Threat Assessment
Information security is a key issue to be considered in every organization. Having information security measures implemented in an organization does not by itself ensure that its information is protected. Nevertheless, having standards or policies for information security is simply the best start. This way, an organization has a way forward for studying the threats it faces or may face, and can then set the measures that will manage its systems securely. This paper shows the threats an organization is facing or may encounter and what measures can be implemented to safeguard the organization’s information systems.
According to Maiwald, information security comes from two words: information and security. Information is useful data collected and kept in communication systems like computers to be used for different purposes. Security, on the other hand, is protecting something from danger or threats (2004, p. 6). Therefore, the term information security is all about implementing measures that protect the organization’s data from any threat. These information security threats exist, and they can harm any information security system. It is an organization’s strategy that protects its information systems against them.
According to Straub, Goodman and Baskerville (2008), before attempting to implement any security measure, a strategy should be set. This process involves examining what values and purposes the organization has in terms of its external and private environment. Plans and goals should be set during this process. The process helps to find out what level of protection is available in the organization. The first task is carrying out an investigation of the information security system. The second task is determining what security measures to implement and whether they will be beneficial to the organization’s security if adopted. The third step is creating the formula for how to apply the security measures to the organization’s security system (p. 18).
Carrying out a thorough assessment of the threats, known as threat assessment, is essential in evaluating risks to the organization. This process helps establish what is happening in terms of information security. It yields information about the threats facing the organization’s information system, the security measures already implemented, possible threats and the way to improve security. That can mean creating additional security measures or simply improving what is there. Additionally, according to Straub et al. (2008), during the assessment process it is advisable to take into account the activities and security environment of the organization in order to implement security measures that comply with it. In terms of the security environment, an organization dealing with critical information will need a strong security policy (p. 24). This process is essential in that it helps in coming up with a complete program for the information security system.
According to Bonnette (2003), assessing threats involves examining the possible causes of threat and determining their chance and consequences to the information system. During this assessment, five types of evaluation can be done. The first is the system level, which examines the computer systems. The second is the network level, which examines the computer network. The third is the organization level, where the organization is thoroughly analyzed to find any possible threat within. The fourth is the audit policies and how the organization abides by them. The last is a test of the organization’s ability to respond if there is an intrusion. Threat analysis is extensive, and information vulnerability should be considered during the process. In essence, there is a relationship between risk, threats and information vulnerability. Risk is certainly a cause of threat acting on a vulnerable entity (p. 5).
Securing the information system means managing the risks. Therefore, it is essential to understand the risks in an organization’s information system. Failure to understand them may lead to misuse of resources. When a risk is identified, the value of the information and its system is also identified. This whole process is risk management (Maiwald, 2004, p. 135).
Risk management is critical in every organization in the digital era as each tries to protect information systems. According to Stoneburner, Goguen and Feringa (2002), risk management is critical in terms of a successful security program. The process should attempt not only to protect organizational information but also its ability to carry out its operations. This process is a critical function in the management of the organization (p. 7).
Maiwald (2004) defines risk as a chance to be attacked and, therefore, a need for protection. Vulnerability is the potential entity to be attacked. In an organization, this can be the computers, networks or organizational policies. Information transmitted over the network can also be accessed. Therefore, consideration should be given to all vulnerable entities and not just the computer systems. A threat, on the other hand, is an action that breaks the information system’s security. Threats can be described in terms of targets, agents or events. Targets are the entities vulnerable to the threat. Agents are the sources of the threat, while events are the actions that pose a threat (p. 134-135).
In most cases, agents of threats are people who want to exploit targets like confidentiality, integrity, accountability and availability. These agents have the ability to access the target, they have knowledge of the target, and they have a reason to access the target. Mostly, they can gain access to the target simply because they might have an account to get into the system, or they might get in indirectly. Sometimes, the agents may have knowledge of the target like passwords, file locations, network addresses, employee names and other useful information. These agents have three main reasons for getting into systems without authorization: greed, malicious intent, and the challenge of trying to prove something. An agent might be an employee, ex-employee, commercial rival, hacker, terrorist, customer, criminal, the general public or a natural disaster like an earthquake (Maiwald, 2004, p. 137-138).
Information can be tampered with in different ways. These include abuse of authorized access to the system, malicious or accidental alteration of information, unauthorized access, malicious or accidental destruction, malicious software, hardware and software theft, internal and external communication eavesdropping, and natural disasters. Threat plus vulnerability equals risk; therefore, risk is simply a combination of threats and vulnerable entities (Maiwald, 2004, p. 139).
Risk can be defined as low, medium or high. A low risk is where a vulnerability puts information at risk, but it is unlikely to happen since the control measures will prevent it. The next level is medium. Here, the threat poses a significant risk to the information system, and it is advisable to have controls to remove it. The third level is high. At the high level, the threat poses a serious danger to the information’s confidentiality, integrity, availability and accountability. Safety measures should be taken immediately to remove the threat. When trying to remove a threat within the system, take into account the consequences, for example, the costs of applying a corrective measure at that risk level (Maiwald, 2004, p. 139).
According to Maiwald (2004), identification of the risk involves identifying the threats and vulnerabilities. Measuring the risk level is also done to help in the security program, since it helps prioritize which risks to handle first. Identification of vulnerabilities is extremely important in order to determine the risk. This is done by checking all the access points to the system and information. Internet connections, remote, wireless and user access points, physical access to facilities and connections to the outside are the areas to check. This includes identifying how information is accessible through these access points and the possible vulnerabilities. The next step is identifying the threats. It is a complex task, but attempting to identify the specific and targeted threats will make it easier. Possible areas of breach into the security system should be examined, and security controls implemented to determine if the vulnerability exists. Countermeasures can be implemented, and they can include firewalls, anti-virus, access controls, badges, card readers, guards, encryption, intrusion detection systems, and two-factor verification systems. With all this determined, it is easy to determine the level of risk facing the security system of the organization. It will also help in measuring the risk. This is done by checking the cost incurred by the organization after the attack. The cost can be in terms of resources affected, loss to the organization, and the reputational damage caused by the attack (p. 139-147).
Whenever a threat assessment is carried out, according to Maiwald (2004), there are key areas to examine to find the security problems in an organization. They include: the network; physical security; the organization’s policies and protocols; employees and their awareness of security measures; the attitude of employees; precautions set in place; the organization’s business; and how employees comply with the rules and procedures (p. 154-160).
After all the information is gathered, the security team can analyze it and come up with better measures. According to Maiwald (2004), policies and procedures will be developed to define the expected state of information security within the organization. Policies and procedures are extremely valuable when it comes to security. If the organization already has them, then they should be updated. The policies are then implemented so that they take effect. A security reporting system can also be implemented to monitor and track whether policies are adhered to. Authentication systems should also be created to identify users before they use the system. Internet security measures like firewalls and virtual private networks are introduced to prevent threats related to the Internet. Intrusion detection systems should be deployed to alert in case of intruders, and security staff should be employed. Another key step is creating awareness among the staff and ensuring everyone is trained on conduct and use of the system. The final step is conducting an audit to ensure that the policies and controls are configured well (p. 160-168).
In conclusion, threat assessments are particularly important in any information security system of an organization. In most cases, they are never conducted well since many do not consider this process important. This leads to failure in information security. This procedure should be consistent within any organization because threats will always be there to attack the systems. The assessments should also be documented for future use.
References
Bonnette, C. A. (2003). Assessing Threats to Information Security in Financial Institutions. 5.
Straub, D. W., Goodman, S. E., & Baskerville, R. (2008). Information Security. Policy, Processes, and Practices, 18.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems. 7.
Maiwald, E. (2008). Fundamentals of Network Security. New York: McGraw Hill.