Tuesday, May 5, 2020
Security and Risk Management Proposal for MYOB Australia - Samples
Question: Discuss about the Security and Risk Management Proposal for MYOB Australia. Answer: Introduction The chosen organization for the investigation of various risks and preparation of risk management plan is MYOB (Mind Your Own Business), Australia. MYOB is an Australian based organization that develops tax and accounting softwares for helping small and medium sized business organizations. Since the advent of cloud computing services, MYOB has hosted its entire operations online in the cloud interface (Lim et al., 2013). Instead of physical storage and manual handling of the operations, the cloud based system is much more efficient and does not require additional physical storage space. However, due to hosting the entire operations, the company faces some serious security risks. The main risks will be discussed later in this report. Due to the chances of occurrence of the risks, some disaster may occur during anytime that will not only disrupt in the business operations but will also incur serious long term consequences in the business of MYOB. Hence, it is important to prepare a con tingency plan in order to recover the system from the possible attacks and security issues. However, contingency planning is only a short term plan for system recovery. It is more important to develop a risk management plan in order to ensure that the chances of the risks are minimized to as low as possible. Moreover, business continuity planning is required in order to maintain business continuity in spite of occurrence of the risks. In this report, the current situation at MYOB has been analyzed with the help of some risk analysis tools and techniques. Moreover, the main risks have been identified and a contingency plan has been prepared. Finally, a proposal has been prepared for the business continuity planning of the organization. Investigation In order to investigate the existing situation at MYOB and identify the risks associated with it, a number of tools and techniques have been used. These tools and techniques are described as follows. Documentation Review Documentation review is a basic risk assessment technique that is used to analyze the existing situation in an organization. Analysis and review of the existing situation helps to identify the gaps that may result in the security risks and issues. For this project, a documentation review was conducted where the documents of MYOB were reviewed for analyzing the current situation of the company. Delphi Technique In Delphi technique, a team of experts are contracted anonymously and some information is sent to them for analysis and review. The whole process is kept anonymous in order to avoid biasing. After the information is sent, the experts analyze it and reach suitable conclusions (Sadgrove et al., 2016). These conclusions are listed, documentation and sent back. This Delphi technique is an effective analysis tool as a team of experts conduct the entire analysis process. Interview Personal or questionnaire interview is one of the most effective tools for risk analysis in an organization. In addition to understanding the existing situation at the organization, several diverse ideas can be generated in the interview that helps to analyze various aspects of the organization instead of focusing on just one. In this particular project, a questionnaire based interview has been conducted on the current employees of MYOB. The main aim of this interview was to identify the gaps that may cause risks in the companys existing business system. Instead of conducting overall overview, the employees opinions were collected (Suter II, 2016). The advantage of this approach was that different employees opined about various gaps that the existing situation of MYOB currently has. SWOT Analysis SWOT analysis is also an effective tool that can be used to identify four main aspects of an organization Strength, Weakness, Opportunity and Threat. However, SWOT analysis is only based on overall rough analysis and cannot be considered as 100% accurate. Still, SWOT analysis has been used to identify the overall situation at the organization including its strengths and opportunities. Risk Analysis Matrix The identified risks are analyzed with the help of risk analysis matrix as follows. Details of the Risk Responsible Stakeholder Risk Reason Risk Effect Suggested Management Strategy System Integration with a 3rd party without prior verification of identity can be a major risk. Unverified 3rd party softwares can cause serious damage to the organizations setup. Marketing Manager Some 3rd party entities are only developed by unethical users who ingrate with a parent software provider and then steal confidential information and customer details from the same. They do it to earn ransom and unethically use other persons personal information. This type of risk mainly affects the company employees as well as the clients. However, this also disrupts the regular operations of the company significantly. Before integrating with a 3rd party entity, the company must verify the identity of the same. Technical Setup can be a major reason for the vulnerability of system risk. System Administration Since technology is evolving every day, the company needs to update its softwares accordingly. However, if the hardware is also not updated accordingly, the softwares may not be supported and the company will lose market competitiveness. The main effect of unavailability of technical setup is that the company will not be able to update its softwares and hence, will lose market competitiveness. The company needs to upgrade its hardware technical setup at regular intervals (say 6 months). Internal Sabotage can also be a significant risk in this field Operations Manager The main origin of this risk is the internal employees of the company. Some unethical employees may try to sabotage the organizations operations by performing unethical operations in the office premises that include surfing unsafe websites, using own flash drives, using own computer in the office server and others. The effect of this risk can be significant on the companys internal server. Malwares can easily enter into the server and maybe able to destroy many important business documents stored inside the server. In order to manage this risk, suitable monitoring of employees is necessary. Moreover, strict policies should be implemented regarding the use of personal flash drives and systems in office. Poor auditing and lack of business insight can also result in disastrous consequences for the organization. System Auditor and Senior Consultant Due to lack of proper auditing, the company may not be able get hold on the existing market. Moreover, due to lack of market insight, the company can lose market competitiveness while its rivals will gain more market share. The main effect of this risk is that the company will lose market competitiveness as well as share to the rivals. Without market insight and auditing, no organization can advance in the current market. A suitable auditing plan must be used and some expert auditors must be recruited instead of inexperienced personnel. Cyber security risk is by far the most significant risk that is faced by the organization. External agents like malwares, viruses, hackers are always targeting the cloud based servers in order to steal confidential information for ransom. Cyber attacks cause the maximum amount of damage to an organization. System Administrator The main reason for this risk is the absence of sufficient firewalls and antivirus softwares. Hosting too many confidential information in the cloud server also attracts hackers to attempt an attack on the server. The effect of cyber attacks are long reaching; confidential files and information are lost, ransom needs to be paid in most cases for the recovery of the files, loss of business continuity and finally leak of business strategy helping the rivals to gain competitive advantage The suggested management strategy is to implement cyber security measures like strong system firewalls, antivirus and other similar softwares. These softwares ensure all the threats are eliminated from the system Disaster Recovery (DR) Plan In order to prepare the disaster recovery plan, the identified risks are to be analyzed in detail. The identified risks are as follows. Integration with 3rd Party Entity As discussed in the risk analysis matrix, integration with 3rd party entity without verifying its identity or origin can be a reason for serious vulnerability or risk of the organization. During the course of the business operations, the company may need to integrate with some 3rd party softwares and systems in order to enhance the business system (Mason, 2014). The duty of these 3rd party softwares is to enhance the existing software operations including quality, performance and additional features. However, there are some fraud 3rd party softwares that appear to provide services and after integration, they just use the business link to break into the central server for stealing data and information. Since MYOB uses cloud server for hosting all the data, it is even more easier to break into it and steal information. Lack of Technical Setup During the analysis, it has been found that there is a lack of sufficient technical setup at MYOB. Initially, the technical setup was developed of the highest configuration for the system that was available then (Thakor, 2016). However, MYOB needed to upgrade the system frequently in order to accommodate new software versions. On the other hand, there have been no recent records of technical upgrade at MYOB whereas many new versions of accounting softwares have been released since. As a result, the existing technical setup does not support the latest software versions that in turn leads to the loss of market competitiveness of the company. Internal Sabotage There have been a number of records of internal sabotage inside MYOB. There are records of some employees who unethically used external flash drives inside the computer system. Due to this, many malwares entered the server and resulted in server disruptions (Eriksson et al., 2014). Moreover, the company once allowed BYOD (Bring Your Own Device) for the employees. However, after finding that many malwares were entering from the external devices, the company stopped this policy and provided systems for employees to work. Poor Auditing Poor auditing was once a serious issue in the organizational operations at MYOB. Due to recruitment of inexperienced and incompetent auditors, the company underwent a phase of business downfall. Moreover, there was a lack of market insight of the companys Senior Consultant that resulted in loss of market competitiveness of the company. Cyber Security Cyber security is a common risk for all business organizations that use cloud computing servers for data storage and management. MYOB is a company that uses cloud server to store all business and client data to save physical storage spaces as well as avoid manual data handling (Li, 2014). Hence, there is a significant threat related to the security of the data stored in the cloud server. Disaster Recovery (DR) Plan From the list of all the risks and threats, it is evident that without any disaster recovery plan, the company will not be able to recover easily if any of the significant risks actually occur. Firstly, the company needs to minimize the chances of occurrence of such a risk at all cost. In order to do that, the company needs to prepare plans in advance and take suitable measures accordingly. Secondly, the company needs to implement strict policies regarding the use of devices inside office premises violation of which will lead to serious consequences (Brindley, 2017). Thirdly, the company will need to implement strong firewalls and antivirus softwares in the existing server. Finally, the company must upgrade the existing technical setup in order to support more advanced versions of various softwares. Proposal for Contingency Plan and Business Continuity Plan (BCP) In order to prepare a contingency plan for maintaining business continuity, the company needs to ensure some sequential steps are followed. This is explained as follows. Contingency planning for business continuity mainly contains four main steps Identify, Analyze, Create and Measure. Identify This step mainly involves identification and assessment of any risk that may occur / have occurred during the course of business operations. Identification of the risk is required in order to find and apply suitable solution. Analyze This step includes the impact of the risk on the daily business operations. If it has minor impact, it can be addressed in due course. However, if it has massive impact on the business, it must be addressed immediately at all costs (Schwing Albers, 2013). For this, analysis of the risk is necessary to understand its extent of power for affecting the business. Create In this step, a risk management plan is created in order to address the identified risk. The plan should be created such that the risk is mitigated and long term strategy is developed so that the risk does not occur anytime in the future. Measure This is the final step where the entire system is measured after the application of the risk management plan. The system is tested in order to ensure the chance of occurrence of the risk is minimized and a maintenance plan is developed. The aim of this plan is to ensure maintenance of the system is done properly in order to avoid occurrence of any risks in future. Analysis and Report on Controls In order to control the risk aspect, MYOB needs to use the risk management tools effectively. Moreover, simple application of the tools is not sufficient; it is important to apply risk management tools in all seven OSI model layers (Boritz, Carnaghan Alencar, 2014). This is to ensure the stored data is protected in every phase storage, presentation, transport, etc. Special encryption techniques can be used to encrypt the data while it is being stored in the cloud interface or transmitted to another system. If all the seven OSI model layers are protected and encrypted, it is highly unlikely to be affected by any security risks. Logical Map of Organizational Structure The logical map of organizational structure is shown in the following diagram. Conclusion In this report, the current situation at MYOB has been analyzed with the help of some risk analysis tools and techniques. Since the advent of cloud computing services, MYOB has hosted its entire operations online in the cloud interface. Instead of physical storage and manual handling of the operations, the cloud based system is much more efficient and does not require additional physical storage space. However, due to hosting the entire operations, the company faces some serious security risks. The main risks will be discussed later in this report. Due to the chances of occurrence of the risks, some disaster may occur during anytime that will not only disrupt in the business operations but will also incur serious long term consequences in the business of MYOB. In order to control the risks discussed in this report, MYOB needs to use the risk management tools effectively. Moreover, simple application of the tools is not sufficient; it is important to apply risk management tools in all seven OSI model layers. This is to ensure the stored data is protected in every phase storage, presentation, transport, etc. Special encryption techniques can be used to encrypt the data while it is being stored in the cloud interface or transmitted to another system. References Boritz, J. E., Carnaghan, C., Alencar, P. S. (2014). Business modeling to improve auditor risk assessment: An investigation of alternative representations.Journal of Information Systems,28(2), 231-256. Brindley, C. (Ed.). (2017).Supply chain risk. Taylor Francis. Eriksson, K., Jonsson, S., Lindbergh, J., Lindstrand, A. (2014). Modeling firm specific internationalization risk: An application to banks risk assessment in lending to firms that do international business.International Business Review,23(6), 1074-1085. Li, W. (2014).Risk assessment of power systems: models, methods, and applications. John Wiley Sons. Lim, S. S., Vos, T., Flaxman, A. D., Danaei, G., Shibuya, K., Adair-Rohani, H., ... Aryee, M. (2013). A comparative risk assessment of burden of disease and injury attributable to 67 risk factors and risk factor clusters in 21 regions, 19902010: a systematic analysis for the Global Burden of Disease Study 2010.The lancet,380(9859), 2224-2260. Mason, K. (2014). Risky (Agri?) Business: Risk Assessment, Analysis and Management as Bio?political Strategies.Sociologia ruralis,54(3), 382-397. Sadgrove, K. (2016).The complete guide to business risk management. Routledge. Schwing, R. C., Albers, W. A. (2013).Societal risk assessment: How safe is safe enough?. Springer. Suter II, G. W. (2016).Ecological risk assessment. CRC press. Thakor, A. V. (2016). The highs and the lows: a theory of credit risk assessment and pricing through the business cycle.Journal of Financial Intermediation,25, 1-29.