JB

04-IS421-Chapter-4

Page 1: Introduction

IS421 IT INFRASTRUCTURE AND NETWORK TECHNOLOGIES


Page 2: Chapter Overview

CHAPTER 4: Ensuring Business Continuity

  • Risk Management Business Challenges

  • Managing Risks: Threats, Vulnerabilities, and Exploits

  • Understanding and Maintaining Compliance


Page 3: Risk Management Business Challenges


Page 4: Understanding Risk

What is Risk?

  • Definition: The possibility of an event adversely affecting objectives or desired results.

  • Business Context: Affects financials, reputation, legal compliance, and operations.


Page 5: Understanding Management

What is Management?

  • Definition: Process of planning, organizing, leading, and controlling resources to achieve goals efficiently.

  • Coordination: Involves managing resources optimally while guiding people to desired outcomes.


Page 6: Understanding Risk Management

What is Risk Management?

  • Definition: Process of identifying, assessing, and addressing potential risks to ensure business continuity.

  • Goals: Minimize harm and proactively manage risks while ensuring stability.


Page 7: Risk Management in Business

Key Elements

  • Involves identifying, assessing, and mitigating various risks.

  • Sources of Risks: Financial uncertainties, legal liabilities, operational challenges, strategic decisions, natural disasters, and cyber threats.


Page 8: Importance of Risk Management

Benefits

  • Protects resources, supports decision-making, enhances stability, and promotes growth.

  • Increases stakeholder confidence through proactive risk management.


Page 9: Risk Management Process

Steps

  1. Identify

  2. Assess

  3. Treat

  4. Monitor & Report


Page 10: Step 1 - Risk Identification

Process

  • Identify events that can negatively or positively affect project objectives:

    • Project milestones

    • Financial trajectory

    • Project scope

  • Use risk matrix and risk register to document risks.


Page 11: Risk Identification Characteristics

Key Aspects

  • Each risk or opportunity is defined by its description, causes, qualitative and quantitative assessment, and mitigation plan.

  • Responsibility assignment for action is essential for effective risk management.


Page 12: Tools for Identifying Risks and Opportunities

Methodologies

  • Analyze existing documentation, expert interviews, brainstorming, standard methodologies (e.g., FMECA), and lessons learned from previous projects.

  • Use checklists or questionnaires covering various project areas.


Page 13: Step 2 - Risk Assessment

Types of Assessments

  • Qualitative: Analyzes criticality based on event's probability and impact.

  • Quantitative: Evaluates financial impact or benefit.

  • Both assessments are required for a comprehensive evaluation.


Page 14: Qualitative Assessment

Process

  • Rank and prioritize each risk based on occurrence probability (P) and impact severity (I).

  • Criticality = P × I. Address the most critical items first when setting response priorities.


Page 15: Quantitative Assessment

Objectives

  • Establish financial evaluation of potential risks or benefits.

  • Conducted by Risk Owner and Risk Manager, relying on accurate estimation of costs or profits relevant to the project budget.


Page 16: Evaluating Potential Costs in Quantitative Assessment

Key Elements

  • Review potential costs incurred related to:

    • Internal engineering hours

    • Subcontracting hours

    • Additional work

    • Amendments and claims


Page 17: Step 3 - Risk Treatment

Objective

  • Develop treatment plans to reduce risk probability and impact, or enhance opportunities.

  • Determine response strategies based on the nature of risk or opportunity.


Page 18: Risk Treatment Strategies

Possible Strategies

  • Opportunity: Exploit, Enhance

  • Risk: Avoid, Share, Transfer, Mitigate, Accept


Page 19: Risk Response Strategies Explained

Definitions

  • Accept: Monitor with no action.

  • Mitigate/Enhance: Change probability or severity.

  • Transfer/Share: Assign risk responsibility to third party.

  • Avoid/Exploit: Eliminate risk or maximize opportunity.


Page 20: Treatment Plan Guidelines

Key Considerations

  • Actions must have clear purposes, responsible individuals, and deadlines.

  • Include cost-tracking for any financial impact.


Page 21: Identifying When Risk Becomes an Issue

Key Aspects

  • Assess uncertainty of event date and plan for prevention or fallback.


Page 22: Step 4 - Risk Monitoring and Reporting

Overview

  • Risks and treatment plans require monitoring and reporting based on criticality.

  • Develop a reporting structure to address escalations.


Page 23: Sample Risk Management Plan #1

Overview

  • Tech Solutions Inc.: Fast-growing tech company specializing in software solutions.

  • Focus: Quality, security, compliance, and digital transformation.


Page 24: Sample Risk Management Plan - Risk Identification

Identified Risks

  • R1: Data Security Breach

  • R2: Regulatory Compliance Issues

  • R3: Project Timeline Delays

  • R4: Customer Adoption Risks

  • R5: Budget Overruns


Page 25: Sample Risk Management Plan - Risk Assessment

Evaluation Method

  • Likelihood and Impact scoring (1-5 scale) to prioritize risks by risk score.
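The qualitative assessment (Criticality = P × I) and the sample plan's 1-5 likelihood/impact scoring are the same calculation applied to a risk register. The following is an added example, not part of the course slides: it keeps the five risks R1-R5 named in the sample plan, but the scores, owner titles, treatment choices, and the level/escalation thresholds are constructed assumptions for illustration.

```python
"""Risk register with P x I scoring for the sample plan (added example)."""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int      # P, 1 (rare) to 5 (almost certain)
    impact: int          # I, 1 (negligible) to 5 (severe)
    owner: str           # responsible individual (assumed titles below)
    treatment: str       # Avoid, Share, Transfer, Mitigate or Accept

    def __post_init__(self):
        # Enforce the 1-5 scale from the sample plan; reject anything else.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale, got {value}")

    @property
    def score(self) -> int:
        """Criticality = P x I, as defined in the qualitative assessment."""
        return self.likelihood * self.impact


# Band boundaries are an assumption; a real plan fixes them in its policy.
def risk_level(score: int) -> str:
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(register):
    """Highest criticality first; ties broken by risk id for a stable report."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def needs_escalation(risk, threshold: int = 15) -> bool:
    """Reporting structure: scores at or above the threshold take the escalation path."""
    return risk.score >= threshold


def dashboard(register):
    """One line per risk, in priority order, for the monthly review."""
    lines = []
    for r in prioritize(register):
        flag = " ESCALATE" if needs_escalation(r) else ""
        lines.append(
            f"{r.risk_id} {r.description:<30} P={r.likelihood} I={r.impact} "
            f"score={r.score:>2} {risk_level(r.score):<8} {r.treatment:<8} "
            f"owner={r.owner}{flag}"
        )
    return lines


# Constructed scores, owners and treatments for the five risks named on the slides.
SAMPLE_REGISTER = [
    Risk("R1", "Data Security Breach", 3, 5, "Security Lead", "Mitigate"),
    Risk("R2", "Regulatory Compliance Issues", 2, 4, "Legal Counsel", "Mitigate"),
    Risk("R3", "Project Timeline Delays", 4, 3, "Project Manager", "Mitigate"),
    Risk("R4", "Customer Adoption Risks", 3, 3, "Product Owner", "Mitigate"),
    Risk("R5", "Budget Overruns", 3, 4, "Finance Lead", "Accept"),
]

if __name__ == "__main__":
    print("\n".join(dashboard(SAMPLE_REGISTER)))
```

With these constructed scores R1 (3 × 5 = 15) is the only item that crosses the escalation threshold, and R3 and R5 tie at 12 and are ordered by id; changing a single likelihood or impact value re-sorts the whole register, which is exactly why the sample plan re-scores at each monthly review.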


Page 26: Sample Risk Management Plan - Risk Treatment

Mitigation Strategies

  • R1: Conduct audits, training on data security.

  • R2: Ensure compliance through legal counsel and training.

  • R3: Use contingency planning for timeline adjustments.

  • R4: Understand customer needs through research.

  • R5: Monitor expenses closely.


Page 27: Sample Risk Management Plan - Monitoring Framework

Structure

  • Monitoring frequency: Monthly with milestone reviews.

  • Responsibilities assigned to Project Manager and Risk Management Team.

  • Use a risk dashboard for regular updates.


Page 28: Sample Risk Management Plan - Monitoring Framework Continued


Page 29: Summary for Sample Case #1

Final Notes

  • The plan assists in mitigating and monitoring risks for successful project achievement.

  • Emphasis on proactive risk handling and maintaining transparency.


Page 30: Managing Risks Overview

Focus

  • Examining Threats, Vulnerabilities, and Exploits.


Page 31: Understanding Threats

Definition

  • External factors negatively impacting business goals.

  • Sources: Economic, competitive, technological, regulatory, and environmental.


Page 32: Common Types of Threats in Business

Categories

  • Economic Threats: Financial instability, inflation.

  • Competitive Threats: Aggressive rivals.

  • Technological Threats: Obsolescence due to rapid changes.

  • Regulatory Threats: Compliance with new laws.


Page 33: More Types of Threats

Additional Risks

  • Environmental: Natural disasters, climate change.

  • Social: Cultural shifts affecting demand.

  • Cybersecurity: Data breaches and cyber threats.


Page 34: Importance of Identifying Threats

Key Benefits

  • Prepare and respond to challenges.

  • Develop mitigation strategies and adapt strategies accordingly.


Page 35: Intentional Threats

Definition

  • Hostile actions motivated by greed, anger, or desire to damage.

  • Can disrupt operations and lead to availability loss.


Page 36: Unintentional Threats

Categories

  • Environmental: Natural disasters affecting operations.

  • Human: Errors leading to data loss or mishandling.


Page 37: Unintentional Threats Continued

More Types

  • Accidents: Minor mishaps to major catastrophes.

  • Failures: Equipment malfunctions leading to service loss.


Page 38: Common Attackers

Types of Attackers

  • Criminals: Organized fraud and theft.

  • APTs (advanced persistent threats): Well-resourced, highly focused attacks against specific targets.


Page 39: More Common Attackers

Additional Groups

  • Vandals: Intent to cause damage to assets.

  • Disgruntled Employees: Internal threats from dissatisfied staff.


Page 40: Other Attackers

Overview

  • Nations engage in espionage and cyber warfare.

  • Hackers of varying motivations attempt breaches.


Page 41: Best Practices

Recommendations

  • Develop security policies to guide actions.

  • Use insurance for financial protection against risks.


Page 42: Best Practices Continued

Additional Recommendations

  • Automate processes to reduce human errors.

  • Regular training to enhance security awareness.


Page 43: Understanding Vulnerability

Definition

  • A weakness in systems or processes that a threat can exploit.

  • Leads to increased susceptibility to risks.


Page 44: Threat/Vulnerability Pairs

Concept

  • Occurs when a specific threat exploits a vulnerability, leading to harmful events.


Page 45: Examples of Threat/Vulnerability Pairs

Scenarios

  • Fire without detection: Total business loss.

  • Malware infection enabled by the lack of antivirus software.

  • Equipment failures without backups lead to data loss.


Page 46: Mitigation of Vulnerabilities

Key Techniques

  • Identifying and prioritizing vulnerabilities.

  • Reducing exposure and occurrence rates through training.


Page 47: Mitigation Techniques

Specific Actions

  • Fire: Install detection equipment.

  • Malware: Implement antivirus software and update it regularly.


Page 48: Policies and Documentation

Importance

  • Create standard written policies and regular audits.

  • Maintain updated documentation for quick troubleshooting.


Page 49: Best Practices Continued

Key Operations

  • Separation of duties to prevent fraud.

  • Configuration management for consistent settings.


Page 50: Ongoing Maintenance

Policy

  • Implement a patch management policy for software vulnerabilities.


Page 51: Understanding Exploits

Definition

  • Tool or method used by attackers to take advantage of vulnerabilities.


Page 52: Exploit Example

Scenario

  • Exploiting public-facing servers through vulnerabilities in firewalls.


Page 53: SQL Injection Attacks

Definition

  • Attacker injects SQL code through unvalidated input.

  • Prevention hinges on validating user-supplied data before it reaches the database.
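To make the slide's point concrete, here is an added example (not from the course material) that puts the unvalidated, string-built query beside two defences: parameterized queries, which the slide does not name but which are the standard complement to input validation, and an allow-list validator at the input boundary. The in-memory table, the user rows and the malformed input are constructed for the example.

```python
"""SQL injection: unsafe string building beside the parameterized form (added example)."""
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string interpolation: whatever the caller supplies
    becomes part of the SQL text, so a quote character in the input changes the
    query's structure instead of being treated as data. This is the defect."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Passes the value separately from the statement; the driver binds it as
    data, so the input can never alter the WHERE clause."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames (an assumption about the application's rules).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    """Input validation at the boundary, as the slide recommends."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Defence in depth: reject malformed input, then still bind parameters."""
    if not validate_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_parameterized(conn, username)


def demo():
    """Run the same benign and malformed inputs through each variant."""
    conn = make_db()
    benign = "alice"
    # Constructed malformed input: closes the quoted literal and appends a tautology.
    malformed = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_malformed": lookup_vulnerable(conn, malformed),
        "parameterized_malformed": lookup_parameterized(conn, malformed),
        "validated_rejects_malformed": not validate_username(malformed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable variant returns every row for the malformed input because the quote in the input rewrote the WHERE clause; the parameterized variant returns nothing, because the driver compared the whole string as a value. Validation alone is a useful first gate, but parameter binding is what guarantees the input cannot change the statement.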


Page 54: Denial of Service Attacks

Concept

  • DoS attacks aim to disrupt services, consuming server resources.

  • DDoS involves multiple compromised systems attacking a single target.


Page 55: Initiation of Exploits

Attack Methods

  • Programs developed by attackers automate the launch of exploits.

  • Script kiddies use simple tools to initiate user-level attacks.


Page 56: Information Gathering Techniques

Methods

  • Public server discovery using scanners.

  • Fingerprinting for identifying server types and vulnerabilities.


Page 57: Exploring Vulnerabilities

Discovery Techniques

  • Programmers write code to exploit vulnerabilities once discovered.


Page 58: Sources of Vulnerability Information

Key Sources

  • Blogs, forums, and security newsletters keep attackers and defenders informed.


Page 59: Continuation of Sources

Additional Insights

  • Security professionals share findings, helping to identify vulnerabilities.


Page 60: Mitigation Techniques

Key Measures

  • Remove default configurations and change passwords.

  • Reduce attack surface by disabling unnecessary services.


Page 61: Further Mitigation Strategies

Security Enhancements

  • Implement firewalls, intrusion detection, and antivirus programs.


Page 62: Best Practices Continued

Security Policies

  • Use configuration management and conduct compliance audits regularly.
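Pages 50, 60 and 62 describe three controls that a configuration-management baseline can check mechanically: patch currency, removal of default accounts and passwords, and disabling services outside the approved set. The following added example (not the course's own material) audits a constructed host inventory against such a baseline; the allowed-service sets, the default-account list, the 30-day patch window and the hosts themselves are all assumptions made for the illustration.

```python
"""Baseline compliance audit over a constructed host inventory (added example)."""
from datetime import date

# Baseline: services permitted to run on a host of each role (assumption).
ALLOWED_SERVICES = {
    "web": {"https", "ssh"},
    "db": {"postgres", "ssh"},
}
# Account names assumed to ship with a vendor default password (constructed list).
DEFAULT_ACCOUNTS = {"admin", "guest"}
# Patch management policy window in days (assumption).
MAX_PATCH_AGE_DAYS = 30


def audit_host(host, today):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    allowed = ALLOWED_SERVICES.get(host["role"], set())
    # Attack-surface check: anything not in the role baseline is unnecessary.
    for svc in sorted(host["services"]):
        if svc not in allowed:
            findings.append(f"{host['name']}: unnecessary service '{svc}' enabled; disable it")
    # Default-credential check: vendor accounts must be removed or re-keyed.
    for acct in host["accounts"]:
        if acct["name"] in DEFAULT_ACCOUNTS and acct["default_password"]:
            findings.append(
                f"{host['name']}: account '{acct['name']}' still uses the vendor default password"
            )
    # Patch-currency check against the policy window.
    age_days = (today - host["last_patched"]).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append(
            f"{host['name']}: last patched {age_days} days ago, exceeds {MAX_PATCH_AGE_DAYS}-day policy"
        )
    return findings


def audit_inventory(inventory, today):
    """Map each host name to its findings."""
    return {h["name"]: audit_host(h, today) for h in inventory}


def is_compliant(report):
    """True only when no host has any finding."""
    return all(not findings for findings in report.values())


# Constructed inventory: one host that drifts from the baseline, one that does not.
INVENTORY = [
    {
        "name": "web-01",
        "role": "web",
        "services": {"https", "ssh", "telnet", "ftp"},
        "accounts": [
            {"name": "admin", "default_password": True},
            {"name": "deploy", "default_password": False},
        ],
        "last_patched": date(2024, 1, 2),
    },
    {
        "name": "db-01",
        "role": "db",
        "services": {"postgres", "ssh"},
        "accounts": [{"name": "dba", "default_password": False}],
        "last_patched": date(2024, 2, 20),
    },
]
AUDIT_DATE = date(2024, 3, 1)  # constructed audit date

if __name__ == "__main__":
    report = audit_inventory(INVENTORY, AUDIT_DATE)
    for name, findings in report.items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
    print("compliant:", is_compliant(report))
```

Running the audit on a schedule and diffing successive reports turns the slide's "regular compliance audits" into a record of configuration drift: a service that was absent last month and present now is itself the finding to investigate.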


Page 63: Risk and Vulnerability Assessments

Practices

  • Performing risk and vulnerability assessments informs mitigation strategies for security management.