ICT RISK MANAGEMENT

Protecting an information system resource requires an elaborate secirity system and a set of
controls.
A risk assignment determines the level of risks in the company and how that organization can be
able to deal with the risk.
It is important for businesses to identify the risks to their IT systems and date to reduce or
manage those risks and to develop a response plan in the event of an ICT crisis
Business owners have legal obligations in relation to privacy, electronic transactions and staff
training that influence ICT risk management strategies Ict risks may include such things as:

Hardware and software fairtures

Human errors
Viruses and malicious attacks
Natural disasters e.g fire and flood

ICT risk management helps to improve security in information systems.With

security,the aim is to achive :

complete

1. Confidentiality: Preveting the discusion of the information to unauthorized individuals

or systems.
2. Intergrity: This is a measure to safeguard data against modification without
authorisation.
3. Availability: This is to ensure that information is available when needed.

Systems Vulnerability and abuse

In computer security the term vulnerability refers to weakness in which allows an attack to
reduce an information systems assurance.
It is intersection of 3 elements:
System susceptibility or flaws
Attackers accessing the flaws
Attackers capability to exploit the flaws

Causes of system vulnerability

Large and complex sytems

Fundamental system design flaws
Password management flaws
Connectivity to a network
Unchecked user input
Internet browsing

Types of risks faced in Information systems

If an organisation relies on ICT system such as computers and network for key business
activities, they need to be aware of a range and nature of the risks to the systems.
Some of the risks include:
General ICT risks

Hardaware and software failures

Malicious software eg viruses ,worms
Human error
Fraud and theft
Industial espionage
Loss of physical infrasture support
Employee sabotage

Criminal ICT Risks/ Threats

Hackers
Fraud
Password theft
Denial of service
Security breaches
Staff dishonety

Examples of threats to IS security

Viruses:
It is a code segment that replicates by attaching copies of itself to excisting executable files.The
new copy of the viruses is execetued wneh a suer excecutes the new host program.
Worms
They are self replicating program that one self contained and do not require a host program .the
program creates copies of itself and causes it to executes. No user interventon is reqired.
Trojan horse
This is a program that performs a desired task but also includes an unexpected and desirable
function .A user will inadvertently introduce the virus into the system while downloading
legitimate software.
Spyware
It is a malicious software desighned to spy on a victims computer. If infected it would spy the
daily activities and will find a way to contact the host and give information.
Scareware
This is a program planted into the system to inform the user that they have hundreds of infections
which they actually do not.
The idea is to trick the user into puurchasing a bogus antimalaware where it claims to remove the
threasts.
Key loggers
It is a program that keeps program that keeps record of every keystoke made on the Keyboard. It
is used to steal peoples log in ID credentials eg username and passwords
Spamming
Sending unsolicitaed messages
Back doors
This is a form of illegal access where once the system is vulnerabilty to it, the attacker will be
able to by pass all the rugular authentification requirements. It is usually installed before any
viruses or trojam to assist the efforts.

 Phishing
This is setting up a face website that is desired to look almos like the actual website. The idea of
this attack is to trick the user into enetering the name and password which can then be used for
illegal access.
Pharming
It is more or less like phishing but in this case a hacker re directs traffic from the catual website
to a fake website that is hosted in the server of the hacker.
Jamming
This a kind of threat where a hacker floods a network with fake messages so that it can be made
unavailable making it vulnerable to the security threat
Snooping
It is an unauthorised access to a persons private information. It involve intercepting messages
that are being sent over a network or using a spyware or key logger without.
Tweaking
This is tha ability a hacker to change the identity when they are send information in a network to
tace the user into thinking that they are a particular individual.

Security controls in information systems

Security contols are an ability desighned to protect an information system from unauthorised
access or damaged. Severals ways have been put forward to ensure security of information
systems
They include:
Authentication
This is a technique used to ensure that communication between two end points is performed by
legimitate users. It can also involve the use of passwords before gaining access into the systems.
Firewalls
It is hardware or software based network security system that determines whether they should
allow packets (data) to go through a network or not. They control both outgoing and incoming
communication in anetwork by analysing data faccets based on rule set. A firewall establishes a
banner between a trusted secure internal network and another network assumed not secure and
untrusted.

 Encryption
This method is used to protect messages sent via network from being accessed by unauthorosed
users. It involves scrabbling data using an encryption key that is known to the sender and will be
encrypted by the receiver using a decryption key. This protects messages from being intercepted
and decifered.
Intrusion detection system
This is the system that can scan a network for people that are not on the network but who should
not be there or are doing things that should not be done.
Honey pots
This are computers that are interntonally or unintentionally left vulnerable to attack by
hackers.this is normally used to check on the areas of vulnerability of a system and find ways of
dealing with the vulnerabilities.
Digital certificates
It is an electronic card that establishes the creadentials of users when transacting on a network. It
will contain the name, serial number and the expiry date of the copy of certificateholder. Their
certificate will be required anytime a user wants to gain access to a netwoek that they can be
authenticated.

Types of controls in information systems

Controls are those activities that have to take place to ensure that the objectives of the systems
are met.the main types of control in information systems are categorised into two:
General Contols
These are control systems that apply to all application processes and systems that are used in a
computer enevironment.the main types of information contols include:
Hardware controls
These are all measures taken to ensure the physical hardware is safe and secure for use.
Software contols
They ensure that all the software is free from malicious program and that they can be used to
execute date efficiently.

 Implementation controls
They cover the development and installation of computer software. They ensure that any system
implementation process is within the policies of the organisation.
Data security controls
They ensure that data within the sytem is accurate, complete and free from unauthorised access.
Computer operations controls
They ensure the use of computers by authorised users within the policies of the organization.
Administation controls
The cover the general management of information systems and include segregation of duties and
raining.
Application controls
Those controls govern specific applications. They will control how a prticular application will
run on the system and will be classified as:
Input controls
They check all data accuracy and completeness when they are entered into the system.
Processing controls
They establish that data is accurate and complete during updating
Output control
They ensure that the results of computer processing are accurate complete and properly
distributed.

Managing Downtime in information system

Downtime refers to the period in which the systems resources are not available and when they
are not operational.
A number of ways can be designed to mitigate the downtime, which includes:

 Fault tolerant systems

This is the use of hardware and software to detect any hardware failure and automatically switch
to a backup system.
High availability computing
Organisations use backup services distributing processing among multiple servers.high capacity
storage and disaster recovery planning enables recovery from a system crash or failure to take
place very fast
Recovery oriented computing
This is where systems are desighned to recover quickly and implement capabilities and tools to
help operators pinpoint the source of fault in multi oriented system and easily correct these
mistakes
Load balancing
This is the spreading of prosessing tasks among multiple computers in network to increase the
computing perfomance on the network, from the users perspective computers will function as
one computer system.
Mirroring
This is having a copy of every terminal and server in the network which will be perfoming the
services in parallel with one being active and the other passive. If an active terminal fails or is
unavailable, the passive terminal will take over the activities of the active terminals.

Disaster Recovery Planning and Business Continuity Planning

Business continuity planning
This are plans that focus on how a company can restore business operations in the event of a
distater without incurring any downtime.
The techniques used in BCP are these that are used to the management of downtime.
Disaster and recovery palnning
These are plans pit in place to ensure that a system recovers as soon as possible in the evet of a
disaster with PRP downtime will be registered.

Objectives of a Disaster Recovery Plan

For the DRP to be successful it has to meet the following objectives
1)
2)
3)
4)
5)
6)

It should reduce the overall risk to the company

It should elevate the owners or investors concerns
It should restore the day to day operations within the shortest possible time
It should comply with external regulation
It should be well maitained and tested
It should/must be written and developed with the goal of responding rapidly to any
disaster

Steps in developing PRP

1. Access the risk of a particular disaster eg flood fire,power cutages which might occur.
2. Identify the most critical applications, the files they use and applications they load.
3. Develop an action for handling mission critical application eg using manual
processing or backup in another location.
4. Outline responsibilities of individuals staff and procedure to follow during a disaster.
5. Test the disaster recovery plan at least once a year,use a consistent planning process
and methodology so that all business groups understand given rules to ensure
enoughbacking and support from top management.

Risk management process in information system

Organisations marriages have to carry out risk analysis in order to identify any element that will
cause damage to an information system.
The following are steps that are followed in management
1. Risk identification
This involves identifying and understanding any activities or event that might cause a risk in an
I.S eg flood, fire, user error etc.
2. Risk assessment
Tis involves trying to identify the likelihood of each risk accuring and theimpact of the risk if it
were to occur
3. Risk Profiling

This is the process of collecting information of the risk and developing a risk assesment
framework.
4. Determing the appropriate control
This involves identifying the appropiate action to take after the risks have been assessed and
profiled.
5. Review of the controls
This is done to determine the effectiveness of the control that has taken place and to determine
the amount of reduces risk.
6. Documenting the process
The activities of the whole process will be documented so that any future actions related to the
risks can be refered to.

Method of dealing with the risk

For each risk in the risk assessment report, a risk management strategy must be deviced to reduce
the risks to acceptance levels.
There are four basic strategies for managing risks
Mitigation
This is the most commonly used risk mangement stretegy .It involves fixing the flaw or
providing some type of compesatory control to reduce the like lihood or impact associated with
the flaw.
Transference
This is the process of allowing another party to accept the risk on your behalf in ICT systems this
is commonly done through outsourcing
Acceptance
This is the practice of of simply allowing the sytem to operate with a known risk many alow risk
to information are accepted .Business managers and IT secirity personnel are the ones to
authorize accepted risks on behalf of an organisation

Avoidance

This is the practice of remaining the vulnerable aspects of the systems or even the sytem itself
when the risks are deemed too high costs to be taken and their likelihood to happen are equally
high.