SEC 280 Week5 Case Study Principles of Information Systems Security

Case Study: You have just been hired as an Information Security Engineer for a large, multi-international corporation. Unfortunately, your company has suffered multiple security breaches that have threatened customers' trust in the fact that their confidential data and financial assets are private and secured. Credit-card information was compromised by an attack that infiltrated the network through a vulnerable wireless connection within the organization. The other breach was an inside job where personal data was stolen because of weak access-control policies within the organization that allowed an unauthorized individual access to valuable data. Your job is to develop a risk-management policy that addresses the two security breaches and how to mitigate these risks.

Risk Management Policy

Background

In the recent past, the company has suffered multiple security breaches that have threatened customers' trust in the fact that their confidential data and financial assets are private and secured. Credit-card information was compromised by an attack that infiltrated the network through a vulnerable wireless connection within the organization. The other breach was an inside job where personal data was stolen because of weak access-control policies within the organization that allowed an unauthorized individual access to valuable data.

Purpose: This risk management policy intends to address these and all other past occurrences and to mitigate any future occurrence. The two main purposes are as follows:
- To identify, reduce and prevent undesirable incidents or outcomes, and
- To review past incidents and implement changes to prevent or reduce future incidents.

By definition, we will refer to Risk as the probability of an event and the potential consequences associated with that event’s occurrence.
Completely eliminating risk from an activity or set of activities recalls the saying that "the safest ships are the ones that do not sail, but that is not what they are designed for". Risk is inherent to any activity, and while it is impossible to eliminate it entirely, the norm is to manage it. For this policy, we will consider a risk major or significant when the combination of an event’s probability and its potential consequences is likely to:
- Impair the achievement of the organization’s strategic goal or objective;
- Result in substantial financial costs that may jeopardize the organization’s core mission;
- Create significant damage to the organization’s reputation.
Last updated: 2 years ago
About the document: uploaded on Sep 04, 2021; number of pages: 7.