1. 3. Create a risk management plan and identify key areas of concern within the organization.
An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
Common threat sources:
Natural Threats – Floods, earthquakes, landslides, tornadoes and other such events.
Human Threats – Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
Environmental Threats – Long-term power failure, pollution, chemicals, liquid leakage.
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following ratings are used:
High - The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium - The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low - The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
We will identify risks pertaining to the group in 4 main areas:
1. Risk identification
2. Risk probability
3. Risk impact
4. Mitigation and/or corrective action
2. Risk Management Plan
Columns: Ref. No; Risk identification; Risk probability (X marked under High, Med or Low); Risk impact; Corrective actions.

Ref. 1 – Distributed system
Risk probability: X
Risk impact: Open to attack, resulting in system performance issues including failure, and loss, corruption or theft of data.
Corrective actions: Adequate firewall and security settings, different subnets, domain and group policy.

Ref. 2 – Data storage
Risk probability: X
Risk impact: Currently each site stores its own data sets and only a few sites have a proper backup facility (employee data, payroll, sales & marketing, production).
Corrective actions: Centralized servers with mirror backups; introduce user profiles limiting access and enforcing segregation of duties.

Ref. 3 – Disaster recovery
Risk probability: X
Risk impact: In the event of a data loss, the group is unable to recover and operate effectively.
Corrective actions: System backup and disaster recovery plan.

Ref. 4 – Software licensing
Risk probability: X
Risk impact: The group holds 4% of the export share in Sri Lanka; not being in line with the global standard in IS/IT is an impact to its reputation and competitiveness.
Corrective actions: Proper asset management. Obtain common licensing for software for the entire group.

Ref. 6 – Procurement
Risk probability: X
Risk impact: Each company purchases its own IT equipment, leading to compatibility issues and over-specified/under-specified machinery.
Corrective actions: Implementation of a centralized manager to oversee and control IT at the group.

Ref. 7 – Asset management
Risk probability: X
Risk impact: There is currently no facility to register or manage the IT assets.
Corrective actions: Purchase asset management software.

Ref. 8 – Continuity: different information sets stored, compatibility, version control and usability
Risk probability: X
Risk impact: No current standard within the business; no implementation of recognized best practices for IS systems.
Corrective actions: Identify best practice; centralized approach including data management and a centralized database.

Ref. 9 – Training
Risk probability: X
Risk impact: Different levels of IT awareness within the business (employees).
Corrective actions: Provide a standardized training approach.

Ref. 10 – Data accessibility
Risk probability: X
Risk impact: All employees have access to customer information (Data Protection Act).
Corrective actions: Introduce user profiles/levels of access pertaining to job role.

Ref. 11 – Infrastructure management (computers)
Risk probability: X
Risk impact: Long time taken to be back in operation after breakdowns.
Corrective actions: Emerge with branded products and reliable suppliers.
3. How Hayleys outlined the IT risk
Risk: IT Risk
Description: The group depends on accurate, timely information from key computer systems to enable decision making.
Mitigation:
* Implementation of sound IT policy throughout the group is supported by adequate systems and controls.
* A contingency plan is in place to mitigate the risk of IT failures.
* A central IT team is in place to support IT within the Group.
Rating: Moderate
Risks associated with information technology are assessed in the process of "Enterprise Risk Management". Use of licensed software (with Microsoft Corporation), closer monitoring of internet usage (for compliance with the group's IT use policy) and mail server operations, and the use of antivirus and firewall software are some of the practices in place in the group. The decision to change the group's communication system is another risk factor: it has some negative risk points, but the positive effect on both IT infrastructure (security, control) and cost is high.