Homework 1

1. Briefly explain each of the steps in the risk management process.

Solutions

1. Establish the organisation and risk management context

Look at the organisation's context: its structure, policies and strategy, and which risk management activities will be involved.

2. Identifying, analysing and evaluating the risks the business faces

Identify, analyse and evaluate the risks that may arise for the business, and consider how IT can support the business and help reduce those risks.

3. Designing and implementing preventive and corrective controls

Design and implement controls that prevent and correct the impact of those threats: decide how we will protect against them, and where an impact remains after protection we must correct it (the trend in security is towards preventive controls).

4. Monitoring and reviewing the strategy to ensure its effectiveness and that it responds to changes

Monitor and review whether the risks that arise are being controlled effectively and how far they have been reduced. We must regularly revisit, review and improve the relevant policies as well.
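As an added worked example (not part of this homework or of the textbook it answers), the four steps can be exercised on a small risk register: step 1 fixes the scales and risk appetite, step 2 scores and ranks risks, step 3 attaches preventive and corrective controls, and step 4 reviews which risks are still above appetite. Everything in it is assumed: the 1-5 likelihood and impact scales, the modelling choice that a preventive control lowers likelihood while a corrective control lowers impact, and the sample risks, which are constructed here for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Qualitative 1-5 scales. These values are constructed for the example;
# a real register uses scales the organisation agreed on in step 1.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A control applied to a risk (step 3).

    Modelling assumption: a preventive control lowers likelihood by
    `steps` points on the scale; a corrective control lowers impact.
    """
    name: str
    kind: str          # "preventive" or "corrective"
    steps: int = 1


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Step 2 (analyse): likelihood x impact before any control."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after the listed controls, floored at 1 on each axis."""
        like = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for c in self.controls:
            if c.kind == "preventive":
                like -= c.steps
            elif c.kind == "corrective":
                imp -= c.steps
            else:
                raise ValueError(f"unknown control kind: {c.kind}")
        return max(like, 1) * max(imp, 1)


def band(score: int) -> str:
    """Step 2 (evaluate): map a score to a band on a 5x5 matrix (assumed cut-offs)."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest inherent score first, so treatment effort goes there."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def review(risks: List[Risk], appetite: int) -> List[str]:
    """Step 4 (monitor/review): names of risks still above the appetite."""
    return [r.name for r in risks if r.residual_score() > appetite]


def build_register() -> List[Risk]:
    """Constructed sample register; ratings and controls are illustrative."""
    return [
        Risk("Fire destroys headquarters", "unlikely", "severe", [
            Control("Fire detection and suppression", "preventive", 1),
            Control("Off-site backups and BCM plan", "corrective", 2),
        ]),
        Risk("Customer database modified by an attacker", "possible", "major", [
            Control("Firewall and least-privilege DB accounts", "preventive", 1),
            Control("Nightly backups with change logging", "corrective", 1),
        ]),
        Risk("Backhoe cuts communications cable", "possible", "moderate"),
        Risk("Staff member drops a hard disk", "likely", "minor", [
            Control("Daily backups", "corrective", 1),
        ]),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in rank(register):
        print(f"{r.name:45} inherent={r.inherent_score():2d} ({band(r.inherent_score())})"
              f" residual={r.residual_score():2d} ({band(r.residual_score())})")
    print("Still above appetite 6:", review(register, 6))
```

Running it prints each risk's inherent and residual score with its band and then lists the risks whose residual score is still above an appetite of 6; in the sample register that is only the uncontrolled cable cut, which is the kind of finding step 4 feeds back into step 3.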

2. What is the purpose of business continuity management?

Solutions

1. The purpose of business continuity management is to identify the risks that have the potential to interrupt the normal course of business operations.

2. Implement preventive controls to prevent the occurrence of such risks.

3. Develop corrective controls for coping should the preventive controls fail and the risk eventuate.

1. BCM is part of risk management; it determines which of all the identified risks could interrupt our business processes.

2. Procedures to control and prevent the impact of all those risks.

3. Develop methods to correct or protect the business when its systems fail, and assess the value of the risks that may arise.

3. IT governance requires that IT delivers value to the business and that IT risks are mitigated. Who is responsible for IT governance? Who is responsible for IT security and risk management?

Solutions

An effective IT security strategy requires a holistic security-conscious environment throughout the entire organisation. In this environment, management is committed to safeguarding the security of IT assets and the business as a whole is committed to achieving the following:

When we adopt an IT security strategy in the organisation, we look at the overall picture of what it does for the organisation:

· Ensuring stakeholders’ confidence and trust in the business

  Stakeholders have confidence and trust in the business; if our security strategy follows an international standard, stakeholders will trust it.

· Maintaining the confidentiality of personal and financial information

  Personal information and financial information stay confidential and do not leak to unintended people.

· Safeguarding sensitive business information from unauthorised disclosure

  Business information that is competitively or otherwise highly sensitive is not disclosed to outside parties.

· Preventing illegal or malicious attacks on IT resources (hardware, software and data) from inside and outside the company

  Prevent improper actions from both outside and inside, malicious attacks and intrusions, and unauthorised access that would affect our IT resources.

· Protecting the company’s IT resources (hardware, software and data) from misuse and fraud

  Protect all of the organisation's resources from misuse or exploitation by user groups who might use them improperly or commit fraud.

· Protecting the IT resources, physically and logically, from disruption

  With a security policy in place, IT resources can be protected from unauthorised modification or tampering.

· Fulfilling the legislative and regulatory requirements of the society in which the business operates

  We comply with the government's requirements and regulations, which lets the business keep operating continuously and soundly, and society is not harmed.

· Creating a responsible work culture that promotes quality and security consciousness and curtails hostile and antagonistic employee behaviour

  Organisational and working culture: we want awareness of the importance of security to be part of the working culture and of people's attitudes, so that they hold a positive, accepting view of it. Work quality and information security will be high if we adjust the working culture to always adhere to security, because everyone in the organisation shares responsibility for it.

Business managers need to promote the risk management strategy and the preventive and corrective controls to all stakeholders to ensure that the security strategy is implemented correctly. A plan, policy or strategy is not useful if it is ignored.

4. Explain how IT represents both an opportunity and a source of vulnerability for business.

Modern Information and Communication Technologies (ICTs) present the corporate world with new challenges and opportunities. These technologies on the one hand facilitate faster and more efficient achievement of business goals, such as manufacturing and easy access to global markets, and on the other hand, leave businesses dependent on data and information that increases their vulnerability to loss of valuable data and information through security breaches and natural calamities.

Information and communication technology gives business new opportunities; problems and obstacles should be seen as challenges, that is, viewed positively. We treat new technologies as business opportunities to take advantage of or apply in the organisation, and in particular ask what IT can do for us.

5. Choose an organisation that uses IT (e.g. your workplace or your university) and complete the following tasks:

(a) Explain the role of IT in the organisation.

(b) Identify, analyse and evaluate the IT risks that the organisation faces.

(c) Suggest some controls that the organisation should, in your opinion, have in place to prevent and correct these risks. Be sure not to focus just on technological controls.

(d) Try to think of a new risk the organisation might face in the future. What steps should the organisation take now and in the future to protect itself from this risk?

The discussion should include critical elements of IT governance, such as:

· Alignment with the business strategy

· Delivery of value

· Management of risk

· Management of resources

· Measurement of performance.

IT risks can take many forms. For example, the business’s headquarters could be destroyed by fire or its customer database could be accessed and modified by a hacker. On the other hand, many risks are small in scale and relatively mundane, but still costly for the individual business affected. They could be a burst water pipe, a backhoe digging up a communications cable or simply a staff member dropping a hard disk drive and destroying its contents. Poor procedures for choosing and maintaining hardware and software are another risk.

Discussion on (c) may include BCM, accountability policies, intrusion identification systems, firewalls, physical security and so on.

New risks may include emerging aspects such as wireless security and the privacy concerns of technologies like RFID.