1. The problem areas in this case include:
– Employees of the newly acquired company, Skyhaven, could gain access to Code Galore's sensitive data because of vulnerabilities on both companies' servers. This can be addressed by implementing biometric or face-recognition access controls, or by granting access rights and permissions only to authorized users.
– Skyhaven's source code is dispersed across workstations and servers and will be merged with Code Galore's code. To mitigate this, up-to-date antivirus software and firewalls can protect Code Galore's code from any malicious content on Skyhaven's machines.
– Skyhaven employees are less aware of the company's security policies than Code Galore employees. Security training sessions for Skyhaven employees can help them understand the importance of data security and related issues.
– 5 employees at Skyhaven do not perform backups and are not knowledgeable about security configuration and patch management. It is essential to make it mandatory for these employees to use technologies such as snapshots and continuous data protection (CDP) for backups.
2. Which aspect of the CIA (confidentiality, integrity, and availability) triad is most critical to Code Galore's business goals? Why?
Ans. Code Galore's current objective is to generate decent profits and improve the company's financial condition for its survival. It urgently wants the merger with Skyhaven without spending much on security, and it is also establishing a WAN so that employees can communicate and easily access code and data. For Code Galore, the most important aspects of the triad are therefore availability and confidentiality. Without security measures based on data protection techniques, Skyhaven employees may gain unauthorized access to the company's confidential data.
3. Change introduces risk, and several significant changes have occurred. Which of these changes presents the greatest risk?
Ans. The areas of greatest risk are:
1. Data security: the merger of the two companies makes data security a top priority, since it determines who can access which information.
2. Confidentiality of data: employees at Skyhaven may gain access to Code Galore's confidential data.
4. If three of the greatest risk events occurred, what would be the worst-case scenarios?
Ans.
1. Code Galore's computers, which are connected to Skyhaven, could be attacked by malicious software and viruses, posing a significant threat to the business.
2. Inadequate security measures may expose sensitive company data.
5. How can newly identified risk events that have arisen due to the changes be effectively communicated to senior management by the CSO?
Ans. The CSO should document the risks and suggest ways to mitigate them. Meetings with senior management should be organized to address urgent areas such as data security, access rights, backup systems, and configuration issues before they escalate and cause further losses for the company.
RISK ANALYSIS:

Risk Event | Probability | Impact | Overall Risk Rating | Pros/Cons of Change
Internal network break-in from outside | High | Loss of competitive advantage, loss of confidential data | High | Security is decreased
Virus, worm, Trojan infections | High | Corruption and loss of data | High | Security is compromised because of corruption and leakage of data
Source code stolen by internal / external resources | High | Loss of competitive edge | High | Financial losses because of loss of data and code
Sabotage of source code | High | Loss of competitive edge | High | Financial losses because of loss of data and code
Data extrusion through interception of wireless signals | High | Loss of policy | High | Loss of proprietary information
Attacks against others initiated by Code Galore employees | Medium | Loss of reputation | High | Negative media exposure
Pirated software, music, media used within Code Galore | Low | Loss of reputation | High | Negative media exposure
Prolonged IT outage | High | Disruption, loss of productivity | High | Financial losses
Denial of Service attack | High | Loss of productivity | High | Restoration of system might be needed