Security Risk Assessment

Abstract

A better understanding of, and approach to, security issues requires knowledge of the critical computer resources. These resources fall into two categories: infrastructure and data. The infrastructure group consists of networks, purchased software, and the computer itself, while the data group consists of user-created documents and files, in-house-developed software, and customization. Nearly all of the daily activities of users and administrators add value to the computer system, so the value of the data exceeds that of the computer by a large margin; this explains the need for a security assessment of any possible threats to the network information. The assessment therefore identifies the security issues, including network and authentication issues, concerning GAI. Since the company offers sensitive services, it is important to identify the areas made vulnerable by a compromised network. Asymmetric-key cryptography provides both a private and a public key; the private key makes the owner the only person authorized to access the information, preventing others from accessing the entity's secrets. Network accessibility also proves essential to any operation in the organization.

 

Quantitative Security Risk Assessment

The availability of computers has increased the rate at which people process data into information. Individuals and organizations find both the hardware and the software components of a computer vital, and they run different activities that require different approaches to the computer application. For the qualitative security risk assessment, however, the software component plays a significant role. Concerning security matters, therefore, computer security theory and practice considers such aspects as availability, integrity, and confidentiality. Everyone who inputs data into a computer expects it to remain secure and to be retrievable whenever they want it. However, they must accept that threats exist which, if not handled with caution, can lead to data corruption as a result of malicious action. It follows from such observations that quantitative security risk assessment becomes imperative. Thus, a better understanding of, and approach to, security issues requires knowledge of the critical computer resources. These resources fall into two categories: infrastructure and data. The infrastructure group consists of networks, purchased software, and the computer itself, while the data group consists of user-created documents and files, in-house-developed software, and customization. Nearly all of the daily activities of users and administrators add value to the computer system, so the value of the data exceeds that of the computer by a large margin; this explains the need for a security assessment of any possible threats to the network information. Pragmatically, some computer data are irreplaceable and others are sensitive, so their exposure compromises many issues. The quantitative risk assessment should therefore use numerical approaches to evaluate the degree of vulnerability of any data in the computer system.

Apparently, the loss of such data to any possible threat risks exposing organizational information to external parties, including competitors. Therefore, the paper explores the best quantitative approaches to security risk assessment regarding the status of Global Asset, Inc. (GAI).

Background

Global Asset, Inc. (GAI) is a financial company that manages various accounts in different areas of the globe. Its principal geographical areas are Canada, Mexico, and the United States. This public company trades on the NYSE and specializes in financial management, loan application, and wholesale loan processing. Other areas of specialization include investment and money management for its customers. Currently, the company has 1600 employees who possess the requisite professional competence, thereby ensuring the provision of quality services to the customers. Moreover, the nature of its workforce has guaranteed its consistent growth over an extended period. The company has kept pace with S&P averages, which are approximately 8%, for nearly six years. Furthermore, the company integrates information technology with the aim of boosting its activities. Its use of automation and technological innovation has ensured its high ranking among other organizations. These approaches provide the entity with a management strategy founded on enhancing operational performance. Moreover, the company's management team consists of individuals with a high level of competency. They include John Thompson (CEO), Elway, Julie Anderson, Kim Johnson, and Michelle Wang. Others include Ron Johnson (CFO), Mike Willy (COO), Andy Murphy (CCO), John King, and Ted Young. This team ensures that the organizational programs run effectively and efficiently so that clients are satisfied with the services. The commitment of these personnel is the main reason for the consistent progress of this financial company over many years. Therefore, the continued ability of this body of staff to engage in activities relevant to its success explains the company's status quo.

Purpose

GAI, like many organizations, has integrated IT with the aim of enhancing its operations. However, it is not immune to the imminent security threats that emanate from different malicious practices. As a result, the paper highlights the security risk assessment, especially its quantitative aspect, regarding the GAI Company. It estimates the quantitative risk related to IT security threats and the level of vulnerability of GAI's operations to such possible malpractices. Furthermore, the paper analyzes the IT processes and infrastructure in this organization with the aim of establishing the grounds for mitigating the situation. The outcome of the security assessment will provide different solutions to the existing information technology security threats in the organization. It recognizes that such vulnerabilities and threats remain risky to the organization's confidentiality, availability, and integrity. Moreover, they prove dangerous to the IT and to the entity's strategic capability. Therefore, the security risk assessment aims to perform the following tasks to ascertain the company's security condition and offer mitigations for the identified threats and vulnerabilities.

The identification and the description of the organizational authentication technology and network security issues.

  1. Making a list of the existing access points, both internal and external (remote).
  2. Designing a secure authentication technology and network security for GAI.
  3. Making assumptions for any unknown facts.
  4. Listing all known vulnerabilities identifiable in this environment and addressing them by proposing a new design. This section entails using a combination of technologies to harden the authentication process and network security measures.
  5. Addressing the CEO's concern regarding mobility security and designing secure mobile computing to mitigate the condition. The design should consider authentication technology and data protection.
  6. Finally, the security assessment aims to identify the wireless vulnerabilities. More so, it seeks to provide recommendations regarding what to implement concerning safeguards, authentication technologies, and network security to protect data.

Security Risk Assessment

The need to perform a security assessment proves vital to the GAI Company, since it offers the chance to identify potential vulnerabilities and hence prevent their exploitation. A company like Global Asset, Inc. (GAI) handles sensitive data that requires proper security measures to prevent any malicious acts. The process ensures that the company retains its integrity, confidentiality, and availability. Handling financial operations is sensitive and hence requires strong security measures. The only way to mitigate the situation is by continuously performing security assessments, to prevent rather than waiting to cure. This process also helps in tracking financial security-related threats, which proves useful in performing trend analysis concerning their degree of impact. Therefore, the activity proves relevant to this company if it is to secure its operations and remain a going concern.


Authentication Technology and Network Security Issues

Authentication Technology. This IT concept proves imperative in running organizations like GAI. The technique refers to the process by which an IT system demands identification of the user before granting access to the required information. GAI must ensure a strong authentication process if it is to bar unauthorized individuals from accessing the information. For instance, the use of strong passwords is one way of denying other people access to sensitive documents. Furthermore, understanding the organization's authentication technology requires one to identify and assess the asymmetric and symmetric keys in any system. Symmetric-key algorithms use the same cryptographic key for the encryption of the plaintext and the decryption of the ciphertext. An asymmetric-key system, on the other hand, uses a pair of keys: a public key that remains available to others and a private key that only the owner knows. The asymmetric key proves more flexible than the symmetric one and is therefore advisable for use in organizations. For instance, a PKI serves to keep the certification of public keys up to date and to authorize them when necessary. PGP also uses a trust scheme that generates two keys for the user: it stores the public key so that everyone can access it, but keeps the private key confidential to the owner. For the GAI Company, inadequate application and monitoring of asymmetric keys provides a possible reason for the frequent cyber-attacks and other vulnerabilities. As a control measure, the organization should ensure that no one else accesses the private key information, since such people could engage in insider dealing as a result of a conflict of interest. Any leakage of such information, especially financial information, can prove detrimental to the entity. Therefore, the entity must ensure proper implementation of asymmetric keys if it is to remain immune to such attacks. Moreover, this authentication technology promotes accountability and integrity, since only those with the key can access the data. For example, issuing a private key avoids blaming other individuals and ensures that the authorized employee remains the only person responsible for any malpractice. Thus, the person is likely to keep the key secret from others to avoid any possibility of their accessing the company's private information. The significance of such behavior lies in its ability to prevent information leakage and ensure that information reaches the intended recipients only. Other authentication methods available to companies include IPsec authentication, Single Sign-On, Password Authentication Protocol, and Microsoft CHAP, among others.
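The distinction drawn above between symmetric and asymmetric keys, and the accountability argument for private keys, can be made concrete in a few lines of code. The following is an added illustration, not part of the original paper and not GAI's own system: the symmetric function shows that one shared key does both directions, and the textbook RSA functions (constructed tiny primes 61 and 53, no padding, never to be used as a real cipher) show that the public key encrypts and verifies while only the private key decrypts and signs.

```python
"""Symmetric versus asymmetric keys: an added illustration of the concepts
in the Authentication Technology section above. Parameters are textbook
values chosen so the arithmetic is visible; this is not a production cipher."""
import hashlib
from typing import Tuple

KeyPair = Tuple[Tuple[int, int], Tuple[int, int]]


def symmetric_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric scheme: the SAME key both encrypts and decrypts.

    A keystream is derived from the shared key with SHA-256 and XORed over
    the data; applying the function twice with the same key restores the
    plaintext, and any other key does not.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed textbook primes (assumption for illustration): n = 61 * 53 = 3233.
P, Q, E = 61, 53, 17


def rsa_keygen(p: int = P, q: int = Q, e: int = E) -> KeyPair:
    """Return ((n, e) public key, (n, d) private key).

    d is the modular inverse of e modulo phi(n); only the holder of d can
    decrypt or sign, which is the accountability property the text relies on.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # Python 3.8+ modular inverse
    return (n, e), (n, d)


def rsa_encrypt(m: int, public: Tuple[int, int]) -> int:
    """Anyone holding the public key can encrypt for the key owner."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private: Tuple[int, int]) -> int:
    """Only the private key recovers the plaintext."""
    n, d = private
    return pow(c, d, n)


def rsa_sign(m: int, private: Tuple[int, int]) -> int:
    """Signing uses the private key, so a valid signature ties the action
    to the single authorized key holder."""
    n, d = private
    return pow(m, d, n)


def rsa_verify(m: int, sig: int, public: Tuple[int, int]) -> bool:
    """Verification needs only the public key, so anyone can check it."""
    n, e = public
    return pow(sig, e, n) == m


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    c = rsa_encrypt(65, pub)
    print("ciphertext", c, "decrypts to", rsa_decrypt(c, priv))
    print("signature verifies:", rsa_verify(65, rsa_sign(65, priv), pub))
    msg = b"constructed sample record"
    print(symmetric_xor(symmetric_xor(msg, b"shared"), b"shared") == msg)
```

With these parameters the public key is (3233, 17) and the private key is (3233, 2753); the message 65 encrypts to 2790. The point for GAI's controls is visible in the code: the public key may be published freely, while exposure of d gives the holder both the ability to read and the ability to sign on the owner's behalf.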

Network Security Issues. The organization operates a WAN spanning 10 remote facilities. It connects the premises to the central data processing environment. Data transmission in the system takes place through a VPN appliance situated at the border layer of the routing topology. The data comes from a remote site before reaching the VPN. The remote VPN connects to the internal Oracle database, which updates the customers' data tables. However, the data transactions from the remote access to the corporate internal databases are not encrypted, which leaves the information vulnerable.

The company also operates an Oracle database that handles the bulk of data processing on a high-end supercomputer. It also runs a highly trusted computing base (TCB) internal network located in a physically separated subnet. This is where all corporate data processing is completed. The internal support team also has its own intranet web server, a SUS server, and an internal DNS server. Others include an e-mail system and the support personnel's workstations. Despite the physical segregation of each corporate department on a different subnet, they share the corporate data in the TCB network.

The availability of a VPN in the organization provides some level of network security. It secures the connection by using a combination of tunneling, authentication, and encryption technologies. However, GAI needs to ensure the highest level of security for the VPN deployment by using the Layer Two Tunneling Protocol (L2TP) together with Internet Protocol Security (IPsec). This is likely to address the engineer's report of a significant spike in network traffic crossing into the internal networks. In fact, the organization needs to move quickly in implementing the process to secure the corporate confidential data and customer information. Any delay can lead to the organization incurring costs related to the loss of confidentiality.

Access points. This section concerns the procedures governing network access by the entity's personnel. Furthermore, it considers the possibility of both internal and external information access by these people. The concept proves essential if the institution is to block unwanted or unauthorized individuals from accessing its network. It is plausible that such precautions can offer solutions to the potential cybercrimes that interfere with the company's operations.

Internal access. The employees have access to the internal network from their individual workstations. They use different internal network topologies, including wireless ones. Others include 10 Gbps VLAN switches segregated by department. However, the organization needs to monitor anti-virus issues, since they appear to be the main contributor to the system's vulnerability to cyber-attacks. Another important aspect for the organization is the need for applications and servers to have appropriately privileged access to the required resources. Moreover, the need for auditing and reporting systems to monitor such activities remains imperative. Since network systems are potential sources of malpractice, the entity requires active control measures aimed at monitoring and reporting any apparent attack on the system. Another mitigation measure is the implementation of ACLs to control accessibility. They will restrict who accesses the individual VLANs, applications, databases, e-mail, file, and printer servers. Furthermore, encrypting the wireless access points and making SSIDs invisible is another way to prevent vulnerabilities. Additionally, installing a firewall client with automatic configuration and using a web proxy all have the potential to offer a high degree of control over security threats. Therefore, the organization must work to implement such procedures if its operations and the client information are to remain confidential.
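The ACL restriction and audit-reporting recommendations above can be shown working together in a small model. This is an added example, not part of the original paper and not GAI's actual configuration: the VLAN addresses, the TCB subnet, the department names and the sample flows are constructed for illustration. It evaluates flows first-match-wins, denies anything that matches no rule, and records every decision so the reporting the text calls for has something to count.

```python
"""Per-department VLAN ACL with an audit trail: added example modelling the
Internal access recommendations. All addresses and departments are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR of the source VLAN
    dst: str              # CIDR of the destination segment or host
    port: Optional[int]   # None matches any destination port
    action: str           # "permit" or "deny"
    comment: str          # why the rule exists; copied into the audit line

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


@dataclass
class Acl:
    rules: List[Rule]
    audit: List[str] = field(default_factory=list)

    def evaluate(self, src_ip: str, dst_ip: str, port: int) -> str:
        """First matching rule wins; an unmatched flow is denied and logged
        as such, so the default posture is deny rather than permit."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                self.audit.append(
                    f"{rule.action} {src_ip}->{dst_ip}:{port} ({rule.comment})")
                return rule.action
        self.audit.append(f"deny {src_ip}->{dst_ip}:{port} (implicit default deny)")
        return "deny"


# Constructed addressing (assumption): one VLAN per department, servers in
# the physically separate TCB subnet described in the text.
FINANCE_VLAN = "10.10.0.0/24"
SUPPORT_VLAN = "10.20.0.0/24"
ORACLE_DB = "10.99.0.10/32"
MAIL_SERVER = "10.99.0.20/32"
TCB_SUBNET = "10.99.0.0/24"

GAI_ACL = Acl(rules=[
    Rule(FINANCE_VLAN, ORACLE_DB, 1521, "permit", "finance application to Oracle listener"),
    Rule(SUPPORT_VLAN, ORACLE_DB, 1521, "deny", "support has no need of customer tables"),
    Rule("10.0.0.0/8", MAIL_SERVER, 25, "permit", "all departments may submit mail"),
    Rule("10.0.0.0/8", TCB_SUBNET, None, "deny", "everything else into the TCB is denied"),
])


def count_denials(acl: Acl) -> int:
    """Number of denied flows in the audit trail, the figure a periodic
    report would track for trend analysis."""
    return sum(1 for line in acl.audit if line.startswith("deny"))


if __name__ == "__main__":
    acl = Acl(rules=list(GAI_ACL.rules))
    acl.evaluate("10.10.0.15", "10.99.0.10", 1521)   # finance -> Oracle: permit
    acl.evaluate("10.20.0.7", "10.99.0.10", 1521)    # support -> Oracle: deny
    acl.evaluate("10.20.0.7", "10.99.0.10", 22)      # support -> Oracle SSH: deny
    print("\n".join(acl.audit))
    print("denials:", count_denials(acl))
```

Note that the explicit deny for the support VLAN is there only to give the audit line a meaningful reason; the final catch-all and the implicit default deny would block the same flow, and a reviewer reading the trail should see which of the three fired.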

External access. The organization provides external network access through RAS servers. These talk to the distribution routers, VPN gateways, and 10 Gbps switches via a 100 Mbps router. This connection acts as a possible control against unauthorized access to the network system. Apparently, unauthenticated access to network systems, especially from outside, can leave them vulnerable to scams. The observation implies that people can use different browsers to access the information easily from outside. Currently, employees and other individuals with access to the entity use mobile phones to access the internet services. Some of the mobile phone users have the technical competence that could allow them to hack the systems. It is on such grounds that the company, through its IT department, must address the need for dial-up connections to authenticate before being granted access to such networks. One can attribute the cyber-crime threat the organization is experiencing to weak network access control. Therefore, the use of mobile phones and laptops requires the enterprise to design a network system capable of detecting such devices. Moreover, it should verify an individual's identity through the use of passwords and also have an application that informs the organization of the type of device one uses to access the internet. The design makes it possible to control any external access and deny it when necessary. Furthermore, identifying the features of the machine a person uses for browsing enables the technical team to react to any threat expeditiously. Therefore, firm control of external network access proves essential to any organization.
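The design this section asks for, identity verified by password and the connecting device identified and recorded before access is granted, can be sketched as a gate in front of the remote access service. The following is an added example, not from the original paper and not GAI's RAS configuration; the user name, device identifier, password and user-agent strings are constructed. Passwords are stored only as salted PBKDF2 hashes, the comparison is constant-time, and the same hashing work is done for unknown users so response timing does not reveal which accounts exist.

```python
"""Remote-access gate: password verification plus device registration, with
every decision and the reported device type written to an audit log.
Added example; all identities and device values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # work factor; raise as hardware allows


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.
    Only the salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison


# Used for unknown user names so the gate does equal work either way.
DUMMY_RECORD = hash_password("placeholder-not-a-real-credential")


@dataclass
class RemoteAccessGate:
    users: Dict[str, Tuple[bytes, bytes]]   # user -> (salt, digest)
    devices: Dict[str, Set[str]]            # user -> registered device ids
    audit: List[str] = field(default_factory=list)

    def admit(self, user: str, password: str, device_id: str, user_agent: str) -> bool:
        """Identity first, then device. The user-agent is logged on every
        decision so the technical team knows what kind of client connected."""
        salt, stored = self.users.get(user, DUMMY_RECORD)
        credentials_ok = verify_password(password, salt, stored) and user in self.users
        if not credentials_ok:
            self.audit.append(
                f"DENY user={user} device={device_id} ua={user_agent!r} reason=bad-credentials")
            return False
        if device_id not in self.devices.get(user, set()):
            self.audit.append(
                f"DENY user={user} device={device_id} ua={user_agent!r} reason=unregistered-device")
            return False
        self.audit.append(f"ALLOW user={user} device={device_id} ua={user_agent!r}")
        return True


def build_demo_gate() -> RemoteAccessGate:
    """Constructed directory with one user and one registered laptop."""
    salt, digest = hash_password("correct horse battery staple")
    return RemoteAccessGate(users={"jdoe": (salt, digest)},
                            devices={"jdoe": {"laptop-0042"}})


if __name__ == "__main__":
    gate = build_demo_gate()
    gate.admit("jdoe", "correct horse battery staple", "laptop-0042", "Mozilla/5.0 (constructed)")
    gate.admit("jdoe", "correct horse battery staple", "phone-7781", "Mobile Safari (constructed)")
    gate.admit("jdoe", "wrong", "laptop-0042", "curl/8.0 (constructed)")
    print("\n".join(gate.audit))
```

The unregistered-device denial is the case the text highlights: a valid employee password presented from an unknown phone is refused and the attempt, together with the device type, reaches the log where the team can act on it.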

Mobility

The GAI CEO displays a high level of concern about mobility. Pragmatically, mobility proves vital since it allows interaction with customers and other workers in the organization in near real time. The constant increase in GAI's performance indicates the organization's growth potential. As a result, this advancement shows the need for mobility in running the organization's different operations. The process depends on the use of networks such as Wi-Fi, which makes it possible to locate offices anywhere. The current way of operating an organization relies heavily on the integration of technology. The move allows customers to access services in their own geographical locations or nearby. People do not like travelling long distances while looking for services. As a result, the presence of Wi-Fi in a place allows entities to become mobile by putting their offices anywhere, and they gain the possibility of retaining many clients, thereby ensuring their growth. The technological advancements that have made such mobility possible include the availability of wireless and cloud computing.

The use of cloud computing while offering e-commerce services online has the potential to enable the organization to widen its operations. However, failing to apply the technology judiciously, for example by using remotely stored data without proper controls, carries the risk of vulnerability to attacks. Such applications require the organization to employ robust security control measures to ensure that they retain their integrity, availability, and confidentiality. Moreover, they must apply technologies such as the Microsoft Azure Cloud Computing Platform & Services. This move will ensure that they remain immune to some of the online attacks.

The presence of wireless networks in the organization also contributes to flexibility. It allows information to be accessed from any area where the network is available. Therefore, one does not need to be present in the office to continue with one's activities. Instead, one can handle some tasks, such as responding to customers' inquiries, while away from the desk.

Overall, security risk assessment proves essential to any organization if it is to ensure confidentiality, integrity, and availability. Various issues surround the network security system, which calls for close monitoring to ensure that information remains accessible only to authorized people. Therefore, the assessment identifies the security issues, including network and authentication issues, concerning GAI. Since the company offers sensitive services, it is important to identify the areas made vulnerable by a compromised network. The organization has experienced incidents of cyber-attacks following its security problems. The areas of interest for the assessment are authentication technology and network security issues in the organization. The level of information control in any entity remains significant, since it ensures that only authorized personnel access the information. For instance, asymmetric-key cryptography provides both a private and a public key; the private key makes the owner the only person authorized to access the information, preventing others from accessing the entity's secrets. Network accessibility also proves essential to any operation in the organization. However, GAI needs to install control measures over internal and external access to the network systems. The move has the potential to ensure that only authorized people acquire the right to use them. Another integral aspect of the security assessment is the CEO's need for GAI's mobility. It is imperative that the organization run offices in different places. However, implementing this desire relies on the availability of networks such as Wi-Fi. The CEO must integrate this technology if the company is to reach its customers in different places. The outcome of the assessment, thus, recommends that GAI management implement procedures aimed at enhancing the security of this organization. Authentication technology and the use of appropriate network systems with control measures prove important to mitigating the entity's problems.
