
The School of Technology

Module: Risk Analysis Assessment Number: 2

By: Mr. G P D Sameera Ushantha

Student Number: 1027190

11th November 2011

Module Leader: Mr. Adrian Priest

5CI003 IT Risk Analysis Page i


Declaration:

I declare that this submission is my own work and has not been copied from someone else or
commissioned to another to complete. Any materials used in this work (whether from published
sources, the Internet or elsewhere) have been fully acknowledged and referenced and are
without fabrication or falsification of data.
I have adhered to relevant ethical guidelines and procedures in the completion of this
assignment. I have not allowed another student to have access to or copy from this work. The
work has not been submitted previously.

By this declaration and by submitting this work, I confirm my understanding that

The University may submit this work to the national plagiarism detection facility. This searches
the Internet and an extensive database of reference material, including other students' work and
available essay sites, to identify any duplication with the work you have submitted. Once your
work has been submitted to the detection service it will be stored electronically in a database
and compared against work submitted from this and other universities. The material will be
stored in this manner indefinitely.



Table of Contents
1 Introduction............................................................................................................................... 3

2 Risks to the organization and Information Technology/Information Systems (IT/IS)..................4

2.1 Overview............................................................................................................................ 4

2.2 Physical threats.................................................................................................................. 5

2.3 Non-Physical threats.......................................................................................................... 8

3 Evaluation of Risks................................................................................................................. 10

3.1 Physical Threats...............................................................................................................10

3.2 Non-Physical threats........................................................................................................14

4 Countermeasures...................................................................................................................17

5 Recommendation of measures to be taken to protect organization and their priorities...........23

6 References............................................................................................................................. 25



1 Introduction

This report examines TrendMaster Limited, a company that processes data for major retailers in
order to provide detailed analysis of customer spend on products and services. Increased
turnover and demand for reports have resulted in the company moving to new premises with
additional staff, so that it can offer a wider range of business services to its customers as
they require them and win more business.

In the new organisation there are a number of risks that the company may experience.

This report identifies the risk factors that TrendMaster could face and explains why they are
risks to the organisation, discussing the probability of each risk occurring, its impact and how
it would affect the business. It then identifies and justifies countermeasures for the
identified risks.

Finally, it recommends which measures should be implemented in order to protect the business.

An implementation plan is presented, prioritised and with justification of why TrendMaster
Limited should implement particular countermeasures for the organisation.



2 Risks to the organization and Information Technology/Information Systems (IT/IS)

2.1 Overview

In this analysis of the case study the main consideration has been the business assets, which
has resulted in the identification of threats that apply directly to TrendMaster Limited.

To identify the threats, the PESTLE, PRIMO-F and SWOT analysis tools are helpful and make the
analysis straightforward (Priest, A. Management of Risk (Risk Principles), 5CI003, week 02,
Presentation 1).

PESTLE analysis (Political, Economic, Social, Technology, Legal, Environment)

PRIMO-F analysis (People, Resources, Innovation, Marketing, Operation, Finance)

SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) (Syntel, Inc. 2011, SWOT Analysis
[online]; Pahl, N. and Richter, A. 2009, p.6)

In business terms, a risk is the possibility of an event which would reduce the value of the
business were it to occur. Such an event is called an "adverse event" (Blakley, B., McDermott, E.
and Geer, D. 2001, p.97).

In TrendMaster Limited there are a number of internal and external risks that need to be
brought to attention.

2.2 Physical threats

For each risk the table explains why it is a risk to TrendMaster Limited.

Risk: Floods
Why it is a risk: Floods can damage the building, servers, personal computers and furniture, as
they will become wet and cannot be used again. This is a risk of losing large amounts of
data/information and important documents.

Risk: Earthquakes
Why it is a risk: An earthquake could be disastrous for the organisation, and everything the
company has worked for could be lost. Earthquakes can also damage the building, servers,
personal computers and furniture. This is a risk of losing large amounts of data/information and
important documents.

Risk: Fire
Why it is a risk: Fire can cause a large amount of damage to the company: paperwork, PCs,
laptops, servers, machinery and the building in general. This would not only affect the
business financially but could also stop the business processes.

Risk: Leaving confidential information/documents on a printer
Why it is a risk: This can happen through negligence of employees whilst at work, such as
sending confidential information to the printer and not picking it up. It is a risk for the
company because the whole staff share one printer; if a printout is not collected straight away
the integrity of the data is at risk, depending on what has been printed.

Risk: Unattended machines
Why it is a risk: Employees may leave company information on their computer screens, mostly at
the reception area, the receptionist's and Director's desks and the desks of employees who work
on the ground floor, where visitors or customers can see it whilst waiting, or passers-by can
see it through the windows and glass door, as the new building has windows in every room.

Risk: Server room is visible to everybody
Why it is a risk: The server room is situated next to the Director's office on the ground floor.
This could be damaging in various ways: if a fire were to break out or a flood occur, all data
would be lost as explained above, and anyone can easily see the server room because it faces the
reception/meeting area and there is a window directly facing the server room as well. If the
administrator is distracted, someone could easily go into the room and cause theft, disruption
or damage.

Risk: Loss of main experienced senior staff
Why it is a risk: There are 2 senior staff members in TrendMaster. These key staff know the
business well through their experience in the company, so they are very important as they are
best at their role and know how to achieve results effectively in the business processes. The
loss of these key staff would damage the company processes and could cause errors and
negligence in the company. If they join a competitor, the competitor will know all the secrets
of the company, and key customers of the company could also be lost with the key staff member.
As the team is small, if a member of staff resigned, business functions would also stop for a
short period while operating without that person.

Risk: Documents can be stolen from the store room
Why it is a risk: Documents can be stolen from the main stores because of easy access to the
store room. Customers' documented data and company data can be stolen.

Risk: Lots of windows within the building
Why it is a risk: The new building has many windows, which allow many points of access for
thieves because the glass windows are very easy to break.

Risk: It is easy to spy through the windows
Why it is a risk: As an example, whatever work the Director does is easily visible to outsiders
through the window without him knowing, because the window is situated behind the Director's
chair. It is therefore easy to obtain company data through the window.

Risk: Easy access to the server room
Why it is a risk: Thieves have easy access to the server room, because it is on the first floor
next to the Director's office and the reception and meeting area, so everyone who enters the
office can see the server room and it is easier to gain unauthorised access.

Risk: Unauthorized access
Why it is a risk: Unauthorised access (by visitors and members of staff) without security
passes is a risk, as it is easy for someone to cause damage to the building and to the computer
system.

Risk: Loss of essential services
Why it is a risk: Business processes could stop for the period until the service is reconnected.
For example, if the electricity drops, the business does not function well for that period, so
the loss of essential services can be highly damaging to the business. Loss of air conditioning,
electricity and water is also a risk, as it affects both the computers and the people who work
with them (staff).

2.3 Non-Physical threats

Customer data can leak to their competitors; if customers do not trust the company it will lose
business.

For each risk the table explains why it is a risk to TrendMaster Limited.

Risk: Passive and active attacks
Why it is a risk: Passive and active attacks can damage the system and can be used to make
changes to data.

Risk: Errors, mistakes and negligence by the staff
Why it is a risk: If data entered into the system is wrong (by mistake), staff have to rectify
the error, which is a loss of time that could be spent on other work. This results in a loss of
time, resources and finances.

Risk: Communications failure
Why it is a risk: If there is a communication failure, data being transmitted can be interrupted
and lost. There could also be noise when exchanging data and when having conference calls with
clients.

Risk: Malicious software
Why it is a risk: Having limited or poor antivirus software and inadequate IT policies is a high
risk for virus attacks. Because of that, the IT/IS of TrendMaster is at risk from
phishing/spoofing. Malware covers many categories: viruses, sniffers, spam, backdoors, Trojan
horses, spyware, rootkits, worms and zombies.

Risk: Hacking
Why it is a risk: This is another way company data can be obtained through the communication
link. It is a risk to the company on many different levels; one of the main reasons is that the
main business of the company is processing data for major retailers to provide analysis of
customer spend on products and services, so the company and its clients exchange data through
communication links, and there is a possibility of data being captured during the exchange.

Risk: Backup drive failure
Why it is a risk: The backup drive should always be watched, because if the system breaks down
there should be a backup from which to restore the system (so as not to stop the business
process). If the backup drives fail to restore the system it will be a major problem for the
business process.

Risk: DOS attacks
Why it is a risk: In a denial of service attack, systems are overloaded by sending lots of data
and e-mails to the servers through the communication link; because of the heavy traffic,
employees and customers are unable to access the company's website and servers.

Risk: Data are stored on high-volume data storage hardware
Why it is a risk: Data stored on hardware devices can be stolen by thieves and unauthorised
persons, because those devices are very easy to steal.



3 Evaluation of Risks

The main risks to TrendMaster were identified and explained in the section above. This section
evaluates each risk.

Each risk is different in terms of the possibility of it taking place, how it will impact the
business, the type of impact, and how the amount of downtime will affect the business.

This section gives an overview of the evaluation of risks to TrendMaster.

The following tool is used to quantify the likelihood of each risk and its impact on the
company. Each risk is prioritised according to the likelihood and impact ratings shown below.

Title            Score    Likelihood                  Impact to the company
Very Low (VL)    0-20     Highly unlikely to occur    Insignificant impact
Low (L)          21-40    Unlikely to occur           Minor impact
Medium (M)       41-60    Likely to occur             Measurable impact
High (H)         61-80    Very likely to occur        Significant impact
Very High (VH)   81-100   Highly likely to occur      Major impact

Priest, A. Management of Risk (Risk Principles), 5CI003, week 03, Risk Plan

First the likelihood and impact scores are allocated, and then the priority score is calculated
as the average of the likelihood and impact scores:

Priority = (Likelihood + Impact) / 2

The priority score decides the overall risk ranking for the company.
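The scoring method above, worked through in code as an added example that is not part of the report: the band table, the priority formula and a register holding the likelihood and impact scores the report gives for each risk, so the priorities and the priority-band grouping of section 3 can be recomputed and any band label written by an assessor can be checked against the table.

```python
"""Risk prioritisation as defined in section 3 of the report: likelihood and
impact are scored 0-100, each score maps to a band, and priority is their
average. Added example, not part of the original report; the register values
are the likelihood/impact scores the report states for each risk."""
from dataclasses import dataclass

# Band table from section 3 (integer score ranges, contiguous and ascending).
BANDS = [("VL", 0, 20), ("L", 21, 40), ("M", 41, 60), ("H", 61, 80), ("VH", 81, 100)]


def band(score: float) -> str:
    """Return the band whose range contains `score`. Priorities can be half
    points (e.g. 62.5); a value that falls between two integer ranges goes to
    the higher band, because the next band starts at the next integer."""
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} is outside the 0-100 scale")
    for name, _low, high in BANDS:
        if score <= high:
            return name
    raise AssertionError("unreachable: BANDS covers the whole 0-100 scale")


def priority(likelihood: float, impact: float) -> float:
    """Priority = (Likelihood + Impact) / 2, the report's formula."""
    for value in (likelihood, impact):
        if not 0 <= value <= 100:
            raise ValueError(f"score {value} is outside the 0-100 scale")
    return (likelihood + impact) / 2


def label_matches(score: float, written_label: str) -> bool:
    """Sanity check for a register: does the band label an assessor wrote next
    to a score agree with the band table? (A score of 90 must carry VH.)"""
    return band(score) == written_label.strip().upper()


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    impact_time: str  # outage/recovery estimate as given in the report

    @property
    def priority(self) -> float:
        return priority(self.likelihood, self.impact)

    @property
    def priority_band(self) -> str:
        return band(self.priority)


# Likelihood and impact scores transcribed from the section 3 tables.
REGISTER = [
    Risk("Floods", 35, 90, "2 weeks"),
    Risk("Earthquakes", 40, 100, "1 week"),
    Risk("Fire", 30, 100, "2 weeks"),
    Risk("Leaving confidential information/documents on a printer", 30, 50, "1 hour"),
    Risk("Unattended machines", 30, 50, "1 hour"),
    Risk("Server room is visible to everybody", 50, 90, "2 weeks"),
    Risk("Loss of main experienced senior staff", 35, 90, "2 weeks"),
    Risk("Documents can be stolen from the store room", 40, 90, "2 days"),
    Risk("Lots of windows within the building", 40, 50, "2 days"),
    Risk("Easy to spy through the windows", 40, 50, "2 days"),
    Risk("Easy access to the server room", 60, 70, "5 days"),
    Risk("Unauthorized access", 65, 70, "1 day"),
    Risk("Loss of essential services", 30, 50, "2 hours"),
    Risk("Errors, mistakes and negligence by the staff", 90, 70, "2 days"),
    Risk("Communication failure", 40, 50, "2 days"),
    Risk("Malicious software", 40, 50, "2 days"),
    Risk("Hacking", 70, 60, "1 day"),
    Risk("Backup drive failure", 40, 90, "1 month"),
    Risk("DOS attack", 60, 50, "2 days"),
]


def ranked(register: list[Risk]) -> list[Risk]:
    """Highest priority first; ties broken by impact, then by name."""
    return sorted(register, key=lambda r: (-r.priority, -r.impact, r.name))


def priority_matrix(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk names by priority band: the 'Priority measurement' grid."""
    matrix: dict[str, list[str]] = {name: [] for name, _, _ in BANDS}
    for risk in register:
        matrix[risk.priority_band].append(risk.name)
    return matrix


if __name__ == "__main__":
    for risk in ranked(REGISTER):
        print(f"{risk.priority:5.1f} ({risk.priority_band:2}) {risk.name}")
    for name, names in priority_matrix(REGISTER).items():
        print(f"{name:2}: {len(names)} risk(s)")
```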

3.1 Physical Threats

Each entry gives the activity, its likelihood, impact and priority scores (with band), the
estimated impact time, and the impact on the company.

Floods
Likelihood 35 (L); Impact 90 (VH); Priority 62.5 (H); Impact time 2 weeks
Flood is a high risk to the company because it would mean the loss of all data and information
stored in the company (documents, servers). It could damage the building, servers, personal
computers and furniture, as they would become wet and could not be used again. Business
processes could stop due to the unavailability of data, information and systems until the
business is started up again with fresh systems (redeveloped).

Earthquakes
Likelihood 40 (L); Impact 100 (VH); Priority 70 (H); Impact time 1 week
The company could be totally destroyed (depending on the size of the earthquake). If the Richter
scale reading is low the company will be able to resume operations within a short time; if it is
high, the damage to the building and the equipment inside could be severe. The resulting repair
work needed to fix the problems could take several hours or days. This would be highly damaging
to the business processes of the company.

Fire
Likelihood 30 (L); Impact 100 (VH); Priority 65 (H); Impact time 2 weeks
The probability of fire in the building is reasonably low, but the damage caused by fire is
extremely high because recovering the damaged data, equipment and building would take a long
time, and the loss of company and customer data is a high risk. Because the damage to the
company would be high, it could also lose customers and be unable to rebuild the company to its
current level.

Leaving confidential information/documents on a printer
Likelihood 30 (L); Impact 50 (M); Priority 40 (L); Impact time 1 hour
Sensitive data such as customer details could be sent to the printer, and documents with
customer details could then go to the wrong hands. Staff have to take care to collect printed
documents as soon as they are sent to the printer; to get a printout, staff on the ground floor
have to go to the 1st floor near the stairs, so they can be distracted and forget to collect the
document, which can then end up with the wrong people. Customers could also be lost due to
negligence and improper control of customer data and information. This could affect the
reputation of the company as well.

Unattended machines
Likelihood 30 (L); Impact 50 (M); Priority 40 (L); Impact time 1 hour
Employees leaving information on their computer screens. As above, important company and
customer data could go to the wrong hands. Secret details could be leaked to competitors.

Server room is visible to everybody
Likelihood 50 (M); Impact 90 (VH); Priority 70 (H); Impact time 2 weeks
All the data/information of the company is stored on, and the systems run on, the servers
located in the server room. Every visitor and new customer can see the server room, so this
could be a reason for losing customers (due to negligence and improper control of data), because
the server room is located in an easily accessible area. Anyone could damage the server room
easily.

Loss of main experienced senior staff
Likelihood 35 (L); Impact 90 (VH); Priority 62.5 (H); Impact time 2 weeks
This would directly impact the operation of the company, because staff numbers are limited and
to manage operations each staff member has targets to achieve. Covering the work of an
unavailable staff member is extra effort, so all operations of the company would slow down and
the service that customers expect could be slowed by the workload. Because of this customers
could be lost, and without a proper replacement staff member the day-to-day operations of the
business would be hard to manage. Knowledge of the company would also pass (through the staff
member) to a competitor. This could have a significant impact on business operations.

Documents can be stolen from the store room
Likelihood 40 (L); Impact 90 (VH); Priority 65 (H); Impact time 2 days
Easy access for thieves, because the store room is near the staircase and any employee can
access it, so anyone can take secret documents from the store room. This could impact the
reputation of the company, and if customer trust is broken (customer details could be
transferred to unknown persons) the main customers of the company might be lost. If the secrets
of the company are lost, competitors could launch products before the company launches its own
products to the market.

Lots of windows within the building
Likelihood 40 (L); Impact 50 (M); Priority 45 (M); Impact time 2 days
Easy access for thieves because of the glass windows. Thieves could steal important
information, equipment etc. This could impact the reputation of the company, and if customer
trust is broken (negative reputation) the turnover of the company could go down.

Easy to spy through the windows
Likelihood 40 (L); Impact 50 (M); Priority 45 (M); Impact time 2 days
What is happening inside is clearly visible through the windows. Company secrets can be visible
to outsiders (thieves, competitors).

Easy access to the server room
Likelihood 60 (M); Impact 70 (H); Priority 65 (H); Impact time 5 days
The server room is situated on the first floor near the entrance, so it is visible to everyone,
and this could be a reason for breaking customer trust. Customers would think that their secrets
will leak to their competitors. This could impact the reputation of the company.

Unauthorized access
Likelihood 65 (H); Impact 70 (H); Priority 67.5 (H); Impact time 1 day
There is no control on access to the building, so anyone can easily access any place in the
building. This would give easy access to the server room, store room, printer and Director's
room, from which company data and information could be obtained. This could also impact the
reputation of the company.

Loss of essential services
Likelihood 30 (L); Impact 50 (M); Priority 40 (L); Impact time 2 hours
When there is a failure of the electricity or telecommunications supply, the company systems
could stop processing, and electrical faults could directly damage computer hardware. The
process could therefore stop until it is repaired, and stored company data/information could be
damaged. This could then be a financial loss, because the company has to purchase the relevant
hardware and requires technical assistance to repair the problem until the system is back up
again.


3.2 Non-Physical threats

Errors, mistakes and negligence by the staff
Likelihood 90 (L); Impact 70 (M); Priority 80 (H); Impact time 2 days
Entering wrong data into the system (by mistake) will give wrong results (GIGO) (Lidwell, W.,
Holden, K. and Butler, J. 2010, p.112). In order to supply correct details to the retailers,
correct data has to be in the company database, so staff have to rectify the error. This is a
loss of time that could be spent on other work, and it could impact the reputation of the
company by supplying wrong details to the customers.

Communication failure
Likelihood 40 (L); Impact 50 (M); Priority 45 (M); Impact time 2 days
The company needs a good communication link with customers in order to supply the details they
need online, and there could be video conferencing, IP phone conferencing etc. If there is a
failure in communication, the company will not be able to supply a good service to the customer.
This would impact the company's reputation as well as affecting the business.

Malicious software
Likelihood 40 (L); Impact 50 (M); Priority 45 (M); Impact time 2 days
Customer data saved in the system could be corrupted by malicious software and saved data might
be lost. If the system is attacked continuously it may become unusable, and until the system is
set up and running again employees will not be able to carry out the business process.

Hacking
Likelihood 70 (H); Impact 60 (M); Priority 65 (H); Impact time 1 day
When connecting to a non-trusted network (the internet), many people can reach the company
network through the internet connection. If there is no protection between the trusted network
(company network) and the non-trusted network (internet), hackers could access the company
network and obtain company data and information.

Backup drive failure
Likelihood 40 (L); Impact 90 (VH); Priority 65 (H); Impact time 1 month
If the backup drive fails to take backups regularly it is a risk, because in the event of a
computer or system failure the system would not be able to start up from the backups, as the
backup drives could not be used. The company would lose all the data it has, and it would take
a long time to collect all the data into the system again.

DOS attack
Likelihood 60 (H); Impact 50 (M); Priority 55 (M); Impact time 2 days
This causes the receipt of lots of data from outside the company (internet), creating a traffic
jam on the network that damages network traffic; once the attack is done, users are denied
access to the company site and the company systems are affected. When the internet is used for
exchanging data with customers and employees are searching for data the company needs, this kind
of attack can be launched by hackers. There could also be communication problems for those who
access the network internally and externally (Prowell, S., Kraus, R. and Borkin, M. 2010, p.1).


Priority measurement

Each risk is placed in the priority band (VL, L, M, H, VH) given by its priority score in the
tables above.

VL: none

L:  Leaving confidential information/documents on a printer; Unattended machines;
    Loss of essential services

M:  Lots of windows within the building; Easy to spy through the windows;
    Communication failure; Malicious software; DOS attack

H:  Floods; Earthquakes; Fire; Server room is visible to everybody;
    Loss of main experienced senior staff; Documents can be stolen from the store room;
    Easy access to the server room; Unauthorized access;
    Errors, mistakes and negligence by the staff; Hacking; Backup drive failure

VH: none


4 Countermeasures

This section lists the countermeasures that could be implemented in the company to reduce the
impact of each of the risks identified and analysed above. For each identified risk, a list and
justification of the countermeasures that may be taken to address the risk is given.

Floods

- Locate the servers and PCs in a higher place above ground level (3 to 4 feet above).
- Get insurance cover, so that if any damage occurs to the building or equipment the company can
  claim the amount of the damage and restart operations as soon as possible.
- Introduce a flood plan for the company.
- Put up a link to the emergency services.

Earthquakes

- Get insurance cover, so that if any damage occurs to the building or equipment the company can
  claim.
- Take daily backups and store them in a secure place outside the premises, in order to restart
  the operations of the company if any damage occurs to the premises.
- Install a link to the emergency services.

Fire

- Have an evacuation plan for the building and train the staff accordingly, with a drill once
  every 6 months to review the plan and make staff aware of what to do whenever a fire occurs.
  Conduct a full-scale building disaster exercise in conjunction with local emergency response
  groups (Craighead, G. p.598).
- Put up evacuation site maps at every exit and in places visible to everybody.
- Construct proper fire exits and safety doors (Binggeli, C. 2011, p.340).
- Provide fire extinguishers in order to stop a small-scale fire before it turns into a
  full-scale blaze, and train the staff in how to use the safety equipment.
- Install fire/heat detectors in proper places.
- The server room must be shielded, and it is better to install fire suppression
  (oxygen-absorbing equipment) in order to stop fire spreading inside the server room and to
  secure the hardware (this system is harmful to people) (Stewar, J. M. 2004, p.156).
- Install a fire alarm system in each and every room.
Leaving confidential information/documents on a printer

- Install a printer on the ground floor as well, located where nobody else can access it.
- Allocate a separate dedicated printer to the Director's room, as most company decisions are
  taken by the Director and he is the person who has confidential documents to print.
- Introduce a company policy in order to reduce the errors which staff make.
- Introduce a new print management system tied to the employee card using Radio Frequency
  Identification (RFID) technology: whenever a staff member wants a printout, they release it
  with their RFID card.

Unattended machines

- Set up an IT security policy. The policy should cover all the in-house rules and regulations
  that staff must follow.
  o E.g. lock the PC before leaving the workplace.
  o Set up systems to ensure staff regularly change and update their passwords; this will help
    to avoid data theft via other employees' accounts.

Server room is visible to everybody

- Cover the server room entrance and put a two-door entrance to the server room with a new
  partition (physical barriers). Nobody will see the server room entrance, because there is
  another door before the server room door (Stewar, J. M. 2004, p.156).
- Put dual-control access on the server room (if the administrator is not available, two
  persons have to authenticate to open the door).
- Introduce a system for access to the server room using the employee ID (RFID), in order to
  trace the people who have entered the server room.

Loss of main experienced senior staff

- Rotate job functions among the staff at least once a year to motivate them, because staff
  doing the same job for a long period can get fed up with the work they do; a staff job-role
  revision would take a new approach to improving motivation amongst the staff.
- Give allowances as company profits increase and for performance which staff achieve.
- Give additional training sessions for the staff.
- Hold meetings with the staff regularly to communicate company updates, discuss company and
  staff issues and find solutions.
- Make regular salary reviews so that staff feel happy with their salary and the company.

Documents can be stolen from the store room

- Have lockable filing cabinets and implement a company policy with dedicated responsibilities.
- Implement a dual-control key handling system to open the store room (like access to the
  server room).
- Once document work is finished, destroy or shred the unused documents under the supervision
  of a senior staff member.

Lots of windows within the building

- Make arrangements to install window safety bars, in order to have security from thieves
  trying to enter through the glass windows.

Easy to spy through the windows

- Put up covers on the window glass (stickers).
- Put roller blinds/curtains on the windows; these will cover the window so no one can spy
  through it.

Easy access to the server room

- Implement the security entry card explained above (RFID); this will be cost-effective for the
  company, as the whole system is run with one access card.
- Store company and customer data encrypted; it is more secure and ensures that the data does
  not fall into unintended hands.
- Implement a dual-control key handling system to open the server room (like access to the
  store room) and introduce a policy with dedicated responsibilities.
- Put up physical barriers to enter the server room (explained under "Server room is visible to
  everybody") and install a camera at that location (Stewar, J. M. 2004, p.156).

Unauthorized access

- Implement a visitor procedure plan to stop anyone just walking into the building. This plan
  can be carried out by the receptionist or a security guard at the main entrance, for example:
  o Visitors must produce their identity to be checked, to verify who the visitor is.
  o Introduce a log book for visitors.
  o They must be taken into the building and guided by a member of staff at all times.
- Have a password policy to change staff members' passwords regularly; if the account is locked
  by typing a wrong password twice, the staff member has to report to the administrator or
  manager to unlock it (Stewar, J. M. 2004, p.165).
- The presence of a security guard at the entrance.
- Employees must swipe their RFID card on the system when entering and leaving the building
  (in/out), and it should link to the employee attendance system to mark attendance.
- Secure all external entrance and exit doors and give the security guards responsibility to
  check them from time to time (on a roster basis).
- Install closed-circuit television (CCTV) to monitor and record video activity.
- Introduce an e-mail policy; this is an important countermeasure to ensure that confidential
  data is not leaked or shared without permission, and it also controls what types of files are
  sent and received by employees.

Loss of essential services

- Install a generator for backup electricity, in case the electricity supply drops or ceases for
  a short period of time, to prevent any damage to the computers and keep the business
  operational when the electricity utility fails.
- Install UPS power for essential equipment (main server, Director's PC, system administrator's
  PC); if the generator does not start automatically all power could be disconnected, so having
  UPS power makes the system more secure.

Errors, mistakes and negligence by the staff

- This will highly impact the company because the data entered into the system is entered by
  staff, who can enter wrong data into the system and can leak company secrets and information
  to others. To stop this, staff always have to be educated (training sessions) and team
  meetings held.
- Implement a security policy with an agreement signed during the employee recruitment process.

Communication failure

- Have mobile broadband in place for backup communications.
- Have an alternative connection from another service provider.

Malicious software

Install proper antivirus software on each and every computer linked to the company system and network; every computer will need an up-to-date anti-virus package to ensure it is adequately protected. The IT manager must ensure this is kept up to date and check on a regular basis that anti-virus scans are completed.
Always update systems and patches for the software the company system uses, e.g. keeping Microsoft Windows system updates up to date will help stop malicious software from being able to exploit the system.
Hacking
Storing company data in encrypted form is more secure. It makes sure that the data does not fall into unintended hands, because if a hacker steals data from the company, without the decryption algorithm they cannot decrypt the data (convert it to an understandable form). The data the company holds will be stored in encrypted form (parliament.uk 2006).
Install a firewall (hardware and software) on the system. It is a mechanism to protect the company network from unauthorized users accessing it from other computer networks. Using a firewall is the most effective and important first step the company could take to help protect the network. What it does is block the communication paths from unauthorized entries (hackers). This means that when a message (data packets) is coming into the network it is filtered before it reaches the company network (only authorized messages/data packets enter the system), and only the required ports are open to the network. "A firewall is a collection of components, interposed between two networks, that filters traffic between them according to some security policy. Conventional firewalls rely on network topology restrictions to perform this filtering" (Ioannidis, S., Keromytis, A.D., Bellovin, S.M. & Smith, J.M. 2000).
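As an added illustration (not part of this report or of the cited paper), a small Python model of such a packet filter: a default-deny policy with two constructed rules is applied to constructed sample packets, and only traffic that matches an open port and a permitted source network reaches the company network.

```python
# Added example (not from the report): a minimal default-deny packet filter
# showing how a firewall admits only traffic matching its policy and drops
# everything else. All addresses, ports and packets below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    src_net: str   # CIDR the packet must come from
    dport: int     # destination port this rule opens
    proto: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto == rule.proto and pkt.dport == rule.dport
            and ip_address(pkt.src) in ip_network(rule.src_net))

def filter_packets(rules, packets):
    """Return (accepted, dropped) lists. Policy is default deny: a packet
    reaches the internal network only if some rule opens that port for it."""
    accepted, dropped = [], []
    for pkt in packets:
        if any(matches(r, pkt) for r in rules):
            accepted.append(pkt)
        else:
            dropped.append(pkt)   # dropped packets are kept for logging/review
    return accepted, dropped

# Constructed policy: anyone may reach the web server on 443; only the
# internal LAN may reach the file server on 445 (SMB). Nothing else is open.
POLICY = [
    Rule("0.0.0.0/0", 443, "tcp"),
    Rule("192.168.1.0/24", 445, "tcp"),
]

# Constructed sample traffic arriving at the firewall.
SAMPLE = [
    Packet("203.0.113.7", "192.168.1.10", 443, "tcp"),   # external HTTPS: allowed
    Packet("203.0.113.7", "192.168.1.20", 445, "tcp"),   # external SMB: dropped
    Packet("192.168.1.55", "192.168.1.20", 445, "tcp"),  # internal SMB: allowed
    Packet("198.51.100.9", "192.168.1.10", 23, "tcp"),   # telnet: no rule, dropped
]
```

Calling `filter_packets(POLICY, SAMPLE)` accepts the two permitted packets and drops the external SMB and telnet attempts.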

Install hacking detection software on the system.


Install a password-protected system wherever there is a wireless network.


Backup drive failure

The IT manager (responsible person) always has to check and ensure that full network backups are taken of all the computers every day, and keep a copy in a safe place away from the office premises.

Test regularly by running the system from the backups to ensure that recovery can actually take place when needed.

DoS attack

Install DoS attack detectors on the system:

o Sequential change-point detection

o Network Intrusion Detection System (NIDS)
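As an added example (not from the report), a sequential change-point detector of the kind listed above: a one-sided CUSUM statistic over per-second packet counts learns the normal rate from a training window and raises an alarm when the cumulative excess over that rate exceeds a threshold. The packet counts, the 10-second training window and the tuning constants k and h are all constructed assumptions.

```python
# Added example (not from the report): one-sided CUSUM change-point detection
# over per-second packet counts, a simple statistic a DoS detector can use to
# flag a sudden, sustained rise in traffic. Sample data and tuning constants
# are constructed assumptions.
from statistics import mean, pstdev

def cusum_alarms(counts, baseline, drift, threshold):
    """Return the 1-based positions in `counts` at which the detector is in alarm.

    S_t = max(0, S_{t-1} + (x_t - baseline - drift)); alarm while S_t > threshold.
    Small fluctuations below `drift` are absorbed; a real change accumulates.
    """
    s, alarms = 0.0, []
    for t, x in enumerate(counts, start=1):
        s = max(0.0, s + (x - baseline - drift))
        if s > threshold:
            alarms.append(t)
    return alarms

def detect_flood(counts, train_seconds=10, k=0.5, h=5.0):
    """Learn the normal rate (mean, std dev) from the first `train_seconds`,
    then run CUSUM with drift k*sigma and threshold h*sigma on the rest.
    Returns the absolute second numbers (1-based) that are in alarm."""
    train = counts[:train_seconds]
    mu, sigma = mean(train), pstdev(train) or 1.0   # guard against zero sigma
    alarms = cusum_alarms(counts[train_seconds:], mu, k * sigma, h * sigma)
    return [t + train_seconds for t in alarms]

# Constructed per-second packet counts: about 100 pkt/s of normal traffic,
# then a flood starting at second 16 where the rate jumps to about 400 pkt/s.
TRAFFIC = [98, 103, 101, 97, 105, 99, 102, 100, 96, 104,
           101, 99, 103, 98, 102, 395, 410, 402, 398, 405]

if __name__ == "__main__":
    print("seconds in alarm:", detect_flood(TRAFFIC))   # first alarm at second 16
```

In practice the training window must come from known-clean traffic, and k and h are tuned against the normal variability of the monitored link so that routine bursts do not trip the detector.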



5 Recommendation of measures to be taken to protect the
organization and their priorities
We have identified the risks that can occur to the TrendMaster Company, and based on the countermeasures explained above, here are the recommended solutions for the company. The following can be done with a medium budget.

Introduce a company policy in order to reduce the errors which staff make.
Introduce an employee card with radio frequency identification (RFID) technology.
o This will cover most of the systems which the company uses:
Printing
Access to the building
Access to the server room
Attendance (In/Out)
Access to the secure areas
Visitors who enter the company
Locate the servers and PCs in a higher place above the ground (3 to 4 feet above).
Introduce a flood plan for the company.
Take out insurance cover (covering all the risks identified).

Install a link to the emergency services.

Have an evacuation plan for the building and train the staff accordingly.
Put up evacuation site maps.
Construct proper fire exits and safety doors.
Locate and install fire/heat detectors in proper places.

Install a printer on the ground floor and locate it in a place where nobody (outsiders) can see it.

Set up an IT security policy. This should cover all the in-house rules and regulations that the staff must follow.
o Put dual control access on the server room, store room and entrances to secure areas
o Lock the PC before leaving the work place
o Have a password policy
o Business Continuity Planning
o System planning
o User management
o Operations
o Use of Computers
Rotate the job functions within the staff at least once a year.
Make regular salary reviews to keep the senior, experienced staff in the company.
Have lockable filing cabinets.
Install Closed Circuit Television (CCTV).
Install a generator for backup electricity and install UPS power for essential equipment.
Once the work on a document is finished, it should be destroyed under the supervision of a senior staff member.
Make arrangements to install some window safety bars.
Put some roller blinds/curtains on the windows.
Store company and customer data in encrypted form.
Install a firewall (hardware and software) on the system to protect it from hackers.
Have a secret and secure place to keep the copies of the backups, and check and test them on a regular basis. I recommend having a data warehouse for this.

Cover the server room entrance and put a two-door entrance to the server room with a new partition (physical barriers).

Install proper antivirus software on each and every computer and always update systems and patches for software.

Mobile broadband, and an alternative connection from another service provider.

Install DoS attack detectors on the system.


6 References
Blakley, B., McDermott, E. & Geer, D. (2001). Information security is information risk management. NSPW '01: Proceedings of the workshop on New Security Paradigms, New York, p. 97. [Online] [Accessed 01 October 2011] Available at: <http://delivery.acm.org.ez-proxy.unv.wlv.ac.uk/10.1145/510000/508187/p97-blakley.pdf?ip=134.220.2.101&acc=ACTIVE%20SERVICE&CFID=64413103&CFTOKEN=99550935&__acm__=1319605442_29324529598cbe7f9f1bc6289a2b9987>

BCS (2011). Organised cyber-criminals. The British Computer Society (BCS). [Online] [Cited 03 October 2011] Available at: <http://www.bcs.org/content/conWebDoc/10576>

Binggeli, C. (2010). Building Systems for Interior Designers. 2nd ed. Canada: John Wiley & Sons. [Accessed 25 October 2011]

Craighead, G. (2008). High-Rise Security and Fire Life Safety. 3rd ed. USA: Butterworth-Heinemann. [Accessed 25 October 2011] Available at: <http://books.google.com/books?id=4BWyBELDQIwC&printsec=frontcover&dq=High-Rise+Security+and+Fire+Life+Safety+By+Geoff+Craighead&hl=en&ei=uIS3TrneNc_OrQfIzKmbCA&sa=X&oi=book_result&ct=book-preview-link&resnum=1&ved=0CC8QuwUwAA#v=onepage&q&f=false>

Ioannidis, S., Keromytis, A.D., Bellovin, S.M. & Smith, J.M. (2000). Implementing a Distributed Firewall. [Online] [Accessed 25 October 2011] Available at: <http://delivery.acm.org.ez-proxy.unv.wlv.ac.uk/10.1145/360000/353052/p190-ioannidis.pdf?ip=134.220.2.101&acc=ACTIVE%20SERVICE&CFID=67483464&CFTOKEN=80860091&__acm__=1320722827_84b145879fa6f90399fbadf51349566c>

Pahl, N. & Richter, A. (2009). SWOT Analysis - Idea, Methodology And A Practical Approach. Germany: GRIN Verlag.

Prowell, S., Kraus, R. & Borkin, M. (2010). Seven Deadliest Network Attacks. USA: Elsevier. [Accessed 15 October 2011] Available at: <http://books.google.co.uk/books?id=S2tRtuKNndYC&printsec=frontcover&dq=Seven+Deadliest+Network+Attacks+By+Stacy+Prowell,+Rob+Kraus,+Mike+Borkin&hl=en&ei=-b-2TqeaMYfmrAe8_MjIAw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CC4Q6AEwAA#v=onepage&q&f=false>

Raval, V. & Fichadia, A. (2007). Risks, Controls, and Security: Concepts and Applications. Wiley.

Sophos (2010). Security Threat Report: Mid-year 2010. [Online] [Cited 05 October 2011] Available at: <http://www.sophos.com/security/topic/security-threat-report-mid2010/threat-grows.html>

Sophos (2011). Police probe into claims of computer hacking by Murdoch's News International. [Online] [Cited 05 October 2011] Available at: <http://nakedsecurity.sophos.com/2011/08/01/police-probe-into-claims-of-computer-hacking-by-murdochs-news-international/>

Stewart, J. M. (2004). Security+ Fast Pass. USA: Sybex. [Accessed 30 October 2011]

Sophos (2011). Hacking the Web: Hijacking search results. [Online] [Cited 05 October 2011] Available at: <http://nakedsecurity.sophos.com/2011/02/13/hacking-the-web-hijacking-search-results/>

Syntel, Inc. (2011). SWOT Analysis. [Online] [Accessed 05 October 2011] Available at: <http://web.ebscohost.com/ehost/pdfviewer/pdfviewer?vid=14&hid=11&sid=4ecb54f3-b901-495f-9feb-ee7df3e67872%40sessionmgr112>

www.parliament.uk (2011). Reducing Flood Risk. [Online] [Accessed 05 October 2011] Available at: <http://www.parliament.uk/business/publications/research/key-issues-for-the-new-parliament/green-growth/reducing-flood-risk/>

www.parliament.uk (2006). DATA ENCRYPTION. [Online] [Accessed 25 October 2011] Available at: <http://www.parliament.uk/documents/post/postpn270.pdf>

Wideman, R.M. (2007). Management of Risk: Guidance for Practitioners. UK: Office of Government Commerce (OGC). [Accessed 01 October 2011] Available at: <http://www.maxwideman.com/papers/risk_guidance/risk_guidance.pdf>

Lidwell, W., Holden, K. & Butler, J. (2010). Universal Principles of Design: 125 Ways to Enhance Usability, Influence Perception, Increase Appeal, Make Better Design Decisions, and Teach through Design. Minneapolis: Rockport Publishers. [Online] [Accessed 10 October 2011] Available at: <http://books.google.com/books?id=zXAx9_Y8GiEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>