Question

In: Computer Science


A large, independent statutory agency, whose focus is to provide services and support to Australians living with disability, seek the experience of a Cyber Security Risk & Governance Manager for a long 12+12-month contract, based in Greenway, South Canberra.

The primary duties of the Cyber Security Risk & Governance Manager will include but not be limited to: ‘Undertake an agency-wide Cyber Security risk assessment and maintain its currency on an ongoing basis.’

To assess the cyber risk, the Cyber Security Risk & Governance Manager must follow several dynamic steps.

Using your own words, summarise 5 (five) of the steps that YOU will apply to undertake the agency-wide Cyber Security risk assessment if you were to become the Cyber Security Risk & Governance Manager of this large, independent statutory agency.

Solutions

Expert Solution

As all modern-day business and tasks are shifting online, the IT infrastructure acts as the backbone of the entire business system workflow. This in turn demands a detailed cyber security risk assessment to assess the risk and impact of a cyber security attack. Below are some steps that we should take to assess the cyber security risk.

1. Assess nature of business: The first step should be to assess what the nature of the business is for which cyber security needs to be assessed. This includes the product line-up, portfolio, domain, and what the upstream and downstream applications are if the business is IT based; who all the vendors are, and who accesses the system in and out.

2. Recognize the risk/threat:

a) Misuse of information/data by an authorized user. This could be the result of an unapproved use of data or changes made without approval. An unauthorized user can get access inside business data and information using different hacking & phishing methods.

b) Data leakage of information: This includes permitting the use of unencrypted flash storage devices without regulation; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.

c) Unauthorized access: This could be from a direct hacking attack / compromise, malware infection, or trojan, virus attack.

d) Data Loss: This can be the result of poor data handling, encryption and back-up processes.

3. Inherent risk and its impact: Here we need to assess what the impact to the business could be from the aforesaid risks assessed. The risk could be classified into

Low: Such risks cause minimal impact which can cause negligible impact to business

Medium: Such risks need to be assessed properly; such risks are recoverable.

High: These risks are priority risks for handling. Such risks can be non-recoverable and can halt the business flow until resolved.

4. Analyze the operating environment: There is a need to look at several categories of information to adequately assess your operating environment. Ultimately, we want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include:

  • User Provisioning Controls
  • Administration Controls
  • User Authentication Controls
  • Infrastructure Data Protection Controls
  • Data Center Physical & Environmental Security Controls
  • Continuity of Operations Control

5. Evaluating the risk rating: The risks assessed above need to be rated on the basis of the damage or impact they can cause to the running business. Below are some standard classifications of rated risks:

  • Critical – Such risks cause significant and urgent threat to the organization and risk reduction remediation should be followed immediately.
  • Medium – A controlled threat to the organization exists, and risk reduction remediation should be completed in a reasonable period of time.
  • Low – Threats are normal and generally acceptable, but may still have some impact to the organization. These can be handled on low priority.
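The five steps above can be carried as a small risk register that scores each step 2 threat on the step 3 impact scale, discounts it by the step 4 controls that apply, rates the result on the step 5 scale, and flags entries whose review date is too old to keep the assessment current. This is an added example, not part of the original answer; the likelihood scale, control effectiveness values, rating thresholds, review window and dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

IMPACT = {"Low": 1, "Medium": 2, "High": 3}   # step 3 impact scale
AS_OF = date(2024, 6, 1)                      # assumed assessment date

@dataclass
class Risk:
    threat: str            # a step 2 threat category
    likelihood: int        # 1 (rare) .. 3 (likely); assumed scale
    impact: str            # "Low" / "Medium" / "High"
    last_reviewed: date    # drives the "maintain its currency" check
    controls: dict = field(default_factory=dict)  # step 4 control -> effectiveness 0..1

    def inherent_score(self) -> int:
        return self.likelihood * IMPACT[self.impact]        # 1..9

    def residual_score(self) -> float:
        remaining = 1.0                                     # exposure left after controls
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness                # each control removes its share
        return round(self.inherent_score() * remaining, 2)

def rating(score: float) -> str:
    """Step 5 scale; the thresholds are assumptions, not from the answer."""
    return "Critical" if score >= 6 else "Medium" if score >= 3 else "Low"

def stale(risk: Risk, today: date, max_age_days: int = 90) -> bool:
    """True when the entry is older than the review window (assumed 90 days)."""
    return (today - risk.last_reviewed).days > max_age_days

# Constructed sample register covering the four threat categories in step 2.
REGISTER = [
    Risk("Unauthorized access", 3, "High", date(2024, 1, 15),
         {"User Authentication Controls": 0.5, "User Provisioning Controls": 0.2}),
    Risk("Data leakage", 2, "High", date(2024, 5, 1),
         {"Infrastructure Data Protection Controls": 0.3}),
    Risk("Data loss", 2, "Medium", date(2024, 5, 1),
         {"Continuity of Operations Control": 0.7}),
    Risk("Misuse by authorized user", 1, "Medium", date(2024, 5, 1)),
]

def assess(register: list, today: date) -> list:
    """(threat, inherent rating, residual rating, needs review), highest residual first."""
    rows = [(r.threat, rating(r.inherent_score()), rating(r.residual_score()),
             stale(r, today)) for r in register]
    return sorted(rows, key=lambda row: ("Low", "Medium", "Critical").index(row[2]), reverse=True)

if __name__ == "__main__":
    for row in assess(REGISTER, AS_OF):
        print(row)
```

Re-running `assess` with a new date is the ongoing part of the duty: any row whose last field is True is due for reassessment even if its rating has not changed.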
