Risk-Management Policy

Introduction

This paper describes a risk-management policy that will be utilized by a large multi-international corporation in addressing the security breaches that have affected it in the past. It describes the mitigation strategies that the company will use to counter these security risks. The multi-international corporation has encountered several security breaches affecting its customers' confidential data and financial assets, which are private and normally secured. Its customers' credit card information was also compromised through an attack mounted on its network via a vulnerable wireless connection within the organization. Another breach that the organization endured during the course of its operations was an inside job in which personal data was stolen. This was achieved through the weak access-control policies in use within the organization, which allowed an unauthorized individual access to valuable data (Case Study). This paper focuses on ascertaining whether the policy implemented will be effective in ensuring that the customers' and the organization's information is adequately secured from future security breaches.
This policy will be important because it will help to restore the customers' confidence in the organization's handling of their confidential data and financial assets. It is also vital because it assigns authority and accountability to specific people with respect to the authority to disclose or share information within the organization. According to Calder, Watkins & Watkins, the organization's governing body has to grant the necessary powers and authority to a system administrator, who will be the only person able to access the organization's data. The security of the organization's customers' confidential information will be enforced through the use of passwords that remain known only to the systems administrator (2010). In addition, the systems administrator within the organization will be solely responsible for disclosing any information to any authorized personnel who may require it. To enhance the data's security further, the system administrator will be required to utilize several data encryption techniques. These will include encryption techniques such as the construction of block ciphers, Feistel cipher structures and the utilization of other advanced encryption standards. These techniques will help to ensure that unauthorized people within the organization cannot interpret the meaning of the data. This will further prevent them from divulging any information concerning the customers to members of the public (Calder, Watkins & Watkins, 2010).
The multi-international organization will have to employ a competent network administrator who will be solely responsible for ensuring that the network is secured from external intruders. This will help to prevent any unauthorized damage and access that the organization's computers may encounter. The network administrator may apply some of the common wireless security features, which include Wired Equivalent Privacy (WEP) along with Wi-Fi Protected Access (WPA). There are various standards of the two technologies on the market that the organization can adopt to improve its network's security. The network administrator will be required to configure all access points within the organization's network with restrictions to ensure that no unauthorized parties gain access to its data (Jones & Ashenden, 2005). This will further be enforced through the use of several encryption standards along with checks on the MAC addresses that are accessing the organization's network. According to Jones & Ashenden, the creation of privileged networks for use only by the organization's personnel will also be vital in ensuring that the information concerning the organization's customers is secure (2005). In addition to the above measures, the organization's network administrator can implement the newly introduced Wireless Intrusion Prevention Systems (WIPS). WIPS is widely utilized for the purpose of countering the security risks that an organization's network may encounter. This system can be utilized alongside other security measures, including network firewalls and passwords for accessing the organization's systems (Jones & Ashenden, 2005).
The paper examined the security risks that have been affecting the security of the multi-international organization's information concerning its customers. The solutions suggested for these problems will be very effective in ensuring that the organization's network and information are well protected from intruders with malicious intentions. The organization's staff will have to comply with the standards of conduct required of them to ensure that no information concerning the customers is divulged to unauthorized parties (Calder, Watkins & Watkins, 2010).
Calder, A., Watkins, S., & Watkins, S. G. (2010). Information Security Risk Management for ISO27001/ISO27002. London: IT Governance Ltd.
Jones, A., & Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your Network & Information Assets. New York: Butterworth-Heinemann.