A Risk Management Policy Essay Example | Topics and Well Written Essays - 750 words

A Risk Management Policy - Essay Example To determine the full extent of an organization’s vulnerability to security breaches, a risk assessment should be undertaken to gather comprehensive information and data prior to designing the risk management policy. Due to the fast pace of technology, attack tools frequently change parallel with updates in software increasing the probabilities of security risks. In this particular case, the organization faced the following types of threats: unauthorized access from the internal personnel and confidentiality breach as a result of infiltration by a hacker or an attacker. The assessment indicates weakness in their overall information security system and policies requiring the revisions and enforcement in risk management. Proposed Management Risk Policies To address the risk on information being stolen by inside personnel, the following measures are recommended: (1) strengthen company policies on recruitment and screening new IT applicants and present IT personnel to include background checking in terms of past work experiences, credentials and qualifications; (2) a code of discipline must be incorporated in the policies to contain sanctions for violations and infractions of policies, particularly on confidentiality of information, to wit: reprimand for initial violations, warning for subsequent infractions, suspension without pay, expulsion, outright firing, as required; (3) a classification of both hardware and software systems according to crucial importance must immediately be made to determine authorized and trust users depending on lengths of service and roles and responsibilities; (4) codes and personal access numbers must be assigned; and (5) a rotation of critical authorized employees must be implemented as a check and balanc e mechanism, concurrent with regular monitoring and audits of critical and crucial confidential areas. To address the hacker or attacker from infiltrating the system, the following courses of action are suggested: â€Å"(1) apply software security, (2) control use of administrative privileges, (3) control access based on the need to know, (4) continuous vulnerability testing and remediation, (5) install anti-Malware defenses, (6) limit and control ports,