Friday, December 6, 2019

Assessment Method for SCADA Information Security - Free Samples

Question: Discuss the assessment method for SCADA information security.

Answer:

Introduction

Every country has a range of sectors and industries that contribute to its economy and growth. One of these is the finance industry, which comprises many financial agencies, organizations and business units. Australia is home to many such firms providing financial services and operations to the public; one of them is Aztek, an Australian organization that provides finance-related services and therefore manages and processes financial information.

The world's population is growing rapidly, and so is the demand for every service and solution. Aztek has established a good name in the market, and its customer base has grown over the years. However, its current infrastructure and environment are no longer adequate for performing business operations with the required quality and results. Problems have emerged in information sharing and management, communication, business operations and continuity. With the increase in the volume and variety of information, the number and types of security incidents have also increased. Organizational information is one of Aztek's prime assets and cannot be put at risk. In view of the severity of the situation, Aztek's management has proposed several projects whose objectives are to eliminate the current set of problems and to improve business continuity and revenue.

Bring Your Own Device (BYOD) is a scheme in which the staff of an organization are permitted to bring their personal devices into the office and use them to carry out official tasks. The projects recommended by management were analyzed with their respective pros and cons, and the one selected for implementation at Aztek is the BYOD project. Individuals today own a variety of devices, commonly smartphones, laptops, tablets, routers and modems. Aztek is a financial firm that is still growing and expanding, and procuring separate devices for every project may be a challenge. For instance, a financial application or service provided by Aztek may need to be tested on mobile devices before release, on different operating systems such as Android, Windows and iOS. This would require at least four or five mobile devices at considerable cost. Under BYOD, the same testing can be done without additional procurement by asking employees to use their own devices, and the cost avoided can be directed to other activities and tasks.

Financial Services Review of the BYOD Project

Organizations deal with different types of information. Some information falls in the lowest risk zone, while other information sets require the highest level of security and control. Financial information is critical and highly sensitive, and its security cannot be taken lightly; the majority of Aztek's information sets fall into this category. Control and secure monitoring of these information sets is therefore mandatory and is also governed by multiple security laws and standards. Australia has several bodies and departments that regulate financial operations and oversee the correct flow and protection of financial information.

One such body is the Australian Securities and Investments Commission (ASIC), which regulates financial services in Australia and sets the standards and compliance norms that firms must adhere to. The rules and policies defined by ASIC must be followed by Aztek in its implementation of BYOD. Most payments are now made online, and the rules governing electronic payments differ from those for non-electronic payments; electronic payments are regulated by the ePayments Code administered by ASIC. Financial and other information associated with Aztek must also be protected in accordance with the applicable intellectual property and privacy requirements.

Description of the Project from the Financial Perspective

Aztek has set out the following goals and objectives as a business unit:

1. To serve customers with high-grade financial services of the utmost reliability and accuracy and the least complexity.
2. To ensure that the engagement and satisfaction levels of the organization's employees are always high and keep improving.
3. To ensure that the engagement and satisfaction levels of the organization's customers are always high and keep improving.
4. To complete all organizational activities within the delivery schedule and the project budget.

A project's own goals and objectives must be aligned with these organizational goals, and the same applies to the BYOD project at Aztek. Employees will be able to bring their own devices, on which the applications and tools used for organizational tasks will be installed. This allows a better work-life balance, as employees will be able to work from home and other non-office locations as well, which contributes to objectives one and two above. Greater employee efficiency will contribute to better and more accurate financial operations, so customers will receive the services they expect and their engagement will improve. Many procurement and maintenance costs will be eliminated, which improves adherence to the budget.

Beyond its strategic alignment with the organizational objectives, the project brings a number of additional benefits. Employees keep their devices with them, so on days with a lighter workload they can use them to get hands-on with upcoming financial operations and project activities, gaining familiarity and ease of use and identifying possible risk areas. Employees will be able to report their work and the activities completed in a day to their project and functional managers through resource management and reporting tools on their devices (Gessner, 2016). Testing of applications and services will be easier, and the larger number of devices available under BYOD improves the chance of finding more bugs and defects. Employees will be able to share information and stay connected with colleagues at all times (Retailwire, 2016). The rules and guidelines set out by the Australian boards and bodies will be maintained in the project. On the basis of the feasibility study, the project has been found feasible from the operational, technical and economic viewpoints.
Impact of BYOD on the Current Security Infrastructure of Aztek

BYOD has a number of positive implications for organizations, but it comes with its own challenges and issues, and the same will be true of its implementation at Aztek. Every risk or threat needs a medium through which it is carried out, and this medium is termed a threat agent. Many agents inside and outside the organization may give shape to attacks: staff members, internal and external networks, technical tools and equipment, end users and so on. A strategy will be required for handling and controlling these threats. BYOD is a new and first-of-its-kind project at Aztek, and it will give rise to new forms of security risk and attack for which a control strategy will need to be added.

The newest addition to the organization will be the devices that employees bring in to carry out professional tasks. These devices may have security tools installed that are adequate for the employees' personal use but not sufficient to protect organizational information. Aztek's IT and security team will need to analyze each device before it is admitted, and a baseline of malware protection, intrusion detection, authentication and access control must be in place. The threat agents associated with Aztek include many different entities, but a large share of attacks will arrive over the network. A risk analysis of these network-based attacks must be carried out, followed by the development of network security and management measures.

The advance of network technology has produced many new tools, and these, together with business intelligence techniques, should be applied to address threats and attacks at their root and reduce the likelihood of their recurrence (Coleman, 2011).

Aztek's employees will use their devices at home and in other non-office locations, because the devices will carry the tools and applications needed for professional tasks. Some of these applications, however, must be accessible only from the office network, because public networks and use of the device by unauthorized users increase the likelihood of the risks (Newton, 2015). Employees' devices may also be used by their family members and friends, who may access the official tools and be exposed to organizational information; such incidents are accidental attacks on the security and privacy of information. There may also be intentional attacks by employees seeking monetary or other benefits from third parties, and strategies will need to be developed and implemented to prevent such insider threats (Trendmicro, 2016). The security policy must explicitly state the risks and the corresponding security strategy for treating them.

Risk Assessment Process

A risk is any event or action whose outcome may have a positive or negative impact and which is not wanted by the entity in which it occurs; in most cases the outcome is negative. Many risks are associated with Aztek's BYOD project, and they need to be assessed and managed with a proper plan and with the utmost dedication (Crane, 2013).
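The controls discussed above (a device baseline enforced by the IT and security team, applications reachable from the office network only, and access tied to user roles and the information classification given later under Data Security for Aztek) can be combined into a single deny-by-default decision. The following is an added example, not code from the essay or from any Aztek system; the role names, the classification levels, the 30-day patch baseline and the sample devices are assumptions chosen for illustration.

```python
"""Hypothetical BYOD conditional-access check for a firm like Aztek.

Added example; not code from the page or from any Aztek system. The role names,
classification levels and posture baseline are assumptions drawn from the essay's
classification table and its discussion of device and network threats.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    PRIVATE = 1
    CONFIDENTIAL = 2
    SENSITIVE = 3


# Assumed role -> highest classification the role may access (from the table).
ROLE_CLEARANCE = {
    "board_member": Classification.SENSITIVE,
    "ceo": Classification.SENSITIVE,
    "project_manager": Classification.CONFIDENTIAL,
    "department_head": Classification.CONFIDENTIAL,
    "data_scientist": Classification.PRIVATE,
    "stakeholder": Classification.PUBLIC,
}

MAX_PATCH_AGE_DAYS = 30  # assumed baseline: OS security updates within 30 days


@dataclass(frozen=True)
class Device:
    enrolled: bool          # analysed and registered by the IT/security team
    os_patch_date: date     # most recent OS security update
    disk_encrypted: bool
    screen_lock: bool       # blocks casual use by family and friends
    malware_protection: bool


@dataclass(frozen=True)
class AccessRequest:
    role: str
    device: Device
    network: str            # "office" or "public"
    classification: Classification
    mfa_passed: bool
    today: date             # injected so the decision is reproducible


def posture_failures(device: Device, today: date) -> list[str]:
    """Baseline checks the device fails; an empty list means compliant."""
    failures = []
    if not device.enrolled:
        failures.append("device not enrolled with IT/security")
    if (today - device.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not device.disk_encrypted:
        failures.append("storage not encrypted")
    if not device.screen_lock:
        failures.append("no screen lock")
    if not device.malware_protection:
        failures.append("no malware protection")
    return failures


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Deny-by-default decision: returns (allowed, reasons for denial)."""
    reasons = []

    # 1. The role must be known and cleared for the requested classification.
    clearance = ROLE_CLEARANCE.get(req.role)
    if clearance is None:
        reasons.append("unknown role %r" % req.role)
    elif req.classification > clearance:
        reasons.append("role %s is not cleared for %s data"
                       % (req.role, req.classification.name))

    # Public data carries no device or network requirement.
    if req.classification == Classification.PUBLIC:
        return (not reasons, reasons)

    # 2. Everything else needs MFA and a device that meets the baseline.
    if not req.mfa_passed:
        reasons.append("multi-factor authentication not completed")
    reasons.extend(posture_failures(req.device, req.today))

    # 3. Confidential and sensitive applications are office-network only.
    if req.classification >= Classification.CONFIDENTIAL and req.network != "office":
        reasons.append("%s data is reachable from the office network only"
                       % req.classification.name)

    return (not reasons, reasons)


# Constructed sample data for the demonstration below.
TODAY = date(2019, 12, 6)
COMPLIANT_DEVICE = Device(True, date(2019, 11, 20), True, True, True)
STALE_DEVICE = Device(True, date(2019, 9, 1), True, False, True)  # old patches, no lock

if __name__ == "__main__":
    for req in (
        AccessRequest("ceo", COMPLIANT_DEVICE, "office", Classification.SENSITIVE, True, TODAY),
        AccessRequest("ceo", COMPLIANT_DEVICE, "public", Classification.SENSITIVE, True, TODAY),
        AccessRequest("project_manager", STALE_DEVICE, "office", Classification.CONFIDENTIAL, True, TODAY),
        AccessRequest("stakeholder", STALE_DEVICE, "public", Classification.PUBLIC, False, TODAY),
    ):
        allowed, why = evaluate(req)
        print(req.role, req.classification.name, "ALLOW" if allowed else "DENY", why)
```

The decision collects every failed check rather than stopping at the first, so the help desk can tell an employee exactly why a device was refused (stale patches and a missing screen lock at once, for instance). An unknown role is denied even for public data, and the office-network rule applies only to confidential and sensitive applications, matching the essay's point that some applications must not be reachable from public networks while others may be.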
Risk management combines many steps and phases taken to ensure that risks are avoided or controlled. The management of these risks must follow a proper plan; the phases of the risk management procedure at Aztek are as follows.

Aztek: Process for the Management of Risks

- Identification: the risks must first be identified so that further action can be taken (Capterra, 2016). Various data sources should be explored to make sure that the risks are correctly identified (Berg, 2016).
- Assessment and prioritization: the identified risks are recorded in a risk register, which gives each risk's description, impact and likelihood and its level in the overall risk ranking (Castsoftware, 2016).
- Planning: the risk management plan must list the resources responsible for managing risks and describe the processes for handling the risks that have been identified and analyzed.
- Treatment: the treatment strategies that may be applied and the guidelines for selecting a treatment strategy for a particular risk (Microsoft, 2016).
- Verification and validation: management and administrative bodies must review the status of the risks through frequent verification and validation (Development, 2013).
- Monitoring and control: the risks are monitored and controlled, and a report is prepared covering the activities carried out for every risk (Vila, 2012).

Risk Register for Aztek

The device owners themselves may fail to take adequate measures to avoid and prevent risks; for instance, they may not update their devices regularly to close off known attacks and threats (Qld, 2016), which increases the probability of the risks. Insider threats are a further category. Employees' devices may be used by their family members and friends, who may access the official tools and be exposed to organizational information; such incidents are accidental attacks on the security and privacy of information. There may also be intentional attacks by employees seeking monetary or other benefits from third parties, and strategies will need to be developed and implemented to prevent such insider threats (Markovic-Petrovic and Stojanovic, 2014).

Data Security for Aztek

Financial information is critical and highly sensitive, and its security cannot be taken lightly; the majority of Aztek's information sets fall into this category. Control and secure monitoring of these information sets is therefore mandatory and is also governed by multiple security laws and standards. Aztek's information is classified as follows:

- Sensitive data: users' passwords and PINs for accessing their financial data, and the transaction details associated with user accounts (Scu, 2016).
- Confidential data: the financial services and projects taken up by the organization, and the new technologies and activities it may be working on.
- Private data: information on staff members and customers such as names, addresses and contact details (Test-institute, 2016).
- Public data: the organization's goals and strategies, vision and mission.

Access to each category of information must be restricted to the users authorized to handle it, based on the users' attributes and roles (Chapman, 2000).

Information Classification: User Roles and Privileges

Type of information | Allowed to access | Responsible and accountable for security
Sensitive | Board of directors of Aztek and the company CEO | CIO of the company and the security manager
Confidential | Project managers, team leaders, department heads | CIO of the company and the security manager
Private | Data scientists and data managers (Dey, 2008) | Security manager, security analysts
Public | Company stakeholders | Security team of Aztek

Conclusion

Aztek is an Australian organization that provides finance-related services and therefore manages and processes financial information. Demand for its services has grown with its good name in the market and its expanding customer base, but its current infrastructure and environment are no longer adequate for performing business operations with the required quality and results, with issues emerging in information sharing and management, communication, business operations and continuity. BYOD is a new and first-of-its-kind project at Aztek, and it will give rise to new forms of security risk and attack for which a control strategy will need to be added.
The newest addition to the organization will be the devices that employees bring in to carry out professional tasks. The threat agents associated with Aztek include many different entities, but a large share of attacks will arrive over the network, so a risk analysis of network-based attacks must be carried out and followed by network security and management measures. Employees' devices may also be used by their family members and friends, who may access the official tools and be exposed to organizational information; such incidents are accidental attacks on the security and privacy of information. These risks and incidents must be treated with a proper plan using administrative checks, stronger technical controls and physical security, and the organization's security plan and strategy must be kept up to date with the latest controls in all three areas.

References

Berg, H. (2016). Risk Management. Retrieved 22 September 2017, from https://ww.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf
Berg, H. (2010). Risk Management: Procedures, Methods and Experiences. Retrieved 3 September 2017, from https://ww.gnedenko-forum.org/Journal/2010/022010/RTA_2_2010-09.pdf
Capterra. (2016). Best Risk Management Software | 2016 Reviews of the Most Popular Systems. Retrieved 22 September 2017, from https://www.capterra.com/risk-management-software/
Castsoftware. (2016). What is Software Risk and How to Prevent Software Risk. CAST Software. Retrieved 22 September 2017, from https://www.castsoftware.com/research-labs/software-risk
Chapman, C. (2000). A desirable future for technology risk management. International Journal of Risk Assessment and Management, 1(1/2), 69. https://dx.doi.org/10.1504/ijram.2000.001488
Cioupdate. (2016). Effective Measures to Deal with Cloud Security. CIO Update. Retrieved 22 September 2017, from https://www.cioupdate.com/technology-trends/effective-measures-to-deal-with-cloud-security.html
Coleman, T. (2011). A Practical Guide to Risk Management. Retrieved 3 September 2017, from https://www.cfapubs.org/doi/pdf/10.2470/rf.v2011.n3.1
Crane, L. (2013). Introduction to Risk Management. Retrieved 3 September 2017, from https://extensionrme.org/pubs/IntroductionToRiskManagement.pdf
Development, C. (2013). What are the 5 Risk Management Process Steps? Continuing Professional Development. Retrieved 22 September 2017, from https://continuingprofessionaldevelopment.org/risk-management-steps-in-risk-management-process/
Dey, P. (2008). Risk management in information technology projects. International Journal of Risk Assessment and Management, 9(3), 311. https://dx.doi.org/10.1504/ijram.2008.019747
Gessner, D. (2016). Towards a User-Friendly Security-Enhancing BYOD Solution. Retrieved 22 September 2017, from https://in.nec.com/en_IN/images/120324.pdf
Grimes, R. (2016). The 5 cloud risks you have to stop ignoring. InfoWorld. Retrieved 22 September 2017, from https://www.infoworld.com/article/2614369/security/the-5-cloud-risks-you-have-to-stop-ignoring.html
InformationWeek. (2016). 9 Worst Cloud Security Threats. Retrieved 22 September 2017, from https://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085?page_number=2
Markovic-Petrovic, J., & Stojanovic, M. (2014). An Improved Risk Assessment Method for SCADA Information Security. Elektronika ir Elektrotechnika, 20(7). https://dx.doi.org/10.5755/j01.eee.20.7.8027
Microsoft. (2016). Risk Management Process Overview. Microsoft TechNet. Retrieved 22 September 2017, from https://technet.microsoft.com/en-us/library/cc535304.aspx
Newton, P. (2015). Managing Project Risks. Retrieved 3 September 2017, from https://www.free-management-ebooks.com/dldebk-pdf/fme-project-risk.pdf
Proconceptsllc. (2016). Risk Radar Enterprise, Risk Management Software. Pro-Concepts LLC. Retrieved 22 September 2017, from https://www.proconceptsllc.com/risk-radar-enterprise.html
Qld. (2016). Risks of cloud computing. Queensland Government. Retrieved 22 September 2017, from https://www.business.qld.gov.au/business/running/technology-for-business/cloud-computing-business/cloud-computing-risks
Retailwire. (2016). Happiness Is Bringing Your Own Computer Devices to Work. RetailWire. Retrieved 22 September 2017, from https://www.retailwire.com/discussion/16188/happiness-is-bringing-your-own-computer-devices-to-work
Scu. (2016). The Risk Management Process. Southern Cross University. Retrieved 22 September 2017, from https://scu.edu.au/risk_management/index.php/8/
Stoneburner, G. (2002). Risk Management Guide for Information Technology Systems. Retrieved 3 September 2017, from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
Test-institute. (2016). What Is Software Risk and Software Risk Management? International Software Test Institute. Retrieved 22 September 2017, from https://www.test-institute.org/What_Is_Software_Risk_And_Software_Risk_Management.php
Trendmicro. (2016). BYOD - Consumerization of IT Mobility. Trend Micro USA. Retrieved 22 September 2017, from https://www.trendmicro.com/us/enterprise/challenges/it-consumerization/
Uasask. (2017). IT Risk Management Procedure. Retrieved 3 September 2017, from https://www.usask.ca/ict/documents/IT%20Risk%20Management%20Procedure.pdf
Vila, S. (2012). Risk Management Model in ITIL. Retrieved 3 September 2017, from https://fenix.tecnico.ulisboa.pt/downloadFile/395144242579/Risk%20management%20on%
