JB

04-IS421-Chapter-4

Page 1: Introduction

IS421 IT INFRASTRUCTURE AND NETWORK TECHNOLOGIES

Page 2: Chapter Overview

CHAPTER 4: Ensuring Business Continuity

  • Risk Management Business Challenges

  • Managing Risks: Threats, Vulnerabilities, and Exploits

  • Understanding and Maintaining Compliance

Page 3: Risk Management Business Challenges

Page 4: Understanding Risk

What is Risk?

  • Definition: The possibility of an event adversely affecting objectives or desired results.

  • Business Context: Affects financials, reputation, legal compliance, and operations.

Page 5: Understanding Management

What is Management?

  • Definition: Process of planning, organizing, leading, and controlling resources to achieve goals efficiently.

  • Coordination: Involves managing resources optimally while guiding people to desired outcomes.

Page 6: Understanding Risk Management

What is Risk Management?

  • Definition: Process of identifying, assessing, and addressing potential risks to ensure business continuity.

  • Goals: Minimize harm and proactively manage risks while ensuring stability.

Page 7: Risk Management in Business

Key Elements

  • Involves identifying, assessing, and mitigating various risks.

  • Sources of Risks: Financial uncertainties, legal liabilities, operational challenges, strategic decisions, natural disasters, and cyber threats.

Page 8: Importance of Risk Management

Benefits

  • Protects resources, supports decision-making, enhances stability, and promotes growth.

  • Increases stakeholder confidence through proactive risk management.

Page 9: Risk Management Process

Steps

  1. Identify

  2. Assess

  3. Treat

  4. Monitor & Report

Page 10: Step 1 - Risk Identification

Process

  • Identify events that can negatively or positively affect project objectives:

    • Project milestones

    • Financial trajectory

    • Project scope

  • Use risk matrix and risk register to document risks.

Page 11: Risk Identification Characteristics

Key Aspects

  • Risk/opportunity defined by description, causes, qualitative and quantitative assessment, and mitigation plan.

  • Responsibility assignment for action is essential for effective risk management.

Page 12: Tools for Identifying Risks and Opportunities

Methodologies

  • Analyze existing documentation, expert interviews, brainstorming, standard methodologies (e.g., FMECA), and lessons learned from previous projects.

  • Use checklists or questionnaires covering various project areas.

Page 13: Step 2 - Risk Assessment

Types of Assessments

  • Qualitative: Analyzes criticality based on event's probability and impact.

  • Quantitative: Evaluates financial impact or benefit.

  • Both assessments are required for a comprehensive evaluation.

Page 14: Qualitative Assessment

Process

  • Rank and prioritize each risk based on occurrence probability (P) and impact severity (I).

  • Criticality = P x I. Focus on critical items first for response priorities.

Page 15: Quantitative Assessment

Objectives

  • Establish financial evaluation of potential risks or benefits.

  • Conducted by Risk Owner and Risk Manager, relying on accurate estimation of costs or profits relevant to the project budget.

Page 16: Evaluating Potential Costs in Quantitative Assessment

Key Elements

  • Review potential costs incurred related to:

    • Internal engineering hours

    • Subcontracting hours

    • Additional work

    • Amendments and claims

Page 17: Step 3 - Risk Treatment

Objective

  • Develop treatment plans to reduce risk probability and impact, or enhance opportunities.

  • Determine response strategies based on the nature of risk or opportunity.

Page 18: Risk Treatment Strategies

Possible Strategies

  • Opportunity: Exploit, Enhance

  • Risk: Avoid, Share, Transfer, Mitigate, Accept

Page 19: Risk Response Strategies Explained

Definitions

  • Accept: Monitor with no action.

  • Mitigate/Enhance: Change probability or severity.

  • Transfer/Share: Assign risk responsibility to third party.

  • Avoid/Exploit: Eliminate risk or maximize opportunity.

Page 20: Treatment Plan Guidelines

Key Considerations

  • Actions must have clear purposes, responsible individuals, and deadlines.

  • Include cost-tracking for any financial impact.

Page 21: Identifying When Risk Becomes an Issue

Key Aspects

  • Assess uncertainty of event date and plan for prevention or fallback.

Page 22: Step 4 - Risk Monitoring and Reporting

Overview

  • Risks and treatment plans require monitoring and reporting based on criticality.

  • Develop a reporting structure to address escalations.

Page 23: Sample Risk Management Plan #1

Overview

  • Tech Solutions Inc.: Fast-growing tech company specializing in software solutions.

  • Focus: Quality, security, compliance, and digital transformation.

Page 24: Sample Risk Management Plan - Risk Identification

Identified Risks

  • R1: Data Security Breach

  • R2: Regulatory Compliance Issues

  • R3: Project Timeline Delays

  • R4: Customer Adoption Risks

  • R5: Budget Overruns

Page 25: Sample Risk Management Plan - Risk Assessment

Evaluation Method

  • Likelihood and Impact scoring (1-5 scale) to prioritize risks by risk score.

Page 26: Sample Risk Management Plan - Risk Treatment

Mitigation Strategies

  • R1: Conduct audits, training on data security.

  • R2: Ensure compliance through legal counsel and training.

  • R3: Use contingency planning for timeline adjustments.

  • R4: Understand customer needs through research.

  • R5: Monitor expenses closely.

Page 27: Sample Risk Management Plan - Monitoring Framework

Structure

  • Monitoring frequency: Monthly with milestone reviews.

  • Responsibilities assigned to Project Manager and Risk Management Team.

  • Use a risk dashboard for regular updates.

Page 28: Sample Risk Management Plan - Monitoring Framework Continued

Page 29: Summary for Sample Case #1

Final Notes

  • The plan assists in mitigating and monitoring risks for successful project achievement.

  • Emphasis on proactive risk handling and maintaining transparency.

Page 30: Managing Risks Overview

Focus

  • Examining Threats, Vulnerabilities, and Exploits.

Page 31: Understanding Threats

Definition

  • External factors negatively impacting business goals.

  • Sources: Economic, competitive, technological, regulatory, and environmental.

Page 32: Common Types of Threats in Business

Categories

  • Economic Threats: Financial instability, inflation.

  • Competitive Threats: Aggressive rivals.

  • Technological Threats: Obsolescence due to rapid changes.

  • Regulatory Threats: Compliance with new laws.

Page 33: More Types of Threats

Additional Risks

  • Environmental: Natural disasters, climate change.

  • Social: Cultural shifts affecting demand.

  • Cybersecurity: Data breaches and cyber threats.

Page 34: Importance of Identifying Threats

Key Benefits

  • Prepare and respond to challenges.

  • Develop mitigation strategies and adapt strategies accordingly.

Page 35: Intentional Threats

Definition

  • Hostile actions motivated by greed, anger, or desire to damage.

  • Can disrupt operations and lead to availability loss.

Page 36: Unintentional Threats

Categories

  • Environmental: Natural disasters affecting operations.

  • Human: Errors leading to data loss or mishandling.

Page 37: Unintentional Threats Continued

More Types

  • Accidents: Minor mishaps to major catastrophes.

  • Failures: Equipment malfunctions leading to service loss.

Page 38: Common Attackers

Types of Attackers

  • Criminals: Organized fraud and theft.

  • APTs: High-resource-focused attacks against targets.

Page 39: More Common Attackers

Additional Groups

  • Vandals: Intent to cause damage to assets.

  • Disgruntled Employees: Internal threats from dissatisfied staff.

Page 40: Other Attackers

Overview

  • Nations engage in espionage and cyber warfare.

  • Hackers of varying motivations attempt breaches.

Page 41: Best Practices

Recommendations

  • Developing security policies to guide actions.

  • Utilization of insurance for financial protection against risks.

Page 42: Best Practices Continued

Additional Recommendations

  • Automate processes to reduce human errors.

  • Regular training to enhance security awareness.

Page 43: Understanding Vulnerability

Definition

  • Weakness in systems or processes exploited by threats.

  • Leads to increased susceptibility to risks.

Page 44: Threat/Vulnerability Pairs

Concept

  • Occurs when a specific threat exploits a vulnerability, leading to harmful events.

Page 45: Examples of Threat/Vulnerability Pairs

Scenarios

  • Fire without detection: Total business loss.

  • Malware exploited via lack of antivirus.

  • Equipment failures without backups lead to data loss.

Page 46: Mitigation of Vulnerabilities

Key Techniques

  • Identifying and prioritizing vulnerabilities.

  • Reducing exposure and occurrence rates through training.

Page 47: Mitigation Techniques

Specific Actions

  • Fire: Install detection equipment.

  • Malware: Implement antivirus software and regularly update.

Page 48: Policies and Documentation

Importance

  • Create standard written policies and regular audits.

  • Maintain updated documentation for quick troubleshooting.

Page 49: Best Practices Continued

Key Operations

  • Separation of duties to prevent fraud.

  • Configuration management for consistent settings.

Page 50: Ongoing Maintenance

Policy

  • Implement a patch management policy for software vulnerabilities.

Page 51: Understanding Exploits

Definition

  • Tool or method used by attackers to take advantage of vulnerabilities.

Page 52: Exploit Example

Scenario

  • Exploiting public-facing servers through vulnerabilities in firewalls.

Page 53: SQL Injection Attacks

Definition

  • Attacker injects SQL code through unvalidated input.

  • Key to preventing by validating user data.

Page 54: Denial of Service Attacks

Concept

  • DoS attacks aim to disrupt services, consuming server resources.

  • DDoS involves multiple compromised systems attacking a single target.

Page 55: Initiation of Exploits

Attack Methods

  • Programs developed by attackers automate the launch of exploits.

  • Script kiddies use simple tools to initiate user-level attacks.

Page 56: Information Gathering Techniques

Methods

  • Public server discovery using scanners.

  • Fingerprinting for identifying server types and vulnerabilities.

Page 57: Exploring Vulnerabilities

Discovery Techniques

  • Programmers write code to exploit vulnerabilities once discovered.

Page 58: Sources of Vulnerability Information

Key Sources

  • Blogs, forums, and security newsletters keep attackers and defenders informed.

Page 59: Continuation of Sources

Additional Insights

  • Security professionals share findings, helping to identify vulnerabilities.

Page 60: Mitigation Techniques

Key Measures

  • Remove default configurations and change passwords.

  • Reduce attack surface by disabling unnecessary services.

Page 61: Further Mitigation Strategies

Security Enhancements

  • Implement firewalls, intrusion detection, and antivirus programs.

Page 62: Best Practices Continued

Security Policies

  • Use configuration management and conduct compliance audits regularly.

Page 63: Risk and Vulnerability Assessments

Practices

  • Performing risk and vulnerability assessments informs mitigation strategies for security management.