Essay Example on Robust IT Systems: A Necessity for Business Entities

Introduction

Business entities in both the public and private sector depend on robust information technology structures to carry out the various roles and objectives in the daily execution of activities in multiple capacities. In the contemporary scene where information technology systems find use in numerous scenarios, they are especially significant to business entities regardless of whatever function that they serve. One of the business entities that rely on information technology systems is one that deals with intelligence gathering for foreign and local diplomats. The work of such a business entity is especially sensitive since it encompasses a myriad of policies both domestic and international. As such, its information technology systems need to be robust and safe from attacks by malicious individuals. Information technology systems in such a setting are prone to severe threats which often have adverse effects on the operations of the entity which can sometimes lead to national disasters. Malicious individuals take advantage of vulnerable systems to attack sensitive aspects of a government's actions and therefore, there is a severe need to ensure that the person in charge of information technology systems performs regular checks to limit the chances of malicious attacks. All pertinent persons should understand their various functions in security risk assessment so that they support the missions and features of the organizations that they are working. In the case of the government agency, Bureau of Research and Intelligence, it has a massive task of gathering and analyzing information that is relevant to diplomats and other prominent U.S officials. To this end, it performs a delicate task which requires robust information technology systems that are safe from malicious attacks. As such, there is a need to conduct regular security assessments to ensure that the information technology systems in use are not prone to malicious attacks.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

Security risk assessment is the core function of an organization's risk management protocol. The purpose of a risk assessment is to identify, estimate and prioritize the various risks that an organization's operations are prone to experiencing. The evaluation will analyze the risk of the security breach about the effect that it will have on the organization's mission, functions, reputation, and social standing. The assessment encompasses a myriad of tasks and responsibilities which extrapolate to the organizational assets, individual assets, and the effect to the nations and also the consequences of a security breach on the relations with foreign countries or governments. To this end, a risk assessment aims to inform the relevant authorities concerning the vulnerabilities of a company's or an organization's information technology system. The risk assessment analyzes the threats of the internal operations of the organization, the potential of the organization's procedures to affect other external services of another organization, the vulnerabilities of the organization's systems and their overarching effects. The assessment also analyzes the impact of security breaches or threats that an organization may be subject to if malicious individuals use the loopholes present in the company's information technology system. The ultimate purpose of a security risk assessment is to analyze the likelihood that the threat will occur and therefore, inform the organization on what it should do to prevent the worst-case scenario from happening. Security risk assessments often occur according to the three tiers of an organization's structure. The first tier is on the organization level where a security risk assessment encompasses governance, management, enterprise architecture, funding of information technology systems and the mission of the organization. The second tier analyzes the business processes, and it includes an analysis of the functions captured in the first tier. The final level assesses support and implementation of an organization's risk management framework where there is a myriad of activities. Some of these activities include security control selection, categorization, assessment and implementation of the various security protocol and finally security control monitoring which means conducting regular checks on the system's security (Talabis &Martin, 2013).

Threats Sources and Events

A threat is an event or a circumstance that has the potential to severely impact the operations and assets of the organization and the people working in it. The situation has the capability of adversely affecting the activities of a nation if sensitive information leaks out to malicious individuals. Threat events have their origin in threat sources which most professionals in the information and technology sector characterize as follows. One, it is the intent and a method that targets the organization by exploiting a vulnerability. Secondly, the event may lead to the malicious individual knowing about the organization's weakness and then use it to cause more harm. Some common threats sources include; malicious cyber-attacks, physical attacks, human errors which either omit or include unnecessary information, failure of an organization to control relevant areas of an information technology system and natural disasters which may be in or may be out of control of a human being (Landoll, 2016). An example of this is when a burglary happens, and the thieves steal computers and storage devices which contain sensitive information. A failure to recover these items leads to the robbery being a threat source as it is the event that led to the loss of an organization's sensitive information.

In the case of BRI, there are a variety of threat sources and events which greatly influence the safety of the intelligence reports that U.S diplomats use in their jobs. BRI's network is and has been the victim of malicious cyber-attackers who target the organization's intelligence data. The staff at the organization are also a source of the security threat in the organization. For instance, the chief of the bureau uses his e-mail system to carry out both his personal and business interests. As such, attackers can access his e-mail and have easy access to the organization's sensitive information. With regards to the organization's information technology infrastructure, there is a software defect in the human resource segment where a web application allows the users who access it to be able to view personal information of BRI's employees. The information displayed on the organization web's is a threat to the individuals working for the company and therefore, the web application is a threat source that can cause a threat event. One of the organization's employees took home a work laptop and unfortunately, there was a burglary which led to the theft of the computer which was later not recovered. The burglars, therefore, have sensitive data concerning the operations of the organization and this is a potential security threat. There was also a case of a disgruntled employee disclosing classified documents through media outlets. The confidential information that the employee disclosed has the potential to harm not only the employees in the company and the diplomats whose information was likely among the published data but also could affect the nation's foreign relations with other countries. The organization's systems were also defective as malware had infected all the computers in several foreign embassies. The event led to the organization and the state losing her reputation once the information became public knowledge. It also led to massive financial losses to both the individuals whose information became general knowledge and the government agencies responsible for preventing such an occurrence.

Vulnerabilities and Predisposing Conditions

A vulnerability is a deficit in an information technology system, the system's security procedures, internal controls and at times, the implementation of various security features which can lead to a malicious individual exploiting them to advance their evil agenda. Most of the vulnerabilities in a system, however, have an association with security controls that need to be in place but are not yet in place. As such, these deficits are a potential source for threat sources leading to threat events when a malicious individual exploits them. In other instances, the organization may have put in place security controls, but they are not adequate to protect sensitive information (Talabis, 2012). Some vulnerabilities, however, arise in the course of an organizations operations, and these are often beyond a person's control; an example of this is when an organization restructures some aspect of services and in so doing, expose a department to a security risk by not having adequate security to cater for the expansion. In such instances, the existing security protocols are inadequate and need a reassessment to regain control of the situation. As such, whenever an organization restructures its affairs and operations, it is vital to continuously conduct a security risk assessment and maintain situational awareness of the security posture of the organization. Other vulnerabilities are sometimes present in the management and governance structures of the organization. Predisposing conditions is one of the causes of security threats to the operations of an organization. A predisposing condition is one where the presence of a vulnerability or threat event and source can increase the effects of a security breach. The situation magnifies the impact of a threat source or development by letting the proponent easily access the sensitive information of the organization.

In the case of BRI, there is a myriad of vulnerabilities and predisposing conditions. The identification and authentication controls of the organization's systems are inadequate. The system does not have a lower limit for the characters for the passwords of the employees and other pertinent network infrastructure devices. The lack of a more moderate bound for the passwords predisposes the organization's systems to malicious attacks from evil individuals. The user account passwords also lack an expiration date implying that most employees do not change them and this can lead to attackers accessing sensitive information several times because the employees are not likely to update their passwords. The organization does not also have other means for authentication, and therefore, attackers only have to break the passwords to get access to sensitive information. BRI also allows users to have a significant amount of access to intelligence databases. An employee can easily access confidential information, and this severely influences the security of the organization's intelligence data. With regards to data security, BRI does not encrypt all its data, and this is a predisposing condition to malicious individuals accessing the sensitive data. Another predisposing factor to insecurity in the organization's information technology system infrastructure is the use of wireless systems and the fact that employees are allowed to bring their devices and connect with the organization's network. The implication of this is that the method of allowing employees to use their tools and connect with the agency's system creates loopholes for attackers to access sensitive information.

The data center manager is the only person who has the relevant information concerning a recovery plan in the event of a network failure or any other mishap. The data center manager being the only one with a recovery plan is a threat source as in the event of a disaster, no one else in the agency will know what steps to follow. Risk management techniques require that relevant individuals in an organization are conscious of...