
Running head: INFORMATION SYSTEMS (IS) RISK MANAGEMENT

Information Systems (IS) Risk Management


August 17, 2015
Information Systems (IS) Risk Management
In any business, computers and whatever new technology the business has keep it
above water, supporting the company's sales, accounting, record keeping, and
internal and external email. Keeping the technology gears well-greased and
maintained means making sure all internal employees abide by the rules and policies set forth by the
company, and that external users follow technology protocol in their use of company
information, because one slip-up and the whole system goes down. For example, all it would
take is one individual inserting a seemingly harmless flash drive into a computer, not
knowing that a virus is embedded in the flash drive, and so the mess begins. This paper will discuss
Riordan Manufacturing's possible computer vulnerabilities and describe the different
threats associated with internal and external personnel. Finally, this paper will delve into what
type of security measures are necessary or appropriate to secure the information system while
allowing a maximum amount of uninterrupted workflow.

In any company or corporation, a computer attack from cyber criminals
is very likely to happen. It is not a question of whether the company will get hacked, but
of when. Believe it or not, the single largest
threat to an organization and its information security is from within, and many times,
organizations suffer from key individuals intentionally stealing information or corrupting files
(Taylor, Fritsch, & Liederbach, 2015, p. 325). Every day company information is taken, and
some companies will not even notice until it is too late and the damage is already done, leaving the system
corrupt. On many occasions when information security is breached from within, there is
practically no detection of an occurrence. Many times, computer information is opened,
changed, stolen, or damaged without the company's knowledge, because the crime is covered up
through the use of special programs.

Another area of concern for Riordan Manufacturing is social engineering. This is where
an employee is led into believing that his or her computer is being fixed by an Information
Specialist over the phone when, in reality, it is not. Possibly one of the best ways for hackers to
acquire access to a network is by manipulating the innocent nature of a company's employees.
In reality, why go to all the trouble of generating a software package to steal passwords
from the company's network if individuals will just give out this personal information? You can
have the best technical systems in place, but they're not effective if people aren't educated about
the risks, and a recent survey conducted by Deloitte found three-quarters of companies have not
trained staff in the risks of information leakage and social engineering (Whittle, 2008). It is
imperative that all employees understand the importance of company information, do not
give out their computer information over the business phone, and understand what a
phishing email may look like.

Finally, an area where vulnerability arises, and possibly the most accidental insider
threat, is an unsecured company wireless network. With the emergence of laptop and
mobile computing has come the growth of wireless Internet access points, accessible by Wi-Fi
connections (Taylor, Fritsch, & Liederbach, 2015, p. 327). Whether it is Starbucks, an
international airport or a famous hotel chain, these unsecured networks can quickly put sensitive
information in danger. All it takes is a peek into e-mail communications or file transfers for
valuable data to be stolen, and Wi-Fi networks are most susceptible to these attacks, but don't
overlook Bluetooth on smartphones (Beaver, 2015). Also, if the company has wireless local area
networks inside the organization, employees could use them to gain access and explore the
system's databases after regular working hours, which would be bad for any type of business.

Many corporations institute intricate organization systems and data-handling
guidelines that are too complex to track or monitor. Although data classification is important, it
should not be a hurdle in protecting sensitive data; companies should leverage existing efforts such as business
impact analysis (BIA) or disaster recovery (DR) exercises that seek to identify and protect
critical areas and sensitive data (Kark, 2015). This is why steps should be taken to curtail those
who wish to cause harm to small or big businesses.

Amid all this mayhem and the exploitation of a company's personal or private information,
there are ways to help lower the risk of an attack on the company itself. All a company can do is
prepare for the worst and hope for the best. Because a company's employees are a possible source of threats,
it is important that the company set guidelines for all to follow. To protect the
company and its information, Information Technology gurus suggest using what is known
as the two-pronged approach. First, use monitoring software to check email and internet traffic
for certain keywords or file types; the company might also choose to block certain websites and
applications completely (Whittle, 2008). Second, devise a Standard Operating
Procedure explaining all employees' responsibility for network security and, after each employee has
read and understood it, ensure it is signed by everybody, and again stress that all employees
thoroughly understand the risks and their responsibilities. In the end it is all about
protecting Riordan Manufacturing and its secrets of new products.

Like any company that utilizes wireless Internet, Riordan Manufacturing cannot control
the networks outside of the business, but it can enable secure wireless
hotspots for users who wish to utilize Wi-Fi. This entails using a Virtual Private Network
(VPN) for remote network connectivity, a personal firewall to keep users from connecting to the
wireless computer and Secure Socket Layer/Transport Layer Security (SSL/TLS) for all
messaging, such as Webmail via Hypertext Transfer Protocol Secure (HTTPS), Post Office
Protocol (POP3s), Internet Message Access Protocol (IMAPs) and Simple Mail Transfer Protocol
(SMTPs) (Beaver, 2015). It is important to make sure that any of the business's internal wireless
networks are secure by utilizing correct encryption and authentication with Wi-Fi Protected
Access (WPA) or Wi-Fi Protected Access 2 (WPA2), and most important of all is to
enable logging for Riordan Manufacturing. Another vulnerable area that employees and
personnel tend to forget is Bluetooth on their smartphones. Deactivating Bluetooth if it's not
needed, or at least making the smartphone non-discoverable, can also cut down on wireless
network attacks from an external or internal source.

One last area that should be addressed in any corporation is Internet usage and which
sites are visited. Filtering content in HTTP and e-mail communications at the network
perimeter is the best way to check for and block sensitive information from going out to such
sites (Beaver, 2015). Keep in mind that even when a company utilizes the most secure
software, there is always the chance that company information may escape via encrypted
programs or from personal devices.

These are just a few examples of measures that could help keep Riordan Manufacturing from
becoming a victim of hacking. Today, we live in a world where anyone has the ability to abuse
the information security systems put in place by a big corporation. We also live in the third
wave of the information society, and undoubtedly, abuses in information security resulting in
computer crime and cyber terrorism will only grow in the future (Taylor, Fritsch, & Liederbach,
2015, p. 343). Even if implemented correctly, these technical safeguards will only work for a very
short time, and updates or corrections will have to be made to address any
breaches in the software. However, for long-term value, a business has to ensure that
the company's policies are strictly adhered to, because the individuals committing these attacks
will no longer be the relatively uneducated crook of the past, but he or she may well be a very
sophisticated criminal, a greedy inside employee, a highly motivated terrorist, or the agent
provocateur from a rogue government (Taylor, Fritsch, & Liederbach, 2015, p. 343). If done
correctly and joined with employee alertness and proper measures for determining whether the
countermeasures are working properly, these safeguards can provide outstanding protection against internal or
external threats around the world. In the end, it all boils down to one person in any
business or corporation, and that person is the employee.


References
Beaver, K. (2015). Five common insider threats and how to mitigate them. Retrieved from
http://searchsecurity.techtarget.com/tip/Five-common-insider-threats-and-how-to-mitigate-them
Kark, K. (2015). Create a data breach response plan in 10 easy steps. Retrieved from
http://searchsecurity.techtarget.com/tip/Create-a-data-breach-response-plan-in-10-easy-steps
Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2015). Digital Crime and Digital Terrorism (3rd
ed.). Boston, MA: Pearson.
Whittle, S. (2008). The top five internal security threats. Retrieved from
http://www.zdnet.com/article/the-top-five-internal-security-threats/
