In: Computer Science
A large, independent statutory agency, whose focus is to provide services and support to Australians living with disability, seeks the experience of a Cyber Security Risk & Governance Manager for a long 12+12-month contract, based in Greenway, South Canberra.
The primary duties of the Cyber Security Risk & Governance Manager will include but not be limited to: ‘Undertake an agency-wide Cyber Security risk assessment and maintain its currency on an ongoing basis.’
To assess the cyber risk, the Cyber Security Risk & Governance Manager must follow several dynamic steps.
Using your own words, summarise 5 (five) of the steps that YOU would apply to undertake the agency-wide Cyber Security risk assessment if you were to become the Cyber Security Risk & Governance Manager of this large, independent statutory agency.
As all modern-day business and tasks are shifting online, the IT infrastructure acts as the backbone of the entire business system workflow. This in turn demands a detailed cyber security risk assessment to assess the risk and impact of a cyber security attack. Below are some steps that we should take to assess the cyber security risk.
1. Assess the nature of the business: The first step should be to assess the nature of the business for which cyber security needs to be assessed. This includes the product line-up, portfolio, domain and, if the business is IT based, the upstream and downstream applications. Who the vendors are, and who accesses the system from inside and outside.
2. Recognize the risks/threats:
a) Misuse of information/data by an authorized user. This could be the result of an unapproved use of data or changes made without approval. An unauthorized user can get access inside business data and information using different hacking & phishing methods.
b) Data leakage of information: This includes permitting the use of unencrypted flash storage devices without regulation; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
c) Unauthorized access: This could be from a direct hacking attack / compromise, a malware infection, or a Trojan or virus attack.
d) Data loss: This can be the result of poor data handling, encryption and back-up processes.
3. Inherited risk and its impact: Here we need to assess what the impact to the business could be from the aforesaid assessed risks. The risk could be classified into:
Low: Such risks cause minimal impact, which is negligible to the business.
Medium: Such risks need to be assessed properly; such risks are recoverable.
High: These risks are handled on priority. Such risks can be non-recoverable and can halt the business flow until resolved.
4. Analyze the operating environment: There is a need to look at several categories of information to adequately assess your operating environment. Ultimately, we want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to the identified threats. A few examples include:
5. Evaluating the risk rating: The risks assessed above need to be rated on the basis of the damage or impact they can cause to the running business. Below are some standard classifications of rated risks:
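The following is an added worked example, not part of the original answer: a small risk register that takes the threat classes from step 2, bands each one into the Low / Medium / High levels of step 3 on a 5x5 likelihood x impact grid, applies the controls identified in step 4 to get a residual score, and produces the ranked rating of step 5. The threat names, likelihood and impact scores, the score bands (1-6 Low, 8-12 Medium, 15+ High) and the control effectiveness values are all constructed assumptions for illustration, not figures from the agency or the answer.

```python
"""Toy risk register: scores the threats from step 2 against the Low/Medium/High
bands of step 3 and ranks them for step 5.  Added illustration; the threat
names, likelihood/impact scores and control effectiveness values are constructed
examples, not figures from the agency or the original answer."""
import math
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    category: str                      # threat class from step 2
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    # (control name, share of likelihood it removes, 0.0 .. 1.0) -- assumed model
    controls: list = field(default_factory=list)


def rating(score: int) -> str:
    """Band a 5x5 likelihood x impact score into the answer's three levels."""
    if score <= 6:
        return "Low"        # negligible impact
    if score <= 12:
        return "Medium"     # recoverable, needs proper assessment
    return "High"           # may halt business flow until resolved


def inherent_score(risk: Risk) -> int:
    """Pre-control score from step 3: likelihood x impact."""
    return risk.likelihood * risk.impact


def residual_likelihood(risk: Risk) -> int:
    """Apply step 4's controls: each control removes a share of the remaining
    likelihood.  Rounded up, so a control never lowers a score more than it earns."""
    remaining = float(risk.likelihood)
    for _name, effectiveness in risk.controls:
        remaining *= 1.0 - effectiveness
    return max(1, math.ceil(round(remaining, 6)))


def residual_score(risk: Risk) -> int:
    """Post-control score: residual likelihood x impact."""
    return residual_likelihood(risk) * risk.impact


def build_register(risks):
    """Step 5: rate every risk and order by residual score, highest first."""
    rows = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({
            "name": r.name, "category": r.category,
            "inherent": inh, "inherent_rating": rating(inh),
            "residual": res, "residual_rating": rating(res),
            "controls": [c for c, _ in r.controls],
        })
    return sorted(rows, key=lambda row: (row["residual"], row["inherent"]), reverse=True)


# Constructed sample register covering the four threat classes in step 2.
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", "Unauthorized access", 4, 4,
         [("MFA", 0.6), ("Security awareness training", 0.3)]),
    Risk("Unencrypted USB drive leaves the building", "Data leakage", 3, 3,
         [("USB device control", 0.5)]),
    Risk("Backup failure causes data loss", "Data loss", 2, 5),
    Risk("Privileged user changes records without approval",
         "Misuse by authorized user", 2, 4,
         [("Change approval workflow", 0.5), ("Audit logging", 0.2)]),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f'{row["residual_rating"]:6} (inherent {row["inherent_rating"]:6}) '
              f'{row["name"]} [{row["category"]}]')
```

The point of keeping both the inherent and the residual rating is that step 3 and step 5 answer different questions: the inherent rating shows what is at stake if a control fails, while the residual rating drives today's priority list. Rounding the residual likelihood up is deliberate, so that a stack of partially effective controls cannot argue a risk down to nothing on paper.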