2.1 Overview (page 4)
3 Evaluation of Risks (page 10)
4 Countermeasures (page 17)
6 References (page 25)
This report concerns TrendMaster Limited, a company that processes data for major retailers to provide detailed analyses of customer spend on products and services. Increased turnover and the growing demand for reports have led the company to move to new premises with additional staff, so that it can offer its customers a wider range of business services and win more business.

The report identifies the risk factors TrendMaster faces, explains why each is a risk to the organisation, discusses the probability of each risk occurring, its impact and how it would affect the business, and identifies and justifies countermeasures for the identified risks. An implementation plan follows, prioritised and with a justification of why TrendMaster Limited should implement particular countermeasures.

PESTLE, PRIMOF and SWOT analysis tools make it much easier to identify the threats (Priest, A. Management of Risk (Risk Principles) 5CI003, week 02, Presentation 1).

In business terms, a risk is the possibility of an event which would reduce the value of the business were it to occur. Such an event is called an "adverse event" (Blakley, B., McDermott, E. and Geer, D., 2001, p. 97).

In TrendMaster Limited there are a number of internal and external risks that need to be brought to attention.
Risk: Leaving confidential information/documents on a printer
This can happen through negligence of employees at work, such as sending confidential information to the printer and not picking it up. It is a risk for the company because the whole staff share one printer: if printouts are not collected straight away, the confidentiality of the printed data is at risk, depending on what has been printed.

Risk: Server room is visible to everybody
The server room is situated next to the director's office on the ground floor. This could be damaging in various ways: if a fire broke out or a flood occurred, all data would be lost, as explained above, and anyone can easily see the server room because it faces the reception/meeting area and there is a window directly facing the server room as well. If the administrator is distracted, someone could easily go into the room and cause theft, disruption or damage.

Risk: Loss of main experienced senior staff
There are two senior staff members in TrendMaster. These key staff know the business well through their experience in the company; they are the best at their roles and know how to run the business processes effectively. Losing them would damage the company's processes and could lead to errors and negligence. If they joined a competitor, the competitor would learn all the company's secrets. The company's key customers could also be lost.

Risk: Documents can be stolen from the store room
Documents can be stolen from the main store because access to the store room is easy. Customers' documented data and company data could be stolen.

Risk: Lots of windows within the building
The new building has many windows, which give thieves many points of entry because glass windows are very easy to break.

Risk: It is easy to spy through the windows
For example, whatever work the director does is easily visible from outside through the window without anyone knowing, because the window is behind the director's chair. Company data can therefore be obtained through the window.

Risk: Easy access to the server room
Thieves can easily reach the server room because it is on the ground floor next to the director's office and the reception and meeting area, so everyone who enters the office can see the server room, which makes unauthorised access easier.

Risk: Unauthorized access
Unauthorised access, whether by visitors or by members of staff using security passes, is a risk, as it is easy for such a person to cause damage to the building and to the computer system.

Risk: Loss of essential services
Business processes could stop until the service is reconnected. For example, if the electricity supply drops, the business does not function properly for that period, so the loss of essential services can be highly damaging. Loss of air (ventilation), electricity or water could also affect the computers and the staff who work with them.

Risk: Errors, mistakes and negligence by staff
If data entered into the system is wrong (by mistake), staff have to rectify the error, which loses time that could be spent on other work. This results in loss of time, resources and finances.

Risk: Malicious software
Having limited or poor antivirus software and inadequate IT policies creates a high risk of virus attacks. Because of this, TrendMaster's IT/IS is at risk from phishing/spoofing.

Risk: Hacking
This is another way company data can be obtained, through the communication link.

Risk: Backup drive failure
The backup drive must always be watched, because if the system breaks down there must be a backup drive to bring the system back (so that business processes do not stop). If the backup drives fail to restore the system, it is a major problem for the business processes.

Risk: DOS attacks
In a denial of service attack, systems are overloaded by sending large amounts of data and e-mail to the servers through the communication link; because of the heavy traffic, employees and customers are unable to access the company's website and servers.

Risk: Data stored on high-volume storage hardware
Data stored on hardware devices can be stolen by thieves or unauthorised persons, because the devices themselves are very easy to steal.
3 Evaluation of Risks

Every risk differs in the possibility of it taking place, how it will impact the business, the type of impact, and how the resulting downtime will affect the business. This section gives an overview of the evaluation of the risks to TrendMaster. The following tool quantifies the likelihood of each risk and its impact on the company, and each risk is prioritised according to its likelihood and impact ratings, as described in Priest, A. Management of Risk (Risk Principles) 5CI003, week 03, Risk Plan.

First the likelihood and impact scores are allocated, then the priority score is calculated. In the table below the priority is the average of the two scores, for example (35 + 90) / 2 = 62.5 for floods. The priority score decides the overall ranking of the risks to the company. For each activity (risk) the table gives the likelihood, impact, priority and impact time (downtime), together with an explanation of the impact.
5CI003 IT Risk Analysis Page 10
Floods
  Likelihood 35 (L) | Impact 90 (VH) | Priority 62.5 (H) | Impact time 2 weeks
  Flooding is a high risk to the company because it would mean the loss of all the data and information stored in the company (documents, servers). It could damage the servers, the building, personal computers and furniture, as they would become wet and could not be used again. Business processes could stop due to the unavailability of data, information and systems until the business starts up again with fresh (redeveloped) systems.

Earthquakes
  Likelihood 40 (L) | Impact 100 (VH) | Priority 70 (H) | Impact time 1 week
  The company could be totally destroyed (depending on the size of the earthquake). If the Richter scale value is low, the company will be able to resume operations within a short time; if it is high, the damage to the building and the equipment in it could be high, and the repair work needed to fix the problems could take several hours or days. This would severely damage the company's business processes.

Fire
  Likelihood 30 (L) | Impact 100 (VH) | Priority 65 (H) | Impact time 2 weeks
  The probability of a fire in the building is reasonably low, but the damage caused by fire is extremely high: recovering the damaged equipment and building would take a long time, and the loss of company and customer data is a high risk. Because the damage to the company would be so high, it could lose customers as well and might not be able to rebuild the company to its current level.

Leaving confidential information/documents on a printer
  Likelihood 30 (L) | Impact 50 (M) | Priority 40 (L) | Impact time 1 hour
  Sensitive data such as customer details could be sent to the printer, and documents containing customer details could end up in the wrong hands. Staff should take more care to collect printed documents as soon as they are sent to the printer: staff on the ground floor have to go to the first floor, near the stairs, to collect a printout, so there can be distractions, staff could forget to collect the document, and it could end up with the wrong people. Customers could also be lost through negligence and improper control of customer data and information, which could affect the reputation of the company as well.

Unattended machines
  Likelihood 30 (L) | Impact 50 (M) | Priority 40 (L) | Impact time 1 hour
  As with the point above, important company and customer data could fall into the wrong hands. Secret details could leak to competitors.

Server room is visible to everybody
  Likelihood 50 (M) | Impact 90 (VH) | Priority 70 (H) | Impact time 2 weeks
  All the company's data and information are stored, and the systems run, on the servers located in the server room. Every visitor and new customer can see the server room, which could lead to the loss of customers (through negligence and improper control of data) because the server room is in an easily accessible area. Anyone could damage the server room easily.

Loss of main experienced senior staff
  Likelihood 35 (L) | Impact 90 (VH) | Priority 62.5 (H) | Impact time 2 weeks
  This would directly affect the operation of the company: staff numbers are limited, so every staff member has targets to achieve in order to manage the operations. Covering for an unavailable staff member takes extra effort, so the whole operation would slow down and the service customers expect would be slower under the workload. Customers could be lost because of this, and without a proper replacement the day-to-day operations of the business will be hard to manage. Knowledge of the company would also pass (through the staff member) to the competitor.

Documents can be stolen from the store room
  Impact 90 (VH) | Priority 65 (H) | Impact time 2 days
  Easy access for thieves because the store room is near the staircase and any employee can get into it, so anyone could take secret documents from the store. This could damage the reputation of the company and break customer trust (customer details could be passed to unknown persons), so the company's main customers might be lost. If the company's secrets are lost, competitors could launch products before the company launches its own.

Lots of windows within the building
  Impact 50 (M) | Priority 45 (M)
  Easy access for thieves because of the glass windows. A thief could steal important information, equipment, etc. This could break customer trust (negative reputation), and the turnover of the company could go down.

It is easy to spy through the windows
  Likelihood 40 (L) | Impact 50 (M) | Priority 45 (M)
  What happens inside is clearly visible through the windows. Company secrets can be seen by outsiders (thieves, competitors).

Easy access to the server room
  Likelihood 60 (M) | Impact 70 (H) | Priority 65 (H)
  The server room is situated near the entrance, so it is visible to everyone, and this could break customer trust: customers would think that their secrets will leak to their competitors. This could affect the reputation of the company.

Unauthorized access
  Likelihood 65 (H) | Impact 70 (H) | Priority 67.5 (H)
  There is no control on access to the building, and anyone can easily reach any place in it. This gives easy access to the server room, store room, printer and director's room, from which company data and information could be obtained. It could also affect the reputation of the company.

Loss of essential services
  Likelihood 30 (L) | Impact 50 (M) | Priority 40 (L) | Impact time 2 hours
  When there is a failure of the electricity or telecommunication supply, the company's systems could stop processing; electrical faults could directly damage the computer hardware. Processing stops until the fault is repaired, and the stored company data and information could be damaged. This would be a financial loss, because the company has to purchase replacement hardware and requires technical assistance to repair the problem until the system is back on again.

Errors, mistakes and negligence by staff
  Impact 70 (M) | Priority 80 (H) | Impact time 2 days
  Wrong data entered into the system (by mistake) produces wrong results (GIGO) (Lidwell, W., Holden, K. and Butler, J., 2010, p. 112) in the company database, so staff have to rectify the error. This loses time that could be spent on other work, and supplying wrong details to customers could affect the reputation of the company.

Communication failure
  Likelihood 40 (L) | Impact 50 (M) | Priority 45 (M) | Impact time 2 days
  The company needs a good communication link with customers in order to supply the details they need online, and for video conferencing, IP phone conferencing, etc. If the communication link fails, the company will not be able to give customers a good service. This would affect the company's reputation as well as the business.

Malicious software
  Likelihood 40 (L) | Impact 50 (M) | Priority 45 (M) | Impact time 2 days
  Customer data saved in the system could be corrupted by malicious software, and saved data might be lost. If the system is attacked continuously it may become unusable, and until it is set up and running again employees will not be able to carry out the business processes.

Hacking
  Likelihood 70 (H) | Impact 60 (M) | Priority 65 (H)
  When the company is connected to a non-trusted network (the internet), many people can reach the company network through the internet connection. If there is no protection between the trusted network (the company network) and the non-trusted network (the internet), hackers could get into the company network and obtain company data and information.

Backup drive failure
  Impact 90 (VH) | Priority 65 (H) | Impact time 1 month
  If the backup drive fails to take backups regularly, it is a risk: the company would not be able to start up from the backups because the backup drives could not be used. The company would lose all the data it has, and it would take a long period to collect all the data into the system again.

DOS attack
  Likelihood 60 (H) | Impact 50 (M) | Priority 55 (M) | Impact time 2 days
  Large amounts of data are received from outside the company (the internet) and create a traffic jam that disrupts network traffic; once the attack is done, users are denied access to the company site, and the company's systems are affected. When the internet is used to exchange data with customers and employees are searching for data the company needs, this kind of attack can be launched by hackers. There could also be communication problems for those accessing the network internally and externally (Prowell, S., Kraus, R. and Borkin, M., 2010, p. 1).
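As an added example (not part of the original report), the following Python script re-derives the priority scores in the table above from the stated likelihood and impact values, flags any row whose stated priority does not match the rule, back-solves the likelihood for the rows where the table leaves it blank, and lists the risks in priority order. The rating-band thresholds in band() are an assumption chosen to fit the labels in the table; the report itself does not state them.

```python
# Added example: a small risk register that recomputes the priority
# scores used in this report. Priority = (likelihood + impact) / 2,
# the rule every fully populated row of the evaluation table follows.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    likelihood: Optional[float]   # None where the report leaves it blank
    impact: float
    stated_priority: float        # value printed in the report's table


def priority(likelihood: float, impact: float) -> float:
    """Priority score used in the report: the mean of likelihood and impact."""
    return (likelihood + impact) / 2


def band(score: float) -> str:
    """Rating band for a score. ASSUMPTION: thresholds picked to reproduce
    the report's labels (30-40 L, 45-60 M, 62.5-80 H, 90-100 VH)."""
    if score >= 90:
        return "VH"
    if score >= 62.5:
        return "H"
    if score >= 45:
        return "M"
    return "L"


def implied_likelihood(impact: float, stated_priority: float) -> float:
    """Back-solve likelihood from the priority rule for rows that omit it."""
    return 2 * stated_priority - impact


def check_register(risks: List[Risk]) -> Tuple[List[tuple], List[tuple]]:
    """Return (rows sorted by priority, descending; mismatches).
    Each row is (name, likelihood, impact, priority, band, note); a mismatch
    is (name, stated priority, computed priority)."""
    rows, mismatches = [], []
    for r in risks:
        if r.likelihood is None:
            lik, note = implied_likelihood(r.impact, r.stated_priority), "likelihood implied"
        else:
            lik, note = r.likelihood, ""
        p = priority(lik, r.impact)
        if abs(p - r.stated_priority) > 1e-9:
            mismatches.append((r.name, r.stated_priority, p))
        rows.append((r.name, lik, r.impact, p, band(p), note))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows, mismatches


# Values transcribed from the evaluation table in this report.
REGISTER = [
    Risk("Floods", 35, 90, 62.5),
    Risk("Earthquakes", 40, 100, 70),
    Risk("Fire", 30, 100, 65),
    Risk("Confidential documents left on a printer", 30, 50, 40),
    Risk("Unattended machines", 30, 50, 40),
    Risk("Server room visible to everybody", 50, 90, 70),
    Risk("Loss of senior staff", 35, 90, 62.5),
    Risk("Documents stolen from the store room", None, 90, 65),
    Risk("Lots of windows within the building", None, 50, 45),
    Risk("Easy to spy through the windows", 40, 50, 45),
    Risk("Easy access to the server room", 60, 70, 65),
    Risk("Unauthorized access", 65, 70, 67.5),
    Risk("Loss of essential services", 30, 50, 40),
    Risk("Errors, mistakes and negligence by staff", None, 70, 80),
    Risk("Communication failure", 40, 50, 45),
    Risk("Malicious software", 40, 50, 45),
    Risk("Hacking", 70, 60, 65),
    Risk("Backup drive failure", None, 90, 65),
    Risk("DOS attack", 60, 50, 55),
]

if __name__ == "__main__":
    rows, mismatches = check_register(REGISTER)
    for name, lik, imp, p, b, note in rows:
        print(f"{p:5.1f} ({b:2}) L={lik:<4g} I={imp:<4g} {name} {note}")
    for name, stated, computed in mismatches:
        print(f"MISMATCH {name}: stated {stated}, computed {computed}")
```

Running it shows that the errors/negligence row, whose likelihood is not stated, tops the list at 80 (implying a likelihood of 90 under the rule), and that no stated priority contradicts the formula.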
4 Countermeasures

The risks addressed below are floods, earthquakes, fire, unattended machines, unauthorized access, communication failure, malicious software, hacking and DOS attack, together with the other risks identified in section 3. For each identified risk, a list and justification of all the countermeasures that may be taken to address the risk is given.
Floods
- Locate the servers and PCs higher than ground level (3 to 4 feet above it).
- Take out insurance cover: if any damage occurs to the building or equipment, the company can claim for the damage and restart operations as soon as possible.
- Introduce a flood plan for the company.

Earthquakes
- Take out insurance cover, so that the company can claim for any damage to the building or equipment.
- Take daily backups and store them in a secure place off the premises, so that the company can restart operations if the premises are damaged.

Fire
- Have an evacuation plan for the building and train the staff accordingly, with a drill every six months to review the plan and keep staff aware of what to do whenever a fire occurs. Conduct a full-scale building disaster exercise in conjunction with local emergency response groups (Craighead, G., 2008, p. 598).
- Put up evacuation site maps at every exit and in places visible to everybody.
- Construct proper fire exits and safety doors (Binggeli, C., 2010, p. 340).
- Provide fire extinguishers to stop small fires before they turn into a full-scale blaze, and train the staff in how to use the safety equipment.
- Install fire/heat detectors in suitable places.
- Shield the server room and install fire suppression (oxygen-absorbing equipment), so that a fire cannot spread inside the server room and the hardware is protected; note that such a system is harmful to people (Stewart, J. M., 2004, p. 156).
- Install a fire alarm system in every room.
Leaving confidential information/documents on a printer
- Install a printer on the ground floor as well, located where nobody else can get at it.
- Introduce a company policy to reduce the errors staff make.
- Introduce a print management system tied to the employee card using Radio Frequency Identification (RFID): whenever staff want a printout, they release it at the printer with the RFID card.

Unattended machines
- Set up an IT security policy. It should cover all the in-house rules and regulations that staff must follow.
  o e.g. lock the PC before leaving the workplace
  o set up systems to ensure staff regularly change and update their passwords; this helps to avoid data theft through other employees' accounts.

Server room is visible to everybody
- Cover the server room entrance and create a two-door entry to the server room with a new partition (physical barrier). Nobody will see the server room entrance, because there is another door before the server room door (Stewart, J. M., 2004, p. 156).
- Put dual-control access on the server room (for when the administrator is not available): two persons have to authenticate to open the door.
- Introduce a system for access to the server room using the employee ID card (RFID), so that the people who enter the server room can be traced.

Loss of main experienced senior staff
- Rotate job functions among the staff at least once a year to keep them motivated: doing the same job for a long period makes staff fed up with their work, so a job role revision is a fresh approach to improving motivation among the staff.
- Give allowances when the company's profits increase and for the performance staff achieve.
- Give additional training sessions for the staff.
- Hold regular meetings with the staff to communicate company updates, discuss company and staff issues and find solutions.
- Make regular salary reviews, so that staff feel happy with their salary and with the company.

Documents can be stolen from the store room
- Have lockable filing cabinets and implement a company policy with dedicated responsibilities.
- Implement a dual-control key handling system to open the store room (like the access to the server room).
- Once document work is finished, destroy or shred the unused documents under the supervision of a senior staff member.

Lots of windows within the building / It is easy to spy through the windows
- Arrange to install window safety bars, to protect against thieves trying to enter through the glass windows.
- Fit roller blinds/curtains to the windows so that no one can spy through them.

Easy access to the server room
- Implement the security entry card explained above (RFID); this is cost-effective for the company because the whole system runs on one access card.
- Store company and customer data in encrypted form; it is more secure and makes sure the data does not fall into unintended hands.
- Implement a dual-control key handling system to open the server room (like the access to the store room) and introduce a policy with dedicated responsibilities.
- Put up physical barriers at the server room entrance (explained under "Server room is visible to everybody") and install a camera at that location (Stewart, J. M., 2004, p. 156).
Unauthorized access
- Implement a visitor procedure to stop anyone just walking into the building. This can be done by the receptionist or a security guard at the main entrance:
  o visitors must produce identification to be checked, to confirm who the visitor is
  o introduce a log book for visitors.

Loss of essential services
- Install a generator for backup electricity in case the supply ceases for a short period, to prevent damage to the computers and keep the business operational when the electricity utility fails.
- Install UPS units for essential equipment (main server, director's PC, system administrator's PC): if the generator does not start automatically all power could be lost, so a UPS makes the system more secure.

Errors, mistakes and negligence by staff
- This risk affects the company heavily, because the data entered into the system is entered by staff, who can enter wrong data and can leak company secrets and information to others. To prevent this, staff must be educated continually (training sessions) and have team meetings.

Communication failure

Malicious software
- Install proper antivirus software on every computer linked to the company system; the network will need an up-to-date antivirus package to ensure the computers are

Backup drive failure
- The IT manager (responsible person) has to check and ensure that full network backups of all the computers are taken every day, and keep a copy in a safe place away from the office premises.
- Test regularly by running the system from the backups, to ensure that recovery can actually take place when needed.
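An added example (not from the report) of how the "test the backups regularly" countermeasure can be made concrete: at backup time a manifest of SHA-256 hashes of every file is written; after a test restore, the restored copy is checked against the manifest and every missing, corrupted or unexpected file is reported, so a restore that silently lost a file is caught before it is needed for real. The file names and contents are constructed for the example and written to a temporary directory; nothing about TrendMaster's actual systems is assumed.

```python
# Added example: verify that a restore from backup really reproduces the
# original files, using a SHA-256 manifest written when the backup is taken.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> Dict[str, Path]:
    """Map relative POSIX-style paths to every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(source: Path, manifest: Path) -> Dict[str, str]:
    """Record the hash of every file under `source`, keyed by relative path."""
    entries = {rel: sha256_of(p) for rel, p in _relative_files(source).items()}
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify_restore(restored: Path, manifest: Path) -> List[str]:
    """Compare a restored tree with the manifest. Returns a list of problems;
    an empty list means the restore is complete and intact."""
    expected = json.loads(manifest.read_text())
    problems = []
    for rel, digest in expected.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"corrupted: {rel}")
    present = set(_relative_files(restored))
    for rel in sorted(present - set(expected)):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up a small tree and test-restore it (good),
    then simulate a bad restore by corrupting one file and losing another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backup, restore = root / "live", root / "backup", root / "restore"
        src.mkdir()
        (src / "customers.csv").write_text("id,spend\n1,120.50\n2,87.00\n")
        (src / "reports").mkdir()
        (src / "reports" / "q3.txt").write_text("Q3 spend analysis\n")
        manifest = root / "manifest.json"
        write_manifest(src, manifest)

        shutil.copytree(src, backup)       # the backup copy
        shutil.copytree(backup, restore)   # the test restore
        good = verify_restore(restore, manifest)

        (restore / "customers.csv").write_text("id,spend\n1,0\n")  # bad copy / bit rot
        (restore / "reports" / "q3.txt").unlink()                 # incomplete restore
        bad = verify_restore(restore, manifest)
        return {"good": good, "bad": bad}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "restore verified OK")
```

The manifest should be stored with the off-site copy and, ideally, signed or kept on write-once media, so that a backup that has been tampered with cannot also rewrite the hashes it is checked against.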
DOS attack

Implementation plan

The countermeasures are prioritised in the following order:
- Introduce a company policy to reduce the errors staff make.
- Introduce an employee card with Radio Frequency Identification (RFID) technology.
  o This will cover most of the systems the company uses:
    printing
    access to the building
    access to the server room
    attendance (in/out)
    access to secure areas
    visitors entering the company
- Locate the servers and PCs higher than ground level (3 to 4 feet above it).
- Introduce a flood plan for the company.
- Take out insurance cover (covering all the identified risks).
- Have an evacuation plan for the building and train the staff accordingly.
- Put up evacuation site maps.
- Construct proper fire exits and safety doors.
- Install fire/heat detectors in suitable places.
- Install a printer on the ground floor, located where nobody (outsiders) can see it.
- Set up an IT security policy covering all the in-house rules and regulations that staff must follow:
  o dual-control access to the server room, store room and other secure areas
  o lock the PC before leaving the workplace
  o a password policy
  o business continuity planning
  o system planning
  o user management
  o operations
  o use of computers
- Rotate job functions among the staff at least once a year.
- Make regular salary reviews to keep the experienced senior staff in the company.
- Have lockable filing cabinets.
- Install closed circuit television (CCTV).
- Install a generator for backup electricity and UPS units for essential equipment.
- Once document work is finished, destroy the documents under the supervision of a senior staff member.
- Arrange to install window safety bars.
- Fit roller blinds/curtains to the windows.
- Store company and customer data in encrypted form.
- Install a firewall (hardware and software) to protect the system from hackers.
- Keep the backup copies in a secret, secure place, and check and test them regularly; I recommend having a data warehouse for this.
- Cover the server room entrance and create a two-door entry to the server room with a new partition (physical barrier).
- Install proper antivirus software on every computer and always keep systems and software patches up to date.
- Have mobile broadband and an alternative connection from another service provider.
6 References

BCS (2011) Organised cyber-criminals [Online]. The British Computer Society (BCS). [Cited 03 October 2011]. Available at: <http://www.bcs.org/content/conWebDoc/10576>

Binggeli, C. (2010) Building Systems for Interior Designers. 2nd ed. Canada: John Wiley & Sons. [Accessed 25 October 2011]

Craighead, G. (2008) High-Rise Security and Fire Life Safety. 3rd ed. USA: Butterworth-Heinemann. [Accessed 25 October 2011]. Available at: <http://books.google.com/books?id=4BWyBELDQIwC&printsec=frontcover&dq=High-Rise+Security+and+Fire+Life+Safety+By+Geoff+Craighead&hl=en&ei=uIS3TrneNc_OrQfIzKmbCA&sa=X&oi=book_result&ct=book-preview-link&resnum=1&ved=0CC8QuwUwAA#v=onepage&q&f=false>

Ioannidis, S., Keromytis, A. D., Bellovin, S. M. and Smith, J. M. (2000) Implementing a Distributed Firewall [Online]. [Accessed 25 October 2011]. Available at: <http://delivery.acm.org.ez-proxy.unv.wlv.ac.uk/10.1145/360000/353052/p190-ioannidis.pdf?ip=134.220.2.101&acc=ACTIVE%20SERVICE&CFID=67483464&CFTOKEN=80860091&__acm__=1320722827_84b145879fa6f90399fbadf51349566c>

Prowell, S., Kraus, R. and Borkin, M. (2010) Seven Deadliest Network Attacks. USA: Elsevier. [Accessed 15 October 2011]. Available at: <http://books.google.co.uk/books?id=S2tRtuKNndYC&printsec=frontcover&dq=Seven+Deadliest+Network+Attacks+By+Stacy+Prowell,+Rob+Kraus,+Mike+Borkin&hl=en&ei=-b-2TqeaMYfmrAe8_MjIAw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CC4Q6AEwAA#v=onepage&q&f=false>

Raval, V. and Fichadia, A. (2007) Risks, Controls, and Security: Concepts and Applications. Wiley.

Sophos (2011) Hacking the Web: Hijacking search results [Online]. [Cited 05 October 2011]. Available at: <http://nakedsecurity.sophos.com/2011/02/13/hacking-the-web-hijacking-search-results/>

Sophos (2011) Police probe into claims of computer hacking by Murdoch's News International [Online]. [Cited 05 October 2011]. Available at: <http://nakedsecurity.sophos.com/2011/08/01/police-probe-into-claims-of-computer-hacking-by-murdochs-news-international/>

Stewart, J. M. (2004) Security+ Fast Pass. USA: Sybex. [Accessed 30 October 2011]

Wideman, R. M. (2007) Management of Risk: Guidance for Practitioners. UK: Office of Government Commerce (OGC). [Accessed 01 October 2011]. Available at: <http://www.maxwideman.com/papers/risk_guidance/risk_guidance.pdf>