of availability, confidentiality and integrity of the NSW government's information system (Frangopoulos, Eloff & Venter, 2013). As depicted in the above diagram, there are several risks to which the information system of the NSW government is exposed. These risks include both deliberate and accidental threats that can affect the functionality of the NSW government (Zeng & Skibniewski, 2013).

The deliberate threats include infection of the system with malware, espionage, data theft, unauthorized access to the NSW information system, denial of service, routing cache poisoning, routing table overflow, use of faulty software, errors in operating the information system, etc. On the other hand, the accidental threats and risks include accidental data disclosure, accidental alteration and modification of residual data, use of faulty software, data transmission errors, sabotage by employees, etc.

Malware infection: This risk takes into account the malicious software that can be used to intrude into the NSW information system (Peng, Peng & Chen, 2014).

Denial of service: This attack makes the information system unavailable to its intended users. The service may be interrupted temporarily or indefinitely.

Espionage: The NSW government depends on the information it gathers to make different decisions (McNeil, Frey & Embrechts, 2015). Obtaining information or data from its database which is not publicly available, by various technical means, is called espionage.

Accidental modification of the residual data: This occurs when the users of the information system do not have proper knowledge about the usage of the system (Zeng & Skibniewski, 2013). This lack of knowledge leads to the accidental disclosure of confidential data.

Data transmission errors: Due to improper use of the information system, confidential data residing in the NSW government's information system can be disclosed to an undesired person or organization (Frangopoulos, Eloff & Venter, 2013).

Use of faulty software: The use of faulty software in the information system makes it easy for intruders or hackers to get access to the NSW database (Alhawari, 2012). The hackers or intruders exploit the different loopholes of pirated or un-patched software.

Risk Exposures

| Threats | High | Medium | Medium-Low | Low |
|---|---|---|---|---|
| Deliberate | 1. DoS 2. Routing cache poisoning 3. Espionage | Intrusion through malicious website; unauthorized access to the government's information system | Use of pirated or un-patched software | Sabotage by the employees |
| Accidental | | | | 1. Operational errors 2. Data transmission error |

Comparison between deliberate and accidental threats and their ranking

Comparison of Deliberate and Accidental Threats

For the NSW government it is important to protect the data that resides inside its information system and that cannot be disclosed publicly, since disclosure may cause unrest in society. As the data is targeted by different individuals and organizations, the information system of the NSW government is exposed to different threats. The deliberate threats are mainly man-made and are intended to harm the information system by affecting its functionality or stealing the data residing inside it. Therefore these attacks may not be controlled by the NSW government, but preventive measures can be taken to protect against or minimize the effect of these threats (Zeng & Skibniewski, 2013). For example, it is observed that employees visiting malicious sites are unintentionally helping intruders to get into the organization's information system. On the contrary, the accidental threats are caused by the lack of awareness of the employees in the organization and hence can be controlled by providing proper training to the employees (Peng, Peng & Chen, 2014). For example, if the employees are advised to adopt proper control mechanisms for sending and receiving data, then the unintentional disclosure of data can be avoided. From the comparative analysis of deliberate and accidental threats it can be said that both are harmful to the information system of the NSW government (Galliers & Leidner, 2014), since they may disclose confidential data in the public domain or affect the functionality of the information system, which may interrupt its daily workings and the availability of the information system to its users (employees of the NSW government). The table below depicts the ranking of the different threats according to their impact and importance to the NSW government.

Rank of Threats in order of Importance

| Threat type | Impact of the threat | Rank of the Threat |
|---|---|---|
| Deliberate threats | The deliberate threats are mainly carried out by hackers to get control over the information system in order to alter or manipulate the data that resides inside it (Alhawari, 2012). In worse situations it is possible that the system or data becomes unavailable to its users as a result of the attack. | Very High |
| Accidental threats | In contrast to the deliberate attacks, if the information system is affected by an accidental threat caused by the lack of knowledge of an employee, then it is possible to restore the system to a previous state and retrieve all the data by using proper tools (Galliers & Leidner, 2014). Moreover, this threat can be controlled by providing appropriate training to the users of the information system. | Low |

Justification for ranking

The information system of the NSW government is exposed to both deliberate and accidental threats. The comparison between them shows that the effects can be minimized, and even the risks mitigated, if proper knowledge and assistance is given to the employees while using the information system (Frangopoulos, Eloff & Venter, 2013). Therefore the effect of the accidental threats can be controlled by the NSW government and hence it is ranked as medium. On the contrary, the deliberate threats or attacks are carried out intentionally by an intruder in order to get control over the system; in the worst case it may happen that the information system is hijacked and unavailable to the government and the users. Therefore it is almost impossible to control the attacks (Alhawari, 2012). Even though the effect of the attacks can be minimized, they cannot be totally prevented from occurring. Hence, the deliberate attacks are ranked Very High.

Possible Challenges that may be faced by NSW government

Several challenges can be faced by the NSW government while deciding on risk management (whether risk management for the information system is to be outsourced or managed internally). The possible challenges are discussed below.

Loss of control over the operations: Handing over the responsibility of managing the risks to another organization may cause the NSW government's users to lose control over the different day-to-day operations of the information system (Galliers & Leidner, 2014). It becomes worse if the organization and the NSW government have conflicting goals, attitudes and motivations.

Issue of trust: The issue of trust is another challenge that has to be faced by the NSW government. It has to be ensured that the external organization which has access to the government's systems is also protecting the integrity, confidentiality and availability of the government's data.

Lack of expertise: While outsourcing risk management of the information system, it is often difficult to find a third party which has proven expertise in the concerned field (Frangopoulos, Eloff & Venter, 2013). Hence, the future of the risk management becomes uncertain due to the third party's lack of expertise.

Difference between Risk and Uncertainty (Related to NSW government)

i) The risk of any threat or attack is about the probability of its occurrence to the information system of the NSW government. On the contrary, the uncertainty of a risk or threat is about the situation in which the future occurrences of the events are not known (Alhawari, 2012).

ii) The risk related to a particular threat can be measured. In contrast, uncertainty cannot be measured.

iii) The risks can be controlled by taking preventive measures. In contrast with risk, uncertainty cannot be controlled since the future events are not known (Galliers & Leidner, 2014).

iv) The probability of the risks can be calculated for the NSW government, but for uncertainty it cannot be calculated.

v) In the case of risk there is a finite number of variables that need to be considered, but in the case of uncertainty there are too many unknown variables that have to be considered when the outcome is to be calculated.

Evaluation of different available approaches for risk mitigation

To mitigate and control the threats and risks there are several approaches available to the NSW government. The approaches are discussed below.

Access control: It is possible for the organization to control physical access to the information system (Alhawari, 2012). By this measure the chances of sabotage and unintentional data modification can be mitigated.

Upgrading of infrastructure: For better risk management, it is required to upgrade the infrastructure of the information system so that the latest technologies can be incorporated to control access to the information system and to prevent intrusion through fake websites.

Prioritization of the operations: Since the NSW government is going to integrate a new risk management system to protect its information system, it has to prioritize the different operations to be completed (Frangopoulos, Eloff & Venter, 2013).

Conclusion

For better risk management of the information system, the different risks need to be identified and assessed properly so that they can be mitigated and controlled accordingly. To mitigate and control the risks in this connected world, awareness of the security risks must be raised among the employees. In addition, the government should monitor the use of the different data by the users so that misuse or unintentional disclosure of data can be avoided. Finally, standard practices for using the information system should be adopted by the users so that deliberate attacks can be controlled.

References

Alhawari, S., Karadsheh, L., Talet, A. N., & Mansour, E. (2012). Knowledge-based risk management framework for information technology project. International Journal of Information Management, 32(1), 50-65.

Axelrod, C. W. (2013, May). Managing the risks of cyber-physical systems. In Systems, Applications and Technology Conference (LISAT), 2013 IEEE Long Island (pp. 1-6). IEEE.

Frangopoulos, E. D., Eloff, M. M., & Venter, L. M. (2013). Psychosocial risks: Can their effects on the security of information systems really be ignored? Information Management & Computer Security, 21(1), 53-65.

Galliers, R. D., & Leidner, D. E. (2014). Strategic information management: challenges and strategies in managing information systems. Routledge.

Gibson, D. (2014). Managing risk in information systems. Jones & Bartlett Publishers.

Henriksen, E., Burkow, T. M., Johnsen, E., & Vognild, L. K. (2013). Privacy and information security risks in a technology platform for home-based chronic disease rehabilitation and education. BMC Medical Informatics and Decision Making, 13(1), 1.

Kutsch, E., Denyer, D., Hall, M., & Lee-Kelley, E. L. (2013). Does risk matter? Disengagement from risk management practices in information systems projects. European Journal of Information Systems, 22(6), 637-649.

Mayer, N., Aubert, J., Cholez, H., & Grandry, E. (2013, June). Sector-based improvement of the information security risk management process in the context of telecommunications regulation. In European Conference on Software Process Improvement (pp. 13-24). Springer Berlin Heidelberg.

McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools. Princeton University Press.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Peng, M., Peng, Y., & Chen, H. (2014). Post-seismic supply chain risk management: A system dynamics disruption analysis approach for inventory and logistics planning. Computers & Operations Research, 42, 14-24.

Qin, J., & Faber, M. H. (2012). Risk management of large RC structures within spatial information system. Computer-Aided Civil and Infrastructure Engineering, 27(6), 385-405.

Theoharidou, M., Papanikolaou, N., Pearson, S., & Gritzalis, D. (2013, December). Privacy risk, security, accountability in the cloud. In Cloud Computing Technology and Science (CloudCom), 2013 IEEE 5th International Conference on (Vol. 1, pp. 177-184). IEEE.

Yucel, G., Cebi, S., Hoege, B., & Ozok, A. F. (2012). A fuzzy risk assessment model for hospital information system implementation. Expert Systems with Applications, 39(1), 1211-1218.

Zeng, Y., & Skibniewski, M. J. (2013). Risk assessment for enterprise resource planning (ERP) system implementations: a fault tree analysis approach. Enterprise Information Systems, 7(3), 332-353.
