Wednesday, May 6, 2020
Information Technology and Systems Management
Question: Discuss about the Information Technology and Systems Management.

Answer:

Introduction

A risk refers to the possibility of an event that may result in some sort of damage or negative impact. Information technology and systems are exposed to a number of risks of varied categories, and these may result in anything from low to severe impact. It is necessary for a project in the IT field to follow a well-devised risk management plan covering the necessary steps of risk identification, risk analysis, risk evaluation and risk treatment (Gartner, 2016). There are a number of methods to treat the risks, such as risk avoidance, risk acceptance, risk mitigation and risk transfer. The report discusses various topics under IT risks and elaborates each one of them in detail.

Stakeholder Map

The stakeholder map classifies stakeholders along two axes, operational versus executive and internal versus external. The stakeholders identified are: Security Expert, Network Designer, Administrator, Verifier, Project Manager, Technical Expert and Analyst, Security Head, Program Manager, Business Analyst and End User.

Security Virtues

There are broadly four virtues of security that must always be considered in order to protect the system from security risks and attacks.
- Daily consideration: Security must be considered on a daily basis, and steps must be taken to keep the assets secure at all times rather than only at fixed intervals.
- Community effort: Security should be treated as a community effort, that is, all the parties involved must take care of security rather than leaving the task to a designated team.
- Higher focus: The focus put forward by the security team must be high and must be generalized as well.
- Education: It is not possible for the resources to practice security measures without any knowledge or background, and thus training sessions must be arranged (Day, 2003).

Internet Security

The internet suffers from a number of security risks and threats, and in spite of the many measures and protocols developed to keep it safe from such risks, numerous incidents are still encountered on a frequent basis. As per the internet threat model, it is possible for attackers to devise a means through which they can add, delete, modify, duplicate or perform any other operation on the internet packets transferred from one location to another (Rescorla, 2003). A number of internet and network security risks prevail in the present era, and some of them are discussed below.

Malware Threats

These are the most common threats present, and information on the internet can get exposed because of them. A number of malware types such as viruses, logic bombs, Trojan horses, worms, adware and many others get downloaded onto the user's machine through the internet and can gain unauthorized access to information. These may or may not be self-replicating in nature, but they have the potential to cause severe damage.

Integrity Attacks

Message and media alteration attacks are executed on the network to make unauthorized changes to the information being exchanged.
These are attacks that occur by making modifications to the message in the middle of the communication, for example redirecting the call in an unauthorized way or making changes to the message being exchanged so as to convey misleading data to the receiver. Call redirection is executed by attackers to re-route the call and add or remove entities that are not authorized to be a part of it. Call black-holing is another type of message alteration integrity attack, in which the call is deliberately delayed by introducing errors in the set-up, increasing the turnaround time or similar activities (Obidinnu & Ibor, 2016).

Quality of Service (QoS) Abuse

These are attacks that fall under the availability category, since they affect the availability of communication at the expected quality. There are also attacks in this class in which special tools are used to exhaust the bandwidth of a specific connection or network (Shaidani, 2016).

Server Impersonation

In this type of attack, the attacker impersonates the media server, receives the request for a particular communication, sends the response and carries out the malicious activity. The availability of normal communication is not restored, and this has a serious effect on that form of communication.

Media Session Hijacking

While a media session is in progress, the attacker may hijack the session and redirect the media to another endpoint. This causes the unavailability of normal communications and thereby affects the availability of the data.

Mental Models of Computer Security Risks

Mental models are simplified concepts that explain how a particular process or phenomenon works in reality.
The mental models used to understand the security risks associated with computer systems and information technology are based on a number of conceptual models, explained below.

- Physical Safety: The physical concept associated with the security of any system is significant, as individualized and localized physical control is of utmost importance.
- Medical Infections: The model of security incidents as medical infections is grounded in the patterns by which malicious code and infectious diseases spread, and in the importance of heterogeneity in the larger network. Some studies of network security have focused on the idea of the network as an ecosystem of security.
- Criminal Behavior: There is malicious intent or criminal behavior behind the execution of the risk or an attack associated with it.
- Warfare: The risks and attacks are executed because of the presence of an enemy who prepares the ground for the execution of these attacks.
- Economic Failure: These risks are often seen as market or economy failures, which may cause severe damage to the victim organization (Asgharpour, 2016).

These mental models explain the reasons and the participants behind the risks that take place. As per these models, every risk in the system, termed r, has a designated list of participants who are either involved in or affected by the risk, represented as p. Multi-dimensional scaling is used to understand the behavior and involvement of experts and non-experts behind the mental models of security.

Perception of Risks

It is important for the organization and the project teams to perceive the risks correctly. There are a number of factors associated with the risks, in terms of likelihood, impact, nature of risk, type of risk and the like.

[Figure: Model of impact for the unfortunate events (Slovic, 2016)]

The methodology to manage and treat the risks depends largely upon the way the risks are perceived.
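The four steps named in the introduction (identification, analysis, evaluation, treatment) and the likelihood and impact factors discussed under perception of risks, worked through as a small risk register. This is an added example written for this page, not code from the report or from any of the cited sources; the 1 to 5 scales, the tolerance threshold of 6, the decision rules and the sample risks are all constructed for illustration.

```python
"""Risk register worked example (added; not from the original report).

Walks identification, analysis, evaluation and treatment over a constructed
set of IT risks and picks one of the four treatments named in the report
(avoidance, acceptance, mitigation, transfer). The 1-5 scales, the tolerance
threshold and the decision rules are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    AVOIDANCE = "avoidance"
    ACCEPTANCE = "acceptance"
    MITIGATION = "mitigation"
    TRANSFER = "transfer"


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: int             # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale: 1 (negligible) .. 5 (severe)
    avoidable: bool = False     # the activity that creates the risk can be dropped
    transferable: bool = False  # e.g. insurable or handed to a provider

    def score(self) -> int:
        """Analysis step: likelihood x impact rating (assumed method)."""
        return self.likelihood * self.impact


def evaluate(risk: Risk, tolerance: int = 6) -> str:
    """Evaluation step: rate the score against an assumed tolerance."""
    s = risk.score()
    if s >= 15:
        return "high"
    if s > tolerance:
        return "medium"
    return "low"


def choose_treatment(risk: Risk, tolerance: int = 6) -> Treatment:
    """Treatment step: map the evaluation onto one of the four treatments."""
    level = evaluate(risk, tolerance)
    if level == "low":
        return Treatment.ACCEPTANCE      # within tolerance: accept and monitor
    if level == "high" and risk.avoidable:
        return Treatment.AVOIDANCE       # drop the activity altogether
    if risk.transferable and risk.likelihood <= 2:
        return Treatment.TRANSFER        # rare but costly: insure or outsource
    return Treatment.MITIGATION          # reduce likelihood or impact with controls


def build_register(risks, tolerance: int = 6):
    """Produce the register rows, highest score first."""
    rows = []
    for r in sorted(risks, key=lambda x: x.score(), reverse=True):
        rows.append({
            "name": r.name,
            "category": r.category,
            "score": r.score(),
            "level": evaluate(r, tolerance),
            "treatment": choose_treatment(r, tolerance).value,
        })
    return rows


# Identification step: constructed sample risks drawn from the report's categories.
SAMPLE_RISKS = [
    Risk("Malware delivered by e-mail attachment", "malware", 4, 4),
    Risk("Legacy FTP service exposed to the internet", "network", 5, 3, avoidable=True),
    Risk("Media session hijacking on the VoIP platform", "integrity", 3, 4),
    Risk("Flooding of the server room", "physical", 2, 5, transferable=True),
    Risk("Visitor badge not returned", "physical", 2, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['level']:<6} {row['treatment']:<10} {row['name']}")
```

The decision rules encode the usual reasoning: a risk inside tolerance is accepted and monitored; a high risk whose source activity can simply be dropped is avoided; a rare but expensive risk that can be insured or contracted away is transferred; everything else gets controls (mitigation). Changing the tolerance re-sorts the register without touching the analysis, which is the point of keeping analysis and evaluation as separate steps.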
This perception also aids the team in forming the methods to control and mitigate the risks.

Security Metrics

Security metrics provide a mechanism to draw a distinction between metrics and measurements. The security metrics associated with computer and information risks must be SMART, that is, specific, measurable, attainable, repeatable and time-dependent in nature. In order to generate or draw up the security metrics for the security risks, a series of steps must be followed. First of all, the goals and objectives must be defined in order to design the metrics. It is also important to decide which metrics to generate. Strategy, benchmarks and targets must then be finalized for the design of the metrics. An action plan must then be created and executed to put the security metrics in place. The metrics that are created must include risk management, patch management, cost-benefit analysis and other features and factors (Sans, 2016).

Use Case Models

Use Cases and Brief Descriptions

Use Case | Description
Authentication Check | A request-response structure to make sure that authentication checks are performed for maintenance of security
Identity Management | Two-layer authentication, including the keying in of a one-time password, for security
Access Management | Authorization and authentication checks
Network Security | Network monitoring and scans to make sure that there are no risks involved

Use Case Diagrams

[Figure: Use case diagrams]

Conclusion

IT risk management is a broad concept that comprises a number of components and the techniques present within them. The several risks present in the world of information technology can be handled with a number of different mechanisms, such as identity and access management, anti-virus software, use of firewalls, intrusion detection and prevention, and a number of other methods.
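Returning to the Security Metrics section above: the steps it lists (define the goal, choose the metric, fix benchmarks and targets, then act on the result) worked through for the patch-management metric the section names. This is an added example written for this page, not code from the report or from the cited SANS guide; the hosts, dates, SLA windows and targets are constructed values chosen to make the metrics SMART, and the as-of date is simply the post's date.

```python
"""Security metrics worked example (added; not from the original report).

Two SMART patch-management metrics over a constructed sample:
  * patch compliance: share of records patched within their SLA window, or
    still inside the window if not yet patched, as of a date; target >= 90 %
  * mean time to patch: average days from release to application; target <= 10
Hosts, dates, SLA windows and targets are assumed values for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed SLA windows in days per severity (the report gives none).
SLA_DAYS = {"critical": 7, "high": 30}
# Assumed targets, fixed before measuring so the metric is time-bound and attainable.
TARGETS = {"patch_compliance": 0.90, "mean_time_to_patch_days": 10.0}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    severity: str
    released: date           # vendor patch release date
    applied: Optional[date]  # None means still outstanding


# Constructed sample data (not real hosts or advisories).
AS_OF = date(2020, 5, 6)
RECORDS = [
    PatchRecord("srv-01", "critical", date(2020, 4, 1), date(2020, 4, 5)),
    PatchRecord("srv-02", "critical", date(2020, 4, 1), date(2020, 4, 20)),
    PatchRecord("srv-03", "high", date(2020, 4, 10), date(2020, 4, 25)),
    PatchRecord("srv-04", "high", date(2020, 4, 10), None),
    PatchRecord("srv-05", "critical", date(2020, 4, 20), None),
]


def is_compliant(rec: PatchRecord, as_of: date) -> bool:
    """Patched inside the SLA window, or unpatched but the window has not closed."""
    window = SLA_DAYS[rec.severity]
    if rec.applied is not None:
        return (rec.applied - rec.released).days <= window
    return (as_of - rec.released).days <= window


def patch_compliance(records, as_of: date) -> float:
    """Fraction of records that are compliant as of the given date."""
    if not records:
        return 0.0
    return sum(is_compliant(r, as_of) for r in records) / len(records)


def mean_time_to_patch(records) -> float:
    """Average release-to-applied delay in days over patched records only."""
    done = [(r.applied - r.released).days for r in records if r.applied is not None]
    return sum(done) / len(done) if done else 0.0


def overdue_hosts(records, as_of: date):
    """Hosts whose outstanding patch has already blown its SLA window."""
    return [r.host for r in records if r.applied is None and not is_compliant(r, as_of)]


def evaluate_metrics(records, as_of: date) -> dict:
    """Compare each measurement with its target; the 'met' flag drives the action plan."""
    comp = patch_compliance(records, as_of)
    mttp = mean_time_to_patch(records)
    return {
        "patch_compliance": {
            "value": comp, "target": TARGETS["patch_compliance"],
            "met": comp >= TARGETS["patch_compliance"],
        },
        "mean_time_to_patch_days": {
            "value": mttp, "target": TARGETS["mean_time_to_patch_days"],
            "met": mttp <= TARGETS["mean_time_to_patch_days"],
        },
        "overdue_hosts": overdue_hosts(records, as_of),
    }


if __name__ == "__main__":
    for name, result in evaluate_metrics(RECORDS, AS_OF).items():
        print(name, result)
```

On the sample, compliance comes out at 3 of 5 records (60 %) and mean time to patch at just under 13 days, so both targets are missed and srv-05 is listed as overdue; that list is what the action plan step acts on. Counting an unpatched record as compliant while its window is still open keeps the metric honest about what is actually late rather than penalising work that is still on schedule.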
It is also necessary to set up and install a high level of physical security in the infrastructure to prevent the risks from occurring. Perception of risks and the security metrics associated with the risks are extremely significant in dealing with the risks that threaten IT security. These measures should be created accurately and with utmost care in order to deal with the risks. A number of measures and steps are already being taken in order to protect the system from the risks, but these are not enough on their own. Security managers are thus required to take a step forward to ensure security against these events and manage the risks at all levels.

References

Asgharpour, F. (2016). Mental Models of Computer Security Risks. Retrieved 9 September 2016, from https://www.econinfosec.org/archive/weis2007/papers/80.pdf
Day, K. (2003). Inside The Security Mind - Making the tough decisions (1st ed., p. 25). Pearson Education Inc.
Gartner. (2016). IT Risk Management. Gartner.com. Retrieved 9 September 2016, from https://www.gartner.com/technology/consulting/it-risk-management.jsp
Obidinnu, J., & Ibor, A. (2016). A survey of Attacks on VoIP networks and Countermeasures. Ajol.info. Retrieved 9 September 2016, from https://www.ajol.info/index.php/wajiar/article/viewFile/128074/117625
Rescorla, E. (2003). The Internet is Too Secure Already (1st ed.). RTFM Inc.
Sans. (2016). A Guide to Security Metrics. Sans.org. Retrieved 9 September 2016, from https://www.sans.org/reading-room/whitepapers/auditing/guide-security-metrics-55
Shaidani, S. (2016). and Defenses Against Voice over IP (VoIP). Retrieved 9 September 2016, from https://www.cs.tufts.edu/comp/116/archive/fall2015/sshaidani.pdf
Slovic, P. (2016). Perception of Risk (1st ed.). American Association for the Advancement of Science.