This paper analyzed the security measures and risk assessment strategies which are required which are required and should be followed by organizations for future strategic planning. For the most part there are two basic approaches of RA approaches: quantitative RA and subjective RA. The quantitative RA is a target investigation of the hazard that utilization numerical information. Then again, the subjective RA is an abstract assessment dependent on judgment and encounters which does not work on numerical information. It is hard to direct a simply quantitative RA technique, on account of the trouble to appreciate numerical information alone without an abstract clarification.
Nonetheless, the subjective RA does not really request the objectivity of the dangers, despite the fact that it is conceivable to direct RA that is simply subjective in nature. Whenever actualized in storehouses, the restrictions of both quantitative and subjective techniques may expand the probability of immediate and circuitous misfortunes of an association. This paper recommends a consolidated RA model from both quantitative and subjective RA strategies to be utilized for surveying data security dangers.
So as to translate and apply the model, a model of RA for data security dangers will be created. This model will be assessed by data security chance administration specialists from the business. Criticism from the specialists will be utilized to improve the proposed RA model. The usage of a proper model guarantees a fruitful RA strategy and avert the association from the regular and causal dangers that are identified with verifying data resources.Introduction Risk Assessment is the process of identifying the loopholes and threats or vulnerabilities that can exist in a networked organization. Currently as the credit unions are merged and which have over 5000 members, 1000 virtual servers and 10 physical servers based in three regional centers located at Seattle, Los Angeles and Atlanta. In order to maintain the business operations normally and secure the data of the organization, our company needs to perform risk assessment for potential impact on the organization.We will be moving ahead with the below plan, Identify the risks and hazards that can cause harm to the company and its functional services. Assess the risks identified and prioritize the risks based on their impact and importance. Record each findings and then design a plan to mitigate the threats identified. Review the plans developed and make any updates as required. Risk Assessment In the given scenario, risks can exist in the physical security of the regional centers, the network plan developed or designed for the centers, the rules existing in the firewalls, the systems and servers in which sensitive data relating to business operations exist. The key risks that can be identified in this case will be, Applications, software’s and tools installed in the systems used by employees. Backup plan for all the 10 physical servers and all virtual servers hosted. Operating systems and their versions on the computers. Sever configuration and access control configured. Physical security of the company premises. All the backup plans and location of backups. Fire mitigation strategies adopted. Contract and expiry agreements conditions. Firewall and network configuration.Risk Mitigation Plan Based on the list of threats identified a plan has to be developed by prioritizing the risks based on their impact. A cyber threat is possible due to lack of proper networking and firewall implementation. A firewall has to be setup as the gateway to the network and this packets flowing in an out the network have to be monitored for preventing any type of intrusions. Another loophole that can give hackers a chance to penetrate into the network and steal organization’s data is the software, tools and operating systems used in the company. The operating systems have to be updated regularly and should be security compliance to ensure that the loopholes or vulnerabilities in the operating system do not give chance to hack. Later the applications in the systems have to be checked and any unused of suspicious applications found have to be removed from the system to eliminate risk. Amanda Dcosta (2018) states that, Risks are unknown events that are inherently neutral. They can be characterized as either positive or negative. Unfortunately, a lot of time and energy is spent handling negative project risks, or threats rather than positive risks, or opportunities. No organization should overlook the chance to benefit from any opportunities that present themselves. The other risk that can cause chance of a cyber-attack is the loopholes in the network security policy and employees working for the company. When security policies are not properly designed employees tend to use the devices and network for personal use and this can bring risk of phishing attacks and malware attacks. Most of the companies fail to ensure that the employees work as per the guidelines and policies of the company. This brings the risk of internal attack and can be hard to detect. So, plan has to be developed to eliminate any kind of internal risks due to security loopholes in the policies. Further monitoring activities of employees would help in having better security for the network. The risk assessment for credit unions will depend of the services and products offered by the companies. As per the given scenario risk assessments have to be done with the following in mind. Financial risk assessment Disaster recovery risk assessment IT security risk assessment Market based risk assessments. So, conducting risk assessment, developing a plan of action, designing the business continuity plan and disaster recovery plan, testing the plan and updating the plan, training the employees on the plans and policies, maintaining services and monitoring are the key steps to be taken for better functioning of the business. This is a cyclic process and has to be done regularly. Besides these plans it is also important to analyze the fire safety measures and deploy better access control systems for preventing unauthorized access to the devices and premises of the data servers. When network security and physical security are addressed properly proration of assets becomes easy and effective. Conducting fire drills and training employees on the steps to be followed in case of an emergency will help in easy implementation of the plan during a crisis. Acts & Laws Currently this is followed by the below laws and acts which would allow the company to operate maintain and follow all the regulations which would help in regulatory oversight. Also some of the states can have their own credit union laws. National Credit Union Administration (NCUA) Federal Credit Union ActBusiness Impact Analysis The key services of the company are dependent on the physical servers and the data contained in them. The process of using virtual servers will help in load balancing and can help in easy maintenance of business services. If the data on these servers is loss of is breached, the functionality may get affected. We also need to analyze the risk of fire and any other natural disasters that can show impact on the business services. As the key services of the company get effected, clients and users will not be able to access the services they need and this can cause problems to the financial operations of the company. To eliminate this risk, we need to develop a disaster recovery plan and business continuity plan so that market value and reputation are not impacted. When we develop a plan based on the impact analysis, we get to know the key services and the data that has to be protected from risk. John Leo Weber (2019) states that, Scenarios that could potentially cause losses to the business are identified. These can include suppliers not delivering, delays in service, etc. The list of possibilities is long, but it’s key to explore them thoroughly in order to best assess risk. It is by identifying and evaluating these potential risk scenarios that a business can come up with a plan of investment for recovery and mitigation strategies, along with outright prevention. In the process of conducting business impact analysis, we gather information about the key assets and then develop an executive summary. Then we define the scope and objectives of the plan by which acceptable downtime, cost of recovery, recovery point objective and tolerable level of loss.Business Continuity Plan Business continuity plan is the plan designed to keep the key services of the company running even in case of a disaster or cyber-attack or power outage. Disasters can be natural calamities of errors made by human. The plan helps in protection of assets, data and data backups. Having backups will help in easy restoration of services and will keep up the reputation of the company. In the given scenario, we need to understand that the servers have some key data and the virtual severs have the replicated data in these servers to enable efficient services. This data stored on the servers has to be backed up and has to be preserved by the company to enable easy implementation of plan during an emergency. As the company has key operations at 3 cities in the country, it becomes easy to restore the services in case one of the city gets affected. If all the cities are affected due to some unknown problem or disaster, they need to have an alternate site which can help them in setting up the systems and data servers to ensure easy restoration of data and services. They can either develop a site with all the facilities or with basic facilities so that they can transport some of the employees to the alternate site and start the services within the recovery point objective set by the company. The key assets of the company are people working in the company, communication services, any kind of technology services related to the operations of the company. Disaster Recovery Plan Disaster recovery plan is a part business continuity plan which helps in restoring the primary affected area of the organization. The key elements of this plan are, Communication Role Assignment Assets Inventory Service Restoration Organizations will need to develop contact list of all the employees working in the company along with the service vendors and infrastructure vendors. This will help in communicating the plan to the employees of the company and will also help in checking if everyone is present at the safe assembly point during an emergency. The vendors and service contacts will help purchasing the key infrastructure and equipment needed for the company. Entech (2018) states that, “When it comes to a disaster, communication is of the essence. A plan is essential because it puts all employees on the same page and ensures clearly outlines all communication. Documents should have all updated employee contact information and employees should understand exactly what their role is in the days following the disaster. Role assignment is the next important part of disaster recovery plan. As per the plan, employees are to be given specific roles based on which they need to participate in the restoration of services in the affected area. We need to include a crisis management coordinator, business continuity expert, assessment and recovery team, IT experts, network and system administrators as a part of this special team. It is better to gain input for the advisors during the initial stage of plan. This will help in understanding the affected business processes that are affected and the recovery steps that are to be followed to restore the services. Ed Tittel (2009) states that, With the amount of standards surrounding business continuity (BC) and disaster recovery (DR), the roles personnel play in planning need to be established. Computer Security Incident Response Team This team is a special team with set of IT experts having knowledge on cyber security and cyber-attacks. They help in handling the unexpected cyber-attacks or security breaches with their knowledge and capability. They need to be good decision makers and must be skilled enough to handle the cyber-attacks. Peter Sullivan (2019) states that, “Once an incident report has been received, the CSIRT must analyze the report to validate that an incident, or other type of activity that falls under the CSIRT mission, has occurred. They then must determine if they understand the report and the incident well enough to create an initial response strategy that fulfills the goal of regaining control and minimizing damage. They need to gather the data relating to the attack and the risk or impact that can be caused by an attack based on which the vulnerability identified can be fixed so that future attacks are mitigated. The team must comprise of the following people, Team leader for coordinating the team activity and has to focus on minimizing the damage. Lead investigator for collecting data needed for analyzing the root cause and then directs the team of security analysts for service recovery. Communication lead for coordinating all the messages and information from employees of the company. Documentation lead for documenting the activities and investigations for each incident.ConclusionHaving a team of experts and dividing them into teams, allocating them with roles and responsibilities will help in easy implementation of plans and will also help in restoring the key services of the company in case of an emergency. The plans developed are to be stored securely and each of the risk and risk assessments, the steps taken for mitigation of threats are to be stored safely for helping the organization in having a reference for future use.